"""Unit tests for undecryptable-secret detection (the admin-banner source).""" from steward.core.crypto import encrypt_secret, init_crypto from steward.core.settings import _is_undecryptable, get_undecryptable_secrets def test_is_undecryptable_false_for_current_key(): init_crypto("key-A") tok = encrypt_secret("hunter2") assert _is_undecryptable(tok, "smtp.password") is False def test_is_undecryptable_true_after_key_rotation(): init_crypto("key-A") tok = encrypt_secret("hunter2") # sealed under key-A init_crypto("key-B") # key changed/lost assert _is_undecryptable(tok, "smtp.password") is True def test_is_undecryptable_ignores_plaintext_and_empty(): init_crypto("key-A") assert _is_undecryptable("", "smtp.password") is False assert _is_undecryptable("plain-value", "smtp.password") is False assert _is_undecryptable(None, "smtp.password") is False def test_get_undecryptable_secrets_returns_sorted_list(): # Default (nothing scanned) is an empty list; the accessor is always safe to # call from the template context processor. assert isinstance(get_undecryptable_secrets(), list)