# Resource Distribution Blackbox Tests

**Task**: AZ-193_resource_tests
**Name**: Resource Blackbox Tests
**Description**: Implement blackbox tests for upload, encrypted download, and encrypt-decrypt round-trip verification
**Complexity**: 5 points
**Dependencies**: AZ-189_test_infrastructure, AZ-190_auth_tests, AZ-192_hardware_tests
**Component**: Blackbox Tests
**Tracker**: AZ-193
**Epic**: AZ-188

## Problem

The encrypted resource distribution flow is the most complex and security-critical feature, with no automated tests.

## Outcome

- File upload succeeds (FT-P-08)
- Encrypted download returns valid ciphertext (FT-P-09)
- Decrypt with same key derivation produces original content (FT-P-10)
- Upload with no file returns error (FT-N-05)
- Unauthenticated download rejected (tested in security tests)

## Scope

### Included

- Resource upload (POST /resources/{folder})
- Encrypted resource download (POST /resources/get)
- Encryption round-trip verification (client-side decryption)
- Empty upload error handling

### Excluded

- Installer download (simple stream, low risk)
- ClearFolder endpoint (utility)

## Acceptance Criteria

**AC-1: File upload**
Given caller is authenticated
When POST /resources/testfolder with multipart file
Then HTTP 200

**AC-2: Encrypted download**
Given a file is uploaded and user has bound hardware
When POST /resources/get with valid credentials
Then HTTP 200 with application/octet-stream content

**AC-3: Encryption round-trip**
Given a known file is uploaded
When the encrypted download is decrypted with the same key derivation (email + password + hwHash via SHA-384)
Then decrypted content byte-equals the original file

**AC-4: Empty upload rejected**
Given caller is authenticated
When POST /resources/testfolder with no file
Then HTTP 409 with ExceptionEnum code 70

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-1 | Auth user | POST /resources/testfolder multipart | HTTP 200 | — |
| AC-2 | Uploaded file, bound hw | POST /resources/get | HTTP 200, binary | — |
| AC-3 | Known file, known creds | Download + decrypt | Byte equality | — |
| AC-4 | Auth user | POST /resources/testfolder no file | HTTP 409, code 70 | — |

## Risks & Mitigation

**Risk 1: Encryption key derivation mismatch**

- *Risk*: Test client must replicate the exact key derivation algorithm (SHA-384 with specific salt format)
- *Mitigation*: Reference Security.GetApiEncryptionKey implementation for exact salt template