- Changed the directory structure for task specifications to include a dedicated `todo/` folder within `_docs/02_tasks/` for tasks ready for implementation.
- Updated references in various skills and documentation to reflect the new task lifecycle, including changes in the `implementer` and `decompose` skills.
- Enhanced the README and flow documentation to clarify the new task organization and its implications for the implementation process.

These updates improve task management clarity and streamline the implementation workflow.
Encryption & Security Tests
Task: AZ-157_test_encryption
Name: Encryption & Security Tests
Description: Implement blackbox, security, performance, resilience, and resource tests for AES-256-CBC encryption — roundtrips, key behavior, IV randomness, throughput, size bounds
Complexity: 3 points
Dependencies: AZ-152_test_infrastructure
Component: Blackbox Tests
Jira: AZ-157
Epic: AZ-151
Problem
The encryption module must correctly encrypt/decrypt data, produce key-dependent ciphertexts with random IVs, handle edge cases, and meet throughput requirements.
Outcome
- 13 passing pytest tests in `tests/test_encryption.py`
- Performance test in `tests/performance/test_encryption_perf.py`
Scope
Included
- BT-ENC-01: Encrypt-decrypt roundtrip (1024 random bytes)
- BT-ENC-02: Encrypt-decrypt roundtrip (ONNX model)
- BT-ENC-03: Empty input roundtrip
- BT-ENC-04: Single byte roundtrip
- BT-ENC-05: Different keys produce different ciphertext
- BT-ENC-06: Wrong key fails decryption
- PT-ENC-01: Encryption throughput (10MB ≤ 5s)
- RT-ENC-01: Decrypt with corrupted ciphertext
- ST-ENC-01: Random IV (same data, same key → different ciphertexts)
- ST-ENC-02: Wrong key cannot recover plaintext
- ST-ENC-03: Model encryption key is deterministic
- RL-ENC-01: Encrypted output size bounded (≤ N + 32 bytes)
Excluded
- Model split tests (separate task)
Acceptance Criteria
AC-1: Roundtrip
Given 1024 random bytes and key "test-key"
When encrypt then decrypt
Then output equals input exactly

AC-2: Model roundtrip
Given azaion.onnx bytes and model encryption key
When encrypt then decrypt
Then output equals input exactly

AC-3: Empty input
Given b"" and key
When encrypt then decrypt
Then output equals b""

AC-4: Single byte
Given b"\x00" and key
When encrypt then decrypt
Then output equals b"\x00"

AC-5: Key-dependent ciphertext
Given same data, keys "key-a" and "key-b"
When encrypting with each key
Then ciphertexts differ

AC-6: Wrong key failure
Given encrypted with "key-a"
When decrypting with "key-b"
Then output does NOT equal original

AC-7: Throughput
Given 10MB random bytes
When encrypt + decrypt roundtrip
Then completes within 5 seconds

AC-8: Corrupted ciphertext
Given randomly modified ciphertext bytes
When decrypt_to is called
Then either raises exception or returns non-original bytes

AC-9: Random IV
Given same data, same key, encrypted twice
When comparing ciphertexts
Then they differ (random IV)

AC-10: Model key deterministic
Given two calls to get_model_encryption_key()
When comparing results
Then identical

AC-11: Size bound
Given N bytes plaintext
When encrypted
Then ciphertext size ≤ N + 32 bytes
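The checks behind AC-3, AC-6, AC-8, AC-9 and AC-11, as an added example that is not the project's own code. It assumes the `cryptography` package and a stand-in module in which the key is SHA-256 of the key string and the output is IV || ciphertext with PKCS7 padding; `encrypt`, `decrypt`, `recovers_original`, `flip_bit` and `overhead` are hypothetical names.

```python
import hashlib
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block and IV size in bytes


def _cipher(key: str, iv: bytes) -> Cipher:
    # Assumption: the string key is stretched to 32 bytes with SHA-256 (not from the page).
    return Cipher(algorithms.AES(hashlib.sha256(key.encode()).digest()), modes.CBC(iv))


def encrypt(data: bytes, key: str) -> bytes:
    iv = os.urandom(BLOCK)  # fresh random IV per call, which is what ST-ENC-01 checks
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(data) + padder.finalize()
    enc = _cipher(key, iv).encryptor()
    return iv + enc.update(padded) + enc.finalize()  # assumed layout: IV || ciphertext


def decrypt(blob: bytes, key: str) -> bytes:
    dec = _cipher(key, blob[:BLOCK]).decryptor()
    padded = dec.update(blob[BLOCK:]) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()  # ValueError on bad padding


def recovers_original(blob: bytes, key: str, original: bytes) -> bool:
    """AC-6 / AC-8 oracle: an exception and garbage output both count as 'not recovered'."""
    try:
        return decrypt(blob, key) == original
    except ValueError:
        return False


def flip_bit(blob: bytes, index: int) -> bytes:
    """Deterministic single-bit corruption (the spec's RT-ENC-01 modifies bytes randomly)."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


def overhead(n: int) -> int:
    """Bytes added to an n-byte plaintext: 16-byte IV plus 1..16 bytes of PKCS7 padding."""
    return len(encrypt(os.urandom(n), "test-key")) - n
```

Under the assumed layout the overhead is always between 17 and 32 bytes, which is where the N + 32 bound comes from. CBC carries no integrity check, so a wrong key or a flipped bit surfaces as a padding error or as altered plaintext, and a test for AC-6 or AC-8 has to accept both.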
Constraints
- ONNX model fixture is session-scoped (77MB, read once)
- Security tests marked: `@pytest.mark.security`
- Performance test marked: `@pytest.mark.performance`
- Resource limit test marked: `@pytest.mark.resource_limit`