test: set keyset erro if default configured

Author: tobyhede

docs/errors.md

@@ -368,7 +368,7 @@ Unknown keyset name or id '{keyset}'
 ### How to Fix
 
 1. Check that the active `keyset_name` or `keyset_id` is associated with a keyset in the configured workspace.
-2. Check that the configured client credentials have access to the keyset and workspace.
+2. Check that the configured `client` has been granted access to the keyset via the dashboard.
 3. Keyset names are case sensitive. If setting the active keyset by name, check that the `keyset_name` is an exact match.
 
 

packages/cipherstash-proxy-integration/src/lib.rs

@@ -18,6 +18,7 @@ mod passthrough;
 mod pipeline;
 mod schema_change;
 mod select;
+mod set_keyset_error;
 mod simple_protocol;
 mod support;
 mod update;

packages/cipherstash-proxy-integration/src/multitenant/set_keyset_id.rs

@@ -1,3 +1,10 @@
+/// IMPORTANT
+/// IMPORTANT
+///
+/// These test assumes that `CS_DEFAULT_KEYSET_ID` has not been set
+///
+/// The mise integration task splits the `multitenant` tests so that the config can be changed
+///
 #[cfg(test)]
 mod tests {
     use crate::common::{

packages/cipherstash-proxy-integration/src/multitenant/set_keyset_name.rs

@@ -1,3 +1,10 @@
+/// IMPORTANT
+/// IMPORTANT
+///
+/// These test assumes that `CS_DEFAULT_KEYSET_ID` has not been set
+///
+/// The mise integration task splits the `multitenant` tests so that the config can be changed
+///
 #[cfg(test)]
 mod tests {
     use crate::common::{

packages/cipherstash-proxy-integration/src/set_keyset_error.rs

@@ -0,0 +1,66 @@
+/// IMPORTANT
+/// IMPORTANT
+///
+/// This test assumes that `CS_DEFAULT_KEYSET_ID`` has been set
+///
+/// Do not move into the multitenant module,
+///
+/// The mise integration task splits the `multitenant` tests out so that the config can be changed
+///
+#[cfg(test)]
+mod tests {
+    use tracing::info;
+
+    use crate::common::{connect_with_tls, trace, PROXY};
+
+    /// Helper function to assert that a result contains the expected "Cannot SET CIPHERSTASH.KEYSET" error
+    fn assert_keyset_error<T>(result: Result<T, tokio_postgres::Error>) {
+        if let Err(err) = result {
+            let msg = err.to_string();
+            assert_eq!(msg, "db error: FATAL: Cannot SET CIPHERSTASH.KEYSET if a default keyset has been configured. For help visit https://github.com/cipherstash/proxy/blob/main/docs/errors.md#encrypt-unexpected-set-keyset");
+        } else {
+            unreachable!();
+        }
+    }
+
+    /// Tests error handling of unknown keyset id
+    #[tokio::test]
+    async fn set_keyset_id_with_default_config_error() {
+        trace();
+
+        let client = connect_with_tls(PROXY).await;
+
+        let sql = "SET CIPHERSTASH.KEYSET_ID = '2cace9db-3a2a-4b46-a184-ba412b3e0730'";
+
+        let result = client.query(sql, &[]).await;
+        info!(?result);
+        assert!(result.is_err());
+
+        assert_keyset_error(result);
+
+        let result = client.simple_query(sql).await;
+        assert!(result.is_err());
+
+        assert_keyset_error(result);
+    }
+
+    /// Tests error handling of unknown keyset id
+    #[tokio::test]
+    async fn set_keyset_name_with_default_config_error() {
+        trace();
+
+        let client = connect_with_tls(PROXY).await;
+
+        let sql = "SET CIPHERSTASH.KEYSET_NAME = 'tenant-1'";
+
+        let result = client.query(sql, &[]).await;
+        assert!(result.is_err());
+
+        assert_keyset_error(result);
+
+        let result = client.simple_query(sql).await;
+        assert!(result.is_err());
+
+        assert_keyset_error(result);
+    }
+}