test(apple): cache invariant regression tests for biometric caching#163
Merged
Merged
Conversation
…egressions Add 7 tests for the wrapping-key cache layer: 5 pure-Rust unit tests (run in CI, no keychain needed): - cache_insert_then_lookup_returns_key - cache_evict_removes_entry - cache_lookup_with_zero_ttl_always_misses - cache_entries_are_isolated_by_label / by_app - keychain_store_evicts_cache - migration_restore_must_not_evict_cache (key regression guard) 2 keychain integration tests (#[ignore], run locally): - decrypt_with_cached_key_preserves_cache_after_migration - keychain_store_evicts_but_keychain_store_ffi_does_not The migration_restore_must_not_evict_cache test directly guards the invariant broken in PR #158 — if anyone changes the migration path in decrypt_with_cached_key to call keychain_store instead of keychain_store_ffi, this test fails with an explicit message explaining the biometric caching consequences.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
#[ignore]) for local validationmigration_restore_must_not_evict_cachewould have caught the PR fix(apple): handle errSecInteractionNotAllowed and change keychain protection class #158 regression — it asserts that the protection-class migration path does not evict the cache, with an explicit failure message explaining the Touch ID consequenceContext
The biometric caching regression (#162) happened because there were zero tests covering the cache behavior across the migration path. Any future change to
decrypt_with_cached_keyor thekeychain_store/keychain_store_ffisplit will now fail these tests with a clear message.Test plan
cargo test --workspace— all pass (5 new tests run, 2 new#[ignore]skipped)cargo clippy --workspace --all-targets -- -D warnings— cleancargo fmt --all -- --check— clean