@@ -446,6 +446,30 @@ func TestNew(t *testing.T) {
446
446
require .NoError (t , err , "no error should be returned" )
447
447
require .Empty (t , keys , "no keys should be present" )
448
448
})
449
+
450
+ t .Run ("PrimaryRevoked" , func (t * testing.T ) {
451
+ t .Parallel ()
452
+ // Given: a cipher is loaded
453
+ cipher := initCipher (t )
454
+ ctx , cancel := context .WithCancel (context .Background ())
455
+ t .Cleanup (cancel )
456
+ rawDB , _ := dbtestutil .NewDB (t )
457
+
458
+ // And: the cipher is revoked before we init the crypt db
459
+ err := rawDB .InsertDBCryptKey (ctx , database.InsertDBCryptKeyParams {
460
+ Number : 1 ,
461
+ ActiveKeyDigest : cipher .HexDigest (),
462
+ Test : fakeBase64RandomData (t , 32 ),
463
+ })
464
+ require .NoError (t , err , "no error should be returned" )
465
+ err = rawDB .RevokeDBCryptKey (ctx , cipher .HexDigest ())
466
+ require .NoError (t , err , "no error should be returned" )
467
+
468
+ // Then: when we init the crypt db, we error because the key is revoked
469
+ _ , err = New (ctx , rawDB , cipher )
470
+ require .Error (t , err )
471
+ require .ErrorContains (t , err , "has been revoked" )
472
+ })
449
473
}
450
474
451
475
func requireEncryptedEquals (t * testing.T , c Cipher , value , expected string ) {
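Review bot: The PrimaryRevoked subtest discards the first value returned by `New` (`_ , err = New (ctx , rawDB , cipher )`), so it shows that an error comes back but not that the call fails closed. A revoked key should never yield a usable store, so consider capturing the result and asserting it is nil, e.g. `cryptDB, err := New(ctx, rawDB, cipher)` followed by `require.Nil(t, cryptDB)`. `New`'s signature and the start of `TestNew` are outside this hunk, so confirm the nil-on-error contract first. The `require.Error(t, err)` line is redundant, because `require.ErrorContains` already fails on a nil error. Matching the substring "has been revoked" ties the test to message wording; if the package exposes a sentinel or typed error for revocation (not visible here), `require.ErrorIs` would be sturdier.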