♻️ refactor: add test config constructors and update Context instantiation

- Add TandemConfig::for_testing() for environment-independent unit tests
- Add DatabaseConfig::for_testing() to handle private password field
- Update Context::new_for_test() to use new testing constructors
- Update Context::new_with_proxy() to extract schema and config from Proxy
- Rename Proxy fields: encrypt_config → encrypt_config_manager, schema → schema_manager
- Remove environment variable dependency from Context tests
- Add integration test for schema reload with mapping disabled

Author: tobyhede

packages/cipherstash-proxy-integration/src/schema_change.rs

@@ -22,4 +22,30 @@ mod tests {
 
         assert!(rows.is_empty());
     }
+
+    #[tokio::test]
+    async fn disable_mapping_disables_schema_reload() {
+        let client = connect_with_tls(PROXY).await;
+
+        let sql = "SET CIPHERSTASH.UNSAFE_DISABLE_MAPPING = true";
+        client.query(sql, &[]).await.unwrap();
+
+        let id = random_id();
+
+        let sql = format!(
+            "CREATE TABLE table_{id} (
+            id bigint,
+            PRIMARY KEY(id)
+        );"
+        );
+
+        let _ = client.execute(&sql, &[]).await.unwrap();
+
+        let sql = "SET CIPHERSTASH.UNSAFE_DISABLE_MAPPING = false";
+        client.query(sql, &[]).await.unwrap();
+
+        let sql = format!("SELECT id FROM table_{id}");
+        let result = client.query(&sql, &[]).await;
+        assert!(result.is_err());
+    }
 }

packages/cipherstash-proxy/src/config/database.rs

@@ -81,6 +81,21 @@ impl DatabaseConfig {
         })?;
         Ok(name)
     }
+
+    #[cfg(test)]
+    pub fn for_testing() -> Self {
+        Self {
+            host: Self::default_host(),
+            port: Self::default_port(),
+            name: "test".to_string(),
+            username: "test".to_string(),
+            password: Protected::new("test".to_string()),
+            connection_timeout: None,
+            with_tls_verification: false,
+            config_reload_interval: Self::default_config_reload_interval(),
+            schema_reload_interval: Self::default_schema_reload_interval(),
+        }
+    }
 }
 
 ///

packages/cipherstash-proxy/src/config/tandem.rs

@@ -273,6 +273,29 @@ impl TandemConfig {
 
         DEFAULT_THREAD_STACK_SIZE
     }
+
+    #[cfg(test)]
+    pub fn for_testing() -> Self {
+        Self {
+            server: ServerConfig::default(),
+            database: DatabaseConfig::for_testing(),
+            auth: AuthConfig {
+                workspace_crn: "crn:ap-southeast-2.aws:IJGECSCWKREECNBS".parse().unwrap(),
+                client_access_key: "test".to_string(),
+            },
+            encrypt: EncryptConfig {
+                client_id: "test".to_string(),
+                client_key: "test".to_string(),
+                default_keyset_id: Some(
+                    Uuid::parse_str("00000000-0000-0000-0000-000000000000").unwrap(),
+                ),
+            },
+            tls: None,
+            log: LogConfig::default(),
+            prometheus: PrometheusConfig::default(),
+            development: None,
+        }
+    }
 }
 
 impl PrometheusConfig {

packages/cipherstash-proxy/src/postgresql/context/mod.rs

@@ -13,6 +13,7 @@ use crate::{
     error::{EncryptError, Error},
     log::CONTEXT,
     prometheus::{STATEMENTS_EXECUTION_DURATION_SECONDS, STATEMENTS_SESSION_DURATION_SECONDS},
+    proxy::EncryptConfig,
     services::{EncryptionService, SchemaService},
 };
 use cipherstash_client::IdentifiedBy;
@@ -105,6 +106,7 @@ impl Context {
         client_id: i32,
         schema: Arc<Schema>,
         config: Arc<TandemConfig>,
+        _encrypt_config: Arc<EncryptConfig>,
         encryption: Arc<dyn EncryptionService>,
         schema_service: Arc<dyn SchemaService>,
     ) -> Context {
@@ -570,17 +572,18 @@ impl Context {
     }
 
     /// Helper function for gradual migration - creates Context with Proxy implementing services
-    pub fn new_with_proxy(
-        client_id: i32,
-        schema: Arc<Schema>,
-        proxy: crate::proxy::Proxy,
-    ) -> Context {
+    pub fn new_with_proxy(client_id: i32, proxy: crate::proxy::Proxy) -> Context {
         let config = Arc::new(proxy.config.clone());
+        let encrypt_config = proxy.encrypt_config_manager.load();
+        let schema = proxy.schema_manager.load();
+
         let proxy = Arc::new(proxy);
+
         Self::new(
             client_id,
             schema,
             config,
+            encrypt_config,
             proxy.clone(), // as EncryptionService
             proxy,         // as SchemaService
         )
@@ -633,36 +636,20 @@ impl Context {
             }
         }
 
-        // Set up minimal environment variables for testing
-        std::env::set_var("CS_DATABASE__USERNAME", "test");
-        std::env::set_var("CS_DATABASE__PASSWORD", "test");
-        std::env::set_var("CS_DATABASE__NAME", "test");
-        std::env::set_var("CS_DATABASE__HOST", "localhost");
-        std::env::set_var("CS_DATABASE__PORT", "5432");
-        std::env::set_var(
-            "CS_AUTH__WORKSPACE_CRN",
-            "crn:ap-southeast-2.aws:3KISDURL3ZCWYZ2O",
-        );
-        std::env::set_var("CS_AUTH__CLIENT_ACCESS_KEY", "test");
-        std::env::set_var(
-            "CS_ENCRYPT__CLIENT_ID",
-            "e40f1692-6bb7-4bbd-a552-4c0f155be073",
-        );
-        std::env::set_var("CS_ENCRYPT__CLIENT_KEY", "a4627031a16b7065726d75746174696f6e90090e0805000b0d0c0106040f0a0302076770325f66726f6da16b7065726d75746174696f6e9007060a0b02090d080c00040f0305010e6570325f746fa16b7065726d75746174696f6e900a0206090b04050c070f0e010d030800627033a16b7065726d75746174696f6e98210514181d0818200a18190b1112181809130f15181a0717181e000e0103181f0d181c1602040c181b1006");
-        std::env::set_var(
-            "CS_ENCRYPT__KEYSET_ID",
-            "c50d8463-60e9-41a5-86cd-5782e03a503c",
-        );
-
-        let config = Arc::new(
-            crate::config::TandemConfig::build("tests/config/unknown.toml")
-                .expect("Failed to create test config"),
-        );
+        let config = Arc::new(TandemConfig::for_testing());
+        let encrypt_config = Arc::new(EncryptConfig::default());
 
         let encryption = Arc::new(MockEncryptionService) as Arc<dyn EncryptionService>;
         let schema_service = Arc::new(MockSchemaService) as Arc<dyn SchemaService>;
 
-        Self::new(client_id, schema, config, encryption, schema_service)
+        Self::new(
+            client_id,
+            schema,
+            config,
+            encrypt_config,
+            encryption,
+            schema_service,
+        )
     }
 }
 

packages/cipherstash-proxy/src/postgresql/handler.rs

@@ -218,8 +218,7 @@ pub async fn handler(
 
     let channel_writer = ChannelWriter::new(client_writer, client_id);
 
-    let schema = proxy.schema.load();
-    let context = Context::new_with_proxy(client_id, schema, proxy.clone());
+    let context = Context::new_with_proxy(client_id, proxy.clone());
 
     let mut frontend = Frontend::new(
         client_reader,

packages/cipherstash-proxy/src/proxy/mod.rs

@@ -30,8 +30,8 @@ const AGGREGATE_QUERY: &str = include_str!("./sql/select_aggregates.sql");
 #[derive(Clone)]
 pub struct Proxy {
     pub config: TandemConfig,
-    pub encrypt_config: EncryptConfigManager,
-    pub schema: SchemaManager,
+    pub encrypt_config_manager: EncryptConfigManager,
+    pub schema_manager: SchemaManager,
     /// The EQL version installed in the database or `None` if it was not present
     pub eql_version: Option<String>,
     zerokms: ZeroKms,
@@ -70,8 +70,8 @@ impl Proxy {
         Ok(Proxy {
             config,
             zerokms,
-            encrypt_config,
-            schema,
+            encrypt_config_manager: encrypt_config,
+            schema_manager: schema,
             eql_version,
         })
     }
@@ -119,21 +119,21 @@ impl Proxy {
     }
 
     pub fn get_column_config(&self, identifier: &eql::Identifier) -> Option<ColumnConfig> {
-        let encrypt_config = self.encrypt_config.load();
+        let encrypt_config = self.encrypt_config_manager.load();
         encrypt_config.get_column_config(identifier)
     }
 
     pub async fn reload_schema(&self) {
-        self.schema.reload().await;
-        self.encrypt_config.reload().await;
+        self.schema_manager.reload().await;
+        self.encrypt_config_manager.reload().await;
     }
 
     pub fn is_passthrough(&self) -> bool {
-        self.encrypt_config.is_empty() || self.config.mapping_disabled()
+        self.encrypt_config_manager.is_empty() || self.config.mapping_disabled()
     }
 
     pub fn is_empty_config(&self) -> bool {
-        self.encrypt_config.is_empty()
+        self.encrypt_config_manager.is_empty()
     }
 }
 
@@ -172,7 +172,7 @@ impl crate::services::SchemaService for Proxy {
     }
 
     fn get_table_resolver(&self) -> std::sync::Arc<eql_mapper::TableResolver> {
-        self.schema.get_table_resolver()
+        self.schema_manager.get_table_resolver()
     }
 
     fn is_passthrough(&self) -> bool {