fix: resolve client hanging and EQL operation mapping issues

- Send error response to client on bind errors instead of just returning,
  preventing indefinite client hangs
- Map EqlTermVariant to correct QueryOp for encryption:
  - JsonPath/JsonAccessor use SteVecSelector for SteVec queries
  - Tokenized uses Default for LIKE/ILIKE match indexes
- Add reusable test:integration:setup:tls task for standalone test runs
- Update EQL version to 2.2.1 in example config

Author: coderdan

mise.local.example.toml

@@ -15,7 +15,7 @@ CS_CLIENT_KEY = "client-key"
 CS_CLIENT_ID = "client-id"
 
 # The release of EQL that the proxy tests will use and releases will be built with
-CS_EQL_VERSION = "eql-2.1.8"
+CS_EQL_VERSION = "eql-2.2.1"
 
 # TLS variables are required for providing TLS to Proxy's clients.
 # CS_TLS__TYPE can be either "Path" or "Pem" (case-sensitive).

mise.toml

@@ -108,6 +108,7 @@ description = "Run psql (interactively) against the proxy; assumes the proxy is
 alias = "psql"
 run = """
 set -eu
+echo psql "postgresql://${CS_DATABASE__USERNAME}:${CS_DATABASE__PASSWORD_ESCAPED_FOR_TESTS}@${CS_PROXY__HOST}:6432/${CS_DATABASE__NAME}"
 docker exec -it postgres${CONTAINER_SUFFIX:-} psql "postgresql://${CS_DATABASE__USERNAME}:${CS_DATABASE__PASSWORD_ESCAPED_FOR_TESTS}@${CS_PROXY__HOST}:6432/${CS_DATABASE__NAME}"
 """
 
@@ -174,7 +175,39 @@ run = """
 cargo nextest run --no-fail-fast --nocapture -p cipherstash-proxy-integration
 """
 
+[tasks."test:integration:setup:tls"]
+description = "Setup for TLS integration tests: preflight, postgres, proxy"
+run = """
+set -e
+
+echo
+echo '###############################################'
+echo '# Preflight'
+echo '###############################################'
+echo
+
+mise run test:integration:preflight
+
+echo
+echo '###############################################'
+echo '# Setup'
+echo '###############################################'
+echo
+
+mise --env tls run postgres:setup
+
+echo
+echo '###############################################'
+echo '# Start Proxy'
+echo '###############################################'
+echo
+
+mise --env tls run proxy:up proxy-tls --extra-args "--detach --wait"
+mise --env tls run test:wait_for_postgres_to_quack --port 6432 --max-retries 20 --tls
+"""
+
 [tasks."test:integration:without_multitenant"]
+depends = ["test:integration:setup:tls"]
 description = "Runs integration tests excluding multitenant"
 run = """
 cargo nextest run --no-fail-fast --nocapture -E 'package(cipherstash-proxy-integration) and not test(multitenant)'
@@ -494,6 +527,7 @@ echo docker compose up --build {{arg(name="service",default="postgres postgres-t
 description = "Run psql (interactively) against the Postgres instance; assumes Postgres is already up"
 run = """
 set -eu
+echo "postgresql://${CS_DATABASE__USERNAME}:${CS_DATABASE__PASSWORD_ESCAPED_FOR_TESTS}@${CS_DATABASE__HOST}:${CS_DATABASE__PORT}/${CS_DATABASE__NAME}"
 docker exec -it postgres${CONTAINER_SUFFIX:-} psql "postgresql://${CS_DATABASE__USERNAME}:${CS_DATABASE__PASSWORD_ESCAPED_FOR_TESTS}@${CS_DATABASE__HOST}:${CS_DATABASE__PORT}/${CS_DATABASE__NAME}"
 """
 

packages/cipherstash-proxy/src/postgresql/frontend.rs

@@ -255,7 +255,8 @@ where
                                 msg = "Bind Error",
                                 err = err.to_string()
                             );
-                            return Err(err);
+                            self.send_error_response(err)?;
+                            return Ok(());
                         }
                     },
                 }

packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs

@@ -7,12 +7,13 @@ use crate::{
     proxy::EncryptionService,
 };
 use cipherstash_client::{
-    encryption::Plaintext,
+    encryption::{Plaintext, QueryOp},
     eql::{
         decrypt_eql, encrypt_eql, EqlCiphertext, EqlDecryptOpts, EqlEncryptOpts, EqlOperation,
         PreparedPlaintext,
     },
 };
+use eql_mapper::EqlTermVariant;
 use metrics::counter;
 use moka::future::Cache;
 use std::borrow::Cow;
@@ -152,18 +153,36 @@ impl EncryptionService for ZeroKms {
 
         for (idx, (plaintext_opt, col_opt)) in plaintexts.iter().zip(columns.iter()).enumerate() {
             if let (Some(plaintext), Some(col)) = (plaintext_opt, col_opt) {
-                let eql_op = if col.is_encryptable() {
-                    EqlOperation::Store
-                } else {
-                    // For search-only, we need to get the index type from the column config
-                    // and use Query operation
-                    if let Some(index) = col.config.indexes.first() {
-                        EqlOperation::Query(
-                            &index.index_type,
-                            cipherstash_client::encryption::QueryOp::Default,
-                        )
-                    } else {
-                        EqlOperation::Store
+                // Determine the EQL operation based on the term variant
+                let eql_op = match col.eql_term {
+                    // Full and Partial terms store encrypted data with all indexes
+                    EqlTermVariant::Full | EqlTermVariant::Partial => EqlOperation::Store,
+
+                    // JsonPath generates a selector term for SteVec queries
+                    EqlTermVariant::JsonPath => {
+                        if let Some(index) = col.config.indexes.first() {
+                            EqlOperation::Query(&index.index_type, QueryOp::SteVecSelector)
+                        } else {
+                            EqlOperation::Store
+                        }
+                    }
+
+                    // JsonAccessor generates a selector term for SteVec field access (-> operator)
+                    EqlTermVariant::JsonAccessor => {
+                        if let Some(index) = col.config.indexes.first() {
+                            EqlOperation::Query(&index.index_type, QueryOp::SteVecSelector)
+                        } else {
+                            EqlOperation::Store
+                        }
+                    }
+
+                    // Tokenized generates match index terms for LIKE/ILIKE
+                    EqlTermVariant::Tokenized => {
+                        if let Some(index) = col.config.indexes.first() {
+                            EqlOperation::Query(&index.index_type, QueryOp::Default)
+                        } else {
+                            EqlOperation::Store
+                        }
                     }
                 };
 
@@ -186,9 +205,11 @@ impl EncryptionService for ZeroKms {
         // Use default opts since cipher is already initialized with the correct keyset
         let opts = EqlEncryptOpts::default();
 
+        debug!(target: ENCRYPT, msg="Calling encrypt_eql", count = prepared_plaintexts.len());
         let encrypted = encrypt_eql(cipher, prepared_plaintexts, &opts)
             .await
             .map_err(EncryptError::from)?;
+        debug!(target: ENCRYPT, msg="encrypt_eql completed", count = encrypted.len());
 
         // Reconstruct the result vector with None values in the right places
         let mut result: Vec<Option<EqlCiphertext>> = vec![None; plaintexts.len()];
@@ -237,9 +258,11 @@ impl EncryptionService for ZeroKms {
         // Use default opts since cipher is already initialized with the correct keyset
         let opts = EqlDecryptOpts::default();
 
+        debug!(target: ENCRYPT, msg="Calling decrypt_eql", count = ciphertexts_to_decrypt.len());
         let decrypted = decrypt_eql(cipher, ciphertexts_to_decrypt, &opts)
             .await
             .map_err(EncryptError::from)?;
+        debug!(target: ENCRYPT, msg="decrypt_eql completed", count = decrypted.len());
 
         // Reconstruct the result vector with None values in the right places
         let mut result: Vec<Option<Plaintext>> = vec![None; ciphertexts.len()];