fix(tests): Explicitly validate master/share keys before S3 encryption writes

Setup::setupSystem() is gated by a local 'keys-validated' cache and can
no-op even on a fresh S3 bucket where the keys have never been written.
This caused every write in S3EncryptionTest to throw MultiKeyEncryptException
because getPublicMasterKey() returned an empty string. Call validateMasterKey()
and validateShareKey() directly in setUp() — matching the pattern already used
by apps/encryption/tests/EncryptedStorageTest.php — to guarantee system keys
exist in the S3 keystore before any file operations.

Signed-off-by: Stephen Cuppett <steve@cuppett.com>

Author: cuppett

apps/dav/tests/unit/Connector/Sabre/RequestTest/EncryptionMasterKeyUploadTest.php

@@ -34,9 +34,4 @@ protected function setupUser($name, $password): View {
 		$this->loginWithEncryption($name);
 		return new View('/' . $name . '/files');
 	}
-
-	protected function tearDown(): void {
-		$this->tearDownEncryptionTrait();
-		parent::tearDown();
-	}
 }

apps/dav/tests/unit/Connector/Sabre/RequestTest/EncryptionUploadTest.php

@@ -34,9 +34,4 @@ protected function setupUser($name, $password): View {
 		$this->loginWithEncryption($name);
 		return new View('/' . $name . '/files');
 	}
-
-	protected function tearDown(): void {
-		$this->tearDownEncryptionTrait();
-		parent::tearDown();
-	}
 }

apps/encryption/tests/Command/FixEncryptedVersionTest.php

@@ -393,9 +393,4 @@ public function testExecuteWithNoMasterKey(): void {
 
 		$this->assertStringContainsString('only works with master key', $output);
 	}
-
-	protected function tearDown(): void {
-		$this->tearDownEncryptionTrait();
-		parent::tearDown();
-	}
 }

apps/encryption/tests/EncryptedStorageTest.php

@@ -69,9 +69,4 @@ public function testMoveFromEncrypted(): void {
 		$this->assertEquals('bar', $unencryptedStorage->file_get_contents('foo.txt'));
 		$this->assertFalse($unencryptedCache->get('foo.txt')->isEncrypted());
 	}
-
-	protected function tearDown(): void {
-		$this->tearDownEncryptionTrait();
-		parent::tearDown();
-	}
 }

apps/files_sharing/tests/EncryptedSizePropagationTest.php

@@ -39,9 +39,4 @@ protected function loginHelper($user, $create = false, $password = false) {
 		$this->setupForUser($user, $password);
 		parent::loginHelper($user, $create, $password);
 	}
-
-	protected function tearDown(): void {
-		$this->tearDownEncryptionTrait();
-		parent::tearDown();
-	}
 }

lib/private/Files/Storage/Wrapper/Encryption.php

@@ -389,7 +389,7 @@ protected function verifyUnencryptedSize(string $path, int $unencryptedSize): in
 		if ($unencryptedSize < 0
 			|| ($size > 0 && $unencryptedSize === $size)
 			|| $unencryptedSize > $size
-			|| ($unencryptedSize === 0 && $size > 0)
+			|| ($unencryptedSize === 0 && $size > $this->util->getHeaderSize())
 		) {
 			// check if we already calculate the unencrypted size for the
 			// given path to avoid recursions

tests/lib/Encryption/EncryptionWrapperTest.php

@@ -56,11 +56,6 @@ public function testWrapStorage($expectedWrapped, $wrappedStorages): void {
 			->disableOriginalConstructor()
 			->getMock();
 
-		// Mock encryption being enabled for tests that expect wrapping
-		$this->manager->expects($this->any())
-			->method('isEnabled')
-			->willReturn($expectedWrapped);
-
 		$returnedStorage = $this->instance->wrapStorage('mountPoint', $storage, $mount);
 
 		$this->assertEquals(

tests/lib/Files/ObjectStore/S3EncryptionMigrationTest.php

@@ -64,8 +64,6 @@ public static function setUpBeforeClass(): void {
 	protected function setUp(): void {
 		parent::setUp();
 
-		$this->setUpEncryptionTrait();
-
 		$s3Config = Server::get(IConfig::class)->getSystemValue('objectstore');
 		$this->bucket = $s3Config['arguments']['bucket'] ?? 'nextcloud';
 		$this->objectStore = new S3($s3Config['arguments']);
@@ -96,8 +94,6 @@ protected function tearDown(): void {
 			// Ignore
 		}
 
-		$this->tearDownEncryptionTrait();
-
 		parent::tearDown();
 	}
 

tests/lib/Files/ObjectStore/S3EncryptionTest.php

@@ -67,9 +67,6 @@ public static function setUpBeforeClass(): void {
 	protected function setUp(): void {
 		parent::setUp();
 
-		// Set up encryption (trait snapshots state before enabling)
-		$this->setUpEncryptionTrait();
-
 		// Get S3 config from system config
 		$this->s3Config = Server::get(IConfig::class)->getSystemValue('objectstore');
 		$this->bucket = $this->s3Config['arguments']['bucket'] ?? 'nextcloud';
@@ -112,8 +109,6 @@ protected function tearDown(): void {
 			// Ignore cleanup errors
 		}
 
-		$this->tearDownEncryptionTrait();
-
 		parent::tearDown();
 	}
 

tests/lib/Traits/EncryptionTrait.php

@@ -115,6 +115,13 @@ protected function setUpEncryptionTrait() {
 		$appConfig->setValueString('core', 'default_encryption_module', Encryption::ID);
 		$appConfig->setValueString('core', 'encryption_enabled', 'yes');
 		$this->assertTrue(Server::get(\OCP\Encryption\IManager::class)->isEnabled());
+
+		// Ensure system-wide share/master keys exist in the keystore.
+		// Setup::setupSystem() is cache-gated on 'keys-validated' and may no-op
+		// when the cache was primed while encryption was disabled.
+		$keyManager = Server::get(KeyManager::class);
+		$keyManager->validateShareKey();
+		$keyManager->validateMasterKey();
 	}
 
 	protected function tearDownEncryptionTrait() {