feat(store): accounts CRUD with encrypted password column

internal/store/account_test.go

@@ -0,0 +1,67 @@
+package store
+
+import (
+	"errors"
+	"testing"
+)
+
+func sampleAccount() Account {
+	return Account{
+		Name: "work", Mode: "RO",
+		IMAPHost: "imap.example.com", IMAPPort: 993, IMAPSecurity: "tls",
+		AuthType: "password", Username: "me@example.com",
+		Password: "s3cr3t", SubjectRegex: "",
+	}
+}
+
+func TestAddGetAccountDecryptsSecret(t *testing.T) {
+	s := openTemp(t)
+	id, err := s.AddAccount(sampleAccount())
+	if err != nil {
+		t.Fatalf("AddAccount: %v", err)
+	}
+	if id == 0 {
+		t.Fatal("want non-zero id")
+	}
+	got, err := s.GetAccount("work")
+	if err != nil {
+		t.Fatalf("GetAccount: %v", err)
+	}
+	if got.Password != "s3cr3t" {
+		t.Fatalf("password not decrypted: %q", got.Password)
+	}
+	if got.Mode != "RO" || got.IMAPPort != 993 {
+		t.Fatalf("fields wrong: %+v", got)
+	}
+}
+
+func TestPasswordStoredEncrypted(t *testing.T) {
+	s := openTemp(t)
+	_, _ = s.AddAccount(sampleAccount())
+	var blob []byte
+	if err := s.db.QueryRow("SELECT enc_password FROM accounts WHERE name='work'").Scan(&blob); err != nil {
+		t.Fatalf("query: %v", err)
+	}
+	if string(blob) == "s3cr3t" || len(blob) == 0 {
+		t.Fatalf("password not encrypted at rest: %q", blob)
+	}
+}
+
+func TestGetAccountNotFound(t *testing.T) {
+	s := openTemp(t)
+	if _, err := s.GetAccount("nope"); !errors.Is(err, ErrAccountNotFound) {
+		t.Fatalf("want ErrAccountNotFound, got %v", err)
+	}
+}
+
+func TestListAccountsOmitsSecrets(t *testing.T) {
+	s := openTemp(t)
+	_, _ = s.AddAccount(sampleAccount())
+	list, err := s.ListAccounts()
+	if err != nil || len(list) != 1 {
+		t.Fatalf("list: %v len=%d", err, len(list))
+	}
+	if list[0].Password != "" {
+		t.Fatal("ListAccounts must not return secrets")
+	}
+}