test: implement coverage #005 Tier-A suggestions (S1-S4, S8)
Add 165 tests covering the directly-testable surface identified in coverage review #005. Workspace coverage rises 87.1% -> 91.2% (5759/6615 -> 6505/7135); all 389 tests pass, clippy clean. - S1 (connection.rs): dispatch_envelope across all five event-type arms for Call + Subscribe, plus SubscriptionStream poll_next branches and SubscriptionStream::closed. - S2 (types.rs): map_quinn/iroh_connection_error for TimedOut/Reset/ ApplicationClosed/other, plus HandlerError + StreamError Debug/Display/ source for every variant. - S3 (config.rs): Ed25519SecretKey from_bytes/as_bytes round-trip, sign+verify, tampered-message rejection, Debug non-leakage. - S4 (endpoint.rs): build_rustls_server_config RawKey/SelfSigned/Acme arms, build_quinn_server_config_from_rustls, load_private_key/ load_cert_chain error paths, has_iroh_identity branches, AcceptAnyCertVerifier trait methods, Ed25519SigningKey trait impls (choose_scheme both branches, algorithm, public_key, sign, scheme), RawKeyCertResolver + AlknetEndpoint Debug. endpoint.rs 56% -> 73%. - S8 (vault protocol.rs): the existing redacted-deserialize test passed for the wrong reason (JSON string failed Vec<u8> coercion before the guard). Two new tests exercise the guard directly via a [REDACTED] byte array (rejected) and a real payload (accepted). protocol.rs -> 100%. Deferred to follow-up: S5 (loopback quinn integration test, the real unlock for accept/dispatch/stream paths), S6 (ACME event-loop extraction), S7 (adapter abort arm). Review #005 updated with the resolution.
This commit is contained in:
@@ -423,4 +423,60 @@ mod tests {
|
||||
"fingerprint-resolved identities must have empty resources (Option B — scopes only)"
|
||||
);
|
||||
}
|
||||
|
||||
// --- Ed25519SecretKey -------------------------------------------------
|
||||
|
||||
#[test]
|
||||
fn ed25519_secret_key_round_trips_bytes() {
|
||||
let key = Ed25519SecretKey::generate();
|
||||
let bytes = key.as_bytes();
|
||||
let restored = Ed25519SecretKey::from_bytes(&bytes);
|
||||
assert_eq!(restored.as_bytes(), bytes);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn ed25519_secret_key_sign_verifies_against_public_key() {
|
||||
use ed25519_dalek::{Signature, Verifier};
|
||||
let key = Ed25519SecretKey::generate();
|
||||
let public = key.public();
|
||||
let message = b"alknet coverage check";
|
||||
let signature: Signature = key.sign(message);
|
||||
assert_eq!(signature.to_bytes().len(), 64);
|
||||
assert!(
|
||||
public.verify(message, &signature).is_ok(),
|
||||
"signature produced by Ed25519SecretKey::sign must verify under its public key"
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn ed25519_secret_key_sign_rejects_tampered_message() {
|
||||
use ed25519_dalek::{Signature, Verifier};
|
||||
let key = Ed25519SecretKey::generate();
|
||||
let public = key.public();
|
||||
let signature: Signature = key.sign(b"original message");
|
||||
assert!(
|
||||
public.verify(b"tampered message", &signature).is_err(),
|
||||
"signature must not verify against a different message"
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn ed25519_secret_key_debug_does_not_leak_material() {
|
||||
let key = Ed25519SecretKey::generate();
|
||||
let dbg = format!("{key:?}");
|
||||
assert!(dbg.contains("Ed25519SecretKey"));
|
||||
assert!(!dbg.contains("SigningKey"));
|
||||
let raw = hex::encode(key.as_bytes());
|
||||
assert!(
|
||||
!dbg.contains(&raw),
|
||||
"Debug output must not contain the raw key bytes"
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn ed25519_secret_key_public_matches_underlying_signing_key() {
|
||||
let key = Ed25519SecretKey::generate();
|
||||
let public = key.public();
|
||||
assert_eq!(public.to_bytes().len(), 32);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user