test: implement coverage #005 Tier-A suggestions (S1-S4, S8)

Add 165 tests covering the directly-testable surface identified in
coverage review #005. Workspace coverage rises 87.1% -> 91.2%
(5759/6615 -> 6505/7135); all 389 tests pass, clippy clean.

- S1 (connection.rs): dispatch_envelope across all five event-type arms
  for Call + Subscribe, plus SubscriptionStream poll_next branches and
  SubscriptionStream::closed.
- S2 (types.rs): map_quinn/iroh_connection_error for TimedOut/Reset/
  ApplicationClosed/other, plus HandlerError + StreamError Debug/Display/
  source for every variant.
- S3 (config.rs): Ed25519SecretKey from_bytes/as_bytes round-trip,
  sign+verify, tampered-message rejection, Debug non-leakage.
- S4 (endpoint.rs): build_rustls_server_config RawKey/SelfSigned/Acme
  arms, build_quinn_server_config_from_rustls, load_private_key/
  load_cert_chain error paths, has_iroh_identity branches,
  AcceptAnyCertVerifier trait methods, Ed25519SigningKey trait impls
  (choose_scheme both branches, algorithm, public_key, sign, scheme),
  RawKeyCertResolver + AlknetEndpoint Debug. endpoint.rs 56% -> 73%.
- S8 (vault protocol.rs): the existing redacted-deserialize test passed
  for the wrong reason (JSON string failed Vec<u8> coercion before the
  guard). Two new tests exercise the guard directly via a [REDACTED] byte
  array (rejected) and a real payload (accepted). protocol.rs -> 100%.

Deferred to follow-up: S5 (loopback quinn integration test, the real
unlock for accept/dispatch/stream paths), S6 (ACME event-loop extraction),
S7 (adapter abort arm). Review #005 updated with the resolution.
This commit is contained in:
2026-06-25 05:43:59 +00:00
parent 32dcc05658
commit 011db05a52
6 changed files with 841 additions and 3 deletions

View File

@@ -423,4 +423,60 @@ mod tests {
"fingerprint-resolved identities must have empty resources (Option B — scopes only)"
);
}
// --- Ed25519SecretKey -------------------------------------------------
#[test]
fn ed25519_secret_key_round_trips_bytes() {
let key = Ed25519SecretKey::generate();
let bytes = key.as_bytes();
let restored = Ed25519SecretKey::from_bytes(&bytes);
assert_eq!(restored.as_bytes(), bytes);
}
#[test]
fn ed25519_secret_key_sign_verifies_against_public_key() {
use ed25519_dalek::{Signature, Verifier};
let key = Ed25519SecretKey::generate();
let public = key.public();
let message = b"alknet coverage check";
let signature: Signature = key.sign(message);
assert_eq!(signature.to_bytes().len(), 64);
assert!(
public.verify(message, &signature).is_ok(),
"signature produced by Ed25519SecretKey::sign must verify under its public key"
);
}
#[test]
fn ed25519_secret_key_sign_rejects_tampered_message() {
use ed25519_dalek::{Signature, Verifier};
let key = Ed25519SecretKey::generate();
let public = key.public();
let signature: Signature = key.sign(b"original message");
assert!(
public.verify(b"tampered message", &signature).is_err(),
"signature must not verify against a different message"
);
}
#[test]
fn ed25519_secret_key_debug_does_not_leak_material() {
let key = Ed25519SecretKey::generate();
let dbg = format!("{key:?}");
assert!(dbg.contains("Ed25519SecretKey"));
assert!(!dbg.contains("SigningKey"));
let raw = hex::encode(key.as_bytes());
assert!(
!dbg.contains(&raw),
"Debug output must not contain the raw key bytes"
);
}
#[test]
fn ed25519_secret_key_public_matches_underlying_signing_key() {
let key = Ed25519SecretKey::generate();
let public = key.public();
assert_eq!(public.to_bytes().len(), 32);
}
}