test: implement coverage #005 Tier-A suggestions (S1-S4, S8)

Add 165 tests covering the directly-testable surface identified in
coverage review #005. Workspace coverage rises 87.1% -> 91.2%
(5759/6615 -> 6505/7135); all 389 tests pass, clippy clean.

- S1 (connection.rs): dispatch_envelope across all five event-type arms
  for Call + Subscribe, plus SubscriptionStream poll_next branches and
  SubscriptionStream::closed.
- S2 (types.rs): map_quinn/iroh_connection_error for TimedOut/Reset/
  ApplicationClosed/other, plus HandlerError + StreamError Debug/Display/
  source for every variant.
- S3 (config.rs): Ed25519SecretKey from_bytes/as_bytes round-trip,
  sign+verify, tampered-message rejection, Debug non-leakage.
- S4 (endpoint.rs): build_rustls_server_config RawKey/SelfSigned/Acme
  arms, build_quinn_server_config_from_rustls, load_private_key/
  load_cert_chain error paths, has_iroh_identity branches,
  AcceptAnyCertVerifier trait methods, Ed25519SigningKey trait impls
  (choose_scheme both branches, algorithm, public_key, sign, scheme),
  RawKeyCertResolver + AlknetEndpoint Debug. endpoint.rs 56% -> 73%.
- S8 (vault protocol.rs): the existing redacted-deserialize test passed
  for the wrong reason (JSON string failed Vec<u8> coercion before the
  guard). Two new tests exercise the guard directly via a [REDACTED] byte
  array (rejected) and a real payload (accepted). protocol.rs -> 100%.

Deferred to follow-up: S5 (loopback quinn integration test, the real
unlock for accept/dispatch/stream paths), S6 (ACME event-loop extraction),
S7 (adapter abort arm). Review #005 updated with the resolution.
2026-06-25 05:43:59 +00:00
parent 32dcc05658
commit 011db05a52
6 changed files with 841 additions and 3 deletions


@@ -148,6 +148,45 @@ mod tests {
);
}
#[test]
fn test_derived_key_deserialize_rejects_redacted_byte_array() {
// `[REDACTED]` as a 10-byte ASCII array: the redacted-marker guard at
// protocol.rs:78 is only reachable when private_key deserializes as
// Vec<u8> equal to b"[REDACTED]". The byte-array form is the one that
// actually reaches the guard (a JSON string fails type coercion first).
let redacted_bytes: Vec<u8> = b"[REDACTED]".to_vec();
let mut json = String::from(r#"{"key_type":"Ed25519","private_key":"#);
json.push_str(&serde_json::to_string(&redacted_bytes).unwrap());
json.push_str(r#","public_key":[205]}"#);
let result: Result<DerivedKey, _> = serde_json::from_str(&json);
let err = result.expect_err("redacted byte array must be rejected");
let msg = err.to_string();
assert!(
msg.contains("redacted"),
"error must explain the redacted-payload rejection, got: {msg}"
);
assert!(
!msg.contains("AB"),
"error must not leak any key bytes, got: {msg}"
);
}
#[test]
fn test_derived_key_deserialize_accepts_non_redacted_payload() {
// A real (non-redacted) private key byte array must deserialize
// successfully and reach the Ok arm of the deserialize impl.
let key = make_test_key();
let public = serde_json::to_string(&key.public_key).unwrap();
let private = serde_json::to_string(&vec![0xABu8; 32]).unwrap();
let json = format!(
r#"{{"key_type":"Ed25519","private_key":{private},"public_key":{public}}}"#
);
let result: DerivedKey = serde_json::from_str(&json).expect("non-redacted payload deserializes");
assert_eq!(result.key_type, KeyType::Ed25519);
assert_eq!(result.private_key, vec![0xABu8; 32]);
assert_eq!(result.public_key, key.public_key);
}
#[test]
fn test_derived_key_debug_does_not_leak_private_key_bytes() {
let key = make_test_key();
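Review bot: The `!msg.contains("AB")` assertion in test_derived_key_deserialize_rejects_redacted_byte_array cannot fail for the reason its message gives, because the JSON built in that test contains only the bytes of `b"[REDACTED]"` and `"public_key":[205]`, so there is no 0xAB key byte that could leak. A serde_json error would also be likely to render bytes as decimal numbers rather than hex, so even in the accept test's payload the string to look for would be `171`, not `AB`. Either drop the assertion or check against values that are actually in this input, for example that `msg` does not contain the decimal form of the submitted `private_key` array. Separately, the comment pins the guard to `protocol.rs:78`; a line number in a test comment goes stale on the next edit to that file, so referring to the guard by the function or impl it lives in would hold up better.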