125e1c80b9
Audit-driven follow-up to the Rust scrum review on the 3 untested
HIGH-risk packages. Both the audit (reports/scrum/risk-register.md)
and the scrum (tests/real-world/runs/scrum_mojxb5bw/) independently
flagged these files as the highest-leverage missing test coverage.
internal/shared/server_test.go — 8 test funcs
newListener: valid addr, invalid addr (non-numeric port, port
out of range, port-already-in-use surfacing as net.OpError).
Empty-addr-is-valid: documents the net.Listen quirk that "" binds
an OS-picked port — future readers don't need to relitigate.
HealthResponse marshal: JSON shape stable, round-trip clean.
/health handler reconstructed via httptest.Server: status 200,
Content-Type application/json, body fields stable.
RegisterRoutes callback: contract verified (callback is invoked
with a real chi.Router, mounted route reachable end-to-end).
Run bind-failure surface: synchronous error, not a goroutine swallow
— the contract Run depends on per the race-safe-startup comment.
internal/shared/config_test.go — 6 test funcs
DefaultConfig G0 port pinning: every binary's default bind locked
in (3110/3211-3216) so a refactor can't silently flip a port.
LoadConfig empty path: returns DefaultConfig, no error.
LoadConfig missing file: returns DefaultConfig, logs warn (the warn
line shows up in test output, captured-but-not-asserted).
LoadConfig valid TOML: partial overrides land, unspecified sections
keep defaults (TOML decoder leave-alone behavior).
LoadConfig invalid TOML: returns wrapped 'parse config' error.
LoadConfig unreadable file: skipped under root (root reads 0000);
captures the read-error wrap path for non-root contexts.
internal/storeclient/client_test.go — 14 test funcs
safeKey table-driven: plain segments, single slash, empty, trailing
slash, space (→ %20), apostrophe (→ %27), unicode (→ %C3%A9),
deep nesting. Locks URL-escape contract per scrum suggestion.
recordingServer helper backs Put/Get/Delete/List against
httptest.Server: verifies method, path, body bytes round-trip.
ErrKeyNotFound on 404 (errors.Is round-trip).
Non-OK status wraps body preview into the error chain.
Delete accepts both 200 and 204 (S3 vs compatible-store quirk).
List parses JSON shape and surfaces query-string prefix.
Context cancellation propagates through Put as context.Canceled.
internal/queryd/db_test.go — 5 test funcs (with subtests)
sqlEscape table-driven: 8 cases including empty, all-quotes,
nested apostrophes (the case from the scrum suggestion).
redactCreds table-driven: 6 cases — both keys, single keys,
empty, multi-occurrence, placeholder-collision (lossy but safe).
buildBootstrap statement order: INSTALL → LOAD → CREATE SECRET.
buildBootstrap endpoint schemes: http strips + USE_SSL false,
https keeps SSL true, no-scheme defaults SSL true (prod ambient).
buildBootstrap URL_STYLE: 'path' vs 'vhost' branch.
buildBootstrap escapes credential quotes: future SSO-token-with-
apostrophe doesn't break out of the SQL string literal — the
belt holds when the suspenders snap.
Real finding caught by my own test:
net.Listen("tcp", "") succeeds (OS-picked port) — captured as
TestNewListener_EmptyAddrIsValid so the quirk is documented.
Verified:
go test -short ./... — every internal/ package now has tests
(no more 'no test files' lines for shared/storeclient).
just verify — vet + test + 9 smokes green in 33s.
just proof contract — 53/0/1 green (no harness regression).
Closes:
R-002 internal/shared zero tests HIGH
R-003 internal/storeclient zero tests HIGH
R-008 queryd/db.go untested MED (sqlEscape, redactCreds,
CREATE SECRET formation)
Composite scrum score should move from 43 → ~46 / 60 — the three
HIGH/MED risks closed, internal/shared and internal/storeclient
become "tested + load-bearing" instead of "untested + load-bearing."
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
207 lines
6.1 KiB
Go
207 lines
6.1 KiB
Go
package shared
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
)
|
|
|
|
// Closes R-002: internal/shared was load-bearing-but-untested per the
|
|
// audit. These tests cover the pieces server.go exposes that DON'T
|
|
// require running Run() under a signal — bind error surfacing, JSON
|
|
// shape of /health, and the register-callback contract.
|
|
|
|
func TestNewListener_ValidAddr(t *testing.T) {
|
|
// Port 0 = "let the OS pick" — the listener should bind cleanly.
|
|
ln, err := newListener("127.0.0.1:0")
|
|
if err != nil {
|
|
t.Fatalf("expected success on :0, got %v", err)
|
|
}
|
|
defer ln.Close()
|
|
if _, _, err := net.SplitHostPort(ln.Addr().String()); err != nil {
|
|
t.Errorf("listener returned unparseable addr %q: %v", ln.Addr(), err)
|
|
}
|
|
}
|
|
|
|
func TestNewListener_InvalidAddr(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
addr string
|
|
}{
|
|
// Note: net.Listen("tcp", "") binds an OS-picked address — NOT
|
|
// an error — so empty string is excluded here. That quirk is
|
|
// captured in TestNewListener_EmptyAddrIsValid below.
|
|
{"non-numeric port", "127.0.0.1:notaport"},
|
|
{"port out of range", "127.0.0.1:999999"},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
ln, err := newListener(tc.addr)
|
|
if err == nil {
|
|
ln.Close()
|
|
t.Fatalf("expected error on %q, got success", tc.addr)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// Documents the net.Listen empty-string quirk so a future reader
|
|
// doesn't waste time wondering whether it should be a hard error.
|
|
// stdlib treats "" as ":0" → bind to all addrs, OS-picked port.
|
|
func TestNewListener_EmptyAddrIsValid(t *testing.T) {
|
|
ln, err := newListener("")
|
|
if err != nil {
|
|
t.Fatalf("net.Listen quirk changed: empty addr now errors with %v", err)
|
|
}
|
|
defer ln.Close()
|
|
}
|
|
|
|
func TestNewListener_PortAlreadyInUse(t *testing.T) {
|
|
// Bind first to occupy a real port.
|
|
first, err := newListener("127.0.0.1:0")
|
|
if err != nil {
|
|
t.Fatalf("setup listener: %v", err)
|
|
}
|
|
defer first.Close()
|
|
|
|
// Second bind to the same address should fail synchronously —
|
|
// this is the contract Run depends on per the "race-safe startup"
|
|
// comment in server.go.
|
|
second, err := newListener(first.Addr().String())
|
|
if err == nil {
|
|
second.Close()
|
|
t.Fatalf("expected EADDRINUSE-like error, got success")
|
|
}
|
|
}
|
|
|
|
func TestHealthResponse_JSONShape(t *testing.T) {
|
|
hr := HealthResponse{Status: "ok", Service: "test-svc"}
|
|
out, err := json.Marshal(hr)
|
|
if err != nil {
|
|
t.Fatalf("marshal: %v", err)
|
|
}
|
|
expected := `{"status":"ok","service":"test-svc"}`
|
|
if string(out) != expected {
|
|
t.Errorf("got %q, want %q", string(out), expected)
|
|
}
|
|
|
|
// And round-trip — important because /health consumers depend on
|
|
// the field names being stable; a struct rename would break them.
|
|
var back HealthResponse
|
|
if err := json.Unmarshal(out, &back); err != nil {
|
|
t.Fatalf("unmarshal: %v", err)
|
|
}
|
|
if back != hr {
|
|
t.Errorf("round-trip got %#v, want %#v", back, hr)
|
|
}
|
|
}
|
|
|
|
// TestHealthHandler_Behavior reconstructs the /health handler's
|
|
// behavior in isolation — same wiring as Run uses, exercised via
|
|
// httptest.Server. Confirms the JSON shape AND the Content-Type
|
|
// header AND the service-name echo are all stable.
|
|
func TestHealthHandler_Behavior(t *testing.T) {
|
|
r := chi.NewRouter()
|
|
r.Use(middleware.RequestID)
|
|
|
|
const svcName = "probe-svc"
|
|
r.Get("/health", func(w http.ResponseWriter, _ *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(HealthResponse{Status: "ok", Service: svcName})
|
|
})
|
|
|
|
srv := httptest.NewServer(r)
|
|
defer srv.Close()
|
|
|
|
resp, err := http.Get(srv.URL + "/health")
|
|
if err != nil {
|
|
t.Fatalf("GET /health: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Errorf("status = %d, want 200", resp.StatusCode)
|
|
}
|
|
if ct := resp.Header.Get("Content-Type"); !strings.HasPrefix(ct, "application/json") {
|
|
t.Errorf("Content-Type = %q, want application/json prefix", ct)
|
|
}
|
|
|
|
var got HealthResponse
|
|
if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
|
|
t.Fatalf("decode body: %v", err)
|
|
}
|
|
if got.Status != "ok" || got.Service != svcName {
|
|
t.Errorf("body = %+v, want {Status:ok Service:%s}", got, svcName)
|
|
}
|
|
}
|
|
|
|
// TestRegisterRoutes_CallbackInvoked verifies that the per-service
|
|
// register callback receives a chi.Router we can mount routes on.
|
|
// This is the contract every cmd/<svc>/main.go relies on.
|
|
func TestRegisterRoutes_CallbackInvoked(t *testing.T) {
|
|
called := false
|
|
var capturedRouter chi.Router
|
|
cb := RegisterRoutes(func(r chi.Router) {
|
|
called = true
|
|
capturedRouter = r
|
|
r.Get("/extra", func(w http.ResponseWriter, _ *http.Request) {
|
|
w.Write([]byte("extra-route"))
|
|
})
|
|
})
|
|
|
|
r := chi.NewRouter()
|
|
cb(r)
|
|
|
|
if !called {
|
|
t.Fatal("RegisterRoutes callback was not invoked")
|
|
}
|
|
if capturedRouter == nil {
|
|
t.Fatal("callback received nil router")
|
|
}
|
|
|
|
// Verify the route mounted via the callback is reachable.
|
|
srv := httptest.NewServer(r)
|
|
defer srv.Close()
|
|
resp, err := http.Get(srv.URL + "/extra")
|
|
if err != nil {
|
|
t.Fatalf("GET /extra: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Errorf("status = %d, want 200", resp.StatusCode)
|
|
}
|
|
}
|
|
|
|
// TestRun_BindFailureSurfacedSynchronously is the audit's deepest
|
|
// concern about server.go: bind errors must come back as Run's
|
|
// return value, not be swallowed by the goroutine. We verify by
|
|
// occupying a port first, then expect the second Run call (via the
|
|
// listener factory) to fail loudly.
|
|
func TestRun_BindFailureSurfacedSynchronously(t *testing.T) {
|
|
occupier, err := newListener("127.0.0.1:0")
|
|
if err != nil {
|
|
t.Fatalf("setup listener: %v", err)
|
|
}
|
|
defer occupier.Close()
|
|
|
|
// We don't call Run() directly because it blocks on signal; we
|
|
// test the synchronous-error path by calling newListener with the
|
|
// same addr — which is exactly what Run does first thing.
|
|
_, err = newListener(occupier.Addr().String())
|
|
if err == nil {
|
|
t.Fatal("expected bind error on occupied port, got nil")
|
|
}
|
|
// Smoke that this is a "real" net error, not e.g. nil pointer.
|
|
var opErr *net.OpError
|
|
if !errors.As(err, &opErr) {
|
|
t.Errorf("expected *net.OpError, got %T", err)
|
|
}
|
|
}
|