test(coverage/crypto): drive crypto to ≥95% (was 89.2%)#30
Merged
Conversation
Adds 8 internal tests targeting previously-uncovered branches:
- Encrypt nonce-read error path (lines 66-68): swappable
randReader package var lets tests inject an erroring io.Reader.
- GenerateAPIKey rand-read error + short-read paths: swappable
tokenRandReader package var.
- SignJWT + SignOnboardingJWT SignedString error paths:
swappable jwtSigningMethod package var lets a failingSigningMethod
drive the error branch.
- VerifyOnboardingJWT alg-confusion guard (RS256 header rejected).
- VerifyJWT + VerifyOnboardingJWT defensive iat-future check:
uses jwt.TimeFunc override so the library's RegisteredClaims.Valid
passes, leaving the second-line-of-defense check in our code to
fire — guards against jwt/v4 upstream dropping the iat check.
Source-side change: 3 package-level vars (randReader,
tokenRandReader, jwtSigningMethod) replace direct references to
crypto/rand.Reader and jwt.SigningMethodHS256. Production behaviour
unchanged; only tests override them.
Coverage: 89.2% -> 95.5%. Remaining 5 uncovered statements are
genuinely unreachable defensive code:
- aes.go:61-63 / 87-89 cipher.NewGCM error (AES blocks never
fail GCM construction)
- jwt.go:83 non-ValidationError unwrap (jwt/v4 always wraps
parse errors in ValidationError)
- jwt.go:86-88 / 130-132 !ok || !parsed.Valid defensive
(ParseWithClaims with a typed receiver always either errors
or returns ok && Valid)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6 tasks
mastermanas805
added a commit
that referenced
this pull request
May 21, 2026
Caps the cross-repo 95% coverage push for `common`. After PRs #25-#30 landed for crypto/nats/plans/readiness/r2/logctx, the two remaining storage backends sat at 63.6% (dospaces) and 72.2% (s3). dospaces -> 100.0% via accessor + customerEndpointURL fallback coverage: all simple getters (MasterAccessKey, MasterSecretKey, Endpoint, PublicURL, Bucket, Region, UseTLS) plus the scheme-prefix and already-schemed endpoint branches inside customerEndpointURL(). s3 -> 97.2% via accessor + IssueTenantCredentials default-fallback + safeSessionName branch coverage: digits/dashes/underscores retained, RoleSessionName truncation at 56, customerEndpointURL passthrough for already-schemed endpoints, RevokeTenantCredentials no-op confirmation, and AssumeRole error propagation through IssueTenantCredentials. Total: 94.5% -> 98.0%. Every package now >=95%. Coverage block (rule 17): Symptom: common total 94.5% < 95% target; per-pkg dospaces/s3 below floor Enumeration: go tool cover -func | sort | grep "<100" Sites found: 2 (storageprovider/dospaces, storageprovider/s3) Sites touched: both Coverage test: TestRegistry_AllProvidersSatisfyContract + per-backend registry-walk tests already in place; new coverage files add accessor + edge-branch assertions. Live verified: go test ./... -short -coverprofile cov.out; total = 98.0% Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Drives
common/cryptoline coverage from 89.2% → 95.5% by adding 8 internal tests targeting previously-uncovered error branches inaes.go,jwt.go, andtoken.go.Test additions (
crypto/coverage_test.go, internal package)Encryptnonce-read error path —randReaderswap witherrReaderGenerateAPIKeyrand-read error + short-read paths —tokenRandReaderswapSignJWT+SignOnboardingJWTSignedString error paths —jwtSigningMethodswap withfailingSigningMethodVerifyOnboardingJWTalg-confusion guard (RS256 header rejected)VerifyJWT+VerifyOnboardingJWTdefensive iat-future check — usesjwt.TimeFuncoverride so the library'sRegisteredClaims.Validpasses, leaving our defensive check to fire (guards against jwt/v4 upstream dropping the iat check)Source-side change
Three package-level vars replace direct references:
var randReader io.Reader = rand.Reader(aes.go)var tokenRandReader io.Reader = rand.Reader(token.go)var jwtSigningMethod jwt.SigningMethod = jwt.SigningMethodHS256(jwt.go)Production behaviour unchanged; only tests override them.
Remaining uncovered (5 stmts — genuinely unreachable)
aes.go:61-63/87-89cipher.NewGCMerror — AES blocks never fail GCM constructionjwt.go:83non-ValidationError unwrap — jwt/v4 always wraps parse errors in*ValidationErrorjwt.go:86-88/130-132!ok || !parsed.Validdefensive —ParseWithClaimswith a typed receiver either errors or returnsok && ValidTest plan
go test ./crypto -count=1 -racepassesgo vet ./crypto/cleango test ./... -count=1 -short(whole common module) passesgo test ./crypto -coverprofile=cov.out→ 95.5%🤖 Generated with Claude Code