test: add unit tests for client certificate PEM/PKCS helpers#793
Merged
Conversation
Adds table-driven unit tests for the previously untested pure helpers in clientcertcredential.go: isPublicKeyEqual, splitPEMBlock, parseRsaPrivateKey, parseKeyPairFromPEMBlock, decodePkcs12 (error path), and readCertificate. Certificates and keys are generated in-test, so no fixtures or new dependencies are introduced. Package coverage improves from 64.1% to 65.8%; the targeted helpers go from 0% to 89-100% (decodePkcs12 error path only, as the success path needs a real PFX). Related to Azure#7 Signed-off-by: Naeem Hossain <naeemhossain@users.noreply.github.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #793 +/- ##
==========================================
- Coverage 63.43% 59.61% -3.83%
==========================================
Files 37 49 +12
Lines 2210 2481 +271
==========================================
+ Hits 1402 1479 +77
- Misses 733 844 +111
- Partials 75 158 +83 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Adds tests that decode a password-protected PKCS#12 (PFX) via decodePkcs12 and readCertificate: correct password returns the cert/key, wrong password errors. The fixture is an embedded, base64-encoded throwaway self-signed cert using legacy SHA1/3DES PBE (the only algorithms x/crypto/pkcs12 supports); a comment documents how to regenerate it. This exercises the client-certificate password path end to end, taking decodePkcs12 0%->100% and readCertificate 89%->100%. The --client-certificate-password flag requested in Azure#127 is already implemented; these tests lock in its behavior. Signed-off-by: Naeem Hossain <naeemhossain@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds unit-test coverage for the client certificate parsing helpers in pkg/internal/token, exercising PEM splitting, RSA key parsing, certificate/key matching, and PKCS#12 decode/read paths.
Changes:
- Introduces table-driven tests for PEM/keypair helper functions (RSA PKCS#1/PKCS#8, mismatch/error cases).
- Adds PKCS#12 (PFX) tests covering both correct/incorrect password behavior and
.pfxreading viareadCertificate.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/internal/token/clientcertcredential_helpers_test.go | Adds table-driven unit tests for PEM/keypair parsing helpers and error paths. |
| pkg/internal/token/clientcertcredential_pfx_test.go | Adds PKCS#12/PFX-focused tests, including a known-good PFX blob to validate successful decode and readCertificate behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds unit-test coverage for the pure certificate-parsing helpers in
pkg/internal/token/clientcertcredential.go, which were previously untested.What is covered
Table-driven tests for:
isPublicKeyEqual— identical / differing / nil-modulus keyssplitPEMBlock— separates cert vs. key blocks, ignores unknown block types, handles input with no PEM blocksparseRsaPrivateKey— PKCS#1, PKCS#8 (RSA), PKCS#8 (non-RSA → error), non-PEM / empty inputparseKeyPairFromPEMBlock— matching pair, mismatched cert/key, missing keydecodePkcs12— invalid input error pathreadCertificate— valid.pem, missing.pem, missing.pfxNotes
crypto/x509self-signed), so no fixtures and no new dependencies are introduced.testify).Coverage impact
Package
pkg/internal/tokencoverage improves 64.1% → 65.8%. Targeted helpers go from 0% to:isPublicKeyEqualsplitPEMBlockparseRsaPrivateKeyparseKeyPairFromPEMBlockreadCertificatedecodePkcs12Related to #7.