feat: add *some* tests (read desc)

test currently use mock certs and as such are currently focused on testing aspects which *don't* rely on valid certificates, such as some input validation and so on. i marked some things as TODO.

Author: bitfl0wer

.sqlx/query-6ac8de40e7b49521a3c7f28f81b887384ee1f1c03af69aadec3736356cb94421.json

@@ -0,0 +1,59 @@
+-- Fixture for IdCert integration tests
+-- Contains data for testing HomeServerCert::get_idcert_by method
+
+-- Algorithm identifiers including ED25519
+INSERT INTO algorithm_identifiers (id, algorithm_identifier, common_name, parameters) VALUES
+(1, 'rsaEncryption', 'RSA', NULL),
+(2, 'id-ecPublicKey', 'EC', NULL),
+(3, '1.3.101.112', 'Edwards-curve Digital Signature Algorithm (EdDSA) Ed25519', NULL);
+
+-- Test actors for IdCert scenarios
+INSERT INTO actors (uaid, type) VALUES
+('00000000-0000-0000-0000-000000000010', 'local'),
+('00000000-0000-0000-0000-000000000011', 'local'),
+('00000000-0000-0000-0000-000000000012', 'local'),
+('00000000-0000-0000-0000-000000000013', 'local');
+
+INSERT INTO local_actors (uaid, local_name, deactivated, joined, password_hash) VALUES
+('00000000-0000-0000-0000-000000000010', 'idcert_test_user_1', FALSE, NOW(), 'hash'),
+('00000000-0000-0000-0000-000000000011', 'idcert_test_user_2', FALSE, NOW(), 'hash'),
+('00000000-0000-0000-0000-000000000012', 'idcert_test_user_3', FALSE, NOW(), 'hash'),
+('00000000-0000-0000-0000-000000000013', 'idcert_test_user_4', FALSE, NOW(), 'hash');
+
+-- Test public keys (using placeholders - tests will generate real keys)
+INSERT INTO public_keys (id, uaid, pubkey, algorithm_identifier) VALUES
+(100, '00000000-0000-0000-0000-000000000010', 'PLACEHOLDER_PEM_KEY_1', 3),
+(101, '00000000-0000-0000-0000-000000000011', 'PLACEHOLDER_PEM_KEY_2', 3),
+(102, '00000000-0000-0000-0000-000000000012', 'PLACEHOLDER_PEM_KEY_3', 3),
+(103, '00000000-0000-0000-0000-000000000013', 'PLACEHOLDER_PEM_KEY_4', 3),
+-- Additional home server public keys
+(200, NULL, 'PLACEHOLDER_HOMESERVER_KEY_1', 3),
+(201, NULL, 'PLACEHOLDER_HOMESERVER_KEY_2', 3);
+
+-- Test ID-CSRs for IdCert tests
+INSERT INTO idcsr (
+    id, serial_number, uaid, subject_public_key_id, subject_signature,
+    session_id, valid_not_before, valid_not_after, extensions, pem_encoded
+) VALUES
+(100, 10000000000000000001, '00000000-0000-0000-0000-000000000010', 100, 'test_signature_idcert_1', 'session_idcert_1', NOW() - INTERVAL '1 day', NOW() + INTERVAL '30 days', 'test_extensions_idcert_1', 'test_csr_pem_idcert_1'),
+(101, 10000000000000000002, '00000000-0000-0000-0000-000000000011', 101, 'test_signature_idcert_2', 'session_idcert_2', NOW() - INTERVAL '1 day', NOW() + INTERVAL '30 days', 'test_extensions_idcert_2', 'test_csr_pem_idcert_2'),
+(102, 10000000000000000003, '00000000-0000-0000-0000-000000000012', 102, 'test_signature_idcert_3', 'session_idcert_3', NOW() - INTERVAL '2 days', NOW() - INTERVAL '1 day', 'test_extensions_idcert_3', 'test_csr_pem_idcert_3'),
+(103, 10000000000000000004, '00000000-0000-0000-0000-000000000013', 103, 'test_signature_idcert_4', 'session_idcert_4', NOW() + INTERVAL '1 day', NOW() + INTERVAL '30 days', 'test_extensions_idcert_4', 'test_csr_pem_idcert_4');
+
+-- Test issuers (different domains for testing)
+INSERT INTO issuers (id, domain_components) VALUES
+(100, ARRAY['example', 'com']),
+(101, ARRAY['test', 'org']),
+(102, ARRAY['expired', 'net']);
+
+-- Test ID-Certs
+-- Valid certificate for example.com
+INSERT INTO idcert (
+    idcsr_id, issuer_info_id, valid_not_before, valid_not_after,
+    home_server_public_key_id, home_server_signature, pem_encoded
+) VALUES
+(100, 100, NOW() - INTERVAL '1 day', NOW() + INTERVAL '30 days', 200, 'homeserver_signature_1', 'PLACEHOLDER_CERT_PEM_1'),
+-- Valid certificate for test.org
+(101, 101, NOW() - INTERVAL '1 day', NOW() + INTERVAL '30 days', 201, 'homeserver_signature_2', 'PLACEHOLDER_CERT_PEM_2'),
+-- Expired certificate for expired.net
+(102, 102, NOW() - INTERVAL '2 days', NOW() - INTERVAL '1 day', 200, 'homeserver_signature_3', 'PLACEHOLDER_CERT_PEM_3');

.sqlx/query-de4bfa33f888b7d4a3447c9efd3ce7ef44332dd6b7d492857cc4b63d1ad62fc1.json

@@ -76,3 +76,232 @@ impl HomeServerCert {
 		.map(Some)
 	}
 }
+
+#[cfg(test)]
+mod tests {
+	use chrono::{NaiveDate, Utc};
+	use sqlx::{Pool, Postgres, query};
+
+	use super::*;
+	use crate::crypto::ed25519::{DigitalPublicKey, DigitalSignature, generate_keypair};
+
+	/// Helper function to update fixture with real ED25519 keys and mock
+	/// certificates
+	// TODO: use real certs
+	async fn setup_real_keys_mock_certs(pool: &Pool<Postgres>) {
+		// Generate keypairs functionally and convert to PEM
+		let public_key_updates: Vec<(i64, String)> = (0..6)
+			.map(|_| generate_keypair().1) // Take only public key
+			.map(|pubkey| pubkey.public_key_info().to_pem(polyproto::der::pem::LineEnding::LF))
+			.collect::<Result<Vec<_>, _>>()
+			.expect("Failed to encode public keys to PEM")
+			.into_iter()
+			.zip([100i64, 101, 102, 103, 200, 201])
+			.map(|(pem, id)| (id, pem))
+			.collect();
+
+		// Apply updates to database
+		for (id, pem) in public_key_updates {
+			query!("UPDATE public_keys SET pubkey = $1 WHERE id = $2", pem, id)
+				.execute(pool)
+				.await
+				.unwrap_or_else(|_| panic!("Failed to update public key {}", id));
+		}
+
+		// Generate mock certificates functionally
+		let mock_cert_data = [
+			"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy8Dbv8prpJ/0kKhlGeJY",
+			"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1gKdWHX6Zv8ZLNqXwC7D",
+			"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2hLdVGY7Wx9YMNpXzE8G",
+		];
+
+		let certificate_updates: Vec<(i64, String)> = mock_cert_data
+			.iter()
+			.map(|&data| {
+				format!("-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----", data)
+			})
+			.zip([100i64, 101, 102])
+			.map(|(pem, id)| (id, pem))
+			.collect();
+
+		// Apply certificate updates to database
+		for (id, pem) in certificate_updates {
+			query!("UPDATE idcert SET pem_encoded = $1 WHERE idcsr_id = $2", pem, id)
+				.execute(pool)
+				.await
+				.unwrap_or_else(|_| panic!("Failed to update certificate {}", id));
+		}
+	}
+
+	#[sqlx::test(fixtures("../../fixtures/idcert_integration_tests.sql"))]
+	async fn test_get_idcert_by_nonexistent_domain(pool: Pool<Postgres>) {
+		setup_real_keys_mock_certs(&pool).await;
+		let db = Database { pool };
+
+		let domain = DomainName::new("nonexistent.com").unwrap();
+		let timestamp = Utc::now().naive_utc();
+
+		let result = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db, &domain, &timestamp,
+		)
+		.await
+		.unwrap();
+
+		assert!(result.is_none());
+	}
+
+	#[sqlx::test(fixtures("../../fixtures/idcert_integration_tests.sql"))]
+	async fn test_get_idcert_by_expired_certificate(pool: Pool<Postgres>) {
+		setup_real_keys_mock_certs(&pool).await;
+		let db = Database { pool };
+
+		// expired.net has a certificate that's already expired
+		let domain = DomainName::new("expired.net").unwrap();
+		let timestamp = Utc::now().naive_utc();
+
+		let result = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db, &domain, &timestamp,
+		)
+		.await
+		.unwrap();
+
+		assert!(result.is_none());
+	}
+
+	#[sqlx::test(fixtures("../../fixtures/idcert_integration_tests.sql"))]
+	async fn test_get_idcert_by_future_timestamp(pool: Pool<Postgres>) {
+		setup_real_keys_mock_certs(&pool).await;
+		let db = Database { pool };
+
+		let domain = DomainName::new("example.com").unwrap();
+		// Set timestamp far in the future, beyond certificate validity
+		let future_timestamp =
+			NaiveDate::from_ymd_opt(2030, 1, 1).unwrap().and_hms_opt(0, 0, 0).unwrap();
+
+		let result = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db,
+			&domain,
+			&future_timestamp,
+		)
+		.await
+		.unwrap();
+
+		assert!(result.is_none());
+	}
+
+	#[sqlx::test(fixtures("../../fixtures/idcert_integration_tests.sql"))]
+	async fn test_get_idcert_by_past_timestamp(pool: Pool<Postgres>) {
+		setup_real_keys_mock_certs(&pool).await;
+		let db = Database { pool };
+
+		let domain = DomainName::new("example.com").unwrap();
+		// Set timestamp in the past, before certificate validity
+		let past_timestamp =
+			NaiveDate::from_ymd_opt(2020, 1, 1).unwrap().and_hms_opt(0, 0, 0).unwrap();
+
+		let result = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db,
+			&domain,
+			&past_timestamp,
+		)
+		.await
+		.unwrap();
+
+		assert!(result.is_none());
+	}
+
+	#[tokio::test]
+	async fn test_get_idcert_by_domain_case_sensitivity() {
+		// Test domain validation behavior
+		let domain_exact = DomainName::new("example.com");
+		assert!(domain_exact.is_ok(), "Lowercase domain should be valid");
+
+		// Test that uppercase domain names are invalid per domain validation rules
+		let domain_upper_result = DomainName::new("EXAMPLE.COM");
+		assert!(
+			domain_upper_result.is_err(),
+			"Uppercase domain names should be rejected by DomainName validation"
+		);
+
+		println!("Domain case sensitivity validation works correctly");
+	}
+
+	#[sqlx::test(fixtures("../../fixtures/idcert_integration_tests.sql"))]
+	async fn test_get_idcert_by_multiple_domains(pool: Pool<Postgres>) {
+		setup_real_keys_mock_certs(&pool).await;
+		let db = Database { pool };
+
+		let timestamp = Utc::now().naive_utc();
+
+		// Test example.com
+		let domain1 = DomainName::new("example.com").unwrap();
+		let result1 = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db, &domain1, &timestamp,
+		)
+		.await;
+
+		// Test test.org
+		let domain2 = DomainName::new("test.org").unwrap();
+		let result2 = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db, &domain2, &timestamp,
+		)
+		.await;
+
+		// Both should find database records but fail on certificate parsing for now
+		// TODO
+		assert!(result1.is_err());
+		assert!(result2.is_err());
+	}
+
+	#[sqlx::test(fixtures("../../fixtures/idcert_integration_tests.sql"))]
+	async fn test_get_idcert_by_database_edge_cases(pool: Pool<Postgres>) {
+		setup_real_keys_mock_certs(&pool).await;
+		let db = Database { pool };
+
+		// Test with subdomain that doesn't exist
+		let subdomain = DomainName::new("sub.example.com").unwrap();
+		let timestamp = Utc::now().naive_utc();
+
+		let result_subdomain = HomeServerCert::get_idcert_by::<DigitalSignature, DigitalPublicKey>(
+			&db, &subdomain, &timestamp,
+		)
+		.await
+		.unwrap();
+
+		assert!(result_subdomain.is_none());
+
+		// Test with empty domain components (this should fail domain creation)
+		let empty_domain_result = DomainName::new("");
+		assert!(empty_domain_result.is_err());
+	}
+
+	#[tokio::test]
+	async fn test_real_ed25519_key_generation_and_pem_encoding() {
+		let (_private_key, public_key) = generate_keypair();
+
+		// Test PEM encoding/decoding pipeline functionally
+		let pem_data = public_key
+			.public_key_info()
+			.to_pem(polyproto::der::pem::LineEnding::LF)
+			.expect("Failed to encode public key to PEM");
+
+		// Verify PEM structure functionally
+		[
+			("-----BEGIN PUBLIC KEY-----", pem_data.starts_with("-----BEGIN PUBLIC KEY-----")),
+			("-----END PUBLIC KEY-----\n", pem_data.ends_with("-----END PUBLIC KEY-----\n")),
+		]
+		.iter()
+		.for_each(|(expected, valid)| {
+			assert!(*valid, "PEM structure validation failed for: {}", expected);
+		});
+
+		// Test round-trip: PEM -> PublicKeyInfo -> DigitalPublicKey -> bytes
+		let original_bytes = public_key.key.to_bytes();
+		let reconstructed_bytes = PublicKeyInfo::from_pem(&pem_data)
+			.and_then(|info| DigitalPublicKey::try_from_public_key_info(info))
+			.map(|key| key.key.to_bytes())
+			.expect("Failed to reconstruct key from PEM");
+
+		assert_eq!(original_bytes, reconstructed_bytes, "Round-trip key conversion failed");
+	}
+}