Skip to content

test(operator): Add comprehensive unit tests for trustee module #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
6-dehan wants to merge 1 commit into from
Closed

test(operator): Add comprehensive unit tests for trustee module #39

6-dehan wants to merge 1 commit into from

Conversation

@6-dehan
Copy link
Contributor

@6-dehan 6-dehan commented Sep 24, 2025

This commit introduces a full suite of 15 unit tests for the functions within trustee.rs, validating pure logic, error handling, and both simple and complex Kubernetes API interactions using a mocked client.

  • test_get_image_pcrs_success: Verifies that a valid JSON string in a ConfigMap is correctly deserialized into the ImagePcrs struct.
  • test_get_image_pcrs_no_data: Ensures an error is returned when the ConfigMap's data field is missing.
  • test_get_image_pcrs_invalid_json: Confirms that an error is propagated when the data contains an invalid JSON string.
  • test_generate_luks_key_returns_correct_size: A sanity check to validate that generate_luks_key runs without errors and returns a key of the expected 32-byte length.

These tests validate the idempotency and error handling of functions that perform a single create operation, primarily testing the info_if_exists! macro.

  • test_create_rv_config_map_success: Verifies the function returns Ok(()) on a successful API response (200 OK).
  • test_create_rv_config_map_already_exists: Verifies the function correctly handles a 409 Conflict and returns Ok(()), confirming idempotency.
  • test_create_rv_config_map_generic_error: Ensures a generic API error (e.g., 500) is properly propagated as an Err.
  • test_generate_resource_policy_success: Validates the success path for the generate_resource_policy function.
  • test_generate_kbs_https_certificate_success: Validates the success path for the generate_kbs_https_certificate function.
  • test_generate_kbs_configurations_success: Validates the success path for the generate_kbs_configurations function.
  • test_generate_attestation_policy_success: Validates the success path for the generate_attestation_policy function.
  • test_generate_kbs_success: Validates the success path for the generate_kbs function.

These tests use a stateful mock client to simulate entire operational flows involving multiple API calls.

  • test_recompute_reference_values_flow: Verifies the complete GET (PCRs) -> GET (RV map) -> PUT (RV map) sequence executes successfully.
  • test_generate_secret_flow_success: Validates the full CREATE (Secret) -> GET (KbsConfig) -> PATCH (KbsConfig) workflow for adding a new secret.
  • test_generate_secret_already_present_in_spec: Tests the boundary condition where a secret ID already exists in the KbsConfig spec, ensuring the function exits early without making a redundant PATCH call.

@alicefr alicefr mentioned this pull request Sep 24, 2025
Closed
@6-dehan 6-dehan force-pushed the unittest_verify_func_generate_kbs_auth_public_key branch 2 times, most recently from dc923ff to 0c7e8a9 Compare September 24, 2025 14:41
@6-dehan
Copy link
Contributor Author

6-dehan commented Sep 24, 2025

$ cargo test -p operator
Finished test profile [unoptimized + debuginfo] target(s) in 0.39s
Running unittests src/main.rs (target/debug/deps/operator-eefd1bab08fd6337)

running 15 tests
test trustee::tests::test_generate_attestation_policy_success ... ok
test trustee::tests::test_create_rv_config_map_success ... ok
test trustee::tests::test_create_rv_config_map_generic_error ... ok
test trustee::tests::test_create_rv_config_map_already_exists ... ok
test trustee::tests::test_generate_kbs_https_certificate_success ... ok
test trustee::tests::test_generate_kbs_success ... ok
test trustee::tests::test_generate_kbs_configurations_success ... ok
test trustee::tests::test_get_image_pcrs_invalid_json ... ok
test trustee::tests::test_get_image_pcrs_no_data ... ok
test trustee::tests::test_get_image_pcrs_success ... ok
test trustee::tests::test_generate_resource_policy_success ... ok
test trustee::tests::test_recompute_reference_values_flow ... ok
test trustee::tests::test_generate_luks_key_returns_correct_size ... ok
test trustee::tests::test_generate_secret_already_present_in_spec ... ok
test trustee::tests::test_generate_secret_flow_success ... ok

test result: ok. 15 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s

Some changes are applied, some are not, and I will continue to update.

@6-dehan 6-dehan force-pushed the unittest_verify_func_generate_kbs_auth_public_key branch 3 times, most recently from ad36cad to d6a996c Compare September 29, 2025 07:20
Jakob-Naucke
Jakob-Naucke reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your updates. Please ensure that the CI passes, e.g. formatting your code using cargo fmt.

operator/src/trustee.rs Outdated

for (filename, content, configmap) in [
("kbs-config.toml", kbs_config, &trustee.kbs_configuration),
("as-config.json", as_config, &trustee.as_configuration),
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke Sep 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR version has some of the merged changes restored, but not all of them (e.g. this older piece is still there). I don't think this PR needs to change most of what's above the tests module, just the Deserialize derive (I could be missing something that is required though).

operator/src/trustee.rs Outdated
vec![serde_json::Value::String("1".to_string())],
)]);
let mut reference_values_in = BTreeMap::from([
(
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke Sep 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a lot of changes in the PR that are formatting only (e.g. this one), but the code was already formatted right, which is why the format CI is failing. Please use cargo fmt with a recent version (1.85+) and default config.

@6-dehan 6-dehan force-pushed the unittest_verify_func_generate_kbs_auth_public_key branch 4 times, most recently from 6e9721b to 5be874b Compare September 30, 2025 08:43
@6-dehan
test(operator): Add comprehensive unit tests for trustee module
405bd72 
This commit introduces a full suite of 15 unit tests for the functions
within `trustee.rs`, validating pure logic, error handling, and both
simple and complex Kubernetes API interactions using a mocked client.

-   `test_get_image_pcrs_success`: Verifies that a valid JSON string in a ConfigMap is correctly deserialized into the `ImagePcrs` struct.
-   `test_get_image_pcrs_no_data`: Ensures an error is returned when the ConfigMap's `data` field is missing.
-   `test_get_image_pcrs_invalid_json`: Confirms that an error is propagated when the data contains an invalid JSON string.
-   `test_generate_luks_key_returns_correct_size`: A sanity check to validate that `generate_luks_key` runs without errors and returns a key of the expected 32-byte length.

These tests validate the idempotency and error handling of functions that perform a single `create` operation, primarily testing the `info_if_exists!` macro.

-   `test_create_rv_config_map_success`: Verifies the function returns `Ok(())` on a successful API response (200 OK).
-   `test_create_rv_config_map_already_exists`: Verifies the function correctly handles a 409 Conflict and returns `Ok(())`, confirming idempotency.
-   `test_create_rv_config_map_generic_error`: Ensures a generic API error (e.g., 500) is properly propagated as an `Err`.
-   `test_generate_resource_policy_success`: Validates the success path for the `generate_resource_policy` function.
-   `test_generate_kbs_https_certificate_success`: Validates the success path for the `generate_kbs_https_certificate` function.
-   `test_generate_kbs_configurations_success`: Validates the success path for the `generate_kbs_configurations` function.
-   `test_generate_attestation_policy_success`: Validates the success path for the `generate_attestation_policy` function.
-   `test_generate_kbs_success`: Validates the success path for the `generate_kbs` function.

These tests use a stateful mock client to simulate entire operational flows involving multiple API calls.

-   `test_recompute_reference_values_flow`: Verifies the complete `GET (PCRs) -> GET (RV map) -> PUT (RV map)` sequence executes successfully.
-   `test_generate_secret_flow_success`: Validates the full `CREATE (Secret) -> GET (KbsConfig) -> PATCH (KbsConfig)` workflow for adding a new secret.
-   `test_generate_secret_already_present_in_spec`: Tests the boundary condition where a secret ID already exists in the KbsConfig spec, ensuring the function exits early without making a redundant PATCH call.

Signed-off-by: Dehan Meng <[email protected]>
@6-dehan 6-dehan force-pushed the unittest_verify_func_generate_kbs_auth_public_key branch from 5be874b to 405bd72 Compare September 30, 2025 09:17
@Jakob-Naucke Jakob-Naucke mentioned this pull request Oct 9, 2025
Merged
@alicefr
Copy link
Contributor

alicefr commented Oct 13, 2025

This PR has been superseded by #53

@alicefr alicefr closed this Oct 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakob-Naucke Jakob-Naucke Jakob-Naucke left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@6-dehan @alicefr @Jakob-Naucke