increase coverage

Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>

Author: WashingtonKK

go.mod

@@ -63,7 +63,6 @@ require (
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
-	github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
@@ -72,7 +71,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240917153116-6f2963f01587 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/zeebo/errs v1.4.0 // indirect

go.sum

@@ -159,8 +159,6 @@ github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25d
 github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
-github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f h1:7LYC+Yfkj3CTRcShK0KOL/w6iTiKyqqBA9a41Wnggw8=
-github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f/go.mod h1:pFlLw2CfqZiIBOx6BuCeRLCrfxBJipTY0nIOF/VbGcI=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -215,8 +213,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
-github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240917153116-6f2963f01587 h1:xzZOeCMQLA/W198ZkdVdt4EKFKJtS26B773zNU377ZY=

pkg/atls/atls_test.go

@@ -75,6 +75,32 @@ func generateTestCertPEMWithSubject(t *testing.T, commonName string) string {
 	return strings.ReplaceAll(string(certPEM), "\n", "\\n")
 }
 
+func generateTestCertificateWithExtensions(t *testing.T, extensions []pkix.Extension) *x509.Certificate {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "test",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		ExtraExtensions:       extensions,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	require.NoError(t, err)
+
+	cert, err := x509.ParseCertificate(certDER)
+	require.NoError(t, err)
+
+	return cert
+}
+
 // TestCertificateSubject tests the CertificateSubject functionality.
 func TestDefaultCertificateSubject(t *testing.T) {
 	subject := DefaultCertificateSubject()
@@ -685,7 +711,8 @@ func TestCertificateVerification(t *testing.T) {
 	})
 }
 
-func TestNewAttestedCAProvider(t *testing.T) {
+// TestAttestedCAProvider tests the CA-signed certificate provider.
+func TestAttestedCAProvider(t *testing.T) {
 	mockProvider := new(mocks.Provider)
 	attestationProvider, err := NewAttestationProvider(mockProvider, attestation.SNPvTPM)
 	require.NoError(t, err)
@@ -694,8 +721,186 @@ func TestNewAttestedCAProvider(t *testing.T) {
 	cvmID := "test-cvm-id"
 	agentToken := "test-token"
 
-	provider := NewAttestedCAProvider(attestationProvider, subject, nil, cvmID, agentToken)
-	assert.NotNil(t, provider)
+	t.Run("NewAttestedCAProvider", func(t *testing.T) {
+		provider := NewAttestedCAProvider(attestationProvider, subject, nil, cvmID, agentToken)
+		assert.NotNil(t, provider)
+	})
+
+	t.Run("SetTTL", func(t *testing.T) {
+		provider := NewAttestedCAProvider(attestationProvider, subject, nil, cvmID, agentToken)
+
+		newTTL := time.Hour * 48
+		provider.(*attestedCertificateProvider).SetTTL(newTTL)
+
+		attestedProvider := provider.(*attestedCertificateProvider)
+		assert.Equal(t, newTTL, attestedProvider.ttl)
+	})
+}
+
+// TestCASignedCertificateErrors tests error cases in CA-signed certificate generation.
+func TestCASignedCertificateErrors(t *testing.T) {
+	mockProvider := new(mocks.Provider)
+	attestationProvider, err := NewAttestationProvider(mockProvider, attestation.SNPvTPM)
+	require.NoError(t, err)
+
+	subject := DefaultCertificateSubject()
+	cvmID := "test-cvm-id"
+	agentToken := "test-token"
+
+	cases := []struct {
+		name          string
+		certificate   string
+		sdkError      error
+		expectedError string
+	}{
+		{"SDKIssueError", "", errors.NewSDKError(errors.New("SDK error")), "SDK error"},
+		{"InvalidPEMWithRemainingData", "-----BEGIN CERTIFICATE-----\\nVGVzdA==\\n-----END CERTIFICATE-----\\nExtra data here", nil, "unexpected remaining data"},
+		{"NoPEMBlockFound", "", nil, "no PEM block found"},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			mockSDK := sdkmocks.NewSDK(t)
+			mockSDK.On("IssueFromCSRInternal", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(certssdk.Certificate{Certificate: c.certificate}, c.sdkError)
+
+			provider := NewAttestedCAProvider(attestationProvider, subject, mockSDK, cvmID, agentToken)
+			attestedProvider := provider.(*attestedCertificateProvider)
+
+			privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+			require.NoError(t, err)
+
+			extension := pkix.Extension{
+				Id:    SNPvTPMOID,
+				Value: []byte("test-data"),
+			}
+
+			_, err = attestedProvider.generateCASignedCertificate(privateKey, extension)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), c.expectedError)
+		})
+	}
+}
+
+// TestGetCertificateErrors tests error paths in certificate generation.
+func TestGetCertificateErrors(t *testing.T) {
+	t.Run("InvalidServerNameFormat", func(t *testing.T) {
+		mockProvider := new(mocks.Provider)
+		attestationProvider, err := NewAttestationProvider(mockProvider, attestation.SNPvTPM)
+		require.NoError(t, err)
+
+		provider := NewAttestedProvider(attestationProvider, DefaultCertificateSubject())
+
+		clientHello := &tls.ClientHelloInfo{
+			ServerName: "invalid-format",
+		}
+
+		_, err = provider.GetCertificate(clientHello)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to extract nonce")
+	})
+
+	t.Run("AttestationProviderError", func(t *testing.T) {
+		mockProvider := new(mocks.Provider)
+		mockProvider.On("Attestation", mock.Anything, mock.Anything).Return(nil, errors.New("attestation failed"))
+
+		attestationProvider, err := NewAttestationProvider(mockProvider, attestation.SNPvTPM)
+		require.NoError(t, err)
+
+		provider := NewAttestedProvider(attestationProvider, DefaultCertificateSubject())
+
+		nonce := make([]byte, 64)
+		_, err = rand.Read(nonce)
+		require.NoError(t, err)
+
+		serverName := hex.EncodeToString(nonce) + ".nonce"
+		clientHello := &tls.ClientHelloInfo{ServerName: serverName}
+
+		_, err = provider.GetCertificate(clientHello)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to get attestation")
+	})
+
+	t.Run("CASignedCertificateError", func(t *testing.T) {
+		mockProvider := new(mocks.Provider)
+		mockProvider.On("Attestation", mock.Anything, mock.Anything).Return([]byte("test-attestation"), nil)
+
+		attestationProvider, err := NewAttestationProvider(mockProvider, attestation.SNPvTPM)
+		require.NoError(t, err)
+
+		mockSDK := sdkmocks.NewSDK(t)
+		sdkErr := errors.NewSDKError(errors.New("CA error"))
+		mockSDK.On("IssueFromCSRInternal", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(certssdk.Certificate{}, sdkErr)
+
+		provider := NewAttestedCAProvider(attestationProvider, DefaultCertificateSubject(), mockSDK, "test-cvm", "test-token")
+
+		nonce := make([]byte, 64)
+		_, err = rand.Read(nonce)
+		require.NoError(t, err)
+
+		serverName := hex.EncodeToString(nonce) + ".nonce"
+		clientHello := &tls.ClientHelloInfo{ServerName: serverName}
+
+		_, err = provider.GetCertificate(clientHello)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to generate certificate")
+	})
+}
+
+// TestCertificateVerificationEdgeCases tests edge cases in certificate verification.
+func TestCertificateVerificationEdgeCases(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "policy")
+	require.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	attestationPB := prepVerifyAttReport(t)
+	err = setAttestationPolicy(attestationPB, tempDir)
+	require.NoError(t, err)
+
+	t.Run("VerifyPeerCertificateWithMultipleCerts", func(t *testing.T) {
+		verifier := NewCertificateVerifier(nil)
+		cert1 := createSelfSignedCert(t)
+		cert2 := createSelfSignedCert(t)
+		nonce := generateNonce(t)
+
+		err := verifier.VerifyPeerCertificate([][]byte{cert1.Raw, cert2.Raw}, nil, nonce)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "attestation extension not found")
+	})
+
+	t.Run("VerifyAttestationExtensionWithNoExtensions", func(t *testing.T) {
+		cert := createSelfSignedCert(t)
+		verifier := certificateVerifier{}
+		nonce := generateNonce(t)
+
+		err := verifier.verifyAttestationExtension(cert, nonce)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "attestation extension not found")
+	})
+
+	t.Run("VerifyAttestationExtensionWithWrongOID", func(t *testing.T) {
+		wrongOID := asn1.ObjectIdentifier{1, 2, 3, 4, 5}
+		extension := pkix.Extension{
+			Id:    wrongOID,
+			Value: []byte("test-data"),
+		}
+
+		cert := generateTestCertificateWithExtensions(t, []pkix.Extension{extension})
+		verifier := certificateVerifier{}
+		nonce := generateNonce(t)
+
+		err := verifier.verifyAttestationExtension(cert, nonce)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "attestation extension not found")
+	})
+
+	t.Run("VerifyCertificateExtensionPlatformVerifierError", func(t *testing.T) {
+		verifier := certificateVerifier{}
+		invalidPlatformType := attestation.PlatformType(999)
+
+		err := verifier.verifyCertificateExtension([]byte("test-extension"), []byte("test-pubkey"), []byte("test-nonce"), invalidPlatformType)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "unsupported platform type")
+	})
 }
 
 // TestCertificateWithAttestationExtension tests certificates with attestation extensions.