more util test coverage and remove duplicate env read from docker_init.rs

Author: JasonVranek

Cargo.lock

@@ -344,7 +344,6 @@ fn create_signer_service_local(
     let mut envs = IndexMap::from([
         get_env_val(CONFIG_ENV, CONFIG_DEFAULT),
         get_env_same(JWTS_ENV),
-        get_env_same(JWTS_ENV),
         get_env_same(ADMIN_JWT_ENV),
         get_env_val(SIGNER_TLS_CERTIFICATES_PATH_ENV, SIGNER_TLS_CERTIFICATES_PATH_DEFAULT),
     ]);

crates/cli/src/docker_init.rs

@@ -52,3 +52,6 @@ tree_hash.workspace = true
 tree_hash_derive.workspace = true
 unicode-normalization.workspace = true
 url.workspace = true
+
+[dev-dependencies]
+  tempfile.workspace = true

crates/common/Cargo.toml

@@ -318,6 +318,29 @@ mod tests {
         let _: SignedProxyDelegationEcdsa = serde_json::from_str(data).unwrap();
     }
 
+    #[test]
+    fn test_reload_request_jwt_secrets_present() {
+        let data = r#"{"jwt_secrets": "module_a=secret1,module_b=secret2"}"#;
+        let req: ReloadRequest = serde_json::from_str(data).unwrap();
+        let secrets = req.jwt_secrets.expect("should have secrets");
+        assert_eq!(secrets.get(&ModuleId("module_a".into())), Some(&"secret1".to_string()));
+        assert_eq!(secrets.get(&ModuleId("module_b".into())), Some(&"secret2".to_string()));
+    }
+
+    #[test]
+    fn test_reload_request_jwt_secrets_absent() {
+        let data = r#"{}"#;
+        let req: ReloadRequest = serde_json::from_str(data).unwrap();
+        assert!(req.jwt_secrets.is_none());
+    }
+
+    #[test]
+    fn test_reload_request_jwt_secrets_invalid_format() {
+        // Missing '=' separator — decode_string_to_map should fail
+        let data = r#"{"jwt_secrets": "bad_value_no_equals"}"#;
+        assert!(serde_json::from_str::<ReloadRequest>(data).is_err());
+    }
+
     #[test]
     fn test_decode_response_proxy_map() {
         let data = r#"{

crates/common/src/commit/request.rs

@@ -183,19 +183,16 @@ impl PbsConfig {
         }
 
         if let Some(rpc_url) = &self.rpc_url {
-            // TODO: remove this once we support chain ids for custom chains
-            if !matches!(chain, Chain::Custom { .. }) {
-                let provider = ProviderBuilder::new().connect_http(rpc_url.clone());
-                let chain_id = provider.get_chain_id().await?;
-                let chain_id_big = U256::from(chain_id);
-                ensure!(
-                    chain_id_big == chain.id(),
-                    "Rpc url is for the wrong chain, expected: {} ({:?}) got {}",
-                    chain.id(),
-                    chain,
-                    chain_id_big
-                );
-            }
+            let provider = ProviderBuilder::new().connect_http(rpc_url.clone());
+            let chain_id = provider.get_chain_id().await?;
+            let chain_id_big = U256::from(chain_id);
+            ensure!(
+                chain_id_big == chain.id(),
+                "Rpc url is for the wrong chain, expected: {} ({:?}) got {}",
+                chain.id(),
+                chain,
+                chain_id_big
+            );
         }
 
         ensure!(

crates/common/src/config/pbs.rs

@@ -98,20 +98,68 @@ pub fn decode_string_to_map(raw: &str) -> Result<HashMap<ModuleId, String>> {
 
 #[cfg(test)]
 mod tests {
+    use std::sync::Mutex;
+
     use super::*;
     use crate::utils::TestRandomSeed;
 
-    /// TODO: This was only used by the old JWT loader, can it be removed now?
+    // Serializes all tests that read/write environment variables.
+    // std::env::set_var is unsafe (Rust 1.81+) because mutating `environ`
+    // while another thread reads it is UB at the OS level. Holding this
+    // lock ensures our Rust threads don't race each other.
+    static ENV_LOCK: Mutex<()> = Mutex::new(());
+
+    /// Sets or removes env vars for the duration of `f`, then restores the
+    /// original values.  Pass `Some("val")` to set, `None` to ensure absent.
+    fn with_env<R>(vars: &[(&str, Option<&str>)], f: impl FnOnce() -> R) -> R {
+        let _guard = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
+        let saved: Vec<(&str, Option<String>)> =
+            vars.iter().map(|(k, _)| (*k, std::env::var(k).ok())).collect();
+        for (k, v) in vars {
+            match v {
+                Some(val) => unsafe { std::env::set_var(k, val) },
+                None => unsafe { std::env::remove_var(k) },
+            }
+        }
+        let result = f();
+        for (k, old) in &saved {
+            match old {
+                Some(v) => unsafe { std::env::set_var(k, v) },
+                None => unsafe { std::env::remove_var(k) },
+            }
+        }
+        result
+    }
+
+    // Minimal TOML-deserializable type used by load_from_file / load_file_from_env
+    // tests.
+    #[derive(serde::Deserialize, Debug, PartialEq)]
+    struct TestConfig {
+        value: String,
+    }
+
+    // ── decode_string_to_map ─────────────────────────────────────────────────
+
     #[test]
-    fn test_decode_string_to_map() {
-        let raw = " KEY=VALUE , KEY2=value2 ";
+    fn test_decode_string_to_map_single_pair() {
+        let map = decode_string_to_map("ONLY=ONE").unwrap();
+        assert_eq!(map.len(), 1);
+        assert_eq!(map.get(&ModuleId("ONLY".into())), Some(&"ONE".to_string()));
+    }
 
-        let map = decode_string_to_map(raw).unwrap();
+    #[test]
+    fn test_decode_string_to_map_empty_string() {
+        // An empty string yields one token with no `=`, which is invalid.
+        assert!(decode_string_to_map("").is_err());
+    }
 
-        assert_eq!(map.get(&ModuleId("KEY".into())), Some(&"VALUE".to_string()));
-        assert_eq!(map.get(&ModuleId("KEY2".into())), Some(&"value2".to_string()));
+    #[test]
+    fn test_decode_string_to_map_malformed_no_equals() {
+        assert!(decode_string_to_map("KEYONLY").is_err());
     }
 
+    // ── remove_duplicate_keys ────────────────────────────────────────────────
+
     #[test]
     fn test_remove_duplicate_keys() {
         let key1 = BlsPublicKey::test_random();
@@ -123,4 +171,134 @@ mod tests {
         assert!(unique_keys.contains(&key1));
         assert!(unique_keys.contains(&key2));
     }
+
+    // ── load_env_var ─────────────────────────────────────────────────────────
+
+    #[test]
+    fn test_load_env_var_present() {
+        with_env(&[("CB_TEST_LOAD_ENV_VAR", Some("hello"))], || {
+            assert_eq!(load_env_var("CB_TEST_LOAD_ENV_VAR").unwrap(), "hello");
+        });
+    }
+
+    #[test]
+    fn test_load_env_var_absent() {
+        with_env(&[("CB_TEST_LOAD_ENV_VAR_ABSENT", None)], || {
+            let err = load_env_var("CB_TEST_LOAD_ENV_VAR_ABSENT").unwrap_err();
+            assert!(err.to_string().contains("CB_TEST_LOAD_ENV_VAR_ABSENT"));
+        });
+    }
+
+    // ── load_optional_env_var ────────────────────────────────────────────────
+
+    #[test]
+    fn test_load_optional_env_var_present() {
+        with_env(&[("CB_TEST_OPT_VAR", Some("world"))], || {
+            assert_eq!(load_optional_env_var("CB_TEST_OPT_VAR"), Some("world".to_string()));
+        });
+    }
+
+    #[test]
+    fn test_load_optional_env_var_absent() {
+        with_env(&[("CB_TEST_OPT_VAR_ABSENT", None)], || {
+            assert_eq!(load_optional_env_var("CB_TEST_OPT_VAR_ABSENT"), None);
+        });
+    }
+
+    // ── load_from_file ───────────────────────────────────────────────────────
+
+    #[test]
+    fn test_load_from_file_valid() {
+        use std::io::Write as _;
+        let mut file = tempfile::NamedTempFile::new().unwrap();
+        file.write_all(b"value = \"hello\"").unwrap();
+        let path = file.path().to_path_buf();
+
+        let (config, returned_path): (TestConfig, _) = load_from_file(&path).unwrap();
+        assert_eq!(config.value, "hello");
+        assert_eq!(returned_path, path);
+    }
+
+    #[test]
+    fn test_load_from_file_missing() {
+        let result: eyre::Result<(TestConfig, _)> =
+            load_from_file("/nonexistent/cb_test_path/file.toml");
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_load_from_file_invalid_toml() {
+        use std::io::Write as _;
+        let mut file = tempfile::NamedTempFile::new().unwrap();
+        file.write_all(b"not valid toml !!!{{").unwrap();
+
+        let result: eyre::Result<(TestConfig, _)> = load_from_file(file.path());
+        assert!(result.is_err());
+    }
+
+    // ── load_file_from_env ───────────────────────────────────────────────────
+
+    #[test]
+    fn test_load_file_from_env_ok() {
+        use std::io::Write as _;
+        let mut file = tempfile::NamedTempFile::new().unwrap();
+        file.write_all(b"value = \"from_env\"").unwrap();
+        let path = file.path().to_str().unwrap().to_owned();
+
+        with_env(&[("CB_TEST_FILE_ENV", Some(&path))], || {
+            let (config, _): (TestConfig, _) = load_file_from_env("CB_TEST_FILE_ENV").unwrap();
+            assert_eq!(config.value, "from_env");
+        });
+    }
+
+    #[test]
+    fn test_load_file_from_env_var_not_set() {
+        with_env(&[("CB_TEST_FILE_ENV_ABSENT", None)], || {
+            let result: eyre::Result<(TestConfig, _)> =
+                load_file_from_env("CB_TEST_FILE_ENV_ABSENT");
+            assert!(result.is_err());
+            assert!(result.unwrap_err().to_string().contains("CB_TEST_FILE_ENV_ABSENT"));
+        });
+    }
+
+    // ── load_jwt_secrets ─────────────────────────────────────────────────────
+
+    #[test]
+    fn test_load_jwt_secrets_ok() {
+        with_env(
+            &[
+                (ADMIN_JWT_ENV, Some("admin_secret")),
+                (JWTS_ENV, Some("MODULE1=secret1,MODULE2=secret2")),
+            ],
+            || {
+                let (admin_jwt, secrets) = load_jwt_secrets().unwrap();
+                assert_eq!(admin_jwt, "admin_secret");
+                assert_eq!(secrets.get(&ModuleId("MODULE1".into())), Some(&"secret1".to_string()));
+                assert_eq!(secrets.get(&ModuleId("MODULE2".into())), Some(&"secret2".to_string()));
+            },
+        );
+    }
+
+    #[test]
+    fn test_load_jwt_secrets_missing_admin_jwt() {
+        with_env(&[(ADMIN_JWT_ENV, None), (JWTS_ENV, Some("MODULE1=secret1"))], || {
+            let err = load_jwt_secrets().unwrap_err();
+            assert!(err.to_string().contains(ADMIN_JWT_ENV));
+        });
+    }
+
+    #[test]
+    fn test_load_jwt_secrets_missing_jwts() {
+        with_env(&[(ADMIN_JWT_ENV, Some("admin_secret")), (JWTS_ENV, None)], || {
+            let err = load_jwt_secrets().unwrap_err();
+            assert!(err.to_string().contains(JWTS_ENV));
+        });
+    }
+
+    #[test]
+    fn test_load_jwt_secrets_malformed_jwts() {
+        with_env(&[(ADMIN_JWT_ENV, Some("admin_secret")), (JWTS_ENV, Some("MALFORMED"))], || {
+            assert!(load_jwt_secrets().is_err());
+        });
+    }
 }