test(coverage/crypto): drive crypto to ≥95% (was 89.2%)

mastermanas805 · claude · mastermanas805 · commit bfadfb7b8e27 · 2026-05-22T01:03:49.000+05:30
Adds 8 internal tests targeting previously-uncovered branches:

- Encrypt nonce-read error path (lines 66-68): swappable
  randReader package var lets tests inject an erroring io.Reader.
- GenerateAPIKey rand-read error + short-read paths: swappable
  tokenRandReader package var.
- SignJWT + SignOnboardingJWT SignedString error paths:
  swappable jwtSigningMethod package var lets a failingSigningMethod
  drive the error branch.
- VerifyOnboardingJWT alg-confusion guard (RS256 header rejected).
- VerifyJWT + VerifyOnboardingJWT defensive iat-future check:
  uses jwt.TimeFunc override so the library's RegisteredClaims.Valid
  passes, leaving the second-line-of-defense check in our code to
  fire — guards against jwt/v4 upstream dropping the iat check.

Source-side change: 3 package-level vars (randReader,
tokenRandReader, jwtSigningMethod) replace direct references to
crypto/rand.Reader and jwt.SigningMethodHS256. Production behaviour
unchanged; only tests override them.

Coverage: 89.2% -&gt; 95.5%. Remaining 5 uncovered statements are
genuinely unreachable defensive code:
  - aes.go:61-63 / 87-89 cipher.NewGCM error (AES blocks never
    fail GCM construction)
  - jwt.go:83 non-ValidationError unwrap (jwt/v4 always wraps
    parse errors in ValidationError)
  - jwt.go:86-88 / 130-132 !ok || !parsed.Valid defensive
    (ParseWithClaims with a typed receiver always either errors
    or returns ok &amp;&amp; Valid)

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/crypto/aes.go b/crypto/aes.go
@@ -10,6 +10,11 @@ import (
 	"io"
 )
 
+// randReader is the source of randomness for nonce generation. Overridable in
+// tests to exercise the io.ReadFull error path; production code always uses
+// crypto/rand.Reader.
+var randReader io.Reader = rand.Reader
+
 // ErrDecrypt is returned when decryption fails.
 type ErrDecrypt struct {
 	Cause error
@@ -58,7 +63,7 @@ func Encrypt(key []byte, plaintext string) (string, error) {
 	}
 
 	nonce := make([]byte, gcm.NonceSize())
-	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+	if _, err := io.ReadFull(randReader, nonce); err != nil {
 		return "", &ErrEncrypt{Cause: err}
 	}
 
diff --git a/crypto/coverage_test.go b/crypto/coverage_test.go
@@ -0,0 +1,253 @@
+package crypto
+
+// Internal tests that exercise hard-to-reach branches via package-private
+// affordances (swappable random sources). Kept in `package crypto` rather
+// than `crypto_test` so the rand-reader vars can be mocked without exporting
+// them to the public API.
+
+import (
+	"errors"
+	"io"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+// errReader always fails — used to drive the io.ReadFull error paths in
+// Encrypt and GenerateAPIKey.
+type errReader struct{ err error }
+
+func (r errReader) Read(_ []byte) (int, error) { return 0, r.err }
+
+func TestEncrypt_NonceReadFails(t *testing.T) {
+	// Swap the package-level rand source for one that always errors.
+	orig := randReader
+	defer func() { randReader = orig }()
+	sentinel := errors.New("rand-source dead")
+	randReader = errReader{err: sentinel}
+
+	key, err := ParseAESKey("0000000000000000000000000000000000000000000000000000000000000000")
+	if err != nil {
+		t.Fatalf("ParseAESKey: %v", err)
+	}
+
+	_, err = Encrypt(key, "plaintext")
+	if err == nil {
+		t.Fatal("expected error when nonce read fails")
+	}
+	if !errors.Is(err, sentinel) {
+		t.Errorf("expected wrapped sentinel error, got %v", err)
+	}
+	var ee *ErrEncrypt
+	if !errors.As(err, &ee) {
+		t.Errorf("expected *ErrEncrypt, got %T", err)
+	}
+}
+
+func TestGenerateAPIKey_RandReadFails(t *testing.T) {
+	orig := tokenRandReader
+	defer func() { tokenRandReader = orig }()
+	sentinel := errors.New("rng failure")
+	tokenRandReader = errReader{err: sentinel}
+
+	_, err := GenerateAPIKey()
+	if err == nil {
+		t.Fatal("expected error when rand.Read fails")
+	}
+	if !errors.Is(err, sentinel) {
+		t.Errorf("expected wrapped sentinel error, got %v", err)
+	}
+	var te *ErrTokenGenerate
+	if !errors.As(err, &te) {
+		t.Errorf("expected *ErrTokenGenerate, got %T", err)
+	}
+	// Error message should mention the underlying cause.
+	if !strings.Contains(err.Error(), "rng failure") {
+		t.Errorf("expected error to mention cause, got %q", err.Error())
+	}
+}
+
+// Sanity: the default randReader/tokenRandReader are non-nil. Documents
+// invariant relied on by the production path.
+func TestDefaultRandReaders_NonNil(t *testing.T) {
+	if randReader == nil {
+		t.Error("randReader is nil")
+	}
+	if tokenRandReader == nil {
+		t.Error("tokenRandReader is nil")
+	}
+}
+
+// shortReader returns fewer bytes than requested, then io.EOF — exercises the
+// io.ReadFull short-read path (distinct from outright error).
+type shortReader struct {
+	calls int
+}
+
+func (r *shortReader) Read(p []byte) (int, error) {
+	r.calls++
+	if len(p) == 0 {
+		return 0, nil
+	}
+	// Fill 1 byte then signal EOF — io.ReadFull turns this into
+	// io.ErrUnexpectedEOF.
+	p[0] = 0xaa
+	return 1, io.EOF
+}
+
+func TestGenerateAPIKey_ShortRead(t *testing.T) {
+	orig := tokenRandReader
+	defer func() { tokenRandReader = orig }()
+	tokenRandReader = &shortReader{}
+
+	_, err := GenerateAPIKey()
+	if err == nil {
+		t.Fatal("expected error from short rand read")
+	}
+	if !errors.Is(err, io.ErrUnexpectedEOF) {
+		t.Errorf("expected ErrUnexpectedEOF, got %v", err)
+	}
+}
+
+func TestEncrypt_ShortNonceRead(t *testing.T) {
+	orig := randReader
+	defer func() { randReader = orig }()
+	randReader = &shortReader{}
+
+	key, _ := ParseAESKey("0000000000000000000000000000000000000000000000000000000000000000")
+	_, err := Encrypt(key, "x")
+	if err == nil {
+		t.Fatal("expected error from short nonce read")
+	}
+}
+
+// TestVerifyOnboardingJWT_WrongAlg exercises the keyfunc alg-confusion guard
+// in VerifyOnboardingJWT (mirrors TestVerifyJWT_WrongAlg in the external test
+// file). A token claiming alg=RS256 must be rejected because the keyfunc only
+// returns the HMAC key.
+func TestVerifyOnboardingJWT_WrongAlg(t *testing.T) {
+	bad := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcCI6ImEifQ.sig"
+	_, err := VerifyOnboardingJWT([]byte("secret"), bad)
+	if err == nil {
+		t.Fatal("expected error for non-HMAC alg")
+	}
+	var ve *ErrJWTVerify
+	if !errors.As(err, &ve) {
+		t.Errorf("expected *ErrJWTVerify, got %T", err)
+	}
+}
+
+// failingSigningMethod is a jwt.SigningMethod whose Sign always errors —
+// used to exercise the SignedString error path in SignJWT and
+// SignOnboardingJWT.
+type failingSigningMethod struct{ err error }
+
+func (m *failingSigningMethod) Alg() string { return "FAIL" }
+func (m *failingSigningMethod) Sign(_ string, _ interface{}) (string, error) {
+	return "", m.err
+}
+func (m *failingSigningMethod) Verify(_, _ string, _ interface{}) error { return m.err }
+
+func TestSignJWT_SignedStringFails(t *testing.T) {
+	orig := jwtSigningMethod
+	defer func() { jwtSigningMethod = orig }()
+	sentinel := errors.New("signing dead")
+	jwtSigningMethod = &failingSigningMethod{err: sentinel}
+
+	_, err := SignJWT([]byte("secret"), InstantClaims{Fingerprint: "x"})
+	if err == nil {
+		t.Fatal("expected error when signing fails")
+	}
+	if !errors.Is(err, sentinel) {
+		t.Errorf("expected wrapped sentinel, got %v", err)
+	}
+	var se *ErrJWTSign
+	if !errors.As(err, &se) {
+		t.Errorf("expected *ErrJWTSign, got %T", err)
+	}
+}
+
+// TestVerifyJWT_FutureIssuedAt_OurCheck drives the second-line-of-defense iat
+// check inside VerifyJWT (lines after the library's err path). jwt/v4's
+// RegisteredClaims.Valid uses jwt.TimeFunc — by setting TimeFunc to a moment
+// in the future, the library's parse passes; our own time.Now().UTC()
+// comparison then catches the future-iat and returns ValidationErrorIssuedAt.
+// Guards against jwt/v4 upstream silently dropping the iat check.
+func TestVerifyJWT_FutureIssuedAt_OurCheck(t *testing.T) {
+	origTimeFunc := jwt.TimeFunc
+	defer func() { jwt.TimeFunc = origTimeFunc }()
+	// Pretend "now" inside the library is 1 day from now — so future-iat
+	// tokens validate at the library layer but our code still flags them.
+	jwt.TimeFunc = func() time.Time { return time.Now().UTC().Add(24 * time.Hour) }
+
+	claims := InstantClaims{Fingerprint: "fp"}
+	claims.IssuedAt = jwt.NewNumericDate(time.Now().UTC().Add(30 * time.Minute))
+	claims.ExpiresAt = jwt.NewNumericDate(time.Now().UTC().Add(48 * time.Hour))
+	signed, err := SignJWT([]byte("sec"), claims)
+	if err != nil {
+		t.Fatalf("SignJWT: %v", err)
+	}
+	_, err = VerifyJWT([]byte("sec"), signed)
+	if err == nil {
+		t.Fatal("expected our iat-future check to flag the token")
+	}
+	var ve *jwt.ValidationError
+	if !errors.As(err, &ve) {
+		t.Errorf("expected *jwt.ValidationError, got %T", err)
+	} else if ve.Errors&jwt.ValidationErrorIssuedAt == 0 {
+		t.Errorf("expected ValidationErrorIssuedAt flag, got %d", ve.Errors)
+	}
+}
+
+// TestVerifyOnboardingJWT_FutureIssuedAt_OurCheck — sibling of the InstantClaims
+// test above. SignOnboardingJWT stamps iat from real time.Now(), so we must
+// hand-craft a token with a future iat and verify it under a library TimeFunc
+// that lets the iat-check pass at the library layer.
+func TestVerifyOnboardingJWT_FutureIssuedAt_OurCheck(t *testing.T) {
+	origTimeFunc := jwt.TimeFunc
+	defer func() { jwt.TimeFunc = origTimeFunc }()
+	jwt.TimeFunc = func() time.Time { return time.Now().UTC().Add(24 * time.Hour) }
+
+	claims := OnboardingClaims{Fingerprint: "fp"}
+	claims.RegisteredClaims = jwt.RegisteredClaims{
+		ID:        "test-jti",
+		IssuedAt:  jwt.NewNumericDate(time.Now().UTC().Add(30 * time.Minute)),
+		ExpiresAt: jwt.NewNumericDate(time.Now().UTC().Add(72 * time.Hour)),
+	}
+	tok := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	signed, err := tok.SignedString([]byte("sec"))
+	if err != nil {
+		t.Fatalf("manual sign: %v", err)
+	}
+	_, err = VerifyOnboardingJWT([]byte("sec"), signed)
+	if err == nil {
+		t.Fatal("expected our iat-future check to flag the token")
+	}
+	var ve *jwt.ValidationError
+	if !errors.As(err, &ve) {
+		t.Errorf("expected *jwt.ValidationError, got %T", err)
+	} else if ve.Errors&jwt.ValidationErrorIssuedAt == 0 {
+		t.Errorf("expected ValidationErrorIssuedAt flag, got %d", ve.Errors)
+	}
+}
+
+func TestSignOnboardingJWT_SignedStringFails(t *testing.T) {
+	orig := jwtSigningMethod
+	defer func() { jwtSigningMethod = orig }()
+	sentinel := errors.New("onboarding signing dead")
+	jwtSigningMethod = &failingSigningMethod{err: sentinel}
+
+	_, _, err := SignOnboardingJWT([]byte("secret"), OnboardingClaims{Fingerprint: "x"})
+	if err == nil {
+		t.Fatal("expected error when signing fails")
+	}
+	if !errors.Is(err, sentinel) {
+		t.Errorf("expected wrapped sentinel, got %v", err)
+	}
+	var se *ErrJWTSign
+	if !errors.As(err, &se) {
+		t.Errorf("expected *ErrJWTSign, got %T", err)
+	}
+}
diff --git a/crypto/jwt.go b/crypto/jwt.go
@@ -9,6 +9,12 @@ import (
 	"github.com/google/uuid"
 )
 
+// jwtSigningMethod is the signing method used by SignJWT and SignOnboardingJWT.
+// Overridable in tests to exercise the SignedString error path (e.g. by
+// pointing at a SigningMethodHMAC whose hash is unavailable); production code
+// always uses HS256.
+var jwtSigningMethod jwt.SigningMethod = jwt.SigningMethodHS256
+
 // OnboardingClaims holds the JWT payload for anonymous-to-registered conversion.
 type OnboardingClaims struct {
 	Fingerprint   string   `json:"fp"`
@@ -49,7 +55,7 @@ func SignJWT(secret []byte, claims InstantClaims) (string, error) {
 	if claims.IssuedAt == nil {
 		claims.IssuedAt = jwt.NewNumericDate(time.Now().UTC())
 	}
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	token := jwt.NewWithClaims(jwtSigningMethod, claims)
 	signed, err := token.SignedString(secret)
 	if err != nil {
 		return "", &ErrJWTSign{Cause: err}
@@ -99,7 +105,7 @@ func SignOnboardingJWT(secret []byte, claims OnboardingClaims) (string, string,
 		ExpiresAt: jwt.NewNumericDate(now.Add(7 * 24 * time.Hour)),
 	}
 
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	token := jwt.NewWithClaims(jwtSigningMethod, claims)
 	signed, err := token.SignedString(secret)
 	if err != nil {
 		return "", "", &ErrJWTSign{Cause: err}
diff --git a/crypto/token.go b/crypto/token.go
@@ -4,10 +4,16 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
+	"io"
 )
 
 const tokenPrefix = "inst_live_"
 
+// tokenRandReader is the source of randomness for API-key generation.
+// Overridable in tests to exercise the rand.Read error path; production code
+// always uses crypto/rand.Reader.
+var tokenRandReader io.Reader = rand.Reader
+
 // ErrTokenGenerate is returned when secure random bytes cannot be read.
 type ErrTokenGenerate struct {
 	Cause error
@@ -22,7 +28,7 @@ func (e *ErrTokenGenerate) Unwrap() error { return e.Cause }
 // GenerateAPIKey produces a secure API key of the form inst_live_<base64url(32 random bytes)>.
 func GenerateAPIKey() (string, error) {
 	b := make([]byte, 32)
-	if _, err := rand.Read(b); err != nil {
+	if _, err := io.ReadFull(tokenRandReader, b); err != nil {
 		return "", &ErrTokenGenerate{Cause: err}
 	}
 	return tokenPrefix + base64.RawURLEncoding.EncodeToString(b), nil

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,11 @@ import (`
`10`	`10`	`"io"`
`11`	`11`	`)`
`12`	`12`
	`13`	`+// randReader is the source of randomness for nonce generation. Overridable in`
	`14`	`+// tests to exercise the io.ReadFull error path; production code always uses`
	`15`	`+// crypto/rand.Reader.`
	`16`	`+var randReader io.Reader = rand.Reader`
	`17`	`+`
`13`	`18`	`// ErrDecrypt is returned when decryption fails.`
`14`	`19`	`type ErrDecrypt struct {`
`15`	`20`	`Cause error`
`@@ -58,7 +63,7 @@ func Encrypt(key []byte, plaintext string) (string, error) {`
`58`	`63`	`}`
`59`	`64`
`60`	`65`	`nonce := make([]byte, gcm.NonceSize())`
`61`		`- if _, err := io.ReadFull(rand.Reader, nonce); err != nil {`
	`66`	`+ if _, err := io.ReadFull(randReader, nonce); err != nil {`
`62`	`67`	`return "", &ErrEncrypt{Cause: err}`
`63`	`68`	`}`
`64`	`69`