[test-improver] Improve tests for server HMAC middleware#6601

Merged: lpcox merged 1 commit into main from test-improver/hmac-coverage-7c95c5ae9ad5faa3 on May 28, 2026
@github-actions
Contributor

Test Improvements: hmac_test.go

File Analyzed

  • Test File: internal/server/hmac_test.go
  • Package: internal/server
  • Lines of Code: 363 → 483 (+120 lines)

Improvements Made

1. Increased Coverage

  • ✅ Added TestHMACMiddleware_BodyReadError — covers the io.ReadAll error branch in hmacMiddleware that was previously unreachable by existing tests

  • ✅ Added TestHMACMiddleware_ConcurrentReplay_PostCheckRejected — covers the post-check replay detection branch where two concurrent requests with identical nonces both pass the seenNonce pre-check but only one wins checkAndSet

  • Previous Coverage (hmacMiddleware): 88.1%

  • New Coverage (hmacMiddleware): 100%

  • Server package improvement: 91.7% → 92.1%

2. New Test Helper Types

  • errReader — minimal io.Reader that always returns an error, used to trigger the body-read failure path (HTTP 400)
  • barrierReader — synchronized reader that stalls both goroutines inside io.ReadAll (after seenNonce but before checkAndSet), enabling deterministic testing of the concurrent post-check replay race

3. Better Testing Patterns

  • ✅ Uses atomic.Int32 for goroutine-safe result counting in the concurrent test
  • ✅ Uses sync.WaitGroup barrier to guarantee deterministic race coverage without timing-dependent sleeps
  • ✅ Both tests use require for critical invariants

Test Execution

All tests pass:

=== RUN   TestHMACMiddleware_BodyReadError
--- PASS: TestHMACMiddleware_BodyReadError (0.00s)
=== RUN   TestHMACMiddleware_ConcurrentReplay_PostCheckRejected
--- PASS: TestHMACMiddleware_ConcurrentReplay_PostCheckRejected (0.00s)
PASS
ok  	github.com/github/gh-aw-mcpg/internal/server	5.531s

Why These Changes?

hmacMiddleware had two uncovered branches:

  1. Body read error (io.ReadAll failure): This path returns HTTP 400 with "failed to read request body". It was unreachable without a reader that returns errors, which normal test requests never do.

  2. Post-check replay detection (checkAndSet returning false): This is a concurrency guard — the pre-check (seenNonce) is a read-only fast-reject, while the authoritative write happens in checkAndSet. When two concurrent requests carry the same nonce and both pass the pre-check simultaneously, exactly one should win checkAndSet and the other should be rejected. Testing this required a barrierReader to synchronise both goroutines at the body-read stall point, ensuring both are past seenNonce before either calls checkAndSet.


Generated by Test Improver Workflow
Focuses on better patterns, increased coverage, and more stable tests

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • index.crates.io

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "index.crates.io"

See Network Configuration for more information.

Generated by Test Improver · sonnet46 6.5M ·
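
The pre-check and post-check split described in the comment above, shown as an added Go example that is not the project's code. The method names seenNonce and checkAndSet come from the PR text; nonceCache, raceSameNonce and the sync.Map-based bodies are assumptions.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// nonceCache is a hypothetical replay store; its bodies are assumed, not the project's.
type nonceCache struct{ seen sync.Map }

// seenNonce is the read-only fast reject: it never records the nonce.
func (c *nonceCache) seenNonce(n string) bool {
	_, ok := c.seen.Load(n)
	return ok
}

// checkAndSet tests and inserts atomically, so only the first caller wins.
func (c *nonceCache) checkAndSet(n string) bool {
	_, loaded := c.seen.LoadOrStore(n, struct{}{})
	return !loaded
}

// raceSameNonce presents one constructed nonce from `workers` goroutines. The
// barrier releases them only once all are past the pre-check (barrierReader's role).
func raceSameNonce(workers int) (passedPre, accepted int32) {
	var c nonceCache
	var pre, acc atomic.Int32
	var barrier, done sync.WaitGroup
	barrier.Add(workers)
	done.Add(workers)
	for i := 0; i < workers; i++ {
		go func() {
			defer done.Done()
			if !c.seenNonce("constructed-nonce") {
				pre.Add(1)
			}
			barrier.Done()
			barrier.Wait() // every worker has now passed the pre-check
			if c.checkAndSet("constructed-nonce") {
				acc.Add(1)
			}
		}()
	}
	done.Wait()
	return pre.Load(), acc.Load()
}

func main() { fmt.Println(raceSameNonce(2)) }
```

Every worker passes the pre-check, yet exactly one is accepted, which is why the replay decision has to rest on the atomic step rather than on seenNonce alone.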

Add two tests covering previously uncovered branches in hmacMiddleware:

- TestHMACMiddleware_BodyReadError: exercises the body-read failure path
  (io.ReadAll error → HTTP 400) using an errReader that always returns an error.

- TestHMACMiddleware_ConcurrentReplay_PostCheckRejected: exercises the
  post-check replay detection branch using synchronized barrierReader
  goroutines that both pass the seenNonce pre-check before racing on
  checkAndSet, ensuring exactly one request succeeds.

Also adds errReader and barrierReader helper types to support these tests.

hmacMiddleware coverage: 88.1% → 100%
Overall server package coverage: 91.7% → 92.1%

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox marked this pull request as ready for review May 28, 2026 15:45
Copilot AI review requested due to automatic review settings May 28, 2026 15:45
Contributor

Copilot AI left a comment

Pull request overview

This PR adds two new tests to internal/server/hmac_test.go to cover previously unreachable branches in hmacMiddleware: the body-read error path and the post-check concurrent replay rejection path. Coverage of hmacMiddleware increases from 88.1% to 100%.

Changes:

  • Add errReader and barrierReader test helpers for deterministic error and concurrency simulation.
  • Add TestHMACMiddleware_BodyReadError to exercise the io.ReadAll failure branch (HTTP 400).
  • Add TestHMACMiddleware_ConcurrentReplay_PostCheckRejected using a barrier to deterministically race two requests at checkAndSet.

Summary per file:

  • internal/server/hmac_test.go: Adds reader helpers and two new tests covering body-read error and post-check replay branches.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@lpcox lpcox merged commit 3376b29 into main May 28, 2026
23 checks passed
@lpcox lpcox deleted the test-improver/hmac-coverage-7c95c5ae9ad5faa3 branch May 28, 2026 15:58