tls_manager_test.go: reproduce partial tls files handling

mohamedawnallah · mohamedawnallah · commit 090990ca26cf · 2025-11-27T13:15:30.000Z
When there is only one of the tls pairs (key/certificate) and the
other is missing, the TLS manager currently assumes it exists
and ignore generating them. This results in error propgated to user
that the other tls pair file is missing/not found.
diff --git a/tls_manager_test.go b/tls_manager_test.go
@@ -369,3 +369,82 @@ func newTestDirectory(t *testing.T) (string, string, string) {
 
 	return tempDir, certPath, keyPath
 }
+
+// TestGenerateCertPairWithPartialFiles tests that generateCertPair regenerates
+// a cert/key pair when only one file exists.
+func TestGenerateCertPairWithPartialFiles(t *testing.T) {
+	t.Parallel()
+
+	keyRing := &mock.SecretKeyRing{
+		RootKey: privKey,
+	}
+
+	tempDir := t.TempDir()
+	certPath := tempDir + "/tls.cert"
+	keyPath := tempDir + "/tls.key"
+
+	// Create only a key file (simulating leftover from previous run).
+	_, keyBytes := genCertPair(t, false)
+	keyBuf := &bytes.Buffer{}
+	err := pem.Encode(
+		keyBuf, &pem.Block{
+			Type:  "EC PRIVATE KEY",
+			Bytes: keyBytes,
+		},
+	)
+	require.NoError(t, err)
+
+	err = os.WriteFile(keyPath, keyBuf.Bytes(), 0600)
+	require.NoError(t, err)
+
+	// Configure TLS manager - cert doesn't exist, but key does.
+	cfg := &TLSManagerCfg{
+		TLSCertPath:     certPath,
+		TLSKeyPath:      keyPath,
+		TLSCertDuration: testTLSCertDuration,
+	}
+	tlsManager := NewTLSManager(cfg)
+
+	err = tlsManager.generateCertPair(keyRing)
+	require.NoError(
+		t, err, "should generate new cert pair when only key exists",
+	)
+
+	// Verify both files now exist and form a valid pair.
+	_, _, err = cert.GetCertBytesFromPath(certPath, keyPath)
+	require.NoError(t, err, "should be able to load cert pair")
+
+	// Test when only cert exists, key missing.
+	tempDir2 := t.TempDir()
+	certPath2 := tempDir2 + "/tls.cert"
+	keyPath2 := tempDir2 + "/tls.key"
+
+	// Create only a cert file.
+	certBytes, _ := genCertPair(t, false)
+	certBuf := &bytes.Buffer{}
+	err = pem.Encode(
+		certBuf, &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: certBytes,
+		},
+	)
+	require.NoError(t, err)
+
+	err = os.WriteFile(certPath2, certBuf.Bytes(), 0644)
+	require.NoError(t, err)
+
+	cfg2 := &TLSManagerCfg{
+		TLSCertPath:     certPath2,
+		TLSKeyPath:      keyPath2,
+		TLSCertDuration: testTLSCertDuration,
+	}
+	tlsManager2 := NewTLSManager(cfg2)
+
+	err = tlsManager2.generateCertPair(keyRing)
+	require.NoError(
+		t, err, "should generate new cert pair when only cert exists",
+	)
+
+	_, _, err = cert.GetCertBytesFromPath(certPath2, keyPath2)
+	require.NoError(t, err, "should be able to load cert pair")
+}
