From 58a2952ec478b80135caa0c155f79dc07e6be2d8 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 16 May 2026 21:08:24 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=AA=20Testing=20Improvement:=20Add=20t?=
 =?UTF-8?q?ests=20for=20MarshalCertificate?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds unit tests to cover the MarshalCertificate and UnmarshalCertificate functions in internal/identity/identity.go. A BUILD.bazel go_test target has also been added to ensure the tests execute within the Bazel build system.

This commit has been created by an automated coding assistant, with human supervision.
Prompt:
# 🧪 Testing Improvement Task

You are a testing-focused agent. Your mission is to analyze and implement a testing improvement that will increase the reliability and coverage of the codebase.

## Task Details

**File:** `internal/identity/identity.go:166`
**Issue:** Missing test for MarshalCertificate in internal/identity/identity.go

**Language:** go

**Current Code:**
```go
	}
	return x509.ParsePKCS8PrivateKey(der)
}

// MarshalCertificate exports the certificate in PEM format.
func MarshalCertificate(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// UnmarshalCertificate imports a certificate from PEM format.
func UnmarshalCertificate(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("failed to decode PEM block")
	}
```

**Rationale:** Function MarshalCertificate seems straightforward to test.

## Your Process

### 1. 🔍 UNDERSTAND - Analyze the Testing Gap
* Review the code that needs testing
* Understand what functionality should be tested
* Identify edge cases and error conditions

### 2. 📋 PLAN - Design the Test Strategy
Before writing tests, plan your approach:
* What test framework is used in this project?
* What existing test patterns should you follow?
* What scenarios need to be covered?

### 3. 🔧 IMPLEMENT - Write Effective Tests
* Write clear, focused test cases
* Follow existing testing patterns and conventions
* Cover happy paths, edge cases, and error conditions
* Use appropriate mocks and test doubles
* Ensure tests are deterministic and not flaky

### 4. ✅ VERIFY - Validate the Tests
- Run the new tests to ensure they pass
- Run the full test suite to ensure no regressions
- Verify the tests actually catch bugs (try breaking the code to confirm the test fails)

### 5. 📝 DOCUMENT - Explain the Testing Improvement
Create a PR with:
- Title: "🧪 [testing improvement description]"
- Description with:
  * 🎯 **What:** The testing gap addressed
  * 📊 **Coverage:** What scenarios are now tested
  * ✨ **Result:** The improvement in test coverage

Remember: Good tests are the safety net that allows confident refactoring. Write tests that catch real bugs.

Co-authored-by: filmil <246576+filmil@users.noreply.github.com>
---
 internal/identity/BUILD.bazel      |  8 ++++
 internal/identity/identity_test.go | 59 ++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/internal/identity/BUILD.bazel b/internal/identity/BUILD.bazel
index f9625fc..29b25c5 100644
--- a/internal/identity/BUILD.bazel
+++ b/internal/identity/BUILD.bazel
@@ -12,3 +12,11 @@ go_library(
         "@org_golang_google_protobuf//reflect/protoreflect",
     ],
 )
+
+load("@rules_go//go:def.bzl", "go_test")
+
+go_test(
+    name = "identity_test",
+    srcs = ["identity_test.go"],
+    embed = [":identity"],
+)
diff --git a/internal/identity/identity_test.go b/internal/identity/identity_test.go
index 21dee9a..ac751fa 100644
--- a/internal/identity/identity_test.go
+++ b/internal/identity/identity_test.go
@@ -27,3 +27,62 @@ func TestGenerate(t *testing.T) {
 		t.Error("Generate() returned identity with nil private key")
 	}
 }
+
+func TestMarshalUnmarshalCertificate(t *testing.T) {
+	shortName := "test-agent-cert"
+	ident, err := Generate(shortName)
+	if err != nil {
+		t.Fatalf("Generate() failed: %v", err)
+	}
+
+	pemData := MarshalCertificate(ident.Certificate)
+	if len(pemData) == 0 {
+		t.Fatal("MarshalCertificate() returned empty byte slice")
+	}
+
+	cert, err := UnmarshalCertificate(pemData)
+	if err != nil {
+		t.Fatalf("UnmarshalCertificate() failed: %v", err)
+	}
+
+	if cert == nil {
+		t.Fatal("UnmarshalCertificate() returned nil certificate")
+	}
+
+	if cert.Subject.CommonName != shortName {
+		t.Errorf("UnmarshalCertificate() returned certificate with CommonName %q, want %q", cert.Subject.CommonName, shortName)
+	}
+}
+
+func TestUnmarshalCertificate_Errors(t *testing.T) {
+	tests := []struct {
+		name    string
+		pemData []byte
+	}{
+		{
+			name:    "empty input",
+			pemData: []byte(""),
+		},
+		{
+			name:    "invalid PEM data",
+			pemData: []byte("NOT A PEM"),
+		},
+		{
+			name:    "corrupted certificate bytes",
+			pemData: []byte("-----BEGIN CERTIFICATE-----\nYXNkZg==\n-----END CERTIFICATE-----"),
+		},
+		{
+			name:    "incorrect PEM block type",
+			pemData: []byte("-----BEGIN PRIVATE KEY-----\nYXNkZg==\n-----END PRIVATE KEY-----"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := UnmarshalCertificate(tt.pemData)
+			if err == nil {
+				t.Error("UnmarshalCertificate() expected error, got nil")
+			}
+		})
+	}
+}