Fix unit tests

kvinwang · kvinwang · commit 73b3cec82e12 · 2026-01-19T08:12:30.000Z
diff --git a/certbot/src/acme_client.rs b/certbot/src/acme_client.rs
@@ -64,7 +64,7 @@ impl AcmeClient {
         dns_txt_ttl: u32,
     ) -> Result<Self> {
         let credentials: Credentials = serde_json::from_str(encoded_credentials)?;
-        let http_client = Box::new(ReqwestHttpClient::new());
+        let http_client = Box::new(ReqwestHttpClient::new()?);
         let account =
             Account::from_credentials_and_http(credentials.credentials, http_client).await?;
         let credentials: Credentials = serde_json::from_str(encoded_credentials)?;
@@ -84,7 +84,7 @@ impl AcmeClient {
         max_dns_wait: Duration,
         dns_txt_ttl: u32,
     ) -> Result<Self> {
-        let http_client = Box::new(ReqwestHttpClient::new());
+        let http_client = Box::new(ReqwestHttpClient::new()?);
         let (account, credentials) = Account::create_with_http(
             &NewAccount {
                 contact: &[],
diff --git a/certbot/src/http_client.rs b/certbot/src/http_client.rs
@@ -4,6 +4,7 @@
 
 //! Custom HTTP client for instant_acme that supports both HTTP and HTTPS.
 
+use anyhow::{Context, Result};
 use bytes::Bytes;
 use http::Request;
 use http_body_util::{BodyExt, Full};
@@ -22,18 +23,12 @@ pub struct ReqwestHttpClient {
 
 impl ReqwestHttpClient {
     /// Create a new HTTP client.
-    pub fn new() -> Self {
+    pub fn new() -> Result<Self> {
         let client = Client::builder()
             .user_agent("dstack-certbot/0.1")
             .build()
-            .expect("failed to build reqwest client");
-        Self { client }
-    }
-}
-
-impl Default for ReqwestHttpClient {
-    fn default() -> Self {
-        Self::new()
+            .context("failed to build reqwest client")?;
+        Ok(Self { client })
     }
 }
 
diff --git a/gateway/src/cert_store.rs b/gateway/src/cert_store.rs
@@ -319,6 +319,13 @@ fn format_expiry(not_after: u64) -> String {
 mod tests {
     use super::*;
 
+    impl CertStore {
+        /// Check if a certificate can be resolved for a given SNI hostname
+        pub fn has_cert_for_sni(&self, sni: &str) -> bool {
+            self.resolve_cert(sni).is_some()
+        }
+    }
+
     fn make_test_cert_data() -> CertData {
         // Generate a self-signed test certificate using rcgen
         use ra_tls::rcgen::{self, CertificateParams, KeyPair};
@@ -427,9 +434,8 @@ mod tests {
         assert!(store.has_cert_for_sni("foo.example.com"));
         assert!(store.has_cert_for_sni("bar.example.com"));
 
-        // Note: wildcard certs also match nested subdomains in our implementation
-        // This is intentional for ease of use with wildcard domains
-        assert!(store.has_cert_for_sni("sub.foo.example.com"));
+        // Wildcard certs do not match nested subdomains
+        assert!(!store.has_cert_for_sni("sub.foo.example.com"));
 
         // Should not resolve different domain
         assert!(!store.has_cert_for_sni("example.org"));
diff --git a/gateway/src/main_service.rs b/gateway/src/main_service.rs
@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use std::{
-    collections::{BTreeMap, BTreeSet},
+    collections::{BTreeMap, BTreeSet, HashSet},
     net::Ipv4Addr,
     ops::Deref,
     sync::{Arc, Mutex, MutexGuard},
@@ -528,41 +528,36 @@ fn start_zt_domain_watch_task(proxy: Proxy) {
     let kv_store = proxy.kv_store.clone();
     let certbot = proxy.certbot.clone();
 
-    // Track known domains to detect additions
-    let known_domains: std::sync::Arc<std::sync::Mutex<std::collections::HashSet<String>>> =
-        std::sync::Arc::new(std::sync::Mutex::new(
-            kv_store
-                .list_zt_domain_configs()
-                .into_iter()
-                .map(|c| c.domain)
-                .collect(),
-        ));
-
     let mut rx = kv_store.watch_zt_domain_configs();
     tokio::spawn(async move {
+        // Track known domains to detect additions
+        let mut known_domains = kv_store
+            .list_zt_domain_configs()
+            .into_iter()
+            .map(|c| c.domain)
+            .collect::<HashSet<_>>();
+
         loop {
             if rx.changed().await.is_err() {
                 break;
             }
 
             // Get current domains
-            let current_domains: std::collections::HashSet<String> = kv_store
+            let current_domains: HashSet<String> = kv_store
                 .list_zt_domain_configs()
                 .into_iter()
                 .map(|c| c.domain)
                 .collect();
 
             // Find newly added domains
-            let mut known = known_domains.lock().unwrap();
             let new_domains: Vec<String> = current_domains
                 .iter()
-                .filter(|d| !known.contains(*d))
+                .filter(|d| !known_domains.contains(*d))
                 .cloned()
                 .collect();
 
             // Update known domains
-            *known = current_domains;
-            drop(known);
+            known_domains = current_domains;
 
             // Trigger renewal for new domains
             for domain in new_domains {
diff --git a/gateway/src/main_service/tests.rs b/gateway/src/main_service/tests.rs
@@ -21,9 +21,6 @@ impl std::ops::Deref for TestState {
 async fn create_test_state() -> TestState {
     let figment = load_config_figment(None);
     let mut config = figment.focus("core").extract::<Config>().unwrap();
-    let cargo_dir = env!("CARGO_MANIFEST_DIR");
-    config.proxy.cert_chain = format!("{cargo_dir}/assets/cert.pem");
-    config.proxy.cert_key = format!("{cargo_dir}/assets/cert.key");
     let temp_dir = TempDir::new().expect("failed to create temp dir");
     config.sync.data_dir = temp_dir.path().to_string_lossy().to_string();
     let options = ProxyOptions {
diff --git a/gateway/src/proxy.rs b/gateway/src/proxy.rs
@@ -11,6 +11,7 @@ use std::{
 };
 
 use anyhow::{bail, Context, Result};
+use or_panic::ResultOrPanic;
 use sni::extract_sni;
 pub(crate) use tls_terminate::create_acceptor_with_cert_resolver;
 use tokio::{
@@ -212,14 +213,14 @@ pub fn start(config: ProxyConfig, app_state: Proxy) -> Result<()> {
             let rt = tokio::runtime::Builder::new_current_thread()
                 .enable_all()
                 .build()
-                .expect("Failed to build Tokio runtime");
+                .or_panic("Failed to build Tokio runtime");
 
             let worker_rt = tokio::runtime::Builder::new_multi_thread()
                 .thread_name("proxy-worker")
                 .enable_all()
                 .worker_threads(config.workers)
                 .build()
-                .expect("Failed to build Tokio runtime");
+                .or_panic("Failed to build Tokio runtime");
 
             // Run the proxy_main function in this runtime
             if let Err(err) = rt.block_on(proxy_main(&worker_rt, &config, app_state)) {
@@ -239,8 +240,6 @@ mod tests {
 
     #[test]
     fn test_parse_destination() {
-        let base_domain = ".example.com";
-
         // Test basic app_id only
         let result = parse_dst_info("myapp").unwrap();
         assert_eq!(result.app_id, "myapp");
diff --git a/sdk/rust/tests/test_tappd_client.rs b/sdk/rust/tests/test_tappd_client.rs
@@ -11,27 +11,18 @@ use std::env;
 async fn test_tappd_client_creation() {
     // Test client creation with default endpoint
     let _client = TappdClient::new(None);
-
-    // This should succeed without panicking
-    assert!(true);
 }
 
 #[tokio::test]
 async fn test_tappd_client_with_custom_endpoint() {
     // Test client creation with custom endpoint
     let _client = TappdClient::new(Some("/custom/path/tappd.sock"));
-
-    // This should succeed without panicking
-    assert!(true);
 }
 
 #[tokio::test]
 async fn test_tappd_client_with_http_endpoint() {
     // Test client creation with HTTP endpoint
     let _client = TappdClient::new(Some("http://localhost:8080"));
-
-    // This should succeed without panicking
-    assert!(true);
 }
 
 // Integration tests that require a running tappd service
