Merge feature/edgezero-pr18-phase5-verification into spin adapter branch

prk-Jr · prk-Jr · commit bee7a39e5a2a · 2026-05-28T16:37:38.000+05:30
Resolve conflict in parity.rs: preserve axum_www_auth binding from base
branch (required by assert_eq! below) and move spin WWW-Authenticate
presence check to end of function, consistent with deactivate test pattern.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -157,7 +157,7 @@ jobs:
         run: cargo test --manifest-path crates/integration-tests/Cargo.toml --test parity
 
       - name: Clippy (parity test crate)
-        run: cargo clippy --manifest-path crates/integration-tests/Cargo.toml -- -D warnings
+        run: cargo clippy --manifest-path crates/integration-tests/Cargo.toml --all-targets -- -D warnings
 
   test-typescript:
     name: vitest
diff --git a/crates/integration-tests/tests/parity.rs b/crates/integration-tests/tests/parity.rs
@@ -289,22 +289,27 @@ async fn admin_rotate_unauthenticated_parity() {
         "Cloudflare and Spin must return the same status for unauthenticated admin route"
     );
 
-    assert!(
-        axum_headers.contains_key("www-authenticate"),
-        "Axum 401 must include WWW-Authenticate header"
-    );
-    assert!(
-        spin_headers.contains_key("www-authenticate"),
-        "Spin 401 must include WWW-Authenticate header"
-    );
+    let axum_www_auth = axum_headers
+        .get("www-authenticate")
+        .expect("Axum 401 must include WWW-Authenticate")
+        .to_str()
+        .expect("should be valid UTF-8");
     let cf_www_auth = cf_headers
         .get("www-authenticate")
-        .expect("should have www-authenticate header on 401")
+        .expect("Cloudflare 401 must include WWW-Authenticate")
         .to_str()
         .expect("should be valid UTF-8");
+    assert_eq!(
+        axum_www_auth, cf_www_auth,
+        "WWW-Authenticate header value must match across adapters for /admin/keys/rotate"
+    );
     assert!(
-        cf_www_auth.starts_with("Basic realm="),
-        "Cloudflare 401 WWW-Authenticate must be Basic scheme: {cf_www_auth:?}"
+        axum_www_auth.starts_with("Basic"),
+        "WWW-Authenticate must use Basic scheme: {axum_www_auth:?}"
+    );
+    assert!(
+        spin_headers.contains_key("www-authenticate"),
+        "Spin 401 must include WWW-Authenticate header"
     );
 }
 
@@ -336,13 +341,23 @@ async fn admin_deactivate_unauthenticated_parity() {
         "Cloudflare and Spin must return the same status for unauthenticated admin/keys/deactivate"
     );
 
-    assert!(
-        axum_headers.contains_key("www-authenticate"),
-        "Axum 401 on admin/keys/deactivate must include WWW-Authenticate header"
+    let axum_www_auth = axum_headers
+        .get("www-authenticate")
+        .expect("Axum 401 on admin/keys/deactivate must include WWW-Authenticate")
+        .to_str()
+        .expect("should be valid UTF-8");
+    let cf_www_auth = cf_headers
+        .get("www-authenticate")
+        .expect("Cloudflare 401 on admin/keys/deactivate must include WWW-Authenticate")
+        .to_str()
+        .expect("should be valid UTF-8");
+    assert_eq!(
+        axum_www_auth, cf_www_auth,
+        "WWW-Authenticate header value must match across adapters for /admin/keys/deactivate"
     );
     assert!(
-        cf_headers.contains_key("www-authenticate"),
-        "Cloudflare 401 on admin/keys/deactivate must include WWW-Authenticate header"
+        axum_www_auth.starts_with("Basic"),
+        "WWW-Authenticate must use Basic scheme: {axum_www_auth:?}"
     );
     assert!(
         spin_headers.contains_key("www-authenticate"),
@@ -375,13 +390,20 @@ async fn geo_header_parity_on_all_responses() {
             spin_post_headers(path, body).await
         };
 
-        assert!(
-            axum_headers.contains_key("x-geo-info-available"),
-            "Axum: {method} {path} (status={axum_status}) must have X-Geo-Info-Available"
-        );
-        assert!(
-            cf_headers.contains_key("x-geo-info-available"),
-            "Cloudflare: {method} {path} (status={cf_status}) must have X-Geo-Info-Available"
+        let axum_geo = axum_headers
+            .get("x-geo-info-available")
+            .unwrap_or_else(|| panic!("Axum: {method} {path} (status={axum_status}) must have X-Geo-Info-Available"))
+            .to_str()
+            .expect("should be valid UTF-8");
+        let cf_geo = cf_headers
+            .get("x-geo-info-available")
+            .unwrap_or_else(|| panic!("Cloudflare: {method} {path} (status={cf_status}) must have X-Geo-Info-Available"))
+            .to_str()
+            .expect("should be valid UTF-8");
+        assert_eq!(
+            axum_geo, cf_geo,
+            "{method} {path}: X-Geo-Info-Available value must match across adapters \
+             (axum={axum_geo:?} cf={cf_geo:?})"
         );
         assert!(
             spin_headers.contains_key("x-geo-info-available"),
diff --git a/crates/trusted-server-adapter-cloudflare/tests/routes.rs b/crates/trusted-server-adapter-cloudflare/tests/routes.rs
@@ -8,6 +8,23 @@ use edgezero_core::app::Hooks as _;
 use edgezero_core::http::request_builder;
 use trusted_server_adapter_cloudflare::app::TrustedServerApp;
 
+/// Return the set of (METHOD, path) pairs explicitly registered on the router.
+fn registered_routes() -> Vec<(String, String)> {
+    TrustedServerApp::routes()
+        .routes()
+        .into_iter()
+        .map(|r| (r.method().to_string(), r.path().to_string()))
+        .collect()
+}
+
+fn assert_route_registered(method: &str, path: &str) {
+    let routes = registered_routes();
+    assert!(
+        routes.iter().any(|(m, p)| m == method && p == path),
+        "{method} {path} must be explicitly registered; registered routes: {routes:?}"
+    );
+}
+
 #[test]
 fn routes_build_without_panic() {
     // build_state() may fail (no real settings in CI) — startup_error_router
@@ -92,152 +109,29 @@ async fn tsjs_route_is_routed_not_5xx() {
     assert!(status < 500, "tsjs route must not 5xx: got {status}");
 }
 
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn verify_signature_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("POST")
-        .uri("/verify-signature")
-        .header("content-type", "application/json")
-        .body(edgezero_core::body::Body::from("{}"))
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "/verify-signature must be routed"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn admin_rotate_key_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("POST")
-        .uri("/admin/keys/rotate")
-        .header("content-type", "application/json")
-        .body(edgezero_core::body::Body::from("{}"))
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "/admin/keys/rotate must be routed"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn admin_deactivate_key_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("POST")
-        .uri("/admin/keys/deactivate")
-        .header("content-type", "application/json")
-        .body(edgezero_core::body::Body::from("{}"))
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "/admin/keys/deactivate must be routed"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn auction_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("POST")
-        .uri("/auction")
-        .header("content-type", "application/json")
-        .body(edgezero_core::body::Body::from(r#"{"adUnits":[]}"#))
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(resp.status().as_u16(), 404, "/auction must be routed");
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn first_party_proxy_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("GET")
-        .uri("/first-party/proxy")
-        .body(edgezero_core::body::Body::empty())
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    // Handlers require valid outbound proxy settings; they may return 4xx/5xx in CI.
-    // The assertion is routing only: the path must not fall through to the 404 not-found handler.
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "/first-party/proxy must be routed"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn first_party_click_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("GET")
-        .uri("/first-party/click")
-        .body(edgezero_core::body::Body::empty())
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "/first-party/click must be routed"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn first_party_sign_get_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("GET")
-        .uri("/first-party/sign")
-        .body(edgezero_core::body::Body::empty())
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "GET /first-party/sign must be routed"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn first_party_sign_post_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("POST")
-        .uri("/first-party/sign")
-        .header("content-type", "application/json")
-        .body(edgezero_core::body::Body::from("{}"))
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "POST /first-party/sign must be routed"
-    );
-}
+/// Verify that every expected explicit route is registered in the route table.
+///
+/// Uses [`RouterService::routes()`] for introspection rather than checking
+/// response status codes — wildcards (`/{*rest}`) can return non-404 even when
+/// an explicit registration is missing, making status-based checks false positives.
+#[test]
+fn all_explicit_routes_are_registered() {
+    let expected: &[(&str, &str)] = &[
+        ("GET", "/.well-known/trusted-server.json"),
+        ("POST", "/verify-signature"),
+        ("POST", "/admin/keys/rotate"),
+        ("POST", "/admin/keys/deactivate"),
+        ("POST", "/auction"),
+        ("GET", "/first-party/proxy"),
+        ("GET", "/first-party/click"),
+        ("GET", "/first-party/sign"),
+        ("POST", "/first-party/sign"),
+        ("POST", "/first-party/proxy-rebuild"),
+    ];
 
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn first_party_proxy_rebuild_is_routed() {
-    let router = TrustedServerApp::routes();
-    let req = request_builder()
-        .method("POST")
-        .uri("/first-party/proxy-rebuild")
-        .header("content-type", "application/json")
-        .body(edgezero_core::body::Body::from("{}"))
-        .expect("should build request");
-    let resp = router.oneshot(req).await;
-    assert_ne!(
-        resp.status().as_u16(),
-        404,
-        "/first-party/proxy-rebuild must be routed"
-    );
+    for (method, path) in expected {
+        assert_route_registered(method, path);
+    }
 }
 
 // ---------------------------------------------------------------------------
