Skip to content

test(elasticache): real TLS + auth coverage, not a plaintext stand-in#47

Merged
mrjasonroy merged 2 commits into
mainfrom
test/elasticache-real-tls-auth-coverage
Jun 25, 2026
Merged

test(elasticache): real TLS + auth coverage, not a plaintext stand-in#47
mrjasonroy merged 2 commits into
mainfrom
test/elasticache-real-tls-auth-coverage

Conversation

@mrjasonroy

Copy link
Copy Markdown
Owner

Why

The README/CI claim ElastiCache is covered by the e2e suite, but the coverage was hollow:

  • The e2e-elasticache job ran the handler against a plaintext Redis container — ELASTICACHE_TLS: "false" and no auth token. That exercises the switch branch but with the exact two things that differ on a real ElastiCache cluster (in-transit TLS + auth token) turned off. It was wire-identical to the plain redis job.
  • factory.test.ts had no elasticache case at all.

So the part most likely to break against real ElastiCache — the TLS handshake and AUTH — was never tested. (Found while wiring this handler to a live AWS ElastiCache cluster with in-transit encryption + an auth token.)

What

1. Unit coverage for the factory's elasticache branch (factory.test.ts, no network)
Asserts ELASTICACHE_* env vars and explicit options map to the ioredis config — host/port, TLS-on-by-default, auth-token password, connectTimeout, retryStrategy — and that a missing endpoint throws. Reuses the existing ioredis mock.

2. e2e-elasticache CI job now runs against TLS + AUTH (.github/workflows/ci.yml)

  • Generates a self-signed CA + server cert (SAN=localhost).
  • Starts Redis with --tls-port 6379 --tls-auth-clients no --requirepass <token> (server-side TLS + auth token, no client certs — mirroring real ElastiCache).
  • Trusts the CA via NODE_EXTRA_CA_CERTS, so the factory's tls: {} (default certificate verification) succeeds against localhost.
  • Flips the job env to ELASTICACHE_TLS: "true" + ELASTICACHE_AUTH_TOKEN.

No AWS needed — a TLS+auth Redis is wire-identical to ElastiCache for this code path (there's zero AWS-SDK code in it; the only difference is which CA signs the cert). The real TLS handshake + AUTH are now exercised end to end.

3. e2e app builds through the package factory (apps/e2e-test-app/data-cache-handler.mjs)
The elasticache branch hand-wired ioredis (a copy of the factory logic). It now calls createCacheHandler({ type: "elasticache" }), so the e2e covers the shipped code path rather than a duplicate.

Verification (local)

  • vitest run factory.test.ts → 9/9 pass (4 existing + 5 new)
  • tsc --noEmit clean · biome check clean
  • The TLS round-trip runs in CI on this PR.

🤖 Generated with Claude Code

The ElastiCache backend was claimed as CI-covered, but the e2e-elasticache
job ran the handler against a plaintext Redis (ELASTICACHE_TLS=false, no
auth token) — so it only proved the switch branch, never the TLS handshake
or AUTH that real ElastiCache actually requires. factory.test.ts had no
elasticache case at all.

- factory.test.ts: assert the elasticache branch maps ELASTICACHE_* env vars
  (and explicit options) to the ioredis config (host/port, TLS-on-by-default,
  auth-token password, connect timeout, retry) and throws without an endpoint.
- e2e-elasticache CI job: run Redis with in-transit TLS + requirepass; trust a
  self-signed CA via NODE_EXTRA_CA_CERTS so the factory's `tls: {}` (default
  cert verification) succeeds against SAN=localhost. No AWS required, but the
  TLS + AUTH path is now actually exercised.
- e2e app builds its handler through createCacheHandler({ type: "elasticache" })
  so the e2e covers the shipped factory, not a hand-wired copy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the e2e test application to use the package's createCacheHandler factory for the elasticache cache type, replacing custom ioredis initialization. It also adds comprehensive unit tests for the elasticache factory branch, covering environment variable mapping, option overrides, and error handling. Feedback on the tests suggests verifying the behavior of the retryStrategy function and adding a test case to ensure that passing tls: false in the options successfully overrides the default TLS behavior.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread packages/cache-handler/src/data-cache/factory.test.ts
Comment thread packages/cache-handler/src/data-cache/factory.test.ts
Address gemini-code-assist review on the factory tests:
- Verify retryStrategy's actual backoff (200ms, 600ms, null after 3 attempts),
  not just that a function was passed.
- Add coverage for the explicit `options.tls: false` override (the existing
  test only covered the ELASTICACHE_TLS env var path).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mrjasonroy mrjasonroy enabled auto-merge (squash) June 25, 2026 23:08
@mrjasonroy mrjasonroy merged commit b668e5c into main Jun 25, 2026
7 checks passed
@mrjasonroy mrjasonroy deleted the test/elasticache-real-tls-auth-coverage branch June 25, 2026 23:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant