Skip to content

[test] Add tests for difc.labels (CheckFlow, ViolationError, Clone, Union)#1370

Merged
lpcox merged 1 commit intomainfrom
add-labels-tests-19dd5330b2b38598
Feb 25, 2026
Merged

[test] Add tests for difc.labels (CheckFlow, ViolationError, Clone, Union)#1370
lpcox merged 1 commit intomainfrom
add-labels-tests-19dd5330b2b38598

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Feb 24, 2026

Test Coverage Improvement: internal/difc/labels.go

Function Analyzed

  • Package: internal/difc
  • File: labels.go
  • Previous Coverage: ~0% for the specific functions targeted
  • Complexity: Medium-High (multiple type hierarchies, nil-receiver patterns, branching error messages)

Why This Function?

labels.go implements the core DIFC (Decentralized Information Flow Control) label primitives — Label, SecrecyLabel, IntegrityLabel, and ViolationError. Despite being central to the security model, several key functions had no direct test coverage:

  • CheckFlow methods (used by evaluator.go but never tested in isolation)
  • ViolationError.Error() — 4-way branch covering secrecy/integrity × read/write scenarios
  • ViolationError.Detailed() — extends Error() with tag context
  • Clone methods for both label types (nil-receiver edge cases)
  • Label.Union, Label.Clone, Label.GetTags base-level operations
  • NewSecrecyLabelWithTags / NewIntegrityLabelWithTags constructors

Tests Added

New file: internal/difc/labels_test.go

  • TestLabel_Union — merging tags, nil other, overlapping tags, empty inputs
  • TestLabel_Clone — independence from original, empty label clone
  • TestLabel_GetTags — correct tag enumeration
  • TestSecrecyLabel_CheckFlow — nil receiver, nil target, subset/superset, multi-tag violations
  • TestIntegrityLabel_CheckFlow — nil receiver, nil target, superset/missing tag scenarios
  • TestSecrecyLabel_Clone — nil receiver, nil inner Label, independence
  • TestIntegrityLabel_Clone — nil receiver, nil inner Label, independence
  • TestNewSecrecyLabelWithTags / TestNewIntegrityLabelWithTags — constructors with tags and nil
  • TestViolationError_Error — all 4 branches (secrecy with/without extra tags; integrity write/read with/without missing tags)
  • TestViolationError_Detailed — tag context, secrecy vs integrity, length check
  • TestViolationError_implementsError — interface compliance
  • TestSecrecyLabel_CanFlowTo_NilCases — nil receiver and nil argument edge cases
  • TestIntegrityLabel_CanFlowTo_NilCases — nil receiver and nil argument edge cases

Testing Approach

All tests follow the project's table-driven test pattern with testify/assert and testify/require assertions. Nil-receiver method calls are exercised directly using typed nil pointers (safe since the implementations explicitly guard against nil receivers).

Generated by Test Coverage Improver

AI generated by Test Coverage Improver

@github-actions
Add comprehensive tests for difc/labels.go
50aaa1a 
Cover previously untested functions in the difc labels package:
- Label.Union, Label.Clone, Label.GetTags
- SecrecyLabel.CheckFlow with all nil/edge-case branches
- IntegrityLabel.CheckFlow with all nil/edge-case branches
- SecrecyLabel.Clone and IntegrityLabel.Clone (nil receiver cases)
- NewSecrecyLabelWithTags and NewIntegrityLabelWithTags
- ViolationError.Error() with all branching paths
  (SecrecyViolation, IntegrityViolation write/read, missing/extra tags)
- ViolationError.Detailed() and interface compliance

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox marked this pull request as ready for review February 25, 2026 00:55
Copilot AI review requested due to automatic review settings February 25, 2026 00:55
@lpcox lpcox merged commit e8809de into main Feb 25, 2026
2 checks passed
@lpcox lpcox deleted the add-labels-tests-19dd5330b2b38598 branch February 25, 2026 00:55
Copilot AI reviewed Feb 25, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds focused unit tests for the core DIFC label primitives in internal/difc/labels.go, improving confidence in secrecy/integrity flow checks and DIFC violation messaging.

Changes:

  • Introduces comprehensive table-driven tests for Label, SecrecyLabel, and IntegrityLabel operations (Union/Clone/GetTags/CheckFlow/CanFlowTo).
  • Adds branch coverage for ViolationError.Error() and ViolationError.Detailed(), including interface compliance.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

internal/difc/labels_test.go
Comment on lines +16 to +17
other []Tag // nil means nil *Label is passed
nilOther bool
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The struct field comment for other []Tag is misleading: in this table nil for other produces an empty Label (since nilOther controls whether a nil *Label is passed). Consider updating the comment and/or removing the redundant nilOther flag to avoid confusion when adding new cases.

Suggested change
other []Tag // nil means nil *Label is passed
nilOther bool
other []Tag // nil means "other" is an empty label (no tags)
nilOther bool // when true, a nil *Label is passed to Union

Copilot uses AI. Check for mistakes.
This was referenced Feb 25, 2026
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

automation testing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox