Widen test coverage.

Author: lewisgoddard

tests/test_api.py

@@ -433,3 +433,65 @@ async def test_deactivate_users_mode(client):
     r2 = await client.post("/deactivate", json={"license_id": lid, "app_id": "*", "user_principal": "bob@co.com"})
     assert r2.status_code == 404
     assert "Active activation not found" in r2.json()["detail"]
+
+
+@pytest.mark.asyncio
+async def test_activate_reactivates_after_deactivate(client):
+    """Re-activating a previously-released identity reuses (un-revokes) its row."""
+    lid = (await _issue_license(client, restriction="activations", activation_limit=1))["license_id"]
+    assert (await _activate(client, lid, machine_id="m1")).status_code == 200
+
+    deact = await client.post("/deactivate", json={"license_id": lid, "app_id": "*", "machine_id": "m1"})
+    assert deact.status_code == 204
+
+    r = await _activate(client, lid, machine_id="m1")
+    assert r.status_code == 200
+    assert r.json()["active_count"] == 1
+
+
+# ---------------------------------------------------------------------------
+# Admin auth + not-found branches
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_admin_requires_configured_key(client):
+    """With a bearer token but no admin key configured server-side → 503."""
+    from locksmith.core.config import settings
+
+    original = settings.admin_api_key
+    settings.admin_api_key = ""
+    try:
+        resp = await client.post("/licenses", json={}, headers={"Authorization": "Bearer anything"})
+        assert resp.status_code == 503
+        assert "not configured" in resp.json()["detail"].lower()
+    finally:
+        settings.admin_api_key = original
+
+
+@pytest.mark.asyncio
+async def test_get_unknown_license_returns_404(client):
+    from locksmith.core.config import settings
+
+    original = settings.admin_api_key
+    settings.admin_api_key = "testkey123"
+    try:
+        resp = await client.get("/licenses/no-such-id", headers={"Authorization": "Bearer testkey123"})
+        assert resp.status_code == 404
+        assert "not found" in resp.json()["detail"].lower()
+    finally:
+        settings.admin_api_key = original
+
+
+@pytest.mark.asyncio
+async def test_revoke_unknown_license_returns_404(client):
+    from locksmith.core.config import settings
+
+    original = settings.admin_api_key
+    settings.admin_api_key = "testkey123"
+    try:
+        resp = await client.delete("/licenses/no-such-id", headers={"Authorization": "Bearer testkey123"})
+        assert resp.status_code == 404
+        assert "not found" in resp.json()["detail"].lower()
+    finally:
+        settings.admin_api_key = original

tests/test_keys.py

@@ -72,6 +72,30 @@ def test_save_keypair_succeeds_without_permission_bit_assertions_on_non_posix(ke
     assert loaded_pubkey == pubkey
 
 
+def test_save_keypair_non_posix_branch(keypair, tmp_path, monkeypatch):
+    """Force the non-POSIX path (plain write_bytes, no fd/chmod) on a POSIX host.
+
+    Only ``keys``'s view of ``os`` reports ``name == 'nt'``; the real ``os`` is left
+    alone so ``pathlib`` still produces a usable ``PosixPath`` on this host.
+    """
+    import locksmith.core.keys as keys
+
+    class _NonPosixOS:
+        name = "nt"
+
+        def __getattr__(self, attr):
+            return getattr(os, attr)
+
+    monkeypatch.setattr(keys, "os", _NonPosixOS())
+    pubkey, privkey = keypair
+    priv_path, pub_path = save_keypair(pubkey, privkey, tmp_path / "keys")
+
+    assert priv_path.exists()
+    assert pub_path.exists()
+    assert rsa.PrivateKey.load_pkcs1(priv_path.read_bytes()) == privkey
+    assert rsa.PublicKey.load_pkcs1(pub_path.read_bytes()) == pubkey
+
+
 def test_load_pkcs1_raises_for_corrupted_key_files(tmp_path):
     priv_path = tmp_path / "id_rsa"
     pub_path = tmp_path / "id_rsa.pub"

tests/test_signer.py

@@ -347,3 +347,36 @@ async def test_verify_only_signer_cannot_sign(verify_only_signer):
     lic = _make_license()
     with pytest.raises(ValueError, match="no private key"):
         await sign_license(lic, verify_only_signer)
+
+
+# ---------------------------------------------------------------------------
+# Defensive / edge branches
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_naive_datetimes_treated_as_utc(file_signer):
+    """valid_from / expires_at without tzinfo are assumed to be UTC during validation."""
+    lic = _make_license(time_policy=TimePolicy.LIMITED)
+    naive_utc = datetime.now(UTC).replace(tzinfo=None)
+    lic.valid_from = naive_utc - timedelta(hours=1)
+    lic.expires_at = naive_utc + timedelta(hours=1)
+    await sign_license(lic, file_signer)  # re-sign so the signature matches the mutated payload
+    await validate_license(lic, file_signer)  # currently valid → must not raise
+
+
+@pytest.mark.asyncio
+async def test_specific_policy_requires_app_version(file_signer):
+    lic = _make_license(version_policy=VersionPolicy.SPECIFIC, locked_version="2.0.0")
+    await sign_license(lic, file_signer)
+    with pytest.raises(LicenseVersionError, match="app_version is required"):
+        await validate_license(lic, file_signer)  # no app_version supplied
+
+
+@pytest.mark.asyncio
+async def test_entitlement_version_range_requires_app_version(file_signer):
+    ent = Entitlement(app_id="com.app", min_version="2.0.0")
+    lic = _make_license(entitlements=[ent])
+    await sign_license(lic, file_signer)
+    with pytest.raises(LicenseVersionError, match="app_version is required"):
+        await validate_license(lic, file_signer, app_id="com.app")  # matches, but no app_version

tests/test_store.py

@@ -0,0 +1,14 @@
+"""Tests for store helpers not reachable through the API layer."""
+
+from __future__ import annotations
+
+import pytest
+
+import locksmith.core.store as store
+
+
+def test_get_session_raises_when_not_initialised(monkeypatch):
+    """get_session() refuses to hand out sessions before init_db() has run."""
+    monkeypatch.setattr(store, "_async_session", None)
+    with pytest.raises(RuntimeError, match="Database not initialised"):
+        store.get_session()