Enforce code coverage of secret

mtglib/secret.go

 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
-	"strings"
 )
 
 const (
 	SecretKeyLength = 16
 
-	secretFakeTLSFirstByte byte = 238
+	secretFakeTLSFirstByte byte = 0xee
 )
 
 var secretEmptyKey [SecretKeyLength]byte
 		return ErrSecretEmpty
 	}
 
-	var (
-		decoded []byte
-		err     error
-	)
-
-	if strings.HasPrefix(text, "ee") {
-		decoded, err = hex.DecodeString(strings.TrimPrefix(text, "ee"))
-	}
-
-	if err != nil || len(decoded) <= SecretKeyLength {
+	decoded, err := hex.DecodeString(text)
+	if err != nil {
 		decoded, err = base64.RawURLEncoding.DecodeString(text)
+	}
 
-		if err != nil {
-			return fmt.Errorf("incorrect secret format: %w", err)
-		}
+	if err != nil {
+		return fmt.Errorf("incorrect secret format: %w", err)
+	}
 
-		if len(decoded) <= SecretKeyLength {
-			return fmt.Errorf("secret has incorrect length %d", len(text))
-		}
+	if len(decoded) < 2 { // nolint: gomnd // we need at least 1 byte here
+		return fmt.Errorf("secret is truncated, length=%d", len(decoded))
+	}
 
-		if decoded[0] != secretFakeTLSFirstByte {
-			return fmt.Errorf("incorrect first byte: %v", decoded[0])
-		}
+	if decoded[0] != secretFakeTLSFirstByte {
+		return fmt.Errorf("incorrect first byte of secret: %#x", decoded[0])
+	}
 
-		decoded = decoded[1:]
+	decoded = decoded[1:]
+	if len(decoded) < SecretKeyLength {
+		return fmt.Errorf("secret has incorrect length %d", len(decoded))
 	}
 
 	copy(s.Key[:], decoded[:SecretKeyLength])

mtglib/secret_test.go

 }
 
 func (suite *SecretTestSuite) TestSerialize() {
+	s := mtglib.Secret{}
+
+	data, err := s.MarshalText()
+	suite.NoError(err)
+	suite.Empty(data)
+
 	secretData, _ := hex.DecodeString("d11c6cbbd9efe7fed5bc0db220b09665")
-	s := mtglib.Secret{
+	s = mtglib.Secret{
 		Host: "google.com",
 	}
 
 		"+ueJ0q91t5XOnFYP8Xac3A",
 		"eed11c6cbbd9efe7fed5bc0db220b09665",
 		"ed11c6cbbd9efe7fed5bc0db220b09665",
+		"",
+		"+**",
+		"ee",
+		"efd11c6cbbd9efe7fed5bc0db220b09665",
 	}
 
 	for _, v := range testData {