refactor service manager code and add tests

management/internals/modules/reverseproxy/manager/manager.go

@@ -135,54 +135,11 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	var proxyCluster string
-	if m.clusterDeriver != nil {
-		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
-			return nil, status.Errorf(status.PreconditionFailed, "could not derive cluster from domain %s: %v", service.Domain, err)
-		}
+	if err := m.initializeServiceForCreate(ctx, accountID, service); err != nil {
+		return nil, err
 	}
 
-	service.AccountID = accountID
-	service.ProxyCluster = proxyCluster
-	service.InitNewRecord()
-	err = service.Auth.HashSecrets()
-	if err != nil {
-		return nil, fmt.Errorf("hash secrets: %w", err)
-	}
-
-	// Generate session JWT signing keys
-	keyPair, err := sessionkey.GenerateKeyPair()
-	if err != nil {
-		return nil, fmt.Errorf("generate session keys: %w", err)
-	}
-	service.SessionPrivateKey = keyPair.PrivateKey
-	service.SessionPublicKey = keyPair.PublicKey
-
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		// Check for duplicate domain
-		existingService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
-		if err != nil {
-			if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
-				return fmt.Errorf("failed to check existing service: %w", err)
-			}
-		}
-		if existingService != nil {
-			return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
-		}
-
-		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err = transaction.CreateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to create service: %w", err)
-		}
-
-		return nil
-	})
-	if err != nil {
+	if err := m.persistNewService(ctx, accountID, service); err != nil {
 		return nil, err
 	}
 
@@ -200,6 +157,67 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 	return service, nil
 }
 
+func (m *managerImpl) initializeServiceForCreate(ctx context.Context, accountID string, service *reverseproxy.Service) error {
+	if m.clusterDeriver != nil {
+		proxyCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
+			return status.Errorf(status.PreconditionFailed, "could not derive cluster from domain %s: %v", service.Domain, err)
+		}
+		service.ProxyCluster = proxyCluster
+	}
+
+	service.AccountID = accountID
+	service.InitNewRecord()
+
+	if err := service.Auth.HashSecrets(); err != nil {
+		return fmt.Errorf("hash secrets: %w", err)
+	}
+
+	keyPair, err := sessionkey.GenerateKeyPair()
+	if err != nil {
+		return fmt.Errorf("generate session keys: %w", err)
+	}
+	service.SessionPrivateKey = keyPair.PrivateKey
+	service.SessionPublicKey = keyPair.PublicKey
+
+	return nil
+}
+
+func (m *managerImpl) persistNewService(ctx context.Context, accountID string, service *reverseproxy.Service) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		if err := m.checkDomainAvailable(ctx, transaction, accountID, service.Domain, ""); err != nil {
+			return err
+		}
+
+		if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+			return err
+		}
+
+		if err := transaction.CreateService(ctx, service); err != nil {
+			return fmt.Errorf("failed to create service: %w", err)
+		}
+
+		return nil
+	})
+}
+
+func (m *managerImpl) checkDomainAvailable(ctx context.Context, transaction store.Store, accountID, domain, excludeServiceID string) error {
+	existingService, err := transaction.GetServiceByDomain(ctx, accountID, domain)
+	if err != nil {
+		if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+			return fmt.Errorf("failed to check existing service: %w", err)
+		}
+		return nil
+	}
+
+	if existingService != nil && existingService.ID != excludeServiceID {
+		return status.Errorf(status.AlreadyExists, "service with domain %s already exists", domain)
+	}
+
+	return nil
+}
+
 func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
 	if err != nil {
@@ -209,99 +227,122 @@ func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID strin
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	var oldCluster string
-	var domainChanged bool
-	var serviceEnabledChanged bool
-
-	err = service.Auth.HashSecrets()
-	if err != nil {
+	if err := service.Auth.HashSecrets(); err != nil {
 		return nil, fmt.Errorf("hash secrets: %w", err)
 	}
 
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
-		if err != nil {
-			return err
-		}
-
-		oldCluster = existingService.ProxyCluster
-
-		if existingService.Domain != service.Domain {
-			domainChanged = true
-			conflictService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
-			if err != nil {
-				if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
-					return fmt.Errorf("check existing service: %w", err)
-				}
-			}
-			if conflictService != nil && conflictService.ID != service.ID {
-				return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
-			}
-
-			if m.clusterDeriver != nil {
-				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
-				if err != nil {
-					log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
-				}
-				service.ProxyCluster = newCluster
-			}
-		} else {
-			service.ProxyCluster = existingService.ProxyCluster
-		}
-
-		if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
-			existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
-			service.Auth.PasswordAuth.Password == "" {
-			service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
-		}
-
-		if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
-			existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
-			service.Auth.PinAuth.Pin == "" {
-			service.Auth.PinAuth = existingService.Auth.PinAuth
-		}
-
-		service.Meta = existingService.Meta
-		service.SessionPrivateKey = existingService.SessionPrivateKey
-		service.SessionPublicKey = existingService.SessionPublicKey
-		serviceEnabledChanged = existingService.Enabled != service.Enabled
-
-		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err = transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("update service: %w", err)
-		}
-
-		return nil
-	})
+	updateInfo, err := m.persistServiceUpdate(ctx, accountID, service)
 	if err != nil {
 		return nil, err
 	}
 
 	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceUpdated, service.EventMeta())
 
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
+	if err := m.replaceHostByLookup(ctx, accountID, service); err != nil {
 		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
 	}
 
+	m.sendServiceUpdateNotifications(service, updateInfo)
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return service, nil
+}
+
+type serviceUpdateInfo struct {
+	oldCluster            string
+	domainChanged         bool
+	serviceEnabledChanged bool
+}
+
+func (m *managerImpl) persistServiceUpdate(ctx context.Context, accountID string, service *reverseproxy.Service) (*serviceUpdateInfo, error) {
+	var updateInfo serviceUpdateInfo
+
+	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
+		if err != nil {
+			return err
+		}
+
+		updateInfo.oldCluster = existingService.ProxyCluster
+		updateInfo.domainChanged = existingService.Domain != service.Domain
+
+		if updateInfo.domainChanged {
+			if err := m.handleDomainChange(ctx, transaction, accountID, service); err != nil {
+				return err
+			}
+		} else {
+			service.ProxyCluster = existingService.ProxyCluster
+		}
+
+		m.preserveExistingAuthSecrets(service, existingService)
+		m.preserveServiceMetadata(service, existingService)
+		updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled
+
+		if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+			return err
+		}
+
+		if err := transaction.UpdateService(ctx, service); err != nil {
+			return fmt.Errorf("update service: %w", err)
+		}
+
+		return nil
+	})
+
+	return &updateInfo, err
+}
+
+func (m *managerImpl) handleDomainChange(ctx context.Context, transaction store.Store, accountID string, service *reverseproxy.Service) error {
+	if err := m.checkDomainAvailable(ctx, transaction, accountID, service.Domain, service.ID); err != nil {
+		return err
+	}
+
+	if m.clusterDeriver != nil {
+		newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
+		} else {
+			service.ProxyCluster = newCluster
+		}
+	}
+
+	return nil
+}
+
+func (m *managerImpl) preserveExistingAuthSecrets(service, existingService *reverseproxy.Service) {
+	if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
+		existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
+		service.Auth.PasswordAuth.Password == "" {
+		service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
+	}
+
+	if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
+		existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
+		service.Auth.PinAuth.Pin == "" {
+		service.Auth.PinAuth = existingService.Auth.PinAuth
+	}
+}
+
+func (m *managerImpl) preserveServiceMetadata(service, existingService *reverseproxy.Service) {
+	service.Meta = existingService.Meta
+	service.SessionPrivateKey = existingService.SessionPrivateKey
+	service.SessionPublicKey = existingService.SessionPublicKey
+}
+
+func (m *managerImpl) sendServiceUpdateNotifications(service *reverseproxy.Service, updateInfo *serviceUpdateInfo) {
 	oidcCfg := m.proxyGRPCServer.GetOIDCValidationConfig()
+
 	switch {
-	case domainChanged && oldCluster != service.ProxyCluster:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), oldCluster)
+	case updateInfo.domainChanged && updateInfo.oldCluster != service.ProxyCluster:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), updateInfo.oldCluster)
 		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
-	case !service.Enabled && serviceEnabledChanged:
+	case !service.Enabled && updateInfo.serviceEnabledChanged:
 		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), service.ProxyCluster)
-	case service.Enabled && serviceEnabledChanged:
+	case service.Enabled && updateInfo.serviceEnabledChanged:
 		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
 	default:
 		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", oidcCfg), service.ProxyCluster)
 	}
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return service, nil
 }
 
 // validateTargetReferences checks that all target IDs reference existing peers or resources in the account.

management/internals/modules/reverseproxy/manager/manager_test.go

@@ -0,0 +1,375 @@
+package manager
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+func TestInitializeServiceForCreate(t *testing.T) {
+	ctx := context.Background()
+	accountID := "test-account"
+
+	t.Run("successful initialization without cluster deriver", func(t *testing.T) {
+		mgr := &managerImpl{
+			clusterDeriver: nil,
+		}
+
+		service := &reverseproxy.Service{
+			Domain: "example.com",
+			Auth:   reverseproxy.AuthConfig{},
+		}
+
+		err := mgr.initializeServiceForCreate(ctx, accountID, service)
+
+		assert.NoError(t, err)
+		assert.Equal(t, accountID, service.AccountID)
+		assert.Empty(t, service.ProxyCluster, "proxy cluster should be empty when no deriver")
+		assert.NotEmpty(t, service.ID, "service ID should be initialized")
+		assert.NotEmpty(t, service.SessionPrivateKey, "session private key should be generated")
+		assert.NotEmpty(t, service.SessionPublicKey, "session public key should be generated")
+	})
+
+	t.Run("verifies session keys are different", func(t *testing.T) {
+		mgr := &managerImpl{
+			clusterDeriver: nil,
+		}
+
+		service1 := &reverseproxy.Service{Domain: "test1.com", Auth: reverseproxy.AuthConfig{}}
+		service2 := &reverseproxy.Service{Domain: "test2.com", Auth: reverseproxy.AuthConfig{}}
+
+		err1 := mgr.initializeServiceForCreate(ctx, accountID, service1)
+		err2 := mgr.initializeServiceForCreate(ctx, accountID, service2)
+
+		assert.NoError(t, err1)
+		assert.NoError(t, err2)
+		assert.NotEqual(t, service1.SessionPrivateKey, service2.SessionPrivateKey, "private keys should be unique")
+		assert.NotEqual(t, service1.SessionPublicKey, service2.SessionPublicKey, "public keys should be unique")
+	})
+}
+
+func TestCheckDomainAvailable(t *testing.T) {
+	ctx := context.Background()
+	accountID := "test-account"
+
+	tests := []struct {
+		name             string
+		domain           string
+		excludeServiceID string
+		setupMock        func(*store.MockStore)
+		expectedError    bool
+		errorType        status.Type
+	}{
+		{
+			name:             "domain available - not found",
+			domain:           "available.com",
+			excludeServiceID: "",
+			setupMock: func(ms *store.MockStore) {
+				ms.EXPECT().
+					GetServiceByDomain(ctx, accountID, "available.com").
+					Return(nil, status.Errorf(status.NotFound, "not found"))
+			},
+			expectedError: false,
+		},
+		{
+			name:             "domain already exists",
+			domain:           "exists.com",
+			excludeServiceID: "",
+			setupMock: func(ms *store.MockStore) {
+				ms.EXPECT().
+					GetServiceByDomain(ctx, accountID, "exists.com").
+					Return(&reverseproxy.Service{ID: "existing-id", Domain: "exists.com"}, nil)
+			},
+			expectedError: true,
+			errorType:     status.AlreadyExists,
+		},
+		{
+			name:             "domain exists but excluded (same ID)",
+			domain:           "exists.com",
+			excludeServiceID: "service-123",
+			setupMock: func(ms *store.MockStore) {
+				ms.EXPECT().
+					GetServiceByDomain(ctx, accountID, "exists.com").
+					Return(&reverseproxy.Service{ID: "service-123", Domain: "exists.com"}, nil)
+			},
+			expectedError: false,
+		},
+		{
+			name:             "domain exists with different ID",
+			domain:           "exists.com",
+			excludeServiceID: "service-456",
+			setupMock: func(ms *store.MockStore) {
+				ms.EXPECT().
+					GetServiceByDomain(ctx, accountID, "exists.com").
+					Return(&reverseproxy.Service{ID: "service-123", Domain: "exists.com"}, nil)
+			},
+			expectedError: true,
+			errorType:     status.AlreadyExists,
+		},
+		{
+			name:             "store error (non-NotFound)",
+			domain:           "error.com",
+			excludeServiceID: "",
+			setupMock: func(ms *store.MockStore) {
+				ms.EXPECT().
+					GetServiceByDomain(ctx, accountID, "error.com").
+					Return(nil, errors.New("database error"))
+			},
+			expectedError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			mockStore := store.NewMockStore(ctrl)
+			tt.setupMock(mockStore)
+
+			mgr := &managerImpl{}
+			err := mgr.checkDomainAvailable(ctx, mockStore, accountID, tt.domain, tt.excludeServiceID)
+
+			if tt.expectedError {
+				require.Error(t, err)
+				if tt.errorType != 0 {
+					sErr, ok := status.FromError(err)
+					require.True(t, ok, "error should be a status error")
+					assert.Equal(t, tt.errorType, sErr.Type())
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestCheckDomainAvailable_EdgeCases(t *testing.T) {
+	ctx := context.Background()
+	accountID := "test-account"
+
+	t.Run("empty domain", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		mockStore := store.NewMockStore(ctrl)
+		mockStore.EXPECT().
+			GetServiceByDomain(ctx, accountID, "").
+			Return(nil, status.Errorf(status.NotFound, "not found"))
+
+		mgr := &managerImpl{}
+		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "", "")
+
+		assert.NoError(t, err)
+	})
+
+	t.Run("empty exclude ID with existing service", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		mockStore := store.NewMockStore(ctrl)
+		mockStore.EXPECT().
+			GetServiceByDomain(ctx, accountID, "test.com").
+			Return(&reverseproxy.Service{ID: "some-id", Domain: "test.com"}, nil)
+
+		mgr := &managerImpl{}
+		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "test.com", "")
+
+		assert.Error(t, err)
+		sErr, ok := status.FromError(err)
+		require.True(t, ok)
+		assert.Equal(t, status.AlreadyExists, sErr.Type())
+	})
+
+	t.Run("nil existing service with nil error", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		mockStore := store.NewMockStore(ctrl)
+		mockStore.EXPECT().
+			GetServiceByDomain(ctx, accountID, "nil.com").
+			Return(nil, nil)
+
+		mgr := &managerImpl{}
+		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "nil.com", "")
+
+		assert.NoError(t, err)
+	})
+}
+
+func TestPersistNewService(t *testing.T) {
+	ctx := context.Background()
+	accountID := "test-account"
+
+	t.Run("successful service creation with no targets", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		mockStore := store.NewMockStore(ctrl)
+		service := &reverseproxy.Service{
+			ID:      "service-123",
+			Domain:  "new.com",
+			Targets: []*reverseproxy.Target{},
+		}
+
+		// Mock ExecuteInTransaction to execute the function immediately
+		mockStore.EXPECT().
+			ExecuteInTransaction(ctx, gomock.Any()).
+			DoAndReturn(func(ctx context.Context, fn func(store.Store) error) error {
+				// Create another mock for the transaction
+				txMock := store.NewMockStore(ctrl)
+				txMock.EXPECT().
+					GetServiceByDomain(ctx, accountID, "new.com").
+					Return(nil, status.Errorf(status.NotFound, "not found"))
+				txMock.EXPECT().
+					CreateService(ctx, service).
+					Return(nil)
+
+				return fn(txMock)
+			})
+
+		mgr := &managerImpl{store: mockStore}
+		err := mgr.persistNewService(ctx, accountID, service)
+
+		assert.NoError(t, err)
+	})
+
+	t.Run("domain already exists", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		mockStore := store.NewMockStore(ctrl)
+		service := &reverseproxy.Service{
+			ID:      "service-123",
+			Domain:  "existing.com",
+			Targets: []*reverseproxy.Target{},
+		}
+
+		mockStore.EXPECT().
+			ExecuteInTransaction(ctx, gomock.Any()).
+			DoAndReturn(func(ctx context.Context, fn func(store.Store) error) error {
+				txMock := store.NewMockStore(ctrl)
+				txMock.EXPECT().
+					GetServiceByDomain(ctx, accountID, "existing.com").
+					Return(&reverseproxy.Service{ID: "other-id", Domain: "existing.com"}, nil)
+
+				return fn(txMock)
+			})
+
+		mgr := &managerImpl{store: mockStore}
+		err := mgr.persistNewService(ctx, accountID, service)
+
+		require.Error(t, err)
+		sErr, ok := status.FromError(err)
+		require.True(t, ok)
+		assert.Equal(t, status.AlreadyExists, sErr.Type())
+	})
+}
+func TestPreserveExistingAuthSecrets(t *testing.T) {
+	mgr := &managerImpl{}
+
+	t.Run("preserve password when empty", func(t *testing.T) {
+		existing := &reverseproxy.Service{
+			Auth: reverseproxy.AuthConfig{
+				PasswordAuth: &reverseproxy.PasswordAuthConfig{
+					Enabled:  true,
+					Password: "hashed-password",
+				},
+			},
+		}
+
+		updated := &reverseproxy.Service{
+			Auth: reverseproxy.AuthConfig{
+				PasswordAuth: &reverseproxy.PasswordAuthConfig{
+					Enabled:  true,
+					Password: "",
+				},
+			},
+		}
+
+		mgr.preserveExistingAuthSecrets(updated, existing)
+
+		assert.Equal(t, existing.Auth.PasswordAuth, updated.Auth.PasswordAuth)
+	})
+
+	t.Run("preserve pin when empty", func(t *testing.T) {
+		existing := &reverseproxy.Service{
+			Auth: reverseproxy.AuthConfig{
+				PinAuth: &reverseproxy.PINAuthConfig{
+					Enabled: true,
+					Pin:     "hashed-pin",
+				},
+			},
+		}
+
+		updated := &reverseproxy.Service{
+			Auth: reverseproxy.AuthConfig{
+				PinAuth: &reverseproxy.PINAuthConfig{
+					Enabled: true,
+					Pin:     "",
+				},
+			},
+		}
+
+		mgr.preserveExistingAuthSecrets(updated, existing)
+
+		assert.Equal(t, existing.Auth.PinAuth, updated.Auth.PinAuth)
+	})
+
+	t.Run("do not preserve when password is provided", func(t *testing.T) {
+		existing := &reverseproxy.Service{
+			Auth: reverseproxy.AuthConfig{
+				PasswordAuth: &reverseproxy.PasswordAuthConfig{
+					Enabled:  true,
+					Password: "old-password",
+				},
+			},
+		}
+
+		updated := &reverseproxy.Service{
+			Auth: reverseproxy.AuthConfig{
+				PasswordAuth: &reverseproxy.PasswordAuthConfig{
+					Enabled:  true,
+					Password: "new-password",
+				},
+			},
+		}
+
+		mgr.preserveExistingAuthSecrets(updated, existing)
+
+		assert.Equal(t, "new-password", updated.Auth.PasswordAuth.Password)
+		assert.NotEqual(t, existing.Auth.PasswordAuth, updated.Auth.PasswordAuth)
+	})
+}
+
+func TestPreserveServiceMetadata(t *testing.T) {
+	mgr := &managerImpl{}
+
+	existing := &reverseproxy.Service{
+		Meta: reverseproxy.ServiceMeta{
+			CertificateIssuedAt: time.Now(),
+			Status:              "active",
+		},
+		SessionPrivateKey: "private-key",
+		SessionPublicKey:  "public-key",
+	}
+
+	updated := &reverseproxy.Service{
+		Domain: "updated.com",
+	}
+
+	mgr.preserveServiceMetadata(updated, existing)
+
+	assert.Equal(t, existing.Meta, updated.Meta)
+	assert.Equal(t, existing.SessionPrivateKey, updated.SessionPrivateKey)
+	assert.Equal(t, existing.SessionPublicKey, updated.SessionPublicKey)
+}

management/server/store/store.go

@@ -1,5 +1,7 @@
 package store
 
+//go:generate go run github.com/golang/mock/mockgen -package store -destination=store_mock.go -source=./store.go -build_flags=-mod=mod
+
 import (
 	"context"
 	"errors"