From 5907f07fa9521b3ecdb79b5b74642acb13a00963 Mon Sep 17 00:00:00 2001
From: Ki Hyun Park <kihyun1998@naver.com>
Date: Thu, 18 Jun 2026 10:31:15 +0900
Subject: [PATCH 1/2] ci: run the client_server test suite (enable __test-data
 in the matrix)

The tests/sspi/client_server module is gated on
all(network_client, __test-data), but no test-matrix row enabled
__test-data, so the client<->server pairing tests (credssp_ntlm,
credssp_kerberos, and the credssp_negotiate_ntlm regression test merged
in #689) never ran in CI. That gap is how #687 shipped unnoticed.

This adds __test-data to the three root-manifest matrix rows. The suite
is hermetic (KdcMock / NetworkClientMock, no real network).
---
 .github/workflows/ci.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64c76f3f..112843d8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -101,16 +101,18 @@ jobs:
           - manifest: crates/dpapi-native-transport/Cargo.toml
             crate-name: dpapi-native-transport
 
-          # Per-OS feature overrides for specific manifests
+          # Per-OS feature overrides for specific manifests.
+          # `__test-data` enables the `tests/sspi/client_server` suite (gated on
+          # `all(network_client, __test-data)`), which otherwise never runs in CI.
           - os: win
             manifest: Cargo.toml
-            additional-args: --features network_client,dns_resolver,scard,tsssp
+            additional-args: --features network_client,dns_resolver,scard,tsssp,__test-data
           - os: osx
             manifest: Cargo.toml
-            additional-args: --features network_client,scard
+            additional-args: --features network_client,scard,__test-data
           - os: linux
             manifest: Cargo.toml
-            additional-args: --features network_client,dns_resolver,scard
+            additional-args: --features network_client,dns_resolver,scard,__test-data
 
           - os: win
             manifest: ffi/Cargo.toml

From 96d055b52ce96090d78a150ddff4466e36c720ba Mon Sep 17 00:00:00 2001
From: Ki Hyun Park <kihyun1998@naver.com>
Date: Thu, 18 Jun 2026 11:03:56 +0900
Subject: [PATCH 2/2] test: initialize additional_service_keys in
 ServerProperties test setups

ServerProperties grew an additional_service_keys field; the __test-data
client_server initializers were never updated because the suite does not
compile in CI. Set it to Vec::new() (the library's own default in
ServerProperties::new / fake_server_properties) - these tests use a single
service, so no additional keys; behavior is unchanged.
---
 tests/sspi/client_server/credssp.rs      | 1 +
 tests/sspi/client_server/kerberos/mod.rs | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/tests/sspi/client_server/credssp.rs b/tests/sspi/client_server/credssp.rs
index e7d46679..5ead857a 100644
--- a/tests/sspi/client_server/credssp.rs
+++ b/tests/sspi/client_server/credssp.rs
@@ -143,6 +143,7 @@ fn credssp_kerberos() {
         max_time_skew: MAX_TIME_SKEW,
         ticket_decryption_key: None,
         service_name: target_service_name,
+        additional_service_keys: Vec::new(),
         user: Some(CredentialsBuffers::try_from(credentials.clone()).unwrap()),
         client: None,
         authenticators_cache: HashSet::new(),
diff --git a/tests/sspi/client_server/kerberos/mod.rs b/tests/sspi/client_server/kerberos/mod.rs
index 216eaadd..2f7e51cb 100644
--- a/tests/sspi/client_server/kerberos/mod.rs
+++ b/tests/sspi/client_server/kerberos/mod.rs
@@ -309,6 +309,7 @@ fn kerberos_auth() {
         max_time_skew: MAX_TIME_SKEW,
         ticket_decryption_key: Some(ticket_decryption_key.into()),
         service_name: target_service_name,
+        additional_service_keys: Vec::new(),
         user: None,
         client: None,
         authenticators_cache: HashSet::new(),
@@ -402,6 +403,7 @@ fn spnego_kerberos_u2u() {
         max_time_skew: MAX_TIME_SKEW,
         ticket_decryption_key: Some(ticket_decryption_key.into()),
         service_name: target_service_name,
+        additional_service_keys: Vec::new(),
         user: Some(credentials.clone()),
         client: None,
         authenticators_cache: HashSet::new(),
@@ -511,6 +513,7 @@ fn run_spnego(
         max_time_skew: MAX_TIME_SKEW,
         ticket_decryption_key: Some(ticket_decryption_key.into()),
         service_name: target_service_name,
+        additional_service_keys: Vec::new(),
         user: None,
         client: None,
         authenticators_cache: HashSet::new(),
@@ -742,6 +745,7 @@ fn spnego_kerberos_ntlm_fallback_spn_ip_address() {
         max_time_skew: MAX_TIME_SKEW,
         ticket_decryption_key: Some(ticket_decryption_key.into()),
         service_name: target_service_name,
+        additional_service_keys: Vec::new(),
         user: Some(credentials.clone()),
         client: None,
         authenticators_cache: HashSet::new(),