baron-sso/backend/internal/handlerregression/dev_handler_trusted_secret_test.go

package handlerregression

import (
	"baron-sso-backend/internal/domain"
	"baron-sso-backend/internal/handler"
	"baron-sso-backend/internal/service"
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"testing"
	"time"

	"github.com/gofiber/fiber/v2"
)

type roundTripFunc func(req *http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
	return f(req)
}

type mockSecretRepo struct {
	secrets map[string]string
}

func (m *mockSecretRepo) Upsert(ctx context.Context, clientID, secret string) error {
	if m.secrets == nil {
		m.secrets = make(map[string]string)
	}
	m.secrets[clientID] = secret
	return nil
}

func (m *mockSecretRepo) GetByID(ctx context.Context, clientID string) (string, error) {
	return m.secrets[clientID], nil
}

func (m *mockSecretRepo) Delete(ctx context.Context, clientID string) error {
	delete(m.secrets, clientID)
	return nil
}

type mockRedisRepo struct {
	data map[string]string
}

func (m *mockRedisRepo) Set(key, value string, exp time.Duration) error {
	if m.data == nil {
		m.data = make(map[string]string)
	}
	m.data[key] = value
	return nil
}

func (m *mockRedisRepo) Get(key string) (string, error) {
	v, ok := m.data[key]
	if !ok {
		return "", fmt.Errorf("not found")
	}
	return v, nil
}

func (m *mockRedisRepo) Delete(key string) error {
	delete(m.data, key)
	return nil
}

func (m *mockRedisRepo) StoreVerificationCode(p, c string) error      { return nil }
func (m *mockRedisRepo) GetVerificationCode(p string) (string, error) { return "", nil }
func (m *mockRedisRepo) DeleteVerificationCode(p string) error        { return nil }

func httpJSONAny(r *http.Request, code int, payload any) *http.Response {
	body, _ := json.Marshal(payload)
	return &http.Response{
		StatusCode: code,
		Header:     http.Header{"Content-Type": []string{"application/json"}},
		Body:       io.NopCloser(bytes.NewReader(body)),
		Request:    r,
	}
}

func newDevHandlerApp(h *handler.DevHandler) *fiber.App {
	app := fiber.New()
	app.Use(func(c *fiber.Ctx) error {
		c.Locals("user_profile", &domain.UserProfileResponse{ID: "test-user", Role: domain.RoleSuperAdmin})
		return c.Next()
	})
	app.Post("/api/v1/dev/clients", h.CreateClient)
	app.Get("/api/v1/dev/clients/:id", h.GetClient)
	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
	app.Post("/api/v1/dev/clients/:id/secret/rotate", h.RotateClientSecret)
	return app
}

func decodeClientSecret(t *testing.T, resp *http.Response) string {
	t.Helper()

	var payload struct {
		Client struct {
			ClientSecret string `json:"clientSecret"`
		} `json:"client"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
		t.Fatalf("decode response: %v", err)
	}
	return payload.Client.ClientSecret
}

func TestGetClient_ClientSecretFallbackPaths(t *testing.T) {
	tests := []struct {
		name                string
		hydraClient         map[string]any
		initialRedis        map[string]string
		initialSecrets      map[string]string
		expectedSecret      string
		expectedRedisAfter  string
		expectRedisAfterSet bool
	}{
		{
			name: "uses hydra client_secret directly",
			hydraClient: map[string]any{
				"client_id":                  "client-direct",
				"client_name":                "Direct App",
				"client_secret":              "hydra-secret",
				"redirect_uris":              []string{"https://direct.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			},
			expectedSecret: "hydra-secret",
		},
		{
			name: "falls back to metadata client_secret",
			hydraClient: map[string]any{
				"client_id":                  "client-metadata",
				"client_name":                "Metadata App",
				"redirect_uris":              []string{"https://metadata.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata": map[string]any{
					"status":        "active",
					"client_secret": "metadata-secret",
				},
			},
			expectedSecret: "metadata-secret",
		},
		{
			name: "falls back to redis cache",
			hydraClient: map[string]any{
				"client_id":                  "client-redis",
				"client_name":                "Redis App",
				"redirect_uris":              []string{"https://redis.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			},
			initialRedis:   map[string]string{"client_secret:client-redis": "redis-secret"},
			expectedSecret: "redis-secret",
		},
		{
			name: "falls back to postgres and warms redis",
			hydraClient: map[string]any{
				"client_id":                  "client-postgres",
				"client_name":                "Postgres App",
				"redirect_uris":              []string{"https://postgres.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			},
			initialSecrets:      map[string]string{"client-postgres": "postgres-secret"},
			expectedSecret:      "postgres-secret",
			expectedRedisAfter:  "postgres-secret",
			expectRedisAfterSet: true,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
				if r.Method == http.MethodGet && r.URL.Path == "/clients/"+tt.hydraClient["client_id"].(string) {
					return httpJSONAny(r, http.StatusOK, tt.hydraClient), nil
				}
				return httpJSONAny(r, http.StatusNotFound, nil), nil
			})

			secretRepo := &mockSecretRepo{secrets: map[string]string{}}
			for k, v := range tt.initialSecrets {
				secretRepo.secrets[k] = v
			}

			redisRepo := &mockRedisRepo{data: map[string]string{}}
			for k, v := range tt.initialRedis {
				redisRepo.data[k] = v
			}

			h := &handler.DevHandler{
				Hydra: &service.HydraAdminService{
					AdminURL:   "http://hydra.test",
					PublicURL:  "http://hydra.public",
					HTTPClient: &http.Client{Transport: transport},
				},
				SecretRepo: secretRepo,
				Redis:      redisRepo,
			}

			app := newDevHandlerApp(h)

			clientID := tt.hydraClient["client_id"].(string)
			req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/"+clientID, nil)
			resp, err := app.Test(req, -1)
			if err != nil {
				t.Fatalf("get request failed: %v", err)
			}
			if resp.StatusCode != http.StatusOK {
				t.Fatalf("expected get 200, got %d", resp.StatusCode)
			}

			if secret := decodeClientSecret(t, resp); secret != tt.expectedSecret {
				t.Fatalf("expected secret %q, got %q", tt.expectedSecret, secret)
			}

			if tt.expectRedisAfterSet {
				redisSecret, err := redisRepo.Get("client_secret:" + clientID)
				if err != nil {
					t.Fatalf("expected warmed redis secret, got error: %v", err)
				}
				if redisSecret != tt.expectedRedisAfter {
					t.Fatalf("expected warmed redis secret %q, got %q", tt.expectedRedisAfter, redisSecret)
				}
			}
		})
	}
}

func TestCreateClient_PersistsSecretForLaterDetailFetch(t *testing.T) {
	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		if r.Method == http.MethodPost && r.URL.Path == "/clients" {
			return httpJSONAny(r, http.StatusCreated, map[string]any{
				"client_id":                  "client-created",
				"client_name":                "Created App",
				"client_secret":              "created-secret",
				"redirect_uris":              []string{"https://created.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			}), nil
		}
		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-created" {
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"client_id":                  "client-created",
				"client_name":                "Created App",
				"redirect_uris":              []string{"https://created.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			}), nil
		}
		return httpJSONAny(r, http.StatusNotFound, nil), nil
	})

	secretRepo := &mockSecretRepo{secrets: make(map[string]string)}
	redisRepo := &mockRedisRepo{data: make(map[string]string)}

	h := &handler.DevHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			PublicURL:  "http://hydra.public",
			HTTPClient: &http.Client{Transport: transport},
		},
		SecretRepo: secretRepo,
		Redis:      redisRepo,
	}

	app := newDevHandlerApp(h)

	createBody, _ := json.Marshal(map[string]any{
		"name":         "Created App",
		"type":         "private",
		"redirectUris": []string{"https://created.example.com/callback"},
		"scopes":       []string{"openid", "profile"},
	})
	createReq := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(createBody))
	createReq.Header.Set("Content-Type", "application/json")

	createResp, err := app.Test(createReq, -1)
	if err != nil {
		t.Fatalf("create request failed: %v", err)
	}
	if createResp.StatusCode != http.StatusCreated {
		t.Fatalf("expected create 201, got %d", createResp.StatusCode)
	}

	if secret := decodeClientSecret(t, createResp); secret != "created-secret" {
		t.Fatalf("expected create secret created-secret, got %q", secret)
	}

	storedSecret, _ := secretRepo.GetByID(context.Background(), "client-created")
	if storedSecret != "created-secret" {
		t.Fatalf("expected postgres secret created-secret, got %q", storedSecret)
	}

	redisSecret, err := redisRepo.Get("client_secret:client-created")
	if err != nil {
		t.Fatalf("expected redis secret after create, got error: %v", err)
	}
	if redisSecret != "created-secret" {
		t.Fatalf("expected redis secret created-secret, got %q", redisSecret)
	}

	getReq := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-created", nil)
	getResp, err := app.Test(getReq, -1)
	if err != nil {
		t.Fatalf("get request failed: %v", err)
	}
	if getResp.StatusCode != http.StatusOK {
		t.Fatalf("expected get 200, got %d", getResp.StatusCode)
	}

	if secret := decodeClientSecret(t, getResp); secret != "created-secret" {
		t.Fatalf("expected detail secret created-secret, got %q", secret)
	}
}

func TestRotateClientSecret_PersistsForLaterDetailFetch(t *testing.T) {
	getCount := 0

	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-rotate" {
			getCount++
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"client_id":                  "client-rotate",
				"client_name":                "Rotate App",
				"redirect_uris":              []string{"https://rotate.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			}), nil
		}
		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-rotate" {
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"client_id":                  "client-rotate",
				"client_name":                "Rotate App",
				"redirect_uris":              []string{"https://rotate.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "client_secret_basic",
				"metadata":                   map[string]any{"status": "active"},
			}), nil
		}
		return httpJSONAny(r, http.StatusNotFound, nil), nil
	})

	secretRepo := &mockSecretRepo{secrets: make(map[string]string)}
	redisRepo := &mockRedisRepo{data: make(map[string]string)}

	h := &handler.DevHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			PublicURL:  "http://hydra.public",
			HTTPClient: &http.Client{Transport: transport},
		},
		SecretRepo: secretRepo,
		Redis:      redisRepo,
	}

	app := newDevHandlerApp(h)

	rotateReq := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients/client-rotate/secret/rotate", nil)
	rotateResp, err := app.Test(rotateReq, -1)
	if err != nil {
		t.Fatalf("rotate request failed: %v", err)
	}
	if rotateResp.StatusCode != http.StatusOK {
		t.Fatalf("expected rotate 200, got %d", rotateResp.StatusCode)
	}

	rotatedSecret := decodeClientSecret(t, rotateResp)
	if rotatedSecret == "" {
		t.Fatalf("expected rotated secret to be present")
	}

	storedSecret, _ := secretRepo.GetByID(context.Background(), "client-rotate")
	if storedSecret != rotatedSecret {
		t.Fatalf("expected postgres secret %q, got %q", rotatedSecret, storedSecret)
	}

	redisSecret, err := redisRepo.Get("client_secret:client-rotate")
	if err != nil {
		t.Fatalf("expected redis secret after rotate, got error: %v", err)
	}
	if redisSecret != rotatedSecret {
		t.Fatalf("expected redis secret %q, got %q", rotatedSecret, redisSecret)
	}

	getReq := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-rotate", nil)
	getResp, err := app.Test(getReq, -1)
	if err != nil {
		t.Fatalf("get request failed: %v", err)
	}
	if getResp.StatusCode != http.StatusOK {
		t.Fatalf("expected get 200, got %d", getResp.StatusCode)
	}

	if secret := decodeClientSecret(t, getResp); secret != rotatedSecret {
		t.Fatalf("expected detail secret %q, got %q", rotatedSecret, secret)
	}
}

func TestUpdateClient_TrustedRPSecretPersistsForLaterDetailFetch(t *testing.T) {
	getCount := 0

	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-trusted" {
			getCount++
			if getCount == 1 {
				return httpJSONAny(r, http.StatusOK, map[string]any{
					"client_id":                  "client-trusted",
					"client_name":                "Trusted Before",
					"redirect_uris":              []string{"https://before.example.com/callback"},
					"grant_types":                []string{"authorization_code", "refresh_token"},
					"response_types":             []string{"code"},
					"scope":                      "openid profile",
					"token_endpoint_auth_method": "none",
					"metadata": map[string]any{
						"status": "active",
					},
				}), nil
			}

			return httpJSONAny(r, http.StatusOK, map[string]any{
				"client_id":                  "client-trusted",
				"client_name":                "Trusted After",
				"redirect_uris":              []string{"https://trusted.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "private_key_jwt",
				"jwks_uri":                   "https://trusted.example.com/jwks.json",
				"metadata": map[string]any{
					"status":                     "active",
					"headless_login_enabled":     true,
					"request_object_signing_alg": "RS256",
				},
			}), nil
		}

		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-trusted" {
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"client_id":                  "client-trusted",
				"client_name":                "Trusted After",
				"client_secret":              "trusted-secret",
				"redirect_uris":              []string{"https://trusted.example.com/callback"},
				"grant_types":                []string{"authorization_code", "refresh_token"},
				"response_types":             []string{"code"},
				"scope":                      "openid profile",
				"token_endpoint_auth_method": "private_key_jwt",
				"jwks_uri":                   "https://trusted.example.com/jwks.json",
				"metadata": map[string]any{
					"status":                     "active",
					"headless_login_enabled":     true,
					"request_object_signing_alg": "RS256",
				},
			}), nil
		}

		return httpJSONAny(r, http.StatusNotFound, nil), nil
	})

	secretRepo := &mockSecretRepo{secrets: make(map[string]string)}
	redisRepo := &mockRedisRepo{data: make(map[string]string)}

	h := &handler.DevHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			PublicURL:  "http://hydra.public",
			HTTPClient: &http.Client{Transport: transport},
		},
		SecretRepo: secretRepo,
		Redis:      redisRepo,
	}

	app := fiber.New()
	app.Use(func(c *fiber.Ctx) error {
		c.Locals("user_profile", &domain.UserProfileResponse{ID: "test-user", Role: domain.RoleSuperAdmin})
		return c.Next()
	})
	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
	app.Get("/api/v1/dev/clients/:id", h.GetClient)

	updateBody, _ := json.Marshal(map[string]any{
		"name":                    "Trusted After",
		"redirectUris":            []string{"https://trusted.example.com/callback"},
		"tokenEndpointAuthMethod": "private_key_jwt",
		"jwksUri":                 "https://trusted.example.com/jwks.json",
		"metadata": map[string]any{
			"headless_login_enabled":     true,
			"request_object_signing_alg": "RS256",
		},
	})
	updateReq := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-trusted", bytes.NewReader(updateBody))
	updateReq.Header.Set("Content-Type", "application/json")

	updateResp, err := app.Test(updateReq, -1)
	if err != nil {
		t.Fatalf("update request failed: %v", err)
	}
	if updateResp.StatusCode != http.StatusOK {
		t.Fatalf("expected update 200, got %d", updateResp.StatusCode)
	}

	storedSecret, _ := secretRepo.GetByID(context.Background(), "client-trusted")
	if storedSecret != "trusted-secret" {
		t.Fatalf("expected postgres secret trusted-secret, got %q", storedSecret)
	}

	redisSecret, err := redisRepo.Get("client_secret:client-trusted")
	if err != nil {
		t.Fatalf("expected redis secret, got error: %v", err)
	}
	if redisSecret != "trusted-secret" {
		t.Fatalf("expected redis secret trusted-secret, got %q", redisSecret)
	}

	getReq := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-trusted", nil)
	getResp, err := app.Test(getReq, -1)
	if err != nil {
		t.Fatalf("get request failed: %v", err)
	}
	if getResp.StatusCode != http.StatusOK {
		t.Fatalf("expected get 200, got %d", getResp.StatusCode)
	}

	var payload struct {
		Client struct {
			ClientSecret string `json:"clientSecret"`
		} `json:"client"`
	}
	if err := json.NewDecoder(getResp.Body).Decode(&payload); err != nil {
		t.Fatalf("decode response: %v", err)
	}
	if payload.Client.ClientSecret != "trusted-secret" {
		t.Fatalf("expected detail secret trusted-secret, got %q", payload.Client.ClientSecret)
	}
}