baron-sso/backend/internal/handler/client_tenant_access_test.go

package handler

import (
	"baron-sso-backend/internal/domain"
	"baron-sso-backend/internal/service"
	"bytes"
	"encoding/json"
	"io"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/gofiber/fiber/v2"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/mock"
)

func TestCreateClient_NormalizesTenantAccessMetadata(t *testing.T) {
	var captured domain.HydraClient
	ownerTenantID := "tenant-owner"

	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		if r.Method == http.MethodPost && r.URL.Path == "/clients" {
			body, err := io.ReadAll(r.Body)
			assert.NoError(t, err)
			assert.NoError(t, json.Unmarshal(body, &captured))
			return httpJSONAny(r, http.StatusCreated, map[string]any{
				"client_id":                  captured.ClientID,
				"client_name":                captured.ClientName,
				"redirect_uris":              captured.RedirectURIs,
				"grant_types":                captured.GrantTypes,
				"response_types":             captured.ResponseTypes,
				"scope":                      captured.Scope,
				"token_endpoint_auth_method": captured.TokenEndpointAuthMethod,
				"metadata":                   captured.Metadata,
			}), nil
		}
		return httpJSONAny(r, http.StatusNotFound, nil), nil
	})

	h := &DevHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			HTTPClient: &http.Client{Transport: transport},
		},
		Keto: new(devMockKetoService),
	}

	app := fiber.New()
	app.Use(func(c *fiber.Ctx) error {
		c.Locals("user_profile", &domain.UserProfileResponse{
			ID:       "user-1",
			Role:     domain.RoleSuperAdmin,
			TenantID: &ownerTenantID,
		})
		return c.Next()
	})
	app.Post("/api/v1/dev/clients", h.CreateClient)

	body, _ := json.Marshal(map[string]any{
		"id":           "client-tenant",
		"name":         "Tenant Client",
		"type":         "pkce",
		"redirectUris": []string{"https://rp.example.com/cb"},
		"metadata": map[string]any{
			"tenant_access_restricted": true,
			"allowed_tenants":          []string{"tenant-b", "tenant-a", "tenant-b"},
		},
	})
	req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")

	resp, err := app.Test(req, -1)
	assert.NoError(t, err)
	assert.Equal(t, http.StatusCreated, resp.StatusCode)
	assert.True(t, clientTenantAccessRestricted(captured.Metadata))
	assert.Equal(t, []string{"tenant-a", "tenant-b", "tenant-owner"}, clientAllowedTenants(captured.Metadata))
}

func TestCreateClient_RejectsTenantAccessWithoutAllowedTenants(t *testing.T) {
	hydraCalled := false
	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		if r.Method == http.MethodPost && r.URL.Path == "/clients" {
			hydraCalled = true
		}
		return httpJSONAny(r, http.StatusNotFound, nil), nil
	})

	h := &DevHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			HTTPClient: &http.Client{Transport: transport},
		},
		Keto: new(devMockKetoService),
	}

	app := fiber.New()
	app.Use(func(c *fiber.Ctx) error {
		c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleSuperAdmin})
		return c.Next()
	})
	app.Post("/api/v1/dev/clients", h.CreateClient)

	body, _ := json.Marshal(map[string]any{
		"id":           "client-tenant",
		"name":         "Tenant Client",
		"type":         "pkce",
		"redirectUris": []string{"https://rp.example.com/cb"},
		"metadata": map[string]any{
			"tenant_access_restricted": true,
		},
	})
	req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")

	resp, err := app.Test(req, -1)
	assert.NoError(t, err)
	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
	assert.False(t, hydraCalled)
}

func TestMergeRequestedScopesWithClientRequirements_AddsTenantScope(t *testing.T) {
	client := domain.HydraClient{
		Metadata: map[string]any{
			"tenant_access_restricted": true,
			"structured_scopes": []map[string]any{
				{"name": "openid", "mandatory": true},
				{"name": "tenant", "mandatory": true, "locked": true},
				{"name": "profile", "mandatory": false},
			},
		},
	}

	merged := mergeRequestedScopesWithClientRequirements(client, []string{"openid", "profile"})
	assert.Equal(t, []string{"openid", "tenant", "profile"}, merged)
}

func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {
	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		switch {
		case r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-tenant":
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"challenge":       "challenge-tenant",
				"requested_scope": []string{"openid", "profile"},
				"skip":            false,
				"subject":         "user-123",
				"client": map[string]any{
					"client_id": "client-tenant",
					"metadata": map[string]any{
						"tenant_access_restricted": true,
						"allowed_tenants":          []string{"tenant-b"},
					},
				},
			}), nil
		case r.URL.Host == "kratos.test" && r.URL.Path == "/sessions/whoami":
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"identity": map[string]any{
					"id": "user-123",
					"traits": map[string]any{
						"email":     "user@test.com",
						"tenant_id": "tenant-a",
					},
				},
			}), nil
		default:
			return httpJSONAny(r, http.StatusNotFound, nil), nil
		}
	})

	client := &http.Client{Transport: transport}
	origDefault := http.DefaultClient
	http.DefaultClient = client
	defer func() { http.DefaultClient = origDefault }()

	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")

	h := &AuthHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			HTTPClient: client,
		},
	}

	app := fiber.New()
	app.Get("/api/v1/auth/consent", h.GetConsentRequest)

	t.Setenv("APP_ENV", "dev")
	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-tenant", nil)
	req.Header.Set("X-Mock-Role", "user")
	req.Header.Set("X-Tenant-ID", "tenant-a")

	resp, err := app.Test(req)
	assert.NoError(t, err)
	assert.Equal(t, http.StatusForbidden, resp.StatusCode)

	var body map[string]any
	assert.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
	assert.Equal(t, "tenant_not_allowed", body["code"])
	details, ok := body["details"].(map[string]any)
	assert.True(t, ok)
	account, ok := details["account"].(map[string]any)
	assert.True(t, ok)
	assert.NotEmpty(t, account["email"])
	currentTenant, ok := details["current_tenant"].(map[string]any)
	assert.True(t, ok)
	assert.NotEmpty(t, currentTenant["identifier"])
}

func TestGetConsentRequest_DeniesRestrictedClientWhenProfileResolutionFails(t *testing.T) {
	acceptCalled := false
	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		switch {
		case r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-profile-missing":
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"challenge":       "challenge-profile-missing",
				"requested_scope": []string{"openid", "profile"},
				"skip":            false,
				"subject":         "user-123",
				"client": map[string]any{
					"client_id": "client-tenant",
					"metadata": map[string]any{
						"tenant_access_restricted": true,
						"allowed_tenants":          []string{"tenant-b"},
					},
				},
			}), nil
		case r.URL.Path == "/oauth2/auth/requests/consent/accept":
			acceptCalled = true
			return httpJSONAny(r, http.StatusOK, map[string]any{
				"redirect_to": "http://rp/cb",
			}), nil
		default:
			return httpJSONAny(r, http.StatusNotFound, nil), nil
		}
	})

	client := &http.Client{Transport: transport}
	origDefault := http.DefaultClient
	http.DefaultClient = client
	defer func() { http.DefaultClient = origDefault }()

	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")

	h := &AuthHandler{
		Hydra: &service.HydraAdminService{
			AdminURL:   "http://hydra.test",
			HTTPClient: client,
		},
		KratosAdmin: func() service.KratosAdminService {
			mockKratos := new(MockKratosAdminService)
			mockKratos.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
				ID: "user-123",
				Traits: map[string]interface{}{
					"email":       "user@test.com",
					"tenant_id":   "tenant-a",
					"companyCode": "tenant-a",
				},
			}, nil).Once()
			return mockKratos
		}(),
		TenantService: func() service.TenantService {
			tenantSvc := new(MockTenantService)
			tenantSvc.On("GetTenant", mock.Anything, "tenant-a").Return(&domain.Tenant{
				ID:   "tenant-a",
				Slug: "tenant-a",
				Name: "Tenant A",
			}, nil).Twice()
			tenantSvc.On("ListJoinedTenants", mock.Anything, "user-123").Return([]domain.Tenant{
				{ID: "tenant-a", Slug: "tenant-a", Name: "Tenant A"},
				{ID: "tenant-c", Slug: "tenant-c", Name: "Tenant C"},
			}, nil).Once()
			tenantSvc.On("GetTenant", mock.Anything, "tenant-b").Return(nil, assert.AnError).Once()
			tenantSvc.On("GetTenantBySlug", mock.Anything, "tenant-b").Return(&domain.Tenant{
				ID:   "tenant-b-id",
				Slug: "tenant-b",
				Name: "Tenant B",
			}, nil).Once()
			return tenantSvc
		}(),
		ConsentRepo: &mockConsentRepo{
			consents: []domain.ClientConsent{
				{
					ClientID:      "client-tenant",
					Subject:       "user-123",
					GrantedScopes: []string{"openid", "profile"},
				},
			},
		},
	}

	app := fiber.New()
	app.Get("/api/v1/auth/consent", h.GetConsentRequest)

	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-profile-missing", nil)
	req.Header.Set("Cookie", "ory_kratos_session=invalid-session")

	resp, err := app.Test(req)
	assert.NoError(t, err)
	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
	assert.False(t, acceptCalled)

	var body map[string]any
	assert.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
	assert.Equal(t, "tenant_not_allowed", body["code"])

	details, ok := body["details"].(map[string]any)
	assert.True(t, ok)
	account, ok := details["account"].(map[string]any)
	assert.True(t, ok)
	assert.Equal(t, "user@test.com", account["email"])
	currentTenant, ok := details["current_tenant"].(map[string]any)
	assert.True(t, ok)
	assert.Equal(t, "Tenant A", currentTenant["name"])
	affiliatedTenants, ok := details["affiliated_tenants"].([]any)
	assert.True(t, ok)
	assert.Len(t, affiliatedTenants, 2)
}

func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
	app := fiber.New()
	app.Get("/deny", func(c *fiber.Ctx) error {
		tenantID := "tenant-a"
		profile := &domain.UserProfileResponse{
			ID:          "user-123",
			Role:        domain.RoleUser,
			Email:       "user@test.com",
			TenantID:    &tenantID,
			CompanyCode: "tenant-a",
			JoinedTenants: []domain.Tenant{
				{ID: "tenant-a", Slug: "tenant-a", Name: "Tenant A"},
				{ID: "tenant-c", Slug: "tenant-c", Name: "Tenant C"},
			},
		}
		client := domain.HydraClient{
			ClientID: "client-tenant",
			Metadata: map[string]any{
				"tenant_access_restricted": true,
				"allowed_tenants":          []string{"tenant-b"},
			},
		}
		tenantSvc := new(MockTenantService)
		tenantSvc.On("GetTenant", mock.Anything, "tenant-a").Return(&domain.Tenant{
			ID:   "tenant-a",
			Slug: "tenant-a",
			Name: "Tenant A",
		}, nil).Twice()
		tenantSvc.On("GetTenant", mock.Anything, "tenant-b").Return(nil, assert.AnError).Once()
		tenantSvc.On("GetTenantBySlug", mock.Anything, "tenant-b").Return(&domain.Tenant{
			ID:   "tenant-b-id",
			Slug: "tenant-b",
			Name: "Tenant B",
		}, nil).Once()
		enforceClientTenantAccess(c, tenantSvc, client, profile, nil)
		return nil
	})

	req := httptest.NewRequest(http.MethodGet, "/deny", nil)
	resp, err := app.Test(req)
	assert.NoError(t, err)
	assert.Equal(t, http.StatusForbidden, resp.StatusCode)

	var body map[string]any
	assert.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
	assert.Equal(t, "tenant_not_allowed", body["code"])

	details, ok := body["details"].(map[string]any)
	assert.True(t, ok)

	account, ok := details["account"].(map[string]any)
	assert.True(t, ok)
	assert.Equal(t, "user@test.com", account["email"])

	currentTenant, ok := details["current_tenant"].(map[string]any)
	assert.True(t, ok)
	assert.Equal(t, "Tenant A", currentTenant["name"])
	affiliatedTenants, ok := details["affiliated_tenants"].([]any)
	assert.True(t, ok)
	assert.Len(t, affiliatedTenants, 2)

	allowedTenants, ok := details["allowed_tenants"].([]any)
	assert.True(t, ok)
	assert.Len(t, allowedTenants, 1)
	allowedTenant, ok := allowedTenants[0].(map[string]any)
	assert.True(t, ok)
	assert.Equal(t, "Tenant B", allowedTenant["name"])
}