From a35797956646ca2e81500915df74551a3874c6af Mon Sep 17 00:00:00 2001
From: Simon Skoczylas
Date: Fri, 16 Aug 2024 10:08:13 +0200
Subject: [PATCH] Add tests

---
 internal/server/handler/introspect.go | 2 +-
 internal/server/handler/introspect_test.go | 79 +++++++++++++++++++++-
 internal/server/handler/revoke_test.go | 74 ++++++++++++++++++++
 3 files changed, 151 insertions(+), 4 deletions(-)

diff --git a/internal/server/handler/introspect.go b/internal/server/handler/introspect.go
index 1368b34..f1a2a12 100644
--- a/internal/server/handler/introspect.go
+++ b/internal/server/handler/introspect.go
@@ -60,7 +60,7 @@ func (handler *IntrospectHandler) ServeHTTP(w http.ResponseWriter, r *http.Reque
 }
 } else {
 if !client.Introspect {
- oauth2.TokenErrorStatusResponseHandler(w, http.StatusUnauthorized, &oauth2.TokenErrorResponseParameter{Error: oauth2.TokenEtInvalidRequest})
+ oauth2.TokenErrorStatusResponseHandler(w, http.StatusServiceUnavailable, &oauth2.TokenErrorResponseParameter{Error: oauth2.TokenEtInvalidRequest})
 return
 }
 }
diff --git a/internal/server/handler/introspect_test.go b/internal/server/handler/introspect_test.go
index 339363d..68c8494 100644
--- a/internal/server/handler/introspect_test.go
+++ b/internal/server/handler/introspect_test.go
@@ -27,6 +27,13 @@ func Test_Introspect(t *testing.T) {
 RefreshTTL: 100,
 Introspect: true,
 },
+ {
+ Id: "bar",
+ Secret: "d82c4eb5261cb9c8aa9855edd67d1bd10482f41529858d925094d173fa662aa91ff39bc5b188615273484021dfb16fd8284cf684ccf0fc795be3aa2fc1e6c181",
+ Redirects: []string{"https://example.com/callback"},
+ RefreshTTL: 100,
+ Introspect: false,
+ },
 },
 Users: []config.User{
 {
@@ -53,6 +60,8 @@ func Test_Introspect(t *testing.T) {
 testIntrospectWithoutHint(t, testConfig)
+ testIntrospectDisabled(t, testConfig)
+
 testIntrospectNotAllowedHttpMethods(t)
 }
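Review bot: The replaced line in the introspect.go hunk turns the response for an authenticated client whose `Introspect` flag is off from 401 into 503 Service Unavailable, which denotes a transient server-side outage rather than a per-client authorization decision; proxies and client SDKs commonly retry or mark the endpoint unhealthy on 503, and the `invalid_request` body matches neither meaning. A client that presented valid credentials but is not permitted to introspect is a forbidden request, so `http.StatusForbidden` (or keeping 401 with an invalid_client error, as RFC 7662 does for credential failures) fits better than 503. The commit subject "Add tests" does not mention this production behaviour change, and the new tests pin the 503, so the reasoning for the status should at least appear in the commit message or as a comment on this line. ServeHTTP begins and ends outside the hunk.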
@@ -260,7 +269,7 @@ func testIntrospect(t *testing.T, testConfig *config.Config) {
 func testIntrospectWithoutHint(t *testing.T, testConfig *config.Config) {
 type introspectParameter struct {
- tokenHint oauth2.IntrospectTokenType
+ tokenType oauth2.IntrospectTokenType
 }
 var introspectParameters = []introspectParameter{
@@ -269,7 +278,7 @@ func testIntrospectWithoutHint(t *testing.T, testConfig *config.Config) {
 }
 for _, test := range introspectParameters {
- testMessage := fmt.Sprintf("Introspect %v", test.tokenHint)
+ testMessage := fmt.Sprintf("Introspect without token hint %v", test.tokenType)
 t.Run(testMessage, func(t *testing.T) {
 client, _ := testConfig.GetClient("foo")
 user, _ := testConfig.GetUser("foo")
@@ -297,7 +306,7 @@ func testIntrospectWithoutHint(t *testing.T, testConfig *config.Config) {
 introspectHandler := CreateIntrospectHandler(testConfig, requestValidator, tokenManager)
 token := accessTokenResponse.AccessTokenKey
- if test.tokenHint == oauth2.ItRefreshToken {
+ if test.tokenType == oauth2.ItRefreshToken {
 token = accessTokenResponse.RefreshTokenKey
 }
@@ -329,6 +338,70 @@ func testIntrospectWithoutHint(t *testing.T, testConfig *config.Config) {
 }
 }
+func testIntrospectDisabled(t *testing.T, testConfig *config.Config) {
+ type introspectParameter struct {
+ tokenHint oauth2.IntrospectTokenType
+ }
+
+ var introspectParameters = []introspectParameter{
+ {oauth2.ItAccessToken},
+ {oauth2.ItRefreshToken},
+ }
+
+ for _, test := range introspectParameters {
+ testMessage := fmt.Sprintf("Introspect for disabled client %v", test.tokenHint)
+ t.Run(testMessage, func(t *testing.T) {
+ client, _ := testConfig.GetClient("bar")
+ user, _ := testConfig.GetUser("foo")
+ scopes := []string{"foo:bar", "moo:abc"}
+
+ id := uuid.New()
+ authSession := &store.AuthSession{
+ Id: id.String(),
+ Redirect: "https://example.com/callback",
+ AuthURI: "https://example.com/auth",
+ CodeChallenge: "",
+ CodeChallengeMethod: "",
+ ClientId: client.Id,
+ ResponseType: string(oauth2.RtCode),
+ Scopes: scopes,
+ State: "xyz",
+ }
+
+ requestValidator := validation.NewRequestValidator(testConfig)
+ sessionManager := store.NewSessionManager(testConfig)
+ tokenManager := store.NewTokenManager(testConfig, store.NewDefaultKeyLoader(testConfig))
+ sessionManager.StartSession(authSession)
+ accessTokenResponse := tokenManager.CreateAccessTokenResponse(user.Username, client, scopes)
+
+ introspectHandler := CreateIntrospectHandler(testConfig, requestValidator, tokenManager)
+
+ token := accessTokenResponse.AccessTokenKey
+ if test.tokenHint == oauth2.ItRefreshToken {
+ token = accessTokenResponse.RefreshTokenKey
+ }
+
+ rr := httptest.NewRecorder()
+
+ bodyString := testCreateBody(
+ oauth2.ParameterToken, token,
+ oauth2.ParameterTokenTypeHint, test.tokenHint,
+ )
+ body := strings.NewReader(bodyString)
+
+ request := httptest.NewRequest(http.MethodPost, "/introspect", body)
+ request.Header.Add(internalHttp.Authorization, fmt.Sprintf("Basic %s", testTokenCreateBasicAuth("bar", "bar")))
+ request.Header.Add(internalHttp.ContentType, "application/x-www-form-urlencoded")
+
+ introspectHandler.ServeHTTP(rr, request)
+
+ if rr.Code != http.StatusServiceUnavailable {
+ t.Errorf("handler returned wrong status code: got %v want %v", rr.Code, http.StatusServiceUnavailable)
+ }
+ })
+ }
+}
+
 func testIntrospectNotAllowedHttpMethods(t *testing.T) {
 var testInvalidIntrospectHttpMethods = []string{
 http.MethodGet,
diff --git a/internal/server/handler/revoke_test.go b/internal/server/handler/revoke_test.go
index 98d20d6..4e3f3ea 100644
--- a/internal/server/handler/revoke_test.go
+++ b/internal/server/handler/revoke_test.go
@@ -25,6 +25,13 @@ func Test_Revoke(t *testing.T) {
 RefreshTTL: 100,
 Revoke: true,
 },
+ {
+ Id: "bar",
+ Secret: "d82c4eb5261cb9c8aa9855edd67d1bd10482f41529858d925094d173fa662aa91ff39bc5b188615273484021dfb16fd8284cf684ccf0fc795be3aa2fc1e6c181",
+ Redirects: []string{"https://example.com/callback"},
+ RefreshTTL: 100,
+ Revoke: false,
+ },
 },
 Users: []config.User{
 {
@@ -51,6 +58,8 @@ func Test_Revoke(t *testing.T) {
 testRevokeWithoutHint(t, testConfig)
+ testRevokeDisabled(t, testConfig)
+
 testRevokeNotAllowedHttpMethods(t)
 }
@@ -322,6 +331,71 @@ func testRevokeWithoutHint(t *testing.T, testConfig *config.Config) {
 }
 }
+func testRevokeDisabled(t *testing.T, testConfig *config.Config) {
+ type revokeParameter struct {
+ tokenHint oauth2.IntrospectTokenType
+ }
+
+ var revokeParameters = []revokeParameter{
+ {oauth2.ItAccessToken},
+ {oauth2.ItRefreshToken},
+ }
+
+ for _, test := range revokeParameters {
+ testMessage := fmt.Sprintf("Revoke for disabld client %v", test.tokenHint)
+ t.Run(testMessage, func(t *testing.T) {
+ client, _ := testConfig.GetClient("bar")
+ user, _ := testConfig.GetUser("foo")
+ scopes := []string{"foo:bar", "moo:abc"}
+
+ id := uuid.New()
+ authSession := &store.AuthSession{
+ Id: id.String(),
+ Redirect: "https://example.com/callback",
+ AuthURI: "https://example.com/auth",
+ CodeChallenge: "",
+ CodeChallengeMethod: "",
+ ClientId: client.Id,
+ ResponseType: string(oauth2.RtCode),
+ Scopes: scopes,
+ State: "xyz",
+ }
+
+ requestValidator := validation.NewRequestValidator(testConfig)
+ sessionManager := store.NewSessionManager(testConfig)
+ tokenManager := store.NewTokenManager(testConfig, store.NewDefaultKeyLoader(testConfig))
+ sessionManager.StartSession(authSession)
+ accessTokenResponse := tokenManager.CreateAccessTokenResponse(user.Username, client, scopes)
+
+ revokeHandler := CreateRevokeHandler(testConfig, requestValidator, tokenManager)
+
+ token := accessTokenResponse.AccessTokenKey
+ if test.tokenHint == oauth2.ItRefreshToken {
+ token = accessTokenResponse.RefreshTokenKey
+ }
+
+ rr := httptest.NewRecorder()
+
+ bodyString := testCreateBody(
+ oauth2.ParameterToken, token,
+ oauth2.ParameterTokenTypeHint, test.tokenHint,
+ )
+ body := strings.NewReader(bodyString)
+
+ request := httptest.NewRequest(http.MethodPost, "/revoke", body)
+ request.Header.Add(internalHttp.Authorization, fmt.Sprintf("Basic %s", testTokenCreateBasicAuth("bar", "bar")))
+ request.Header.Add(internalHttp.ContentType, "application/x-www-form-urlencoded")
+
+ revokeHandler.ServeHTTP(rr, request)
+
+ if rr.Code != http.StatusServiceUnavailable {
+ t.Errorf("handler returned wrong status code: got %v want %v", rr.Code, http.StatusServiceUnavailable)
+ }
+
+ })
+ }
+}
+
 func testRevokeNotAllowedHttpMethods(t *testing.T) {
 var testInvalidRevokeHttpMethods = []string{
 http.MethodGet,
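Review bot: The subtest name on the `testMessage :=` line misspells "disabled" (`"Revoke for disabld client %v"`), and since it is what `go test -run` matches on it should read `testMessage := fmt.Sprintf("Revoke for disabled client %v", test.tokenHint)`. More importantly, the subtest only compares `rr.Code` with 503; for a client whose `Revoke` flag is off, the security-relevant outcome is that the token was not revoked, so after `revokeHandler.ServeHTTP(rr, request)` the test should confirm the access or refresh token is still valid through whatever lookup the token manager exposes, rather than trusting the status alone. `revokeParameter.tokenHint` is typed `oauth2.IntrospectTokenType` for a revocation hint, which mirrors the introspect test and is presumably fine if the project has no separate revoke hint type, but a short comment saying so would help. The stray blank line before `})`, absent from the otherwise identical `testIntrospectDisabled`, suggests a copied body; the shared setup (auth session, managers, request building) is a candidate for one helper used by both files' tests.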