using System.Net;
using System.Text.Json;
using Microsoft.Extensions.Logging.Abstractions;
using NSubstitute;
namespace ScadaLink.NotificationService.Tests;
///
/// Tests for OAuth2 token flow — token acquisition, caching, and credential parsing.
///
public class OAuth2TokenServiceTests
{
private static HttpClient CreateMockHttpClient(HttpStatusCode statusCode, string responseJson)
{
var handler = new MockHttpMessageHandler(statusCode, responseJson);
return new HttpClient(handler);
}
private static IHttpClientFactory CreateMockFactory(HttpClient client)
{
var factory = Substitute.For();
factory.CreateClient(Arg.Any()).Returns(client);
return factory;
}
[Fact]
public async Task GetTokenAsync_ReturnsAccessToken_FromTokenEndpoint()
{
var tokenResponse = JsonSerializer.Serialize(new
{
access_token = "mock-access-token-12345",
expires_in = 3600,
token_type = "Bearer"
});
var client = CreateMockHttpClient(HttpStatusCode.OK, tokenResponse);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
var token = await service.GetTokenAsync("tenant123:client456:secret789");
Assert.Equal("mock-access-token-12345", token);
}
[Fact]
public async Task GetTokenAsync_CachesToken_OnSubsequentCalls()
{
var tokenResponse = JsonSerializer.Serialize(new
{
access_token = "cached-token",
expires_in = 3600,
token_type = "Bearer"
});
var handler = new CountingHttpMessageHandler(HttpStatusCode.OK, tokenResponse);
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
var token1 = await service.GetTokenAsync("tenant:client:secret");
var token2 = await service.GetTokenAsync("tenant:client:secret");
Assert.Equal("cached-token", token1);
Assert.Equal("cached-token", token2);
Assert.Equal(1, handler.CallCount); // Only one HTTP call should be made
}
[Fact]
public async Task GetTokenAsync_InvalidCredentialFormat_ThrowsInvalidOperationException()
{
var client = CreateMockHttpClient(HttpStatusCode.OK, "{}");
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
await Assert.ThrowsAsync(
() => service.GetTokenAsync("invalid-no-colons"));
}
[Fact]
public async Task GetTokenAsync_HttpFailure_ThrowsHttpRequestException()
{
var client = CreateMockHttpClient(HttpStatusCode.Unauthorized, "Unauthorized");
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
await Assert.ThrowsAsync(
() => service.GetTokenAsync("tenant:client:secret"));
}
// ── NotificationService-006: token cache must be keyed to credential identity ──
[Fact]
public async Task GetTokenAsync_DifferentCredentials_ReturnPerCredentialTokens()
{
// NS-006: the singleton cached a single token ignoring the credentials
// argument, so a second SMTP config with a different tenant/client got the
// first config's token. Each distinct credential must get its own token.
var handler = new PerTenantHttpMessageHandler();
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
var tokenA = await service.GetTokenAsync("tenantA:clientA:secretA");
var tokenB = await service.GetTokenAsync("tenantB:clientB:secretB");
Assert.Equal("token-for-tenantA", tokenA);
Assert.Equal("token-for-tenantB", tokenB);
}
[Fact]
public async Task GetTokenAsync_SameCredentials_CachedPerCredential()
{
// NS-006: caching still works — repeated calls with the same credential
// identity make exactly one HTTP call.
var handler = new PerTenantHttpMessageHandler();
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
await service.GetTokenAsync("tenantA:clientA:secretA");
await service.GetTokenAsync("tenantA:clientA:secretA");
await service.GetTokenAsync("tenantB:clientB:secretB");
Assert.Equal(2, handler.CallCount); // one per distinct credential, not per call
}
// ── NotificationService-012: token expiry/refresh and concurrent acquisition ──
[Fact]
public async Task GetTokenAsync_ExpiredToken_RefreshesOnNextCall()
{
// NS-012: token expiry/refresh was untested — the cache test used a 3600s
// token so the refresh branch never ran. The service refreshes 60s before
// the stated expiry, so an expires_in of 60 makes the token immediately
// stale and the next call must fetch a fresh one.
var handler = new SequenceHttpMessageHandler(
TokenJson("first-token", expiresIn: 60),
TokenJson("second-token", expiresIn: 3600));
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
var token1 = await service.GetTokenAsync("tenant:client:secret");
var token2 = await service.GetTokenAsync("tenant:client:secret");
Assert.Equal("first-token", token1);
Assert.Equal("second-token", token2); // refreshed because the first was already stale
Assert.Equal(2, handler.CallCount);
}
[Fact]
public async Task GetTokenAsync_ConcurrentCalls_MakeExactlyOneHttpRequest()
{
// NS-012: the double-checked-locking path was never exercised. Many callers
// racing for the same uncached credential must collapse to a single token
// fetch, not one HTTP call per caller.
var handler = new SlowCountingHttpMessageHandler(
TokenJson("concurrent-token", expiresIn: 3600), delay: TimeSpan.FromMilliseconds(100));
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger.Instance);
var tasks = Enumerable.Range(0, 20)
.Select(_ => service.GetTokenAsync("tenant:client:secret"))
.ToArray();
var tokens = await Task.WhenAll(tasks);
Assert.All(tokens, t => Assert.Equal("concurrent-token", t));
Assert.Equal(1, handler.CallCount);
}
private static string TokenJson(string accessToken, int expiresIn) =>
JsonSerializer.Serialize(new
{
access_token = accessToken,
expires_in = expiresIn,
token_type = "Bearer"
});
/// HTTP handler returning a different response per invocation, in order.
private class SequenceHttpMessageHandler : HttpMessageHandler
{
private readonly string[] _responses;
public int CallCount { get; private set; }
public SequenceHttpMessageHandler(params string[] responses) => _responses = responses;
protected override Task SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
var body = _responses[Math.Min(CallCount, _responses.Length - 1)];
CallCount++;
return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(body)
});
}
}
/// HTTP handler that delays and counts invocations (thread-safe count).
private class SlowCountingHttpMessageHandler : HttpMessageHandler
{
private readonly string _response;
private readonly TimeSpan _delay;
private int _callCount;
public int CallCount => _callCount;
public SlowCountingHttpMessageHandler(string response, TimeSpan delay)
{
_response = response;
_delay = delay;
}
protected override async Task SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
Interlocked.Increment(ref _callCount);
await Task.Delay(_delay, cancellationToken);
return new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(_response)
};
}
}
///
/// HTTP handler that returns a distinct access token per tenant id, parsed from
/// the request URL (https://login.microsoftonline.com/{tenantId}/...).
///
private class PerTenantHttpMessageHandler : HttpMessageHandler
{
public int CallCount { get; private set; }
protected override Task SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
CallCount++;
var segments = request.RequestUri!.AbsolutePath.Trim('/').Split('/');
var tenantId = segments[0];
var json = JsonSerializer.Serialize(new
{
access_token = $"token-for-{tenantId}",
expires_in = 3600,
token_type = "Bearer"
});
return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(json)
});
}
}
///
/// Simple mock HTTP handler that returns a fixed response.
///
private class MockHttpMessageHandler : HttpMessageHandler
{
private readonly HttpStatusCode _statusCode;
private readonly string _responseContent;
public MockHttpMessageHandler(HttpStatusCode statusCode, string responseContent)
{
_statusCode = statusCode;
_responseContent = responseContent;
}
protected override Task SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
return Task.FromResult(new HttpResponseMessage(_statusCode)
{
Content = new StringContent(_responseContent)
});
}
}
///
/// Mock HTTP handler that counts invocations.
///
private class CountingHttpMessageHandler : HttpMessageHandler
{
private readonly HttpStatusCode _statusCode;
private readonly string _responseContent;
public int CallCount { get; private set; }
public CountingHttpMessageHandler(HttpStatusCode statusCode, string responseContent)
{
_statusCode = statusCode;
_responseContent = responseContent;
}
protected override Task SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
CallCount++;
return Task.FromResult(new HttpResponseMessage(_statusCode)
{
Content = new StringContent(_responseContent)
});
}
}
}