scadalink-design/tests/ScadaLink.NotificationService.Tests/OAuth2TokenServiceTests.cs

using System.Net;
using System.Text.Json;
using Microsoft.Extensions.Logging.Abstractions;
using NSubstitute;

namespace ScadaLink.NotificationService.Tests;

/// <summary>
/// Tests for OAuth2 token flow — token acquisition, caching, and credential parsing.
/// </summary>
public class OAuth2TokenServiceTests
{
    private static HttpClient CreateMockHttpClient(HttpStatusCode statusCode, string responseJson)
    {
        var handler = new MockHttpMessageHandler(statusCode, responseJson);
        return new HttpClient(handler);
    }

    private static IHttpClientFactory CreateMockFactory(HttpClient client)
    {
        var factory = Substitute.For<IHttpClientFactory>();
        factory.CreateClient(Arg.Any<string>()).Returns(client);
        return factory;
    }

    [Fact]
    public async Task GetTokenAsync_ReturnsAccessToken_FromTokenEndpoint()
    {
        var tokenResponse = JsonSerializer.Serialize(new
        {
            access_token = "mock-access-token-12345",
            expires_in = 3600,
            token_type = "Bearer"
        });

        var client = CreateMockHttpClient(HttpStatusCode.OK, tokenResponse);
        var factory = CreateMockFactory(client);
        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);

        var token = await service.GetTokenAsync("tenant123:client456:secret789");

        Assert.Equal("mock-access-token-12345", token);
    }

    [Fact]
    public async Task GetTokenAsync_CachesToken_OnSubsequentCalls()
    {
        var tokenResponse = JsonSerializer.Serialize(new
        {
            access_token = "cached-token",
            expires_in = 3600,
            token_type = "Bearer"
        });

        var handler = new CountingHttpMessageHandler(HttpStatusCode.OK, tokenResponse);
        var client = new HttpClient(handler);
        var factory = CreateMockFactory(client);
        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);

        var token1 = await service.GetTokenAsync("tenant:client:secret");
        var token2 = await service.GetTokenAsync("tenant:client:secret");

        Assert.Equal("cached-token", token1);
        Assert.Equal("cached-token", token2);
        Assert.Equal(1, handler.CallCount); // Only one HTTP call should be made
    }

    [Fact]
    public async Task GetTokenAsync_InvalidCredentialFormat_ThrowsInvalidOperationException()
    {
        var client = CreateMockHttpClient(HttpStatusCode.OK, "{}");
        var factory = CreateMockFactory(client);
        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);

        await Assert.ThrowsAsync<InvalidOperationException>(
            () => service.GetTokenAsync("invalid-no-colons"));
    }

    [Fact]
    public async Task GetTokenAsync_HttpFailure_ThrowsHttpRequestException()
    {
        var client = CreateMockHttpClient(HttpStatusCode.Unauthorized, "Unauthorized");
        var factory = CreateMockFactory(client);
        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);

        await Assert.ThrowsAsync<HttpRequestException>(
            () => service.GetTokenAsync("tenant:client:secret"));
    }

    // ── NotificationService-006: token cache must be keyed to credential identity ──

    [Fact]
    public async Task GetTokenAsync_DifferentCredentials_ReturnPerCredentialTokens()
    {
        // NS-006: the singleton cached a single token ignoring the credentials
        // argument, so a second SMTP config with a different tenant/client got the
        // first config's token. Each distinct credential must get its own token.
        var handler = new PerTenantHttpMessageHandler();
        var client = new HttpClient(handler);
        var factory = CreateMockFactory(client);
        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);

        var tokenA = await service.GetTokenAsync("tenantA:clientA:secretA");
        var tokenB = await service.GetTokenAsync("tenantB:clientB:secretB");

        Assert.Equal("token-for-tenantA", tokenA);
        Assert.Equal("token-for-tenantB", tokenB);
    }

    [Fact]
    public async Task GetTokenAsync_SameCredentials_CachedPerCredential()
    {
        // NS-006: caching still works — repeated calls with the same credential
        // identity make exactly one HTTP call.
        var handler = new PerTenantHttpMessageHandler();
        var client = new HttpClient(handler);
        var factory = CreateMockFactory(client);
        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);

        await service.GetTokenAsync("tenantA:clientA:secretA");
        await service.GetTokenAsync("tenantA:clientA:secretA");
        await service.GetTokenAsync("tenantB:clientB:secretB");

        Assert.Equal(2, handler.CallCount); // one per distinct credential, not per call
    }

    /// <summary>
    /// HTTP handler that returns a distinct access token per tenant id, parsed from
    /// the request URL (<c>https://login.microsoftonline.com/{tenantId}/...</c>).
    /// </summary>
    private class PerTenantHttpMessageHandler : HttpMessageHandler
    {
        public int CallCount { get; private set; }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            CallCount++;
            var segments = request.RequestUri!.AbsolutePath.Trim('/').Split('/');
            var tenantId = segments[0];
            var json = JsonSerializer.Serialize(new
            {
                access_token = $"token-for-{tenantId}",
                expires_in = 3600,
                token_type = "Bearer"
            });
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
            {
                Content = new StringContent(json)
            });
        }
    }

    /// <summary>
    /// Simple mock HTTP handler that returns a fixed response.
    /// </summary>
    private class MockHttpMessageHandler : HttpMessageHandler
    {
        private readonly HttpStatusCode _statusCode;
        private readonly string _responseContent;

        public MockHttpMessageHandler(HttpStatusCode statusCode, string responseContent)
        {
            _statusCode = statusCode;
            _responseContent = responseContent;
        }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            return Task.FromResult(new HttpResponseMessage(_statusCode)
            {
                Content = new StringContent(_responseContent)
            });
        }
    }

    /// <summary>
    /// Mock HTTP handler that counts invocations.
    /// </summary>
    private class CountingHttpMessageHandler : HttpMessageHandler
    {
        private readonly HttpStatusCode _statusCode;
        private readonly string _responseContent;
        public int CallCount { get; private set; }

        public CountingHttpMessageHandler(HttpStatusCode statusCode, string responseContent)
        {
            _statusCode = statusCode;
            _responseContent = responseContent;
        }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            CallCount++;
            return Task.FromResult(new HttpResponseMessage(_statusCode)
            {
                Content = new StringContent(_responseContent)
            });
        }
    }
}