Pulse/internal/api/csrf_store_test.go

package api

import (
	"os"
	"path/filepath"
	"testing"
	"time"
)

func TestCsrfSessionKey(t *testing.T) {
	tests := []struct {
		name      string
		sessionID string
	}{
		{
			name:      "simple session ID",
			sessionID: "abc123",
		},
		{
			name:      "UUID format",
			sessionID: "550e8400-e29b-41d4-a716-446655440000",
		},
		{
			name:      "empty string",
			sessionID: "",
		},
		{
			name:      "long session ID",
			sessionID: "very-long-session-id-that-might-come-from-some-external-system-with-lots-of-characters",
		},
		{
			name:      "special characters",
			sessionID: "session/with/slashes!and@special#chars",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			result := csrfSessionKey(tc.sessionID)

			// Result should be non-empty (hash output)
			if result == "" {
				t.Error("csrfSessionKey() returned empty string")
			}

			// Result should be deterministic
			result2 := csrfSessionKey(tc.sessionID)
			if result != result2 {
				t.Errorf("csrfSessionKey() not deterministic: %q != %q", result, result2)
			}

			// Different inputs should produce different outputs
			if tc.sessionID != "" {
				different := csrfSessionKey(tc.sessionID + "x")
				if result == different {
					t.Error("csrfSessionKey() produced same hash for different inputs")
				}
			}
		})
	}
}

func TestCsrfTokenHash(t *testing.T) {
	tests := []struct {
		name  string
		token string
	}{
		{
			name:  "simple token",
			token: "token123",
		},
		{
			name:  "base64 encoded token",
			token: "dGVzdC10b2tlbi1kYXRh",
		},
		{
			name:  "empty string",
			token: "",
		},
		{
			name:  "long token",
			token: "very-long-token-string-that-might-be-generated-by-a-random-generator-function",
		},
		{
			name:  "special characters",
			token: "token/with+special=chars",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			result := csrfTokenHash(tc.token)

			// Result should be hex encoded SHA256 (64 characters)
			if len(result) != 64 {
				t.Errorf("csrfTokenHash() length = %d, want 64", len(result))
			}

			// Result should only contain hex characters
			for _, c := range result {
				if !((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')) {
					t.Errorf("csrfTokenHash() contains non-hex character: %c", c)
				}
			}

			// Result should be deterministic
			result2 := csrfTokenHash(tc.token)
			if result != result2 {
				t.Errorf("csrfTokenHash() not deterministic: %q != %q", result, result2)
			}

			// Different inputs should produce different outputs
			if tc.token != "" {
				different := csrfTokenHash(tc.token + "x")
				if result == different {
					t.Error("csrfTokenHash() produced same hash for different inputs")
				}
			}
		})
	}
}

func TestCSRFToken_Fields(t *testing.T) {
	now := time.Now()
	token := CSRFToken{
		Hash:    "abcdef123456",
		Expires: now,
	}

	if token.Hash != "abcdef123456" {
		t.Errorf("Hash = %q, want abcdef123456", token.Hash)
	}
	if !token.Expires.Equal(now) {
		t.Errorf("Expires = %v, want %v", token.Expires, now)
	}
}

func TestCSRFTokenData_Fields(t *testing.T) {
	now := time.Now()
	data := CSRFTokenData{
		TokenHash:  "hashvalue",
		SessionKey: "sessionkey",
		ExpiresAt:  now,
	}

	if data.TokenHash != "hashvalue" {
		t.Errorf("TokenHash = %q, want hashvalue", data.TokenHash)
	}
	if data.SessionKey != "sessionkey" {
		t.Errorf("SessionKey = %q, want sessionkey", data.SessionKey)
	}
	if !data.ExpiresAt.Equal(now) {
		t.Errorf("ExpiresAt = %v, want %v", data.ExpiresAt, now)
	}
}

func TestCSRFTokenStore_GenerateAndValidate(t *testing.T) {
	// Create a temporary directory for test data
	tmpDir := t.TempDir()

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	sessionID := "test-session-123"

	// Generate a token
	token := store.GenerateCSRFToken(sessionID)
	if token == "" {
		t.Fatal("GenerateCSRFToken() returned empty string")
	}

	// Token should be valid
	if !store.ValidateCSRFToken(sessionID, token) {
		t.Error("ValidateCSRFToken() returned false for valid token")
	}

	// Wrong token should be invalid
	if store.ValidateCSRFToken(sessionID, "wrong-token") {
		t.Error("ValidateCSRFToken() returned true for wrong token")
	}

	// Different session should be invalid
	if store.ValidateCSRFToken("different-session", token) {
		t.Error("ValidateCSRFToken() returned true for wrong session")
	}
}

func TestCSRFTokenStore_DeleteToken(t *testing.T) {
	tmpDir := t.TempDir()

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	sessionID := "test-session-456"

	// Generate a token
	token := store.GenerateCSRFToken(sessionID)

	// Verify it's valid
	if !store.ValidateCSRFToken(sessionID, token) {
		t.Fatal("Token should be valid after generation")
	}

	// Delete it
	store.DeleteCSRFToken(sessionID)

	// Should no longer be valid
	if store.ValidateCSRFToken(sessionID, token) {
		t.Error("Token should be invalid after deletion")
	}
}

func TestCSRFTokenStore_Cleanup(t *testing.T) {
	store := &CSRFTokenStore{
		tokens: make(map[string]*CSRFToken),
	}

	// Add expired token
	expiredKey := csrfSessionKey("expired-session")
	store.tokens[expiredKey] = &CSRFToken{
		Hash:    "expired-hash",
		Expires: time.Now().Add(-1 * time.Hour), // Expired
	}

	// Add valid token
	validKey := csrfSessionKey("valid-session")
	store.tokens[validKey] = &CSRFToken{
		Hash:    "valid-hash",
		Expires: time.Now().Add(1 * time.Hour), // Not expired
	}

	// Run cleanup
	store.cleanup()

	// Expired token should be removed
	if _, exists := store.tokens[expiredKey]; exists {
		t.Error("Expired token should be removed after cleanup")
	}

	// Valid token should remain
	if _, exists := store.tokens[validKey]; !exists {
		t.Error("Valid token should remain after cleanup")
	}
}

func TestCSRFTokenStore_ExpiredTokenInvalid(t *testing.T) {
	store := &CSRFTokenStore{
		tokens: make(map[string]*CSRFToken),
	}

	sessionID := "test-session-789"
	token := "test-token"

	// Add token that is already expired
	key := csrfSessionKey(sessionID)
	store.tokens[key] = &CSRFToken{
		Hash:    csrfTokenHash(token),
		Expires: time.Now().Add(-1 * time.Second), // Already expired
	}

	// Should be invalid
	if store.ValidateCSRFToken(sessionID, token) {
		t.Error("Expired token should not validate")
	}
}

func TestCSRFTokenStore_NonexistentSession(t *testing.T) {
	store := &CSRFTokenStore{
		tokens: make(map[string]*CSRFToken),
	}

	// Should return false for nonexistent session
	if store.ValidateCSRFToken("nonexistent", "any-token") {
		t.Error("Should return false for nonexistent session")
	}
}

func TestCSRFTokenStore_MultipleTokens(t *testing.T) {
	tmpDir := t.TempDir()

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	// Generate tokens for multiple sessions
	session1 := "session-1"
	session2 := "session-2"
	session3 := "session-3"

	token1 := store.GenerateCSRFToken(session1)
	token2 := store.GenerateCSRFToken(session2)
	token3 := store.GenerateCSRFToken(session3)

	// All tokens should be different
	if token1 == token2 || token2 == token3 || token1 == token3 {
		t.Error("Generated tokens should be unique")
	}

	// Each token should only be valid for its session
	if !store.ValidateCSRFToken(session1, token1) {
		t.Error("Token1 should be valid for session1")
	}
	if store.ValidateCSRFToken(session1, token2) {
		t.Error("Token2 should not be valid for session1")
	}
	if !store.ValidateCSRFToken(session2, token2) {
		t.Error("Token2 should be valid for session2")
	}
}

func TestCSRFTokenStore_RegenerateToken(t *testing.T) {
	tmpDir := t.TempDir()

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	sessionID := "regenerate-session"

	// Generate first token
	token1 := store.GenerateCSRFToken(sessionID)

	// Generate second token for same session (replaces first)
	token2 := store.GenerateCSRFToken(sessionID)

	// Tokens should be different
	if token1 == token2 {
		t.Error("Regenerated token should be different")
	}

	// Only new token should be valid
	if store.ValidateCSRFToken(sessionID, token1) {
		t.Error("Old token should be invalid after regeneration")
	}
	if !store.ValidateCSRFToken(sessionID, token2) {
		t.Error("New token should be valid")
	}
}

func TestCSRFTokenStore_SaveAndLoad(t *testing.T) {
	tmpDir := t.TempDir()

	// Create store and add a token
	store1 := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	sessionID := "persist-session"
	token := store1.GenerateCSRFToken(sessionID)

	// Explicitly save
	store1.save()

	// Verify file was created
	csrfFile := filepath.Join(tmpDir, "csrf_tokens.json")
	if _, err := os.Stat(csrfFile); os.IsNotExist(err) {
		t.Fatal("CSRF tokens file was not created")
	}

	// Create new store and load
	store2 := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}
	store2.load()

	// Token should still be valid in new store
	if !store2.ValidateCSRFToken(sessionID, token) {
		t.Error("Token should be valid after save/load")
	}
}

func TestCSRFTokenStore_LoadNonexistentFile(t *testing.T) {
	tmpDir := t.TempDir()

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: filepath.Join(tmpDir, "nonexistent"),
	}

	// Should not panic when loading from nonexistent directory
	store.load()

	if store.tokens == nil {
		t.Error("tokens map should be initialized after load")
	}
}

func TestCSRFTokenStore_EmptyTokensMap(t *testing.T) {
	store := &CSRFTokenStore{
		tokens: make(map[string]*CSRFToken),
	}

	// Cleanup on empty map should not panic
	store.cleanup()

	if len(store.tokens) != 0 {
		t.Error("tokens map should remain empty after cleanup")
	}
}

func TestCSRFTokenStore_SaveUnsafe_MkdirAllError(t *testing.T) {
	// Create a file where the directory should be - MkdirAll will fail
	tmpDir := t.TempDir()
	blockedPath := filepath.Join(tmpDir, "blocked")

	// Create a file at the path where dataPath should be
	if err := os.WriteFile(blockedPath, []byte("blocking file"), 0644); err != nil {
		t.Fatalf("failed to create blocking file: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: blockedPath, // This is a file, not a directory
	}

	// Add a token to save
	store.tokens["testkey"] = &CSRFToken{
		Hash:    "testhash",
		Expires: time.Now().Add(time.Hour),
	}

	// saveUnsafe should handle error gracefully (logs but doesn't panic)
	store.saveUnsafe()

	// Verify the blocking file still exists (wasn't overwritten)
	data, err := os.ReadFile(blockedPath)
	if err != nil {
		t.Fatalf("blocking file was removed: %v", err)
	}
	if string(data) != "blocking file" {
		t.Error("blocking file was modified")
	}
}

func TestCSRFTokenStore_SaveUnsafe_WriteFileError(t *testing.T) {
	if os.Geteuid() == 0 {
		t.Skip("Skipping permission test running as root")
	}
	// Create a read-only directory to prevent file creation
	tmpDir := t.TempDir()
	readOnlyDir := filepath.Join(tmpDir, "readonly")

	if err := os.Mkdir(readOnlyDir, 0755); err != nil {
		t.Fatalf("failed to create readonly dir: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: readOnlyDir,
	}

	// Add a token
	store.tokens["testkey"] = &CSRFToken{
		Hash:    "testhash",
		Expires: time.Now().Add(time.Hour),
	}

	// Make directory read-only after it exists (MkdirAll succeeds, WriteFile fails)
	if err := os.Chmod(readOnlyDir, 0555); err != nil {
		t.Fatalf("failed to make dir readonly: %v", err)
	}
	t.Cleanup(func() {
		os.Chmod(readOnlyDir, 0755) // Restore for cleanup
	})

	// saveUnsafe should handle error gracefully (logs but doesn't panic)
	store.saveUnsafe()

	// Verify no file was created
	csrfFile := filepath.Join(readOnlyDir, "csrf_tokens.json")
	if _, err := os.Stat(csrfFile); err == nil {
		t.Error("tokens file should not exist after write failure")
	}
}

func TestCSRFTokenStore_SaveUnsafe_RenameError(t *testing.T) {
	// Create a directory at the target path to cause rename error
	tmpDir := t.TempDir()

	// Create a directory at the exact path where csrf_tokens.json should go
	csrfFilePath := filepath.Join(tmpDir, "csrf_tokens.json")
	if err := os.Mkdir(csrfFilePath, 0755); err != nil {
		t.Fatalf("failed to create blocking directory: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	// Add a token
	store.tokens["testkey"] = &CSRFToken{
		Hash:    "testhash",
		Expires: time.Now().Add(time.Hour),
	}

	// saveUnsafe should handle rename error gracefully
	store.saveUnsafe()

	// The blocking directory should still exist (rename failed)
	info, err := os.Stat(csrfFilePath)
	if err != nil {
		t.Fatalf("blocking directory was removed: %v", err)
	}
	if !info.IsDir() {
		t.Error("blocking directory was replaced with a file")
	}
}

func TestCSRFTokenStore_Load_ReadError(t *testing.T) {
	tmpDir := t.TempDir()

	// Create a directory where the tokens file should be - reading it will fail
	csrfPath := filepath.Join(tmpDir, "csrf_tokens.json")
	if err := os.Mkdir(csrfPath, 0755); err != nil {
		t.Fatalf("failed to create directory: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	// Should not panic and should log error
	store.load()

	if len(store.tokens) != 0 {
		t.Errorf("store should be empty after read error, got %d tokens", len(store.tokens))
	}
}

func TestCSRFTokenStore_Load_InvalidJSON(t *testing.T) {
	tmpDir := t.TempDir()

	// Write invalid JSON that won't match either format
	csrfFile := filepath.Join(tmpDir, "csrf_tokens.json")
	if err := os.WriteFile(csrfFile, []byte("not valid json at all"), 0600); err != nil {
		t.Fatalf("failed to write invalid JSON: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	// Should not panic
	store.load()

	if len(store.tokens) != 0 {
		t.Errorf("store should be empty after loading invalid JSON, got %d tokens", len(store.tokens))
	}
}

func TestCSRFTokenStore_Load_LegacyFormat(t *testing.T) {
	tmpDir := t.TempDir()

	// Create legacy format JSON (map[sessionID]tokenData) with snake_case fields
	legacyJSON := `{
		"session-1": {"token": "token-value-1", "session_id": "session-1", "expires_at": "2099-12-31T23:59:59Z"},
		"session-2": {"token": "token-value-2", "session_id": "session-2", "expires_at": "2099-12-31T23:59:59Z"},
		"session-expired": {"token": "expired-token", "session_id": "session-expired", "expires_at": "2020-01-01T00:00:00Z"}
	}`
	csrfFile := filepath.Join(tmpDir, "csrf_tokens.json")
	if err := os.WriteFile(csrfFile, []byte(legacyJSON), 0600); err != nil {
		t.Fatalf("failed to write legacy format JSON: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	store.load()

	// Should load the two non-expired tokens (session-1 and session-2)
	// The expired one (session-expired) should be skipped
	if len(store.tokens) != 2 {
		t.Errorf("expected 2 tokens from legacy format, got %d", len(store.tokens))
	}

	// Verify tokens are hashed and can be validated
	// The legacy format stores raw tokens, which get hashed during migration
	if !store.ValidateCSRFToken("session-1", "token-value-1") {
		t.Error("should validate token for session-1 after legacy migration")
	}
	if !store.ValidateCSRFToken("session-2", "token-value-2") {
		t.Error("should validate token for session-2 after legacy migration")
	}
}

func TestCSRFTokenStore_Load_CurrentFormat_SkipsNilAndExpired(t *testing.T) {
	tmpDir := t.TempDir()

	// Create current format JSON with expired and nil entries (snake_case fields)
	// This tests the nil check and expiration check in lines 238-240
	currentJSON := `[
		{"token_hash": "hash1", "session_key": "key1", "expires_at": "2099-12-31T23:59:59Z"},
		null,
		{"token_hash": "hash2", "session_key": "key2", "expires_at": "2020-01-01T00:00:00Z"}
	]`
	csrfFile := filepath.Join(tmpDir, "csrf_tokens.json")
	if err := os.WriteFile(csrfFile, []byte(currentJSON), 0600); err != nil {
		t.Fatalf("failed to write current format JSON: %v", err)
	}

	store := &CSRFTokenStore{
		tokens:   make(map[string]*CSRFToken),
		dataPath: tmpDir,
	}

	store.load()

	// Should load only the valid, non-expired token (key1)
	// null entry and expired entry (key2) should be skipped
	if len(store.tokens) != 1 {
		t.Errorf("expected 1 token after filtering, got %d", len(store.tokens))
	}

	// Verify the valid token was loaded
	if _, exists := store.tokens["key1"]; !exists {
		t.Error("expected key1 to be loaded")
	}
}