gogcli/internal/googleapi/client_more_test.go

package googleapi

import (
	"context"
	"errors"
	"os"
	"path/filepath"
	"testing"

	"github.com/99designs/keyring"
	"golang.org/x/oauth2"

	"github.com/steipete/gogcli/internal/config"
	"github.com/steipete/gogcli/internal/googleauth"
	"github.com/steipete/gogcli/internal/secrets"
)

var (
	errBoom         = errors.New("boom")
	errNope         = errors.New("nope")
	errMissingCreds = errors.New("missing creds")
)

type stubStore struct {
	lastEmail string
	tok       secrets.Token
	err       error
}

func (s *stubStore) Keys() ([]string, error)              { return nil, nil }
func (s *stubStore) SetToken(string, secrets.Token) error { return nil }
func (s *stubStore) DeleteToken(string) error             { return nil }
func (s *stubStore) ListTokens() ([]secrets.Token, error) { return nil, nil }
func (s *stubStore) GetDefaultAccount() (string, error)   { return "", nil }
func (s *stubStore) SetDefaultAccount(string) error       { return nil }
func (s *stubStore) GetToken(email string) (secrets.Token, error) {
	s.lastEmail = email
	if s.err != nil {
		return secrets.Token{}, s.err
	}

	return s.tok, nil
}

func TestTokenSourceForAccountScopes_StoreErrors(t *testing.T) {
	origOpen := openSecretsStore

	t.Cleanup(func() { openSecretsStore = origOpen })

	openSecretsStore = func() (secrets.Store, error) {
		return nil, errBoom
	}

	_, err := tokenSourceForAccountScopes(context.Background(), "svc", "a@b.com", "id", "secret", []string{"s1"})
	if err == nil || !errors.Is(err, errBoom) {
		t.Fatalf("expected boom, got: %v", err)
	}
}

func TestTokenSourceForAccountScopes_KeyNotFound(t *testing.T) {
	origOpen := openSecretsStore

	t.Cleanup(func() { openSecretsStore = origOpen })

	openSecretsStore = func() (secrets.Store, error) {
		return &stubStore{err: keyring.ErrKeyNotFound}, nil
	}

	_, err := tokenSourceForAccountScopes(context.Background(), "gmail", "a@b.com", "id", "secret", []string{"s1"})
	if err == nil {
		t.Fatalf("expected error")
	}
	var are *AuthRequiredError

	if !errors.As(err, &are) {
		t.Fatalf("expected AuthRequiredError, got: %T %v", err, err)
	}

	if are.Service != "gmail" || are.Email != "a@b.com" {
		t.Fatalf("unexpected: %#v", are)
	}
}

func TestTokenSourceForAccountScopes_OtherGetError(t *testing.T) {
	origOpen := openSecretsStore

	t.Cleanup(func() { openSecretsStore = origOpen })

	openSecretsStore = func() (secrets.Store, error) {
		return &stubStore{err: errNope}, nil
	}

	_, err := tokenSourceForAccountScopes(context.Background(), "svc", "a@b.com", "id", "secret", []string{"s1"})
	if err == nil || !errors.Is(err, errNope) {
		t.Fatalf("expected nope, got: %v", err)
	}
}

func TestTokenSourceForAccountScopes_HappyPath(t *testing.T) {
	origOpen := openSecretsStore

	t.Cleanup(func() { openSecretsStore = origOpen })

	s := &stubStore{tok: secrets.Token{Email: "a@b.com", RefreshToken: "rt"}}
	openSecretsStore = func() (secrets.Store, error) { return s, nil }

	ts, err := tokenSourceForAccountScopes(context.Background(), "svc", "A@B.COM", "id", "secret", []string{"s1"})
	if err != nil {
		t.Fatalf("unexpected err: %v", err)
	}

	if ts == nil {
		t.Fatalf("expected token source")
	}
	// Ensure we pass through the email (store normalizes in production).
	if s.lastEmail != "A@B.COM" {
		t.Fatalf("expected email passed through, got: %q", s.lastEmail)
	}
}

func TestTokenSourceForAccount_ReadCredsError(t *testing.T) {
	origRead := readClientCredentials

	t.Cleanup(func() { readClientCredentials = origRead })

	readClientCredentials = func() (config.ClientCredentials, error) {
		return config.ClientCredentials{}, errMissingCreds
	}

	_, err := tokenSourceForAccount(context.Background(), googleauth.ServiceGmail, "a@b.com")
	if err == nil || !errors.Is(err, errMissingCreds) {
		t.Fatalf("expected missing creds, got: %v", err)
	}
}

func TestOptionsForAccountScopes_HappyPath(t *testing.T) {
	origRead := readClientCredentials
	origOpen := openSecretsStore

	t.Cleanup(func() {
		readClientCredentials = origRead
		openSecretsStore = origOpen
	})

	readClientCredentials = func() (config.ClientCredentials, error) {
		return config.ClientCredentials{ClientID: "id", ClientSecret: "secret"}, nil
	}
	openSecretsStore = func() (secrets.Store, error) {
		return &stubStore{tok: secrets.Token{Email: "a@b.com", RefreshToken: "rt"}}, nil
	}

	opts, err := optionsForAccountScopes(context.Background(), "svc", "a@b.com", []string{"s1"})
	if err != nil {
		t.Fatalf("unexpected err: %v", err)
	}

	if len(opts) == 0 {
		t.Fatalf("expected client options")
	}
}

func TestOptionsForAccount_HappyPath(t *testing.T) {
	origRead := readClientCredentials
	origOpen := openSecretsStore

	t.Cleanup(func() {
		readClientCredentials = origRead
		openSecretsStore = origOpen
	})

	readClientCredentials = func() (config.ClientCredentials, error) {
		return config.ClientCredentials{ClientID: "id", ClientSecret: "secret"}, nil
	}
	openSecretsStore = func() (secrets.Store, error) {
		return &stubStore{tok: secrets.Token{Email: "a@b.com", RefreshToken: "rt"}}, nil
	}

	opts, err := optionsForAccount(context.Background(), googleauth.ServiceDrive, "a@b.com")
	if err != nil {
		t.Fatalf("unexpected err: %v", err)
	}

	if len(opts) == 0 {
		t.Fatalf("expected client options")
	}
}

func TestOptionsForAccountScopes_ServiceAccountPreferred(t *testing.T) {
	home := t.TempDir()
	t.Setenv("HOME", home)
	t.Setenv("XDG_CONFIG_HOME", filepath.Join(home, "xdg-config"))

	saPath, err := config.ServiceAccountPath("a@b.com")
	if err != nil {
		t.Fatalf("ServiceAccountPath: %v", err)
	}

	if _, ensureErr := config.EnsureDir(); ensureErr != nil {
		t.Fatalf("EnsureDir: %v", ensureErr)
	}

	if writeErr := os.WriteFile(saPath, []byte(`{"type":"service_account"}`), 0o600); writeErr != nil {
		t.Fatalf("write sa: %v", writeErr)
	}

	origRead := readClientCredentials
	origOpen := openSecretsStore
	origSA := newServiceAccountTokenSource

	t.Cleanup(func() {
		readClientCredentials = origRead
		openSecretsStore = origOpen
		newServiceAccountTokenSource = origSA
	})

	readClientCredentials = func() (config.ClientCredentials, error) {
		t.Fatalf("readClientCredentials should not be called")
		return config.ClientCredentials{}, nil
	}
	openSecretsStore = func() (secrets.Store, error) {
		t.Fatalf("openSecretsStore should not be called")
		return nil, errBoom
	}

	called := false
	newServiceAccountTokenSource = func(_ context.Context, keyJSON []byte, subject string, scopes []string) (oauth2.TokenSource, error) {
		called = true

		if subject != "a@b.com" {
			t.Fatalf("unexpected subject: %q", subject)
		}

		if len(scopes) != 1 || scopes[0] != "s1" {
			t.Fatalf("unexpected scopes: %#v", scopes)
		}

		if string(keyJSON) == "" {
			t.Fatalf("expected keyJSON")
		}

		return oauth2.StaticTokenSource(&oauth2.Token{AccessToken: "t"}), nil
	}

	opts, err := optionsForAccountScopes(context.Background(), "svc", "a@b.com", []string{"s1"})
	if err != nil {
		t.Fatalf("unexpected err: %v", err)
	}

	if !called {
		t.Fatalf("expected service account token source used")
	}

	if len(opts) == 0 {
		t.Fatalf("expected client options")
	}
}