chore: sync testing plan with authsession

authsession/internal/api/internalhttp/server_test.go

@@ -3,6 +3,8 @@ package internalhttp
 import (
 	"bytes"
 	"context"
+	"io"
+	"net"
 	"net/http"
 	"testing"
 	"time"
@@ -34,7 +36,7 @@ func TestServerRunAndShutdown(t *testing.T) {
 	t.Parallel()
 
 	cfg := DefaultConfig()
-	cfg.Addr = "127.0.0.1:0"
+	cfg.Addr = mustFreeAddr(t)
 
 	server, err := NewServer(cfg, validDependencies())
 	require.NoError(t, err)
@@ -44,30 +46,48 @@ func TestServerRunAndShutdown(t *testing.T) {
 		runErr <- server.Run(context.Background())
 	}()
 
-	require.Eventually(t, func() bool {
-		server.stateMu.RLock()
-		defer server.stateMu.RUnlock()
-		return server.listener != nil
-	}, time.Second, 10*time.Millisecond)
-
-	server.stateMu.RLock()
-	addr := server.listener.Addr().String()
-	server.stateMu.RUnlock()
-
-	response, err := http.Post(
-		"http://"+addr+"/api/v1/internal/sessions/device-session-123/revoke",
-		"application/json",
-		bytes.NewBufferString(`{"reason_code":"admin_revoke","actor":{"type":"system"}}`),
-	)
-	require.NoError(t, err)
-	defer response.Body.Close()
-
-	assert.Equal(t, http.StatusOK, response.StatusCode)
+	client := newTestHTTPClient(t)
+	waitForInternalRevokeReady(t, client, cfg.Addr)
 
 	shutdownCtx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
 	require.NoError(t, server.Shutdown(shutdownCtx))
-	require.NoError(t, <-runErr)
+	waitForServerRunResult(t, runErr)
+}
+
+func TestServerDoesNotExposeProbeOrMetricsRoutes(t *testing.T) {
+	t.Parallel()
+
+	cfg := DefaultConfig()
+	cfg.Addr = mustFreeAddr(t)
+
+	server, err := NewServer(cfg, validDependencies())
+	require.NoError(t, err)
+
+	runErr := make(chan error, 1)
+	go func() {
+		runErr <- server.Run(context.Background())
+	}()
+
+	client := newTestHTTPClient(t)
+	waitForInternalRevokeReady(t, client, cfg.Addr)
+
+	for _, path := range []string{"/healthz", "/readyz", "/metrics"} {
+		request, reqErr := http.NewRequest(http.MethodGet, "http://"+cfg.Addr+path, nil)
+		require.NoError(t, reqErr)
+
+		response, err := client.Do(request)
+		require.NoError(t, err)
+		_, _ = io.ReadAll(response.Body)
+		response.Body.Close()
+
+		assert.Equalf(t, http.StatusNotFound, response.StatusCode, "path %s", path)
+	}
+
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	require.NoError(t, server.Shutdown(shutdownCtx))
+	waitForServerRunResult(t, runErr)
 }
 
 func validDependencies() Dependencies {
@@ -104,3 +124,63 @@ func validDependencies() Dependencies {
 		}),
 	}
 }
+
+func newTestHTTPClient(t *testing.T) *http.Client {
+	t.Helper()
+
+	transport := &http.Transport{
+		DisableKeepAlives: true,
+	}
+	t.Cleanup(transport.CloseIdleConnections)
+
+	return &http.Client{
+		Timeout:   250 * time.Millisecond,
+		Transport: transport,
+	}
+}
+
+func waitForInternalRevokeReady(t *testing.T, client *http.Client, addr string) {
+	t.Helper()
+
+	require.Eventually(t, func() bool {
+		response, err := client.Post(
+			"http://"+addr+"/api/v1/internal/sessions/device-session-123/revoke",
+			"application/json",
+			bytes.NewBufferString(`{"reason_code":"admin_revoke","actor":{"type":"system"}}`),
+		)
+		if err != nil {
+			return false
+		}
+		defer response.Body.Close()
+		_, _ = io.ReadAll(response.Body)
+
+		return response.StatusCode == http.StatusOK
+	}, 5*time.Second, 25*time.Millisecond, "internal HTTP server did not become reachable")
+}
+
+func waitForServerRunResult(t *testing.T, runErr <-chan error) {
+	t.Helper()
+
+	var err error
+	require.Eventually(t, func() bool {
+		select {
+		case err = <-runErr:
+			return true
+		default:
+			return false
+		}
+	}, 5*time.Second, 10*time.Millisecond, "internal HTTP server did not stop")
+	require.NoError(t, err)
+}
+
+func mustFreeAddr(t *testing.T) string {
+	t.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer func() {
+		assert.NoError(t, listener.Close())
+	}()
+
+	return listener.Addr().String()
+}