From 9045f5ba7363e46c970a6f9141b0582feeff8371 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Sat, 24 May 2025 18:43:18 +0200
Subject: [PATCH] add tests for peap-extensions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 .../radius/eap/protocol/peap/extension_avp.go | 12 +++++--
 .../eap/protocol/peap/extension_avp_test.go   | 36 +++++++++++++++++++
 2 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 internal/outpost/radius/eap/protocol/peap/extension_avp_test.go

diff --git a/internal/outpost/radius/eap/protocol/peap/extension_avp.go b/internal/outpost/radius/eap/protocol/peap/extension_avp.go
index 4b6f53a77b..8701f3144c 100644
--- a/internal/outpost/radius/eap/protocol/peap/extension_avp.go
+++ b/internal/outpost/radius/eap/protocol/peap/extension_avp.go
@@ -2,6 +2,7 @@ package peap
 
 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 )
 
@@ -20,13 +21,18 @@ type ExtensionAVP struct {
 	Value     []byte
 }
 
+var (
+	ErrorReservedBitSet = errors.New("PEAP-Extension: Reserved bit is not 0")
+)
+
 func (eavp *ExtensionAVP) Decode(raw []byte) error {
 	typ := binary.BigEndian.Uint16(raw[:2])
-	// TODO fix this
-	if typ&0b1000000000000000 == 0 {
+	if typ>>15 == 1 {
 		eavp.Mandatory = true
 	}
-	// TODO: Check reserved bit
+	if typ>>14&1 != 0 {
+		return ErrorReservedBitSet
+	}
 	eavp.Type = AVPType(typ & 0b0011111111111111)
 	eavp.Length = binary.BigEndian.Uint16(raw[2:4])
 	val := raw[4:]
diff --git a/internal/outpost/radius/eap/protocol/peap/extension_avp_test.go b/internal/outpost/radius/eap/protocol/peap/extension_avp_test.go
new file mode 100644
index 0000000000..3a25db0349
--- /dev/null
+++ b/internal/outpost/radius/eap/protocol/peap/extension_avp_test.go
@@ -0,0 +1,36 @@
+package peap_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"goauthentik.io/internal/outpost/radius/eap/protocol/peap"
+)
+
+func TestEncode(t *testing.T) {
+	eavp := peap.ExtensionAVP{
+		Mandatory: true,
+		Type:      peap.AVPType(3),
+	}
+	assert.Equal(t, []byte{0x80, 0x3, 0x0, 0x0}, eavp.Encode())
+}
+
+func TestDecode(t *testing.T) {
+	eavp := peap.ExtensionAVP{}
+	err := eavp.Decode([]byte{0x80, 0x3, 0x0, 0x0})
+	assert.NoError(t, err)
+	assert.True(t, eavp.Mandatory)
+	assert.Equal(t, peap.AVPType(3), eavp.Type)
+}
+
+func TestDecode_Invalid_ReservedBitSet(t *testing.T) {
+	eavp := peap.ExtensionAVP{}
+	err := eavp.Decode([]byte{0xc0, 0x3, 0x0, 0x0})
+	assert.ErrorIs(t, err, peap.ErrorReservedBitSet)
+}
+
+func TestDecode_Invalid_Length(t *testing.T) {
+	eavp := peap.ExtensionAVP{}
+	err := eavp.Decode([]byte{0x80, 0x3, 0x0, 0x0, 0x0})
+	assert.NotNil(t, err)
+}