easyai-ai-gateway/apps/api/internal/auth/oidc_session_cookie_test.go
chengcheng a312ad880d fix(identity): 完善统一认证配对恢复与安全退役
修复 credentials_saved 状态无法恢复、配对与激活并发冲突,以及 SSF 和身份 Secret 生命周期不完整的问题。新增持久化协调器、取消与清理状态机、事务级并发门禁、受控 SSF 凭据交接、禁用后的延迟 Secret 清理,并对生产环境统一认证及 Discovery 端点强制 HTTPS。

验证:go test ./...;go test -race ./internal/auth ./internal/identity ./internal/identityruntime ./internal/securityevents ./internal/httpapi ./internal/store -count=1;go vet ./...;真实 PostgreSQL 并发及清理成功/冲突回滚测试;pnpm openapi。
2026-07-17 18:31:12 +08:00

183 lines
7.6 KiB
Go

package auth
import (
"context"
"errors"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/golang-jwt/jwt/v5"
)
func TestAuthenticateResolvesOpaqueOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
var resolved string
authenticator.OIDCSessionResolver = func(_ context.Context, raw string) (*User, error) {
resolved = raw
return &User{ID: "platform-subject", Source: "oidc", Roles: []string{"user"}}, nil
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
user, err := authenticator.Authenticate(request)
if err != nil {
t.Fatalf("authenticate OIDC session cookie: %v", err)
}
if user.ID != "platform-subject" || user.Source != "oidc" {
t.Fatalf("unexpected session user: %#v", user)
}
if resolved != "opaque-session-id" {
t.Fatalf("session resolver received %q", resolved)
}
}
func TestAuthenticateBearerTakesPrecedenceOverOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
localToken, err := authenticator.SignJWT(&User{ID: "local-user", Source: "gateway", Roles: []string{"user"}}, time.Hour)
if err != nil {
t.Fatal(err)
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.Header.Set("Authorization", "Bearer "+localToken)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
user, err := authenticator.Authenticate(request)
if err != nil {
t.Fatalf("authenticate bearer token: %v", err)
}
if user.ID != "local-user" || user.Source != "gateway" {
t.Fatalf("cookie overrode explicit bearer credentials: %#v", user)
}
}
func TestAuthenticateRejectsMalformedExplicitCredentialInsteadOfFallingBackToCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
var resolved bool
authenticator.OIDCSessionResolver = func(context.Context, string) (*User, error) {
resolved = true
return &User{ID: "cookie-manager", Source: "gateway", Roles: []string{"manager"}}, nil
}
request := httptest.NewRequest(http.MethodPost, "/api/admin/system/identity/disable", nil)
request.Header.Set("Authorization", "not-a-bearer-credential")
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "valid-cookie-session"})
if _, err := authenticator.Authenticate(request); !errors.Is(err, ErrUnauthorized) {
t.Fatalf("malformed explicit credential error=%v, want unauthorized", err)
}
if resolved {
t.Fatal("malformed Authorization header fell back to the OIDC session cookie")
}
}
func TestAuthenticateRejectsManagerJWTInQueryWithoutCookieFallback(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
managerToken, err := authenticator.SignJWT(&User{ID: "manager", Source: "gateway", Roles: []string{"manager"}}, time.Hour)
if err != nil {
t.Fatal(err)
}
var resolved bool
authenticator.OIDCSessionResolver = func(context.Context, string) (*User, error) {
resolved = true
return &User{ID: "cookie-manager", Source: "gateway", Roles: []string{"manager"}}, nil
}
request := httptest.NewRequest(http.MethodPost, "/api/admin/system/identity/disable?key="+managerToken, nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "valid-cookie-session"})
if _, err := authenticator.Authenticate(request); !errors.Is(err, ErrUnauthorized) {
t.Fatalf("manager query JWT error=%v, want unauthorized", err)
}
if resolved {
t.Fatal("rejected query credential fell back to the OIDC session cookie")
}
}
func TestAuthenticateRejectsInvalidOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
if _, err := authenticator.Authenticate(request); err == nil {
t.Fatal("invalid OIDC session cookie was accepted")
}
}
func TestAuthenticatorReadsOIDCSessionResolverAndLegacyPolicyDynamically(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
currentUser := &User{ID: "first", Roles: []string{"manager"}}
authenticator.OIDCSessionResolverProvider = func(ctx context.Context, sessionID string) (*User, error) {
return currentUser, nil
}
authenticator.LegacyJWTEnabledProvider = func() bool { return false }
request := httptest.NewRequest(http.MethodGet, "/", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
user, err := authenticator.Authenticate(request)
if err != nil || user.ID != "first" {
t.Fatalf("first runtime session resolution failed: user=%#v err=%v", user, err)
}
currentUser = &User{ID: "second", Roles: []string{"manager"}}
user, err = authenticator.Authenticate(request)
if err != nil || user.ID != "second" {
t.Fatalf("swapped runtime session resolution failed: user=%#v err=%v", user, err)
}
if authenticator.legacyJWTEnabled() {
t.Fatal("dynamic legacy JWT policy was ignored")
}
}
func TestAuthenticateKeepsOnlySignedBreakGlassManagerWhenLegacyJWTDisabled(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
authenticator.LegacyJWTEnabledProvider = func() bool { return false }
managerToken, err := authenticator.SignJWT(&User{ID: "manager", Source: "gateway", Roles: []string{"manager"}}, time.Hour)
if err != nil {
t.Fatal(err)
}
managerRequest := httptest.NewRequest(http.MethodGet, "/api/admin/system/identity/configuration", nil)
managerRequest.Header.Set("Authorization", "Bearer "+managerToken)
manager, err := authenticator.Authenticate(managerRequest)
if err != nil || manager.ID != "manager" {
t.Fatalf("signed break-glass manager was rejected: user=%#v err=%v", manager, err)
}
userToken, err := authenticator.SignJWT(&User{ID: "user", Source: "gateway", Roles: []string{"user"}}, time.Hour)
if err != nil {
t.Fatal(err)
}
userRequest := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
userRequest.Header.Set("Authorization", "Bearer "+userToken)
if _, err := authenticator.Authenticate(userRequest); !errors.Is(err, ErrUnauthorized) {
t.Fatalf("ordinary local JWT error = %v, want unauthorized", err)
}
legacyManager := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"sub": "legacy-manager", "source": "gateway", "role": []string{"manager"},
"iat": time.Now().Unix(), "exp": time.Now().Add(time.Hour).Unix(),
})
legacyManagerToken, err := legacyManager.SignedString([]byte(authenticator.JWTSecret))
if err != nil {
t.Fatal(err)
}
legacyRequest := httptest.NewRequest(http.MethodGet, "/api/admin/system/identity/configuration", nil)
legacyRequest.Header.Set("Authorization", "Bearer "+legacyManagerToken)
if _, err := authenticator.Authenticate(legacyRequest); !errors.Is(err, ErrUnauthorized) {
t.Fatalf("legacy manager without token purpose error = %v, want unauthorized", err)
}
}
func TestPublicRouteIgnoresExpiredOptionalOIDCSession(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
authenticator.OIDCSessionResolver = func(context.Context, string) (*User, error) {
return nil, &RequestAuthError{Status: http.StatusUnauthorized, Code: "OIDC_SESSION_EXPIRED", Message: "expired"}
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/public/catalog/providers", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
recorder := httptest.NewRecorder()
authenticator.Require(PermissionPublic, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusNoContent)
})).ServeHTTP(recorder, request)
if recorder.Code != http.StatusNoContent {
t.Fatalf("public route status = %d, want %d", recorder.Code, http.StatusNoContent)
}
}