修复 credentials_saved 状态无法恢复、配对与激活并发冲突,以及 SSF 和身份 Secret 生命周期不完整的问题。新增持久化协调器、取消与清理状态机、事务级并发门禁、受控 SSF 凭据交接、禁用后的延迟 Secret 清理,并对生产环境统一认证及 Discovery 端点强制 HTTPS。 验证:go test ./...;go test -race ./internal/auth ./internal/identity ./internal/identityruntime ./internal/securityevents ./internal/httpapi ./internal/store -count=1;go vet ./...;真实 PostgreSQL 并发及清理成功/冲突回滚测试;pnpm openapi。
27 lines
962 B
Go
27 lines
962 B
Go
package httpapi
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/easyai/easyai-ai-gateway/apps/api/internal/config"
|
|
"github.com/easyai/easyai-ai-gateway/apps/api/internal/store"
|
|
)
|
|
|
|
func TestLocalLoginPolicyAlwaysPreservesBreakGlassManager(t *testing.T) {
|
|
serverMain := &Server{cfg: config.Config{IdentityMode: "server-main"}}
|
|
if !serverMain.localLoginAllowed(store.GatewayUser{Roles: []string{"manager"}}) {
|
|
t.Fatal("server-main mode rejected a local break-glass manager")
|
|
}
|
|
if !serverMain.localLoginAllowed(store.GatewayUser{Roles: []string{"admin"}}) {
|
|
t.Fatal("server-main mode rejected a local break-glass admin")
|
|
}
|
|
if serverMain.localLoginAllowed(store.GatewayUser{Roles: []string{"user"}}) {
|
|
t.Fatal("server-main mode accepted an ordinary local user")
|
|
}
|
|
|
|
hybrid := &Server{cfg: config.Config{IdentityMode: "hybrid"}}
|
|
if !hybrid.localLoginAllowed(store.GatewayUser{Roles: []string{"user"}}) {
|
|
t.Fatal("hybrid mode rejected an ordinary local user")
|
|
}
|
|
}
|