easyai-ai-gateway/apps/api/internal/httpapi/security_events_test.go
chengcheng a312ad880d fix(identity): 完善统一认证配对恢复与安全退役
修复 credentials_saved 状态无法恢复、配对与激活并发冲突,以及 SSF 和身份 Secret 生命周期不完整的问题。新增持久化协调器、取消与清理状态机、事务级并发门禁、受控 SSF 凭据交接、禁用后的延迟 Secret 清理,并对生产环境统一认证及 Discovery 端点强制 HTTPS。

验证:go test ./...;go test -race ./internal/auth ./internal/identity ./internal/identityruntime ./internal/securityevents ./internal/httpapi ./internal/store -count=1;go vet ./...;真实 PostgreSQL 并发及清理成功/冲突回滚测试;pnpm openapi。
2026-07-17 18:31:12 +08:00

57 lines
1.8 KiB
Go

package httpapi
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/identity"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/identityruntime"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/securityevents"
)
type preparedReceiverBuilder struct {
receiver http.Handler
}
func (builder *preparedReceiverBuilder) Build(context.Context, identity.Revision) (*identityruntime.Runtime, error) {
return &identityruntime.Runtime{}, nil
}
func (builder *preparedReceiverBuilder) PreparedSecurityEventReceiver() http.Handler {
return builder.receiver
}
func TestReceiveSecurityEventUsesPreparedReceiverBeforeFirstActivation(t *testing.T) {
called := false
builder := &preparedReceiverBuilder{receiver: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
called = true
w.WriteHeader(http.StatusAccepted)
})}
server := &Server{identityRuntime: identityruntime.NewManager(nil, builder)}
request := httptest.NewRequest(http.MethodPost, "/api/v1/security-events/ssf", nil)
response := httptest.NewRecorder()
server.receiveSecurityEvent(response, request)
if !called || response.Code != http.StatusAccepted {
t.Fatalf("prepared SSF receiver called=%t status=%d", called, response.Code)
}
}
func TestSecurityEventWriteAuditFailsClosedBeforeMutation(t *testing.T) {
server := &Server{}
request := httptest.NewRequest(http.MethodPost, "/api/admin/system/security-events/connection/verify", nil)
recorder := httptest.NewRecorder()
if _, ok := server.requireSecurityEventConnectionAudit(
recorder, request, "verify", "trace-test", securityevents.ConnectionView{},
); ok {
t.Fatal("security event write unexpectedly continued without durable audit storage")
}
if recorder.Code != http.StatusServiceUnavailable {
t.Fatalf("audit failure status=%d, want 503", recorder.Code)
}
}