easyai-ai-gateway/apps/api/internal/securityevents/connection_manager_test.go
chengcheng 9efeb16fd1 feat(ssf): 实现安全事件一键连接与凭据托管
新增数据库驱动的 SecurityEventConnectionManager,复用 RFC 7662 机器 Client,自动完成 Discovery、Push Bearer 生成、Stream 创建、Verification、首次启用、零停机轮换和安全退役。

增加文件与 Kubernetes SecretStore、最小权限 RBAC、动态 Receiver/撤销水位/内省降级,以及系统设置管理页面。已通过全量 Go 测试、go vet、关键包竞态测试、27 个 Web 测试、类型检查、生产构建、Compose 和 Kubernetes dry-run。
2026-07-15 17:25:00 +08:00

294 lines
12 KiB
Go

package securityevents
import (
"context"
"encoding/json"
"errors"
"net"
"net/http"
"net/http/httptest"
"strings"
"sync"
"sync/atomic"
"testing"
"time"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/auth"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/store"
"github.com/google/uuid"
)
type memoryConnectionRepository struct {
mutex sync.Mutex
connection *store.SecurityEventConnection
mode string
verifiedAt *time.Time
evaluation store.SecurityEventEvaluation
}
func (*memoryConnectionRepository) ApplySessionRevoked(context.Context, store.ApplySessionRevokedInput) (store.ApplySecurityEventResult, error) {
return store.ApplySecurityEventResult{}, nil
}
func (*memoryConnectionRepository) ApplySecurityEventStreamUpdated(context.Context, string, string, string, string, string, string, time.Time) (bool, error) {
return true, nil
}
func (*memoryConnectionRepository) ConfirmSecurityEventVerification(context.Context, string, string, string, string, []byte, time.Time) (bool, error) {
return true, nil
}
func (*memoryConnectionRepository) RecordSecurityEventReceipt(context.Context, string, string, string, string, string) (bool, error) {
return true, nil
}
func (r *memoryConnectionRepository) EnsureSecurityEventStreamState(context.Context, string, string, string) error {
r.mode = "bootstrap"
return nil
}
func (*memoryConnectionRepository) BeginSecurityEventVerification(context.Context, string, string, []byte, time.Time) error {
return nil
}
func (*memoryConnectionRepository) RecordSecurityEventHeartbeatFailure(context.Context, string, string, string) error {
return nil
}
func (*memoryConnectionRepository) AdvanceSecurityEventStreamState(context.Context, string, string, time.Time, time.Duration) error {
return nil
}
func (r *memoryConnectionRepository) EvaluateOIDCSecurityEvent(context.Context, string, string, string, string, string, time.Time, time.Time, time.Duration) (store.SecurityEventEvaluation, error) {
if r.evaluation.Mode == "" {
return store.SecurityEventEvaluation{Mode: "bootstrap", RequireIntrospection: true}, nil
}
return r.evaluation, nil
}
func (r *memoryConnectionRepository) CreateSecurityEventConnection(_ context.Context, input store.CreateSecurityEventConnectionInput) (store.SecurityEventConnection, error) {
r.mutex.Lock()
defer r.mutex.Unlock()
if r.connection != nil {
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionConflict
}
now := time.Now().UTC()
value := store.SecurityEventConnection{ConnectionID: input.ConnectionID, TransmitterIssuer: input.TransmitterIssuer,
EndpointURL: input.EndpointURL, CredentialRef: input.CredentialRef, LifecycleStatus: "connecting", Version: 1,
IdempotencyKey: input.IdempotencyKey, CreatedAt: now, UpdatedAt: now, HealthMode: "disabled"}
r.connection = &value
return value, nil
}
func (r *memoryConnectionRepository) SecurityEventConnection(context.Context) (store.SecurityEventConnection, error) {
r.mutex.Lock()
defer r.mutex.Unlock()
if r.connection == nil {
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionNotFound
}
value := *r.connection
value.HealthMode, value.LastVerificationAt = r.mode, r.verifiedAt
return value, nil
}
func (r *memoryConnectionRepository) BindSecurityEventConnection(_ context.Context, id, audience, streamID, lifecycle string, expected int64) (store.SecurityEventConnection, error) {
r.mutex.Lock()
defer r.mutex.Unlock()
if r.connection == nil || r.connection.ConnectionID != id || r.connection.Version != expected {
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionConflict
}
r.connection.Audience, r.connection.StreamID = &audience, &streamID
r.connection.LifecycleStatus, r.connection.Version = lifecycle, r.connection.Version+1
return *r.connection, nil
}
func (r *memoryConnectionRepository) UpdateSecurityEventConnectionLifecycle(_ context.Context, id, lifecycle string, category *string) (store.SecurityEventConnection, error) {
r.mutex.Lock()
defer r.mutex.Unlock()
if r.connection == nil || r.connection.ConnectionID != id {
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionNotFound
}
r.connection.LifecycleStatus, r.connection.LastErrorCategory = lifecycle, category
r.connection.Version++
r.connection.UpdatedAt = time.Now().UTC()
return *r.connection, nil
}
func (r *memoryConnectionRepository) SetSecurityEventNextCredential(context.Context, string, string) (store.SecurityEventConnection, error) {
return store.SecurityEventConnection{}, errors.New("not used")
}
func TestConnectionManagerBootstrapOnlyBecomesEnabledWhenPushIsHealthy(t *testing.T) {
for _, test := range []struct {
mode, wantLifecycle string
}{
{mode: "push_healthy", wantLifecycle: "enabled"},
{mode: "introspection_fallback", wantLifecycle: "degraded"},
} {
t.Run(test.mode, func(t *testing.T) {
audience := "urn:easyai:ssf:receiver:" + uuid.NewString()
repository := &memoryConnectionRepository{mode: test.mode, connection: &store.SecurityEventConnection{
ConnectionID: uuid.NewString(), TransmitterIssuer: "https://auth.example/ssf", Audience: &audience,
LifecycleStatus: "bootstrap", Version: 1, UpdatedAt: time.Now().UTC(),
}}
manager := &ConnectionManager{ctx: context.Background(), repository: repository,
config: ConnectionManagerConfig{BootstrapDuration: time.Millisecond}}
manager.finishBootstrap(repository.connection.ConnectionID)
connection, err := repository.SecurityEventConnection(context.Background())
if err != nil || connection.LifecycleStatus != test.wantLifecycle {
t.Fatalf("connection=%#v err=%v", connection, err)
}
})
}
}
func TestRemoteNotFoundIsRecognizedForIdempotentDisconnect(t *testing.T) {
if !isRemoteHTTPStatus(remoteHTTPError{status: http.StatusNotFound}, http.StatusNotFound) {
t.Fatal("remote 404 was not recognized as an already-deleted Stream")
}
}
func TestTransmitterSSRFProtectionBlocksReservedNetworks(t *testing.T) {
for _, address := range []string{
"127.0.0.1", "10.0.0.1", "169.254.169.254", "100.64.0.1", "192.0.2.1", "198.51.100.1", "203.0.113.1", "2001:db8::1",
} {
if !blockedAddress(net.ParseIP(address)) {
t.Fatalf("reserved address %s was allowed", address)
}
}
if blockedAddress(net.ParseIP("8.8.8.8")) {
t.Fatal("public address was blocked")
}
}
func TestRetiringConnectionStillAppliesRevocationWatermark(t *testing.T) {
audience := "urn:easyai:ssf:receiver:" + uuid.NewString()
repository := &memoryConnectionRepository{
evaluation: store.SecurityEventEvaluation{Mode: "introspection_fallback", Revoked: true, RequireIntrospection: true},
connection: &store.SecurityEventConnection{
ConnectionID: uuid.NewString(), TransmitterIssuer: "https://auth.example/ssf", Audience: &audience,
LifecycleStatus: "retiring", Version: 1,
},
}
manager := &ConnectionManager{ctx: context.Background(), repository: repository, config: ConnectionManagerConfig{StaleAfter: 3 * time.Minute}}
evaluation, err := manager.Evaluate(context.Background(), auth.OIDCSecurityEventIdentity{IssuedAt: time.Now().Add(-time.Minute)})
if err != nil || !evaluation.Enabled || !evaluation.Revoked || !evaluation.RequireIntrospection {
t.Fatalf("retiring evaluation=%#v err=%v", evaluation, err)
}
}
func (r *memoryConnectionRepository) PromoteSecurityEventCredential(context.Context, string, string) (store.SecurityEventConnection, error) {
return store.SecurityEventConnection{}, errors.New("not used")
}
func (r *memoryConnectionRepository) DeleteSecurityEventConnection(context.Context, string) error {
r.connection = nil
return nil
}
func (r *memoryConnectionRepository) SecurityEventMetrics(context.Context, string, string) (string, *time.Time, error) {
return r.mode, r.verifiedAt, nil
}
type memorySecretStore struct {
values map[string][]byte
}
func (s *memorySecretStore) Put(_ context.Context, reference string, value []byte) error {
if s.values == nil {
s.values = map[string][]byte{}
}
s.values[reference] = append([]byte(nil), value...)
return nil
}
func (s *memorySecretStore) Get(_ context.Context, reference string) ([]byte, error) {
value, ok := s.values[reference]
if !ok {
return nil, ErrSecretNotFound
}
return append([]byte(nil), value...), nil
}
func (s *memorySecretStore) Delete(_ context.Context, reference string) error {
delete(s.values, reference)
return nil
}
func TestConnectionManagerCreatesPausedStreamWithBackendGeneratedBearer(t *testing.T) {
repository := &memoryConnectionRepository{}
secrets := &memorySecretStore{}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
var transmitter *httptest.Server
verificationRequested := make(chan struct{}, 1)
var managementScopeRequested atomic.Bool
transmitter = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/.well-known/ssf-configuration/ssf":
_ = json.NewEncoder(w).Encode(map[string]any{
"spec_version": "1_0", "issuer": transmitter.URL + "/ssf", "jwks_uri": transmitter.URL + "/ssf/jwks.json",
"configuration_endpoint": transmitter.URL + "/ssf/v1/stream", "status_endpoint": transmitter.URL + "/ssf/v1/status",
"verification_endpoint": transmitter.URL + "/ssf/v1/verify", "delivery_methods_supported": []string{pushDeliveryMethod},
})
case "/oidc/token":
clientID, secret, ok := r.BasicAuth()
if !ok || clientID != "gateway-machine" || secret != "machine-secret" {
t.Fatal("RFC 7662 machine client was not reused")
}
_ = r.ParseForm()
if strings.Contains(r.Form.Get("scope"), "ssf.stream.manage") {
managementScopeRequested.Store(true)
}
_ = json.NewEncoder(w).Encode(map[string]any{"access_token": "machine-token", "token_type": "Bearer"})
case "/ssf/v1/stream":
if r.Method == http.MethodGet {
_, _ = w.Write([]byte(`[]`))
return
}
var request struct {
Delivery struct {
AuthorizationHeader string `json:"authorization_header"`
EndpointURL string `json:"endpoint_url"`
} `json:"delivery"`
Description string `json:"description"`
}
_ = json.NewDecoder(r.Body).Decode(&request)
if len(strings.TrimPrefix(request.Delivery.AuthorizationHeader, "Bearer ")) < 43 {
t.Fatal("generated Push Bearer has less than 256 bits")
}
_ = json.NewEncoder(w).Encode(map[string]any{
"stream_id": uuid.NewString(), "iss": transmitter.URL + "/ssf",
"aud": "urn:easyai:ssf:receiver:" + uuid.NewString(), "events_requested": []string{sessionRevokedEvent},
"delivery": map[string]any{"method": pushDeliveryMethod, "endpoint_url": request.Delivery.EndpointURL},
"description": request.Description,
})
case "/ssf/v1/verify":
w.WriteHeader(http.StatusNoContent)
select {
case verificationRequested <- struct{}{}:
default:
}
default:
http.NotFound(w, r)
}
}))
defer transmitter.Close()
manager, err := NewConnectionManager(ctx, repository, secrets, ConnectionManagerConfig{
AppEnv: "test", OIDCEnabled: true, OIDCIssuer: transmitter.URL + "/oidc", OIDCTenantID: uuid.NewString(),
ManagementClientID: "gateway-machine", ManagementClientSecret: "machine-secret",
PublicBaseURL: transmitter.URL, HeartbeatInterval: time.Hour, StaleAfter: 2 * time.Hour, HTTPClient: transmitter.Client(),
}, &Metrics{})
if err != nil {
t.Fatal(err)
}
evaluation, err := manager.Evaluate(ctx, auth.OIDCSecurityEventIdentity{})
if err != nil || evaluation.Enabled {
t.Fatalf("unconfigured manager evaluation=%#v err=%v", evaluation, err)
}
view, err := manager.Connect(ctx, transmitter.URL+"/ssf", "connect-once")
if err != nil {
t.Fatal(err)
}
if view.LifecycleStatus != "verifying" || view.StreamID == nil || view.Audience == nil {
t.Fatalf("connection view=%#v", view)
}
encoded, _ := json.Marshal(view)
if strings.Contains(string(encoded), "credential") || strings.Contains(string(encoded), "machine-secret") || strings.Contains(string(encoded), "ssf-push-") {
t.Fatalf("secret metadata escaped in response: %s", encoded)
}
if len(secrets.values) != 1 {
t.Fatalf("secret count=%d", len(secrets.values))
}
if !managementScopeRequested.Load() {
t.Fatal("management scopes were not requested automatically")
}
select {
case <-verificationRequested:
case <-time.After(2 * time.Second):
t.Fatal("verification was not started without a restart")
}
}