从 Active Revision 构造并验证 OIDC、BFF Session、Introspection 与 SSF Runtime,在数据库激活成功后原子替换内存引用。请求链路使用不可变快照,失败保留当前运行时,本地管理登录不受影响。\n\n验证:go test ./apps/api/...;go vet ./apps/api/...
99 lines
3.9 KiB
Go
99 lines
3.9 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestAuthenticateResolvesOpaqueOIDCSessionCookie(t *testing.T) {
|
|
authenticator := New("local-jwt-secret", "", "")
|
|
var resolved string
|
|
authenticator.OIDCSessionResolver = func(_ context.Context, raw string) (*User, error) {
|
|
resolved = raw
|
|
return &User{ID: "platform-subject", Source: "oidc", Roles: []string{"user"}}, nil
|
|
}
|
|
|
|
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
|
|
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
|
|
user, err := authenticator.Authenticate(request)
|
|
if err != nil {
|
|
t.Fatalf("authenticate OIDC session cookie: %v", err)
|
|
}
|
|
if user.ID != "platform-subject" || user.Source != "oidc" {
|
|
t.Fatalf("unexpected session user: %#v", user)
|
|
}
|
|
if resolved != "opaque-session-id" {
|
|
t.Fatalf("session resolver received %q", resolved)
|
|
}
|
|
}
|
|
|
|
func TestAuthenticateBearerTakesPrecedenceOverOIDCSessionCookie(t *testing.T) {
|
|
authenticator := New("local-jwt-secret", "", "")
|
|
localToken, err := authenticator.SignJWT(&User{ID: "local-user", Source: "gateway", Roles: []string{"user"}}, time.Hour)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
|
|
request.Header.Set("Authorization", "Bearer "+localToken)
|
|
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
|
|
|
|
user, err := authenticator.Authenticate(request)
|
|
if err != nil {
|
|
t.Fatalf("authenticate bearer token: %v", err)
|
|
}
|
|
if user.ID != "local-user" || user.Source != "gateway" {
|
|
t.Fatalf("cookie overrode explicit bearer credentials: %#v", user)
|
|
}
|
|
}
|
|
|
|
func TestAuthenticateRejectsInvalidOIDCSessionCookie(t *testing.T) {
|
|
authenticator := New("local-jwt-secret", "", "")
|
|
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
|
|
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
|
|
if _, err := authenticator.Authenticate(request); err == nil {
|
|
t.Fatal("invalid OIDC session cookie was accepted")
|
|
}
|
|
}
|
|
|
|
func TestAuthenticatorReadsOIDCSessionResolverAndLegacyPolicyDynamically(t *testing.T) {
|
|
authenticator := New("local-jwt-secret", "", "")
|
|
currentUser := &User{ID: "first", Roles: []string{"manager"}}
|
|
authenticator.OIDCSessionResolverProvider = func(ctx context.Context, sessionID string) (*User, error) {
|
|
return currentUser, nil
|
|
}
|
|
authenticator.LegacyJWTEnabledProvider = func() bool { return false }
|
|
request := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
|
|
user, err := authenticator.Authenticate(request)
|
|
if err != nil || user.ID != "first" {
|
|
t.Fatalf("first runtime session resolution failed: user=%#v err=%v", user, err)
|
|
}
|
|
currentUser = &User{ID: "second", Roles: []string{"manager"}}
|
|
user, err = authenticator.Authenticate(request)
|
|
if err != nil || user.ID != "second" {
|
|
t.Fatalf("swapped runtime session resolution failed: user=%#v err=%v", user, err)
|
|
}
|
|
if authenticator.legacyJWTEnabled() {
|
|
t.Fatal("dynamic legacy JWT policy was ignored")
|
|
}
|
|
}
|
|
|
|
func TestPublicRouteIgnoresExpiredOptionalOIDCSession(t *testing.T) {
|
|
authenticator := New("local-jwt-secret", "", "")
|
|
authenticator.OIDCSessionResolver = func(context.Context, string) (*User, error) {
|
|
return nil, &RequestAuthError{Status: http.StatusUnauthorized, Code: "OIDC_SESSION_EXPIRED", Message: "expired"}
|
|
}
|
|
request := httptest.NewRequest(http.MethodGet, "/api/v1/public/catalog/providers", nil)
|
|
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
|
|
recorder := httptest.NewRecorder()
|
|
authenticator.Require(PermissionPublic, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
})).ServeHTTP(recorder, request)
|
|
if recorder.Code != http.StatusNoContent {
|
|
t.Fatalf("public route status = %d, want %d", recorder.Code, http.StatusNoContent)
|
|
}
|
|
}
|