新增统一认证 Revision 状态机、单 Active 数据库约束、SecretStore 引用字段、Break-glass 与本地租户门禁,并在关键身份变化或禁用时清理旧 BFF Session。\n\n同时实现标准应用接入 Manifest v1 消费端,接入码只进入请求 Body,Exchange Token 只进入 Authorization Header,禁用重定向并限制响应大小。\n\n验证:go test ./...;go vet ./...
90 lines
3.4 KiB
Go
90 lines
3.4 KiB
Go
package identity
|
|
|
|
import (
|
|
"encoding/json"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestRevisionStateTransitions(t *testing.T) {
|
|
tests := []struct {
|
|
from, to RevisionState
|
|
allowed bool
|
|
}{
|
|
{RevisionDraft, RevisionValidated, true},
|
|
{RevisionDraft, RevisionFailed, true},
|
|
{RevisionValidated, RevisionActive, true},
|
|
{RevisionValidated, RevisionFailed, true},
|
|
{RevisionActive, RevisionSuperseded, true},
|
|
{RevisionSuperseded, RevisionValidated, true},
|
|
{RevisionSuperseded, RevisionActive, false},
|
|
{RevisionDraft, RevisionActive, false},
|
|
{RevisionFailed, RevisionActive, false},
|
|
{RevisionActive, RevisionValidated, false},
|
|
}
|
|
for _, test := range tests {
|
|
if got := CanTransition(test.from, test.to); got != test.allowed {
|
|
t.Errorf("CanTransition(%q, %q)=%v, want %v", test.from, test.to, got, test.allowed)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRevisionNeverSerializesSecretValues(t *testing.T) {
|
|
type secretFields interface {
|
|
MachineSecret() string
|
|
}
|
|
var _ = any((*Revision)(nil))
|
|
if _, exposesSecret := any((*Revision)(nil)).(secretFields); exposesSecret {
|
|
t.Fatal("Revision unexpectedly exposes a machine secret value")
|
|
}
|
|
revision := Revision{MachineCredentialRef: "identity-machine-example", SessionEncryptionKeyRef: "identity-session-example"}
|
|
if revision.MachineCredentialRef == "" || revision.SessionEncryptionKeyRef == "" {
|
|
t.Fatal("Revision must retain SecretStore references")
|
|
}
|
|
}
|
|
|
|
func TestValidatePairingInputDerivesExactGatewayURIs(t *testing.T) {
|
|
input := PairingInput{
|
|
AuthCenterURL: "https://auth.example.com", PublicBaseURL: "https://api.example.com",
|
|
WebBaseURL: "https://gateway.example.com", LocalTenantKey: "default",
|
|
}
|
|
metadata, err := input.ConsumerMetadata(true)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if metadata.RedirectURIs[0] != "https://api.example.com/api/v1/auth/oidc/callback" ||
|
|
metadata.LogoutURIs[0] != "https://gateway.example.com/" ||
|
|
metadata.ReceiverEndpoint != "https://api.example.com/api/v1/security-events/ssf" {
|
|
t.Fatalf("unexpected derived metadata: %#v", metadata)
|
|
}
|
|
}
|
|
|
|
func TestValidatePairingInputRejectsRemoteHTTPAndURLCredentials(t *testing.T) {
|
|
for _, input := range []PairingInput{
|
|
{AuthCenterURL: "http://auth.example.com", PublicBaseURL: "https://api.example.com", WebBaseURL: "https://gateway.example.com", LocalTenantKey: "default"},
|
|
{AuthCenterURL: "https://user:password@auth.example.com", PublicBaseURL: "https://api.example.com", WebBaseURL: "https://gateway.example.com", LocalTenantKey: "default"},
|
|
} {
|
|
if _, err := input.ConsumerMetadata(false); err == nil {
|
|
t.Fatalf("unsafe pairing input accepted: %#v", input)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestNewDraftAppliesSessionDefaultsWithoutPersistingOnboardingCode(t *testing.T) {
|
|
draft, err := NewDraft(PairingInput{
|
|
AuthCenterURL: "https://auth.example.com", OnboardingCode: "onb1.must-never-be-persisted",
|
|
PublicBaseURL: "https://api.example.com", WebBaseURL: "https://gateway.example.com",
|
|
LocalTenantKey: "default", LegacyJWTEnabled: true,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if draft.State != RevisionDraft || draft.SessionIdleSeconds != 1800 || draft.SessionAbsoluteSeconds != 28800 || draft.SessionRefreshSeconds != 60 {
|
|
t.Fatalf("unexpected draft defaults: %#v", draft)
|
|
}
|
|
payload, _ := json.Marshal(draft)
|
|
if strings.Contains(string(payload), "must-never-be-persisted") || strings.Contains(string(payload), "onboardingCode") {
|
|
t.Fatalf("draft exposed onboarding code: %s", payload)
|
|
}
|
|
}
|