Add files via upload

This commit is contained in:
公明
2026-07-10 18:58:17 +08:00
committed by GitHub
parent 2995847e0e
commit 46a9b42fde
8 changed files with 351 additions and 29 deletions
+44
View File
@@ -1,11 +1,15 @@
package security
import (
"net/http"
"net/http/httptest"
"path/filepath"
"testing"
"cyberstrike-ai/internal/authctx"
"cyberstrike-ai/internal/database"
"github.com/gin-gonic/gin"
"go.uber.org/zap"
)
@@ -50,4 +54,44 @@ func TestAuthManagerAuthenticatesCreatedRBACUser(t *testing.T) {
if _, _, err := manager.Authenticate("", "operator-secret"); err == nil {
t.Fatalf("empty username must not authenticate non-admin user")
}
router := gin.New()
router.Use(AuthMiddleware(manager))
router.GET("/principal", func(c *gin.Context) {
principal, ok := authctx.PrincipalFromContext(c.Request.Context())
if !ok || principal.UserID != user.ID || !principal.HasPermission("chat:read") || principal.ScopeFor("chat:read") != database.RBACScopeAssigned {
c.Status(http.StatusInternalServerError)
return
}
c.Status(http.StatusNoContent)
})
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/principal", nil)
req.Header.Set("Authorization", "Bearer "+token)
router.ServeHTTP(w, req)
if w.Code != http.StatusNoContent {
t.Fatalf("principal propagation status = %d", w.Code)
}
}
func TestQueryTokenOnlyAllowedForSSEAndWebSocketGET(t *testing.T) {
requestToken := func(method, accept, upgrade string) string {
c, _ := gin.CreateTestContext(httptest.NewRecorder())
c.Request = httptest.NewRequest(method, "/api/test?token=secret", nil)
c.Request.Header.Set("Accept", accept)
c.Request.Header.Set("Upgrade", upgrade)
return extractTokenFromRequest(c)
}
if got := requestToken(http.MethodGet, "application/json", ""); got != "" {
t.Fatalf("ordinary GET accepted query token %q", got)
}
if got := requestToken(http.MethodPost, "text/event-stream", ""); got != "" {
t.Fatalf("POST accepted query token %q", got)
}
if got := requestToken(http.MethodGet, "text/event-stream", ""); got != "secret" {
t.Fatalf("SSE token = %q", got)
}
if got := requestToken(http.MethodGet, "", "websocket"); got != "secret" {
t.Fatalf("WebSocket token = %q", got)
}
}