package middleware import ( "context" "encoding/json" "net/http" "net/http/httptest" "os" "testing" "time" "veza-backend-api/internal/models" "veza-backend-api/internal/services" "github.com/gin-gonic/gin" "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" "go.uber.org/zap" ) const testJWTSecret = "test-secret-key-for-jwt-service-testing-only" // MockUserRepository pour les tests type MockUserRepository struct { mock.Mock } func (m *MockUserRepository) GetByID(id string) (*models.User, error) { args := m.Called(id) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*models.User), args.Error(1) } func (m *MockUserRepository) GetByEmail(email string) (*models.User, error) { args := m.Called(email) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*models.User), args.Error(1) } func (m *MockUserRepository) GetByUsername(username string) (*models.User, error) { args := m.Called(username) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*models.User), args.Error(1) } func (m *MockUserRepository) Create(user *models.User) error { args := m.Called(user) return args.Error(0) } func (m *MockUserRepository) Update(user *models.User) error { args := m.Called(user) return args.Error(0) } func (m *MockUserRepository) Delete(id string) error { args := m.Called(id) return args.Error(0) } func setupTestJWTService(t *testing.T) *services.JWTService { // Set a test JWT_SECRET originalSecret := os.Getenv("JWT_SECRET") os.Setenv("JWT_SECRET", testJWTSecret) t.Cleanup(func() { if originalSecret != "" { os.Setenv("JWT_SECRET", originalSecret) } else { os.Unsetenv("JWT_SECRET") } }) issuer := "veza-api" audience := "veza-app" jwtService, err := services.NewJWTService("", "", testJWTSecret, issuer, audience) require.NoError(t, err) return jwtService } // generateTestToken crée un token JWT compatible avec AuthMiddleware.validateJWTToken // Le middleware attend claims["user_id"] en string UUID (pas "sub" en int64) // ÉTAPE 3.4: Helper pour créer des tokens compatibles avec le nouveau middleware func generateTestToken(t *testing.T, userID uuid.UUID, expiresIn time.Duration) string { claims := jwt.MapClaims{ "sub": userID.String(), // CustomClaims maps UserID to "sub" "exp": time.Now().Add(expiresIn).Unix(), "iat": time.Now().Unix(), // Use Unix timestamp for iat "iss": "veza-api", "aud": "veza-app", "token_version": 0, } token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) tokenString, err := token.SignedString([]byte(testJWTSecret)) require.NoError(t, err) return tokenString } // generateExpiredTestToken crée un token JWT expiré pour les tests // ÉTAPE 3.4: Helper pour créer des tokens expirés compatibles avec le middleware func generateExpiredTestToken(t *testing.T, userID uuid.UUID) string { claims := jwt.MapClaims{ "sub": userID.String(), "exp": time.Now().Add(-1 * time.Hour).Unix(), // Expiré il y a 1 heure "iat": time.Now().Add(-2 * time.Hour).Unix(), "iss": "veza-api", "aud": "veza-app", "token_version": 0, } token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) tokenString, err := token.SignedString([]byte(testJWTSecret)) require.NoError(t, err) return tokenString } func generateTokenWithCustomClaims(t *testing.T, claims jwt.MapClaims) string { token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) tokenString, err := token.SignedString([]byte(testJWTSecret)) require.NoError(t, err) return tokenString } // MockSessionService pour les tests (évite cycle d'import avec testutils) type MockSessionService struct { mock.Mock } func (m *MockSessionService) CreateSession(ctx context.Context, req *services.SessionCreateRequest) (*services.Session, error) { args := m.Called(ctx, req) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*services.Session), args.Error(1) } func (m *MockSessionService) ValidateSession(ctx context.Context, token string) (*services.Session, error) { args := m.Called(ctx, token) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*services.Session), args.Error(1) } func (m *MockSessionService) RevokeSession(ctx context.Context, token string) error { args := m.Called(ctx, token) return args.Error(0) } func (m *MockSessionService) RevokeAllUserSessions(ctx context.Context, userID uuid.UUID) (int64, error) { args := m.Called(ctx, userID) return args.Get(0).(int64), args.Error(1) } func (m *MockSessionService) GetUserSessions(ctx context.Context, userID uuid.UUID) ([]*services.Session, error) { args := m.Called(ctx, userID) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).([]*services.Session), args.Error(1) } func (m *MockSessionService) CleanupExpiredSessions(ctx context.Context) (int64, error) { args := m.Called(ctx) return args.Get(0).(int64), args.Error(1) } func (m *MockSessionService) RefreshSession(ctx context.Context, token string, newExpiresIn time.Duration) error { args := m.Called(ctx, token, newExpiresIn) return args.Error(0) } func (m *MockSessionService) GetSessionStats(ctx context.Context) (map[string]interface{}, error) { args := m.Called(ctx) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(map[string]interface{}), args.Error(1) } // MockAuditService pour les tests (évite cycle d'import avec testutils) type MockAuditService struct { mock.Mock } func (m *MockAuditService) LogAction(ctx context.Context, req *services.AuditLogCreateRequest) error { args := m.Called(ctx, req) return args.Error(0) } func (m *MockAuditService) LogLogin(ctx context.Context, userID *uuid.UUID, success bool, ipAddress, userAgent string, metadata map[string]interface{}) error { args := m.Called(ctx, userID, success, ipAddress, userAgent, metadata) return args.Error(0) } func (m *MockAuditService) LogLogout(ctx context.Context, userID uuid.UUID, ipAddress, userAgent string) error { args := m.Called(ctx, userID, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) LogUpload(ctx context.Context, userID uuid.UUID, resourceID uuid.UUID, fileName string, fileSize int64, ipAddress, userAgent string) error { args := m.Called(ctx, userID, resourceID, fileName, fileSize, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) LogPermissionChange(ctx context.Context, userID uuid.UUID, targetUserID uuid.UUID, oldPermissions, newPermissions []string, ipAddress, userAgent string) error { args := m.Called(ctx, userID, targetUserID, oldPermissions, newPermissions, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) LogDeletion(ctx context.Context, userID uuid.UUID, resource string, resourceID uuid.UUID, ipAddress, userAgent string) error { args := m.Called(ctx, userID, resource, resourceID, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) SearchLogs(ctx context.Context, req *services.AuditLogSearchRequest) ([]*services.AuditLog, error) { args := m.Called(ctx, req) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).([]*services.AuditLog), args.Error(1) } func (m *MockAuditService) GetStats(ctx context.Context, startDate, endDate time.Time) ([]*services.AuditStats, error) { args := m.Called(ctx, startDate, endDate) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).([]*services.AuditStats), args.Error(1) } // MockPermissionService pour les tests type MockPermissionService struct { mock.Mock } func (m *MockPermissionService) HasRole(ctx context.Context, userID uuid.UUID, roleName string) (bool, error) { args := m.Called(ctx, userID, roleName) return args.Bool(0), args.Error(1) } func (m *MockPermissionService) HasPermission(ctx context.Context, userID uuid.UUID, permissionName string) (bool, error) { args := m.Called(ctx, userID, permissionName) return args.Bool(0), args.Error(1) } // MockTokenBlacklist for VEZA-SEC-006 tests type MockTokenBlacklist struct { mock.Mock } func (m *MockTokenBlacklist) IsBlacklisted(ctx context.Context, token string) (bool, error) { args := m.Called(ctx, token) return args.Bool(0), args.Error(1) } // setupTestAuthMiddleware crée un AuthMiddleware configuré pour les tests // ÉTAPE 3.4: Utilise les interfaces pour permettre l'injection directe des mocks func setupTestAuthMiddleware(t *testing.T, jwtService *services.JWTService) (*AuthMiddleware, *MockSessionService, *MockAuditService, *MockPermissionService, *MockUserRepository) { logger, _ := zap.NewDevelopment() mockSessionService := new(MockSessionService) mockAuditService := new(MockAuditService) mockPermissionService := new(MockPermissionService) mockUserRepository := new(MockUserRepository) // Configurer le mock audit pour ne pas faire échouer les tests (tous les appels retournent nil) mockAuditService.On("LogAction", mock.Anything, mock.Anything).Return(nil).Maybe() // Default JWT Service if nil if jwtService == nil { jwtService = setupTestJWTService(t) } // Create UserService with mock repo userService := services.NewUserService(mockUserRepository) // ÉTAPE 3.4: Les mocks implémentent maintenant directement les interfaces // Plus besoin de wrappers ou de hacks - injection directe des mocks authMiddleware := NewAuthMiddleware(mockSessionService, mockAuditService, mockPermissionService, jwtService, userService, nil, nil, logger) // Mock defaults for GetByID for generic tests (assume user found and version 0) // We use .Maybe() because not all tests will hit it (e.g. invalid token format) mockUserRepository.On("GetByID", mock.Anything).Return(&models.User{ ID: uuid.New(), // Just a placeholder, specific tests should override or match TokenVersion: 0, }, nil).Maybe() return authMiddleware, mockSessionService, mockAuditService, mockPermissionService, mockUserRepository } // T0173: Tests pour AuthMiddleware // ÉTAPE 3.4: Test du happy path - token valide, user_id en uuid.UUID dans le contexte // Maintenant fonctionnel grâce aux interfaces func TestAuthMiddleware_ValidToken(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, mockSessionService, _, _, mockUserRepository := setupTestAuthMiddleware(t, nil) userUUID := uuid.MustParse("00000000-0000-0000-0000-000000000042") // Reset mock for specific call mockUserRepository.ExpectedCalls = nil mockUserRepository.On("GetByID", userUUID.String()).Return(&models.User{ ID: userUUID, TokenVersion: 0, }, nil) token := generateTestToken(t, userUUID, 15*time.Minute) sessionID := uuid.New() mockSession := &services.Session{ ID: sessionID, UserID: userUUID, CreatedAt: time.Now(), ExpiresAt: time.Now().Add(24 * time.Hour), } mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { userIDInterface, exists := c.Get("user_id") assert.True(t, exists, "user_id should exist in context") userID, ok := userIDInterface.(uuid.UUID) assert.True(t, ok, "user_id should be uuid.UUID") assert.Equal(t, userUUID, userID, "user_id should match expected UUID") sessionIDCtx, exists := c.Get("session_id") assert.True(t, exists, "session_id should exist in context") assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID") c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockSessionService.AssertExpectations(t) } // TestAuthMiddleware_BlacklistedToken_Returns401 verifies that a valid JWT but blacklisted token returns 401 (VEZA-SEC-006) func TestAuthMiddleware_BlacklistedToken_Returns401(t *testing.T) { gin.SetMode(gin.TestMode) _, _, _, _, mockUserRepository := setupTestAuthMiddleware(t, nil) userUUID := uuid.MustParse("00000000-0000-0000-0000-000000000042") token := generateTestToken(t, userUUID, 15*time.Minute) // Create middleware with mock blacklist that returns true (blacklisted) mockBlacklist := new(MockTokenBlacklist) mockBlacklist.On("IsBlacklisted", mock.Anything, token).Return(true, nil) // Rebuild auth middleware with blacklist logger, _ := zap.NewDevelopment() userService := services.NewUserService(mockUserRepository) mockUserRepository.On("GetByID", userUUID.String()).Return(&models.User{ ID: userUUID, TokenVersion: 0, }, nil) jwtService := setupTestJWTService(t) mockSessionService2 := new(MockSessionService) mockAuditService2 := new(MockAuditService) mockPermissionService2 := new(MockPermissionService) mockAuditService2.On("LogAction", mock.Anything, mock.Anything).Return(nil).Maybe() authWithBlacklist := NewAuthMiddleware( mockSessionService2, mockAuditService2, mockPermissionService2, jwtService, userService, nil, mockBlacklist, logger, ) router := gin.New() router.Use(authWithBlacklist.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} require.NoError(t, json.Unmarshal(w.Body.Bytes(), &response)) assert.False(t, response["success"].(bool)) errorObj := response["error"].(map[string]interface{}) assert.Equal(t, "Token revoked", errorObj["message"]) mockBlacklist.AssertExpectations(t) } func TestAuthMiddleware_MissingHeader(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) // P0: Nouveau format AppError - error est un objet avec code, message, timestamp assert.False(t, response["success"].(bool)) errorObj, ok := response["error"].(map[string]interface{}) require.True(t, ok, "Error should be a map") assert.Equal(t, "Access token required", errorObj["message"]) } func TestAuthMiddleware_InvalidHeaderFormat(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) testCases := []struct { name string header string expectedError string }{ {"No Bearer prefix", "token123", "Access token required"}, {"Wrong prefix", "Basic token123", "Access token required"}, {"Multiple spaces", "Bearer token123", "Access token required"}, {"Empty token", "Bearer ", "Access token required"}, {"Empty header", "", "Access token required"}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { req, _ := http.NewRequest("GET", "/test", nil) if tc.header != "" { req.Header.Set("Authorization", tc.header) } w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) // P0: Nouveau format AppError errorObj, ok := response["error"].(map[string]interface{}) require.True(t, ok, "Error should be a map") assert.Contains(t, errorObj["message"].(string), tc.expectedError) }) } } func TestAuthMiddleware_InvalidToken(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) testCases := []struct { name string token string expectedError string }{ {"Invalid token string", "invalid.token.string", "Invalid"}, {"Malformed token", "not.a.valid.token", "Invalid"}, {"Empty token", "", "Access token required"}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+tc.token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) // P0: Nouveau format AppError errorObj, ok := response["error"].(map[string]interface{}) require.True(t, ok, "Error should be a map") assert.Contains(t, errorObj["message"].(string), tc.expectedError) }) } } func TestAuthMiddleware_ExpiredToken(t *testing.T) { gin.SetMode(gin.TestMode) jwtService := setupTestJWTService(t) authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, jwtService) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) userUUID := uuid.New() expiredToken := generateExpiredTestToken(t, userUUID) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+expiredToken) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) // P0: Nouveau format AppError errorObj, ok := response["error"].(map[string]interface{}) require.True(t, ok, "Error should be a map") assert.Contains(t, errorObj["message"].(string), "Invalid") } func TestAuthMiddleware_ContextValues(t *testing.T) { gin.SetMode(gin.TestMode) jwtService := setupTestJWTService(t) testCases := []struct { name string userUUID uuid.UUID }{ {"Regular user", uuid.MustParse("00000000-0000-0000-0000-000000000001")}, {"Admin user", uuid.MustParse("00000000-0000-0000-0000-000000000002")}, {"Moderator", uuid.MustParse("00000000-0000-0000-0000-000000000003")}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { authMiddleware, mockSessionService, _, _, mockUserRepository := setupTestAuthMiddleware(t, jwtService) // Setup UserRepo override mockUserRepository.ExpectedCalls = nil mockUserRepository.On("GetByID", tc.userUUID.String()).Return(&models.User{ ID: tc.userUUID, TokenVersion: 0, }, nil) token := generateTestToken(t, tc.userUUID, 15*time.Minute) sessionID := uuid.New() mockSession := &services.Session{ ID: sessionID, UserID: tc.userUUID, CreatedAt: time.Now(), ExpiresAt: time.Now().Add(24 * time.Hour), } mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { userIDInterface, exists := c.Get("user_id") assert.True(t, exists, "user_id should exist in context") userID, ok := userIDInterface.(uuid.UUID) assert.True(t, ok, "user_id should be uuid.UUID") assert.Equal(t, tc.userUUID, userID, "user_id should match expected UUID") sessionIDCtx, exists := c.Get("session_id") assert.True(t, exists, "session_id should exist in context") assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID") c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockSessionService.AssertExpectations(t) }) } } func TestAuthMiddleware_P1_TokenRevocation(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _, mockUserRepository := setupTestAuthMiddleware(t, nil) userUUID := uuid.New() // User token is outdated (User has version 5 in DB, token is version 0) mockUserRepository.ExpectedCalls = nil mockUserRepository.On("GetByID", userUUID.String()).Return(&models.User{ ID: userUUID, TokenVersion: 5, }, nil) // Token has version 0 by default in generateTestToken token := generateTestToken(t, userUUID, 15*time.Minute) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.Status(http.StatusOK) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) require.NoError(t, err) // P0: Nouveau format AppError errorObj, ok := response["error"].(map[string]interface{}) require.True(t, ok, "Error should be a map") assert.Equal(t, "Token revoked", errorObj["message"]) } func TestAuthMiddleware_P1_StrictClaims(t *testing.T) { gin.SetMode(gin.TestMode) jwtService := setupTestJWTService(t) authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, jwtService) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.Status(http.StatusOK) }) t.Run("Invalid Audience", func(t *testing.T) { claims := jwt.MapClaims{ "sub": uuid.New().String(), "exp": time.Now().Add(time.Hour).Unix(), "iat": time.Now().Unix(), "iss": "veza-api", "aud": "evil-app", // BAD AUDIENCE "token_version": 0, } token := generateTokenWithCustomClaims(t, claims) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) }) t.Run("Invalid Issuer", func(t *testing.T) { claims := jwt.MapClaims{ "sub": uuid.New().String(), "exp": time.Now().Add(time.Hour).Unix(), "iat": time.Now().Unix(), "iss": "evil-api", // BAD ISSUER "aud": "veza-app", "token_version": 0, } token := generateTokenWithCustomClaims(t, claims) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) }) } // TestRequireOwnershipOrAdmin_OwnerAccess teste que le propriétaire peut accéder à sa ressource // MOD-P0-003: Test ownership middleware avec owner func TestRequireOwnershipOrAdmin_OwnerAccess(t *testing.T) { jwtService := setupTestJWTService(t) authMiddleware, mockSessionService, _, _, mockUserRepository := setupTestAuthMiddleware(t, jwtService) ownerID := uuid.New() requesterID := ownerID // Même utilisateur // Mock user user := &models.User{ ID: requesterID, Email: "owner@test.com", TokenVersion: 0, } mockUserRepository.On("GetByID", requesterID.String()).Return(user, nil) // Mock session session := &services.Session{ ID: uuid.New(), UserID: requesterID, } mockSessionService.On("ValidateSession", mock.Anything, mock.Anything).Return(session, nil) // Resolver qui retourne l'owner ID depuis les paramètres resolver := func(c *gin.Context) (uuid.UUID, error) { idStr := c.Param("id") return uuid.Parse(idStr) } router := gin.New() router.Use(authMiddleware.RequireOwnershipOrAdmin("test_resource", resolver)) router.PUT("/test/:id", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) token := generateTestToken(t, requesterID, 1*time.Hour) req := httptest.NewRequest("PUT", "/test/"+ownerID.String(), nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockUserRepository.AssertExpectations(t) mockSessionService.AssertExpectations(t) } // TestRequireOwnershipOrAdmin_AdminAccess teste qu'un admin peut accéder à n'importe quelle ressource // MOD-P0-003: Test ownership middleware avec admin override func TestRequireOwnershipOrAdmin_AdminAccess(t *testing.T) { jwtService := setupTestJWTService(t) authMiddleware, mockSessionService, _, mockPermissionService, mockUserRepository := setupTestAuthMiddleware(t, jwtService) ownerID := uuid.New() adminID := uuid.New() // Admin différent du owner // Mock user (admin) user := &models.User{ ID: adminID, Email: "admin@test.com", TokenVersion: 0, } mockUserRepository.On("GetByID", adminID.String()).Return(user, nil) // Mock session session := &services.Session{ ID: uuid.New(), UserID: adminID, } mockSessionService.On("ValidateSession", mock.Anything, mock.Anything).Return(session, nil) // Mock admin role mockPermissionService.On("HasRole", mock.Anything, adminID, "admin").Return(true, nil) // Resolver qui retourne l'owner ID depuis les paramètres resolver := func(c *gin.Context) (uuid.UUID, error) { idStr := c.Param("id") return uuid.Parse(idStr) } router := gin.New() router.Use(authMiddleware.RequireOwnershipOrAdmin("test_resource", resolver)) router.PUT("/test/:id", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) token := generateTestToken(t, adminID, 1*time.Hour) req := httptest.NewRequest("PUT", "/test/"+ownerID.String(), nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockUserRepository.AssertExpectations(t) mockSessionService.AssertExpectations(t) mockPermissionService.AssertExpectations(t) } // TestRequireOwnershipOrAdmin_ForbiddenAccess teste qu'un utilisateur non-owner et non-admin est rejeté // MOD-P0-003: Test ownership middleware avec accès interdit func TestRequireOwnershipOrAdmin_ForbiddenAccess(t *testing.T) { jwtService := setupTestJWTService(t) authMiddleware, mockSessionService, _, mockPermissionService, mockUserRepository := setupTestAuthMiddleware(t, jwtService) ownerID := uuid.New() otherUserID := uuid.New() // Utilisateur différent du owner // Mock user (non-owner, non-admin) user := &models.User{ ID: otherUserID, Email: "other@test.com", TokenVersion: 0, } mockUserRepository.On("GetByID", otherUserID.String()).Return(user, nil) // Mock session session := &services.Session{ ID: uuid.New(), UserID: otherUserID, } mockSessionService.On("ValidateSession", mock.Anything, mock.Anything).Return(session, nil) // Mock non-admin role mockPermissionService.On("HasRole", mock.Anything, otherUserID, "admin").Return(false, nil) // Resolver qui retourne l'owner ID depuis les paramètres resolver := func(c *gin.Context) (uuid.UUID, error) { idStr := c.Param("id") return uuid.Parse(idStr) } router := gin.New() router.Use(authMiddleware.RequireOwnershipOrAdmin("test_resource", resolver)) router.PUT("/test/:id", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) token := generateTestToken(t, otherUserID, 1*time.Hour) req := httptest.NewRequest("PUT", "/test/"+ownerID.String(), nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusForbidden, w.Code) mockUserRepository.AssertExpectations(t) mockSessionService.AssertExpectations(t) mockPermissionService.AssertExpectations(t) }