senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-backend-api/internal/middleware/auth_middleware_test.go

619 lines
20 KiB
Go
Raw Blame History

package middleware
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"os"
"testing"
"time"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
"go.uber.org/zap"
"veza-backend-api/internal/services"
)
func setupTestJWTService(t *testing.T) *services.JWTService {
// Set a test JWT_SECRET
originalSecret := os.Getenv("JWT_SECRET")
os.Setenv("JWT_SECRET", "test-secret-key-for-jwt-service-testing-only")
t.Cleanup(func() {
if originalSecret != "" {
os.Setenv("JWT_SECRET", originalSecret)
} else {
os.Unsetenv("JWT_SECRET")
}
})
return services.NewJWTService("test-secret-key-for-jwt-service-testing-only") // Pass secret
}
// generateTestToken crée un token JWT compatible avec AuthMiddleware.validateJWTToken
// Le middleware attend claims["user_id"] en string UUID (pas "sub" en int64)
// ÉTAPE 3.4: Helper pour créer des tokens compatibles avec le nouveau middleware
func generateTestToken(t *testing.T, userID uuid.UUID, expiresIn time.Duration) string {
secret := os.Getenv("JWT_SECRET")
if secret == "" {
secret = "test-secret-key-for-jwt-service-testing-only"
}
claims := jwt.MapClaims{
"user_id": userID.String(), // Le middleware attend user_id en string UUID
"exp": time.Now().Add(expiresIn).Unix(),
"iat": time.Now().Unix(), // Use Unix timestamp for iat
"iss": "veza-api",
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(secret))
require.NoError(t, err)
return tokenString
}
// generateExpiredTestToken crée un token JWT expiré pour les tests
// ÉTAPE 3.4: Helper pour créer des tokens expirés compatibles avec le middleware
func generateExpiredTestToken(t *testing.T, userID uuid.UUID) string {
secret := os.Getenv("JWT_SECRET")
if secret == "" {
secret = "test-secret-key-for-jwt-service-testing-only"
}
claims := jwt.MapClaims{
"user_id": userID.String(),
"exp": time.Now().Add(-1 * time.Hour).Unix(), // Expiré il y a 1 heure
"iat": time.Now().Add(-2 * time.Hour).Unix(),
"iss": "veza-api",
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(secret))
require.NoError(t, err)
return tokenString
}
// MockSessionService pour les tests (évite cycle d'import avec testutils)
type MockSessionService struct {
mock.Mock
}
func (m *MockSessionService) CreateSession(ctx context.Context, req *services.SessionCreateRequest) (*services.Session, error) {
args := m.Called(ctx, req)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*services.Session), args.Error(1)
}
func (m *MockSessionService) ValidateSession(ctx context.Context, token string) (*services.Session, error) {
args := m.Called(ctx, token)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*services.Session), args.Error(1)
}
func (m *MockSessionService) RevokeSession(ctx context.Context, token string) error {
args := m.Called(ctx, token)
return args.Error(0)
}
func (m *MockSessionService) RevokeAllUserSessions(ctx context.Context, userID uuid.UUID) (int64, error) {
args := m.Called(ctx, userID)
return args.Get(0).(int64), args.Error(1)
}
func (m *MockSessionService) GetUserSessions(ctx context.Context, userID uuid.UUID) ([]*services.Session, error) {
args := m.Called(ctx, userID)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).([]*services.Session), args.Error(1)
}
func (m *MockSessionService) CleanupExpiredSessions(ctx context.Context) (int64, error) {
args := m.Called(ctx)
return args.Get(0).(int64), args.Error(1)
}
func (m *MockSessionService) RefreshSession(ctx context.Context, token string, newExpiresIn time.Duration) error {
args := m.Called(ctx, token, newExpiresIn)
return args.Error(0)
}
func (m *MockSessionService) GetSessionStats(ctx context.Context) (map[string]interface{}, error) {
args := m.Called(ctx)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(map[string]interface{}), args.Error(1)
}
// MockAuditService pour les tests (évite cycle d'import avec testutils)
type MockAuditService struct {
mock.Mock
}
func (m *MockAuditService) LogAction(ctx context.Context, req *services.AuditLogCreateRequest) error {
args := m.Called(ctx, req)
return args.Error(0)
}
func (m *MockAuditService) LogLogin(ctx context.Context, userID *uuid.UUID, success bool, ipAddress, userAgent string, metadata map[string]interface{}) error {
args := m.Called(ctx, userID, success, ipAddress, userAgent, metadata)
return args.Error(0)
}
func (m *MockAuditService) LogLogout(ctx context.Context, userID uuid.UUID, ipAddress, userAgent string) error {
args := m.Called(ctx, userID, ipAddress, userAgent)
return args.Error(0)
}
func (m *MockAuditService) LogUpload(ctx context.Context, userID uuid.UUID, resourceID uuid.UUID, fileName string, fileSize int64, ipAddress, userAgent string) error {
args := m.Called(ctx, userID, resourceID, fileName, fileSize, ipAddress, userAgent)
return args.Error(0)
}
func (m *MockAuditService) LogPermissionChange(ctx context.Context, userID uuid.UUID, targetUserID uuid.UUID, oldPermissions, newPermissions []string, ipAddress, userAgent string) error {
args := m.Called(ctx, userID, targetUserID, oldPermissions, newPermissions, ipAddress, userAgent)
return args.Error(0)
}
func (m *MockAuditService) LogDeletion(ctx context.Context, userID uuid.UUID, resource string, resourceID uuid.UUID, ipAddress, userAgent string) error {
args := m.Called(ctx, userID, resource, resourceID, ipAddress, userAgent)
return args.Error(0)
}
func (m *MockAuditService) SearchLogs(ctx context.Context, req *services.AuditLogSearchRequest) ([]*services.AuditLog, error) {
args := m.Called(ctx, req)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).([]*services.AuditLog), args.Error(1)
}
func (m *MockAuditService) GetStats(ctx context.Context, startDate, endDate time.Time) ([]*services.AuditStats, error) {
args := m.Called(ctx, startDate, endDate)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).([]*services.AuditStats), args.Error(1)
}
// MockPermissionService pour les tests
type MockPermissionService struct {
mock.Mock
}
func (m *MockPermissionService) HasRole(ctx context.Context, userID uuid.UUID, roleName string) (bool, error) {
args := m.Called(ctx, userID, roleName)
return args.Bool(0), args.Error(1)
}
func (m *MockPermissionService) HasPermission(ctx context.Context, userID uuid.UUID, permissionName string) (bool, error) {
args := m.Called(ctx, userID, permissionName)
return args.Bool(0), args.Error(1)
}
// setupTestAuthMiddleware crée un AuthMiddleware configuré pour les tests
// ÉTAPE 3.4: Utilise les interfaces pour permettre l'injection directe des mocks
func setupTestAuthMiddleware(t *testing.T, jwtService *services.JWTService) (*AuthMiddleware, *MockSessionService, *MockAuditService, *MockPermissionService) {
logger, _ := zap.NewDevelopment()
mockSessionService := new(MockSessionService)
mockAuditService := new(MockAuditService)
mockPermissionService := new(MockPermissionService)
// Configurer le mock audit pour ne pas faire échouer les tests (tous les appels retournent nil)
mockAuditService.On("LogAction", mock.Anything, mock.Anything).Return(nil).Maybe()
jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-key-for-jwt-service-testing-only"
}
// ÉTAPE 3.4: Les mocks implémentent maintenant directement les interfaces
// Plus besoin de wrappers ou de hacks - injection directe des mocks
authMiddleware := NewAuthMiddleware(mockSessionService, mockAuditService, mockPermissionService, logger, jwtSecret)
return authMiddleware, mockSessionService, mockAuditService, mockPermissionService
}
// T0173: Tests pour AuthMiddleware
// ÉTAPE 3.4: Test du happy path - token valide, user_id en uuid.UUID dans le contexte
// Maintenant fonctionnel grâce aux interfaces
func TestAuthMiddleware_ValidToken(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, nil)
userUUID := uuid.MustParse("00000000-0000-0000-0000-000000000042")
token := generateTestToken(t, userUUID, 15*time.Minute)
sessionID := uuid.New()
mockSession := &services.Session{
ID: sessionID,
UserID: userUUID,
CreatedAt: time.Now(),
ExpiresAt: time.Now().Add(24 * time.Hour),
}
mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
userIDInterface, exists := c.Get("user_id")
assert.True(t, exists, "user_id should exist in context")
userID, ok := userIDInterface.(uuid.UUID)
assert.True(t, ok, "user_id should be uuid.UUID")
assert.Equal(t, userUUID, userID, "user_id should match expected UUID")
sessionIDCtx, exists := c.Get("session_id")
assert.True(t, exists, "session_id should exist in context")
assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID")
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
mockSessionService.AssertExpectations(t)
}
func TestAuthMiddleware_MissingHeader(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
var response map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &response)
assert.NoError(t, err)
assert.Equal(t, "Authorization header required", response["error"])
}
func TestAuthMiddleware_InvalidHeaderFormat(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
testCases := []struct {
name string
header string
expectedError string
}{
{"No Bearer prefix", "token123", "Invalid"},
{"Wrong prefix", "Basic token123", "Invalid"},
{"Multiple spaces", "Bearer token123", "Invalid"},
{"Empty token", "Bearer ", "Invalid"},
{"Empty header", "", "Authorization header required"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
req, _ := http.NewRequest("GET", "/test", nil)
if tc.header != "" {
req.Header.Set("Authorization", tc.header)
}
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
var response map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &response)
assert.NoError(t, err)
assert.Contains(t, response["error"], tc.expectedError)
})
}
}
func TestAuthMiddleware_InvalidToken(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
testCases := []struct {
name string
token string
}{
{"Invalid token string", "invalid.token.string"},
{"Malformed token", "not.a.valid.token"},
{"Empty token", ""},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+tc.token)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
var response map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &response)
assert.NoError(t, err)
assert.Contains(t, response["error"], "Invalid")
})
}
}
func TestAuthMiddleware_ExpiredToken(t *testing.T) {
gin.SetMode(gin.TestMode)
jwtService := setupTestJWTService(t)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, jwtService)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
userUUID := uuid.New()
expiredToken := generateExpiredTestToken(t, userUUID)
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+expiredToken)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
var response map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &response)
assert.NoError(t, err)
assert.Contains(t, response["error"], "Invalid")
}
func TestAuthMiddleware_ContextValues(t *testing.T) {
gin.SetMode(gin.TestMode)
jwtService := setupTestJWTService(t)
testCases := []struct {
name string
userUUID uuid.UUID
}{
{"Regular user", uuid.MustParse("00000000-0000-0000-0000-000000000001")},
{"Admin user", uuid.MustParse("00000000-0000-0000-0000-000000000002")},
{"Moderator", uuid.MustParse("00000000-0000-0000-0000-000000000003")},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, jwtService)
token := generateTestToken(t, tc.userUUID, 15*time.Minute)
sessionID := uuid.New()
mockSession := &services.Session{
ID: sessionID,
UserID: tc.userUUID,
CreatedAt: time.Now(),
ExpiresAt: time.Now().Add(24 * time.Hour),
}
mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
userIDInterface, exists := c.Get("user_id")
assert.True(t, exists, "user_id should exist in context")
userID, ok := userIDInterface.(uuid.UUID)
assert.True(t, ok, "user_id should be uuid.UUID")
assert.Equal(t, tc.userUUID, userID, "user_id should match expected UUID")
sessionIDCtx, exists := c.Get("session_id")
assert.True(t, exists, "session_id should exist in context")
assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID")
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
mockSessionService.AssertExpectations(t)
})
}
}
func TestAuthMiddleware_NextCalled(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, nil)
userUUID := uuid.New()
token := generateTestToken(t, userUUID, 15*time.Minute)
sessionID := uuid.New()
mockSession := &services.Session{
ID: sessionID,
UserID: userUUID,
CreatedAt: time.Now(),
ExpiresAt: time.Now().Add(24 * time.Hour),
}
mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil)
nextCalled := false
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
nextCalled = true
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.True(t, nextCalled, "Next handler should be called with valid token")
assert.Equal(t, http.StatusOK, w.Code)
mockSessionService.AssertExpectations(t)
}
func TestAuthMiddleware_NextNotCalledOnError(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil)
nextCalled := false
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
nextCalled = true
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.False(t, nextCalled, "Next handler should not be called when authentication fails")
assert.Equal(t, http.StatusUnauthorized, w.Code)
}
func TestAuthMiddleware_TokenExpired(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil)
userUUID := uuid.New()
tokenString := generateExpiredTestToken(t, userUUID)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+tokenString)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
var response map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &response)
assert.NoError(t, err)
assert.Contains(t, response["error"], "Invalid")
}
func TestAuthMiddleware_TokenExpired_NextNotCalled(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil)
userUUID := uuid.New()
tokenString := generateExpiredTestToken(t, userUUID)
nextCalled := false
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
nextCalled = true
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+tokenString)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.False(t, nextCalled, "Next handler should not be called when token is expired")
assert.Equal(t, http.StatusUnauthorized, w.Code)
}
func TestAuthMiddleware_InvalidToken_NoExpiredHeader(t *testing.T) {
gin.SetMode(gin.TestMode)
jwtService := setupTestJWTService(t)
authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, jwtService)
invalidToken := "invalid.token.string"
mockSessionService.On("ValidateSession", mock.Anything, invalidToken).Return(nil, assert.AnError).Maybe()
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+invalidToken)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
var response map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &response)
assert.NoError(t, err)
assert.Contains(t, response["error"], "Invalid")
}
func TestAuthMiddleware_ValidToken_NoExpiredHeader(t *testing.T) {
gin.SetMode(gin.TestMode)
authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, nil)
userUUID := uuid.New()
token := generateTestToken(t, userUUID, 15*time.Minute)
sessionID := uuid.New()
mockSession := &services.Session{
ID: sessionID,
UserID: userUUID,
CreatedAt: time.Now(),
ExpiresAt: time.Now().Add(24 * time.Hour),
}
mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil)
router := gin.New()
router.Use(authMiddleware.RequireAuth())
router.GET("/test", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "success"})
})
req, _ := http.NewRequest("GET", "/test", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
mockSessionService.AssertExpectations(t)
}
Reference in a new issue View git blame Copy permalink