51984e9a1f
- OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001) - Remove PasswordService.GenerateJWT (VEZA-SEC-002) - Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005) - Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006) - Waveform: ValidateExecPath before exec (VEZA-SEC-007)
842 lines
28 KiB
Go
842 lines
28 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"testing"
|
|
"time"
|
|
|
|
"veza-backend-api/internal/models"
|
|
"veza-backend-api/internal/services"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/google/uuid"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/mock"
|
|
"github.com/stretchr/testify/require"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
const testJWTSecret = "test-secret-key-for-jwt-service-testing-only"
|
|
|
|
// MockUserRepository pour les tests
|
|
type MockUserRepository struct {
|
|
mock.Mock
|
|
}
|
|
|
|
func (m *MockUserRepository) GetByID(id string) (*models.User, error) {
|
|
args := m.Called(id)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).(*models.User), args.Error(1)
|
|
}
|
|
|
|
func (m *MockUserRepository) GetByEmail(email string) (*models.User, error) {
|
|
args := m.Called(email)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).(*models.User), args.Error(1)
|
|
}
|
|
|
|
func (m *MockUserRepository) GetByUsername(username string) (*models.User, error) {
|
|
args := m.Called(username)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).(*models.User), args.Error(1)
|
|
}
|
|
|
|
func (m *MockUserRepository) Create(user *models.User) error {
|
|
args := m.Called(user)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockUserRepository) Update(user *models.User) error {
|
|
args := m.Called(user)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockUserRepository) Delete(id string) error {
|
|
args := m.Called(id)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func setupTestJWTService(t *testing.T) *services.JWTService {
|
|
// Set a test JWT_SECRET
|
|
originalSecret := os.Getenv("JWT_SECRET")
|
|
os.Setenv("JWT_SECRET", testJWTSecret)
|
|
t.Cleanup(func() {
|
|
if originalSecret != "" {
|
|
os.Setenv("JWT_SECRET", originalSecret)
|
|
} else {
|
|
os.Unsetenv("JWT_SECRET")
|
|
}
|
|
})
|
|
|
|
issuer := "veza-api"
|
|
audience := "veza-app"
|
|
jwtService, err := services.NewJWTService(testJWTSecret, issuer, audience)
|
|
require.NoError(t, err)
|
|
return jwtService
|
|
}
|
|
|
|
// generateTestToken crée un token JWT compatible avec AuthMiddleware.validateJWTToken
|
|
// Le middleware attend claims["user_id"] en string UUID (pas "sub" en int64)
|
|
// ÉTAPE 3.4: Helper pour créer des tokens compatibles avec le nouveau middleware
|
|
func generateTestToken(t *testing.T, userID uuid.UUID, expiresIn time.Duration) string {
|
|
claims := jwt.MapClaims{
|
|
"sub": userID.String(), // CustomClaims maps UserID to "sub"
|
|
"exp": time.Now().Add(expiresIn).Unix(),
|
|
"iat": time.Now().Unix(), // Use Unix timestamp for iat
|
|
"iss": "veza-api",
|
|
"aud": "veza-app",
|
|
"token_version": 0,
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
tokenString, err := token.SignedString([]byte(testJWTSecret))
|
|
require.NoError(t, err)
|
|
return tokenString
|
|
}
|
|
|
|
// generateExpiredTestToken crée un token JWT expiré pour les tests
|
|
// ÉTAPE 3.4: Helper pour créer des tokens expirés compatibles avec le middleware
|
|
func generateExpiredTestToken(t *testing.T, userID uuid.UUID) string {
|
|
claims := jwt.MapClaims{
|
|
"sub": userID.String(),
|
|
"exp": time.Now().Add(-1 * time.Hour).Unix(), // Expiré il y a 1 heure
|
|
"iat": time.Now().Add(-2 * time.Hour).Unix(),
|
|
"iss": "veza-api",
|
|
"aud": "veza-app",
|
|
"token_version": 0,
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
tokenString, err := token.SignedString([]byte(testJWTSecret))
|
|
require.NoError(t, err)
|
|
return tokenString
|
|
}
|
|
|
|
func generateTokenWithCustomClaims(t *testing.T, claims jwt.MapClaims) string {
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
tokenString, err := token.SignedString([]byte(testJWTSecret))
|
|
require.NoError(t, err)
|
|
return tokenString
|
|
}
|
|
|
|
// MockSessionService pour les tests (évite cycle d'import avec testutils)
|
|
type MockSessionService struct {
|
|
mock.Mock
|
|
}
|
|
|
|
func (m *MockSessionService) CreateSession(ctx context.Context, req *services.SessionCreateRequest) (*services.Session, error) {
|
|
args := m.Called(ctx, req)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).(*services.Session), args.Error(1)
|
|
}
|
|
|
|
func (m *MockSessionService) ValidateSession(ctx context.Context, token string) (*services.Session, error) {
|
|
args := m.Called(ctx, token)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).(*services.Session), args.Error(1)
|
|
}
|
|
|
|
func (m *MockSessionService) RevokeSession(ctx context.Context, token string) error {
|
|
args := m.Called(ctx, token)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockSessionService) RevokeAllUserSessions(ctx context.Context, userID uuid.UUID) (int64, error) {
|
|
args := m.Called(ctx, userID)
|
|
return args.Get(0).(int64), args.Error(1)
|
|
}
|
|
|
|
func (m *MockSessionService) GetUserSessions(ctx context.Context, userID uuid.UUID) ([]*services.Session, error) {
|
|
args := m.Called(ctx, userID)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).([]*services.Session), args.Error(1)
|
|
}
|
|
|
|
func (m *MockSessionService) CleanupExpiredSessions(ctx context.Context) (int64, error) {
|
|
args := m.Called(ctx)
|
|
return args.Get(0).(int64), args.Error(1)
|
|
}
|
|
|
|
func (m *MockSessionService) RefreshSession(ctx context.Context, token string, newExpiresIn time.Duration) error {
|
|
args := m.Called(ctx, token, newExpiresIn)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockSessionService) GetSessionStats(ctx context.Context) (map[string]interface{}, error) {
|
|
args := m.Called(ctx)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).(map[string]interface{}), args.Error(1)
|
|
}
|
|
|
|
// MockAuditService pour les tests (évite cycle d'import avec testutils)
|
|
type MockAuditService struct {
|
|
mock.Mock
|
|
}
|
|
|
|
func (m *MockAuditService) LogAction(ctx context.Context, req *services.AuditLogCreateRequest) error {
|
|
args := m.Called(ctx, req)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockAuditService) LogLogin(ctx context.Context, userID *uuid.UUID, success bool, ipAddress, userAgent string, metadata map[string]interface{}) error {
|
|
args := m.Called(ctx, userID, success, ipAddress, userAgent, metadata)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockAuditService) LogLogout(ctx context.Context, userID uuid.UUID, ipAddress, userAgent string) error {
|
|
args := m.Called(ctx, userID, ipAddress, userAgent)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockAuditService) LogUpload(ctx context.Context, userID uuid.UUID, resourceID uuid.UUID, fileName string, fileSize int64, ipAddress, userAgent string) error {
|
|
args := m.Called(ctx, userID, resourceID, fileName, fileSize, ipAddress, userAgent)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockAuditService) LogPermissionChange(ctx context.Context, userID uuid.UUID, targetUserID uuid.UUID, oldPermissions, newPermissions []string, ipAddress, userAgent string) error {
|
|
args := m.Called(ctx, userID, targetUserID, oldPermissions, newPermissions, ipAddress, userAgent)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockAuditService) LogDeletion(ctx context.Context, userID uuid.UUID, resource string, resourceID uuid.UUID, ipAddress, userAgent string) error {
|
|
args := m.Called(ctx, userID, resource, resourceID, ipAddress, userAgent)
|
|
return args.Error(0)
|
|
}
|
|
|
|
func (m *MockAuditService) SearchLogs(ctx context.Context, req *services.AuditLogSearchRequest) ([]*services.AuditLog, error) {
|
|
args := m.Called(ctx, req)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).([]*services.AuditLog), args.Error(1)
|
|
}
|
|
|
|
func (m *MockAuditService) GetStats(ctx context.Context, startDate, endDate time.Time) ([]*services.AuditStats, error) {
|
|
args := m.Called(ctx, startDate, endDate)
|
|
if args.Get(0) == nil {
|
|
return nil, args.Error(1)
|
|
}
|
|
return args.Get(0).([]*services.AuditStats), args.Error(1)
|
|
}
|
|
|
|
// MockPermissionService pour les tests
|
|
type MockPermissionService struct {
|
|
mock.Mock
|
|
}
|
|
|
|
func (m *MockPermissionService) HasRole(ctx context.Context, userID uuid.UUID, roleName string) (bool, error) {
|
|
args := m.Called(ctx, userID, roleName)
|
|
return args.Bool(0), args.Error(1)
|
|
}
|
|
|
|
func (m *MockPermissionService) HasPermission(ctx context.Context, userID uuid.UUID, permissionName string) (bool, error) {
|
|
args := m.Called(ctx, userID, permissionName)
|
|
return args.Bool(0), args.Error(1)
|
|
}
|
|
|
|
// MockTokenBlacklist for VEZA-SEC-006 tests
|
|
type MockTokenBlacklist struct {
|
|
mock.Mock
|
|
}
|
|
|
|
func (m *MockTokenBlacklist) IsBlacklisted(ctx context.Context, token string) (bool, error) {
|
|
args := m.Called(ctx, token)
|
|
return args.Bool(0), args.Error(1)
|
|
}
|
|
|
|
// setupTestAuthMiddleware crée un AuthMiddleware configuré pour les tests
|
|
// ÉTAPE 3.4: Utilise les interfaces pour permettre l'injection directe des mocks
|
|
func setupTestAuthMiddleware(t *testing.T, jwtService *services.JWTService) (*AuthMiddleware, *MockSessionService, *MockAuditService, *MockPermissionService, *MockUserRepository) {
|
|
logger, _ := zap.NewDevelopment()
|
|
mockSessionService := new(MockSessionService)
|
|
mockAuditService := new(MockAuditService)
|
|
mockPermissionService := new(MockPermissionService)
|
|
mockUserRepository := new(MockUserRepository)
|
|
|
|
// Configurer le mock audit pour ne pas faire échouer les tests (tous les appels retournent nil)
|
|
mockAuditService.On("LogAction", mock.Anything, mock.Anything).Return(nil).Maybe()
|
|
|
|
// Default JWT Service if nil
|
|
if jwtService == nil {
|
|
jwtService = setupTestJWTService(t)
|
|
}
|
|
|
|
// Create UserService with mock repo
|
|
userService := services.NewUserService(mockUserRepository)
|
|
|
|
// ÉTAPE 3.4: Les mocks implémentent maintenant directement les interfaces
|
|
// Plus besoin de wrappers ou de hacks - injection directe des mocks
|
|
authMiddleware := NewAuthMiddleware(mockSessionService, mockAuditService, mockPermissionService, jwtService, userService, nil, nil, logger)
|
|
|
|
// Mock defaults for GetByID for generic tests (assume user found and version 0)
|
|
// We use .Maybe() because not all tests will hit it (e.g. invalid token format)
|
|
mockUserRepository.On("GetByID", mock.Anything).Return(&models.User{
|
|
ID: uuid.New(), // Just a placeholder, specific tests should override or match
|
|
TokenVersion: 0,
|
|
}, nil).Maybe()
|
|
|
|
return authMiddleware, mockSessionService, mockAuditService, mockPermissionService, mockUserRepository
|
|
}
|
|
|
|
// T0173: Tests pour AuthMiddleware
|
|
// ÉTAPE 3.4: Test du happy path - token valide, user_id en uuid.UUID dans le contexte
|
|
// Maintenant fonctionnel grâce aux interfaces
|
|
func TestAuthMiddleware_ValidToken(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
authMiddleware, mockSessionService, _, _, mockUserRepository := setupTestAuthMiddleware(t, nil)
|
|
|
|
userUUID := uuid.MustParse("00000000-0000-0000-0000-000000000042")
|
|
|
|
// Reset mock for specific call
|
|
mockUserRepository.ExpectedCalls = nil
|
|
mockUserRepository.On("GetByID", userUUID.String()).Return(&models.User{
|
|
ID: userUUID,
|
|
TokenVersion: 0,
|
|
}, nil)
|
|
|
|
token := generateTestToken(t, userUUID, 15*time.Minute)
|
|
|
|
sessionID := uuid.New()
|
|
mockSession := &services.Session{
|
|
ID: sessionID,
|
|
UserID: userUUID,
|
|
CreatedAt: time.Now(),
|
|
ExpiresAt: time.Now().Add(24 * time.Hour),
|
|
}
|
|
mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
userIDInterface, exists := c.Get("user_id")
|
|
assert.True(t, exists, "user_id should exist in context")
|
|
userID, ok := userIDInterface.(uuid.UUID)
|
|
assert.True(t, ok, "user_id should be uuid.UUID")
|
|
assert.Equal(t, userUUID, userID, "user_id should match expected UUID")
|
|
|
|
sessionIDCtx, exists := c.Get("session_id")
|
|
assert.True(t, exists, "session_id should exist in context")
|
|
assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID")
|
|
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusOK, w.Code)
|
|
mockSessionService.AssertExpectations(t)
|
|
}
|
|
|
|
// TestAuthMiddleware_BlacklistedToken_Returns401 verifies that a valid JWT but blacklisted token returns 401 (VEZA-SEC-006)
|
|
func TestAuthMiddleware_BlacklistedToken_Returns401(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
_, _, _, _, mockUserRepository := setupTestAuthMiddleware(t, nil)
|
|
|
|
userUUID := uuid.MustParse("00000000-0000-0000-0000-000000000042")
|
|
token := generateTestToken(t, userUUID, 15*time.Minute)
|
|
|
|
// Create middleware with mock blacklist that returns true (blacklisted)
|
|
mockBlacklist := new(MockTokenBlacklist)
|
|
mockBlacklist.On("IsBlacklisted", mock.Anything, token).Return(true, nil)
|
|
|
|
// Rebuild auth middleware with blacklist
|
|
logger, _ := zap.NewDevelopment()
|
|
userService := services.NewUserService(mockUserRepository)
|
|
mockUserRepository.On("GetByID", userUUID.String()).Return(&models.User{
|
|
ID: userUUID,
|
|
TokenVersion: 0,
|
|
}, nil)
|
|
|
|
jwtService := setupTestJWTService(t)
|
|
mockSessionService2 := new(MockSessionService)
|
|
mockAuditService2 := new(MockAuditService)
|
|
mockPermissionService2 := new(MockPermissionService)
|
|
mockAuditService2.On("LogAction", mock.Anything, mock.Anything).Return(nil).Maybe()
|
|
|
|
authWithBlacklist := NewAuthMiddleware(
|
|
mockSessionService2, mockAuditService2, mockPermissionService2,
|
|
jwtService, userService, nil, mockBlacklist, logger,
|
|
)
|
|
|
|
router := gin.New()
|
|
router.Use(authWithBlacklist.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
var response map[string]interface{}
|
|
require.NoError(t, json.Unmarshal(w.Body.Bytes(), &response))
|
|
assert.False(t, response["success"].(bool))
|
|
errorObj := response["error"].(map[string]interface{})
|
|
assert.Equal(t, "Token revoked", errorObj["message"])
|
|
mockBlacklist.AssertExpectations(t)
|
|
}
|
|
|
|
func TestAuthMiddleware_MissingHeader(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, nil)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
assert.NoError(t, err)
|
|
// P0: Nouveau format AppError - error est un objet avec code, message, timestamp
|
|
assert.False(t, response["success"].(bool))
|
|
errorObj, ok := response["error"].(map[string]interface{})
|
|
require.True(t, ok, "Error should be a map")
|
|
assert.Equal(t, "Access token required", errorObj["message"])
|
|
}
|
|
|
|
func TestAuthMiddleware_InvalidHeaderFormat(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, nil)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
testCases := []struct {
|
|
name string
|
|
header string
|
|
expectedError string
|
|
}{
|
|
{"No Bearer prefix", "token123", "Access token required"},
|
|
{"Wrong prefix", "Basic token123", "Access token required"},
|
|
{"Multiple spaces", "Bearer token123", "Access token required"},
|
|
{"Empty token", "Bearer ", "Access token required"},
|
|
{"Empty header", "", "Access token required"},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
if tc.header != "" {
|
|
req.Header.Set("Authorization", tc.header)
|
|
}
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
assert.NoError(t, err)
|
|
// P0: Nouveau format AppError
|
|
errorObj, ok := response["error"].(map[string]interface{})
|
|
require.True(t, ok, "Error should be a map")
|
|
assert.Contains(t, errorObj["message"].(string), tc.expectedError)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthMiddleware_InvalidToken(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, nil)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
testCases := []struct {
|
|
name string
|
|
token string
|
|
expectedError string
|
|
}{
|
|
{"Invalid token string", "invalid.token.string", "Invalid"},
|
|
{"Malformed token", "not.a.valid.token", "Invalid"},
|
|
{"Empty token", "", "Access token required"},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+tc.token)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
assert.NoError(t, err)
|
|
// P0: Nouveau format AppError
|
|
errorObj, ok := response["error"].(map[string]interface{})
|
|
require.True(t, ok, "Error should be a map")
|
|
assert.Contains(t, errorObj["message"].(string), tc.expectedError)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthMiddleware_ExpiredToken(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
jwtService := setupTestJWTService(t)
|
|
authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, jwtService)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
userUUID := uuid.New()
|
|
expiredToken := generateExpiredTestToken(t, userUUID)
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+expiredToken)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
assert.NoError(t, err)
|
|
// P0: Nouveau format AppError
|
|
errorObj, ok := response["error"].(map[string]interface{})
|
|
require.True(t, ok, "Error should be a map")
|
|
assert.Contains(t, errorObj["message"].(string), "Invalid")
|
|
}
|
|
|
|
func TestAuthMiddleware_ContextValues(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
jwtService := setupTestJWTService(t)
|
|
|
|
testCases := []struct {
|
|
name string
|
|
userUUID uuid.UUID
|
|
}{
|
|
{"Regular user", uuid.MustParse("00000000-0000-0000-0000-000000000001")},
|
|
{"Admin user", uuid.MustParse("00000000-0000-0000-0000-000000000002")},
|
|
{"Moderator", uuid.MustParse("00000000-0000-0000-0000-000000000003")},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
authMiddleware, mockSessionService, _, _, mockUserRepository := setupTestAuthMiddleware(t, jwtService)
|
|
|
|
// Setup UserRepo override
|
|
mockUserRepository.ExpectedCalls = nil
|
|
mockUserRepository.On("GetByID", tc.userUUID.String()).Return(&models.User{
|
|
ID: tc.userUUID,
|
|
TokenVersion: 0,
|
|
}, nil)
|
|
|
|
token := generateTestToken(t, tc.userUUID, 15*time.Minute)
|
|
|
|
sessionID := uuid.New()
|
|
mockSession := &services.Session{
|
|
ID: sessionID,
|
|
UserID: tc.userUUID,
|
|
CreatedAt: time.Now(),
|
|
ExpiresAt: time.Now().Add(24 * time.Hour),
|
|
}
|
|
mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
userIDInterface, exists := c.Get("user_id")
|
|
assert.True(t, exists, "user_id should exist in context")
|
|
userID, ok := userIDInterface.(uuid.UUID)
|
|
assert.True(t, ok, "user_id should be uuid.UUID")
|
|
assert.Equal(t, tc.userUUID, userID, "user_id should match expected UUID")
|
|
|
|
sessionIDCtx, exists := c.Get("session_id")
|
|
assert.True(t, exists, "session_id should exist in context")
|
|
assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID")
|
|
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusOK, w.Code)
|
|
mockSessionService.AssertExpectations(t)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthMiddleware_P1_TokenRevocation(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
authMiddleware, _, _, _, mockUserRepository := setupTestAuthMiddleware(t, nil)
|
|
|
|
userUUID := uuid.New()
|
|
|
|
// User token is outdated (User has version 5 in DB, token is version 0)
|
|
mockUserRepository.ExpectedCalls = nil
|
|
mockUserRepository.On("GetByID", userUUID.String()).Return(&models.User{
|
|
ID: userUUID,
|
|
TokenVersion: 5,
|
|
}, nil)
|
|
|
|
// Token has version 0 by default in generateTestToken
|
|
token := generateTestToken(t, userUUID, 15*time.Minute)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
require.NoError(t, err)
|
|
// P0: Nouveau format AppError
|
|
errorObj, ok := response["error"].(map[string]interface{})
|
|
require.True(t, ok, "Error should be a map")
|
|
assert.Equal(t, "Token revoked", errorObj["message"])
|
|
}
|
|
|
|
func TestAuthMiddleware_P1_StrictClaims(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
jwtService := setupTestJWTService(t)
|
|
authMiddleware, _, _, _, _ := setupTestAuthMiddleware(t, jwtService)
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireAuth())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
t.Run("Invalid Audience", func(t *testing.T) {
|
|
claims := jwt.MapClaims{
|
|
"sub": uuid.New().String(),
|
|
"exp": time.Now().Add(time.Hour).Unix(),
|
|
"iat": time.Now().Unix(),
|
|
"iss": "veza-api",
|
|
"aud": "evil-app", // BAD AUDIENCE
|
|
"token_version": 0,
|
|
}
|
|
token := generateTokenWithCustomClaims(t, claims)
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
})
|
|
|
|
t.Run("Invalid Issuer", func(t *testing.T) {
|
|
claims := jwt.MapClaims{
|
|
"sub": uuid.New().String(),
|
|
"exp": time.Now().Add(time.Hour).Unix(),
|
|
"iat": time.Now().Unix(),
|
|
"iss": "evil-api", // BAD ISSUER
|
|
"aud": "veza-app",
|
|
"token_version": 0,
|
|
}
|
|
token := generateTokenWithCustomClaims(t, claims)
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(w, req)
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
|
})
|
|
}
|
|
|
|
// TestRequireOwnershipOrAdmin_OwnerAccess teste que le propriétaire peut accéder à sa ressource
|
|
// MOD-P0-003: Test ownership middleware avec owner
|
|
func TestRequireOwnershipOrAdmin_OwnerAccess(t *testing.T) {
|
|
jwtService := setupTestJWTService(t)
|
|
authMiddleware, mockSessionService, _, _, mockUserRepository := setupTestAuthMiddleware(t, jwtService)
|
|
|
|
ownerID := uuid.New()
|
|
requesterID := ownerID // Même utilisateur
|
|
|
|
// Mock user
|
|
user := &models.User{
|
|
ID: requesterID,
|
|
Email: "owner@test.com",
|
|
TokenVersion: 0,
|
|
}
|
|
mockUserRepository.On("GetByID", requesterID.String()).Return(user, nil)
|
|
|
|
// Mock session
|
|
session := &services.Session{
|
|
ID: uuid.New(),
|
|
UserID: requesterID,
|
|
}
|
|
mockSessionService.On("ValidateSession", mock.Anything, mock.Anything).Return(session, nil)
|
|
|
|
// Resolver qui retourne l'owner ID depuis les paramètres
|
|
resolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
idStr := c.Param("id")
|
|
return uuid.Parse(idStr)
|
|
}
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireOwnershipOrAdmin("test_resource", resolver))
|
|
router.PUT("/test/:id", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
token := generateTestToken(t, requesterID, 1*time.Hour)
|
|
req := httptest.NewRequest("PUT", "/test/"+ownerID.String(), nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusOK, w.Code)
|
|
mockUserRepository.AssertExpectations(t)
|
|
mockSessionService.AssertExpectations(t)
|
|
}
|
|
|
|
// TestRequireOwnershipOrAdmin_AdminAccess teste qu'un admin peut accéder à n'importe quelle ressource
|
|
// MOD-P0-003: Test ownership middleware avec admin override
|
|
func TestRequireOwnershipOrAdmin_AdminAccess(t *testing.T) {
|
|
jwtService := setupTestJWTService(t)
|
|
authMiddleware, mockSessionService, _, mockPermissionService, mockUserRepository := setupTestAuthMiddleware(t, jwtService)
|
|
|
|
ownerID := uuid.New()
|
|
adminID := uuid.New() // Admin différent du owner
|
|
|
|
// Mock user (admin)
|
|
user := &models.User{
|
|
ID: adminID,
|
|
Email: "admin@test.com",
|
|
TokenVersion: 0,
|
|
}
|
|
mockUserRepository.On("GetByID", adminID.String()).Return(user, nil)
|
|
|
|
// Mock session
|
|
session := &services.Session{
|
|
ID: uuid.New(),
|
|
UserID: adminID,
|
|
}
|
|
mockSessionService.On("ValidateSession", mock.Anything, mock.Anything).Return(session, nil)
|
|
|
|
// Mock admin role
|
|
mockPermissionService.On("HasRole", mock.Anything, adminID, "admin").Return(true, nil)
|
|
|
|
// Resolver qui retourne l'owner ID depuis les paramètres
|
|
resolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
idStr := c.Param("id")
|
|
return uuid.Parse(idStr)
|
|
}
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireOwnershipOrAdmin("test_resource", resolver))
|
|
router.PUT("/test/:id", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
token := generateTestToken(t, adminID, 1*time.Hour)
|
|
req := httptest.NewRequest("PUT", "/test/"+ownerID.String(), nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusOK, w.Code)
|
|
mockUserRepository.AssertExpectations(t)
|
|
mockSessionService.AssertExpectations(t)
|
|
mockPermissionService.AssertExpectations(t)
|
|
}
|
|
|
|
// TestRequireOwnershipOrAdmin_ForbiddenAccess teste qu'un utilisateur non-owner et non-admin est rejeté
|
|
// MOD-P0-003: Test ownership middleware avec accès interdit
|
|
func TestRequireOwnershipOrAdmin_ForbiddenAccess(t *testing.T) {
|
|
jwtService := setupTestJWTService(t)
|
|
authMiddleware, mockSessionService, _, mockPermissionService, mockUserRepository := setupTestAuthMiddleware(t, jwtService)
|
|
|
|
ownerID := uuid.New()
|
|
otherUserID := uuid.New() // Utilisateur différent du owner
|
|
|
|
// Mock user (non-owner, non-admin)
|
|
user := &models.User{
|
|
ID: otherUserID,
|
|
Email: "other@test.com",
|
|
TokenVersion: 0,
|
|
}
|
|
mockUserRepository.On("GetByID", otherUserID.String()).Return(user, nil)
|
|
|
|
// Mock session
|
|
session := &services.Session{
|
|
ID: uuid.New(),
|
|
UserID: otherUserID,
|
|
}
|
|
mockSessionService.On("ValidateSession", mock.Anything, mock.Anything).Return(session, nil)
|
|
|
|
// Mock non-admin role
|
|
mockPermissionService.On("HasRole", mock.Anything, otherUserID, "admin").Return(false, nil)
|
|
|
|
// Resolver qui retourne l'owner ID depuis les paramètres
|
|
resolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
idStr := c.Param("id")
|
|
return uuid.Parse(idStr)
|
|
}
|
|
|
|
router := gin.New()
|
|
router.Use(authMiddleware.RequireOwnershipOrAdmin("test_resource", resolver))
|
|
router.PUT("/test/:id", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "success"})
|
|
})
|
|
|
|
token := generateTestToken(t, otherUserID, 1*time.Hour)
|
|
req := httptest.NewRequest("PUT", "/test/"+ownerID.String(), nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusForbidden, w.Code)
|
|
mockUserRepository.AssertExpectations(t)
|
|
mockSessionService.AssertExpectations(t)
|
|
mockPermissionService.AssertExpectations(t)
|
|
}
|