package auth import ( "context" "errors" "fmt" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/zeromicro/go-zero/core/stores/sqlx" "go.uber.org/mock/gomock" "math" "math/rand" "os" "perms-system-server/internal/consts" "perms-system-server/internal/loaders" "perms-system-server/internal/middleware" deptModel "perms-system-server/internal/model/dept" "perms-system-server/internal/model/productmember" userModel "perms-system-server/internal/model/user" "perms-system-server/internal/response" "perms-system-server/internal/svc" "perms-system-server/internal/testutil" "perms-system-server/internal/testutil/ctxhelper" "perms-system-server/internal/testutil/mocks" "testing" "time" ) // ===================================================================== // RequireSuperAdmin // ===================================================================== // TC-0481: 超管通过 func TestRequireSuperAdmin_SuperAdmin(t *testing.T) { err := RequireSuperAdmin(ctxhelper.SuperAdminCtx()) assert.NoError(t, err) } // TC-0482: ADMIN → 403 "仅超级管理员" func TestRequireSuperAdmin_Admin(t *testing.T) { err := RequireSuperAdmin(ctxhelper.AdminCtx("p1")) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "仅超级管理员") } // TC-0483: MEMBER → 403 func TestRequireSuperAdmin_Member(t *testing.T) { err := RequireSuperAdmin(ctxhelper.MemberCtx("p1")) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0484: 无 UserDetails → 401 "未登录" func TestRequireSuperAdmin_NoUserDetails(t *testing.T) { err := RequireSuperAdmin(context.Background()) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 401, ce.Code()) assert.Contains(t, ce.Error(), "未登录") } // ===================================================================== // RequireProductAdmin // ===================================================================== // TC-0485: SuperAdmin → nil func TestRequireProductAdminFor_SuperAdmin(t *testing.T) { err := RequireProductAdminFor(ctxhelper.SuperAdminCtx(), "p1") assert.NoError(t, err) } // TC-0486: ADMIN → nil (same product) func TestRequireProductAdminFor_Admin(t *testing.T) { err := RequireProductAdminFor(ctxhelper.AdminCtx("p1"), "p1") assert.NoError(t, err) } // TC-0487: DEVELOPER → 403 func TestRequireProductAdminFor_Developer(t *testing.T) { err := RequireProductAdminFor(ctxhelper.DeveloperCtx("p1"), "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0488: MEMBER → 403 func TestRequireProductAdminFor_Member(t *testing.T) { err := RequireProductAdminFor(ctxhelper.MemberCtx("p1"), "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0489: 无 UserDetails → 401 func TestRequireProductAdminFor_NoUserDetails(t *testing.T) { err := RequireProductAdminFor(context.Background(), "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 401, ce.Code()) assert.Contains(t, ce.Error(), "未登录") } // TC-0490: ADMIN 跨产品被拒绝 func TestRequireProductAdminFor_AdminCrossProduct(t *testing.T) { err := RequireProductAdminFor(ctxhelper.AdminCtx("p1"), "other_product") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // ===================================================================== // CheckMemberTypeAssignment // ===================================================================== // TC-0491: 超管分配 ADMIN → nil func TestCheckMemberTypeAssignment_SuperAdminAssignsAdmin(t *testing.T) { err := CheckMemberTypeAssignment(ctxhelper.SuperAdminCtx(), consts.MemberTypeAdmin) assert.NoError(t, err) } // TC-0492: ADMIN 分配 DEVELOPER → nil func TestCheckMemberTypeAssignment_AdminAssignsDeveloper(t *testing.T) { err := CheckMemberTypeAssignment(ctxhelper.AdminCtx("p1"), consts.MemberTypeDeveloper) assert.NoError(t, err) } // TC-0493: ADMIN 分配 ADMIN(同级)→ 403 func TestCheckMemberTypeAssignment_AdminAssignsAdmin(t *testing.T) { err := CheckMemberTypeAssignment(ctxhelper.AdminCtx("p1"), consts.MemberTypeAdmin) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0494: DEVELOPER 分配 ADMIN(更高级)→ 403 func TestCheckMemberTypeAssignment_DeveloperAssignsAdmin(t *testing.T) { err := CheckMemberTypeAssignment(ctxhelper.DeveloperCtx("p1"), consts.MemberTypeAdmin) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0495: MEMBER 分配 MEMBER(同级)→ 403 func TestCheckMemberTypeAssignment_MemberAssignsMember(t *testing.T) { err := CheckMemberTypeAssignment(ctxhelper.MemberCtx("p1"), consts.MemberTypeMember) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0496: 无 UserDetails → 401 func TestCheckMemberTypeAssignment_NoUserDetails(t *testing.T) { err := CheckMemberTypeAssignment(context.Background(), consts.MemberTypeMember) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 401, ce.Code()) assert.Contains(t, ce.Error(), "未登录") } // ===================================================================== // memberTypePriority (未导出,同包可测) // ===================================================================== // TC-0505: 所有成员类型返回正确优先级 func TestMemberTypePriority(t *testing.T) { tests := []struct { name string memberType string want int }{ {"SUPER_ADMIN=0", consts.MemberTypeSuperAdmin, 0}, {"ADMIN=1", consts.MemberTypeAdmin, 1}, {"DEVELOPER=2", consts.MemberTypeDeveloper, 2}, {"MEMBER=3", consts.MemberTypeMember, 3}, {"unknown=MaxInt32", "UNKNOWN_TYPE", math.MaxInt32}, {"empty=MaxInt32", "", math.MaxInt32}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := memberTypePriority(tt.memberType) assert.Equal(t, tt.want, got) }) } } // ===================================================================== // CheckManageAccess (集成测试,需要真实 DB) // ===================================================================== func newIntegrationSvcCtx() *svc.ServiceContext { return svc.NewServiceContext(testutil.GetTestConfig()) } func createTestUser(t *testing.T, ctx context.Context, svcCtx *svc.ServiceContext, conn sqlx.SqlConn, opts struct { username string deptId int64 isSuperAdmin int64 }) int64 { t.Helper() now := time.Now().Unix() res, err := svcCtx.SysUserModel.Insert(ctx, &userModel.SysUser{ Username: opts.username, Password: testutil.HashPassword("test123"), Nickname: opts.username, Email: opts.username + "@test.com", Phone: "", Remark: "", DeptId: opts.deptId, IsSuperAdmin: opts.isSuperAdmin, MustChangePassword: consts.MustChangePasswordNo, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) id, _ := res.LastInsertId() return id } // TC-0497: SuperAdmin 跳过所有检查 func TestCheckManageAccess_SuperAdminBypasses(t *testing.T) { ctx := context.Background() svcCtx := newIntegrationSvcCtx() conn := testutil.GetTestSqlConn() targetId := createTestUser(t, ctx, svcCtx, conn, struct { username string deptId int64 isSuperAdmin int64 }{ username: fmt.Sprintf("target_sa_%d", rand.Intn(100000)), deptId: 0, isSuperAdmin: consts.IsSuperAdminNo, }) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", targetId) }) err := CheckManageAccess(ctxhelper.SuperAdminCtx(), svcCtx, targetId, "p1") assert.NoError(t, err) } // TC-0498: 操作自己豁免 func TestCheckManageAccess_SelfManagement(t *testing.T) { selfCtx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 100, Username: "self_user", IsSuperAdmin: false, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, ProductCode: "p1", DeptId: 1, DeptPath: "/1/", }) svcCtx := newIntegrationSvcCtx() err := CheckManageAccess(selfCtx, svcCtx, 100, "p1") assert.NoError(t, err) } // TC-0499: ADMIN 跳过部门层级检查 func TestCheckManageAccess_AdminSkipsDeptCheck(t *testing.T) { ctx := context.Background() svcCtx := newIntegrationSvcCtx() conn := testutil.GetTestSqlConn() now := time.Now().Unix() pc := fmt.Sprintf("tp_access_%d", rand.Intn(100000)) targetId := createTestUser(t, ctx, svcCtx, conn, struct { username string deptId int64 isSuperAdmin int64 }{ username: fmt.Sprintf("target_admin_%d", rand.Intn(100000)), deptId: 0, isSuperAdmin: consts.IsSuperAdminNo, }) pmRes, err := svcCtx.SysProductMemberModel.Insert(ctx, &productmember.SysProductMember{ ProductCode: pc, UserId: targetId, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) pmId, _ := pmRes.LastInsertId() t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_product_member`", pmId) testutil.CleanTable(ctx, conn, "`sys_user`", targetId) }) adminCtx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 2, Username: "admin_test", IsSuperAdmin: false, MemberType: consts.MemberTypeAdmin, Status: consts.StatusEnabled, ProductCode: pc, DeptId: 999, DeptPath: "/999/", MinPermsLevel: math.MaxInt64, }) err = CheckManageAccess(adminCtx, svcCtx, targetId, pc) assert.NoError(t, err) } // TC-0500: 无 UserDetails → 401 func TestCheckManageAccess_NoUserDetails(t *testing.T) { svcCtx := newIntegrationSvcCtx() err := CheckManageAccess(context.Background(), svcCtx, 1, "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 401, ce.Code()) } // TC-0501: DEVELOPER 无部门归属 → 403 func TestCheckManageAccess_NoDept(t *testing.T) { svcCtx := newIntegrationSvcCtx() noDeptCtx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 3, Username: "dev_nodept", IsSuperAdmin: false, MemberType: consts.MemberTypeDeveloper, Status: consts.StatusEnabled, ProductCode: "p1", DeptId: 0, DeptPath: "", MinPermsLevel: math.MaxInt64, }) err := CheckManageAccess(noDeptCtx, svcCtx, 99999, "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "未归属任何部门") } // TC-0502: DEVELOPER 操作不同部门的用户 → 403 func TestCheckManageAccess_CrossDeptForbidden(t *testing.T) { ctx := context.Background() svcCtx := newIntegrationSvcCtx() conn := testutil.GetTestSqlConn() now := time.Now().Unix() dept1Res, err := svcCtx.SysDeptModel.Insert(ctx, &deptModel.SysDept{ ParentId: 0, Name: fmt.Sprintf("dept_a_%d", rand.Intn(100000)), Path: fmt.Sprintf("/%d/", rand.Intn(100000)), Sort: 1, DeptType: consts.DeptTypeNormal, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) dept1Id, _ := dept1Res.LastInsertId() dept2Res, err := svcCtx.SysDeptModel.Insert(ctx, &deptModel.SysDept{ ParentId: 0, Name: fmt.Sprintf("dept_b_%d", rand.Intn(100000)), Path: fmt.Sprintf("/%d/", rand.Intn(100000)), Sort: 1, DeptType: consts.DeptTypeNormal, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) dept2Id, _ := dept2Res.LastInsertId() targetId := createTestUser(t, ctx, svcCtx, conn, struct { username string deptId int64 isSuperAdmin int64 }{ username: fmt.Sprintf("target_crossdept_%d", rand.Intn(100000)), deptId: dept2Id, isSuperAdmin: consts.IsSuperAdminNo, }) dept2, err := svcCtx.SysDeptModel.FindOne(ctx, dept2Id) require.NoError(t, err) dept1, err := svcCtx.SysDeptModel.FindOne(ctx, dept1Id) require.NoError(t, err) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", targetId) testutil.CleanTable(ctx, conn, "`sys_dept`", dept1Id, dept2Id) }) callerCtx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 99998, Username: "dev_crossdept", IsSuperAdmin: false, MemberType: consts.MemberTypeDeveloper, Status: consts.StatusEnabled, ProductCode: "p1", DeptId: dept1Id, DeptPath: dept1.Path, MinPermsLevel: math.MaxInt64, }) _ = dept2 err = CheckManageAccess(callerCtx, svcCtx, targetId, "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0504: caller.DeptPath为空时拒绝 func TestCheckManageAccess_EmptyDeptPath(t *testing.T) { svcCtx := newIntegrationSvcCtx() emptyPathCtx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 88888, Username: "dev_emptypath", IsSuperAdmin: false, MemberType: consts.MemberTypeDeveloper, Status: consts.StatusEnabled, ProductCode: "p1", DeptId: 1, DeptPath: "", MinPermsLevel: math.MaxInt64, }) err := CheckManageAccess(emptyPathCtx, svcCtx, 99999, "p1") require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "部门信息异常") } // TC-0503: DEVELOPER 操作同部门的 MEMBER 且权限级别更高 → nil func TestCheckManageAccess_SameDeptLowerLevel(t *testing.T) { ctx := context.Background() svcCtx := newIntegrationSvcCtx() conn := testutil.GetTestSqlConn() now := time.Now().Unix() pc := fmt.Sprintf("tp_samedept_%d", rand.Intn(100000)) deptRes, err := svcCtx.SysDeptModel.Insert(ctx, &deptModel.SysDept{ ParentId: 0, Name: fmt.Sprintf("dept_same_%d", rand.Intn(100000)), Path: "/", Sort: 1, DeptType: consts.DeptTypeNormal, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) deptId, _ := deptRes.LastInsertId() deptObj, err := svcCtx.SysDeptModel.FindOne(ctx, deptId) require.NoError(t, err) targetId := createTestUser(t, ctx, svcCtx, conn, struct { username string deptId int64 isSuperAdmin int64 }{ username: fmt.Sprintf("target_samedept_%d", rand.Intn(100000)), deptId: deptId, isSuperAdmin: consts.IsSuperAdminNo, }) pmRes, err := svcCtx.SysProductMemberModel.Insert(ctx, &productmember.SysProductMember{ ProductCode: pc, UserId: targetId, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) pmId, _ := pmRes.LastInsertId() t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_product_member`", pmId) testutil.CleanTable(ctx, conn, "`sys_user`", targetId) testutil.CleanTable(ctx, conn, "`sys_dept`", deptId) }) callerCtx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 99997, Username: "dev_samedept", IsSuperAdmin: false, MemberType: consts.MemberTypeDeveloper, Status: consts.StatusEnabled, ProductCode: pc, DeptId: deptId, DeptPath: deptObj.Path, MinPermsLevel: 1, }) err = CheckManageAccess(callerCtx, svcCtx, targetId, pc) assert.NoError(t, err) } // suppress unused import var _ = sqlx.ErrNotFound // --------------------------------------------------------------------------- // 覆盖目标:CheckAddMemberAccess 专门为 AddMember 前置流程设计, // 用以堵住"产品 ADMIN 从部门树外把人强拉进自己产品"的漏洞。 // 对比 CheckManageAccess: // 1) 不做 memberType / permsLevel 比对; // 2) 对产品 ADMIN 不走 checkDeptHierarchy 的 bypass,强制做部门链校验; // 3) SuperAdmin 仍完全豁免; // 4) target 为空 / 未归属部门等情况 fail-close。 // --------------------------------------------------------------------------- func callerProductAdmin(deptId int64, deptPath string) *loaders.UserDetails { return &loaders.UserDetails{ UserId: 2, Username: "pa", IsSuperAdmin: false, MemberType: consts.MemberTypeAdmin, Status: consts.StatusEnabled, ProductCode: "pc_h3", DeptId: deptId, DeptPath: deptPath, } } func callerMember(deptId int64, deptPath string) *loaders.UserDetails { return &loaders.UserDetails{ UserId: 3, Username: "mbr", IsSuperAdmin: false, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, ProductCode: "pc_h3", DeptId: deptId, DeptPath: deptPath, } } // TC-0940: 产品 ADMIN 将部门树**外**的 target 拉进产品时必须 403, // 不得因其 MemberType=ADMIN 享受 checkDeptHierarchy 的 bypass。 func TestCheckAddMemberAccess_ProductAdmin_CrossDept_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) // target 所在部门 path = /200/201/,与 caller 部门 path=/100/ 不在同一子树 deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), int64(201)). Return(&deptModel.SysDept{Id: 201, Path: "/200/201/"}, nil).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) ctx := middleware.WithUserDetails(context.Background(), callerProductAdmin(100, "/100/")) target := &userModel.SysUser{Id: 42, DeptId: 201} err := CheckAddMemberAccess(ctx, svcCtx, target) require.Error(t, err, "产品 ADMIN 不能把部门树外的人拉进自己产品") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "其他部门") } // TC-0941: 产品 ADMIN 将部门树**内**的 target 拉进产品允许通过。 func TestCheckAddMemberAccess_ProductAdmin_SameSubtree_Allowed(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), int64(101)). Return(&deptModel.SysDept{Id: 101, Path: "/100/101/"}, nil).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) ctx := middleware.WithUserDetails(context.Background(), callerProductAdmin(100, "/100/")) target := &userModel.SysUser{Id: 42, DeptId: 101} err := CheckAddMemberAccess(ctx, svcCtx, target) require.NoError(t, err, "target 在 caller 部门子树内应允许添加") } // TC-0942: SuperAdmin 完全豁免,不触发 SysDeptModel.FindOne。 func TestCheckAddMemberAccess_SuperAdmin_BypassNoDBCall(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), gomock.Any()).Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) su := &loaders.UserDetails{ UserId: 1, Username: "su", IsSuperAdmin: true, MemberType: consts.MemberTypeSuperAdmin, Status: consts.StatusEnabled, } ctx := middleware.WithUserDetails(context.Background(), su) target := &userModel.SysUser{Id: 42, DeptId: 999} // 任意部门 err := CheckAddMemberAccess(ctx, svcCtx, target) require.NoError(t, err) } // TC-0943: caller 自加自 (target.Id == caller.UserId) 豁免部门校验, // 避免阻塞"ADMIN 把自己添加进新产品"这类合法运维路径。 func TestCheckAddMemberAccess_SelfAdd_Allowed(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), gomock.Any()).Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) caller := callerProductAdmin(100, "/100/") ctx := middleware.WithUserDetails(context.Background(), caller) target := &userModel.SysUser{Id: caller.UserId, DeptId: 999} err := CheckAddMemberAccess(ctx, svcCtx, target) require.NoError(t, err) } // TC-0944: caller 自身 DeptId=0(幽灵账号)时必须 403, // 不得让"无部门归属但拥有 product ADMIN"的账号绕过整个部门链校验。 func TestCheckAddMemberAccess_CallerWithoutDept_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), gomock.Any()).Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) caller := callerProductAdmin(0, "") ctx := middleware.WithUserDetails(context.Background(), caller) target := &userModel.SysUser{Id: 42, DeptId: 101} err := CheckAddMemberAccess(ctx, svcCtx, target) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "未归属任何部门") } // TC-0945: target 未归属部门时必须 403(仅超管可破例), // 避免"空 deptId 的 user 被部门前缀匹配逻辑误判"通过。 func TestCheckAddMemberAccess_TargetWithoutDept_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), gomock.Any()).Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) caller := callerProductAdmin(100, "/100/") ctx := middleware.WithUserDetails(context.Background(), caller) target := &userModel.SysUser{Id: 42, DeptId: 0} err := CheckAddMemberAccess(ctx, svcCtx, target) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "未归属部门") } // TC-0946: 未登录 / 缺少 UserDetails 上下文时返回 401, // 而不是 silently 放行或 panic。 func TestCheckAddMemberAccess_NoCallerCtx_Unauthorized(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), gomock.Any()).Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) target := &userModel.SysUser{Id: 42, DeptId: 101} err := CheckAddMemberAccess(context.Background(), svcCtx, target) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 401, ce.Code()) } // TC-0947: SysDeptModel.FindOne 报错时必须 fail-close 返回 403(无法校验), // 不得静默放行。消息避免暴露底层 DB 细节。 func TestCheckAddMemberAccess_DeptFindOneError_FailClose(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), int64(777)). Return(nil, errors.New("db: connection refused")).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) caller := callerProductAdmin(100, "/100/") ctx := middleware.WithUserDetails(context.Background(), caller) target := &userModel.SysUser{Id: 42, DeptId: 777} err := CheckAddMemberAccess(ctx, svcCtx, target) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.NotContains(t, ce.Error(), "db:", "错误消息不得泄漏底层 DB 细节") } // TC-0948: 非 ADMIN 的普通 MEMBER 作 caller 时同样走 CheckAddMemberAccess 的部门链判定 // (虽然 AddMember 的 RequireProductAdminFor 会更早拒绝,但防御深度仍需保证此函数独立正确)。 func TestCheckAddMemberAccess_Member_CrossDept_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), int64(201)). Return(&deptModel.SysDept{Id: 201, Path: "/200/201/"}, nil).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) caller := callerMember(100, "/100/") ctx := middleware.WithUserDetails(context.Background(), caller) target := &userModel.SysUser{Id: 42, DeptId: 201} err := CheckAddMemberAccess(ctx, svcCtx, target) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0949: target 为 nil 时必须 400,而不是 panic。 func TestCheckAddMemberAccess_NilTarget_BadRequest(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), gomock.Any()).Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Dept: deptMock}) caller := callerProductAdmin(100, "/100/") ctx := middleware.WithUserDetails(context.Background(), caller) err := CheckAddMemberAccess(ctx, svcCtx, nil) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 400, ce.Code()) } // --------------------------------------------------------------------------- // checkDeptHierarchy 对 caller.DeptId=0 / DeptPath="" // 的历史 MEMBER / DEVELOPER 账号直接 403。 // // 契约期望(fix 后):历史账号任意一次管理动作时,CheckManageAccess 要么走 // (a) 明确的"未归属部门,拒绝管理他人"403(当前行为,方向正确但文案 / 缺失) // (b) 自动把缺失部门挪到默认部门 → 正常走部门链校验 // 无论走 (a) 还是 (b),都需要有 **response.CodeError 结构** 而不是普通 string error, // 否则前端做不到"按错误码触发数据迁移工单"。 // // 本测试用 skipPending 标签,方便 report 识别未落地项;fix 落地(或数据迁移脚本 // 跑完)后把 AUDIT_RUN_PENDING=1 打开并调整断言即可切换成真正的回归保护。 // --------------------------------------------------------------------------- const auditPendingEnv = "AUDIT_RUN_PENDING" func skipPending(t *testing.T, marker, reason string) { t.Helper() if os.Getenv(auditPendingEnv) != "" { return } t.Skipf("AUDIT_PENDING %s (Round 8 fix 未落地) —— %s", marker, reason) } // TC-0993: 历史 DEVELOPER(DeptId=0)对合法目标的管理操作 —— fix 后必须是 // 可识别的 response.CodeError,且带有迁移提示("您未归属任何部门"),让运维据此跑数据迁移。 func TestCheckManageAccess_L3_LegacyDeveloperWithDeptZero_MustReturnCodedError(t *testing.T) { skipPending(t, "L-3", "当前返回 403 但文案分叉('您未归属任何部门' / '您的部门信息异常'),建议"+ "合一为 '您未归属任何部门' 且带 CodeError.Code=403;fix 落地后移除 Skip") ctx := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) // caller 是 legacy developer,DeptId=0 / DeptPath=""。 callerCtx := middleware.WithUserDetails(ctx, &loaders.UserDetails{ UserId: 999001, Username: "legacy_dev", IsSuperAdmin: false, MemberType: consts.MemberTypeDeveloper, Status: consts.StatusEnabled, ProductCode: "test_product", // DeptId=0, DeptPath="" —— legacy 账号 }) err := CheckManageAccess(callerCtx, svcCtx, 999002 /* target */, "test_product") require.Error(t, err, "legacy caller 必须被拒绝") var ce *response.CodeError require.ErrorAs(t, err, &ce, "必须是 response.CodeError,不得为裸 error(前端无法据此触发迁移)") assert.Equal(t, 403, ce.Code(), "必须是 403 以便前端分类") assert.Contains(t, ce.Error(), "未归属", "文案必须显式提示'未归属任何部门',便于人工判定是否需要跑数据迁移") } // --------------------------------------------------------------------------- // 覆盖目标:CheckManageAccess(WithPrefetchedTarget(...)) // 允许调用方透传已经 FindOne 到的 target,避免单次请求内重复 FindOne(targetUserId)。 // // 修复前:UpdateUserStatus / UpdateUser 一次请求会先做 ValidateStatusChange 里的 FindOne, // 紧接着 checkDeptHierarchy 里又 FindOne 一次,DB/缓存都白打一次 RTT。 // // 修复后的契约: // * Option 与参数一致(target.Id == targetUserId)时,FindOne 必须被跳过; // * 不一致时 option 失效(defensive ignore),checkDeptHierarchy 回退到原有 FindOne 路径。 // --------------------------------------------------------------------------- func buildMemberCallerCtx() context.Context { caller := &loaders.UserDetails{ UserId: 1, Username: "op", IsSuperAdmin: false, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, ProductCode: "pc_m5", DeptId: 100, DeptPath: "/100/", MinPermsLevel: 50, } return middleware.WithUserDetails(context.Background(), caller) } // TC-0860: 透传的 prefetched.Id 与 targetUserId 一致 → SysUserModel.FindOne 必须一次都不被调用。 func TestCheckManageAccess_PrefetchedTarget_SkipsFindOne(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock := mocks.NewMockSysUserModel(ctrl) // 关键断言:FindOne 次数为 0。gomock 默认不允许未声明的调用;省略 EXPECT 即相当于 0 次。 deptMock := mocks.NewMockSysDeptModel(ctrl) pmMock := mocks.NewMockSysProductMemberModel(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) // 目标用户所在部门的 Path 需满足 HasPrefix caller.DeptPath="/100/" deptMock.EXPECT().FindOne(gomock.Any(), int64(101)). Return(&deptModel.SysDept{Id: 101, Path: "/100/101/"}, nil) // 目标产品成员存在,MemberType=MEMBER 与 caller 同级 → 走 permsLevel 比较分支。 pmMock.EXPECT().FindOneByProductCodeUserId(gomock.Any(), "pc_m5", int64(42)). Return(&productmember.SysProductMember{MemberType: consts.MemberTypeMember}, nil) // 目标的 permsLevel 高于 caller(数值更大 → 权限更低),校验放行。 roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), "pc_m5"). Return(int64(100), nil) // checkPermLevel 现在会对 caller 也做一次 DB fresh read。 // caller.UserId=1,permsLevel=50(比 target=100 严格高权)→ 放行。 roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), "pc_m5"). Return(int64(50), nil) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) prefetched := &userModel.SysUser{Id: 42, DeptId: 101} err := CheckManageAccess(buildMemberCallerCtx(), svcCtx, 42, "pc_m5", WithPrefetchedTarget(prefetched)) assert.NoError(t, err, "prefetched 与 targetUserId 一致且业务级校验全部通过时应放行") // ctrl.Finish() 里会自动校验 userMock.FindOne 调用次数为 0(未显式 EXPECT), // 若源码回退到 FindOne 路径测试会抛 "unexpected call to FindOne" 直接 FAIL。 } // TC-0861: 透传的 prefetched.Id 与 targetUserId 不一致 → option 被 defensive 忽略, // 必须真实调用 SysUserModel.FindOne(ctx, targetUserId) 一次。 // 这是一条 "调用方把错 id 传进来时不能被当做合法 prefetched" 的安全断言: // 如果源码直接信任 prefetched 而不校验 Id,就会出现 "用 A 的 userDetails 去放行对 B 的管理"。 func TestCheckManageAccess_PrefetchedIdMismatch_IgnoredAndFallsBackToFindOne(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock := mocks.NewMockSysUserModel(ctrl) deptMock := mocks.NewMockSysDeptModel(ctrl) pmMock := mocks.NewMockSysProductMemberModel(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) // 关键断言:FindOne(targetUserId=42) 必须真实被调用一次,说明 prefetched 没被盲信。 // 我们返回的真实对象 DeptId=101(与乱传的 prefetched 一致),好让流程继续走通。 userMock.EXPECT().FindOne(gomock.Any(), int64(42)). Return(&userModel.SysUser{Id: 42, DeptId: 101}, nil).Times(1) deptMock.EXPECT().FindOne(gomock.Any(), int64(101)). Return(&deptModel.SysDept{Id: 101, Path: "/100/101/"}, nil) pmMock.EXPECT().FindOneByProductCodeUserId(gomock.Any(), "pc_m5", int64(42)). Return(&productmember.SysProductMember{MemberType: consts.MemberTypeMember}, nil) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), "pc_m5"). Return(int64(100), nil) // caller 侧 fresh read 仍需要。 roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), "pc_m5"). Return(int64(50), nil) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) // 故意传 Id=999,与 targetUserId=42 不一致。 wrong := &userModel.SysUser{Id: 999, DeptId: 101} err := CheckManageAccess(buildMemberCallerCtx(), svcCtx, 42, "pc_m5", WithPrefetchedTarget(wrong)) assert.NoError(t, err, "prefetched.Id 不匹配时回退 FindOne 后,本场景仍应通过业务级校验") } // 正向防御:prefetched 为 nil 时也不应 panic,且必须走 FindOne 一次(不传 option 的等价路径)。 func TestCheckManageAccess_NilPrefetched_FallsBackToFindOne(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock := mocks.NewMockSysUserModel(ctrl) deptMock := mocks.NewMockSysDeptModel(ctrl) pmMock := mocks.NewMockSysProductMemberModel(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) userMock.EXPECT().FindOne(gomock.Any(), int64(42)). Return(&userModel.SysUser{Id: 42, DeptId: 101}, nil).Times(1) deptMock.EXPECT().FindOne(gomock.Any(), int64(101)). Return(&deptModel.SysDept{Id: 101, Path: "/100/101/"}, nil) pmMock.EXPECT().FindOneByProductCodeUserId(gomock.Any(), "pc_m5", int64(42)). Return(&productmember.SysProductMember{MemberType: consts.MemberTypeMember}, nil) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), "pc_m5"). Return(int64(math.MaxInt64), nil) // caller 侧 fresh read。 roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), "pc_m5"). Return(int64(50), nil) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) err := CheckManageAccess(buildMemberCallerCtx(), svcCtx, 42, "pc_m5", WithPrefetchedTarget(nil)) assert.NoError(t, err) } // --------------------------------------------------------------------------- // 覆盖目标:checkPermLevel 在 DB 非 ErrNotFound 错误时必须 fail-close 返回 500, // 而不是被默默降级为"目标无角色 → 权限最低 → 放行"。 // 该测试用 gomock 伪造 SysRoleModel.FindMinPermsLevelByUserIdAndProductCode 返回一个通用 DB 错误, // 验证 CheckManageAccess 的响应是 500 CodeError(非 403)。 // --------------------------------------------------------------------------- // TC-0819: checkPermLevel 遇到非 ErrNotFound 的 DB 错误时必须 500。 func TestCheckManageAccess_DBError_FailCloseWith500(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const targetUserId = int64(42) const callerDeptId = int64(1) const targetDeptId = int64(2) const productCode = "test_product" // 让 checkDeptHierarchy 顺利放行:target 在 caller 子部门下(path 前缀 /1/)。 mockUser := mocks.NewMockSysUserModel(ctrl) mockUser.EXPECT().FindOne(gomock.Any(), int64(targetUserId)). Return(&userModel.SysUser{Id: targetUserId, DeptId: targetDeptId}, nil).AnyTimes() mockDept := mocks.NewMockSysDeptModel(ctrl) mockDept.EXPECT().FindOne(gomock.Any(), targetDeptId). Return(&deptModel.SysDept{Id: targetDeptId, Path: "/1/2/"}, nil).AnyTimes() // 让 permsLevel 判定路径进入:"target 也是 MEMBER,同级 → 需要 DB 查 permsLevel"。 mockPM := mocks.NewMockSysProductMemberModel(ctrl) mockPM.EXPECT().FindOneByProductCodeUserId(gomock.Any(), productCode, int64(targetUserId)). Return(&productmember.SysProductMember{ UserId: targetUserId, ProductCode: productCode, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, }, nil).AnyTimes() // 关键:SysRoleModel 返回非 ErrNotFound 的 DB 错误。 dbErr := errors.New("driver: bad connection") mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(targetUserId), productCode). Return(int64(0), dbErr).AnyTimes() svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: mockUser, Dept: mockDept, Role: mockRole, ProductMember: mockPM, }) ctx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 100, Username: "l4_member_caller", IsSuperAdmin: false, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, ProductCode: productCode, DeptId: callerDeptId, DeptPath: "/1/", MinPermsLevel: 100, }) err := CheckManageAccess(ctx, svcCtx, targetUserId, productCode) require.Error(t, err, "DB 错误时必须 fail-close") var ce *response.CodeError require.True(t, errors.As(err, &ce), "必须是结构化 CodeError") assert.Equal(t, 500, ce.Code(), "DB 非 ErrNotFound 错误绝不能被伪装成'无角色'从而降级为 403/放行;必须是 500") assert.NotContains(t, ce.Error(), "无权管理", "错误消息不得看起来像权限判定成功后做出的业务决策(避免误导运维)") } // TC-0820: 对照组 —— ErrNotFound 仍应被视作"无角色",即按最低权限处理(由 caller.MinPermsLevel 决定放行还是 403)。 // 这里构造 caller 的 MinPermsLevel=MaxInt64(sentinel),target 无角色(ErrNotFound) → // caller.MinPermsLevel(=MaxInt64) >= targetLevel(=MaxInt64) → 返回 403。这个分支不是本次回归重点, // 只是用来证明 ErrNotFound 路径没有被修复误伤为 500。 func TestCheckManageAccess_ErrNotFound_StillTreatedAsNoRole(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const targetUserId = int64(43) const callerDeptId = int64(1) const targetDeptId = int64(2) const productCode = "test_product" mockUser := mocks.NewMockSysUserModel(ctrl) mockUser.EXPECT().FindOne(gomock.Any(), int64(targetUserId)). Return(&userModel.SysUser{Id: targetUserId, DeptId: targetDeptId}, nil).AnyTimes() mockDept := mocks.NewMockSysDeptModel(ctrl) mockDept.EXPECT().FindOne(gomock.Any(), targetDeptId). Return(&deptModel.SysDept{Id: targetDeptId, Path: "/1/2/"}, nil).AnyTimes() mockPM := mocks.NewMockSysProductMemberModel(ctrl) mockPM.EXPECT().FindOneByProductCodeUserId(gomock.Any(), productCode, int64(targetUserId)). Return(&productmember.SysProductMember{ UserId: targetUserId, ProductCode: productCode, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, }, nil).AnyTimes() mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(targetUserId), productCode). Return(int64(0), sqlx.ErrNotFound).AnyTimes() // checkPermLevel 现在也会对 caller 做 fresh read。 // 这里构造"caller 同样无角色 → callerNoRole=true → >= 比较由 callerNoRole 决定,结果仍 403"。 mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(101), productCode). Return(int64(0), sqlx.ErrNotFound).AnyTimes() svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: mockUser, Dept: mockDept, Role: mockRole, ProductMember: mockPM, }) ctx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 101, Username: "l4_caller_no_role", IsSuperAdmin: false, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, ProductCode: productCode, DeptId: callerDeptId, DeptPath: "/1/", // sentinel:自己也没有任何角色。 MinPermsLevel: math.MaxInt64, }) err := CheckManageAccess(ctx, svcCtx, targetUserId, productCode) require.Error(t, err, "caller 与 target 都 sentinel → >= 比较应拦截") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code(), "ErrNotFound 正常降级为 sentinel;结果应是业务 403 而非基础设施 500") } // --------------------------------------------------------------------------- // 覆盖目标:checkPermLevel 必须对 caller.MinPermsLevel 做 DB fresh read。 // // 修复前:caller.MinPermsLevel 来自 UserDetailsLoader 5min TTL 缓存。超管刚把 caller 降级后 // 缓存里仍是旧(更高权)级别,降级 admin 在 5min 内仍可跨级管辖目标用户 —— 这是 的 // GuardRoleLevelAssignable 修复所没有覆盖的"直接管人"分支。 // // 修复后契约: // 1. caller 刚被降级,缓存 MinPermsLevel=低(高权)但 DB 实值=高(低权)→ 走 DB 值,仍拒 403。 // 2. caller 在 DB 里已无角色(sqlx.ErrNotFound)→ callerNoRole=true → 同级管辖拒。 // 3. caller 侧 DB 抖动(非 ErrNotFound)→ 500 fail-close,不得降级为"无角色放行"。 // 4. SuperAdmin caller 短路,永不触发 caller 侧 DB 读。 // 5. caller 管自己时短路在 CheckManageAccess 顶部,根本不到 checkPermLevel。 // // 命名规则:TC-0969 ~ TC-0975 // --------------------------------------------------------------------------- const h2TestProductCode = "pc_h2" // h2MockTargetMemberAndDept 为所有 测试共享的 target 侧 mock: // - target.MemberType=MEMBER(与 MEMBER caller 同级 → 必然进入 permsLevel 对比路径) // - target.DeptPath=/100/101/ 使 caller.DeptPath=/100/ 顺利覆盖 func h2MockTargetMemberAndDept(ctrl *gomock.Controller) ( *mocks.MockSysUserModel, *mocks.MockSysDeptModel, *mocks.MockSysProductMemberModel, ) { userMock := mocks.NewMockSysUserModel(ctrl) userMock.EXPECT().FindOne(gomock.Any(), int64(42)). Return(&userModel.SysUser{Id: 42, DeptId: 101}, nil).AnyTimes() deptMock := mocks.NewMockSysDeptModel(ctrl) deptMock.EXPECT().FindOne(gomock.Any(), int64(101)). Return(&deptModel.SysDept{Id: 101, Path: "/100/101/"}, nil).AnyTimes() pmMock := mocks.NewMockSysProductMemberModel(ctrl) pmMock.EXPECT().FindOneByProductCodeUserId(gomock.Any(), h2TestProductCode, int64(42)). Return(&productmember.SysProductMember{MemberType: consts.MemberTypeMember}, nil).AnyTimes() return userMock, deptMock, pmMock } func h2DowngradedCallerCtx(cachedLevel int64) *loaders.UserDetails { return &loaders.UserDetails{ UserId: 1, Username: "h2_caller", IsSuperAdmin: false, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, ProductCode: h2TestProductCode, DeptId: 100, DeptPath: "/100/", MinPermsLevel: cachedLevel, } } // TC-0969: caller 缓存里还是高权(level=10),但 DB 已被降级到低权(level=100) // target level=50;按缓存 "10 < 50" 应放行,按 DB fresh read "100 >= 50" 应拒绝。 // 修复后必须以 DB 为准 → 403。 func TestCheckPermLevel_StaleCacheHighPriv_FreshReadLowPriv_Forbids(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock, deptMock, pmMock := h2MockTargetMemberAndDept(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) // target fresh read:level=50 roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), h2TestProductCode). Return(int64(50), nil).Times(1) // caller fresh read:DB 真实已降级到 100(低权),比 target 的 50 更低权 → 应拒 roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), h2TestProductCode). Return(int64(100), nil).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) // 关键:缓存里还是 10(降级前的高权级别)—— 源码如果信任 caller.MinPermsLevel 就会放行。 ctx := ctxhelper.CustomCtx(h2DowngradedCallerCtx(10)) err := CheckManageAccess(ctx, svcCtx, 42, h2TestProductCode) require.Error(t, err, "降级后缓存仍高权的 caller 必须被 DB 实值拦截") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code(), "TOCTOU 修复后必须走 DB,结果为 403;若测试看到 200/nil err 说明仍读的是 caller.MinPermsLevel 缓存") assert.Contains(t, ce.Error(), "无权管理权限级别高于或等于您的用户") } // TC-0970: caller 在 DB 里已无任何角色(ErrNotFound)→ 即便缓存仍显示 MinPermsLevel=10,也必须拒。 // 对称验证 里 GuardRoleLevelAssignable 对"caller 被清角色"的处理方式。 func TestCheckPermLevel_CallerFreshRead_NotFound_ForbidsEvenWithCachedLevel(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock, deptMock, pmMock := h2MockTargetMemberAndDept(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), h2TestProductCode). Return(int64(50), nil).Times(1) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), h2TestProductCode). Return(int64(0), sqlx.ErrNotFound).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) ctx := ctxhelper.CustomCtx(h2DowngradedCallerCtx(10)) err := CheckManageAccess(ctx, svcCtx, 42, h2TestProductCode) require.Error(t, err, "caller 在 DB 已无角色时一律拒绝同级/跨级管辖") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0971: 正向通过路径 —— caller DB level=10(高权),target level=50 → 严格高权,放行。 // 用来证明修复没有误伤合法管理路径。 func TestCheckPermLevel_FreshRead_HigherPriv_Passes(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock, deptMock, pmMock := h2MockTargetMemberAndDept(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), h2TestProductCode). Return(int64(50), nil).Times(1) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), h2TestProductCode). Return(int64(10), nil).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) ctx := ctxhelper.CustomCtx(h2DowngradedCallerCtx(10)) err := CheckManageAccess(ctx, svcCtx, 42, h2TestProductCode) assert.NoError(t, err, "合法严格高权管理路径不得被修复误伤") } // TC-0972: caller 侧 DB 非 ErrNotFound 错误 → 500 fail-close。 // 对称于 checkPermLevel 里 target 侧的 fail-close,把 caller 侧也钉死,避免"DB 抖动被伪装成无角色"。 func TestCheckPermLevel_CallerFreshRead_GenericDBErr_FailsClosedWith500(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) userMock, deptMock, pmMock := h2MockTargetMemberAndDept(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), h2TestProductCode). Return(int64(50), nil).Times(1) // caller 侧 DB 抖动 dbErr := errors.New("driver: bad connection") roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(1), h2TestProductCode). Return(int64(0), dbErr).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) ctx := ctxhelper.CustomCtx(h2DowngradedCallerCtx(10)) err := CheckManageAccess(ctx, svcCtx, 42, h2TestProductCode) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 500, ce.Code(), "caller 侧 DB 抖动必须 fail-close 500,绝不能伪装成'无角色→放行'") // 不得透传驱动细节 assert.NotContains(t, ce.Error(), "driver: bad connection") } // TC-0973: SuperAdmin caller 短路 —— 不应触发任何 caller 侧 DB 读。 // 如果修复把 fresh read 放错位置,SuperAdmin 也会被多打一次 DB,测试会因 Role mock 收到未预期调用而挂。 func TestCheckPermLevel_SuperAdmin_ShortCircuits_NoCallerFreshRead(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) // 故意不设任何 mock EXPECT —— 任何 DB 调用都会 fail。 userMock := mocks.NewMockSysUserModel(ctrl) deptMock := mocks.NewMockSysDeptModel(ctrl) pmMock := mocks.NewMockSysProductMemberModel(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) super := &loaders.UserDetails{ UserId: 999, Username: "super_h2", IsSuperAdmin: true, MemberType: consts.MemberTypeSuperAdmin, Status: consts.StatusEnabled, ProductCode: h2TestProductCode, } err := CheckManageAccess(ctxhelper.CustomCtx(super), svcCtx, 42, h2TestProductCode) assert.NoError(t, err, "SuperAdmin 必须在 CheckManageAccess 顶部短路,不得触发 fresh read") } // TC-0974: caller 管理自己时必须在 CheckManageAccess 顶部短路( 已钉); // 修复不得把这条路径带偏到 fresh read。 func TestCheckPermLevel_ManageSelf_ShortCircuits_NoFreshRead(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) // 故意不设 mock EXPECT,caller 管自己应该一次 DB 都不打。 userMock := mocks.NewMockSysUserModel(ctrl) deptMock := mocks.NewMockSysDeptModel(ctrl) pmMock := mocks.NewMockSysProductMemberModel(ctrl) roleMock := mocks.NewMockSysRoleModel(ctrl) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{ User: userMock, Dept: deptMock, ProductMember: pmMock, Role: roleMock, }) ctx := ctxhelper.CustomCtx(h2DowngradedCallerCtx(100)) err := CheckManageAccess(ctx, svcCtx, 1 /* 就是 caller.UserId */, h2TestProductCode) assert.NoError(t, err, "caller 管自己永远放行,且不触发 DB fresh read") } // TC-0975: 与 共享 loadFreshMinPermsLevel helper(契约自洽性)。 // 既然 checkPermLevel 与 GuardRoleLevelAssignable 两个授权决策点的 caller 侧都走同一个 helper, // 任意通用 DB 错误都必须映射为同一文案的 500 CodeError,任意 ErrNotFound 都映射为 notFound=true。 // 这里覆盖 helper 的两个对称分支。 func TestLoadFreshMinPermsLevel_ContractParity(t *testing.T) { t.Run("generic DB error → 500 fail-close", func(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) roleMock := mocks.NewMockSysRoleModel(ctrl) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(7), h2TestProductCode). Return(int64(0), errors.New("i/o timeout")).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: roleMock}) level, notFound, err := loadFreshMinPermsLevel(ctxhelper.CustomCtx(nil), svcCtx, 7, h2TestProductCode) assert.Equal(t, int64(0), level) assert.False(t, notFound) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 500, ce.Code()) }) t.Run("ErrNotFound → notFound=true, err=nil", func(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) roleMock := mocks.NewMockSysRoleModel(ctrl) roleMock.EXPECT().FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(8), h2TestProductCode). Return(int64(0), sqlx.ErrNotFound).Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: roleMock}) level, notFound, err := loadFreshMinPermsLevel(ctxhelper.CustomCtx(nil), svcCtx, 8, h2TestProductCode) assert.NoError(t, err) assert.True(t, notFound) assert.Equal(t, int64(0), level) }) } // --------------------------------------------------------------------------- // 覆盖目标:GuardRoleLevelAssignable 必须每次走 DB 强一致查询, // 绝不能信任 caller(loaders.UserDetails)里可能已经 stale 的 MinPermsLevel 缓存。 // // TOCTOU 场景: // 1. caller 原先是 permsLevel=5 的高阶成员。 // 2. 超管把 caller 的高阶角色摘掉,现在 DB 里 MinPermsLevel=100(低阶)。 // 3. UD 缓存还没被 Clean(Redis 抖动 / TTL 窗口内),caller.MinPermsLevel=5 是旧值。 // 4. caller 此刻尝试分配 permsLevel=50 的角色 —— 若信缓存(5 vs 50)会**误放行**; // 修复后走 DB(100 vs 50),必须 403 拦截。 // --------------------------------------------------------------------------- // TC-0930: stale caller.MinPermsLevel 不得影响判定,rolePermsLevel <= freshLevel 必须 403。 func TestGuardRoleLevelAssignable_StaleCallerCache_FreshDBRejects(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const productCode = "m3_pc_stale" const callerId = int64(1001) mockRole := mocks.NewMockSysRoleModel(ctrl) // 关键:DB 强一致返回 100(被降级后的真实等级)。 mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), callerId, productCode). Return(int64(100), nil). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: callerId, Username: "m3_stale_caller", MemberType: consts.MemberTypeMember, ProductCode: productCode, Status: consts.StatusEnabled, MinPermsLevel: 5, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 50) require.Error(t, err, "stale 缓存(5) 下试图分配 permsLevel=50,信缓存会放行;走 DB(100) 必须 403") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code(), "拒绝分配高于自身 fresh 等级的角色 → 403") } // TC-0931: 同级(rolePermsLevel == freshLevel)也要拦截,保持与 checkPermLevel 的 ">=" 对齐。 func TestGuardRoleLevelAssignable_SameLevel_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const productCode = "m3_pc_same" const callerId = int64(1002) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), callerId, productCode). Return(int64(50), nil). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: callerId, Username: "m3_same_caller", MemberType: consts.MemberTypeMember, ProductCode: productCode, Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 50) require.Error(t, err, "与自身同级不允许分配,否则会让下属获得与上级等效的权力") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "同级") } // TC-0932: rolePermsLevel 严格低于 freshLevel(数值更大)时放行。 func TestGuardRoleLevelAssignable_StrictlyLower_Allowed(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const productCode = "m3_pc_ok" const callerId = int64(1003) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), callerId, productCode). Return(int64(50), nil). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: callerId, Username: "m3_ok_caller", MemberType: consts.MemberTypeMember, ProductCode: productCode, Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 80) require.NoError(t, err, "permsLevel=80 严格低于 freshLevel=50(数值更大 = 更低权限)应放行") } // TC-0933: SuperAdmin 完全豁免,不触发任何 DB 查询。 func TestGuardRoleLevelAssignable_SuperAdmin_BypassNoDBCall(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) mockRole := mocks.NewMockSysRoleModel(ctrl) // 预期 0 次调用:SuperAdmin 必须短路返回,不能浪费 DB RTT。 mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), gomock.Any(), gomock.Any()). Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: 1, Username: "root", IsSuperAdmin: true, Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 1) require.NoError(t, err, "SuperAdmin 必须放行任何 permsLevel") } // TC-0934: 产品 ADMIN 拥有全权,豁免 DB 查询。 func TestGuardRoleLevelAssignable_ProductAdmin_BypassNoDBCall(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), gomock.Any(), gomock.Any()). Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: 2, Username: "pa", MemberType: consts.MemberTypeAdmin, ProductCode: "p1", Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 1) require.NoError(t, err, "产品 ADMIN 属于全权角色,必须豁免等级校验") } // TC-0935: DEVELOPER 同样享有全权豁免。 func TestGuardRoleLevelAssignable_Developer_BypassNoDBCall(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), gomock.Any(), gomock.Any()). Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: 3, Username: "dev", MemberType: consts.MemberTypeDeveloper, ProductCode: "p1", Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 1) require.NoError(t, err) } // TC-0936: caller 在 DB 里**无任何角色**(ErrNotFound),必须 403,不能默认为 MaxInt64 放行。 // 这里的语义是"没有可分配的角色等级":一个 MEMBER 连自己都没角色,自然不能分配角色给别人。 func TestGuardRoleLevelAssignable_CallerHasNoRole_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const productCode = "m3_pc_noRole" const callerId = int64(1004) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), callerId, productCode). Return(int64(0), sqlx.ErrNotFound). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: callerId, Username: "m3_no_role", MemberType: consts.MemberTypeMember, ProductCode: productCode, Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 99) require.Error(t, err, "caller 无任何角色时必须拒绝,否则会被误判为 MaxInt64 最低级从而放行任何 permsLevel") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) assert.Contains(t, ce.Error(), "没有可分配的角色等级") } // TC-0937: DB 抖动(非 ErrNotFound)必须 fail-close 返回 500,不得降级为"无角色 → 放行"。 func TestGuardRoleLevelAssignable_DBError_FailCloseWith500(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const productCode = "m3_pc_dbErr" const callerId = int64(1005) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), callerId, productCode). Return(int64(0), errors.New("driver: bad connection")). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: callerId, Username: "m3_db_err", MemberType: consts.MemberTypeMember, ProductCode: productCode, Status: consts.StatusEnabled, } err := GuardRoleLevelAssignable(context.Background(), svcCtx, caller, 10) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 500, ce.Code(), "DB 非 ErrNotFound 错误必须 fail-close 500,不能被伪装成 ErrNotFound → 放行超权分配") } // TC-0938: nil caller 防御:理论上无登录上下文绝不该进入此函数,防御性路径必须 403 而非 panic。 func TestGuardRoleLevelAssignable_NilCaller_Rejected(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), gomock.Any(), gomock.Any()). Times(0) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) err := GuardRoleLevelAssignable(context.Background(), svcCtx, nil, 10) require.Error(t, err, "nil caller 必须被拦截,杜绝隐式放行") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // --------------------------------------------------------------------------- // 覆盖目标:LoadCallerAssignableLevel 在一次请求内对同一 caller 只做 // 一次 DB 读;CheckRoleLevelAgainst 不再访问 DB,给 BindRoles 这种"批量覆盖"的接口把 // N 次 loadFreshMinPermsLevel 合并为 1 次。 // // 核心断言口径: // 1. SuperAdmin / ADMIN / DEVELOPER 等全权调用者不打 DB(HasFullPerms=true 短路); // 2. MEMBER caller 打 1 次 FindMinPermsLevelByUserIdAndProductCode; // 3. caller.ErrNotFound → NoRole=true(不打翻 500); // 4. caller 其他 DB 错误 → fail-close 500(保持与 loadFreshMinPermsLevel 一致的口径, // 避免降级为"无角色 = 最低级"放行)。 // 5. CheckRoleLevelAgainst 是纯函数,不访问 svcCtx。 // --------------------------------------------------------------------------- // TC-1017: SuperAdmin / ADMIN / DEVELOPER 走 HasFullPerms 短路,不触碰 DB。 func TestLoadCallerAssignableLevel_FullPermsShortCircuit_NoDB(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) mockRole := mocks.NewMockSysRoleModel(ctrl) // 关键:没有 EXPECT.FindMinPermsLevelByUserIdAndProductCode —— 一旦被调用会 fail。 svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) cases := []struct { name string caller *loaders.UserDetails }{ { name: "SuperAdmin", caller: &loaders.UserDetails{UserId: 1, IsSuperAdmin: true, ProductCode: "p"}, }, { name: "ADMIN", caller: &loaders.UserDetails{UserId: 2, MemberType: consts.MemberTypeAdmin, ProductCode: "p"}, }, { name: "DEVELOPER", caller: &loaders.UserDetails{UserId: 3, MemberType: consts.MemberTypeDeveloper, ProductCode: "p"}, }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { snap, err := LoadCallerAssignableLevel(context.Background(), svcCtx, c.caller) require.NoError(t, err) assert.True(t, snap.HasFullPerms, "全权调用者必须落 HasFullPerms 分支") assert.False(t, snap.NoRole) }) } } // TC-1018: MEMBER caller 仅打 1 次 FindMinPermsLevelByUserIdAndProductCode; // 循环内对 N 个角色走 CheckRoleLevelAgainst 不再打 DB。 func TestLoadCallerAssignableLevel_Member_ReadsDBOnce_ThenConstantTime(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) const callerId = int64(1001) const productCode = "pc_m_r10_3" mockRole := mocks.NewMockSysRoleModel(ctrl) // 关键断言:Times(1) 保证 N 个角色场景不会退化为 N 次 DB 读。 mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), callerId, productCode). Return(int64(100), nil). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: callerId, MemberType: consts.MemberTypeMember, ProductCode: productCode, } snap, err := LoadCallerAssignableLevel(context.Background(), svcCtx, caller) require.NoError(t, err) assert.False(t, snap.HasFullPerms) assert.False(t, snap.NoRole) assert.Equal(t, int64(100), snap.Level) // 模拟 BindRoles 批量覆盖的循环:5 个角色,全部走 CheckRoleLevelAgainst 的纯比较, // 任何一个角色额外打 DB 都会命中 gomock 的 "unexpected call" 断言。 roleLevels := []int64{200, 150, 300, 120, 999} for _, rl := range roleLevels { if err := CheckRoleLevelAgainst(snap, rl); err != nil { t.Fatalf("role level %d should be assignable against caller level %d: %v", rl, snap.Level, err) } } // 同级与更高级一律拒绝(与 GuardRoleLevelAssignable 对称): for _, rl := range []int64{100, 50, 1} { err := CheckRoleLevelAgainst(snap, rl) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr), "同级或更高级必须返回 CodeError") assert.Equal(t, 403, codeErr.Code()) } } // TC-1019: caller 在该产品下无角色 → NoRole=true,不回滚 500。 func TestLoadCallerAssignableLevel_Member_ErrNotFound_MapsToNoRole(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(42), "pc"). Return(int64(0), sqlx.ErrNotFound). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: 42, MemberType: consts.MemberTypeMember, ProductCode: "pc", } snap, err := LoadCallerAssignableLevel(context.Background(), svcCtx, caller) require.NoError(t, err, "ErrNotFound 必须被归一为 NoRole=true,不得外泄为 500") assert.False(t, snap.HasFullPerms) assert.True(t, snap.NoRole) // 验证 NoRole 的 caller 连最低级角色也无法分配(与修复前保持的业务语义一致)。 err = CheckRoleLevelAgainst(snap, 999) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 403, codeErr.Code()) assert.Contains(t, codeErr.Error(), "没有可分配的角色等级") } // TC-1020: caller 其他 DB 错误必须 fail-close 500,不得降级为 NoRole 放行。 // 保证修复没有把"DB 抖动"悄悄压成"无角色 → 最低级 → 403"这种语义欺骗。 func TestLoadCallerAssignableLevel_Member_DBError_FailClose500(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) dbErr := errors.New("driver: bad connection") mockRole := mocks.NewMockSysRoleModel(ctrl) mockRole.EXPECT(). FindMinPermsLevelByUserIdAndProductCode(gomock.Any(), int64(7), "pc"). Return(int64(0), dbErr). Times(1) svcCtx := mocks.NewMockServiceContext(mocks.MockModels{Role: mockRole}) caller := &loaders.UserDetails{ UserId: 7, MemberType: consts.MemberTypeMember, ProductCode: "pc", } _, err := LoadCallerAssignableLevel(context.Background(), svcCtx, caller) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr), "DB 抖动必须 fail-close 为 CodeError 而非 nil") assert.Equal(t, 500, codeErr.Code()) }