weiym
/
perms-system-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247
							package user

import (
	"context"
	"database/sql"
	"errors"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"os"
	"perms-system-server/internal/consts"
	"perms-system-server/internal/loaders"
	"perms-system-server/internal/middleware"
	memberModel "perms-system-server/internal/model/productmember"
	userModel "perms-system-server/internal/model/user"
	"perms-system-server/internal/model/userrole"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/testutil"
	"perms-system-server/internal/testutil/ctxhelper"
	"perms-system-server/internal/types"
	"testing"
	"time"
)

func TestUserDetail_Success(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()

	username := testutil.UniqueId()
	userId := insertTestUser(t, ctx, username, testutil.HashPassword("pass"))

	// 插入两条"当前产品"下的真实 sys_role 以及一条属于其它产品的 sys_role，
	// 用户同时绑定这三个角色。超管在 test_product 上下文下应当只看到前两个。
	roleInCurrent1 := insertTestRole(t, svcCtx, "test_product", 1)
	roleInCurrent2 := insertTestRole(t, svcCtx, "test_product", 1)
	roleInOther := insertTestRole(t, svcCtx, "other_product", 1)

	now := time.Now().Unix()
	var roleRecordIds []int64
	for _, roleId := range []int64{roleInCurrent1, roleInCurrent2, roleInOther} {
		res, err := svcCtx.SysUserRoleModel.Insert(ctx, &userrole.SysUserRole{
			UserId:     userId,
			RoleId:     roleId,
			CreateTime: now,
			UpdateTime: now,
		})
		require.NoError(t, err)
		id, _ := res.LastInsertId()
		roleRecordIds = append(roleRecordIds, id)
	}

	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_user_role`", roleRecordIds...)
		testutil.CleanTable(ctx, conn, "`sys_role`", roleInCurrent1, roleInCurrent2, roleInOther)
		testutil.CleanTable(ctx, conn, "`sys_user`", userId)
	})

	logic := NewUserDetailLogic(ctx, svcCtx)
	resp, err := logic.UserDetail(&types.UserDetailReq{Id: userId})
	require.NoError(t, err)
	require.NotNil(t, resp)

	assert.Equal(t, userId, resp.Id)
	assert.Equal(t, username, resp.Username)
	// 修复后：超管在产品上下文里只看到 test_product 的角色；other_product 的角色不应返回
	assert.ElementsMatch(t, []int64{roleInCurrent1, roleInCurrent2}, resp.RoleIds)
	assert.NotContains(t, resp.RoleIds, roleInOther, "超管在具体产品上下文不应返回其它产品的 roleIds")
}

// TC-0182: 正常查询-含Avatar
func TestUserDetail_WithAvatar(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()

	userId := insertTestUserFull(t, ctx, &userModel.SysUser{
		Username:           testutil.UniqueId(),
		Password:           testutil.HashPassword("pass"),
		Nickname:           "avatar_user",
		Avatar:             sql.NullString{String: "https://example.com/avatar.png", Valid: true},
		IsSuperAdmin:       2,
		MustChangePassword: 2,
		Status:             1,
	})
	t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) })

	logic := NewUserDetailLogic(ctx, svcCtx)
	resp, err := logic.UserDetail(&types.UserDetailReq{Id: userId})
	require.NoError(t, err)
	require.NotNil(t, resp)
	assert.Equal(t, "https://example.com/avatar.png", resp.Avatar)
}

// TC-0183: 不存在
func TestUserDetail_NotFound(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())

	logic := NewUserDetailLogic(ctx, svcCtx)
	_, err := logic.UserDetail(&types.UserDetailReq{Id: 999999999})
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 404, codeErr.Code())
	assert.Equal(t, "用户不存在", codeErr.Error())
}

const auditPendingEnv = "AUDIT_RUN_PENDING"

func skipPending(t *testing.T, marker, reason string) {
	t.Helper()
	if os.Getenv(auditPendingEnv) != "" {
		return
	}
	t.Skipf("AUDIT_PENDING %s (Round 8 fix 未落地) —— %s", marker, reason)
}

func insertH1Member(t *testing.T, ctx context.Context, svcCtx *svc.ServiceContext, productCode string, u *userModel.SysUser) (int64, int64) {
	t.Helper()
	id := insertTestUserFull(t, ctx, u)
	now := time.Now().Unix()
	res, err := svcCtx.SysProductMemberModel.Insert(ctx, &memberModel.SysProductMember{
		ProductCode: productCode, UserId: id, MemberType: consts.MemberTypeMember,
		Status: 1, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	mId, _ := res.LastInsertId()
	return id, mId
}

// TC-0990:  对抗性 —— 同产品 MEMBER 互看，必须屏蔽 Email/Phone/Remark。
func TestUserDetail_H1_MemberViewingPeer_MustMaskPII(t *testing.T) {
	skipPending(t, "H-1",
		"UserDetail 当前把 Email/Phone/Remark 原样回传同产品 MEMBER；"+
			"待 filterPIIForCaller + CanViewContact 落地后移除 Skip")
	ctx := context.Background()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	productCode := "h1_" + testutil.UniqueId()

	target, mTarget := insertH1Member(t, ctx, svcCtx, productCode, &userModel.SysUser{
		Username:           "t_" + testutil.UniqueId(),
		Password:           testutil.HashPassword("pw"),
		Nickname:           "target",
		Avatar:             sql.NullString{},
		Email:              "[email protected]",
		Phone:              "13800001111",
		Remark:             "内部岗位: 副总",
		DeptId:             1,
		IsSuperAdmin:       2,
		MustChangePassword: 2,
		Status:             1,
	})
	caller, mCaller := insertH1Member(t, ctx, svcCtx, productCode, &userModel.SysUser{
		Username:           "c_" + testutil.UniqueId(),
		Password:           testutil.HashPassword("pw"),
		Nickname:           "caller",
		IsSuperAdmin:       2,
		MustChangePassword: 2,
		Status:             1,
		DeptId:             1,
	})
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_product_member`", mTarget, mCaller)
		testutil.CleanTable(ctx, conn, "`sys_user`", target, caller)
	})

	callerCtx := middleware.WithUserDetails(context.Background(), &loaders.UserDetails{
		UserId: caller, Username: "caller", MemberType: consts.MemberTypeMember,
		Status: 1, ProductCode: productCode, DeptId: 1, DeptPath: "/1/", MinPermsLevel: 100,
	})

	resp, err := NewUserDetailLogic(callerCtx, svcCtx).UserDetail(&types.UserDetailReq{Id: target})
	require.NoError(t, err)
	require.NotNil(t, resp)

	assert.NotEqual(t, "[email protected]", resp.Email,
		"同级 MEMBER 互看时 Email 必须脱敏（例：t***@example.com），禁止原文暴露")
	assert.NotEqual(t, "13800001111", resp.Phone,
		"同级 MEMBER 互看时 Phone 必须脱敏（例：138****1111）")
	assert.Empty(t, resp.Remark,
		"Remark 常含内部岗位/外部联络人，MEMBER 互看时必须清空")
}

// TC-0991:  正向——看自己时 Email/Phone/Remark 必须返回原值。
func TestUserDetail_H1_ViewSelf_KeepsPII(t *testing.T) {
	skipPending(t, "H-1",
		"UserDetail 缺少 caller.UserId == target.Id 的 PII 放行短路；fix 落地后取消 Skip")
	ctx := context.Background()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	productCode := "h1_self_" + testutil.UniqueId()

	selfId, mSelf := insertH1Member(t, ctx, svcCtx, productCode, &userModel.SysUser{
		Username:           "self_" + testutil.UniqueId(),
		Password:           testutil.HashPassword("pw"),
		Nickname:           "self",
		Email:              "[email protected]",
		Phone:              "13900002222",
		Remark:             "self-only note",
		IsSuperAdmin:       2,
		MustChangePassword: 2,
		Status:             1,
		DeptId:             1,
	})
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_product_member`", mSelf)
		testutil.CleanTable(ctx, conn, "`sys_user`", selfId)
	})

	selfCtx := middleware.WithUserDetails(context.Background(), &loaders.UserDetails{
		UserId: selfId, Username: "self", MemberType: consts.MemberTypeMember,
		Status: 1, ProductCode: productCode, DeptId: 1, DeptPath: "/1/", MinPermsLevel: 100,
	})

	resp, err := NewUserDetailLogic(selfCtx, svcCtx).UserDetail(&types.UserDetailReq{Id: selfId})
	require.NoError(t, err)

	assert.Equal(t, "[email protected]", resp.Email, "看自己必须返回 Email 原值")
	assert.Equal(t, "13900002222", resp.Phone, "看自己必须返回 Phone 原值")
	assert.Equal(t, "self-only note", resp.Remark, "看自己必须返回 Remark 原值")
}

// TC-0992:  超管分支 —— SuperAdmin 看任何用户都可以看到 PII 原值（工单兜底）。
// 该分支本应通过；若 fix 改错把超管也一起脱敏了这条会挂，触发回归。
func TestUserDetail_H1_SuperAdmin_KeepsPII(t *testing.T) {
	skipPending(t, "H-1",
		"当前无脱敏逻辑，超管天然看到原值；fix 落地后本测试用来防回归，确保超管不被误脱敏")
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()

	userId := insertTestUserFull(t, ctx, &userModel.SysUser{
		Username: "sa_view_" + testutil.UniqueId(), Password: testutil.HashPassword("pw"),
		Nickname: "n", Email: "[email protected]", Phone: "13700000000", Remark: "nb",
		IsSuperAdmin: 2, MustChangePassword: 2, Status: 1,
	})
	t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) })

	resp, err := NewUserDetailLogic(ctx, svcCtx).UserDetail(&types.UserDetailReq{Id: userId})
	require.NoError(t, err)
	assert.Equal(t, "[email protected]", resp.Email)
	assert.Equal(t, "13700000000", resp.Phone)
	assert.Equal(t, "nb", resp.Remark)
}