weiym
/
perms-system-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241
							package pub

import (
	"context"
	"errors"
	"testing"
	"time"

	"perms-system-server/internal/response"
	"perms-system-server/internal/testutil"
	"perms-system-server/internal/types"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TC-0015: 超管正常登录(管理后台)
func TestAdminLogin_SuperAdmin(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()
	username := testutil.UniqueId()
	password := "TestPass123"

	_, cleanUser := insertTestUser(t, ctx, svcCtx, username, password, 1, 1)
	t.Cleanup(cleanUser)

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      username,
		Password:      password,
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.NoError(t, err)
	require.NotNil(t, resp)
	assert.NotEmpty(t, resp.AccessToken)
	assert.NotEmpty(t, resp.RefreshToken)
	assert.True(t, resp.Expires > time.Now().Unix(), "expires应为未来的unix时间戳")
	assert.Equal(t, username, resp.UserInfo.Username)
	assert.Equal(t, int64(1), resp.UserInfo.IsSuperAdmin)
	assert.Nil(t, resp.UserInfo.Perms)
	assert.Equal(t, "SUPER_ADMIN", resp.UserInfo.MemberType)
}

// TC-0016: 普通用户被拒绝(审计H1修复: 仅超管可通过管理后台登录)
func TestAdminLogin_NormalUserRejected(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()
	username := testutil.UniqueId()
	password := "TestPass123"

	_, cleanUser := insertTestUser(t, ctx, svcCtx, username, password, 1, 2)
	t.Cleanup(cleanUser)

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      username,
		Password:      password,
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 403, codeErr.Code())
	assert.Equal(t, "仅超级管理员可通过管理后台登录", codeErr.Error())
}

// TC-0017: managementKey无效
func TestAdminLogin_InvalidManagementKey(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      "anyone",
		Password:      "pass",
		ManagementKey: "wrong-key",
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 401, codeErr.Code())
	assert.Equal(t, "managementKey无效", codeErr.Error())
}

// TC-0018: managementKey为空
func TestAdminLogin_EmptyManagementKey(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      "anyone",
		Password:      "pass",
		ManagementKey: "",
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 401, codeErr.Code())
	assert.Equal(t, "managementKey无效", codeErr.Error())
}

// TC-0019: 用户不存在
func TestAdminLogin_UserNotFound(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      "nonexistent_" + testutil.UniqueId(),
		Password:      "whatever",
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 401, codeErr.Code())
	assert.Equal(t, "用户名或密码错误", codeErr.Error())
}

// TC-0020: 密码错误
func TestAdminLogin_WrongPassword(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()
	username := testutil.UniqueId()

	_, cleanUser := insertTestUser(t, ctx, svcCtx, username, "CorrectPass", 1, 2)
	t.Cleanup(cleanUser)

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      username,
		Password:      "WrongPass",
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 401, codeErr.Code())
	assert.Equal(t, "用户名或密码错误", codeErr.Error())
}

// TC-0021: 账号冻结
func TestAdminLogin_AccountFrozen(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()
	username := testutil.UniqueId()
	password := "TestPass123"

	_, cleanUser := insertTestUser(t, ctx, svcCtx, username, password, 2, 2)
	t.Cleanup(cleanUser)

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      username,
		Password:      password,
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 403, codeErr.Code())
	assert.Equal(t, "账号已被冻结", codeErr.Error())
}

// TC-0022: 不带productCode时token无权限(perms为空)
func TestAdminLogin_NoPermsWithoutProductCode(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()
	username := testutil.UniqueId()
	password := "TestPass123"

	_, cleanUser := insertTestUser(t, ctx, svcCtx, username, password, 1, 1)
	t.Cleanup(cleanUser)

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      username,
		Password:      password,
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.NoError(t, err)
	require.NotNil(t, resp)
	assert.Nil(t, resp.UserInfo.Perms, "管理后台不传productCode,不应加载权限列表")
	assert.Equal(t, "SUPER_ADMIN", resp.UserInfo.MemberType, "超管即使不传productCode也会被标记SUPER_ADMIN")
}

// TC-0025: adminLogin 用户名级别限流(H-2修复验证)
func TestAdminLogin_UsernameRateLimit(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()
	require.NotNil(t, svcCtx.UsernameLoginLimit, "UsernameLoginLimit 应被配置")

	username := "rl_" + testutil.UniqueId()

	logic := NewAdminLoginLogic(ctx, svcCtx)
	var last error
	for i := 0; i < 11; i++ {
		_, last = logic.AdminLogin(&types.AdminLoginReq{
			Username:      username,
			Password:      "wrong_pass",
			ManagementKey: svcCtx.Config.Auth.ManagementKey,
		})
		require.Error(t, last)
	}
	var ce *response.CodeError
	require.True(t, errors.As(last, &ce))
	assert.Equal(t, 429, ce.Code(), "第11次应被用户名级限流")
}

// TC-0024: SQL注入username
func TestAdminLogin_SQLInjection(t *testing.T) {
	ctx := context.Background()
	svcCtx := newTestSvcCtx()

	logic := NewAdminLoginLogic(ctx, svcCtx)
	resp, err := logic.AdminLogin(&types.AdminLoginReq{
		Username:      "' OR 1=1 --",
		Password:      "anything",
		ManagementKey: svcCtx.Config.Auth.ManagementKey,
	})
	require.Nil(t, resp)
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 401, codeErr.Code())
	assert.Equal(t, "用户名或密码错误", codeErr.Error())
}