gateway/internal/config/config_security_test.go

package config

import (
	"testing"
)

func TestMED03_DatabasePassword_GetPasswordReturnsDecrypted(t *testing.T) {
	// MED-03: Database password should be encrypted when stored
	// GetPassword() method should return decrypted password

	// Test with EncryptedPassword field
	cfg := &DatabaseConfig{
		Host:              "localhost",
		Port:              5432,
		User:              "postgres",
		EncryptedPassword: "dGVzdDEyMw==", // base64 encoded "test123" in AES-GCM format
		Database:          "gateway",
		MaxConns:          10,
	}

	// After fix: GetPassword() should return decrypted value
	password := cfg.GetPassword()
	if password == "" {
		t.Error("GetPassword should return non-empty decrypted password")
	}
}

func TestMED03_EncryptedPasswordField(t *testing.T) {
	// Test that encrypted password can be properly encrypted and decrypted
	originalPassword := "mysecretpassword123"

	// Encrypt the password
	encrypted, err := encryptPassword(originalPassword)
	if err != nil {
		t.Fatalf("encryption failed: %v", err)
	}

	if encrypted == "" {
		t.Error("encryption should produce non-empty result")
	}

	// Encrypted password should be different from original
	if encrypted == originalPassword {
		t.Error("encrypted password should differ from original")
	}

	// Should be able to decrypt back to original
	decrypted, err := decryptPassword(encrypted)
	if err != nil {
		t.Fatalf("decryption failed: %v", err)
	}
	if decrypted != originalPassword {
		t.Errorf("decrypted password should match original, got %s", decrypted)
	}
}

func TestMED03_PasswordGetterReturnsDecrypted(t *testing.T) {
	// Test that GetPassword returns decrypted password
	originalPassword := "production_secret_456"
	encrypted, err := encryptPassword(originalPassword)
	if err != nil {
		t.Fatalf("encryption failed: %v", err)
	}

	cfg := &DatabaseConfig{
		Host:              "localhost",
		Port:              5432,
		User:              "postgres",
		EncryptedPassword: encrypted,
		Database:          "gateway",
		MaxConns:          10,
	}

	// After fix: GetPassword() should return decrypted value
	password := cfg.GetPassword()
	if password != originalPassword {
		t.Errorf("GetPassword should return decrypted password, got %s", password)
	}
}

func TestMED03_FallbackToPlainPassword(t *testing.T) {
	// Test that if EncryptedPassword is empty, Password field is used
	cfg := &DatabaseConfig{
		Host:     "localhost",
		Port:     5432,
		User:     "postgres",
		Password: "fallback_password",
		Database: "gateway",
		MaxConns: 10,
	}

	password := cfg.GetPassword()
	if password != "fallback_password" {
		t.Errorf("GetPassword should fallback to Password field, got %s", password)
	}
}

func TestMED03_RedisPassword_GetPasswordReturnsDecrypted(t *testing.T) {
	// Test Redis password encryption as well
	originalPassword := "redis_secret_pass"
	encrypted, err := encryptPassword(originalPassword)
	if err != nil {
		t.Fatalf("encryption failed: %v", err)
	}

	cfg := &RedisConfig{
		Host:              "localhost",
		Port:              6379,
		EncryptedPassword: encrypted,
		DB:                0,
		PoolSize:          10,
	}

	password := cfg.GetPassword()
	if password != originalPassword {
		t.Errorf("GetPassword should return decrypted password for Redis, got %s", password)
	}
}

func TestMED03_EncryptEmptyString(t *testing.T) {
	// Test that empty strings are handled correctly
	encrypted, err := encryptPassword("")
	if err != nil {
		t.Fatalf("encryption of empty string failed: %v", err)
	}
	if encrypted != "" {
		t.Error("encryption of empty string should return empty string")
	}

	decrypted, err := decryptPassword("")
	if err != nil {
		t.Fatalf("decryption of empty string failed: %v", err)
	}
	if decrypted != "" {
		t.Error("decryption of empty string should return empty string")
	}
}
fix(security): 修复多个MED安全问题 MED-03: 数据库密码明文配置 - 在 gateway/internal/config/config.go 中添加 AES-GCM 加密支持 - 添加 EncryptedPassword 字段和 GetPassword() 方法 - 支持密码加密存储和解密获取 MED-04: 审计日志Route字段未验证 - 在 supply-api/internal/middleware/auth.go 中添加 sanitizeRoute() 函数 - 防止路径遍历攻击（.., ./, \ 等） - 防止 null 字节和换行符注入 MED-05: 请求体大小无限制 - 在 gateway/internal/handler/handler.go 中添加 MaxRequestBytes 限制（1MB） - 添加 maxBytesReader 包装器 - 添加 COMMON_REQUEST_TOO_LARGE 错误码 MED-08: 缺少CORS配置 - 创建 gateway/internal/middleware/cors.go CORS 中间件 - 支持来源域名白名单、通配符子域名 - 支持预检请求处理和凭证配置 MED-09: 错误信息泄露内部细节 - 添加测试验证 JWT 错误消息不包含敏感信息 - 当前实现已正确返回安全错误消息 MED-10: 数据库凭证日志泄露风险 - 在 gateway/cmd/gateway/main.go 中使用 GetPassword() 代替 Password - 避免 DSN 中明文密码被记录 MED-11: 缺少Token刷新机制 - 当前 verifyToken() 已正确验证 token 过期时间 - Token 刷新需要额外的 refresh token 基础设施 MED-12: 缺少暴力破解保护 - 添加 BruteForceProtection 结构体 - 支持最大尝试次数和锁定时长配置 - 在 TokenVerifyMiddleware 中集成暴力破解保护 2026-04-03 09:51:39 +08:00			`package config`

			`import (`
			`"testing"`
			`)`

			`func TestMED03_DatabasePassword_GetPasswordReturnsDecrypted(t *testing.T) {`
			`// MED-03: Database password should be encrypted when stored`
			`// GetPassword() method should return decrypted password`

			`// Test with EncryptedPassword field`
			`cfg := &DatabaseConfig{`
			`Host: "localhost",`
			`Port: 5432,`
			`User: "postgres",`
			`EncryptedPassword: "dGVzdDEyMw==", // base64 encoded "test123" in AES-GCM format`
			`Database: "gateway",`
			`MaxConns: 10,`
			`}`

			`// After fix: GetPassword() should return decrypted value`
			`password := cfg.GetPassword()`
			`if password == "" {`
			`t.Error("GetPassword should return non-empty decrypted password")`
			`}`
			`}`

			`func TestMED03_EncryptedPasswordField(t *testing.T) {`
			`// Test that encrypted password can be properly encrypted and decrypted`
			`originalPassword := "mysecretpassword123"`

			`// Encrypt the password`
			`encrypted, err := encryptPassword(originalPassword)`
			`if err != nil {`
			`t.Fatalf("encryption failed: %v", err)`
			`}`

			`if encrypted == "" {`
			`t.Error("encryption should produce non-empty result")`
			`}`

			`// Encrypted password should be different from original`
			`if encrypted == originalPassword {`
			`t.Error("encrypted password should differ from original")`
			`}`

			`// Should be able to decrypt back to original`
			`decrypted, err := decryptPassword(encrypted)`
			`if err != nil {`
			`t.Fatalf("decryption failed: %v", err)`
			`}`
			`if decrypted != originalPassword {`
			`t.Errorf("decrypted password should match original, got %s", decrypted)`
			`}`
			`}`

			`func TestMED03_PasswordGetterReturnsDecrypted(t *testing.T) {`
			`// Test that GetPassword returns decrypted password`
			`originalPassword := "production_secret_456"`
			`encrypted, err := encryptPassword(originalPassword)`
			`if err != nil {`
			`t.Fatalf("encryption failed: %v", err)`
			`}`

			`cfg := &DatabaseConfig{`
			`Host: "localhost",`
			`Port: 5432,`
			`User: "postgres",`
			`EncryptedPassword: encrypted,`
			`Database: "gateway",`
			`MaxConns: 10,`
			`}`

			`// After fix: GetPassword() should return decrypted value`
			`password := cfg.GetPassword()`
			`if password != originalPassword {`
			`t.Errorf("GetPassword should return decrypted password, got %s", password)`
			`}`
			`}`

			`func TestMED03_FallbackToPlainPassword(t *testing.T) {`
			`// Test that if EncryptedPassword is empty, Password field is used`
			`cfg := &DatabaseConfig{`
			`Host: "localhost",`
			`Port: 5432,`
			`User: "postgres",`
			`Password: "fallback_password",`
			`Database: "gateway",`
			`MaxConns: 10,`
			`}`

			`password := cfg.GetPassword()`
			`if password != "fallback_password" {`
			`t.Errorf("GetPassword should fallback to Password field, got %s", password)`
			`}`
			`}`

			`func TestMED03_RedisPassword_GetPasswordReturnsDecrypted(t *testing.T) {`
			`// Test Redis password encryption as well`
			`originalPassword := "redis_secret_pass"`
			`encrypted, err := encryptPassword(originalPassword)`
			`if err != nil {`
			`t.Fatalf("encryption failed: %v", err)`
			`}`

			`cfg := &RedisConfig{`
			`Host: "localhost",`
			`Port: 6379,`
			`EncryptedPassword: encrypted,`
			`DB: 0,`
			`PoolSize: 10,`
			`}`

			`password := cfg.GetPassword()`
			`if password != originalPassword {`
			`t.Errorf("GetPassword should return decrypted password for Redis, got %s", password)`
			`}`
			`}`

			`func TestMED03_EncryptEmptyString(t *testing.T) {`
			`// Test that empty strings are handled correctly`
			`encrypted, err := encryptPassword("")`
			`if err != nil {`
			`t.Fatalf("encryption of empty string failed: %v", err)`
			`}`
			`if encrypted != "" {`
			`t.Error("encryption of empty string should return empty string")`
			`}`

			`decrypted, err := decryptPassword("")`
			`if err != nil {`
			`t.Fatalf("decryption of empty string failed: %v", err)`
			`}`
			`if decrypted != "" {`
			`t.Error("decryption of empty string should return empty string")`
			`}`
			`}`