niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e82bf0b25d7fd94d9afcb0ec93f589e7041f2903
lijiaoqiao/gateway/internal/middleware/cors_test.go

172 lines
4.8 KiB
Go
Raw Normal View History

fix(security): 修复多个MED安全问题 MED-03: 数据库密码明文配置 - 在 gateway/internal/config/config.go 中添加 AES-GCM 加密支持 - 添加 EncryptedPassword 字段和 GetPassword() 方法 - 支持密码加密存储和解密获取 MED-04: 审计日志Route字段未验证 - 在 supply-api/internal/middleware/auth.go 中添加 sanitizeRoute() 函数 - 防止路径遍历攻击(.., ./, \ 等) - 防止 null 字节和换行符注入 MED-05: 请求体大小无限制 - 在 gateway/internal/handler/handler.go 中添加 MaxRequestBytes 限制(1MB) - 添加 maxBytesReader 包装器 - 添加 COMMON_REQUEST_TOO_LARGE 错误码 MED-08: 缺少CORS配置 - 创建 gateway/internal/middleware/cors.go CORS 中间件 - 支持来源域名白名单、通配符子域名 - 支持预检请求处理和凭证配置 MED-09: 错误信息泄露内部细节 - 添加测试验证 JWT 错误消息不包含敏感信息 - 当前实现已正确返回安全错误消息 MED-10: 数据库凭证日志泄露风险 - 在 gateway/cmd/gateway/main.go 中使用 GetPassword() 代替 Password - 避免 DSN 中明文密码被记录 MED-11: 缺少Token刷新机制 - 当前 verifyToken() 已正确验证 token 过期时间 - Token 刷新需要额外的 refresh token 基础设施 MED-12: 缺少暴力破解保护 - 添加 BruteForceProtection 结构体 - 支持最大尝试次数和锁定时长配置 - 在 TokenVerifyMiddleware 中集成暴力破解保护
2026-04-03 09:51:39 +08:00
package middleware
import (
"net/http"
"net/http/httptest"
"testing"
)
func TestCORSMiddleware_PreflightRequest(t *testing.T) {
config := DefaultCORSConfig()
config.AllowOrigins = []string{"https://example.com"}
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
corsHandler := CORSMiddleware(config)(handler)
// 模拟OPTIONS预检请求
req := httptest.NewRequest("OPTIONS", "/v1/chat/completions", nil)
req.Header.Set("Origin", "https://example.com")
req.Header.Set("Access-Control-Request-Method", "POST")
req.Header.Set("Access-Control-Request-Headers", "Authorization, Content-Type")
w := httptest.NewRecorder()
corsHandler.ServeHTTP(w, req)
// 预检请求应返回204 No Content
if w.Code != http.StatusNoContent {
t.Errorf("expected status 204 for preflight, got %d", w.Code)
}
// 检查CORS响应头
if w.Header().Get("Access-Control-Allow-Origin") != "https://example.com" {
t.Errorf("expected Access-Control-Allow-Origin to be 'https://example.com', got '%s'", w.Header().Get("Access-Control-Allow-Origin"))
}
if w.Header().Get("Access-Control-Allow-Methods") == "" {
t.Error("expected Access-Control-Allow-Methods to be set")
}
}
func TestCORSMiddleware_ActualRequest(t *testing.T) {
config := DefaultCORSConfig()
config.AllowOrigins = []string{"https://example.com"}
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
corsHandler := CORSMiddleware(config)(handler)
// 模拟实际请求
req := httptest.NewRequest("POST", "/v1/chat/completions", nil)
req.Header.Set("Origin", "https://example.com")
w := httptest.NewRecorder()
corsHandler.ServeHTTP(w, req)
// 正常请求应通过到handler
if w.Code != http.StatusOK {
t.Errorf("expected status 200, got %d", w.Code)
}
// 检查CORS响应头
if w.Header().Get("Access-Control-Allow-Origin") != "https://example.com" {
t.Errorf("expected Access-Control-Allow-Origin to be 'https://example.com', got '%s'", w.Header().Get("Access-Control-Allow-Origin"))
}
}
func TestCORSMiddleware_DisallowedOrigin(t *testing.T) {
config := DefaultCORSConfig()
config.AllowOrigins = []string{"https://allowed.com"}
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
corsHandler := CORSMiddleware(config)(handler)
// 模拟来自未允许域名的请求
req := httptest.NewRequest("POST", "/v1/chat/completions", nil)
req.Header.Set("Origin", "https://malicious.com")
w := httptest.NewRecorder()
corsHandler.ServeHTTP(w, req)
// 预检请求应返回403 Forbidden
if w.Code != http.StatusForbidden {
t.Errorf("expected status 403 for disallowed origin, got %d", w.Code)
}
}
func TestCORSMiddleware_WildcardOrigin(t *testing.T) {
config := DefaultCORSConfig()
config.AllowOrigins = []string{"*"} // 允许所有来源
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
corsHandler := CORSMiddleware(config)(handler)
// 模拟请求
req := httptest.NewRequest("POST", "/v1/chat/completions", nil)
req.Header.Set("Origin", "https://any-domain.com")
w := httptest.NewRecorder()
corsHandler.ServeHTTP(w, req)
// 应该允许
if w.Code != http.StatusOK {
t.Errorf("expected status 200, got %d", w.Code)
}
}
func TestCORSMiddleware_SubdomainWildcard(t *testing.T) {
config := DefaultCORSConfig()
config.AllowOrigins = []string{"*.example.com"}
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
corsHandler := CORSMiddleware(config)(handler)
// 测试子域名
tests := []struct {
origin string
shouldAllow bool
}{
{"https://app.example.com", true},
{"https://api.example.com", true},
{"https://example.com", true},
{"https://malicious.com", false},
}
for _, tt := range tests {
req := httptest.NewRequest("POST", "/v1/chat/completions", nil)
req.Header.Set("Origin", tt.origin)
w := httptest.NewRecorder()
corsHandler.ServeHTTP(w, req)
if tt.shouldAllow && w.Code != http.StatusOK {
t.Errorf("origin %s should be allowed, got status %d", tt.origin, w.Code)
}
if !tt.shouldAllow && w.Code != http.StatusForbidden {
t.Errorf("origin %s should be forbidden, got status %d", tt.origin, w.Code)
}
}
}
func TestMED08_CORSConfigurationExists(t *testing.T) {
// MED-08: 验证CORS配置存在且可用
config := DefaultCORSConfig()
// 验证默认配置包含必要的设置
if len(config.AllowMethods) == 0 {
t.Error("default CORS config should have AllowMethods")
}
if len(config.AllowHeaders) == 0 {
t.Error("default CORS config should have AllowHeaders")
}
// 验证CORS中间件函数存在
corsMiddleware := CORSMiddleware(config)
if corsMiddleware == nil {
t.Error("CORSMiddleware should return a valid middleware function")
}
}
Reference in New Issue Copy Permalink