d44e9966e0
MED-03: 数据库密码明文配置 - 在 gateway/internal/config/config.go 中添加 AES-GCM 加密支持 - 添加 EncryptedPassword 字段和 GetPassword() 方法 - 支持密码加密存储和解密获取 MED-04: 审计日志Route字段未验证 - 在 supply-api/internal/middleware/auth.go 中添加 sanitizeRoute() 函数 - 防止路径遍历攻击(.., ./, \ 等) - 防止 null 字节和换行符注入 MED-05: 请求体大小无限制 - 在 gateway/internal/handler/handler.go 中添加 MaxRequestBytes 限制(1MB) - 添加 maxBytesReader 包装器 - 添加 COMMON_REQUEST_TOO_LARGE 错误码 MED-08: 缺少CORS配置 - 创建 gateway/internal/middleware/cors.go CORS 中间件 - 支持来源域名白名单、通配符子域名 - 支持预检请求处理和凭证配置 MED-09: 错误信息泄露内部细节 - 添加测试验证 JWT 错误消息不包含敏感信息 - 当前实现已正确返回安全错误消息 MED-10: 数据库凭证日志泄露风险 - 在 gateway/cmd/gateway/main.go 中使用 GetPassword() 代替 Password - 避免 DSN 中明文密码被记录 MED-11: 缺少Token刷新机制 - 当前 verifyToken() 已正确验证 token 过期时间 - Token 刷新需要额外的 refresh token 基础设施 MED-12: 缺少暴力破解保护 - 添加 BruteForceProtection 结构体 - 支持最大尝试次数和锁定时长配置 - 在 TokenVerifyMiddleware 中集成暴力破解保护
137 lines
3.7 KiB
Go
137 lines
3.7 KiB
Go
package config
|
|
|
|
import (
|
|
"testing"
|
|
)
|
|
|
|
func TestMED03_DatabasePassword_GetPasswordReturnsDecrypted(t *testing.T) {
|
|
// MED-03: Database password should be encrypted when stored
|
|
// GetPassword() method should return decrypted password
|
|
|
|
// Test with EncryptedPassword field
|
|
cfg := &DatabaseConfig{
|
|
Host: "localhost",
|
|
Port: 5432,
|
|
User: "postgres",
|
|
EncryptedPassword: "dGVzdDEyMw==", // base64 encoded "test123" in AES-GCM format
|
|
Database: "gateway",
|
|
MaxConns: 10,
|
|
}
|
|
|
|
// After fix: GetPassword() should return decrypted value
|
|
password := cfg.GetPassword()
|
|
if password == "" {
|
|
t.Error("GetPassword should return non-empty decrypted password")
|
|
}
|
|
}
|
|
|
|
func TestMED03_EncryptedPasswordField(t *testing.T) {
|
|
// Test that encrypted password can be properly encrypted and decrypted
|
|
originalPassword := "mysecretpassword123"
|
|
|
|
// Encrypt the password
|
|
encrypted, err := encryptPassword(originalPassword)
|
|
if err != nil {
|
|
t.Fatalf("encryption failed: %v", err)
|
|
}
|
|
|
|
if encrypted == "" {
|
|
t.Error("encryption should produce non-empty result")
|
|
}
|
|
|
|
// Encrypted password should be different from original
|
|
if encrypted == originalPassword {
|
|
t.Error("encrypted password should differ from original")
|
|
}
|
|
|
|
// Should be able to decrypt back to original
|
|
decrypted, err := decryptPassword(encrypted)
|
|
if err != nil {
|
|
t.Fatalf("decryption failed: %v", err)
|
|
}
|
|
if decrypted != originalPassword {
|
|
t.Errorf("decrypted password should match original, got %s", decrypted)
|
|
}
|
|
}
|
|
|
|
func TestMED03_PasswordGetterReturnsDecrypted(t *testing.T) {
|
|
// Test that GetPassword returns decrypted password
|
|
originalPassword := "production_secret_456"
|
|
encrypted, err := encryptPassword(originalPassword)
|
|
if err != nil {
|
|
t.Fatalf("encryption failed: %v", err)
|
|
}
|
|
|
|
cfg := &DatabaseConfig{
|
|
Host: "localhost",
|
|
Port: 5432,
|
|
User: "postgres",
|
|
EncryptedPassword: encrypted,
|
|
Database: "gateway",
|
|
MaxConns: 10,
|
|
}
|
|
|
|
// After fix: GetPassword() should return decrypted value
|
|
password := cfg.GetPassword()
|
|
if password != originalPassword {
|
|
t.Errorf("GetPassword should return decrypted password, got %s", password)
|
|
}
|
|
}
|
|
|
|
func TestMED03_FallbackToPlainPassword(t *testing.T) {
|
|
// Test that if EncryptedPassword is empty, Password field is used
|
|
cfg := &DatabaseConfig{
|
|
Host: "localhost",
|
|
Port: 5432,
|
|
User: "postgres",
|
|
Password: "fallback_password",
|
|
Database: "gateway",
|
|
MaxConns: 10,
|
|
}
|
|
|
|
password := cfg.GetPassword()
|
|
if password != "fallback_password" {
|
|
t.Errorf("GetPassword should fallback to Password field, got %s", password)
|
|
}
|
|
}
|
|
|
|
func TestMED03_RedisPassword_GetPasswordReturnsDecrypted(t *testing.T) {
|
|
// Test Redis password encryption as well
|
|
originalPassword := "redis_secret_pass"
|
|
encrypted, err := encryptPassword(originalPassword)
|
|
if err != nil {
|
|
t.Fatalf("encryption failed: %v", err)
|
|
}
|
|
|
|
cfg := &RedisConfig{
|
|
Host: "localhost",
|
|
Port: 6379,
|
|
EncryptedPassword: encrypted,
|
|
DB: 0,
|
|
PoolSize: 10,
|
|
}
|
|
|
|
password := cfg.GetPassword()
|
|
if password != originalPassword {
|
|
t.Errorf("GetPassword should return decrypted password for Redis, got %s", password)
|
|
}
|
|
}
|
|
|
|
func TestMED03_EncryptEmptyString(t *testing.T) {
|
|
// Test that empty strings are handled correctly
|
|
encrypted, err := encryptPassword("")
|
|
if err != nil {
|
|
t.Fatalf("encryption of empty string failed: %v", err)
|
|
}
|
|
if encrypted != "" {
|
|
t.Error("encryption of empty string should return empty string")
|
|
}
|
|
|
|
decrypted, err := decryptPassword("")
|
|
if err != nil {
|
|
t.Fatalf("decryption of empty string failed: %v", err)
|
|
}
|
|
if decrypted != "" {
|
|
t.Error("decryption of empty string should return empty string")
|
|
}
|
|
} |