niuniu/sub2api-cn-relay-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(access): verify subscription readiness with real user keys

Browse Source 
When subscription access is requested with an explicit access_api_key, assign the subscription to the real target user, bind that user's API key to the subscription group, and probe readiness with the same key instead of falling back to a managed synthetic user.

Update the runtime/reconcile flows, adapter tests, and source-of-truth docs so subscription_ready now reflects user-visible host access rather than managed-key-only closure success.
This commit is contained in:
phamnazage-jpg
2026-06-01 09:55:11 +08:00
parent 702ae19a61
commit c588a95c7d
11 changed files with 260 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
internal/host/sub2api/sub2api_test.go
View File

@@ -851,7 +851,7 @@ func TestAssignSubscriptionWithMock(t *testing.T) {
}
}
func TestEnsureSubscriptionAccessWithMock(t *testing.T) {
func TestEnsureSubscriptionAccessManagedProbeWithMock(t *testing.T) {
var calls []string
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
calls = append(calls, r.Method+" "+r.URL.Path)
@@ -911,6 +911,45 @@ func TestEnsureSubscriptionAccessWithMock(t *testing.T) {
}
}
func TestEnsureSubscriptionAccessRealUserProbeWithMock(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch {
case r.Method == http.MethodGet && r.URL.Path == "/api/v1/admin/users/1/api-keys":
w.Write([]byte(`{"data":{"items":[{"id":501,"key":"caller-probe-key","name":"user-key"}]}}`))
case r.Method == http.MethodPut && r.URL.Path == "/api/v1/admin/api-keys/501":
var req struct {
GroupID int64 `json:"group_id"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
t.Fatalf("decode bind api key request: %v", err)
}
if req.GroupID != 101 {
t.Fatalf("group id = %d, want 101", req.GroupID)
}
w.Write([]byte(`{"data":{"api_key":{"id":501}}}`))
default:
w.WriteHeader(http.StatusNotFound)
}
}))
defer srv.Close()
client, _ := NewClient(srv.URL, WithBearerToken("admin-token"))
ref, err := client.EnsureSubscriptionAccess(context.Background(), EnsureSubscriptionAccessRequest{
UserSelector: "1",
GroupID: "101",
ProbeAPIKey: "caller-probe-key",
})
if err != nil {
t.Fatal(err)
}
if ref.UserID != "1" {
t.Fatalf("user id = %q, want 1", ref.UserID)
}
if ref.APIKey != "caller-probe-key" {
t.Fatalf("api key = %q, want caller-probe-key", ref.APIKey)
}
}
func TestCheckGatewayAccessWithMock(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if got := r.Header.Get("Authorization"); got != "Bearer gk" {