package externaladmin import ( "context" "net/http" "net/http/httptest" "strings" "testing" "hyapp-admin-server/internal/appctx" "hyapp-admin-server/internal/config" "hyapp-admin-server/internal/integration/walletclient" adminmiddleware "hyapp-admin-server/internal/middleware" "hyapp-admin-server/internal/modules/appuser" "hyapp-admin-server/internal/modules/hostorg" "hyapp-admin-server/internal/modules/vipconfig" walletv1 "hyapp.local/api/proto/wallet/v1" "github.com/gin-gonic/gin" ) func TestExternalBusinessRoutesKeepIndependentPermissionBoundaries(t *testing.T) { gin.SetMode(gin.TestMode) engine := gin.New() engine.Use(func(c *gin.Context) { // Each request gets exactly one product capability. Allowed reads reach an // intentionally unconfigured handler and return 500; denied routes must stop // at the permission middleware with 403 before any dependency is touched. c.Set(adminmiddleware.ContextPermissions, []string{c.GetHeader("X-Test-Permission")}) c.Next() }) registerBusinessWhitelist(engine.Group(""), &Handler{}, BusinessHandlers{ AppUser: appuser.New(nil, nil, nil, nil, nil, config.Config{}, nil), HostOrg: hostorg.New(nil, nil, nil, nil, nil, nil), }) tests := []struct { name string method string path string permission string allowed bool }{ {name: "BD Manager list accepts its capability", method: http.MethodGet, path: "/admin/managers", permission: "bd-manager:list", allowed: true}, {name: "BD Manager list rejects Super Admin capability", method: http.MethodGet, path: "/admin/managers", permission: "super-admin:list"}, {name: "Super Admin list accepts its capability", method: http.MethodGet, path: "/admin/bd-leaders", permission: "super-admin:list", allowed: true}, {name: "Super Admin list rejects BD Manager capability", method: http.MethodGet, path: "/admin/bd-leaders", permission: "bd-manager:list"}, {name: "user update can read support list", method: http.MethodGet, path: "/app/users", permission: "user:update", allowed: true}, {name: "user update cannot ban", method: http.MethodPost, path: "/app/users/9001/ban", permission: "user:update"}, {name: "user unban can read ban support list", method: http.MethodGet, path: "/app/users/bans", permission: "user:unban", allowed: true}, } for _, testCase := range tests { t.Run(testCase.name, func(t *testing.T) { request := httptest.NewRequest(testCase.method, testCase.path, nil) request.Header.Set("X-Test-Permission", testCase.permission) recorder := httptest.NewRecorder() engine.ServeHTTP(recorder, request) if testCase.allowed && recorder.Code == http.StatusForbidden { t.Fatalf("permission %s was rejected for %s %s: %s", testCase.permission, testCase.method, testCase.path, recorder.Body.String()) } if !testCase.allowed && recorder.Code != http.StatusForbidden { t.Fatalf("permission %s unexpectedly reached %s %s: status=%d body=%s", testCase.permission, testCase.method, testCase.path, recorder.Code, recorder.Body.String()) } }) } } func TestExternalVIPRoutesUseManagerCenterOwnerPolicySource(t *testing.T) { gin.SetMode(gin.TestMode) wallet := &externalVIPRouteWallet{} engine := gin.New() engine.Use(func(c *gin.Context) { c.Request = c.Request.WithContext(appctx.WithContext(c.Request.Context(), "fami")) c.Set(adminmiddleware.ContextPermissions, []string{"user-level:grant"}) c.Set(adminmiddleware.ContextRequestID, "external-vip-route-test") c.Set(adminmiddleware.ContextUserID, uint(77)) c.Next() }) registerBusinessWhitelist(engine.Group(""), &Handler{}, BusinessHandlers{VIPConfig: vipconfig.New(wallet, nil)}) vipRequest := httptest.NewRequest(http.MethodPost, "/admin/activity/vip-grants", strings.NewReader(`{"targetUserId":"9001","level":5,"reason":"manual"}`)) vipRequest.Header.Set("Content-Type", "application/json") vipRecorder := httptest.NewRecorder() engine.ServeHTTP(vipRecorder, vipRequest) if vipRecorder.Code != http.StatusCreated || wallet.vipRequest == nil || wallet.vipRequest.GetGrantSource() != "manager_center" { t.Fatalf("external VIP route source: status=%d request=%+v body=%s", vipRecorder.Code, wallet.vipRequest, vipRecorder.Body.String()) } trialRequest := httptest.NewRequest(http.MethodPost, "/admin/activity/vip-trial-card-grants", strings.NewReader(`{"targetUserId":"9001","level":5,"durationMs":86400000,"resourceId":99,"reason":"manual"}`)) trialRequest.Header.Set("Content-Type", "application/json") trialRecorder := httptest.NewRecorder() engine.ServeHTTP(trialRecorder, trialRequest) if trialRecorder.Code != http.StatusCreated || wallet.trialRequest == nil || wallet.trialRequest.GetGrantSource() != "manager_center" { t.Fatalf("external trial route source: status=%d request=%+v body=%s", trialRecorder.Code, wallet.trialRequest, trialRecorder.Body.String()) } } type externalVIPRouteWallet struct { walletclient.Client vipRequest *walletv1.GrantVipRequest trialRequest *walletv1.GrantVipTrialCardRequest } func (wallet *externalVIPRouteWallet) GrantVip(_ context.Context, request *walletv1.GrantVipRequest) (*walletv1.GrantVipResponse, error) { wallet.vipRequest = request return &walletv1.GrantVipResponse{TransactionId: "vip-route"}, nil } func (wallet *externalVIPRouteWallet) GrantVipTrialCard(_ context.Context, request *walletv1.GrantVipTrialCardRequest) (*walletv1.GrantVipTrialCardResponse, error) { wallet.trialRequest = request return &walletv1.GrantVipTrialCardResponse{TrialCard: &walletv1.VipTrialCard{TrialCardId: "trial-route"}}, nil }