OneAuth/scripts/tests/02_resource_perm.sh

#!/bin/bash
#
# 02_resource_perm.sh
#
# 功能：测试跨用户资源访问权限
# 场景：
# 1. Admin 修改任意用户资源 (Allow)
# 2. 普通用户修改自己资源 (Allow)
# 3. 普通用户修改他人资源 (Deny)
# 4. 普通用户修改 Admin 资源 (Deny)
#

set -e

# 加载公共库
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/lib.sh"

test_start "资源权限交叉验证测试"

# 检查服务
check_service

# ==========================================
# 准备环境 (登录三个账户)
# ==========================================
COMMON_PASS="password123"

ADMIN_USER="admin_${TEST_TIMESTAMP}"
USER1_NAME="user1_${TEST_TIMESTAMP}"
USER2_NAME="user2_${TEST_TIMESTAMP}"

step "0. 登录测试账户"

# Admin Login
RES=$(login_user "$ADMIN_USER" "$COMMON_PASS")
check_http_code "$RES" "200"
ADMIN_TOKEN=$(get_token "$RES")
ADMIN_ID=$(get_user_id "$RES")
info "Admin ID: $ADMIN_ID"

# User1 Login
RES=$(login_user "$USER1_NAME" "$COMMON_PASS")
check_http_code "$RES" "200"
USER1_TOKEN=$(get_token "$RES")
USER1_ID=$(get_user_id "$RES")
info "User1 ID: $USER1_ID"

# User2 Login
RES=$(login_user "$USER2_NAME" "$COMMON_PASS")
check_http_code "$RES" "200"
USER2_TOKEN=$(get_token "$RES")
USER2_ID=$(get_user_id "$RES")
info "User2 ID: $USER2_ID"


# ==========================================
# 测试用例
# ==========================================

# Case 1: Admin 修改 User1 (应成功)
step "1. Admin 修改 User1 信息 (预期: 成功)"
RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Admin"}' "$ADMIN_TOKEN")
check_http_code "$RES" "200"
NICK=$(echo "$RES" | jq -r '.nickname')
if [ "$NICK" == "Edited By Admin" ]; then
    check_success "Admin 修改 User1 成功"
else
    error "Admin 修改失败, nickname=$NICK"
    exit 1
fi

# Case 2: User1 修改 User1 (应成功)
step "2. User1 修改自己信息 (预期: 成功)"
RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Self"}' "$USER1_TOKEN")
check_http_code "$RES" "200"
NICK=$(echo "$RES" | jq -r '.nickname')
if [ "$NICK" == "Edited By Self" ]; then
    check_success "User1 修改自己成功"
else
    error "User1 修改自己失败, nickname=$NICK"
    exit 1
fi

# Case 3: User1 修改 User2 (应失败)
step "3. User1 修改 User2 信息 (预期: 失败 403/404)"
RES=$(api_patch "/api/users/$USER2_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")
# Vigo 可能返回 403 Forbidden 或 404 NotFound (如果做了隔离)
code=$(echo "$RES" | jq -r '.code // 200')
if [[ "$code" == "403"* ]] || [[ "$code" == "404"* ]] || [[ "$code" == "401"* ]]; then
    check_success "User1 修改 User2 被拒绝 (Code: $code)"
else
    error "User1 竟然修改了 User2 ! Code: $code"
    info "Response: $RES"
    exit 1
fi

# Case 4: User1 修改 Admin (应失败)
step "4. User1 修改 Admin 信息 (预期: 失败 403/404)"
RES=$(api_patch "/api/users/$ADMIN_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")
code=$(echo "$RES" | jq -r '.code // 200')
if [[ "$code" == "403"* ]] || [[ "$code" == "404"* ]] || [[ "$code" == "401"* ]]; then
    check_success "User1 修改 Admin 被拒绝 (Code: $code)"
else
    error "User1 竟然修改了 Admin ! Code: $code"
    info "Response: $RES"
    exit 1
fi

# Case 5: User2 修改 User1 (应失败)
step "5. User2 修改 User1 信息 (预期: 失败 403/404)"
RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Hacked By User2"}' "$USER2_TOKEN")
code=$(echo "$RES" | jq -r '.code // 200')
if [[ "$code" == "403"* ]] || [[ "$code" == "404"* ]] || [[ "$code" == "401"* ]]; then
    check_success "User2 修改 User1 被拒绝 (Code: $code)"
else
    error "User2 竟然修改了 User1 ! Code: $code"
    info "Response: $RES"
    exit 1
fi

test_end
refactor(tests): Restructure test scripts with better coverage - Add 00_none_auth.sh for unauthenticated access testing - Replace 01_basic_auth.sh with 01_setup_users.sh for comprehensive user setup - Replace 02_user_permission.sh with 02_resource_perm.sh for cross-user permission tests - Update lib.sh to handle non-numeric code fields in response - Update README.md with new test structure and usage instructions - Update run_all.sh with new test sequence 1 week ago			`#!/bin/bash`
			`#`
			`# 02_resource_perm.sh`
			`#`
			`# 功能：测试跨用户资源访问权限`
			`# 场景：`
			`# 1. Admin 修改任意用户资源 (Allow)`
			`# 2. 普通用户修改自己资源 (Allow)`
			`# 3. 普通用户修改他人资源 (Deny)`
			`# 4. 普通用户修改 Admin 资源 (Deny)`
			`#`

			`set -e`

			`# 加载公共库`
			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`source "$SCRIPT_DIR/lib.sh"`

			`test_start "资源权限交叉验证测试"`

			`# 检查服务`
			`check_service`

			`# ==========================================`
			`# 准备环境 (登录三个账户)`
			`# ==========================================`
			`COMMON_PASS="password123"`

			`ADMIN_USER="admin_${TEST_TIMESTAMP}"`
			`USER1_NAME="user1_${TEST_TIMESTAMP}"`
			`USER2_NAME="user2_${TEST_TIMESTAMP}"`

			`step "0. 登录测试账户"`

			`# Admin Login`
			`RES=$(login_user "$ADMIN_USER" "$COMMON_PASS")`
			`check_http_code "$RES" "200"`
			`ADMIN_TOKEN=$(get_token "$RES")`
			`ADMIN_ID=$(get_user_id "$RES")`
			`info "Admin ID: $ADMIN_ID"`

			`# User1 Login`
			`RES=$(login_user "$USER1_NAME" "$COMMON_PASS")`
			`check_http_code "$RES" "200"`
			`USER1_TOKEN=$(get_token "$RES")`
			`USER1_ID=$(get_user_id "$RES")`
			`info "User1 ID: $USER1_ID"`

			`# User2 Login`
			`RES=$(login_user "$USER2_NAME" "$COMMON_PASS")`
			`check_http_code "$RES" "200"`
			`USER2_TOKEN=$(get_token "$RES")`
			`USER2_ID=$(get_user_id "$RES")`
			`info "User2 ID: $USER2_ID"`


			`# ==========================================`
			`# 测试用例`
			`# ==========================================`

			`# Case 1: Admin 修改 User1 (应成功)`
			`step "1. Admin 修改 User1 信息 (预期: 成功)"`
			`RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Admin"}' "$ADMIN_TOKEN")`
			`check_http_code "$RES" "200"`
			`NICK=$(echo "$RES" \| jq -r '.nickname')`
			`if [ "$NICK" == "Edited By Admin" ]; then`
			`check_success "Admin 修改 User1 成功"`
			`else`
			`error "Admin 修改失败, nickname=$NICK"`
			`exit 1`
			`fi`

			`# Case 2: User1 修改 User1 (应成功)`
			`step "2. User1 修改自己信息 (预期: 成功)"`
			`RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Self"}' "$USER1_TOKEN")`
			`check_http_code "$RES" "200"`
			`NICK=$(echo "$RES" \| jq -r '.nickname')`
			`if [ "$NICK" == "Edited By Self" ]; then`
			`check_success "User1 修改自己成功"`
			`else`
			`error "User1 修改自己失败, nickname=$NICK"`
			`exit 1`
			`fi`

			`# Case 3: User1 修改 User2 (应失败)`
			`step "3. User1 修改 User2 信息 (预期: 失败 403/404)"`
			`RES=$(api_patch "/api/users/$USER2_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")`
			`# Vigo 可能返回 403 Forbidden 或 404 NotFound (如果做了隔离)`
			`code=$(echo "$RES" \| jq -r '.code // 200')`
			`if [[ "$code" == "403"* ]] \|\| [[ "$code" == "404"* ]] \|\| [[ "$code" == "401"* ]]; then`
			`check_success "User1 修改 User2 被拒绝 (Code: $code)"`
			`else`
			`error "User1 竟然修改了 User2 ! Code: $code"`
			`info "Response: $RES"`
			`exit 1`
			`fi`

			`# Case 4: User1 修改 Admin (应失败)`
			`step "4. User1 修改 Admin 信息 (预期: 失败 403/404)"`
			`RES=$(api_patch "/api/users/$ADMIN_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")`
			`code=$(echo "$RES" \| jq -r '.code // 200')`
			`if [[ "$code" == "403"* ]] \|\| [[ "$code" == "404"* ]] \|\| [[ "$code" == "401"* ]]; then`
			`check_success "User1 修改 Admin 被拒绝 (Code: $code)"`
			`else`
			`error "User1 竟然修改了 Admin ! Code: $code"`
			`info "Response: $RES"`
			`exit 1`
			`fi`

			`# Case 5: User2 修改 User1 (应失败)`
			`step "5. User2 修改 User1 信息 (预期: 失败 403/404)"`
			`RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Hacked By User2"}' "$USER2_TOKEN")`
			`code=$(echo "$RES" \| jq -r '.code // 200')`
			`if [[ "$code" == "403"* ]] \|\| [[ "$code" == "404"* ]] \|\| [[ "$code" == "401"* ]]; then`
			`check_success "User2 修改 User1 被拒绝 (Code: $code)"`
			`else`
			`error "User2 竟然修改了 User1 ! Code: $code"`
			`info "Response: $RES"`
			`exit 1`
			`fi`

			`test_end`