OptimusX
/
OneAuth
mirror of https://github.com/veypi/OneAuth.git
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
v3
v2
v1.0.0
v0.1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7f7591cf6d'
${ noResults }
OneAuth/scripts/tests/02_resource_perm.sh

123 lines
3.7 KiB
Bash
Raw Blame History

#!/bin/bash
#
# 02_resource_perm.sh
#
# 功能:测试跨用户资源访问权限
# 场景:
# 1. Admin 修改任意用户资源 (Allow)
# 2. 普通用户修改自己资源 (Allow)
# 3. 普通用户修改他人资源 (Deny)
# 4. 普通用户修改 Admin 资源 (Deny)
#
set -e
# 加载公共库
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/lib.sh"
test_start "资源权限交叉验证测试"
# 检查服务
check_service
# ==========================================
# 准备环境 (登录三个账户)
# ==========================================
COMMON_PASS="password123"
ADMIN_USER="admin_${TEST_TIMESTAMP}"
USER1_NAME="user1_${TEST_TIMESTAMP}"
USER2_NAME="user2_${TEST_TIMESTAMP}"
step "0. 登录测试账户"
# Admin Login
RES=$(login_user "$ADMIN_USER" "$COMMON_PASS")
check_http_code "$RES" "200"
ADMIN_TOKEN=$(get_token "$RES")
ADMIN_ID=$(get_user_id "$RES")
info "Admin ID: $ADMIN_ID"
# User1 Login
RES=$(login_user "$USER1_NAME" "$COMMON_PASS")
check_http_code "$RES" "200"
USER1_TOKEN=$(get_token "$RES")
USER1_ID=$(get_user_id "$RES")
info "User1 ID: $USER1_ID"
# User2 Login
RES=$(login_user "$USER2_NAME" "$COMMON_PASS")
check_http_code "$RES" "200"
USER2_TOKEN=$(get_token "$RES")
USER2_ID=$(get_user_id "$RES")
info "User2 ID: $USER2_ID"
# ==========================================
# 测试用例
# ==========================================
# Case 1: Admin 修改 User1 (应成功)
step "1. Admin 修改 User1 信息 (预期: 成功)"
RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Admin"}' "$ADMIN_TOKEN")
check_http_code "$RES" "200"
NICK=$(echo "$RES" | jq -r '.nickname')
if [ "$NICK" == "Edited By Admin" ]; then
check_success "Admin 修改 User1 成功"
else
error "Admin 修改失败, nickname=$NICK"
exit 1
fi
# Case 2: User1 修改 User1 (应成功)
step "2. User1 修改自己信息 (预期: 成功)"
RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Self"}' "$USER1_TOKEN")
check_http_code "$RES" "200"
NICK=$(echo "$RES" | jq -r '.nickname')
if [ "$NICK" == "Edited By Self" ]; then
check_success "User1 修改自己成功"
else
error "User1 修改自己失败, nickname=$NICK"
exit 1
fi
# Case 3: User1 修改 User2 (应失败)
step "3. User1 修改 User2 信息 (预期: 失败 403/404)"
RES=$(api_patch "/api/users/$USER2_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")
# Vigo 可能返回 403 Forbidden 或 404 NotFound (如果做了隔离)
code=$(echo "$RES" | jq -r '.code // 200')
if [[ "$code" == "403"* ]] || [[ "$code" == "404"* ]] || [[ "$code" == "401"* ]]; then
check_success "User1 修改 User2 被拒绝 (Code: $code)"
else
error "User1 竟然修改了 User2 ! Code: $code"
info "Response: $RES"
exit 1
fi
# Case 4: User1 修改 Admin (应失败)
step "4. User1 修改 Admin 信息 (预期: 失败 403/404)"
RES=$(api_patch "/api/users/$ADMIN_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")
code=$(echo "$RES" | jq -r '.code // 200')
if [[ "$code" == "403"* ]] || [[ "$code" == "404"* ]] || [[ "$code" == "401"* ]]; then
check_success "User1 修改 Admin 被拒绝 (Code: $code)"
else
error "User1 竟然修改了 Admin ! Code: $code"
info "Response: $RES"
exit 1
fi
# Case 5: User2 修改 User1 (应失败)
step "5. User2 修改 User1 信息 (预期: 失败 403/404)"
RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Hacked By User2"}' "$USER2_TOKEN")
code=$(echo "$RES" | jq -r '.code // 200')
if [[ "$code" == "403"* ]] || [[ "$code" == "404"* ]] || [[ "$code" == "401"* ]]; then
check_success "User2 修改 User1 被拒绝 (Code: $code)"
else
error "User2 竟然修改了 User1 ! Code: $code"
info "Response: $RES"
exit 1
fi
test_end
Reference in New Issue View Git Blame Copy Permalink