b19da9c7fe
⚠️ 应用类型约束:当前实现仅支持「钉钉登录-企业内部应用」(DingTalk 开放平台
internal_app 类型)。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed(硬约束)。
钉钉 OAuth 登录主链
- 4 步 OAuth 链:ExchangeCodeForUserToken / GetUnionIdByUserToken /
GetUserIdByUnionId / GetStaffInfoByUserId;app token 缓存
- pending session 机制持久化 OAuth 中间态;cookie-only token 持久化
- 三种分流:bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only;stale "whitelist" 在
加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关:企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
等横切点支持 dingtalk provider
- migration 136:4 表 CHECK 约束加入 'dingtalk' provider 值
internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
SyncXxxAttrKey 目标属性 key(默认 dingtalk_email / dingtalk_name /
dingtalk_department);非 internal_only policy 在写入层与加载层均
coerce 为 false,admin handler 与 setting_service 双层兜底
- 同步语义:首次注册写 users.username(昵称优先 → 企业姓名 fallback),
之后每次登录刷新 3 个属性;空值也写入以覆盖旧值
- 邮箱三级 fallback:org_email > email > extension["企业邮箱"]
(钉钉自定义字段 JSON)
- 部门路径递归向上拼接,跳过 dept_id=1 选首个真实子部门,剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段;
新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService;OAuth pending flow 在
createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
AfterRegistration(syncUsername=true)/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义
附带修复(同集成路径暴露的两个 OAuth 注册回归)
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
覆写 caller 显式传入的 signupSource,导致 dingtalk/linuxdo/oidc/wechat
渠道授权按 email 渠道读取;改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
(Concurrency=5 / Balance=0) 当作"未配置"哨兵,admin 显式设 5 时被误判
退回全局默认(复现:全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
用户实际 concurrency=1);去掉哨兵,admin 任何 >=0 值都覆盖 globalDefaults
前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
视图;router + auth API client
- admin SettingsView:corp policy radio(none / internal_only)+ bypass
注册开关 + i18n;internal_only 下展示三同步开关 + 目标 attr key 下拉
(拉取 user attribute definitions),展示 fieldEmail /
qyapi_get_department_list 钉钉权限申请提示
- Profile:S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
320 lines
12 KiB
Go
320 lines
12 KiB
Go
package admin
|
||
|
||
import (
|
||
"bytes"
|
||
"encoding/json"
|
||
"net/http"
|
||
"net/http/httptest"
|
||
"testing"
|
||
|
||
"github.com/Wei-Shaw/sub2api/internal/config"
|
||
"github.com/Wei-Shaw/sub2api/internal/pkg/response"
|
||
"github.com/Wei-Shaw/sub2api/internal/service"
|
||
"github.com/gin-gonic/gin"
|
||
"github.com/stretchr/testify/require"
|
||
)
|
||
|
||
// dingtalkSettingsRepoStub 复用 settingHandlerRepoStub(已在 setting_handler_auth_source_defaults_test.go 定义)
|
||
|
||
func newDingTalkSettingsHandler() (*SettingHandler, *settingHandlerRepoStub) {
|
||
repo := &settingHandlerRepoStub{values: map[string]string{}}
|
||
svc := service.NewSettingService(repo, &config.Config{Default: config.DefaultConfig{UserConcurrency: 5}})
|
||
handler := NewSettingHandler(svc, nil, nil, nil, nil, nil, nil)
|
||
return handler, repo
|
||
}
|
||
|
||
// baseValidDingTalkBody 返回一个可以通过所有校验的最小合法 body。
|
||
func baseValidDingTalkBody() map[string]any {
|
||
return map[string]any{
|
||
"dingtalk_connect_enabled": true,
|
||
"dingtalk_connect_client_id": "test-client-id",
|
||
"dingtalk_connect_client_secret": "test-client-secret",
|
||
"dingtalk_connect_redirect_url": "https://example.com/auth/dingtalk/callback",
|
||
"dingtalk_connect_corp_restriction_policy": "none",
|
||
}
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_V3_InternalOnlyAllowsEmptyCorpID 验证方案 A:
|
||
// internal_only + internal_corp_id="" 应通过校验(→ 200),不再是 400。
|
||
func TestSettingsPUT_DingTalk_V3_InternalOnlyAllowsEmptyCorpID(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "internal_only"
|
||
body["dingtalk_connect_internal_corp_id"] = "" // 空值现在合法
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_HappyPath_None 验证 none policy → 200
|
||
func TestSettingsPUT_DingTalk_HappyPath_None(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "none"
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
var resp response.Response
|
||
require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &resp))
|
||
data, ok := resp.Data.(map[string]any)
|
||
require.True(t, ok)
|
||
require.Equal(t, true, data["dingtalk_connect_enabled"])
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_HappyPath_InternalOnly_WithCorpID 验证 internal_only + corp_id → 200
|
||
func TestSettingsPUT_DingTalk_HappyPath_InternalOnly_WithCorpID(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "internal_only"
|
||
body["dingtalk_connect_internal_corp_id"] = "ding-corp-123"
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_BypassRegistration_RoundTrip 验证 bypass_registration 字段 save+load。
|
||
// 必须用 policy=internal_only:bypass 仅在该 policy 下生效,其它 policy 写入层会 coerce 为 false。
|
||
func TestSettingsPUT_DingTalk_BypassRegistration_RoundTrip(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "internal_only"
|
||
body["dingtalk_connect_bypass_registration"] = true
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
var resp response.Response
|
||
require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &resp))
|
||
data, ok := resp.Data.(map[string]any)
|
||
require.True(t, ok)
|
||
require.Equal(t, true, data["dingtalk_connect_bypass_registration"])
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_Disabled_SkipsValidation 验证 disabled 时跳过 corp 校验 → 200。
|
||
// 用 enabled=true 时必然触发"Client ID is required when enabled"的空 client_id 作为
|
||
// 哨兵——只要 enabled=false 仍能 200 就证明跳过了。
|
||
func TestSettingsPUT_DingTalk_Disabled_SkipsValidation(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := map[string]any{
|
||
"dingtalk_connect_enabled": false,
|
||
"dingtalk_connect_client_id": "", // 这种空值在 enabled=true 时会被 400 拒绝
|
||
"dingtalk_connect_corp_restriction_policy": "internal_only",
|
||
}
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_SyncFlags_InternalOnly_RoundTrip 验证三个 sync 开关在 internal_only 下可正常 save+load。
|
||
func TestSettingsPUT_DingTalk_SyncFlags_InternalOnly_RoundTrip(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "internal_only"
|
||
body["dingtalk_connect_sync_corp_email"] = true
|
||
body["dingtalk_connect_sync_display_name"] = true
|
||
body["dingtalk_connect_sync_dept"] = true
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
var resp response.Response
|
||
require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &resp))
|
||
data, ok := resp.Data.(map[string]any)
|
||
require.True(t, ok)
|
||
require.Equal(t, true, data["dingtalk_connect_sync_corp_email"], "sync_corp_email should be true for internal_only")
|
||
require.Equal(t, true, data["dingtalk_connect_sync_display_name"], "sync_display_name should be true for internal_only")
|
||
require.Equal(t, true, data["dingtalk_connect_sync_dept"], "sync_dept should be true for internal_only")
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_SyncFlags_PolicyNone_CoercedToFalse 验证 policy=none 时三个 sync 开关被 coerce 为 false。
|
||
func TestSettingsPUT_DingTalk_SyncFlags_PolicyNone_CoercedToFalse(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, _ := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "none"
|
||
body["dingtalk_connect_sync_corp_email"] = true
|
||
body["dingtalk_connect_sync_display_name"] = true
|
||
body["dingtalk_connect_sync_dept"] = true
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
var resp response.Response
|
||
require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &resp))
|
||
data, ok := resp.Data.(map[string]any)
|
||
require.True(t, ok)
|
||
require.Equal(t, false, data["dingtalk_connect_sync_corp_email"], "sync_corp_email must be coerced to false when policy=none")
|
||
require.Equal(t, false, data["dingtalk_connect_sync_display_name"], "sync_display_name must be coerced to false when policy=none")
|
||
require.Equal(t, false, data["dingtalk_connect_sync_dept"], "sync_dept must be coerced to false when policy=none")
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_StaleWhitelist_CoercedToNone 验证升级兼容:
|
||
// admin 直接把 corp_restriction_policy=whitelist 提交(前端 UI 已无此选项,但 API 仍可命中)
|
||
// 不应导致 400 失败,应该被静默 coerce 为 none 后通过校验。
|
||
func TestSettingsPUT_DingTalk_StaleWhitelist_CoercedToNone(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
handler, repo := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "whitelist"
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
require.Equal(t, "none", repo.values[service.SettingKeyDingTalkConnectCorpRestrictionPolicy],
|
||
"stale whitelist 应在写入路径被 coerce 为 none")
|
||
}
|
||
|
||
// TestSettingsPUT_DingTalk_SyncAttrKey_RoundTrip 验证 3 个 attr key 字段 save+load + 空值 fallback 到默认值。
|
||
func TestSettingsPUT_DingTalk_SyncAttrKey_RoundTrip(t *testing.T) {
|
||
gin.SetMode(gin.TestMode)
|
||
|
||
t.Run("custom_attr_keys_saved", func(t *testing.T) {
|
||
handler, repo := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "internal_only"
|
||
body["dingtalk_connect_sync_corp_email"] = true
|
||
body["dingtalk_connect_sync_display_name"] = true
|
||
body["dingtalk_connect_sync_dept"] = true
|
||
body["dingtalk_connect_sync_corp_email_attr_key"] = "my_email_attr"
|
||
body["dingtalk_connect_sync_display_name_attr_key"] = "my_name_attr"
|
||
body["dingtalk_connect_sync_dept_attr_key"] = "my_dept_attr"
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
|
||
// 验证写入 DB 的 key
|
||
require.Equal(t, "my_email_attr", repo.values[service.SettingKeyDingTalkConnectSyncCorpEmailAttrKey])
|
||
require.Equal(t, "my_name_attr", repo.values[service.SettingKeyDingTalkConnectSyncDisplayNameAttrKey])
|
||
require.Equal(t, "my_dept_attr", repo.values[service.SettingKeyDingTalkConnectSyncDeptAttrKey])
|
||
|
||
// 验证响应中的 attr key
|
||
var resp response.Response
|
||
require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &resp))
|
||
data, ok := resp.Data.(map[string]any)
|
||
require.True(t, ok)
|
||
require.Equal(t, "my_email_attr", data["dingtalk_connect_sync_corp_email_attr_key"])
|
||
require.Equal(t, "my_name_attr", data["dingtalk_connect_sync_display_name_attr_key"])
|
||
require.Equal(t, "my_dept_attr", data["dingtalk_connect_sync_dept_attr_key"])
|
||
})
|
||
|
||
t.Run("empty_attr_keys_fallback_to_defaults", func(t *testing.T) {
|
||
handler, repo := newDingTalkSettingsHandler()
|
||
|
||
body := baseValidDingTalkBody()
|
||
body["dingtalk_connect_corp_restriction_policy"] = "internal_only"
|
||
// 不传 attr key → 写入层 fallback 到默认值
|
||
body["dingtalk_connect_sync_corp_email_attr_key"] = ""
|
||
body["dingtalk_connect_sync_display_name_attr_key"] = ""
|
||
body["dingtalk_connect_sync_dept_attr_key"] = ""
|
||
|
||
rawBody, err := json.Marshal(body)
|
||
require.NoError(t, err)
|
||
|
||
rec := httptest.NewRecorder()
|
||
c, _ := gin.CreateTestContext(rec)
|
||
c.Request = httptest.NewRequest(http.MethodPut, "/api/v1/admin/settings", bytes.NewReader(rawBody))
|
||
c.Request.Header.Set("Content-Type", "application/json")
|
||
|
||
handler.UpdateSettings(c)
|
||
|
||
require.Equal(t, http.StatusOK, rec.Code)
|
||
|
||
// 空值应 fallback 到默认值并持久化
|
||
require.Equal(t, "dingtalk_email", repo.values[service.SettingKeyDingTalkConnectSyncCorpEmailAttrKey])
|
||
require.Equal(t, "dingtalk_name", repo.values[service.SettingKeyDingTalkConnectSyncDisplayNameAttrKey])
|
||
require.Equal(t, "dingtalk_department", repo.values[service.SettingKeyDingTalkConnectSyncDeptAttrKey])
|
||
})
|
||
}
|