b19da9c7fe
⚠️ 应用类型约束:当前实现仅支持「钉钉登录-企业内部应用」(DingTalk 开放平台
internal_app 类型)。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed(硬约束)。
钉钉 OAuth 登录主链
- 4 步 OAuth 链:ExchangeCodeForUserToken / GetUnionIdByUserToken /
GetUserIdByUnionId / GetStaffInfoByUserId;app token 缓存
- pending session 机制持久化 OAuth 中间态;cookie-only token 持久化
- 三种分流:bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only;stale "whitelist" 在
加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关:企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
等横切点支持 dingtalk provider
- migration 136:4 表 CHECK 约束加入 'dingtalk' provider 值
internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
SyncXxxAttrKey 目标属性 key(默认 dingtalk_email / dingtalk_name /
dingtalk_department);非 internal_only policy 在写入层与加载层均
coerce 为 false,admin handler 与 setting_service 双层兜底
- 同步语义:首次注册写 users.username(昵称优先 → 企业姓名 fallback),
之后每次登录刷新 3 个属性;空值也写入以覆盖旧值
- 邮箱三级 fallback:org_email > email > extension["企业邮箱"]
(钉钉自定义字段 JSON)
- 部门路径递归向上拼接,跳过 dept_id=1 选首个真实子部门,剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段;
新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService;OAuth pending flow 在
createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
AfterRegistration(syncUsername=true)/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义
附带修复(同集成路径暴露的两个 OAuth 注册回归)
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
覆写 caller 显式传入的 signupSource,导致 dingtalk/linuxdo/oidc/wechat
渠道授权按 email 渠道读取;改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
(Concurrency=5 / Balance=0) 当作"未配置"哨兵,admin 显式设 5 时被误判
退回全局默认(复现:全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
用户实际 concurrency=1);去掉哨兵,admin 任何 >=0 值都覆盖 globalDefaults
前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
视图;router + auth API client
- admin SettingsView:corp policy radio(none / internal_only)+ bypass
注册开关 + i18n;internal_only 下展示三同步开关 + 目标 attr key 下拉
(拉取 user attribute definitions),展示 fieldEmail /
qyapi_get_department_list 钉钉权限申请提示
- Profile:S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
144 lines
5.0 KiB
Go
144 lines
5.0 KiB
Go
package handler
|
||
|
||
import (
|
||
"context"
|
||
"net/http"
|
||
"net/http/httptest"
|
||
"testing"
|
||
"time"
|
||
|
||
"github.com/stretchr/testify/require"
|
||
)
|
||
|
||
func TestDingTalkClient_ExchangeCodeForUserToken_Success(t *testing.T) {
|
||
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
require.Equal(t, "POST", r.Method)
|
||
require.Equal(t, "/v1.0/oauth2/userAccessToken", r.URL.Path)
|
||
w.Header().Set("Content-Type", "application/json")
|
||
_, _ = w.Write([]byte(`{"accessToken":"USER_TOKEN_X","expireIn":7200,"refreshToken":"R","corpId":"dingABC"}`))
|
||
}))
|
||
defer server.Close()
|
||
|
||
cli := &DingTalkClient{
|
||
cfg: dingTalkClientConfig{
|
||
ClientID: "k", ClientSecret: "s",
|
||
TokenURL: server.URL + "/v1.0/oauth2/userAccessToken",
|
||
},
|
||
httpClient: server.Client(),
|
||
}
|
||
resp, err := cli.ExchangeCodeForUserToken(context.Background(), "AUTH_CODE")
|
||
require.NoError(t, err)
|
||
require.Equal(t, "USER_TOKEN_X", resp.AccessToken)
|
||
require.Equal(t, "dingABC", resp.CorpID)
|
||
}
|
||
|
||
func TestDingTalkClient_GetUnionIdByUserToken_Success(t *testing.T) {
|
||
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
require.Equal(t, "USER_TOKEN_X", r.Header.Get("x-acs-dingtalk-access-token"))
|
||
w.Header().Set("Content-Type", "application/json")
|
||
_, _ = w.Write([]byte(`{"nick":"张三","unionId":"UID_AAA","openId":"OPEN","avatarUrl":"http://x"}`))
|
||
}))
|
||
defer server.Close()
|
||
|
||
cli := &DingTalkClient{
|
||
cfg: dingTalkClientConfig{UserInfoURL: server.URL + "/v1.0/contact/users/me"},
|
||
httpClient: server.Client(),
|
||
}
|
||
unionID, nick, err := cli.GetUnionIdByUserToken(context.Background(), "USER_TOKEN_X")
|
||
require.NoError(t, err)
|
||
require.Equal(t, "UID_AAA", unionID)
|
||
require.Equal(t, "张三", nick)
|
||
}
|
||
|
||
func TestDingTalkClient_GetAppToken_Cached(t *testing.T) {
|
||
callCount := 0
|
||
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
callCount++
|
||
_, _ = w.Write([]byte(`{"accessToken":"APP_TKN","expireIn":7200}`))
|
||
}))
|
||
defer server.Close()
|
||
|
||
cli := &DingTalkClient{
|
||
cfg: dingTalkClientConfig{ClientID: "k", ClientSecret: "s", TokenURL: server.URL + "/gettoken"},
|
||
httpClient: server.Client(),
|
||
}
|
||
t1, err := cli.GetAppToken(context.Background())
|
||
require.NoError(t, err)
|
||
t2, err := cli.GetAppToken(context.Background())
|
||
require.NoError(t, err)
|
||
require.Equal(t, t1, t2)
|
||
require.Equal(t, 1, callCount, "second call should hit cache")
|
||
}
|
||
|
||
func TestDingTalkClient_GetUserIdByUnionId_60011(t *testing.T) {
|
||
appTokenServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
_, _ = w.Write([]byte(`{"accessToken":"APP_TKN","expireIn":7200}`))
|
||
}))
|
||
defer appTokenServer.Close()
|
||
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
w.Header().Set("Content-Type", "application/json")
|
||
_, _ = w.Write([]byte(`{"errcode":60011,"errmsg":"not in directory"}`))
|
||
}))
|
||
defer server.Close()
|
||
|
||
cli := &DingTalkClient{
|
||
cfg: dingTalkClientConfig{TokenURL: appTokenServer.URL + "/gettoken"},
|
||
httpClient: server.Client(),
|
||
}
|
||
cli.appToken = "APP_TKN"
|
||
cli.appTokenExp = time.Now().Add(time.Hour)
|
||
cli.cfg.UserInfoURL = server.URL + "/v1.0/contact/users/byUnionId"
|
||
|
||
_, err := cli.GetUserIdByUnionId(context.Background(), "UID_AAA")
|
||
require.Error(t, err)
|
||
apiErr, ok := err.(*DingTalkAPIError)
|
||
require.True(t, ok)
|
||
require.Equal(t, "60011", apiErr.Code)
|
||
}
|
||
|
||
// TestDingTalkClient_GetDeptInfo_Success 验证 GetDeptInfo 正常情况返回部门信息。
|
||
func TestDingTalkClient_GetDeptInfo_Success(t *testing.T) {
|
||
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
w.Header().Set("Content-Type", "application/json")
|
||
_, _ = w.Write([]byte(`{"errcode":0,"errmsg":"ok","result":{"dept_id":42,"name":"AI数据","parent_id":1}}`))
|
||
}))
|
||
defer server.Close()
|
||
|
||
cli := &DingTalkClient{
|
||
cfg: dingTalkClientConfig{
|
||
UserInfoURL: server.URL + "/stub", // 不含 /contact/users/me,走 test stub 路径
|
||
},
|
||
httpClient: server.Client(),
|
||
}
|
||
cli.appToken = "APP_TKN"
|
||
cli.appTokenExp = time.Now().Add(time.Hour)
|
||
|
||
info, err := cli.GetDeptInfo(context.Background(), 42)
|
||
require.NoError(t, err)
|
||
require.Equal(t, int64(42), info.DeptID)
|
||
require.Equal(t, "AI数据", info.Name)
|
||
require.Equal(t, int64(1), info.ParentID)
|
||
}
|
||
|
||
// TestDingTalkClient_GetDeptInfo_ErrCode60003 验证 errcode=60003(部门不存在)时返回错误。
|
||
func TestDingTalkClient_GetDeptInfo_ErrCode60003(t *testing.T) {
|
||
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
w.Header().Set("Content-Type", "application/json")
|
||
_, _ = w.Write([]byte(`{"errcode":60003,"errmsg":"dept not found"}`))
|
||
}))
|
||
defer server.Close()
|
||
|
||
cli := &DingTalkClient{
|
||
cfg: dingTalkClientConfig{UserInfoURL: server.URL + "/stub"},
|
||
httpClient: server.Client(),
|
||
}
|
||
cli.appToken = "APP_TKN"
|
||
cli.appTokenExp = time.Now().Add(time.Hour)
|
||
|
||
_, err := cli.GetDeptInfo(context.Background(), 999)
|
||
require.Error(t, err)
|
||
apiErr, ok := err.(*DingTalkAPIError)
|
||
require.True(t, ok)
|
||
require.Equal(t, "60003", apiErr.Code)
|
||
}
|