enoch
bb9d7a869d
Some checks failed
Deploy to Production / Run Tests (push) Failing after 16m35s
Deploy to Production / Security Scan (push) Has been skipped
Deploy to Production / Build Docker Image (push) Has been skipped
Deploy to Production / Deploy to Staging (push) Has been skipped
Deploy to Production / Deploy to Production (push) Has been skipped
Deploy to Production / Notify Results (push) Successful in 31s
✨ 新功能: - SQLite数据库集成和持久化存储 - 数据库迁移系统和版本管理 - API分页功能和高效查询 - 用户搜索和过滤机制 - 完整的RBAC角色权限系统 - 结构化日志记录和系统监控 - API限流和多层安全防护 - Docker容器化和生产部署配置 🔒 安全特性: - JWT认证和授权 - 限流和防暴力破解 - 安全头和CORS配置 - 输入验证和XSS防护 - 审计日志和安全监控 📊 监控和运维: - Prometheus指标收集 - 健康检查和系统监控 - 自动化备份和恢复 - 完整的运维文档和脚本 - CI/CD流水线配置 🚀 部署支持: - 多环境Docker配置 - 生产环境部署指南 - 性能优化和安全加固 - 故障排除和应急响应 - 自动化运维脚本 📚 文档完善: - API使用文档 - 部署检查清单 - 运维操作手册 - 性能和安全指南 - 故障排除指南
147 lines
4.6 KiB
Rust
147 lines
4.6 KiB
Rust
//! 安全中间件测试
|
|
|
|
use std::sync::Arc;
|
|
use std::net::{IpAddr, Ipv4Addr};
|
|
use rust_user_api::middleware::{SecurityConfig, SecurityState};
|
|
|
|
#[tokio::test]
|
|
async fn test_security_config_default() {
|
|
let config = SecurityConfig::default();
|
|
assert_eq!(config.requests_per_minute, 60);
|
|
assert_eq!(config.brute_force_max_attempts, 5);
|
|
assert!(config.enable_cors);
|
|
assert!(config.enable_security_headers);
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_security_state_creation() {
|
|
let config = SecurityConfig::default();
|
|
let state = SecurityState::new(config);
|
|
|
|
let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1));
|
|
|
|
// 初始状态不应该被封禁
|
|
assert!(!state.is_ip_banned(&ip));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_ip_ban_functionality() {
|
|
let config = SecurityConfig::default();
|
|
let state = SecurityState::new(config);
|
|
let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1));
|
|
|
|
// 初始状态不应该被封禁
|
|
assert!(!state.is_ip_banned(&ip));
|
|
|
|
// 封禁IP
|
|
state.ban_ip(ip, "测试封禁".to_string());
|
|
|
|
// 现在应该被封禁
|
|
assert!(state.is_ip_banned(&ip));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_suspicious_pattern_detection() {
|
|
let config = SecurityConfig::default();
|
|
let state = SecurityState::new(config);
|
|
let headers = axum::http::HeaderMap::new();
|
|
|
|
// 测试SQL注入模式
|
|
assert!(state.check_suspicious_patterns("/api/users?id=1' OR '1'='1", &headers));
|
|
|
|
// 测试XSS模式
|
|
assert!(state.check_suspicious_patterns("/api/search?q=<script>alert('xss')</script>", &headers));
|
|
|
|
// 测试路径遍历模式
|
|
assert!(state.check_suspicious_patterns("/api/files?path=../../../etc/passwd", &headers));
|
|
|
|
// 测试正常请求
|
|
assert!(!state.check_suspicious_patterns("/api/users", &headers));
|
|
assert!(!state.check_suspicious_patterns("/api/users/123", &headers));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_brute_force_detection() {
|
|
let mut config = SecurityConfig::default();
|
|
config.brute_force_max_attempts = 3; // 降低阈值便于测试
|
|
let state = SecurityState::new(config);
|
|
let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 2));
|
|
|
|
// 记录多次尝试
|
|
for _ in 0..2 {
|
|
state.record_brute_force_attempt(ip);
|
|
assert!(!state.is_ip_banned(&ip)); // 还未达到阈值
|
|
}
|
|
|
|
// 第三次尝试应该触发封禁
|
|
state.record_brute_force_attempt(ip);
|
|
assert!(state.is_ip_banned(&ip));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_cleanup_expired_records() {
|
|
let config = SecurityConfig::default();
|
|
let state = SecurityState::new(config);
|
|
let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 3));
|
|
|
|
// 记录暴力破解尝试
|
|
state.record_brute_force_attempt(ip);
|
|
|
|
// 清理过期记录(这个测试主要验证函数不会崩溃)
|
|
state.cleanup_expired_records();
|
|
|
|
// 验证功能仍然正常
|
|
assert!(!state.is_ip_banned(&ip));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_rate_limiter_creation() {
|
|
let config = SecurityConfig::default();
|
|
let state = SecurityState::new(config);
|
|
|
|
// 验证限流器已创建
|
|
let ip = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1));
|
|
|
|
// 测试限流器检查(应该允许第一个请求)
|
|
let result = state.rate_limiter.check_key(&ip);
|
|
assert!(result.is_ok());
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_security_headers_patterns() {
|
|
let config = SecurityConfig::default();
|
|
let state = SecurityState::new(config);
|
|
let mut headers = axum::http::HeaderMap::new();
|
|
|
|
// 测试恶意User-Agent
|
|
headers.insert("user-agent", "sqlmap/1.0".parse().unwrap());
|
|
assert!(!state.check_suspicious_patterns("/api/users", &headers)); // 当前实现不检查sqlmap
|
|
|
|
// 测试正常User-Agent
|
|
headers.insert("user-agent", "Mozilla/5.0".parse().unwrap());
|
|
assert!(!state.check_suspicious_patterns("/api/users", &headers));
|
|
|
|
// 测试可疑Referer
|
|
headers.insert("referer", "javascript:alert('xss')".parse().unwrap());
|
|
assert!(state.check_suspicious_patterns("/api/users", &headers));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn test_multiple_ips_isolation() {
|
|
let mut config = SecurityConfig::default();
|
|
config.brute_force_max_attempts = 2;
|
|
let state = SecurityState::new(config);
|
|
|
|
let ip1 = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 10));
|
|
let ip2 = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 11));
|
|
|
|
// IP1 触发封禁
|
|
state.record_brute_force_attempt(ip1);
|
|
state.record_brute_force_attempt(ip1);
|
|
assert!(state.is_ip_banned(&ip1));
|
|
|
|
// IP2 应该不受影响
|
|
assert!(!state.is_ip_banned(&ip2));
|
|
state.record_brute_force_attempt(ip2);
|
|
assert!(!state.is_ip_banned(&ip2)); // 只有一次尝试,不应该被封禁
|
|
} |