fix: 修复4个安全漏洞 (HIGH-01, HIGH-02, MED-01, MED-02)

- HIGH-01: CheckScope空scope绕过权限检查 * 修复: 空scope现在返回false拒绝访问 - HIGH-02: JWT算法验证不严格 * 修复: 使用token.Method.Alg()严格验证只接受HS256 - MED-01: RequireAnyScope空scope列表逻辑错误 * 修复: 空列表现在返回403拒绝访问 - MED-02: Token状态缓存未命中时默认返回active * 修复: 添加TokenStatusBackend接口，缓存未命中时必须查询后端影响文件: - supply-api/internal/iam/middleware/scope_auth.go - supply-api/internal/middleware/auth.go - supply-api/cmd/supply-api/main.go (适配新API) 测试覆盖: - 添加4个新的安全测试用例 - 更新1个原有测试以反映正确的安全行为
2026-04-03 07:52:41 +08:00
parent 90490ce86d
commit 50225f6822
5 changed files with 300 additions and 66 deletions
--- a/supply-api/internal/middleware/auth.go
+++ b/supply-api/internal/middleware/auth.go
@@ -34,9 +34,15 @@ type AuthConfig struct {

 // AuthMiddleware 鉴权中间件
 type AuthMiddleware struct {
-	config       AuthConfig
-	tokenCache   *TokenCache
-	auditEmitter AuditEmitter
+	config          AuthConfig
+	tokenCache      *TokenCache
+	tokenBackend    TokenStatusBackend
+	auditEmitter    AuditEmitter
+}
+
+// TokenStatusBackend Token状态后端查询接口
+type TokenStatusBackend interface {
+	CheckTokenStatus(ctx context.Context, tokenID string) (string, error)
 }

 // AuditEmitter 审计事件发射器
@@ -57,13 +63,14 @@ type AuditEvent struct {
 }

 // NewAuthMiddleware 创建鉴权中间件
-func NewAuthMiddleware(config AuthConfig, tokenCache *TokenCache, auditEmitter AuditEmitter) *AuthMiddleware {
+func NewAuthMiddleware(config AuthConfig, tokenCache *TokenCache, tokenBackend TokenStatusBackend, auditEmitter AuditEmitter) *AuthMiddleware {
 	if config.CacheTTL == 0 {
 		config.CacheTTL = 30 * time.Second
 	}
 	return &AuthMiddleware{
 		config:       config,
 		tokenCache:   tokenCache,
+		tokenBackend: tokenBackend,
 		auditEmitter: auditEmitter,
 	}
 }
@@ -298,7 +305,8 @@ func (m *AuthMiddleware) ScopeRoleAuthzMiddleware(requiredScope string) func(htt
 // verifyToken 校验JWT token
 func (m *AuthMiddleware) verifyToken(tokenString string) (*TokenClaims, error) {
 	token, err := jwt.ParseWithClaims(tokenString, &TokenClaims{}, func(token *jwt.Token) (interface{}, error) {
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+		// 严格验证算法：只接受HS256
+		if token.Method.Alg() != jwt.SigningMethodHS256.Alg() {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
 		return []byte(m.config.SecretKey), nil
@@ -339,8 +347,13 @@ func (m *AuthMiddleware) checkTokenStatus(tokenID string) (string, error) {
 		}
 	}

-	// 缓存未命中，返回active（实际应该查询数据库）
-	return "active", nil
+	// 缓存未命中，查询后端验证token状态
+	if m.tokenBackend != nil {
+		return m.tokenBackend.CheckTokenStatus(context.Background(), tokenID)
+	}
+
+	// 没有后端实现时，应该拒绝访问而不是默认active
+	return "", errors.New("token status unknown: backend not configured")
 }

 // GetTokenClaims 从context获取token claims
--- a/supply-api/internal/middleware/auth_test.go
+++ b/supply-api/internal/middleware/auth_test.go
@@ -320,6 +320,107 @@ func TestTokenCache(t *testing.T) {
 	})
 }

+// HIGH-02: JWT算法验证不严格 - 应该拒绝非HS256的算法
+func TestHIGH02_JWT_RejectNonHS256Algorithm(t *testing.T) {
+	secretKey := "test-secret-key-12345678901234567890"
+	issuer := "test-issuer"
+
+	tests := []struct {
+		name          string
+		signingMethod jwt.SigningMethod
+		expectError   bool
+		errorContains string
+	}{
+		{
+			name:          "HS256 should be accepted",
+			signingMethod: jwt.SigningMethodHS256,
+			expectError:   false,
+		},
+		{
+			name:          "HS384 should be rejected",
+			signingMethod: jwt.SigningMethodHS384,
+			expectError:   true,
+			errorContains: "unexpected signing method",
+		},
+		{
+			name:          "HS512 should be rejected",
+			signingMethod: jwt.SigningMethodHS512,
+			expectError:   true,
+			errorContains: "unexpected signing method",
+		},
+		{
+			name:          "none algorithm should be rejected",
+			signingMethod: jwt.SigningMethodNone,
+			expectError:   true,
+			errorContains: "malformed",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			claims := TokenClaims{
+				RegisteredClaims: jwt.RegisteredClaims{
+					Issuer:    issuer,
+					Subject:   "subject:1",
+					ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+					IssuedAt:  jwt.NewNumericDate(time.Now()),
+				},
+				SubjectID: "subject:1",
+				Role:      "owner",
+				Scope:     []string{"read", "write"},
+				TenantID:  1,
+			}
+
+			token := jwt.NewWithClaims(tt.signingMethod, claims)
+			tokenString, _ := token.SignedString([]byte(secretKey))
+
+			middleware := &AuthMiddleware{
+				config: AuthConfig{
+					SecretKey: secretKey,
+					Issuer:    issuer,
+				},
+			}
+
+			_, err := middleware.verifyToken(tokenString)
+
+			if tt.expectError {
+				if err == nil {
+					t.Errorf("expected error but got nil")
+				} else if tt.errorContains != "" && !strings.Contains(err.Error(), tt.errorContains) {
+					t.Errorf("error = %v, want contains %v", err, tt.errorContains)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("unexpected error: %v", err)
+				}
+			}
+		})
+	}
+}
+
+// MED-02: checkTokenStatus缓存未命中时应该查询后端而不是默认返回active
+func TestMED02_TokenCacheMiss_ShouldNotAssumeActive(t *testing.T) {
+	// arrange
+	middleware := &AuthMiddleware{
+		config: AuthConfig{
+			SecretKey: "test-secret-key-12345678901234567890",
+			Issuer:    "test-issuer",
+		},
+		tokenCache: NewTokenCache(), // 空的缓存
+		// 没有设置tokenBackend
+	}
+
+	// act - 查询一个不在缓存中的token
+	status, err := middleware.checkTokenStatus("nonexistent-token-id")
+
+	// assert - 缓存未命中且没有后端时应该返回错误（安全修复）
+	// 修复前bug：缓存未命中时默认返回"active"
+	// 修复后：缓存未命中且没有后端时返回错误
+	if err == nil {
+		t.Errorf("MED-02: cache miss without backend should return error, got status='%s'", status)
+	}
+}
+
 // Helper functions

 func createTestToken(secretKey, issuer, subject, role string, expiresAt time.Time) string {