feat(P1/P2): 完成TDD开发及P1/P2设计文档

## 设计文档 - multi_role_permission_design: 多角色权限设计 (CONDITIONAL GO) - audit_log_enhancement_design: 审计日志增强 (CONDITIONAL GO) - routing_strategy_template_design: 路由策略模板 (CONDITIONAL GO) - sso_saml_technical_research: SSO/SAML调研 (CONDITIONAL GO) - compliance_capability_package_design: 合规能力包设计 (CONDITIONAL GO) ## TDD开发成果 - IAM模块: supply-api/internal/iam/ (111个测试) - 审计日志模块: supply-api/internal/audit/ (40+测试) - 路由策略模块: gateway/internal/router/ (33+测试) - 合规能力包: gateway/internal/compliance/ + scripts/ci/compliance/ ## 规范文档 - parallel_agent_output_quality_standards: 并行Agent产出质量规范 - project_experience_summary: 项目经验总结 (v2) - 2026-04-02-p1-p2-tdd-execution-plan: TDD执行计划 ## 评审报告 - 5个CONDITIONAL GO设计文档评审报告 - fix_verification_report: 修复验证报告 - full_verification_report: 全面质量验证报告 - tdd_module_quality_verification: TDD模块质量验证 - tdd_execution_summary: TDD执行总结依据: Superpowers执行框架 + TDD规范
2026-04-02 23:35:53 +08:00
parent ed0961d486
commit 89104bd0db
94 changed files with 24738 additions and 5 deletions
--- a/gateway/internal/compliance/rules/auth_query_test.go
+++ b/gateway/internal/compliance/rules/auth_query_test.go
@@ -0,0 +1,183 @@
+package rules
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestAuthQueryKey 测试query key请求检测
+func TestAuthQueryKey(t *testing.T) {
+	loader := NewRuleLoader()
+	engine := NewRuleEngine(loader)
+
+	rule := Rule{
+		ID:       "AUTH-QUERY-KEY",
+		Name:     "Query Key请求检测",
+		Severity: "P0",
+		Matchers: []Matcher{
+			{
+				Type:    "regex_match",
+				Pattern: "(key=|api_key=|token=|bearer=|authorization=)",
+				Target:  "query_string",
+				Scope:   "all",
+			},
+		},
+		Action: Action{
+			Primary:   "reject",
+			Secondary: "alert",
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		input       string
+		shouldMatch bool
+	}{
+		{
+			name:        "包含key参数",
+			input:       "?key=sk-1234567890abcdefghijklmnopqrstuvwxyz",
+			shouldMatch: true,
+		},
+		{
+			name:        "包含api_key参数",
+			input:       "?api_key=sk-1234567890abcdefghijklmnopqrstuvwxyz",
+			shouldMatch: true,
+		},
+		{
+			name:        "包含token参数",
+			input:       "?token=bearer_1234567890abcdefghijklmnop",
+			shouldMatch: true,
+		},
+		{
+			name:        "不包含认证参数",
+			input:       "?query=hello&limit=10",
+			shouldMatch: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			matchResult := engine.Match(rule, tc.input)
+			assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)
+		})
+	}
+}
+
+// TestAuthQueryInject 测试query key注入检测
+func TestAuthQueryInject(t *testing.T) {
+	loader := NewRuleLoader()
+	engine := NewRuleEngine(loader)
+
+	rule := Rule{
+		ID:       "AUTH-QUERY-INJECT",
+		Name:     "Query Key注入检测",
+		Severity: "P0",
+		Matchers: []Matcher{
+			{
+				Type:    "regex_match",
+				Pattern: "(key=|api_key=|token=|bearer=|authorization=).*[a-zA-Z0-9]{20,}",
+				Target:  "query_string",
+				Scope:   "all",
+			},
+		},
+		Action: Action{
+			Primary:   "reject",
+			Secondary: "alert",
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		input       string
+		shouldMatch bool
+	}{
+		{
+			name:        "包含注入的key",
+			input:       "?key=sk-1234567890abcdefghijklmnopqrstuvwxyz",
+			shouldMatch: true,
+		},
+		{
+			name:        "包含空key值",
+			input:       "?key=",
+			shouldMatch: false,
+		},
+		{
+			name:        "包含短key值",
+			input:       "?key=short",
+			shouldMatch: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			matchResult := engine.Match(rule, tc.input)
+			assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)
+		})
+	}
+}
+
+// TestAuthQueryAudit 测试query key审计检测
+func TestAuthQueryAudit(t *testing.T) {
+	loader := NewRuleLoader()
+	engine := NewRuleEngine(loader)
+
+	rule := Rule{
+		ID:       "AUTH-QUERY-AUDIT",
+		Name:     "Query Key审计检测",
+		Severity: "P1",
+		Matchers: []Matcher{
+			{
+				Type:    "regex_match",
+				Pattern: "(query_key|qkey|query_token)",
+				Target:  "internal_context",
+				Scope:   "all",
+			},
+		},
+		Action: Action{
+			Primary:   "alert",
+			Secondary: "log",
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		input       string
+		shouldMatch bool
+	}{
+		{
+			name:        "包含query_key标记",
+			input:       "internal: query_key=abc123",
+			shouldMatch: true,
+		},
+		{
+			name:        "不包含query_key标记",
+			input:       "internal: platform_token=xyz789",
+			shouldMatch: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			matchResult := engine.Match(rule, tc.input)
+			assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)
+		})
+	}
+}
+
+// TestAuthQueryRuleIDFormat 测试规则ID格式
+func TestAuthQueryRuleIDFormat(t *testing.T) {
+	loader := NewRuleLoader()
+
+	validIDs := []string{
+		"AUTH-QUERY-KEY",
+		"AUTH-QUERY-INJECT",
+		"AUTH-QUERY-AUDIT",
+	}
+
+	for _, id := range validIDs {
+		t.Run(id, func(t *testing.T) {
+			assert.True(t, loader.ValidateRuleID(id), "Rule ID %s should be valid", id)
+		})
+	}
+}