fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
@@ -168,6 +168,32 @@ server:
}
}
func TestLoadAppliesServerSecurityDefaultsAndOriginOverrides(t *testing.T) {
t.Setenv("SERVER_ALLOWED_ORIGINS", "https://admin.example.com, https://ops.example.com")
configPath := writeTestConfig(t, `
server: {}
`)
cfg, err := Load(configPath)
if err != nil {
t.Fatalf("Load() error = %v", err)
}
if !cfg.Server.SecurityHeaders.Enabled {
t.Fatalf("expected security headers enabled by default")
}
wantOrigins := []string{"https://admin.example.com", "https://ops.example.com"}
if len(cfg.Server.AllowedOrigins) != len(wantOrigins) {
t.Fatalf("allowed origins = %#v, want %#v", cfg.Server.AllowedOrigins, wantOrigins)
}
for i := range wantOrigins {
if cfg.Server.AllowedOrigins[i] != wantOrigins[i] {
t.Fatalf("allowed origins = %#v, want %#v", cfg.Server.AllowedOrigins, wantOrigins)
}
}
}
func TestLoadAppliesSchedulerHTTPDefaultsAndDisableSentinel(t *testing.T) {
defaultConfigPath := writeTestConfig(t, `
scheduler: {}
@@ -358,6 +384,34 @@ jwt:
}
}
func TestLoadPrefersEnvPasswordCipherSettings(t *testing.T) {
t.Setenv("AUTH_PASSWORD_CIPHER_ENABLED", "true")
t.Setenv("AUTH_PASSWORD_CIPHER_KEY_ID", "env-key")
t.Setenv("AUTH_PASSWORD_CIPHER_PRIVATE_KEY_PEM", "pem-value")
configPath := writeTestConfig(t, `
auth:
password_cipher:
enabled: false
key_id: config-key
private_key_pem: config-pem
`)
cfg, err := Load(configPath)
if err != nil {
t.Fatalf("Load() error = %v", err)
}
if !cfg.Auth.PasswordCipher.Enabled {
t.Fatalf("expected env password cipher enabled")
}
if cfg.Auth.PasswordCipher.KeyID != "env-key" {
t.Fatalf("expected env key id, got %q", cfg.Auth.PasswordCipher.KeyID)
}
if cfg.Auth.PasswordCipher.PrivateKeyPEM != "pem-value" {
t.Fatalf("expected env private key pem, got %q", cfg.Auth.PasswordCipher.PrivateKeyPEM)
}
}
func TestLoadAppliesMembershipDefaults(t *testing.T) {
configPath := writeTestConfig(t, `
membership: {}