Files
root ffe4d335aa feat(auth): add workspace scope middleware and context
Introduces current-workspace context helpers plus a WorkspaceScope
middleware that validates X-Workspace-ID against workspace memberships,
defaulting to the actor's primary workspace. Prepares monitoring paths
to resolve quota/access-state per request workspace instead of per tenant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 22:18:54 +08:00

124 lines
3.2 KiB
Go

package middleware
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/assert"
"github.com/geo-platform/tenant-api/internal/shared/auth"
)
func init() {
gin.SetMode(gin.TestMode)
}
func TestTenantScope_ValidActor(t *testing.T) {
r := gin.New()
r.Use(func(c *gin.Context) {
actor := auth.Actor{UserID: 1, TenantID: 10, Role: "editor"}
c.Request = c.Request.WithContext(auth.WithActor(c.Request.Context(), actor))
c.Next()
})
r.Use(TenantScope())
var gotTenantID int64
r.GET("/test", func(c *gin.Context) {
gotTenantID = TenantIDFromCtx(c.Request.Context())
c.Status(http.StatusOK)
})
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/test", nil)
r.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
assert.Equal(t, int64(10), gotTenantID)
}
func TestTenantScope_MissingActor(t *testing.T) {
r := gin.New()
r.Use(TenantScope())
r.GET("/test", func(c *gin.Context) { c.Status(http.StatusOK) })
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/test", nil)
r.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
}
func TestTenantScope_ZeroTenantID(t *testing.T) {
r := gin.New()
r.Use(func(c *gin.Context) {
actor := auth.Actor{UserID: 1, TenantID: 0, Role: "editor"}
c.Request = c.Request.WithContext(auth.WithActor(c.Request.Context(), actor))
c.Next()
})
r.Use(TenantScope())
r.GET("/test", func(c *gin.Context) { c.Status(http.StatusOK) })
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/test", nil)
r.ServeHTTP(w, req)
assert.Equal(t, http.StatusUnauthorized, w.Code)
}
func TestTenantIDFromCtx_RoundTrip(t *testing.T) {
ctx := WithTenantID(context.Background(), 42)
assert.Equal(t, int64(42), TenantIDFromCtx(ctx))
}
func TestTenantIDFromCtx_Missing(t *testing.T) {
assert.Equal(t, int64(0), TenantIDFromCtx(context.Background()))
}
func TestWorkspaceScopeDefaultsToActorPrimaryWorkspace(t *testing.T) {
r := gin.New()
r.Use(func(c *gin.Context) {
actor := auth.Actor{UserID: 1, TenantID: 10, PrimaryWorkspaceID: 30, Role: "editor"}
c.Request = c.Request.WithContext(auth.WithActor(c.Request.Context(), actor))
c.Next()
})
r.Use(WorkspaceScope(nil))
var gotWorkspaceID int64
r.GET("/test", func(c *gin.Context) {
gotWorkspaceID = auth.CurrentWorkspaceID(c.Request.Context())
c.Status(http.StatusOK)
})
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/test", nil)
r.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
assert.Equal(t, int64(30), gotWorkspaceID)
}
func TestRequestedWorkspaceIDDefaultsToPrimary(t *testing.T) {
got, err := requestedWorkspaceID("", 42)
assert.NoError(t, err)
assert.Equal(t, int64(42), got)
}
func TestRequestedWorkspaceIDParsesHeader(t *testing.T) {
got, err := requestedWorkspaceID("84", 42)
assert.NoError(t, err)
assert.Equal(t, int64(84), got)
}
func TestRequestedWorkspaceIDRejectsInvalidHeader(t *testing.T) {
_, err := requestedWorkspaceID("nope", 42)
assert.Error(t, err)
}
func TestRequestedWorkspaceIDRejectsNonPositiveHeader(t *testing.T) {
_, err := requestedWorkspaceID("0", 42)
assert.Error(t, err)
}