xiaokang/lotteryLaravel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
442b6dc7586d081e084a387fd1d5ef922b4fdd3a
lotteryLaravel/tests/Feature/AdminIntegrationSiteApiTest.php
kang fe0594beaa feat: 增强钱包 API URL 验证与配置 
- 在 AdminIntegrationSiteStoreRequest 和 AdminIntegrationSiteUpdateRequest 中引入 WalletApiUrlRule,确保 wallet_api_url 字段符合 HTTPS 公开域名要求。
- 更新 HttpMainSiteWalletBalanceClient 和 HttpMainSiteWalletGateway,使用 WalletApiUrlSanitizer 进行 URL 规范化与验证,防止 SSRF 攻击。
- 新增测试用例,验证 wallet_api_url 的有效性,确保系统安全性与稳定性。
- 更新 .env.example 文件,添加 LOTTERY_RISK_POOL_USE_REDIS_LUA 配置项以支持 Redis Lua 原子扣减功能。
- 修改 package-lock.json 中的项目名称,确保一致性。
- 在 API 路由中新增 integration/runtime-origins 路由,提供运行时白名单功能。
2026-05-28 10:10:26 +08:00

365 lines
13 KiB
PHP
Raw Blame History

<?php
use App\Models\AdminSite;
use App\Models\AuditLog;
use App\Models\AdminUser;
use App\Models\Player;
use App\Services\Integration\PartnerSiteConfig;
use App\Services\Integration\PartnerSiteConfigResolver;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Http;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
beforeEach(function (): void {
$this->artisan('lottery:admin-auth-sync')->assertExitCode(0);
});
function integrationAdminToken(): string
{
$admin = AdminUser::query()->create([
'username' => 'integration_admin',
'name' => 'Integration Admin',
'email' => null,
'password' => Hash::make('secret-strong'),
'status' => 0,
]);
grantSuperAdminRole($admin);
return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
}
test('super admin can create integration site and receive secrets once', function (): void {
$token = integrationAdminToken();
$response = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'partner-a',
'name' => 'Partner A',
'wallet_api_url' => 'https://wallet.partner-a.test',
'status' => 1,
]);
$response->assertCreated()
->assertJsonPath('code', 0)
->assertJsonPath('data.code', 'partner-a')
->assertJsonPath('data.secrets_display_once', true)
->assertJsonStructure([
'data' => [
'secrets' => ['sso_jwt_secret', 'wallet_api_key'],
],
]);
$site = AdminSite::query()->where('code', 'partner-a')->first();
expect($site)->not->toBeNull();
expect($site?->decryptedSsoJwtSecret())->not->toBeEmpty();
expect(AuditLog::query()->where('module_code', 'integration')->where('action_code', 'create')->exists())->toBeTrue();
});
test('integration site code cannot be changed on update', function (): void {
$token = integrationAdminToken();
$create = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'partner-b',
'name' => 'Partner B',
]);
$create->assertCreated();
$id = (int) $create->json('data.id');
$this->withHeader('Authorization', 'Bearer '.$token)
->putJson('/api/v1/admin/integration-sites/'.$id, [
'name' => 'Partner B Renamed',
'status' => 1,
])
->assertOk()
->assertJsonPath('data.code', 'partner-b')
->assertJsonPath('data.name', 'Partner B Renamed');
});
test('partner site config resolver cache roundtrip returns partner site config', function (): void {
AdminSite::query()->create([
'code' => 'cache-roundtrip',
'name' => 'Cache',
'currency_code' => 'NPR',
'status' => 1,
'is_default' => false,
'sso_jwt_secret_encrypted' => encrypt('cache-sso'),
'wallet_api_key_encrypted' => encrypt('cache-wallet'),
]);
$resolver = app(PartnerSiteConfigResolver::class);
$first = $resolver->resolveBySiteCode('cache-roundtrip');
$second = $resolver->resolveBySiteCode('cache-roundtrip');
expect($second)->toBeInstanceOf(PartnerSiteConfig::class)
->and($second->ssoJwtSecret)->toBe('cache-sso');
});
test('partner site config resolver reads database secrets', function (): void {
AdminSite::query()->create([
'code' => 'partner-db',
'name' => 'DB Partner',
'currency_code' => 'NPR',
'status' => 1,
'is_default' => false,
'sso_jwt_secret_encrypted' => encrypt('db-sso-secret'),
'wallet_api_key_encrypted' => encrypt('db-wallet-key'),
'wallet_api_url' => 'https://wallet.db.test',
]);
$config = app(PartnerSiteConfigResolver::class)->resolveBySiteCode('partner-db');
expect($config->source)->toBe('database')
->and($config->ssoJwtSecret)->toBe('db-sso-secret')
->and($config->walletApiKey)->toBe('db-wallet-key')
->and($config->walletApiUrl)->toBe('https://wallet.db.test');
});
test('rotate secrets returns new plaintext once', function (): void {
$token = integrationAdminToken();
$create = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'partner-rotate',
'name' => 'Rotate',
]);
$id = (int) $create->json('data.id');
$oldSecret = (string) $create->json('data.secrets.sso_jwt_secret');
$rotate = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites/'.$id.'/rotate-secrets');
$rotate->assertOk();
$newSecret = (string) $rotate->json('data.secrets.sso_jwt_secret');
expect($newSecret)->not->toBe($oldSecret);
expect(AuditLog::query()->where('action_code', 'rotate_secrets')->exists())->toBeTrue();
});
test('connectivity test probes partner balance api', function (): void {
Http::fake([
'https://wallet.probe.test/*' => Http::response([
'success' => true,
'data' => ['main_balance' => 12345, 'currency_code' => 'NPR'],
], 200),
]);
$token = integrationAdminToken();
$create = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'probe-site',
'name' => 'Probe',
'wallet_api_url' => 'https://wallet.probe.test',
]);
$id = (int) $create->json('data.id');
$response = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites/'.$id.'/connectivity-test', [
'site_player_id' => '10001',
'currency_code' => 'NPR',
]);
$response->assertOk()
->assertJsonPath('data.probe.success', true)
->assertJsonPath('data.probe.main_balance_minor', 12345);
});
test('export parameter sheet excludes plaintext secrets', function (): void {
$token = integrationAdminToken();
$create = $this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'export-site',
'name' => 'Export',
'wallet_api_url' => 'https://wallet.export.test',
]);
$id = (int) $create->json('data.id');
$response = $this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/integration-sites/'.$id.'/export');
$response->assertOk()
->assertJsonPath('data.site_code', 'export-site')
->assertJsonPath('data.sso_secret_masked', '••••••••')
->assertJsonMissingPath('data.secrets')
->assertJsonMissingPath('data.sso_jwt_secret');
});
test('site scoped admin only sees bound integration sites', function (): void {
$token = integrationAdminToken();
$this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'site-a',
'name' => 'Site A',
])
->assertCreated();
$this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'site-b',
'name' => 'Site B',
])
->assertCreated();
$siteAId = (int) AdminSite::query()->where('code', 'site-a')->value('id');
$siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id');
$scopedAdmin = AdminUser::query()->create([
'username' => 'integration_scoped',
'name' => 'Scoped',
'email' => null,
'password' => Hash::make('secret-strong'),
'status' => 0,
]);
$roleId = (int) DB::table('admin_roles')->insertGetId([
'slug' => 'integration_scoped_role',
'name' => 'Integration Scoped',
'code' => 'integration_scoped_role',
'created_at' => now(),
'updated_at' => now(),
]);
$viewActionId = (int) DB::table('admin_menu_actions')
->where('permission_code', 'integration.site.view')
->value('id');
DB::table('admin_role_menu_actions')->insert([
'role_id' => $roleId,
'menu_action_id' => $viewActionId,
]);
DB::table('admin_user_site_roles')->insert([
'admin_user_id' => $scopedAdmin->id,
'site_id' => $siteAId,
'role_id' => $roleId,
'granted_at' => now(),
]);
$scopedToken = $scopedAdmin->createToken('test', ['*'], now()->addDay())->plainTextToken;
app('auth')->forgetGuards();
$list = $this->withHeader('Authorization', 'Bearer '.$scopedToken)
->getJson('/api/v1/admin/integration-sites')
->assertOk();
$codes = collect($list->json('data.items'))->pluck('code')->all();
expect($codes)->toContain('site-a')->not->toContain('site-b');
$this->withHeader('Authorization', 'Bearer '.$scopedToken)
->getJson('/api/v1/admin/integration-sites/'.$siteBId)
->assertForbidden();
});
test('player list is filtered by admin site binding', function (): void {
$this->seed(\Database\Seeders\CurrencySeeder::class);
Player::query()->create([
'site_code' => 'site-a',
'site_player_id' => 'pa-1',
'username' => 'pa1',
'nickname' => 'PA1',
'default_currency' => 'NPR',
'status' => 0,
]);
Player::query()->create([
'site_code' => 'site-b',
'site_player_id' => 'pb-1',
'username' => 'pb1',
'nickname' => 'PB1',
'default_currency' => 'NPR',
'status' => 0,
]);
AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]);
AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]);
$siteAId = (int) AdminSite::query()->where('code', 'site-a')->value('id');
$scopedAdmin = AdminUser::query()->create([
'username' => 'player_scoped',
'name' => 'Player Scoped',
'email' => null,
'password' => Hash::make('secret-strong'),
'status' => 0,
]);
$roleId = (int) DB::table('admin_roles')->insertGetId([
'slug' => 'player_scoped_role',
'name' => 'Player Scoped',
'code' => 'player_scoped_role',
'created_at' => now(),
'updated_at' => now(),
]);
$viewActionId = (int) DB::table('admin_menu_actions')
->where('permission_code', 'service.players.view')
->value('id');
DB::table('admin_role_menu_actions')->insert([
'role_id' => $roleId,
'menu_action_id' => $viewActionId,
]);
DB::table('admin_user_site_roles')->insert([
'admin_user_id' => $scopedAdmin->id,
'site_id' => $siteAId,
'role_id' => $roleId,
'granted_at' => now(),
]);
$scopedToken = $scopedAdmin->createToken('test', ['*'], now()->addDay())->plainTextToken;
$response = $this->withHeader('Authorization', 'Bearer '.$scopedToken)
->getJson('/api/v1/admin/players')
->assertOk();
$siteCodes = collect($response->json('data.items'))->pluck('site_code')->unique()->values()->all();
expect($siteCodes)->toBe(['site-a']);
});
test('wallet_api_url rejects non-https', function (): void {
$token = integrationAdminToken();
$this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'bad-https-1',
'name' => 'Bad HTTPS 1',
'wallet_api_url' => 'http://wallet.bad.test',
])
->assertStatus(422)
->assertJsonPath('data.errors.wallet_api_url.0', 'wallet_api_url 必须是 https 的公开域名根地址,并拒绝 localhost/内网 IP 与带路径/查询的地址。');
});
test('wallet_api_url rejects localhost', function (): void {
$token = integrationAdminToken();
$this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'bad-https-2',
'name' => 'Bad HTTPS 2',
'wallet_api_url' => 'https://localhost:8080',
])
->assertStatus(422)
->assertJsonPath('data.errors.wallet_api_url.0', 'wallet_api_url 必须是 https 的公开域名根地址,并拒绝 localhost/内网 IP 与带路径/查询的地址。');
});
test('wallet_api_url rejects private ip with path', function (): void {
$token = integrationAdminToken();
$this->withHeader('Authorization', 'Bearer '.$token)
->postJson('/api/v1/admin/integration-sites', [
'code' => 'bad-https-3',
'name' => 'Bad HTTPS 3',
'wallet_api_url' => 'https://127.0.0.1/wallet',
])
->assertStatus(422)
->assertJsonPath('data.errors.wallet_api_url.0', 'wallet_api_url 必须是 https 的公开域名根地址,并拒绝 localhost/内网 IP 与带路径/查询的地址。');
});
Reference in New Issue View Git Blame Copy Permalink