gateway/internal/compliance/rules/cred_direct_test.go

package rules

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

// TestCredDirectSupplier 测试直连供应商检测
func TestCredDirectSupplier(t *testing.T) {
	loader := NewRuleLoader()
	engine := NewRuleEngine(loader)

	rule := Rule{
		ID:       "CRED-DIRECT-SUPPLIER",
		Name:     "直连供应商检测",
		Severity: "P0",
		Matchers: []Matcher{
			{
				Type:    "regex_match",
				Pattern: "(api\\.openai\\.com|api\\.anthropic\\.com|api\\.minimax\\.chat)",
				Target:  "request_host",
				Scope:   "all",
			},
		},
		Action: Action{
			Primary:   "block",
			Secondary: "alert",
		},
	}

	testCases := []struct {
		name        string
		input       string
		shouldMatch bool
	}{
		{
			name:        "直连OpenAI API",
			input:       "api.openai.com",
			shouldMatch: true,
		},
		{
			name:        "直连Anthropic API",
			input:       "api.anthropic.com",
			shouldMatch: true,
		},
		{
			name:        "通过平台代理",
			input:       "gateway.platform.com",
			shouldMatch: false,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			matchResult := engine.Match(rule, tc.input)
			assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)
		})
	}
}

// TestCredDirectAPI 测试直连API端点检测
func TestCredDirectAPI(t *testing.T) {
	loader := NewRuleLoader()
	engine := NewRuleEngine(loader)

	rule := Rule{
		ID:       "CRED-DIRECT-API",
		Name:     "直连API端点检测",
		Severity: "P0",
		Matchers: []Matcher{
			{
				Type:    "regex_match",
				Pattern: "^/v1/(chat/completions|completions|embeddings)$",
				Target:  "request_path",
				Scope:   "all",
			},
		},
		Action: Action{
			Primary: "block",
		},
	}

	testCases := []struct {
		name        string
		input       string
		shouldMatch bool
	}{
		{
			name:        "直接访问chat completions",
			input:       "/v1/chat/completions",
			shouldMatch: true,
		},
		{
			name:        "直接访问completions",
			input:       "/v1/completions",
			shouldMatch: true,
		},
		{
			name:        "平台代理路径",
			input:       "/api/platform/v1/chat/completions",
			shouldMatch: false,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			matchResult := engine.Match(rule, tc.input)
			assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)
		})
	}
}

// TestCredDirectUnauth 测试未授权直连检测
func TestCredDirectUnauth(t *testing.T) {
	loader := NewRuleLoader()
	engine := NewRuleEngine(loader)

	rule := Rule{
		ID:       "CRED-DIRECT-UNAUTH",
		Name:     "未授权直连检测",
		Severity: "P0",
		Matchers: []Matcher{
			{
				Type:    "regex_match",
				Pattern: "(direct_ip| bypass_proxy| no_platform_auth)",
				Target:  "connection_metadata",
				Scope:   "all",
			},
		},
		Action: Action{
			Primary:   "block",
			Secondary: "alert",
		},
	}

	testCases := []struct {
		name        string
		input       string
		shouldMatch bool
	}{
		{
			name:        "检测到直连标记",
			input:       "direct_ip: 203.0.113.50, bypass_proxy: true",
			shouldMatch: true,
		},
		{
			name:        "正常代理请求",
			input:       "via: platform_proxy, auth: platform_token",
			shouldMatch: false,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			matchResult := engine.Match(rule, tc.input)
			assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)
		})
	}
}

// TestCredDirectRuleIDFormat 测试规则ID格式
func TestCredDirectRuleIDFormat(t *testing.T) {
	loader := NewRuleLoader()

	validIDs := []string{
		"CRED-DIRECT-SUPPLIER",
		"CRED-DIRECT-API",
		"CRED-DIRECT-UNAUTH",
	}

	for _, id := range validIDs {
		t.Run(id, func(t *testing.T) {
			assert.True(t, loader.ValidateRuleID(id), "Rule ID %s should be valid", id)
		})
	}
}
feat(P1/P2): 完成TDD开发及P1/P2设计文档 ## 设计文档 - multi_role_permission_design: 多角色权限设计 (CONDITIONAL GO) - audit_log_enhancement_design: 审计日志增强 (CONDITIONAL GO) - routing_strategy_template_design: 路由策略模板 (CONDITIONAL GO) - sso_saml_technical_research: SSO/SAML调研 (CONDITIONAL GO) - compliance_capability_package_design: 合规能力包设计 (CONDITIONAL GO) ## TDD开发成果 - IAM模块: supply-api/internal/iam/ (111个测试) - 审计日志模块: supply-api/internal/audit/ (40+测试) - 路由策略模块: gateway/internal/router/ (33+测试) - 合规能力包: gateway/internal/compliance/ + scripts/ci/compliance/ ## 规范文档 - parallel_agent_output_quality_standards: 并行Agent产出质量规范 - project_experience_summary: 项目经验总结 (v2) - 2026-04-02-p1-p2-tdd-execution-plan: TDD执行计划 ## 评审报告 - 5个CONDITIONAL GO设计文档评审报告 - fix_verification_report: 修复验证报告 - full_verification_report: 全面质量验证报告 - tdd_module_quality_verification: TDD模块质量验证 - tdd_execution_summary: TDD执行总结依据: Superpowers执行框架 + TDD规范 2026-04-02 23:35:53 +08:00			`package rules`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`)`

			`// TestCredDirectSupplier 测试直连供应商检测`
			`func TestCredDirectSupplier(t *testing.T) {`
			`loader := NewRuleLoader()`
			`engine := NewRuleEngine(loader)`

			`rule := Rule{`
			`ID: "CRED-DIRECT-SUPPLIER",`
			`Name: "直连供应商检测",`
			`Severity: "P0",`
			`Matchers: []Matcher{`
			`{`
			`Type: "regex_match",`
			`Pattern: "(api\\.openai\\.com\|api\\.anthropic\\.com\|api\\.minimax\\.chat)",`
			`Target: "request_host",`
			`Scope: "all",`
			`},`
			`},`
			`Action: Action{`
			`Primary: "block",`
			`Secondary: "alert",`
			`},`
			`}`

			`testCases := []struct {`
			`name string`
			`input string`
			`shouldMatch bool`
			`}{`
			`{`
			`name: "直连OpenAI API",`
			`input: "api.openai.com",`
			`shouldMatch: true,`
			`},`
			`{`
			`name: "直连Anthropic API",`
			`input: "api.anthropic.com",`
			`shouldMatch: true,`
			`},`
			`{`
			`name: "通过平台代理",`
			`input: "gateway.platform.com",`
			`shouldMatch: false,`
			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
			`matchResult := engine.Match(rule, tc.input)`
			`assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)`
			`})`
			`}`
			`}`

			`// TestCredDirectAPI 测试直连API端点检测`
			`func TestCredDirectAPI(t *testing.T) {`
			`loader := NewRuleLoader()`
			`engine := NewRuleEngine(loader)`

			`rule := Rule{`
			`ID: "CRED-DIRECT-API",`
			`Name: "直连API端点检测",`
			`Severity: "P0",`
			`Matchers: []Matcher{`
			`{`
			`Type: "regex_match",`
			`Pattern: "^/v1/(chat/completions\|completions\|embeddings)$",`
			`Target: "request_path",`
			`Scope: "all",`
			`},`
			`},`
			`Action: Action{`
			`Primary: "block",`
			`},`
			`}`

			`testCases := []struct {`
			`name string`
			`input string`
			`shouldMatch bool`
			`}{`
			`{`
			`name: "直接访问chat completions",`
			`input: "/v1/chat/completions",`
			`shouldMatch: true,`
			`},`
			`{`
			`name: "直接访问completions",`
			`input: "/v1/completions",`
			`shouldMatch: true,`
			`},`
			`{`
			`name: "平台代理路径",`
			`input: "/api/platform/v1/chat/completions",`
			`shouldMatch: false,`
			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
			`matchResult := engine.Match(rule, tc.input)`
			`assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)`
			`})`
			`}`
			`}`

			`// TestCredDirectUnauth 测试未授权直连检测`
			`func TestCredDirectUnauth(t *testing.T) {`
			`loader := NewRuleLoader()`
			`engine := NewRuleEngine(loader)`

			`rule := Rule{`
			`ID: "CRED-DIRECT-UNAUTH",`
			`Name: "未授权直连检测",`
			`Severity: "P0",`
			`Matchers: []Matcher{`
			`{`
			`Type: "regex_match",`
			`Pattern: "(direct_ip\| bypass_proxy\| no_platform_auth)",`
			`Target: "connection_metadata",`
			`Scope: "all",`
			`},`
			`},`
			`Action: Action{`
			`Primary: "block",`
			`Secondary: "alert",`
			`},`
			`}`

			`testCases := []struct {`
			`name string`
			`input string`
			`shouldMatch bool`
			`}{`
			`{`
			`name: "检测到直连标记",`
			`input: "direct_ip: 203.0.113.50, bypass_proxy: true",`
			`shouldMatch: true,`
			`},`
			`{`
			`name: "正常代理请求",`
			`input: "via: platform_proxy, auth: platform_token",`
			`shouldMatch: false,`
			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
			`matchResult := engine.Match(rule, tc.input)`
			`assert.Equal(t, tc.shouldMatch, matchResult.Matched, "Test case: %s", tc.name)`
			`})`
			`}`
			`}`

			`// TestCredDirectRuleIDFormat 测试规则ID格式`
			`func TestCredDirectRuleIDFormat(t *testing.T) {`
			`loader := NewRuleLoader()`

			`validIDs := []string{`
			`"CRED-DIRECT-SUPPLIER",`
			`"CRED-DIRECT-API",`
			`"CRED-DIRECT-UNAUTH",`
			`}`

			`for _, id := range validIDs {`
			`t.Run(id, func(t *testing.T) {`
			`assert.True(t, loader.ValidateRuleID(id), "Rule ID %s should be valid", id)`
			`})`
			`}`
			`}`