fix(auth): iam check

tests/iam_client_cache.rs

@@ -4,15 +4,11 @@ use std::sync::{
 };
 use std::time::Duration;
 
-use axum::{Json, Router, routing::post};
 use axum::response::IntoResponse;
+use axum::{Json, Router, routing::post};
 use cms_service::infrastructure::iam_client::{IamClient, IamClientConfig};
-use serde::{Deserialize, Serialize};
-
-#[derive(Debug, Deserialize)]
-struct AuthorizationCheckRequest {
-    permission: String,
-}
+use serde::Serialize;
+use serde_json::Value;
 
 #[derive(Debug, Serialize)]
 struct AuthorizationCheckResponse {
@@ -31,28 +27,28 @@ async fn start_mock_iam(
     call_count: Arc<AtomicUsize>,
     fail: Arc<AtomicBool>,
 ) -> (String, tokio::task::JoinHandle<()>) {
-    let app = Router::new().route(
-        "/authorize/check",
-        post(move |Json(body): Json<AuthorizationCheckRequest>| {
-            let call_count = call_count.clone();
-            let fail = fail.clone();
-            async move {
-                call_count.fetch_add(1, Ordering::SeqCst);
-                if fail.load(Ordering::SeqCst) {
-                    return (axum::http::StatusCode::INTERNAL_SERVER_ERROR, "fail").into_response();
-                }
-
-                let allowed = body.permission == "cms:article:read";
-                let resp = ApiSuccessResponse {
-                    code: 0,
-                    message: "ok".to_string(),
-                    data: AuthorizationCheckResponse { allowed },
-                    trace_id: None,
-                };
-                (axum::http::StatusCode::OK, Json(resp)).into_response()
+    let handler = move |Json(_body): Json<Value>| {
+        let call_count = call_count.clone();
+        let fail = fail.clone();
+        async move {
+            call_count.fetch_add(1, Ordering::SeqCst);
+            if fail.load(Ordering::SeqCst) {
+                return (axum::http::StatusCode::INTERNAL_SERVER_ERROR, "fail").into_response();
             }
-        }),
-    );
+
+            let resp = ApiSuccessResponse {
+                code: 0,
+                message: "ok".to_string(),
+                data: AuthorizationCheckResponse { allowed: true },
+                trace_id: None,
+            };
+            (axum::http::StatusCode::OK, Json(resp)).into_response()
+        }
+    };
+
+    let app = Router::new()
+        .route("/authorize/check-expr", post(handler.clone()))
+        .route("/api/v1/authorize/check-expr", post(handler));
 
     let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
     let addr = listener.local_addr().unwrap();
@@ -81,11 +77,11 @@ async fn iam_client_caches_decisions() {
     let user_id = uuid::Uuid::new_v4();
 
     client
-        .require_permission(tenant_id, user_id, "cms:article:read", "token")
+        .require_permission(tenant_id, user_id, "cms:article:edit", "token")
         .await
         .unwrap();
     client
-        .require_permission(tenant_id, user_id, "cms:article:read", "token")
+        .require_permission(tenant_id, user_id, "cms:article:edit", "token")
         .await
         .unwrap();
 
@@ -111,7 +107,7 @@ async fn iam_client_uses_stale_cache_on_error() {
     let user_id = uuid::Uuid::new_v4();
 
     client
-        .require_permission(tenant_id, user_id, "cms:article:read", "token")
+        .require_permission(tenant_id, user_id, "cms:article:edit", "token")
         .await
         .unwrap();
 
@@ -119,7 +115,7 @@ async fn iam_client_uses_stale_cache_on_error() {
     fail.store(true, Ordering::SeqCst);
 
     client
-        .require_permission(tenant_id, user_id, "cms:article:read", "token")
+        .require_permission(tenant_id, user_id, "cms:article:edit", "token")
         .await
         .unwrap();