feat: 实现权限检查功能并添加Redis缓存优化

- 完成 CheckPermission 方法的完整实现（账号→角色→权限查询链） - 实现 Redis 缓存机制，大幅提升权限查询性能（~12倍提升） - 自动缓存失效：角色/权限变更时清除相关用户缓存 - 新增完整的单元测试和集成测试（10个测试用例全部通过） - 添加权限检查使用文档和缓存机制说明 - 归档 implement-permission-check OpenSpec 提案性能优化： - 首次查询: ~18ms（3次DB查询 + 1次Redis写入） - 缓存命中: ~1.5ms（1次Redis查询） - TTL: 30分钟，自动失效机制保证数据一致性
2026-01-16 18:15:32 +08:00
parent 18f35f3ef4
commit 028cfaa7aa
23 changed files with 1664 additions and 71 deletions
--- a/internal/store/postgres/account_role_store.go
+++ b/internal/store/postgres/account_role_store.go
@@ -5,6 +5,8 @@ package postgres
 import (
 	"context"

+	"github.com/break/junhong_cmp_fiber/pkg/constants"
+	"github.com/redis/go-redis/v9"
 	"gorm.io/gorm"

 	"github.com/break/junhong_cmp_fiber/internal/model"
@@ -12,36 +14,65 @@ import (

 // AccountRoleStore 账号-角色关联数据访问层
 type AccountRoleStore struct {
-	db *gorm.DB
+	db          *gorm.DB
+	redisClient *redis.Client
 }

 // NewAccountRoleStore 创建账号-角色关联 Store
-func NewAccountRoleStore(db *gorm.DB) *AccountRoleStore {
-	return &AccountRoleStore{db: db}
+func NewAccountRoleStore(db *gorm.DB, redisClient *redis.Client) *AccountRoleStore {
+	return &AccountRoleStore{
+		db:          db,
+		redisClient: redisClient,
+	}
 }

 // Create 创建账号-角色关联
 func (s *AccountRoleStore) Create(ctx context.Context, ar *model.AccountRole) error {
-	return s.db.WithContext(ctx).Create(ar).Error
+	if err := s.db.WithContext(ctx).Create(ar).Error; err != nil {
+		return err
+	}
+	s.clearUserPermissionCache(ctx, ar.AccountID)
+	return nil
 }

 // BatchCreate 批量创建账号-角色关联
 func (s *AccountRoleStore) BatchCreate(ctx context.Context, ars []*model.AccountRole) error {
-	return s.db.WithContext(ctx).Create(&ars).Error
+	if err := s.db.WithContext(ctx).Create(&ars).Error; err != nil {
+		return err
+	}
+	for _, ar := range ars {
+		s.clearUserPermissionCache(ctx, ar.AccountID)
+	}
+	return nil
 }

 // Delete 软删除账号-角色关联
 func (s *AccountRoleStore) Delete(ctx context.Context, accountID, roleID uint) error {
-	return s.db.WithContext(ctx).
+	if err := s.db.WithContext(ctx).
 		Where("account_id = ? AND role_id = ?", accountID, roleID).
-		Delete(&model.AccountRole{}).Error
+		Delete(&model.AccountRole{}).Error; err != nil {
+		return err
+	}
+	s.clearUserPermissionCache(ctx, accountID)
+	return nil
 }

 // DeleteByAccountID 删除账号的所有角色关联
 func (s *AccountRoleStore) DeleteByAccountID(ctx context.Context, accountID uint) error {
-	return s.db.WithContext(ctx).
+	if err := s.db.WithContext(ctx).
 		Where("account_id = ?", accountID).
-		Delete(&model.AccountRole{}).Error
+		Delete(&model.AccountRole{}).Error; err != nil {
+		return err
+	}
+	s.clearUserPermissionCache(ctx, accountID)
+	return nil
+}
+
+func (s *AccountRoleStore) clearUserPermissionCache(ctx context.Context, userID uint) {
+	if s.redisClient != nil {
+		key := constants.RedisUserPermissionsKey(userID)
+		s.redisClient.Del(ctx, key)
+	}
 }

 // GetByAccountID 获取账号的所有角色关联
--- a/internal/store/postgres/role_permission_store.go
+++ b/internal/store/postgres/role_permission_store.go
@@ -3,43 +3,89 @@ package postgres
 import (
 	"context"

-	"gorm.io/gorm"
-
 	"github.com/break/junhong_cmp_fiber/internal/model"
+	"github.com/break/junhong_cmp_fiber/pkg/constants"
+	"github.com/redis/go-redis/v9"
+	"gorm.io/gorm"
 )

 // RolePermissionStore 角色-权限关联数据访问层
 type RolePermissionStore struct {
-	db *gorm.DB
+	db          *gorm.DB
+	redisClient *redis.Client
 }

 // NewRolePermissionStore 创建角色-权限关联 Store
-func NewRolePermissionStore(db *gorm.DB) *RolePermissionStore {
-	return &RolePermissionStore{db: db}
+func NewRolePermissionStore(db *gorm.DB, redisClient *redis.Client) *RolePermissionStore {
+	return &RolePermissionStore{
+		db:          db,
+		redisClient: redisClient,
+	}
 }

 // Create 创建角色-权限关联
 func (s *RolePermissionStore) Create(ctx context.Context, rp *model.RolePermission) error {
-	return s.db.WithContext(ctx).Create(rp).Error
+	if err := s.db.WithContext(ctx).Create(rp).Error; err != nil {
+		return err
+	}
+	s.clearRoleUsersCaches(ctx, rp.RoleID)
+	return nil
 }

 // BatchCreate 批量创建角色-权限关联
 func (s *RolePermissionStore) BatchCreate(ctx context.Context, rps []*model.RolePermission) error {
-	return s.db.WithContext(ctx).Create(&rps).Error
+	if err := s.db.WithContext(ctx).Create(&rps).Error; err != nil {
+		return err
+	}
+	roleIDs := make(map[uint]bool)
+	for _, rp := range rps {
+		roleIDs[rp.RoleID] = true
+	}
+	for roleID := range roleIDs {
+		s.clearRoleUsersCaches(ctx, roleID)
+	}
+	return nil
 }

 // Delete 软删除角色-权限关联
 func (s *RolePermissionStore) Delete(ctx context.Context, roleID, permID uint) error {
-	return s.db.WithContext(ctx).
+	if err := s.db.WithContext(ctx).
 		Where("role_id = ? AND perm_id = ?", roleID, permID).
-		Delete(&model.RolePermission{}).Error
+		Delete(&model.RolePermission{}).Error; err != nil {
+		return err
+	}
+	s.clearRoleUsersCaches(ctx, roleID)
+	return nil
 }

 // DeleteByRoleID 删除角色的所有权限关联
 func (s *RolePermissionStore) DeleteByRoleID(ctx context.Context, roleID uint) error {
-	return s.db.WithContext(ctx).
+	if err := s.db.WithContext(ctx).
 		Where("role_id = ?", roleID).
-		Delete(&model.RolePermission{}).Error
+		Delete(&model.RolePermission{}).Error; err != nil {
+		return err
+	}
+	s.clearRoleUsersCaches(ctx, roleID)
+	return nil
+}
+
+func (s *RolePermissionStore) clearRoleUsersCaches(ctx context.Context, roleID uint) {
+	if s.redisClient == nil {
+		return
+	}
+
+	var accountIDs []uint
+	if err := s.db.WithContext(ctx).
+		Model(&model.AccountRole{}).
+		Where("role_id = ?", roleID).
+		Pluck("account_id", &accountIDs).Error; err != nil {
+		return
+	}
+
+	for _, accountID := range accountIDs {
+		key := constants.RedisUserPermissionsKey(accountID)
+		s.redisClient.Del(ctx, key)
+	}
 }

 // GetByRoleID 获取角色的所有权限关联