feat: 实现 RBAC 权限系统和数据权限控制 (004-rbac-data-permission)

主要功能: - 实现完整的 RBAC 权限系统（账号、角色、权限的多对多关联） - 基于 owner_id + shop_id 的自动数据权限过滤 - 使用 PostgreSQL WITH RECURSIVE 查询下级账号 - Redis 缓存优化下级账号查询性能（30分钟过期） - 支持多租户数据隔离和层级权限管理技术实现: - 新增 Account、Role、Permission 模型及关联关系表 - 实现 GORM Scopes 自动应用数据权限过滤 - 添加数据库迁移脚本（000002_rbac_data_permission、000003_add_owner_id_shop_id） - 完善错误码定义（1010-1027 为 RBAC 相关错误） - 重构 main.go 采用函数拆分提高可读性测试覆盖: - 添加 Account、Role、Permission 的集成测试 - 添加数据权限过滤的单元测试和集成测试 - 添加下级账号查询和缓存的单元测试 - 添加 API 回归测试确保向后兼容文档更新: - 更新 README.md 添加 RBAC 功能说明 - 更新 CLAUDE.md 添加技术栈和开发原则 - 添加 docs/004-rbac-data-permission/ 功能总结和使用指南 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-18 16:44:06 +08:00
parent e8eb5766cb
commit eaa70ac255
86 changed files with 15395 additions and 245 deletions
--- a/tests/integration/api_regression_test.go
+++ b/tests/integration/api_regression_test.go
@@ -0,0 +1,405 @@
+package integration
+
+import (
+	"context"
+	"fmt"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/redis/go-redis/v9"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/testcontainers/testcontainers-go"
+	testcontainers_postgres "github.com/testcontainers/testcontainers-go/modules/postgres"
+	testcontainers_redis "github.com/testcontainers/testcontainers-go/modules/redis"
+	"github.com/testcontainers/testcontainers-go/wait"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+
+	"github.com/break/junhong_cmp_fiber/internal/handler"
+	"github.com/break/junhong_cmp_fiber/internal/model"
+	"github.com/break/junhong_cmp_fiber/internal/routes"
+	accountService "github.com/break/junhong_cmp_fiber/internal/service/account"
+	permissionService "github.com/break/junhong_cmp_fiber/internal/service/permission"
+	roleService "github.com/break/junhong_cmp_fiber/internal/service/role"
+	postgresStore "github.com/break/junhong_cmp_fiber/internal/store/postgres"
+	"github.com/break/junhong_cmp_fiber/pkg/constants"
+	"github.com/break/junhong_cmp_fiber/pkg/middleware"
+)
+
+// regressionTestEnv 回归测试环境
+type regressionTestEnv struct {
+	db              *gorm.DB
+	redisClient     *redis.Client
+	app             *fiber.App
+	postgresCleanup func()
+	redisCleanup    func()
+}
+
+// setupRegressionTestEnv 设置回归测试环境
+func setupRegressionTestEnv(t *testing.T) *regressionTestEnv {
+	t.Helper()
+
+	ctx := context.Background()
+
+	// 启动 PostgreSQL 容器
+	pgContainer, err := testcontainers_postgres.RunContainer(ctx,
+		testcontainers.WithImage("postgres:14-alpine"),
+		testcontainers_postgres.WithDatabase("testdb"),
+		testcontainers_postgres.WithUsername("postgres"),
+		testcontainers_postgres.WithPassword("password"),
+		testcontainers.WithWaitStrategy(
+			wait.ForLog("database system is ready to accept connections").
+				WithOccurrence(2).
+				WithStartupTimeout(30*time.Second),
+		),
+	)
+	require.NoError(t, err, "启动 PostgreSQL 容器失败")
+
+	pgConnStr, err := pgContainer.ConnectionString(ctx, "sslmode=disable")
+	require.NoError(t, err)
+
+	// 启动 Redis 容器
+	redisContainer, err := testcontainers_redis.RunContainer(ctx,
+		testcontainers.WithImage("redis:6-alpine"),
+	)
+	require.NoError(t, err, "启动 Redis 容器失败")
+
+	redisHost, err := redisContainer.Host(ctx)
+	require.NoError(t, err)
+	redisPort, err := redisContainer.MappedPort(ctx, "6379")
+	require.NoError(t, err)
+
+	// 连接数据库
+	db, err := gorm.Open(postgres.Open(pgConnStr), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	require.NoError(t, err)
+
+	// 自动迁移
+	err = db.AutoMigrate(
+		&model.Account{},
+		&model.Role{},
+		&model.Permission{},
+		&model.AccountRole{},
+		&model.RolePermission{},
+	)
+	require.NoError(t, err)
+
+	// 连接 Redis
+	redisClient := redis.NewClient(&redis.Options{
+		Addr: fmt.Sprintf("%s:%s", redisHost, redisPort.Port()),
+	})
+
+	// 初始化所有 Store
+	accountStore := postgresStore.NewAccountStore(db, redisClient)
+	roleStore := postgresStore.NewRoleStore(db)
+	permStore := postgresStore.NewPermissionStore(db)
+	accountRoleStore := postgresStore.NewAccountRoleStore(db)
+	rolePermStore := postgresStore.NewRolePermissionStore(db)
+
+	// 初始化所有 Service
+	accService := accountService.New(accountStore, roleStore, accountRoleStore)
+	roleSvc := roleService.New(roleStore, permStore, rolePermStore)
+	permSvc := permissionService.New(permStore)
+
+	// 初始化所有 Handler
+	accountHandler := handler.NewAccountHandler(accService)
+	roleHandler := handler.NewRoleHandler(roleSvc)
+	permHandler := handler.NewPermissionHandler(permSvc)
+
+	// 创建 Fiber App
+	app := fiber.New(fiber.Config{
+		ErrorHandler: func(c *fiber.Ctx, err error) error {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+		},
+	})
+
+	// 添加测试中间件设置用户上下文
+	app.Use(func(c *fiber.Ctx) error {
+		ctx := middleware.SetUserContext(c.UserContext(), 1, constants.UserTypeRoot, 0)
+		c.SetUserContext(ctx)
+		return c.Next()
+	})
+
+	// 注册所有路由
+	services := &routes.Services{
+		AccountHandler:    accountHandler,
+		RoleHandler:       roleHandler,
+		PermissionHandler: permHandler,
+	}
+	routes.RegisterRoutes(app, services)
+
+	return &regressionTestEnv{
+		db:          db,
+		redisClient: redisClient,
+		app:         app,
+		postgresCleanup: func() {
+			if err := pgContainer.Terminate(ctx); err != nil {
+				t.Logf("终止 PostgreSQL 容器失败: %v", err)
+			}
+		},
+		redisCleanup: func() {
+			if err := redisContainer.Terminate(ctx); err != nil {
+				t.Logf("终止 Redis 容器失败: %v", err)
+			}
+		},
+	}
+}
+
+// TestAPIRegression_AllEndpointsAccessible 测试所有 API 端点在重构后仍可访问
+func TestAPIRegression_AllEndpointsAccessible(t *testing.T) {
+	env := setupRegressionTestEnv(t)
+	defer env.postgresCleanup()
+	defer env.redisCleanup()
+
+	// 定义所有需要测试的端点
+	endpoints := []struct {
+		method string
+		path   string
+		name   string
+	}{
+		// Health endpoints
+		{"GET", "/health", "Health check"},
+		{"GET", "/health/ready", "Readiness check"},
+
+		// Account endpoints
+		{"GET", "/api/v1/accounts", "List accounts"},
+		{"GET", "/api/v1/accounts/1", "Get account"},
+
+		// Role endpoints
+		{"GET", "/api/v1/roles", "List roles"},
+		{"GET", "/api/v1/roles/1", "Get role"},
+
+		// Permission endpoints
+		{"GET", "/api/v1/permissions", "List permissions"},
+		{"GET", "/api/v1/permissions/1", "Get permission"},
+		{"GET", "/api/v1/permissions/tree", "Get permission tree"},
+	}
+
+	for _, ep := range endpoints {
+		t.Run(ep.name, func(t *testing.T) {
+			req := httptest.NewRequest(ep.method, ep.path, nil)
+			resp, err := env.app.Test(req)
+			require.NoError(t, err)
+
+			// 验证端点可访问（状态码不是 404 或 500）
+			assert.NotEqual(t, fiber.StatusNotFound, resp.StatusCode,
+				"端点 %s %s 应该存在", ep.method, ep.path)
+			assert.NotEqual(t, fiber.StatusInternalServerError, resp.StatusCode,
+				"端点 %s %s 不应该返回 500 错误", ep.method, ep.path)
+		})
+	}
+}
+
+// TestAPIRegression_RouteModularization 测试路由模块化后功能正常
+func TestAPIRegression_RouteModularization(t *testing.T) {
+	env := setupRegressionTestEnv(t)
+	defer env.postgresCleanup()
+	defer env.redisCleanup()
+
+	t.Run("账号模块路由正常", func(t *testing.T) {
+		// 创建测试数据
+		account := &model.Account{
+			Username: "regression_test",
+			Phone:    "13800000300",
+			Password: "hashedpassword",
+			UserType: constants.UserTypePlatform,
+			Status:   constants.StatusEnabled,
+			Creator:  1,
+			Updater:  1,
+		}
+		env.db.Create(account)
+
+		// 测试获取账号
+		req := httptest.NewRequest("GET", fmt.Sprintf("/api/v1/accounts/%d", account.ID), nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+		// 测试获取角色列表
+		req = httptest.NewRequest("GET", fmt.Sprintf("/api/v1/accounts/%d/roles", account.ID), nil)
+		resp, err = env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+
+	t.Run("角色模块路由正常", func(t *testing.T) {
+		// 创建测试数据
+		role := &model.Role{
+			RoleName: "回归测试角色",
+			RoleType: constants.RoleTypeSuper,
+			Status:   constants.StatusEnabled,
+			Creator:  1,
+			Updater:  1,
+		}
+		env.db.Create(role)
+
+		// 测试获取角色
+		req := httptest.NewRequest("GET", fmt.Sprintf("/api/v1/roles/%d", role.ID), nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+		// 测试获取权限列表
+		req = httptest.NewRequest("GET", fmt.Sprintf("/api/v1/roles/%d/permissions", role.ID), nil)
+		resp, err = env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+
+	t.Run("权限模块路由正常", func(t *testing.T) {
+		// 创建测试数据
+		perm := &model.Permission{
+			PermName: "回归测试权限",
+			PermCode: "regression:test:perm",
+			PermType: constants.PermissionTypeMenu,
+			Status:   constants.StatusEnabled,
+			Creator:  1,
+			Updater:  1,
+		}
+		env.db.Create(perm)
+
+		// 测试获取权限
+		req := httptest.NewRequest("GET", fmt.Sprintf("/api/v1/permissions/%d", perm.ID), nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+		// 测试获取权限树
+		req = httptest.NewRequest("GET", "/api/v1/permissions/tree", nil)
+		resp, err = env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+}
+
+// TestAPIRegression_ErrorHandling 测试错误处理在重构后仍正常
+func TestAPIRegression_ErrorHandling(t *testing.T) {
+	env := setupRegressionTestEnv(t)
+	defer env.postgresCleanup()
+	defer env.redisCleanup()
+
+	t.Run("资源不存在返回正确错误码", func(t *testing.T) {
+		// 账号不存在
+		req := httptest.NewRequest("GET", "/api/v1/accounts/99999", nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		// 应该返回业务错误，不是 404
+		assert.NotEqual(t, fiber.StatusNotFound, resp.StatusCode)
+
+		// 角色不存在
+		req = httptest.NewRequest("GET", "/api/v1/roles/99999", nil)
+		resp, err = env.app.Test(req)
+		require.NoError(t, err)
+		assert.NotEqual(t, fiber.StatusNotFound, resp.StatusCode)
+
+		// 权限不存在
+		req = httptest.NewRequest("GET", "/api/v1/permissions/99999", nil)
+		resp, err = env.app.Test(req)
+		require.NoError(t, err)
+		assert.NotEqual(t, fiber.StatusNotFound, resp.StatusCode)
+	})
+
+	t.Run("无效参数返回正确错误码", func(t *testing.T) {
+		// 无效账号 ID
+		req := httptest.NewRequest("GET", "/api/v1/accounts/invalid", nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.NotEqual(t, fiber.StatusInternalServerError, resp.StatusCode)
+	})
+}
+
+// TestAPIRegression_Pagination 测试分页功能在重构后仍正常
+func TestAPIRegression_Pagination(t *testing.T) {
+	env := setupRegressionTestEnv(t)
+	defer env.postgresCleanup()
+	defer env.redisCleanup()
+
+	// 创建测试数据
+	for i := 1; i <= 25; i++ {
+		account := &model.Account{
+			Username: fmt.Sprintf("pagination_test_%d", i),
+			Phone:    fmt.Sprintf("138000004%02d", i),
+			Password: "hashedpassword",
+			UserType: constants.UserTypePlatform,
+			Status:   constants.StatusEnabled,
+			Creator:  1,
+			Updater:  1,
+		}
+		env.db.Create(account)
+	}
+
+	t.Run("分页参数正常工作", func(t *testing.T) {
+		// 第一页
+		req := httptest.NewRequest("GET", "/api/v1/accounts?page=1&page_size=10", nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+		// 第二页
+		req = httptest.NewRequest("GET", "/api/v1/accounts?page=2&page_size=10", nil)
+		resp, err = env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+
+	t.Run("默认分页参数工作", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/api/v1/accounts", nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+}
+
+// TestAPIRegression_ResponseFormat 测试响应格式在重构后保持一致
+func TestAPIRegression_ResponseFormat(t *testing.T) {
+	env := setupRegressionTestEnv(t)
+	defer env.postgresCleanup()
+	defer env.redisCleanup()
+
+	t.Run("成功响应包含正确字段", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/api/v1/accounts", nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+		// 响应应该是 JSON
+		assert.Contains(t, resp.Header.Get("Content-Type"), "application/json")
+	})
+
+	t.Run("健康检查端点响应正常", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/health", nil)
+		resp, err := env.app.Test(req)
+		require.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+}
+
+// TestAPIRegression_ServicesIntegration 测试服务集成在重构后仍正常
+func TestAPIRegression_ServicesIntegration(t *testing.T) {
+	env := setupRegressionTestEnv(t)
+	defer env.postgresCleanup()
+	defer env.redisCleanup()
+
+	t.Run("Services 容器正确初始化", func(t *testing.T) {
+		// 验证所有模块路由都已注册
+		endpoints := []string{
+			"/health",
+			"/api/v1/accounts",
+			"/api/v1/roles",
+			"/api/v1/permissions",
+		}
+
+		for _, ep := range endpoints {
+			req := httptest.NewRequest("GET", ep, nil)
+			resp, err := env.app.Test(req)
+			require.NoError(t, err)
+			assert.NotEqual(t, fiber.StatusNotFound, resp.StatusCode,
+				"端点 %s 应该已注册", ep)
+		}
+	})
+}