feat: 实现 RBAC 权限系统和数据权限控制 (004-rbac-data-permission)

主要功能: - 实现完整的 RBAC 权限系统（账号、角色、权限的多对多关联） - 基于 owner_id + shop_id 的自动数据权限过滤 - 使用 PostgreSQL WITH RECURSIVE 查询下级账号 - Redis 缓存优化下级账号查询性能（30分钟过期） - 支持多租户数据隔离和层级权限管理技术实现: - 新增 Account、Role、Permission 模型及关联关系表 - 实现 GORM Scopes 自动应用数据权限过滤 - 添加数据库迁移脚本（000002_rbac_data_permission、000003_add_owner_id_shop_id） - 完善错误码定义（1010-1027 为 RBAC 相关错误） - 重构 main.go 采用函数拆分提高可读性测试覆盖: - 添加 Account、Role、Permission 的集成测试 - 添加数据权限过滤的单元测试和集成测试 - 添加下级账号查询和缓存的单元测试 - 添加 API 回归测试确保向后兼容文档更新: - 更新 README.md 添加 RBAC 功能说明 - 更新 CLAUDE.md 添加技术栈和开发原则 - 添加 docs/004-rbac-data-permission/ 功能总结和使用指南 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-18 16:44:06 +08:00
parent e8eb5766cb
commit eaa70ac255
86 changed files with 15395 additions and 245 deletions
--- a/tests/unit/soft_delete_test.go
+++ b/tests/unit/soft_delete_test.go
@@ -0,0 +1,302 @@
+package unit
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+
+	"github.com/break/junhong_cmp_fiber/internal/model"
+	"github.com/break/junhong_cmp_fiber/internal/store/postgres"
+	"github.com/break/junhong_cmp_fiber/pkg/constants"
+	"github.com/break/junhong_cmp_fiber/tests/testutils"
+)
+
+// TestAccountSoftDelete 测试账号软删除功能
+func TestAccountSoftDelete(t *testing.T) {
+	db, redisClient := testutils.SetupTestDB(t)
+	defer testutils.TeardownTestDB(t, db, redisClient)
+
+	store := postgres.NewAccountStore(db, redisClient)
+	ctx := context.Background()
+
+	// 创建测试账号
+	account := &model.Account{
+		Username: "soft_delete_user",
+		Phone:    "13800000001",
+		Password: "hashed_password",
+		UserType: constants.UserTypePlatform,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err := store.Create(ctx, account)
+	require.NoError(t, err)
+
+	t.Run("软删除账号", func(t *testing.T) {
+		err := store.Delete(ctx, account.ID)
+		require.NoError(t, err)
+
+		// 正常查询应该找不到
+		_, err = store.GetByID(ctx, account.ID)
+		assert.Error(t, err)
+		assert.Equal(t, gorm.ErrRecordNotFound, err)
+	})
+
+	t.Run("使用 Unscoped 可以查到已删除账号", func(t *testing.T) {
+		var found model.Account
+		err := db.Unscoped().First(&found, account.ID).Error
+		require.NoError(t, err)
+		assert.Equal(t, account.Username, found.Username)
+		assert.NotNil(t, found.DeletedAt)
+	})
+
+	t.Run("软删除后可以重用用户名和手机号", func(t *testing.T) {
+		// 创建同名账号（因为原账号已软删除）
+		newAccount := &model.Account{
+			Username: "soft_delete_user", // 重用已删除账号的用户名
+			Phone:    "13800000001",      // 重用已删除账号的手机号
+			Password: "hashed_password",
+			UserType: constants.UserTypePlatform,
+			Status:   constants.StatusEnabled,
+			Creator:  1,
+			Updater:  1,
+		}
+		err := store.Create(ctx, newAccount)
+		require.NoError(t, err)
+		assert.NotEqual(t, account.ID, newAccount.ID)
+	})
+}
+
+// TestRoleSoftDelete 测试角色软删除功能
+func TestRoleSoftDelete(t *testing.T) {
+	db, redisClient := testutils.SetupTestDB(t)
+	defer testutils.TeardownTestDB(t, db, redisClient)
+
+	roleStore := postgres.NewRoleStore(db)
+	ctx := context.Background()
+
+	// 创建测试角色
+	role := &model.Role{
+		RoleName: "test_role",
+		RoleDesc: "测试角色",
+		RoleType: constants.RoleTypeSuper,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err := roleStore.Create(ctx, role)
+	require.NoError(t, err)
+
+	t.Run("软删除角色", func(t *testing.T) {
+		err := roleStore.Delete(ctx, role.ID)
+		require.NoError(t, err)
+
+		// 正常查询应该找不到
+		_, err = roleStore.GetByID(ctx, role.ID)
+		assert.Error(t, err)
+		assert.Equal(t, gorm.ErrRecordNotFound, err)
+	})
+
+	t.Run("使用 Unscoped 可以查到已删除角色", func(t *testing.T) {
+		var found model.Role
+		err := db.Unscoped().First(&found, role.ID).Error
+		require.NoError(t, err)
+		assert.Equal(t, role.RoleName, found.RoleName)
+		assert.NotNil(t, found.DeletedAt)
+	})
+}
+
+// TestPermissionSoftDelete 测试权限软删除功能
+func TestPermissionSoftDelete(t *testing.T) {
+	db, redisClient := testutils.SetupTestDB(t)
+	defer testutils.TeardownTestDB(t, db, redisClient)
+
+	permissionStore := postgres.NewPermissionStore(db)
+	ctx := context.Background()
+
+	// 创建测试权限
+	permission := &model.Permission{
+		PermName: "测试权限",
+		PermCode: "test:permission",
+		PermType: constants.PermissionTypeMenu,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err := permissionStore.Create(ctx, permission)
+	require.NoError(t, err)
+
+	t.Run("软删除权限", func(t *testing.T) {
+		err := permissionStore.Delete(ctx, permission.ID)
+		require.NoError(t, err)
+
+		// 正常查询应该找不到
+		_, err = permissionStore.GetByID(ctx, permission.ID)
+		assert.Error(t, err)
+		assert.Equal(t, gorm.ErrRecordNotFound, err)
+	})
+
+	t.Run("软删除后可以重用权限码", func(t *testing.T) {
+		newPermission := &model.Permission{
+			PermName: "新测试权限",
+			PermCode: "test:permission", // 重用已删除权限的 perm_code
+			PermType: constants.PermissionTypeMenu,
+			Status:   constants.StatusEnabled,
+			Creator:  1,
+			Updater:  1,
+		}
+		err := permissionStore.Create(ctx, newPermission)
+		require.NoError(t, err)
+		assert.NotEqual(t, permission.ID, newPermission.ID)
+	})
+}
+
+// TestAccountRoleSoftDelete 测试账号-角色关联软删除功能
+func TestAccountRoleSoftDelete(t *testing.T) {
+	db, redisClient := testutils.SetupTestDB(t)
+	defer testutils.TeardownTestDB(t, db, redisClient)
+
+	accountStore := postgres.NewAccountStore(db, redisClient)
+	roleStore := postgres.NewRoleStore(db)
+	accountRoleStore := postgres.NewAccountRoleStore(db)
+	ctx := context.Background()
+
+	// 创建测试账号
+	account := &model.Account{
+		Username: "ar_user",
+		Phone:    "13800000001",
+		Password: "hashed_password",
+		UserType: constants.UserTypePlatform,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err := accountStore.Create(ctx, account)
+	require.NoError(t, err)
+
+	// 创建测试角色
+	role := &model.Role{
+		RoleName: "ar_role",
+		RoleDesc: "测试角色",
+		RoleType: constants.RoleTypeSuper,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err = roleStore.Create(ctx, role)
+	require.NoError(t, err)
+
+	// 创建关联
+	accountRole := &model.AccountRole{
+		AccountID: account.ID,
+		RoleID:    role.ID,
+		Status:    constants.StatusEnabled,
+		Creator:   1,
+		Updater:   1,
+	}
+	err = accountRoleStore.Create(ctx, accountRole)
+	require.NoError(t, err)
+
+	t.Run("软删除账号-角色关联", func(t *testing.T) {
+		err := accountRoleStore.Delete(ctx, account.ID, role.ID)
+		require.NoError(t, err)
+
+		// 查询应该找不到
+		roles, err := accountRoleStore.GetByAccountID(ctx, account.ID)
+		require.NoError(t, err)
+		assert.Len(t, roles, 0)
+	})
+
+	t.Run("软删除后可以重新关联", func(t *testing.T) {
+		newAccountRole := &model.AccountRole{
+			AccountID: account.ID,
+			RoleID:    role.ID,
+			Status:    constants.StatusEnabled,
+			Creator:   1,
+			Updater:   1,
+		}
+		err := accountRoleStore.Create(ctx, newAccountRole)
+		require.NoError(t, err)
+
+		// 验证可以查询到
+		roles, err := accountRoleStore.GetByAccountID(ctx, account.ID)
+		require.NoError(t, err)
+		assert.Len(t, roles, 1)
+	})
+}
+
+// TestRolePermissionSoftDelete 测试角色-权限关联软删除功能
+func TestRolePermissionSoftDelete(t *testing.T) {
+	db, redisClient := testutils.SetupTestDB(t)
+	defer testutils.TeardownTestDB(t, db, redisClient)
+
+	roleStore := postgres.NewRoleStore(db)
+	permissionStore := postgres.NewPermissionStore(db)
+	rolePermissionStore := postgres.NewRolePermissionStore(db)
+	ctx := context.Background()
+
+	// 创建测试角色
+	role := &model.Role{
+		RoleName: "rp_role",
+		RoleDesc: "测试角色",
+		RoleType: constants.RoleTypeSuper,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err := roleStore.Create(ctx, role)
+	require.NoError(t, err)
+
+	// 创建测试权限
+	permission := &model.Permission{
+		PermName: "rp_permission",
+		PermCode: "rp:permission",
+		PermType: constants.PermissionTypeMenu,
+		Status:   constants.StatusEnabled,
+		Creator:  1,
+		Updater:  1,
+	}
+	err = permissionStore.Create(ctx, permission)
+	require.NoError(t, err)
+
+	// 创建关联
+	rolePermission := &model.RolePermission{
+		RoleID:  role.ID,
+		PermID:  permission.ID,
+		Status:  constants.StatusEnabled,
+		Creator: 1,
+		Updater: 1,
+	}
+	err = rolePermissionStore.Create(ctx, rolePermission)
+	require.NoError(t, err)
+
+	t.Run("软删除角色-权限关联", func(t *testing.T) {
+		err := rolePermissionStore.Delete(ctx, role.ID, permission.ID)
+		require.NoError(t, err)
+
+		// 查询应该找不到
+		permissions, err := rolePermissionStore.GetByRoleID(ctx, role.ID)
+		require.NoError(t, err)
+		assert.Len(t, permissions, 0)
+	})
+
+	t.Run("软删除后可以重新关联", func(t *testing.T) {
+		newRolePermission := &model.RolePermission{
+			RoleID:  role.ID,
+			PermID:  permission.ID,
+			Status:  constants.StatusEnabled,
+			Creator: 1,
+			Updater: 1,
+		}
+		err := rolePermissionStore.Create(ctx, newRolePermission)
+		require.NoError(t, err)
+
+		// 验证可以查询到
+		permissions, err := rolePermissionStore.GetByRoleID(ctx, role.ID)
+		require.NoError(t, err)
+		assert.Len(t, permissions, 1)
+	})
+}