package main import ( "context" "flag" "fmt" "log" "os" "strings" "carrot_bbs/internal/config" "carrot_bbs/internal/model" "carrot_bbs/internal/repository" "carrot_bbs/internal/service" "github.com/casbin/casbin/v3" gormadapter "github.com/casbin/gorm-adapter/v3" "gorm.io/driver/postgres" "gorm.io/gorm" ) func main() { configPath := flag.String("config", "configs/config.yaml", "配置文件路径") flag.Parse() fmt.Println("============================================") fmt.Println("Casbin RBAC1 权限系统测试") fmt.Println("============================================") // 加载配置 cfg, err := config.Load(*configPath) if err != nil { log.Fatalf("Failed to load config: %v", err) } fmt.Println("✓ 配置加载成功") // 连接数据库 dsn := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable", cfg.Database.Postgres.Host, cfg.Database.Postgres.Port, cfg.Database.Postgres.User, cfg.Database.Postgres.Password, cfg.Database.Postgres.DBName, ) db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{}) if err != nil { log.Fatalf("Failed to connect database: %v", err) } fmt.Println("✓ 数据库连接成功") // 自动迁移 if err := db.AutoMigrate(&model.Role{}, &model.UserRole{}, &model.CasbinRule{}); err != nil { log.Fatalf("Failed to migrate: %v", err) } fmt.Println("✓ 数据库迁移完成") // 初始化角色数据 if err := initRoles(db); err != nil { log.Printf("[WARNING] Failed to init roles: %v", err) } // 初始化 Casbin 策略数据 if err := initCasbinPolicies(db); err != nil { log.Printf("[WARNING] Failed to init casbin policies: %v", err) } // 创建 GORM 适配器 adapter, err := gormadapter.NewAdapterByDB(db) if err != nil { log.Fatalf("Failed to create GORM adapter: %v", err) } // 创建 Casbin Enforcer enforcer, err := casbin.NewEnforcer(cfg.Casbin.ModelPath, adapter) if err != nil { log.Fatalf("Failed to create enforcer: %v", err) } fmt.Println("✓ Casbin enforcer 创建成功") // 创建角色仓储 roleRepo := repository.NewRoleRepository(db) // 创建 Casbin 服务 casbinSvc := service.NewCasbinService(enforcer, nil, roleRepo, &cfg.Casbin) fmt.Println("✓ Casbin 服务创建成功") ctx := context.Background() // 测试权限检查 fmt.Println("\n=== 测试权限检查 ===") testCases := []struct { sub string obj string act string expected bool }{ // banned 用户权限 {"banned", "/api/v1/posts", "GET", true}, {"banned", "/api/v1/posts", "POST", false}, {"banned", "/api/v1/admin/users", "GET", false}, // user 用户权限 {"user", "/api/v1/posts", "GET", true}, {"user", "/api/v1/posts", "POST", true}, {"user", "/api/v1/posts/123", "PUT", true}, {"user", "/api/v1/posts/123", "DELETE", true}, {"user", "/api/v1/comments", "POST", true}, {"user", "/api/v1/users/me", "GET", true}, {"user", "/api/v1/admin/users", "GET", false}, // moderator 权限 (继承 user) {"moderator", "/api/v1/posts", "POST", true}, {"moderator", "/api/v1/admin/posts/123", "DELETE", true}, {"moderator", "/api/v1/admin/comments/456", "DELETE", true}, {"moderator", "/api/v1/admin/audit", "GET", true}, {"moderator", "/api/v1/admin/users", "GET", false}, // admin 权限 (继承 moderator) {"admin", "/api/v1/posts", "POST", true}, {"admin", "/api/v1/admin/posts/123", "DELETE", true}, {"admin", "/api/v1/admin/users", "GET", true}, {"admin", "/api/v1/admin/roles", "GET", true}, {"admin", "/api/v1/some/unknown/path", "GET", false}, // super_admin 权限 (完全访问) {"super_admin", "/api/v1/admin/anything", "DELETE", true}, {"super_admin", "/api/v1/admin/users", "GET", true}, {"super_admin", "/any/path", "ANY", true}, } passed := 0 failed := 0 for _, tc := range testCases { allowed, err := casbinSvc.Enforce(ctx, tc.sub, tc.obj, tc.act) if err != nil { fmt.Printf("✗ 错误: %s -> %s %s: %v\n", tc.sub, tc.obj, tc.act, err) failed++ continue } status := "✗ DENIED" if allowed { status = "✓ ALLOWED" } // 检查结果是否符合预期 resultMatch := "" if allowed != tc.expected { resultMatch = fmt.Sprintf(" (预期: %v)", tc.expected) failed++ } else { passed++ } fmt.Printf("%s: %s -> %s %s%s\n", status, tc.sub, tc.obj, tc.act, resultMatch) } // 测试角色继承 fmt.Println("\n=== 测试角色继承 ===") // moderator 应该继承 user 的权限 allowed, _ := casbinSvc.Enforce(ctx, "moderator", "/api/v1/posts", "POST") fmt.Printf("Moderator 继承 user 权限 - 可以发帖: %v\n", allowed) // admin 应该继承 moderator 的权限 allowed, _ = casbinSvc.Enforce(ctx, "admin", "/api/v1/admin/posts/123", "DELETE") fmt.Printf("Admin 继承 moderator 权限 - 可以删帖: %v\n", allowed) // 测试用户角色管理 fmt.Println("\n=== 测试用户角色管理 ===") testUserID := "test_user_123" // 获取用户当前角色 roles, err := casbinSvc.GetRolesForUser(ctx, testUserID) if err != nil { fmt.Printf("获取用户角色失败: %v\n", err) } else { fmt.Printf("用户 %s 当前角色: %v\n", testUserID, roles) } // 添加角色 err = casbinSvc.AddRoleForUser(ctx, testUserID, "moderator") if err != nil { fmt.Printf("添加角色失败: %v\n", err) } else { fmt.Printf("✓ 为用户 %s 添加 moderator 角色\n", testUserID) } // 再次获取角色 roles, err = casbinSvc.GetRolesForUser(ctx, testUserID) if err != nil { fmt.Printf("获取用户角色失败: %v\n", err) } else { fmt.Printf("用户 %s 当前角色: %v\n", testUserID, roles) } // 检查用户是否有指定角色 hasRole, err := casbinSvc.HasRoleForUser(ctx, testUserID, "moderator") if err != nil { fmt.Printf("检查角色失败: %v\n", err) } else { fmt.Printf("用户 %s 是否有 moderator 角色: %v\n", testUserID, hasRole) } // 测试用户权限检查 allowed, err = casbinSvc.EnforceForUser(ctx, testUserID, "/api/v1/admin/posts/123", "DELETE") if err != nil { fmt.Printf("用户权限检查失败: %v\n", err) } else { fmt.Printf("用户 %s 可以删除管理后台帖子: %v\n", testUserID, allowed) } // 移除角色 err = casbinSvc.DeleteRoleForUser(ctx, testUserID, "moderator") if err != nil { fmt.Printf("移除角色失败: %v\n", err) } else { fmt.Printf("✓ 移除用户 %s 的 moderator 角色\n", testUserID) } // 清理测试数据 cleanupTestData(db, testUserID) // 输出测试结果 fmt.Println("\n============================================") fmt.Printf("测试结果: %d 通过, %d 失败\n", passed, failed) fmt.Println("============================================") if failed > 0 { os.Exit(1) } } // initRoles 初始化角色数据 func initRoles(db *gorm.DB) error { roles := []model.Role{ {Name: "banned", DisplayName: "被封禁用户", Description: "仅可浏览公开内容,无法交互", Priority: 0}, {Name: "user", DisplayName: "普通用户", Description: "注册用户,拥有基本功能权限", ParentRole: strPtr("banned"), Priority: 10}, {Name: "moderator", DisplayName: "版主", Description: "内容审核员,管理帖子和评论", ParentRole: strPtr("user"), Priority: 20}, {Name: "admin", DisplayName: "管理员", Description: "系统管理员,管理用户和内容", ParentRole: strPtr("moderator"), Priority: 30}, {Name: "super_admin", DisplayName: "超级管理员", Description: "系统最高权限者", ParentRole: strPtr("admin"), Priority: 40}, } for _, role := range roles { result := db.FirstOrCreate(&role, model.Role{Name: role.Name}) if result.Error != nil { return result.Error } } fmt.Println("✓ 角色数据初始化完成") return nil } // initCasbinPolicies 初始化 Casbin 策略数据 func initCasbinPolicies(db *gorm.DB) error { // 角色继承关系 (g 策略) gPolicies := []model.CasbinRule{ {Ptype: "g", V0: "user", V1: "banned"}, {Ptype: "g", V0: "moderator", V1: "user"}, {Ptype: "g", V0: "admin", V1: "moderator"}, {Ptype: "g", V0: "super_admin", V1: "admin"}, } // 权限策略 (p 策略) pPolicies := []model.CasbinRule{ // banned 用户权限 (仅允许 GET 请求) {Ptype: "p", V0: "banned", V1: "/api/v1/posts", V2: "GET"}, {Ptype: "p", V0: "banned", V1: "/api/v1/posts/*", V2: "GET"}, {Ptype: "p", V0: "banned", V1: "/api/v1/comments/*", V2: "GET"}, {Ptype: "p", V0: "banned", V1: "/api/v1/users/*", V2: "GET"}, // user 用户权限 (基本操作) {Ptype: "p", V0: "user", V1: "/api/v1/posts", V2: "POST"}, {Ptype: "p", V0: "user", V1: "/api/v1/posts/*", V2: "PUT"}, {Ptype: "p", V0: "user", V1: "/api/v1/posts/*", V2: "DELETE"}, {Ptype: "p", V0: "user", V1: "/api/v1/posts/*/like", V2: "POST"}, {Ptype: "p", V0: "user", V1: "/api/v1/posts/*/like", V2: "DELETE"}, {Ptype: "p", V0: "user", V1: "/api/v1/posts/*/favorite", V2: "POST"}, {Ptype: "p", V0: "user", V1: "/api/v1/posts/*/favorite", V2: "DELETE"}, {Ptype: "p", V0: "user", V1: "/api/v1/comments", V2: "POST"}, {Ptype: "p", V0: "user", V1: "/api/v1/comments/*", V2: "PUT"}, {Ptype: "p", V0: "user", V1: "/api/v1/comments/*", V2: "DELETE"}, {Ptype: "p", V0: "user", V1: "/api/v1/users/me", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/users/me/*", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/conversations", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/conversations/*", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/messages/*", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/notifications", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/notifications/*", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/uploads/*", V2: "POST"}, {Ptype: "p", V0: "user", V1: "/api/v1/groups", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/groups/*", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/stickers", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/schedule", V2: "*"}, {Ptype: "p", V0: "user", V1: "/api/v1/schedule/*", V2: "*"}, // moderator 权限 (内容管理) {Ptype: "p", V0: "moderator", V1: "/api/v1/admin/posts/*", V2: "*"}, {Ptype: "p", V0: "moderator", V1: "/api/v1/admin/comments/*", V2: "*"}, {Ptype: "p", V0: "moderator", V1: "/api/v1/admin/audit/*", V2: "GET"}, // admin 权限 (用户管理) {Ptype: "p", V0: "admin", V1: "/api/v1/admin/users/*", V2: "*"}, {Ptype: "p", V0: "admin", V1: "/api/v1/admin/roles", V2: "GET"}, {Ptype: "p", V0: "admin", V1: "/api/v1/admin/roles/*", V2: "GET"}, // super_admin 权限 (完全访问) {Ptype: "p", V0: "super_admin", V1: "/*", V2: "*"}, } // 插入 g 策略 for _, policy := range gPolicies { var existing model.CasbinRule result := db.Where("ptype = ? AND v0 = ? AND v1 = ?", policy.Ptype, policy.V0, policy.V1).First(&existing) if result.Error == gorm.ErrRecordNotFound { if err := db.Create(&policy).Error; err != nil { return err } } } // 插入 p 策略 for _, policy := range pPolicies { var existing model.CasbinRule result := db.Where("ptype = ? AND v0 = ? AND v1 = ? AND v2 = ?", policy.Ptype, policy.V0, policy.V1, policy.V2).First(&existing) if result.Error == gorm.ErrRecordNotFound { if err := db.Create(&policy).Error; err != nil { return err } } } fmt.Println("✓ Casbin 策略数据初始化完成") return nil } // cleanupTestData 清理测试数据 func cleanupTestData(db *gorm.DB, userID string) { db.Where("user_id = ?", userID).Delete(&model.UserRole{}) fmt.Printf("✓ 清理测试用户 %s 的数据\n", userID) } // strPtr 返回字符串指针 func strPtr(s string) *string { return &s } // 辅助函数:检查字符串是否包含通配符匹配 func matchPattern(pattern, str string) bool { if pattern == "/*" { return true } if strings.HasSuffix(pattern, "/*") { prefix := strings.TrimSuffix(pattern, "/*") return strings.HasPrefix(str, prefix+"/") || str == prefix } return pattern == str }