Files
backend/cmd/test_casbin/main.go
lan d3065b30cc feat(admin): add comprehensive admin management system
- Add admin handlers and services for users, posts, comments, groups, and dashboard
- Implement role permission management with ability to view and update permissions
- Add database seeding for roles and Casbin permission policies
- Upgrade Casbin from v2 to v3 with GORM adapter for persistent policy storage
- Add admin-specific repository methods with filtering and pagination
- Register new admin API routes under /api/v1/admin/*
2026-03-14 18:01:55 +08:00

364 lines
12 KiB
Go

package main
import (
"context"
"flag"
"fmt"
"log"
"os"
"strings"
"carrot_bbs/internal/config"
"carrot_bbs/internal/model"
"carrot_bbs/internal/repository"
"carrot_bbs/internal/service"
"github.com/casbin/casbin/v3"
gormadapter "github.com/casbin/gorm-adapter/v3"
"gorm.io/driver/postgres"
"gorm.io/gorm"
)
func main() {
configPath := flag.String("config", "configs/config.yaml", "配置文件路径")
flag.Parse()
fmt.Println("============================================")
fmt.Println("Casbin RBAC1 权限系统测试")
fmt.Println("============================================")
// 加载配置
cfg, err := config.Load(*configPath)
if err != nil {
log.Fatalf("Failed to load config: %v", err)
}
fmt.Println("✓ 配置加载成功")
// 连接数据库
dsn := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
cfg.Database.Postgres.Host,
cfg.Database.Postgres.Port,
cfg.Database.Postgres.User,
cfg.Database.Postgres.Password,
cfg.Database.Postgres.DBName,
)
db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{})
if err != nil {
log.Fatalf("Failed to connect database: %v", err)
}
fmt.Println("✓ 数据库连接成功")
// 自动迁移
if err := db.AutoMigrate(&model.Role{}, &model.UserRole{}, &model.CasbinRule{}); err != nil {
log.Fatalf("Failed to migrate: %v", err)
}
fmt.Println("✓ 数据库迁移完成")
// 初始化角色数据
if err := initRoles(db); err != nil {
log.Printf("[WARNING] Failed to init roles: %v", err)
}
// 初始化 Casbin 策略数据
if err := initCasbinPolicies(db); err != nil {
log.Printf("[WARNING] Failed to init casbin policies: %v", err)
}
// 创建 GORM 适配器
adapter, err := gormadapter.NewAdapterByDB(db)
if err != nil {
log.Fatalf("Failed to create GORM adapter: %v", err)
}
// 创建 Casbin Enforcer
enforcer, err := casbin.NewEnforcer(cfg.Casbin.ModelPath, adapter)
if err != nil {
log.Fatalf("Failed to create enforcer: %v", err)
}
fmt.Println("✓ Casbin enforcer 创建成功")
// 创建角色仓储
roleRepo := repository.NewRoleRepository(db)
// 创建 Casbin 服务
casbinSvc := service.NewCasbinService(enforcer, nil, roleRepo, &cfg.Casbin)
fmt.Println("✓ Casbin 服务创建成功")
ctx := context.Background()
// 测试权限检查
fmt.Println("\n=== 测试权限检查 ===")
testCases := []struct {
sub string
obj string
act string
expected bool
}{
// banned 用户权限
{"banned", "/api/v1/posts", "GET", true},
{"banned", "/api/v1/posts", "POST", false},
{"banned", "/api/v1/admin/users", "GET", false},
// user 用户权限
{"user", "/api/v1/posts", "GET", true},
{"user", "/api/v1/posts", "POST", true},
{"user", "/api/v1/posts/123", "PUT", true},
{"user", "/api/v1/posts/123", "DELETE", true},
{"user", "/api/v1/comments", "POST", true},
{"user", "/api/v1/users/me", "GET", true},
{"user", "/api/v1/admin/users", "GET", false},
// moderator 权限 (继承 user)
{"moderator", "/api/v1/posts", "POST", true},
{"moderator", "/api/v1/admin/posts/123", "DELETE", true},
{"moderator", "/api/v1/admin/comments/456", "DELETE", true},
{"moderator", "/api/v1/admin/audit", "GET", true},
{"moderator", "/api/v1/admin/users", "GET", false},
// admin 权限 (继承 moderator)
{"admin", "/api/v1/posts", "POST", true},
{"admin", "/api/v1/admin/posts/123", "DELETE", true},
{"admin", "/api/v1/admin/users", "GET", true},
{"admin", "/api/v1/admin/roles", "GET", true},
{"admin", "/api/v1/some/unknown/path", "GET", false},
// super_admin 权限 (完全访问)
{"super_admin", "/api/v1/admin/anything", "DELETE", true},
{"super_admin", "/api/v1/admin/users", "GET", true},
{"super_admin", "/any/path", "ANY", true},
}
passed := 0
failed := 0
for _, tc := range testCases {
allowed, err := casbinSvc.Enforce(ctx, tc.sub, tc.obj, tc.act)
if err != nil {
fmt.Printf("✗ 错误: %s -> %s %s: %v\n", tc.sub, tc.obj, tc.act, err)
failed++
continue
}
status := "✗ DENIED"
if allowed {
status = "✓ ALLOWED"
}
// 检查结果是否符合预期
resultMatch := ""
if allowed != tc.expected {
resultMatch = fmt.Sprintf(" (预期: %v)", tc.expected)
failed++
} else {
passed++
}
fmt.Printf("%s: %s -> %s %s%s\n", status, tc.sub, tc.obj, tc.act, resultMatch)
}
// 测试角色继承
fmt.Println("\n=== 测试角色继承 ===")
// moderator 应该继承 user 的权限
allowed, _ := casbinSvc.Enforce(ctx, "moderator", "/api/v1/posts", "POST")
fmt.Printf("Moderator 继承 user 权限 - 可以发帖: %v\n", allowed)
// admin 应该继承 moderator 的权限
allowed, _ = casbinSvc.Enforce(ctx, "admin", "/api/v1/admin/posts/123", "DELETE")
fmt.Printf("Admin 继承 moderator 权限 - 可以删帖: %v\n", allowed)
// 测试用户角色管理
fmt.Println("\n=== 测试用户角色管理 ===")
testUserID := "test_user_123"
// 获取用户当前角色
roles, err := casbinSvc.GetRolesForUser(ctx, testUserID)
if err != nil {
fmt.Printf("获取用户角色失败: %v\n", err)
} else {
fmt.Printf("用户 %s 当前角色: %v\n", testUserID, roles)
}
// 添加角色
err = casbinSvc.AddRoleForUser(ctx, testUserID, "moderator")
if err != nil {
fmt.Printf("添加角色失败: %v\n", err)
} else {
fmt.Printf("✓ 为用户 %s 添加 moderator 角色\n", testUserID)
}
// 再次获取角色
roles, err = casbinSvc.GetRolesForUser(ctx, testUserID)
if err != nil {
fmt.Printf("获取用户角色失败: %v\n", err)
} else {
fmt.Printf("用户 %s 当前角色: %v\n", testUserID, roles)
}
// 检查用户是否有指定角色
hasRole, err := casbinSvc.HasRoleForUser(ctx, testUserID, "moderator")
if err != nil {
fmt.Printf("检查角色失败: %v\n", err)
} else {
fmt.Printf("用户 %s 是否有 moderator 角色: %v\n", testUserID, hasRole)
}
// 测试用户权限检查
allowed, err = casbinSvc.EnforceForUser(ctx, testUserID, "/api/v1/admin/posts/123", "DELETE")
if err != nil {
fmt.Printf("用户权限检查失败: %v\n", err)
} else {
fmt.Printf("用户 %s 可以删除管理后台帖子: %v\n", testUserID, allowed)
}
// 移除角色
err = casbinSvc.DeleteRoleForUser(ctx, testUserID, "moderator")
if err != nil {
fmt.Printf("移除角色失败: %v\n", err)
} else {
fmt.Printf("✓ 移除用户 %s 的 moderator 角色\n", testUserID)
}
// 清理测试数据
cleanupTestData(db, testUserID)
// 输出测试结果
fmt.Println("\n============================================")
fmt.Printf("测试结果: %d 通过, %d 失败\n", passed, failed)
fmt.Println("============================================")
if failed > 0 {
os.Exit(1)
}
}
// initRoles 初始化角色数据
func initRoles(db *gorm.DB) error {
roles := []model.Role{
{Name: "banned", DisplayName: "被封禁用户", Description: "仅可浏览公开内容,无法交互", Priority: 0},
{Name: "user", DisplayName: "普通用户", Description: "注册用户,拥有基本功能权限", ParentRole: strPtr("banned"), Priority: 10},
{Name: "moderator", DisplayName: "版主", Description: "内容审核员,管理帖子和评论", ParentRole: strPtr("user"), Priority: 20},
{Name: "admin", DisplayName: "管理员", Description: "系统管理员,管理用户和内容", ParentRole: strPtr("moderator"), Priority: 30},
{Name: "super_admin", DisplayName: "超级管理员", Description: "系统最高权限者", ParentRole: strPtr("admin"), Priority: 40},
}
for _, role := range roles {
result := db.FirstOrCreate(&role, model.Role{Name: role.Name})
if result.Error != nil {
return result.Error
}
}
fmt.Println("✓ 角色数据初始化完成")
return nil
}
// initCasbinPolicies 初始化 Casbin 策略数据
func initCasbinPolicies(db *gorm.DB) error {
// 角色继承关系 (g 策略)
gPolicies := []model.CasbinRule{
{Ptype: "g", V0: "user", V1: "banned"},
{Ptype: "g", V0: "moderator", V1: "user"},
{Ptype: "g", V0: "admin", V1: "moderator"},
{Ptype: "g", V0: "super_admin", V1: "admin"},
}
// 权限策略 (p 策略)
pPolicies := []model.CasbinRule{
// banned 用户权限 (仅允许 GET 请求)
{Ptype: "p", V0: "banned", V1: "/api/v1/posts", V2: "GET"},
{Ptype: "p", V0: "banned", V1: "/api/v1/posts/*", V2: "GET"},
{Ptype: "p", V0: "banned", V1: "/api/v1/comments/*", V2: "GET"},
{Ptype: "p", V0: "banned", V1: "/api/v1/users/*", V2: "GET"},
// user 用户权限 (基本操作)
{Ptype: "p", V0: "user", V1: "/api/v1/posts", V2: "POST"},
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*", V2: "PUT"},
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*", V2: "DELETE"},
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/like", V2: "POST"},
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/like", V2: "DELETE"},
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/favorite", V2: "POST"},
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/favorite", V2: "DELETE"},
{Ptype: "p", V0: "user", V1: "/api/v1/comments", V2: "POST"},
{Ptype: "p", V0: "user", V1: "/api/v1/comments/*", V2: "PUT"},
{Ptype: "p", V0: "user", V1: "/api/v1/comments/*", V2: "DELETE"},
{Ptype: "p", V0: "user", V1: "/api/v1/users/me", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/users/me/*", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/conversations", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/conversations/*", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/messages/*", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/notifications", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/notifications/*", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/uploads/*", V2: "POST"},
{Ptype: "p", V0: "user", V1: "/api/v1/groups", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/groups/*", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/stickers", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/schedule", V2: "*"},
{Ptype: "p", V0: "user", V1: "/api/v1/schedule/*", V2: "*"},
// moderator 权限 (内容管理)
{Ptype: "p", V0: "moderator", V1: "/api/v1/admin/posts/*", V2: "*"},
{Ptype: "p", V0: "moderator", V1: "/api/v1/admin/comments/*", V2: "*"},
{Ptype: "p", V0: "moderator", V1: "/api/v1/admin/audit/*", V2: "GET"},
// admin 权限 (用户管理)
{Ptype: "p", V0: "admin", V1: "/api/v1/admin/users/*", V2: "*"},
{Ptype: "p", V0: "admin", V1: "/api/v1/admin/roles", V2: "GET"},
{Ptype: "p", V0: "admin", V1: "/api/v1/admin/roles/*", V2: "GET"},
// super_admin 权限 (完全访问)
{Ptype: "p", V0: "super_admin", V1: "/*", V2: "*"},
}
// 插入 g 策略
for _, policy := range gPolicies {
var existing model.CasbinRule
result := db.Where("ptype = ? AND v0 = ? AND v1 = ?", policy.Ptype, policy.V0, policy.V1).First(&existing)
if result.Error == gorm.ErrRecordNotFound {
if err := db.Create(&policy).Error; err != nil {
return err
}
}
}
// 插入 p 策略
for _, policy := range pPolicies {
var existing model.CasbinRule
result := db.Where("ptype = ? AND v0 = ? AND v1 = ? AND v2 = ?", policy.Ptype, policy.V0, policy.V1, policy.V2).First(&existing)
if result.Error == gorm.ErrRecordNotFound {
if err := db.Create(&policy).Error; err != nil {
return err
}
}
}
fmt.Println("✓ Casbin 策略数据初始化完成")
return nil
}
// cleanupTestData 清理测试数据
func cleanupTestData(db *gorm.DB, userID string) {
db.Where("user_id = ?", userID).Delete(&model.UserRole{})
fmt.Printf("✓ 清理测试用户 %s 的数据\n", userID)
}
// strPtr 返回字符串指针
func strPtr(s string) *string {
return &s
}
// 辅助函数:检查字符串是否包含通配符匹配
func matchPattern(pattern, str string) bool {
if pattern == "/*" {
return true
}
if strings.HasSuffix(pattern, "/*") {
prefix := strings.TrimSuffix(pattern, "/*")
return strings.HasPrefix(str, prefix+"/") || str == prefix
}
return pattern == str
}