- Add admin handlers and services for users, posts, comments, groups, and dashboard - Implement role permission management with ability to view and update permissions - Add database seeding for roles and Casbin permission policies - Upgrade Casbin from v2 to v3 with GORM adapter for persistent policy storage - Add admin-specific repository methods with filtering and pagination - Register new admin API routes under /api/v1/admin/*
364 lines
12 KiB
Go
364 lines
12 KiB
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"os"
|
|
"strings"
|
|
|
|
"carrot_bbs/internal/config"
|
|
"carrot_bbs/internal/model"
|
|
"carrot_bbs/internal/repository"
|
|
"carrot_bbs/internal/service"
|
|
|
|
"github.com/casbin/casbin/v3"
|
|
gormadapter "github.com/casbin/gorm-adapter/v3"
|
|
"gorm.io/driver/postgres"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
func main() {
|
|
configPath := flag.String("config", "configs/config.yaml", "配置文件路径")
|
|
flag.Parse()
|
|
|
|
fmt.Println("============================================")
|
|
fmt.Println("Casbin RBAC1 权限系统测试")
|
|
fmt.Println("============================================")
|
|
|
|
// 加载配置
|
|
cfg, err := config.Load(*configPath)
|
|
if err != nil {
|
|
log.Fatalf("Failed to load config: %v", err)
|
|
}
|
|
fmt.Println("✓ 配置加载成功")
|
|
|
|
// 连接数据库
|
|
dsn := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
|
|
cfg.Database.Postgres.Host,
|
|
cfg.Database.Postgres.Port,
|
|
cfg.Database.Postgres.User,
|
|
cfg.Database.Postgres.Password,
|
|
cfg.Database.Postgres.DBName,
|
|
)
|
|
|
|
db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{})
|
|
if err != nil {
|
|
log.Fatalf("Failed to connect database: %v", err)
|
|
}
|
|
fmt.Println("✓ 数据库连接成功")
|
|
|
|
// 自动迁移
|
|
if err := db.AutoMigrate(&model.Role{}, &model.UserRole{}, &model.CasbinRule{}); err != nil {
|
|
log.Fatalf("Failed to migrate: %v", err)
|
|
}
|
|
fmt.Println("✓ 数据库迁移完成")
|
|
|
|
// 初始化角色数据
|
|
if err := initRoles(db); err != nil {
|
|
log.Printf("[WARNING] Failed to init roles: %v", err)
|
|
}
|
|
|
|
// 初始化 Casbin 策略数据
|
|
if err := initCasbinPolicies(db); err != nil {
|
|
log.Printf("[WARNING] Failed to init casbin policies: %v", err)
|
|
}
|
|
|
|
// 创建 GORM 适配器
|
|
adapter, err := gormadapter.NewAdapterByDB(db)
|
|
if err != nil {
|
|
log.Fatalf("Failed to create GORM adapter: %v", err)
|
|
}
|
|
|
|
// 创建 Casbin Enforcer
|
|
enforcer, err := casbin.NewEnforcer(cfg.Casbin.ModelPath, adapter)
|
|
if err != nil {
|
|
log.Fatalf("Failed to create enforcer: %v", err)
|
|
}
|
|
fmt.Println("✓ Casbin enforcer 创建成功")
|
|
|
|
// 创建角色仓储
|
|
roleRepo := repository.NewRoleRepository(db)
|
|
|
|
// 创建 Casbin 服务
|
|
casbinSvc := service.NewCasbinService(enforcer, nil, roleRepo, &cfg.Casbin)
|
|
fmt.Println("✓ Casbin 服务创建成功")
|
|
|
|
ctx := context.Background()
|
|
|
|
// 测试权限检查
|
|
fmt.Println("\n=== 测试权限检查 ===")
|
|
|
|
testCases := []struct {
|
|
sub string
|
|
obj string
|
|
act string
|
|
expected bool
|
|
}{
|
|
// banned 用户权限
|
|
{"banned", "/api/v1/posts", "GET", true},
|
|
{"banned", "/api/v1/posts", "POST", false},
|
|
{"banned", "/api/v1/admin/users", "GET", false},
|
|
|
|
// user 用户权限
|
|
{"user", "/api/v1/posts", "GET", true},
|
|
{"user", "/api/v1/posts", "POST", true},
|
|
{"user", "/api/v1/posts/123", "PUT", true},
|
|
{"user", "/api/v1/posts/123", "DELETE", true},
|
|
{"user", "/api/v1/comments", "POST", true},
|
|
{"user", "/api/v1/users/me", "GET", true},
|
|
{"user", "/api/v1/admin/users", "GET", false},
|
|
|
|
// moderator 权限 (继承 user)
|
|
{"moderator", "/api/v1/posts", "POST", true},
|
|
{"moderator", "/api/v1/admin/posts/123", "DELETE", true},
|
|
{"moderator", "/api/v1/admin/comments/456", "DELETE", true},
|
|
{"moderator", "/api/v1/admin/audit", "GET", true},
|
|
{"moderator", "/api/v1/admin/users", "GET", false},
|
|
|
|
// admin 权限 (继承 moderator)
|
|
{"admin", "/api/v1/posts", "POST", true},
|
|
{"admin", "/api/v1/admin/posts/123", "DELETE", true},
|
|
{"admin", "/api/v1/admin/users", "GET", true},
|
|
{"admin", "/api/v1/admin/roles", "GET", true},
|
|
{"admin", "/api/v1/some/unknown/path", "GET", false},
|
|
|
|
// super_admin 权限 (完全访问)
|
|
{"super_admin", "/api/v1/admin/anything", "DELETE", true},
|
|
{"super_admin", "/api/v1/admin/users", "GET", true},
|
|
{"super_admin", "/any/path", "ANY", true},
|
|
}
|
|
|
|
passed := 0
|
|
failed := 0
|
|
|
|
for _, tc := range testCases {
|
|
allowed, err := casbinSvc.Enforce(ctx, tc.sub, tc.obj, tc.act)
|
|
if err != nil {
|
|
fmt.Printf("✗ 错误: %s -> %s %s: %v\n", tc.sub, tc.obj, tc.act, err)
|
|
failed++
|
|
continue
|
|
}
|
|
|
|
status := "✗ DENIED"
|
|
if allowed {
|
|
status = "✓ ALLOWED"
|
|
}
|
|
|
|
// 检查结果是否符合预期
|
|
resultMatch := ""
|
|
if allowed != tc.expected {
|
|
resultMatch = fmt.Sprintf(" (预期: %v)", tc.expected)
|
|
failed++
|
|
} else {
|
|
passed++
|
|
}
|
|
|
|
fmt.Printf("%s: %s -> %s %s%s\n", status, tc.sub, tc.obj, tc.act, resultMatch)
|
|
}
|
|
|
|
// 测试角色继承
|
|
fmt.Println("\n=== 测试角色继承 ===")
|
|
|
|
// moderator 应该继承 user 的权限
|
|
allowed, _ := casbinSvc.Enforce(ctx, "moderator", "/api/v1/posts", "POST")
|
|
fmt.Printf("Moderator 继承 user 权限 - 可以发帖: %v\n", allowed)
|
|
|
|
// admin 应该继承 moderator 的权限
|
|
allowed, _ = casbinSvc.Enforce(ctx, "admin", "/api/v1/admin/posts/123", "DELETE")
|
|
fmt.Printf("Admin 继承 moderator 权限 - 可以删帖: %v\n", allowed)
|
|
|
|
// 测试用户角色管理
|
|
fmt.Println("\n=== 测试用户角色管理 ===")
|
|
|
|
testUserID := "test_user_123"
|
|
|
|
// 获取用户当前角色
|
|
roles, err := casbinSvc.GetRolesForUser(ctx, testUserID)
|
|
if err != nil {
|
|
fmt.Printf("获取用户角色失败: %v\n", err)
|
|
} else {
|
|
fmt.Printf("用户 %s 当前角色: %v\n", testUserID, roles)
|
|
}
|
|
|
|
// 添加角色
|
|
err = casbinSvc.AddRoleForUser(ctx, testUserID, "moderator")
|
|
if err != nil {
|
|
fmt.Printf("添加角色失败: %v\n", err)
|
|
} else {
|
|
fmt.Printf("✓ 为用户 %s 添加 moderator 角色\n", testUserID)
|
|
}
|
|
|
|
// 再次获取角色
|
|
roles, err = casbinSvc.GetRolesForUser(ctx, testUserID)
|
|
if err != nil {
|
|
fmt.Printf("获取用户角色失败: %v\n", err)
|
|
} else {
|
|
fmt.Printf("用户 %s 当前角色: %v\n", testUserID, roles)
|
|
}
|
|
|
|
// 检查用户是否有指定角色
|
|
hasRole, err := casbinSvc.HasRoleForUser(ctx, testUserID, "moderator")
|
|
if err != nil {
|
|
fmt.Printf("检查角色失败: %v\n", err)
|
|
} else {
|
|
fmt.Printf("用户 %s 是否有 moderator 角色: %v\n", testUserID, hasRole)
|
|
}
|
|
|
|
// 测试用户权限检查
|
|
allowed, err = casbinSvc.EnforceForUser(ctx, testUserID, "/api/v1/admin/posts/123", "DELETE")
|
|
if err != nil {
|
|
fmt.Printf("用户权限检查失败: %v\n", err)
|
|
} else {
|
|
fmt.Printf("用户 %s 可以删除管理后台帖子: %v\n", testUserID, allowed)
|
|
}
|
|
|
|
// 移除角色
|
|
err = casbinSvc.DeleteRoleForUser(ctx, testUserID, "moderator")
|
|
if err != nil {
|
|
fmt.Printf("移除角色失败: %v\n", err)
|
|
} else {
|
|
fmt.Printf("✓ 移除用户 %s 的 moderator 角色\n", testUserID)
|
|
}
|
|
|
|
// 清理测试数据
|
|
cleanupTestData(db, testUserID)
|
|
|
|
// 输出测试结果
|
|
fmt.Println("\n============================================")
|
|
fmt.Printf("测试结果: %d 通过, %d 失败\n", passed, failed)
|
|
fmt.Println("============================================")
|
|
|
|
if failed > 0 {
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
// initRoles 初始化角色数据
|
|
func initRoles(db *gorm.DB) error {
|
|
roles := []model.Role{
|
|
{Name: "banned", DisplayName: "被封禁用户", Description: "仅可浏览公开内容,无法交互", Priority: 0},
|
|
{Name: "user", DisplayName: "普通用户", Description: "注册用户,拥有基本功能权限", ParentRole: strPtr("banned"), Priority: 10},
|
|
{Name: "moderator", DisplayName: "版主", Description: "内容审核员,管理帖子和评论", ParentRole: strPtr("user"), Priority: 20},
|
|
{Name: "admin", DisplayName: "管理员", Description: "系统管理员,管理用户和内容", ParentRole: strPtr("moderator"), Priority: 30},
|
|
{Name: "super_admin", DisplayName: "超级管理员", Description: "系统最高权限者", ParentRole: strPtr("admin"), Priority: 40},
|
|
}
|
|
|
|
for _, role := range roles {
|
|
result := db.FirstOrCreate(&role, model.Role{Name: role.Name})
|
|
if result.Error != nil {
|
|
return result.Error
|
|
}
|
|
}
|
|
|
|
fmt.Println("✓ 角色数据初始化完成")
|
|
return nil
|
|
}
|
|
|
|
// initCasbinPolicies 初始化 Casbin 策略数据
|
|
func initCasbinPolicies(db *gorm.DB) error {
|
|
// 角色继承关系 (g 策略)
|
|
gPolicies := []model.CasbinRule{
|
|
{Ptype: "g", V0: "user", V1: "banned"},
|
|
{Ptype: "g", V0: "moderator", V1: "user"},
|
|
{Ptype: "g", V0: "admin", V1: "moderator"},
|
|
{Ptype: "g", V0: "super_admin", V1: "admin"},
|
|
}
|
|
|
|
// 权限策略 (p 策略)
|
|
pPolicies := []model.CasbinRule{
|
|
// banned 用户权限 (仅允许 GET 请求)
|
|
{Ptype: "p", V0: "banned", V1: "/api/v1/posts", V2: "GET"},
|
|
{Ptype: "p", V0: "banned", V1: "/api/v1/posts/*", V2: "GET"},
|
|
{Ptype: "p", V0: "banned", V1: "/api/v1/comments/*", V2: "GET"},
|
|
{Ptype: "p", V0: "banned", V1: "/api/v1/users/*", V2: "GET"},
|
|
|
|
// user 用户权限 (基本操作)
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts", V2: "POST"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*", V2: "PUT"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*", V2: "DELETE"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/like", V2: "POST"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/like", V2: "DELETE"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/favorite", V2: "POST"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/posts/*/favorite", V2: "DELETE"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/comments", V2: "POST"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/comments/*", V2: "PUT"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/comments/*", V2: "DELETE"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/users/me", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/users/me/*", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/conversations", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/conversations/*", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/messages/*", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/notifications", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/notifications/*", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/uploads/*", V2: "POST"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/groups", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/groups/*", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/stickers", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/schedule", V2: "*"},
|
|
{Ptype: "p", V0: "user", V1: "/api/v1/schedule/*", V2: "*"},
|
|
|
|
// moderator 权限 (内容管理)
|
|
{Ptype: "p", V0: "moderator", V1: "/api/v1/admin/posts/*", V2: "*"},
|
|
{Ptype: "p", V0: "moderator", V1: "/api/v1/admin/comments/*", V2: "*"},
|
|
{Ptype: "p", V0: "moderator", V1: "/api/v1/admin/audit/*", V2: "GET"},
|
|
|
|
// admin 权限 (用户管理)
|
|
{Ptype: "p", V0: "admin", V1: "/api/v1/admin/users/*", V2: "*"},
|
|
{Ptype: "p", V0: "admin", V1: "/api/v1/admin/roles", V2: "GET"},
|
|
{Ptype: "p", V0: "admin", V1: "/api/v1/admin/roles/*", V2: "GET"},
|
|
|
|
// super_admin 权限 (完全访问)
|
|
{Ptype: "p", V0: "super_admin", V1: "/*", V2: "*"},
|
|
}
|
|
|
|
// 插入 g 策略
|
|
for _, policy := range gPolicies {
|
|
var existing model.CasbinRule
|
|
result := db.Where("ptype = ? AND v0 = ? AND v1 = ?", policy.Ptype, policy.V0, policy.V1).First(&existing)
|
|
if result.Error == gorm.ErrRecordNotFound {
|
|
if err := db.Create(&policy).Error; err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
// 插入 p 策略
|
|
for _, policy := range pPolicies {
|
|
var existing model.CasbinRule
|
|
result := db.Where("ptype = ? AND v0 = ? AND v1 = ? AND v2 = ?", policy.Ptype, policy.V0, policy.V1, policy.V2).First(&existing)
|
|
if result.Error == gorm.ErrRecordNotFound {
|
|
if err := db.Create(&policy).Error; err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
fmt.Println("✓ Casbin 策略数据初始化完成")
|
|
return nil
|
|
}
|
|
|
|
// cleanupTestData 清理测试数据
|
|
func cleanupTestData(db *gorm.DB, userID string) {
|
|
db.Where("user_id = ?", userID).Delete(&model.UserRole{})
|
|
fmt.Printf("✓ 清理测试用户 %s 的数据\n", userID)
|
|
}
|
|
|
|
// strPtr 返回字符串指针
|
|
func strPtr(s string) *string {
|
|
return &s
|
|
}
|
|
|
|
// 辅助函数:检查字符串是否包含通配符匹配
|
|
func matchPattern(pattern, str string) bool {
|
|
if pattern == "/*" {
|
|
return true
|
|
}
|
|
if strings.HasSuffix(pattern, "/*") {
|
|
prefix := strings.TrimSuffix(pattern, "/*")
|
|
return strings.HasPrefix(str, prefix+"/") || str == prefix
|
|
}
|
|
return pattern == str
|
|
}
|