2026-04-02 23:35:53 +08:00
|
|
|
|
package service
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
|
"context"
|
|
|
|
|
|
"errors"
|
2026-04-03 07:58:46 +08:00
|
|
|
|
"sync"
|
2026-04-02 23:35:53 +08:00
|
|
|
|
"time"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// 错误定义
|
|
|
|
|
|
var (
|
|
|
|
|
|
ErrRoleNotFound = errors.New("role not found")
|
|
|
|
|
|
ErrDuplicateRoleCode = errors.New("role code already exists")
|
|
|
|
|
|
ErrDuplicateAssignment = errors.New("user already has this role")
|
|
|
|
|
|
ErrInvalidRequest = errors.New("invalid request")
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// Role 角色(简化的服务层模型)
|
|
|
|
|
|
type Role struct {
|
|
|
|
|
|
Code string
|
|
|
|
|
|
Name string
|
|
|
|
|
|
Type string
|
|
|
|
|
|
Level int
|
|
|
|
|
|
Description string
|
|
|
|
|
|
IsActive bool
|
|
|
|
|
|
Version int
|
|
|
|
|
|
CreatedAt time.Time
|
|
|
|
|
|
UpdatedAt time.Time
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// UserRole 用户角色(简化的服务层模型)
|
|
|
|
|
|
type UserRole struct {
|
|
|
|
|
|
UserID int64
|
|
|
|
|
|
RoleCode string
|
|
|
|
|
|
TenantID int64
|
|
|
|
|
|
IsActive bool
|
|
|
|
|
|
ExpiresAt *time.Time
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// CreateRoleRequest 创建角色请求
|
|
|
|
|
|
type CreateRoleRequest struct {
|
|
|
|
|
|
Code string
|
|
|
|
|
|
Name string
|
|
|
|
|
|
Type string
|
|
|
|
|
|
Level int
|
|
|
|
|
|
Description string
|
|
|
|
|
|
Scopes []string
|
|
|
|
|
|
ParentCode string
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// UpdateRoleRequest 更新角色请求
|
|
|
|
|
|
type UpdateRoleRequest struct {
|
|
|
|
|
|
Code string
|
|
|
|
|
|
Name string
|
|
|
|
|
|
Description string
|
|
|
|
|
|
Scopes []string
|
|
|
|
|
|
IsActive *bool
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// AssignRoleRequest 分配角色请求
|
|
|
|
|
|
type AssignRoleRequest struct {
|
|
|
|
|
|
UserID int64
|
|
|
|
|
|
RoleCode string
|
|
|
|
|
|
TenantID int64
|
|
|
|
|
|
GrantedBy int64
|
|
|
|
|
|
ExpiresAt *time.Time
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// IAMServiceInterface IAM服务接口
|
|
|
|
|
|
type IAMServiceInterface interface {
|
|
|
|
|
|
CreateRole(ctx context.Context, req *CreateRoleRequest) (*Role, error)
|
|
|
|
|
|
GetRole(ctx context.Context, roleCode string) (*Role, error)
|
|
|
|
|
|
UpdateRole(ctx context.Context, req *UpdateRoleRequest) (*Role, error)
|
|
|
|
|
|
DeleteRole(ctx context.Context, roleCode string) error
|
|
|
|
|
|
ListRoles(ctx context.Context, roleType string) ([]*Role, error)
|
|
|
|
|
|
|
|
|
|
|
|
AssignRole(ctx context.Context, req *AssignRoleRequest) (*UserRole, error)
|
|
|
|
|
|
RevokeRole(ctx context.Context, userID int64, roleCode string, tenantID int64) error
|
|
|
|
|
|
GetUserRoles(ctx context.Context, userID int64) ([]*UserRole, error)
|
|
|
|
|
|
|
|
|
|
|
|
CheckScope(ctx context.Context, userID int64, requiredScope string) (bool, error)
|
|
|
|
|
|
GetUserScopes(ctx context.Context, userID int64) ([]string, error)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// DefaultIAMService 默认IAM服务实现
|
|
|
|
|
|
type DefaultIAMService struct {
|
|
|
|
|
|
// 角色存储
|
|
|
|
|
|
roleStore map[string]*Role
|
|
|
|
|
|
// 用户角色存储: userID -> []*UserRole
|
|
|
|
|
|
userRoleStore map[int64][]*UserRole
|
|
|
|
|
|
// 角色Scope存储: roleCode -> []scopeCode
|
|
|
|
|
|
roleScopeStore map[string][]string
|
2026-04-03 07:58:46 +08:00
|
|
|
|
// 并发控制
|
|
|
|
|
|
mu sync.RWMutex
|
2026-04-02 23:35:53 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// NewDefaultIAMService 创建默认IAM服务
|
|
|
|
|
|
func NewDefaultIAMService() *DefaultIAMService {
|
|
|
|
|
|
return &DefaultIAMService{
|
|
|
|
|
|
roleStore: make(map[string]*Role),
|
|
|
|
|
|
userRoleStore: make(map[int64][]*UserRole),
|
|
|
|
|
|
roleScopeStore: make(map[string][]string),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// CreateRole 创建角色
|
|
|
|
|
|
func (s *DefaultIAMService) CreateRole(ctx context.Context, req *CreateRoleRequest) (*Role, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.Lock()
|
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
// 检查是否重复
|
|
|
|
|
|
if _, exists := s.roleStore[req.Code]; exists {
|
|
|
|
|
|
return nil, ErrDuplicateRoleCode
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证角色类型
|
|
|
|
|
|
if req.Type != "platform" && req.Type != "supply" && req.Type != "consumer" {
|
|
|
|
|
|
return nil, ErrInvalidRequest
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
now := time.Now()
|
|
|
|
|
|
role := &Role{
|
|
|
|
|
|
Code: req.Code,
|
|
|
|
|
|
Name: req.Name,
|
|
|
|
|
|
Type: req.Type,
|
|
|
|
|
|
Level: req.Level,
|
|
|
|
|
|
Description: req.Description,
|
|
|
|
|
|
IsActive: true,
|
|
|
|
|
|
Version: 1,
|
|
|
|
|
|
CreatedAt: now,
|
|
|
|
|
|
UpdatedAt: now,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 存储角色
|
|
|
|
|
|
s.roleStore[req.Code] = role
|
|
|
|
|
|
|
|
|
|
|
|
// 存储角色Scope关联
|
|
|
|
|
|
if len(req.Scopes) > 0 {
|
|
|
|
|
|
s.roleScopeStore[req.Code] = req.Scopes
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return role, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetRole 获取角色
|
|
|
|
|
|
func (s *DefaultIAMService) GetRole(ctx context.Context, roleCode string) (*Role, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.RLock()
|
|
|
|
|
|
defer s.mu.RUnlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
role, exists := s.roleStore[roleCode]
|
|
|
|
|
|
if !exists {
|
|
|
|
|
|
return nil, ErrRoleNotFound
|
|
|
|
|
|
}
|
|
|
|
|
|
return role, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// UpdateRole 更新角色
|
|
|
|
|
|
func (s *DefaultIAMService) UpdateRole(ctx context.Context, req *UpdateRoleRequest) (*Role, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.Lock()
|
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
role, exists := s.roleStore[req.Code]
|
|
|
|
|
|
if !exists {
|
|
|
|
|
|
return nil, ErrRoleNotFound
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 更新字段
|
|
|
|
|
|
if req.Name != "" {
|
|
|
|
|
|
role.Name = req.Name
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.Description != "" {
|
|
|
|
|
|
role.Description = req.Description
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.Scopes != nil {
|
|
|
|
|
|
s.roleScopeStore[req.Code] = req.Scopes
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.IsActive != nil {
|
|
|
|
|
|
role.IsActive = *req.IsActive
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 递增版本
|
|
|
|
|
|
role.Version++
|
|
|
|
|
|
role.UpdatedAt = time.Now()
|
|
|
|
|
|
|
|
|
|
|
|
return role, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// DeleteRole 删除角色(软删除)
|
|
|
|
|
|
func (s *DefaultIAMService) DeleteRole(ctx context.Context, roleCode string) error {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.Lock()
|
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
role, exists := s.roleStore[roleCode]
|
|
|
|
|
|
if !exists {
|
|
|
|
|
|
return ErrRoleNotFound
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
role.IsActive = false
|
|
|
|
|
|
role.UpdatedAt = time.Now()
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ListRoles 列出角色
|
|
|
|
|
|
func (s *DefaultIAMService) ListRoles(ctx context.Context, roleType string) ([]*Role, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.RLock()
|
|
|
|
|
|
defer s.mu.RUnlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
var roles []*Role
|
|
|
|
|
|
for _, role := range s.roleStore {
|
|
|
|
|
|
if roleType == "" || role.Type == roleType {
|
|
|
|
|
|
roles = append(roles, role)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return roles, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// AssignRole 分配角色
|
|
|
|
|
|
func (s *DefaultIAMService) AssignRole(ctx context.Context, req *AssignRoleRequest) (*UserRole, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.Lock()
|
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
// 检查角色是否存在
|
|
|
|
|
|
if _, exists := s.roleStore[req.RoleCode]; !exists {
|
|
|
|
|
|
return nil, ErrRoleNotFound
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查是否已分配
|
|
|
|
|
|
for _, ur := range s.userRoleStore[req.UserID] {
|
|
|
|
|
|
if ur.RoleCode == req.RoleCode && ur.TenantID == req.TenantID && ur.IsActive {
|
|
|
|
|
|
return nil, ErrDuplicateAssignment
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
userRole := &UserRole{
|
|
|
|
|
|
UserID: req.UserID,
|
|
|
|
|
|
RoleCode: req.RoleCode,
|
|
|
|
|
|
TenantID: req.TenantID,
|
|
|
|
|
|
IsActive: true,
|
|
|
|
|
|
ExpiresAt: req.ExpiresAt,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 存储映射
|
|
|
|
|
|
s.userRoleStore[req.UserID] = append(s.userRoleStore[req.UserID], userRole)
|
|
|
|
|
|
|
|
|
|
|
|
return userRole, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// RevokeRole 撤销角色
|
|
|
|
|
|
func (s *DefaultIAMService) RevokeRole(ctx context.Context, userID int64, roleCode string, tenantID int64) error {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.Lock()
|
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
for _, ur := range s.userRoleStore[userID] {
|
|
|
|
|
|
if ur.RoleCode == roleCode && ur.TenantID == tenantID {
|
|
|
|
|
|
ur.IsActive = false
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return ErrRoleNotFound
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetUserRoles 获取用户角色
|
|
|
|
|
|
func (s *DefaultIAMService) GetUserRoles(ctx context.Context, userID int64) ([]*UserRole, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.RLock()
|
|
|
|
|
|
defer s.mu.RUnlock()
|
|
|
|
|
|
|
2026-04-02 23:35:53 +08:00
|
|
|
|
var userRoles []*UserRole
|
|
|
|
|
|
for _, ur := range s.userRoleStore[userID] {
|
|
|
|
|
|
if ur.IsActive {
|
|
|
|
|
|
userRoles = append(userRoles, ur)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return userRoles, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// CheckScope 检查用户是否有指定Scope
|
|
|
|
|
|
func (s *DefaultIAMService) CheckScope(ctx context.Context, userID int64, requiredScope string) (bool, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.RLock()
|
|
|
|
|
|
defer s.mu.RUnlock()
|
|
|
|
|
|
|
|
|
|
|
|
scopes, err := s.getUserScopesLocked(userID)
|
2026-04-02 23:35:53 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
for _, scope := range scopes {
|
|
|
|
|
|
if scope == requiredScope || scope == "*" {
|
|
|
|
|
|
return true, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return false, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetUserScopes 获取用户所有Scope
|
|
|
|
|
|
func (s *DefaultIAMService) GetUserScopes(ctx context.Context, userID int64) ([]string, error) {
|
2026-04-03 07:58:46 +08:00
|
|
|
|
s.mu.RLock()
|
|
|
|
|
|
defer s.mu.RUnlock()
|
|
|
|
|
|
|
|
|
|
|
|
return s.getUserScopesLocked(userID)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// getUserScopesLocked 获取用户所有Scope(内部使用,需要持有锁)
|
|
|
|
|
|
func (s *DefaultIAMService) getUserScopesLocked(userID int64) ([]string, error) {
|
2026-04-02 23:35:53 +08:00
|
|
|
|
var allScopes []string
|
|
|
|
|
|
seen := make(map[string]bool)
|
|
|
|
|
|
|
|
|
|
|
|
for _, ur := range s.userRoleStore[userID] {
|
|
|
|
|
|
if ur.IsActive && (ur.ExpiresAt == nil || ur.ExpiresAt.After(time.Now())) {
|
|
|
|
|
|
if scopes, exists := s.roleScopeStore[ur.RoleCode]; exists {
|
|
|
|
|
|
for _, scope := range scopes {
|
|
|
|
|
|
if !seen[scope] {
|
|
|
|
|
|
seen[scope] = true
|
|
|
|
|
|
allScopes = append(allScopes, scope)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return allScopes, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// IsExpired 检查用户角色是否过期
|
|
|
|
|
|
func (ur *UserRole) IsExpired() bool {
|
|
|
|
|
|
if ur.ExpiresAt == nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
return time.Now().After(*ur.ExpiresAt)
|
|
|
|
|
|
}
|
