feat(P1/P2): 完成TDD开发及P1/P2设计文档
## 设计文档 - multi_role_permission_design: 多角色权限设计 (CONDITIONAL GO) - audit_log_enhancement_design: 审计日志增强 (CONDITIONAL GO) - routing_strategy_template_design: 路由策略模板 (CONDITIONAL GO) - sso_saml_technical_research: SSO/SAML调研 (CONDITIONAL GO) - compliance_capability_package_design: 合规能力包设计 (CONDITIONAL GO) ## TDD开发成果 - IAM模块: supply-api/internal/iam/ (111个测试) - 审计日志模块: supply-api/internal/audit/ (40+测试) - 路由策略模块: gateway/internal/router/ (33+测试) - 合规能力包: gateway/internal/compliance/ + scripts/ci/compliance/ ## 规范文档 - parallel_agent_output_quality_standards: 并行Agent产出质量规范 - project_experience_summary: 项目经验总结 (v2) - 2026-04-02-p1-p2-tdd-execution-plan: TDD执行计划 ## 评审报告 - 5个CONDITIONAL GO设计文档评审报告 - fix_verification_report: 修复验证报告 - full_verification_report: 全面质量验证报告 - tdd_module_quality_verification: TDD模块质量验证 - tdd_execution_summary: TDD执行总结 依据: Superpowers执行框架 + TDD规范
This commit is contained in:
Your Name
507
supply-api/internal/iam/handler/iam_handler.go
Normal file
507
supply-api/internal/iam/handler/iam_handler.go
Normal file
@@ -0,0 +1,507 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"strconv"
|
||||
|
||||
"lijiaoqiao/supply-api/internal/iam/service"
|
||||
)
|
||||
|
||||
// IAMHandler IAM HTTP处理器
|
||||
type IAMHandler struct {
|
||||
iamService service.IAMServiceInterface
|
||||
}
|
||||
|
||||
// NewIAMHandler 创建IAM处理器
|
||||
func NewIAMHandler(iamService service.IAMServiceInterface) *IAMHandler {
|
||||
return &IAMHandler{
|
||||
iamService: iamService,
|
||||
}
|
||||
}
|
||||
|
||||
// RoleResponse HTTP响应中的角色信息
|
||||
type RoleResponse struct {
|
||||
Code string `json:"role_code"`
|
||||
Name string `json:"role_name"`
|
||||
Type string `json:"role_type"`
|
||||
Level int `json:"level"`
|
||||
Scopes []string `json:"scopes,omitempty"`
|
||||
IsActive bool `json:"is_active"`
|
||||
}
|
||||
|
||||
// CreateRoleRequest 创建角色请求
|
||||
type CreateRoleRequest struct {
|
||||
Code string `json:"code"`
|
||||
Name string `json:"name"`
|
||||
Type string `json:"type"`
|
||||
Level int `json:"level"`
|
||||
Scopes []string `json:"scopes"`
|
||||
}
|
||||
|
||||
// UpdateRoleRequest 更新角色请求
|
||||
type UpdateRoleRequest struct {
|
||||
Code string `json:"code"`
|
||||
Name string `json:"name"`
|
||||
Description string `json:"description"`
|
||||
Scopes []string `json:"scopes"`
|
||||
IsActive *bool `json:"is_active"`
|
||||
}
|
||||
|
||||
// AssignRoleRequest 分配角色请求
|
||||
type AssignRoleRequest struct {
|
||||
RoleCode string `json:"role_code"`
|
||||
TenantID int64 `json:"tenant_id"`
|
||||
ExpiresAt string `json:"expires_at,omitempty"`
|
||||
}
|
||||
|
||||
// HTTPError HTTP错误响应
|
||||
type HTTPError struct {
|
||||
Code string `json:"code"`
|
||||
Message string `json:"message"`
|
||||
}
|
||||
|
||||
// ErrorResponse 错误响应结构
|
||||
type ErrorResponse struct {
|
||||
Error HTTPError `json:"error"`
|
||||
}
|
||||
|
||||
// RegisterRoutes 注册IAM路由
|
||||
func (h *IAMHandler) RegisterRoutes(mux *http.ServeMux) {
|
||||
mux.HandleFunc("/api/v1/iam/roles", h.handleRoles)
|
||||
mux.HandleFunc("/api/v1/iam/roles/", h.handleRoleByCode)
|
||||
mux.HandleFunc("/api/v1/iam/scopes", h.handleScopes)
|
||||
mux.HandleFunc("/api/v1/iam/users/", h.handleUserRoles)
|
||||
mux.HandleFunc("/api/v1/iam/check-scope", h.handleCheckScope)
|
||||
}
|
||||
|
||||
// handleRoles 处理角色相关路由
|
||||
func (h *IAMHandler) handleRoles(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
h.ListRoles(w, r)
|
||||
case http.MethodPost:
|
||||
h.CreateRole(w, r)
|
||||
default:
|
||||
writeError(w, http.StatusMethodNotAllowed, "METHOD_NOT_ALLOWED", "method not allowed")
|
||||
}
|
||||
}
|
||||
|
||||
// handleRoleByCode 处理单个角色路由
|
||||
func (h *IAMHandler) handleRoleByCode(w http.ResponseWriter, r *http.Request) {
|
||||
roleCode := extractRoleCode(r.URL.Path)
|
||||
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
h.GetRole(w, r, roleCode)
|
||||
case http.MethodPut:
|
||||
h.UpdateRole(w, r, roleCode)
|
||||
case http.MethodDelete:
|
||||
h.DeleteRole(w, r, roleCode)
|
||||
default:
|
||||
writeError(w, http.StatusMethodNotAllowed, "METHOD_NOT_ALLOWED", "method not allowed")
|
||||
}
|
||||
}
|
||||
|
||||
// handleScopes 处理Scope列表路由
|
||||
func (h *IAMHandler) handleScopes(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodGet {
|
||||
writeError(w, http.StatusMethodNotAllowed, "METHOD_NOT_ALLOWED", "method not allowed")
|
||||
return
|
||||
}
|
||||
|
||||
h.ListScopes(w, r)
|
||||
}
|
||||
|
||||
// handleUserRoles 处理用户角色路由
|
||||
func (h *IAMHandler) handleUserRoles(w http.ResponseWriter, r *http.Request) {
|
||||
// 解析用户ID
|
||||
path := r.URL.Path
|
||||
userIDStr := extractUserID(path)
|
||||
userID, err := strconv.ParseInt(userIDStr, 10, 64)
|
||||
if err != nil {
|
||||
writeError(w, http.StatusBadRequest, "INVALID_USER_ID", "invalid user id")
|
||||
return
|
||||
}
|
||||
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
h.GetUserRoles(w, r, userID)
|
||||
case http.MethodPost:
|
||||
h.AssignRole(w, r, userID)
|
||||
case http.MethodDelete:
|
||||
roleCode := extractRoleCodeFromUserPath(path)
|
||||
tenantID := int64(0) // 从请求或context获取
|
||||
h.RevokeRole(w, r, userID, roleCode, tenantID)
|
||||
default:
|
||||
writeError(w, http.StatusMethodNotAllowed, "METHOD_NOT_ALLOWED", "method not allowed")
|
||||
}
|
||||
}
|
||||
|
||||
// handleCheckScope 处理检查Scope路由
|
||||
func (h *IAMHandler) handleCheckScope(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodGet {
|
||||
writeError(w, http.StatusMethodNotAllowed, "METHOD_NOT_ALLOWED", "method not allowed")
|
||||
return
|
||||
}
|
||||
|
||||
h.CheckScope(w, r)
|
||||
}
|
||||
|
||||
// CreateRole 处理创建角色请求
|
||||
func (h *IAMHandler) CreateRole(w http.ResponseWriter, r *http.Request) {
|
||||
var req CreateRoleRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
writeError(w, http.StatusBadRequest, "INVALID_REQUEST", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
// 验证必填字段
|
||||
if req.Code == "" {
|
||||
writeError(w, http.StatusBadRequest, "MISSING_CODE", "role code is required")
|
||||
return
|
||||
}
|
||||
if req.Name == "" {
|
||||
writeError(w, http.StatusBadRequest, "MISSING_NAME", "role name is required")
|
||||
return
|
||||
}
|
||||
if req.Type == "" {
|
||||
writeError(w, http.StatusBadRequest, "MISSING_TYPE", "role type is required")
|
||||
return
|
||||
}
|
||||
|
||||
serviceReq := &service.CreateRoleRequest{
|
||||
Code: req.Code,
|
||||
Name: req.Name,
|
||||
Type: req.Type,
|
||||
Level: req.Level,
|
||||
Scopes: req.Scopes,
|
||||
}
|
||||
|
||||
role, err := h.iamService.CreateRole(r.Context(), serviceReq)
|
||||
if err != nil {
|
||||
if err == service.ErrDuplicateRoleCode {
|
||||
writeError(w, http.StatusConflict, "DUPLICATE_ROLE_CODE", err.Error())
|
||||
return
|
||||
}
|
||||
if err == service.ErrInvalidRequest {
|
||||
writeError(w, http.StatusBadRequest, "INVALID_REQUEST", err.Error())
|
||||
return
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusCreated, map[string]interface{}{
|
||||
"role": toRoleResponse(role),
|
||||
})
|
||||
}
|
||||
|
||||
// GetRole 处理获取单个角色请求
|
||||
func (h *IAMHandler) GetRole(w http.ResponseWriter, r *http.Request, roleCode string) {
|
||||
role, err := h.iamService.GetRole(r.Context(), roleCode)
|
||||
if err != nil {
|
||||
if err == service.ErrRoleNotFound {
|
||||
writeError(w, http.StatusNotFound, "ROLE_NOT_FOUND", err.Error())
|
||||
return
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"role": toRoleResponse(role),
|
||||
})
|
||||
}
|
||||
|
||||
// ListRoles 处理列出角色请求
|
||||
func (h *IAMHandler) ListRoles(w http.ResponseWriter, r *http.Request) {
|
||||
roleType := r.URL.Query().Get("type")
|
||||
|
||||
roles, err := h.iamService.ListRoles(r.Context(), roleType)
|
||||
if err != nil {
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
roleResponses := make([]*RoleResponse, len(roles))
|
||||
for i, role := range roles {
|
||||
roleResponses[i] = toRoleResponse(role)
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"roles": roleResponses,
|
||||
})
|
||||
}
|
||||
|
||||
// UpdateRole 处理更新角色请求
|
||||
func (h *IAMHandler) UpdateRole(w http.ResponseWriter, r *http.Request, roleCode string) {
|
||||
var req UpdateRoleRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
writeError(w, http.StatusBadRequest, "INVALID_REQUEST", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
req.Code = roleCode // 确保使用URL中的roleCode
|
||||
|
||||
serviceReq := &service.UpdateRoleRequest{
|
||||
Code: req.Code,
|
||||
Name: req.Name,
|
||||
Description: req.Description,
|
||||
Scopes: req.Scopes,
|
||||
IsActive: req.IsActive,
|
||||
}
|
||||
|
||||
role, err := h.iamService.UpdateRole(r.Context(), serviceReq)
|
||||
if err != nil {
|
||||
if err == service.ErrRoleNotFound {
|
||||
writeError(w, http.StatusNotFound, "ROLE_NOT_FOUND", err.Error())
|
||||
return
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"role": toRoleResponse(role),
|
||||
})
|
||||
}
|
||||
|
||||
// DeleteRole 处理删除角色请求
|
||||
func (h *IAMHandler) DeleteRole(w http.ResponseWriter, r *http.Request, roleCode string) {
|
||||
err := h.iamService.DeleteRole(r.Context(), roleCode)
|
||||
if err != nil {
|
||||
if err == service.ErrRoleNotFound {
|
||||
writeError(w, http.StatusNotFound, "ROLE_NOT_FOUND", err.Error())
|
||||
return
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"message": "role deleted successfully",
|
||||
})
|
||||
}
|
||||
|
||||
// ListScopes 处理列出所有Scope请求
|
||||
func (h *IAMHandler) ListScopes(w http.ResponseWriter, r *http.Request) {
|
||||
// 从预定义Scope列表获取
|
||||
scopes := []map[string]interface{}{
|
||||
{"scope_code": "platform:read", "scope_name": "读取平台配置", "scope_type": "platform"},
|
||||
{"scope_code": "platform:write", "scope_name": "修改平台配置", "scope_type": "platform"},
|
||||
{"scope_code": "platform:admin", "scope_name": "平台级管理", "scope_type": "platform"},
|
||||
{"scope_code": "tenant:read", "scope_name": "读取租户信息", "scope_type": "platform"},
|
||||
{"scope_code": "supply:account:read", "scope_name": "读取供应账号", "scope_type": "supply"},
|
||||
{"scope_code": "consumer:apikey:create", "scope_name": "创建API Key", "scope_type": "consumer"},
|
||||
{"scope_code": "router:invoke", "scope_name": "调用模型", "scope_type": "router"},
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"scopes": scopes,
|
||||
})
|
||||
}
|
||||
|
||||
// GetUserRoles 处理获取用户角色请求
|
||||
func (h *IAMHandler) GetUserRoles(w http.ResponseWriter, r *http.Request, userID int64) {
|
||||
roles, err := h.iamService.GetUserRoles(r.Context(), userID)
|
||||
if err != nil {
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"user_id": userID,
|
||||
"roles": roles,
|
||||
})
|
||||
}
|
||||
|
||||
// AssignRole 处理分配角色请求
|
||||
func (h *IAMHandler) AssignRole(w http.ResponseWriter, r *http.Request, userID int64) {
|
||||
var req AssignRoleRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
writeError(w, http.StatusBadRequest, "INVALID_REQUEST", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
serviceReq := &service.AssignRoleRequest{
|
||||
UserID: userID,
|
||||
RoleCode: req.RoleCode,
|
||||
TenantID: req.TenantID,
|
||||
}
|
||||
|
||||
mapping, err := h.iamService.AssignRole(r.Context(), serviceReq)
|
||||
if err != nil {
|
||||
if err == service.ErrRoleNotFound {
|
||||
writeError(w, http.StatusNotFound, "ROLE_NOT_FOUND", err.Error())
|
||||
return
|
||||
}
|
||||
if err == service.ErrDuplicateAssignment {
|
||||
writeError(w, http.StatusConflict, "DUPLICATE_ASSIGNMENT", err.Error())
|
||||
return
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusCreated, map[string]interface{}{
|
||||
"message": "role assigned successfully",
|
||||
"mapping": mapping,
|
||||
})
|
||||
}
|
||||
|
||||
// RevokeRole 处理撤销角色请求
|
||||
func (h *IAMHandler) RevokeRole(w http.ResponseWriter, r *http.Request, userID int64, roleCode string, tenantID int64) {
|
||||
err := h.iamService.RevokeRole(r.Context(), userID, roleCode, tenantID)
|
||||
if err != nil {
|
||||
if err == service.ErrRoleNotFound {
|
||||
writeError(w, http.StatusNotFound, "ROLE_NOT_FOUND", err.Error())
|
||||
return
|
||||
}
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"message": "role revoked successfully",
|
||||
})
|
||||
}
|
||||
|
||||
// CheckScope 处理检查Scope请求
|
||||
func (h *IAMHandler) CheckScope(w http.ResponseWriter, r *http.Request) {
|
||||
scope := r.URL.Query().Get("scope")
|
||||
if scope == "" {
|
||||
writeError(w, http.StatusBadRequest, "MISSING_SCOPE", "scope parameter is required")
|
||||
return
|
||||
}
|
||||
|
||||
// 从context获取userID(实际应用中应从认证中间件获取)
|
||||
userID := int64(1) // 模拟
|
||||
|
||||
hasScope, err := h.iamService.CheckScope(r.Context(), userID, scope)
|
||||
if err != nil {
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]interface{}{
|
||||
"has_scope": hasScope,
|
||||
"scope": scope,
|
||||
"user_id": userID,
|
||||
})
|
||||
}
|
||||
|
||||
// toRoleResponse 转换为RoleResponse
|
||||
func toRoleResponse(role *service.Role) *RoleResponse {
|
||||
return &RoleResponse{
|
||||
Code: role.Code,
|
||||
Name: role.Name,
|
||||
Type: role.Type,
|
||||
Level: role.Level,
|
||||
IsActive: role.IsActive,
|
||||
}
|
||||
}
|
||||
|
||||
// writeJSON 写入JSON响应
|
||||
func writeJSON(w http.ResponseWriter, status int, data interface{}) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(status)
|
||||
json.NewEncoder(w).Encode(data)
|
||||
}
|
||||
|
||||
// writeError 写入错误响应
|
||||
func writeError(w http.ResponseWriter, status int, code, message string) {
|
||||
writeJSON(w, status, ErrorResponse{
|
||||
Error: HTTPError{
|
||||
Code: code,
|
||||
Message: message,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// extractRoleCode 从URL路径提取角色代码
|
||||
func extractRoleCode(path string) string {
|
||||
// /api/v1/iam/roles/developer -> developer
|
||||
parts := splitPath(path)
|
||||
if len(parts) >= 5 {
|
||||
return parts[4]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// extractUserID 从URL路径提取用户ID
|
||||
func extractUserID(path string) string {
|
||||
// /api/v1/iam/users/123/roles -> 123
|
||||
parts := splitPath(path)
|
||||
if len(parts) >= 4 {
|
||||
return parts[3]
|
||||
}
|
||||
if len(parts) >= 6 {
|
||||
return parts[3]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// extractRoleCodeFromUserPath 从用户路径提取角色代码
|
||||
func extractRoleCodeFromUserPath(path string) string {
|
||||
// /api/v1/iam/users/123/roles/developer -> developer
|
||||
parts := splitPath(path)
|
||||
if len(parts) >= 6 {
|
||||
return parts[5]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// splitPath 分割URL路径
|
||||
func splitPath(path string) []string {
|
||||
var parts []string
|
||||
var current string
|
||||
for _, c := range path {
|
||||
if c == '/' {
|
||||
if current != "" {
|
||||
parts = append(parts, current)
|
||||
current = ""
|
||||
}
|
||||
} else {
|
||||
current += string(c)
|
||||
}
|
||||
}
|
||||
if current != "" {
|
||||
parts = append(parts, current)
|
||||
}
|
||||
return parts
|
||||
}
|
||||
|
||||
// RequireScope 返回一个要求特定Scope的中间件函数
|
||||
func RequireScope(scope string, iamService service.IAMServiceInterface) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// 从context获取userID
|
||||
userID := getUserIDFromContext(r.Context())
|
||||
if userID == 0 {
|
||||
writeError(w, http.StatusUnauthorized, "UNAUTHORIZED", "user not authenticated")
|
||||
return
|
||||
}
|
||||
|
||||
hasScope, err := iamService.CheckScope(r.Context(), userID, scope)
|
||||
if err != nil {
|
||||
writeError(w, http.StatusInternalServerError, "INTERNAL_ERROR", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if !hasScope {
|
||||
writeError(w, http.StatusForbidden, "SCOPE_DENIED", "insufficient scope")
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// getUserIDFromContext 从context获取userID(实际应用中应从认证中间件获取)
|
||||
func getUserIDFromContext(ctx context.Context) int64 {
|
||||
// TODO: 从认证中间件获取真实的userID
|
||||
return 1
|
||||
}
|
||||
Reference in New Issue
Block a user