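package loaders

import (
	"context"
	"database/sql"
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"math/rand"
	"os"
	"sort"
	"strings"
	"sync"
	"sync/atomic"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/zeromicro/go-zero/core/stores/cache"
	"github.com/zeromicro/go-zero/core/stores/redis"
	"github.com/zeromicro/go-zero/core/stores/sqlx"
	"golang.org/x/crypto/bcrypt"

	"perms-system-server/internal/consts"
	"perms-system-server/internal/model"
	deptModel "perms-system-server/internal/model/dept"
	permModel "perms-system-server/internal/model/perm"
	productModel "perms-system-server/internal/model/product"
	memberModel "perms-system-server/internal/model/productmember"
	roleModel "perms-system-server/internal/model/role"
	rolePermModel "perms-system-server/internal/model/roleperm"
	userModel "perms-system-server/internal/model/user"
	userPermModel "perms-system-server/internal/model/userperm"
	userRoleModel "perms-system-server/internal/model/userrole"
)

// Environment variables that supply the passwords of the local Redis and
// MySQL instances these integration tests talk to. The passwords were
// previously committed in this file as string literals; if that value was
// ever used outside a throwaway local instance it should be treated as
// exposed and rotated.
const (
	envTestRedisPass = "PERMS_TEST_REDIS_PASS"
	envTestMySQLPass = "PERMS_TEST_MYSQL_PASS"
)

// testCacheConf is the single-node Redis configuration shared by the tests.
// The password comes from the environment so that no secret lives in source
// control; an unset variable means "no password".
var testCacheConf = cache.CacheConf{
	{
		RedisConf: redis.RedisConf{
			Host: "127.0.0.1:6379",
			Pass: os.Getenv(envTestRedisPass),
			Type: "node",
		},
		Weight: 100,
	},
}

// testKeyPrefix namespaces every cache key written by these tests.
var testKeyPrefix = "test_perms"

// testDataSource is the MySQL DSN used by the tests. Only the password is
// taken from the environment; host, database and options are unchanged.
var testDataSource = "root:" + os.Getenv(envTestMySQLPass) +
	"@tcp(127.0.0.1:3306)/perms_system?charset=utf8mb4&parseTime=true&loc=Asia%2FShanghai"

// testConn opens a MySQL connection to testDataSource.
func testConn() sqlx.SqlConn {
	return sqlx.NewMysql(testDataSource)
}

// testRedis returns a Redis client built from the first node of testCacheConf.
func testRedis() *redis.Redis {
	return redis.MustNewRedis(testCacheConf[0].RedisConf)
}

// testModels builds the model set on top of a fresh test connection.
func testModels() *model.Models {
	conn := testConn()
	return model.NewModels(conn, testCacheConf, testKeyPrefix)
}

// uniqueId returns an identifier that is unlikely to collide between test
// runs. It only has to be distinct, not unpredictable, so math/rand is
// sufficient here; do not reuse it for anything security-relevant.
func uniqueId() string {
	return fmt.Sprintf("t_%d_%d", time.Now().UnixNano(), rand.Intn(100000))
}

// hashPwd returns the bcrypt hash of p for use in fixture rows.
//
// bcrypt.MinCost keeps the tests fast and must never be copied into
// production code. A hashing failure panics instead of silently producing an
// empty password hash in the fixture.
func hashPwd(p string) string {
	h, err := bcrypt.GenerateFromPassword([]byte(p), bcrypt.MinCost)
	if err != nil {
		panic(fmt.Sprintf("hashPwd: %v", err))
	}
	return string(h)
}

// cleanTable deletes the rows with the given ids from table.
//
// The table name is interpolated into the SQL text, so it must always be a
// trusted constant supplied by the test itself (callers pass a back-quoted
// literal); only the id is bound as a parameter. Cleanup is best effort:
// a failed delete is ignored on purpose so that the remaining rows are still
// attempted.
func cleanTable(ctx context.Context, conn sqlx.SqlConn, table string, ids ...int64) {
	query := fmt.Sprintf("DELETE FROM %s WHERE `id` = ?", table)
	for _, id := range ids {
		_, _ = conn.ExecCtx(ctx, query, id) // best-effort cleanup
	}
}

// cleanTableByField deletes every row of table whose field equals value.
//
// Both table and field are interpolated into the SQL text and must be
// trusted constants; only value is bound as a parameter. The delete is best
// effort and its error is ignored on purpose.
func cleanTableByField(ctx context.Context, conn sqlx.SqlConn, table, field string, value interface{}) {
	query := fmt.Sprintf("DELETE FROM %s WHERE `%s` = ?", table, field)
	_, _ = conn.ExecCtx(ctx, query, value) // best-effort cleanup
}

// newTestLoader builds a UserDetailsLoader wired to the test Redis and models.
func newTestLoader() *UserDetailsLoader {
	rds := testRedis()
	m := testModels()
	return NewUserDetailsLoader(rds, testKeyPrefix, m)
}

// now returns the current Unix time in seconds.
func now() int64 {
	return time.Now().Unix()
}

// --------------- helpers: insert test data ---------------

// insertUser inserts u and returns its generated id, failing the test on error.
func insertUser(ctx context.Context, t *testing.T, m *model.Models, u *userModel.SysUser) int64 {
	t.Helper()
	res, err := m.SysUserModel.Insert(ctx, u)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertDept inserts d and returns its generated id, failing the test on error.
func insertDept(ctx context.Context, t *testing.T, m *model.Models, d *deptModel.SysDept) int64 {
	t.Helper()
	res, err := m.SysDeptModel.Insert(ctx, d)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertProduct inserts p and returns its generated id, failing the test on error.
func insertProduct(ctx context.Context, t *testing.T, m *model.Models, p *productModel.SysProduct) int64 {
	t.Helper()
	res, err := m.SysProductModel.Insert(ctx, p)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertMember inserts mb and returns its generated id, failing the test on error.
func insertMember(ctx context.Context, t *testing.T, m *model.Models, mb *memberModel.SysProductMember) int64 {
	t.Helper()
	res, err := m.SysProductMemberModel.Insert(ctx, mb)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertRole inserts r and returns its generated id, failing the test on error.
func insertRole(ctx context.Context, t *testing.T, m *model.Models, r *roleModel.SysRole) int64 {
	t.Helper()
	res, err := m.SysRoleModel.Insert(ctx, r)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertPerm inserts p and returns its generated id, failing the test on error.
func insertPerm(ctx context.Context, t *testing.T, m *model.Models, p *permModel.SysPerm) int64 {
	t.Helper()
	res, err := m.SysPermModel.Insert(ctx, p)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertUserRole inserts ur and returns its generated id, failing the test on error.
func insertUserRole(ctx context.Context, t *testing.T, m *model.Models, ur *userRoleModel.SysUserRole) int64 {
	t.Helper()
	res, err := m.SysUserRoleModel.Insert(ctx, ur)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertRolePerm inserts rp and returns its generated id, failing the test on error.
func insertRolePerm(ctx context.Context, t *testing.T, m *model.Models, rp *rolePermModel.SysRolePerm) int64 {
	t.Helper()
	res, err := m.SysRolePermModel.Insert(ctx, rp)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// insertUserPerm inserts up and returns its generated id, failing the test on error.
func insertUserPerm(ctx context.Context, t *testing.T, m *model.Models, up *userPermModel.SysUserPerm) int64 {
	t.Helper()
	res, err := m.SysUserPermModel.Insert(ctx, up)
	require.NoError(t, err)
	id, err := res.LastInsertId()
	require.NoError(t, err)
	return id
}

// --------------- helpers: fixture rows ---------------

// fixtureUser returns the user row most tests start from: enabled, not a
// super admin, no department, password "pass123". Callers override individual
// fields before inserting when a test needs something else.
func fixtureUser(uid, phone string, ts int64) *userModel.SysUser {
	return &userModel.SysUser{
		Username:           uid,
		Password:           hashPwd("pass123"),
		Nickname:           "nick_" + uid,
		Email:              uid + "@test.com",
		Phone:              phone,
		DeptId:             0,
		IsSuperAdmin:       consts.IsSuperAdminNo,
		MustChangePassword: consts.MustChangePasswordNo,
		Status:             consts.StatusEnabled,
		CreateTime:         ts,
		UpdateTime:         ts,
	}
}

// fixtureProduct returns an enabled product row. tag is inserted between the
// fixed prefix and uid ("prod"+tag+"_"+uid and likewise for the app key and
// secret) so that one test can create several distinct products.
func fixtureProduct(code, tag, uid string, ts int64) *productModel.SysProduct {
	return &productModel.SysProduct{
		Code:       code,
		Name:       "prod" + tag + "_" + uid,
		AppKey:     "ak" + tag + "_" + uid,
		AppSecret:  "as" + tag + "_" + uid,
		Status:     consts.StatusEnabled,
		CreateTime: ts,
		UpdateTime: ts,
	}
}

// fixtureMember returns an enabled membership of type MEMBER; callers
// override MemberType for the ADMIN and DEVELOPER cases.
func fixtureMember(pcode string, userId int64, ts int64) *memberModel.SysProductMember {
	return &memberModel.SysProductMember{
		ProductCode: pcode,
		UserId:      userId,
		MemberType:  consts.MemberTypeMember,
		Status:      consts.StatusEnabled,
		CreateTime:  ts,
		UpdateTime:  ts,
	}
}

// fixturePerm returns an enabled permission row for the given product.
func fixturePerm(pcode, name, code string, ts int64) *permModel.SysPerm {
	return &permModel.SysPerm{
		ProductCode: pcode,
		Name:        name,
		Code:        code,
		Status:      consts.StatusEnabled,
		CreateTime:  ts,
		UpdateTime:  ts,
	}
}

// --------------- TC-0506: Load: fetch from DB (cache miss) ---------------

// TestLoad_DBMiss loads a fully populated user (department, product,
// membership, role, role permission) with an empty cache and checks every
// field of the result.
//
// NOTE(review): the second result of loader.Load is discarded here and in
// the other tests of this file — confirm whether it is an error the tests
// should assert on.
func TestLoad_DBMiss(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	deptId := insertDept(ctx, t, m, &deptModel.SysDept{
		ParentId:   0,
		Name:       "dept_" + uid,
		Path:       "/1/",
		Sort:       1,
		DeptType:   consts.DeptTypeNormal,
		Status:     consts.StatusEnabled,
		CreateTime: ts,
		UpdateTime: ts,
	})
	user := fixtureUser(uid, "13800000001", ts)
	user.Avatar = sql.NullString{}
	user.Remark = "remark"
	user.DeptId = deptId
	userId := insertUser(ctx, t, m, user)
	productId := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	memberId := insertMember(ctx, t, m, fixtureMember(pcode, userId, ts))
	roleId := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcode,
		Name:        "role_" + uid,
		Remark:      "test",
		Status:      consts.StatusEnabled,
		PermsLevel:  10,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	permId := insertPerm(ctx, t, m, fixturePerm(pcode, "perm_"+uid, "perm:"+uid, ts))
	urId := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: roleId, CreateTime: ts, UpdateTime: ts,
	})
	rpId := insertRolePerm(ctx, t, m, &rolePermModel.SysRolePerm{
		RoleId: roleId, PermId: permId, CreateTime: ts, UpdateTime: ts,
	})

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_role_perm`", rpId)
		cleanTable(ctx, conn, "`sys_user_role`", urId)
		cleanTable(ctx, conn, "`sys_perm`", permId)
		cleanTable(ctx, conn, "`sys_role`", roleId)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", productId)
		cleanTable(ctx, conn, "`sys_user`", userId)
		cleanTable(ctx, conn, "`sys_dept`", deptId)
	})

	// clear any leftover cache
	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Equal(t, userId, ud.UserId)
	assert.Equal(t, uid, ud.Username)
	assert.Equal(t, "nick_"+uid, ud.Nickname)
	assert.Equal(t, uid+"@test.com", ud.Email)
	assert.Equal(t, int64(consts.StatusEnabled), ud.Status)
	assert.Equal(t, deptId, ud.DeptId)
	assert.Equal(t, "dept_"+uid, ud.DeptName)
	assert.Equal(t, pcode, ud.ProductCode)
	assert.Equal(t, "prod_"+uid, ud.ProductName)
	assert.Equal(t, consts.MemberTypeMember, ud.MemberType)
	assert.Len(t, ud.Roles, 1)
	assert.Equal(t, roleId, ud.Roles[0].Id)
	assert.Equal(t, int64(10), ud.MinPermsLevel)
	assert.Contains(t, ud.Perms, "perm:"+uid)
}

// --------------- TC-0507: Load: cache hit ---------------

// TestLoad_CacheHit loads the same user twice and checks that both results
// agree. NOTE(review): nothing here proves the second call was served from
// the cache; it only shows the two results match.
func TestLoad_CacheHit(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000002", ts))
	productId := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_product`", productId)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud1, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud1)
	ud2, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud2)

	assert.Equal(t, ud1.UserId, ud2.UserId)
	assert.Equal(t, ud1.Username, ud2.Username)
	assert.Equal(t, ud1.ProductName, ud2.ProductName)
}

// --------------- TC-0508: Load: user does not exist ---------------

// TestLoad_UserNotExist checks that loading an unknown user id still yields
// a non-nil result whose status, username, permissions and roles are empty.
func TestLoad_UserNotExist(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	nonExistId := int64(999999999)

	loader.Del(ctx, nonExistId, "nonexist_product")

	ud, _ := loader.Load(ctx, nonExistId, "nonexist_product")
	require.NotNil(t, ud)
	assert.Equal(t, int64(0), ud.Status)
	assert.Empty(t, ud.Username)
	assert.Empty(t, ud.Perms)
	assert.Empty(t, ud.Roles)

	loader.Del(ctx, nonExistId, "nonexist_product")
}

// --------------- TC-0509: Load: empty productCode ---------------

// TestLoad_EmptyProductCode checks that an empty product code returns the
// user's own fields but no product, membership, role or permission data.
func TestLoad_EmptyProductCode(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000003", ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, "")
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, "")

	ud, _ := loader.Load(ctx, userId, "")
	require.NotNil(t, ud)
	assert.Equal(t, uid, ud.Username)
	assert.Equal(t, int64(consts.StatusEnabled), ud.Status)
	assert.Empty(t, ud.ProductCode)
	assert.Empty(t, ud.ProductName)
	assert.Empty(t, ud.MemberType)
	assert.Empty(t, ud.Roles)
	assert.Empty(t, ud.Perms)
}

// --------------- TC-0510: Del: delete a specific cache entry ---------------

// TestDel loads a user, deletes the cache entry and loads again.
// NOTE(review): the assertions only show that Load still works after Del;
// they do not check that the cache key was actually removed (compare the
// Redis lookups in TestClean).
func TestDel(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000004", ts))
	productId := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_product`", productId)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud1, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud1)
	assert.Equal(t, uid, ud1.Username)

	loader.Del(ctx, userId, pcode)

	ud2, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud2)
	assert.Equal(t, uid, ud2.Username)
}

// --------------- TC-0511: Clean: clear a user's cache for all products ---------------

// TestClean caches one user under two products and checks that Clean removes
// both Redis keys.
func TestClean(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode1 := "p1_" + uid
	pcode2 := "p2_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000005", ts))
	pid1 := insertProduct(ctx, t, m, fixtureProduct(pcode1, "1", uid, ts))
	pid2 := insertProduct(ctx, t, m, fixtureProduct(pcode2, "2", uid, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode1)
		loader.Del(ctx, userId, pcode2)
		cleanTable(ctx, conn, "`sys_product`", pid1, pid2)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode1)
	loader.Del(ctx, userId, pcode2)

	ud1, _ := loader.Load(ctx, userId, pcode1)
	ud2, _ := loader.Load(ctx, userId, pcode2)
	require.NotNil(t, ud1)
	require.NotNil(t, ud2)

	rds := testRedis()
	key1 := loader.cacheKey(userId, pcode1)
	key2 := loader.cacheKey(userId, pcode2)

	v1, _ := rds.GetCtx(ctx, key1)
	v2, _ := rds.GetCtx(ctx, key2)
	assert.NotEmpty(t, v1)
	assert.NotEmpty(t, v2)

	loader.Clean(ctx, userId)

	v1After, _ := rds.GetCtx(ctx, key1)
	v2After, _ := rds.GetCtx(ctx, key2)
	assert.Empty(t, v1After)
	assert.Empty(t, v2After)
}

// --------------- TC-0512: CleanByProduct: clear all users' cache for a product ---------------

// TestCleanByProduct caches two users under one product and checks that
// CleanByProduct removes both Redis keys.
func TestCleanByProduct(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid1 := uniqueId()
	uid2 := uniqueId()
	ts := now()
	pcode := "p_" + uid1

	userId1 := insertUser(ctx, t, m, fixtureUser(uid1, "13800000006", ts))
	userId2 := insertUser(ctx, t, m, fixtureUser(uid2, "13800000007", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid1, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId1, pcode)
		loader.Del(ctx, userId2, pcode)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId1, userId2)
	})

	loader.Del(ctx, userId1, pcode)
	loader.Del(ctx, userId2, pcode)

	_, _ = loader.Load(ctx, userId1, pcode)
	_, _ = loader.Load(ctx, userId2, pcode)

	rds := testRedis()
	k1 := loader.cacheKey(userId1, pcode)
	k2 := loader.cacheKey(userId2, pcode)

	v1, _ := rds.GetCtx(ctx, k1)
	v2, _ := rds.GetCtx(ctx, k2)
	assert.NotEmpty(t, v1)
	assert.NotEmpty(t, v2)

	loader.CleanByProduct(ctx, pcode)

	v1After, _ := rds.GetCtx(ctx, k1)
	v2After, _ := rds.GetCtx(ctx, k2)
	assert.Empty(t, v1After)
	assert.Empty(t, v2After)
}

// --------------- TC-0513: BatchDel: batch delete ---------------

// TestBatchDel caches two users under one product and checks that BatchDel
// with both ids removes both Redis keys.
func TestBatchDel(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid1 := uniqueId()
	uid2 := uniqueId()
	ts := now()
	pcode := "p_" + uid1

	userId1 := insertUser(ctx, t, m, fixtureUser(uid1, "13800000008", ts))
	userId2 := insertUser(ctx, t, m, fixtureUser(uid2, "13800000009", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid1, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId1, pcode)
		loader.Del(ctx, userId2, pcode)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId1, userId2)
	})

	loader.Del(ctx, userId1, pcode)
	loader.Del(ctx, userId2, pcode)

	_, _ = loader.Load(ctx, userId1, pcode)
	_, _ = loader.Load(ctx, userId2, pcode)

	rds := testRedis()
	k1 := loader.cacheKey(userId1, pcode)
	k2 := loader.cacheKey(userId2, pcode)

	v1, _ := rds.GetCtx(ctx, k1)
	v2, _ := rds.GetCtx(ctx, k2)
	assert.NotEmpty(t, v1)
	assert.NotEmpty(t, v2)

	loader.BatchDel(ctx, []int64{userId1, userId2}, pcode)

	v1After, _ := rds.GetCtx(ctx, k1)
	v2After, _ := rds.GetCtx(ctx, k2)
	assert.Empty(t, v1After)
	assert.Empty(t, v2After)
}

// --------------- TC-0514: BatchDel: empty slice ---------------

// TestBatchDel_EmptySlice only checks that BatchDel accepts an empty id list
// without panicking.
func TestBatchDel_EmptySlice(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	loader.BatchDel(ctx, []int64{}, "some_code")
}

// --------------- TC-0515: loadPerms: super admin has all permissions ---------------

// TestLoadPerms_SuperAdmin checks that a super admin with no membership or
// role rows receives exactly the product's permissions and the SUPER_ADMIN
// member type.
func TestLoadPerms_SuperAdmin(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	user := fixtureUser(uid, "13800000010", ts)
	user.IsSuperAdmin = consts.IsSuperAdminYes
	userId := insertUser(ctx, t, m, user)
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))

	permCode1 := "perm1:" + uid
	permCode2 := "perm2:" + uid
	permId1 := insertPerm(ctx, t, m, fixturePerm(pcode, "p1_"+uid, permCode1, ts))
	permId2 := insertPerm(ctx, t, m, fixturePerm(pcode, "p2_"+uid, permCode2, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_perm`", permId1, permId2)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.True(t, ud.IsSuperAdmin)
	assert.Equal(t, consts.MemberTypeSuperAdmin, ud.MemberType)

	// Compare as sorted lists so the order Load returns them in is irrelevant.
	sort.Strings(ud.Perms)
	expected := []string{permCode1, permCode2}
	sort.Strings(expected)
	assert.Equal(t, expected, ud.Perms)
}

// --------------- TC-0516: loadPerms: ADMIN member has all permissions ---------------

// TestLoadPerms_AdminMember checks that an ADMIN member receives a product
// permission without any role or user grant.
func TestLoadPerms_AdminMember(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000011", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	member := fixtureMember(pcode, userId, ts)
	member.MemberType = consts.MemberTypeAdmin
	memberId := insertMember(ctx, t, m, member)

	permCode := "perm:" + uid
	permId := insertPerm(ctx, t, m, fixturePerm(pcode, "p_"+uid, permCode, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_perm`", permId)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Equal(t, consts.MemberTypeAdmin, ud.MemberType)
	assert.Contains(t, ud.Perms, permCode)
}

// --------------- TC-0517: loadPerms: DEVELOPER member has all permissions ---------------

// TestLoadPerms_DeveloperMember checks that a DEVELOPER member receives a
// product permission without any role or user grant.
func TestLoadPerms_DeveloperMember(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000012", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	member := fixtureMember(pcode, userId, ts)
	member.MemberType = consts.MemberTypeDeveloper
	memberId := insertMember(ctx, t, m, member)

	permCode := "perm:" + uid
	permId := insertPerm(ctx, t, m, fixturePerm(pcode, "p_"+uid, permCode, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_perm`", permId)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Equal(t, consts.MemberTypeDeveloper, ud.MemberType)
	assert.Contains(t, ud.Perms, permCode)
}

// --------------- TC-0518: loadPerms: member of a DEV department has all permissions ---------------

// TestLoadPerms_DevDept checks that a plain MEMBER whose department is of
// type DEV receives a product permission without any role or user grant.
func TestLoadPerms_DevDept(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	deptId := insertDept(ctx, t, m, &deptModel.SysDept{
		ParentId:   0,
		Name:       "devdept_" + uid,
		Path:       "/1/",
		Sort:       1,
		DeptType:   consts.DeptTypeDev,
		Status:     consts.StatusEnabled,
		CreateTime: ts,
		UpdateTime: ts,
	})
	user := fixtureUser(uid, "13800000013", ts)
	user.DeptId = deptId
	userId := insertUser(ctx, t, m, user)
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	memberId := insertMember(ctx, t, m, fixtureMember(pcode, userId, ts))

	permCode := "perm:" + uid
	permId := insertPerm(ctx, t, m, fixturePerm(pcode, "p_"+uid, permCode, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_perm`", permId)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
		cleanTable(ctx, conn, "`sys_dept`", deptId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Equal(t, consts.DeptTypeDev, ud.DeptType)
	assert.Contains(t, ud.Perms, permCode)
}

// --------------- TC-0519: MEMBER role permissions plus user ALLOW/DENY ---------------

// TestLoadPerms_MemberRolePermWithAllowDeny checks how role grants combine
// with per-user overrides: the role grants permA and permB, the user is
// additionally ALLOWed permC and DENYed permB, and the result must contain
// permA and permC but not permB.
func TestLoadPerms_MemberRolePermWithAllowDeny(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000014", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	memberId := insertMember(ctx, t, m, fixtureMember(pcode, userId, ts))
	roleId := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcode,
		Name:        "role_" + uid,
		Remark:      "test",
		Status:      consts.StatusEnabled,
		PermsLevel:  10,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	urId := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: roleId, CreateTime: ts, UpdateTime: ts,
	})

	// role perm: permA, permB
	permIdA := insertPerm(ctx, t, m, fixturePerm(pcode, "permA_"+uid, "permA:"+uid, ts))
	permIdB := insertPerm(ctx, t, m, fixturePerm(pcode, "permB_"+uid, "permB:"+uid, ts))
	// user ALLOW perm: permC
	permIdC := insertPerm(ctx, t, m, fixturePerm(pcode, "permC_"+uid, "permC:"+uid, ts))

	rpIdA := insertRolePerm(ctx, t, m, &rolePermModel.SysRolePerm{
		RoleId: roleId, PermId: permIdA, CreateTime: ts, UpdateTime: ts,
	})
	rpIdB := insertRolePerm(ctx, t, m, &rolePermModel.SysRolePerm{
		RoleId: roleId, PermId: permIdB, CreateTime: ts, UpdateTime: ts,
	})

	upAllow := insertUserPerm(ctx, t, m, &userPermModel.SysUserPerm{
		UserId:     userId,
		PermId:     permIdC,
		Effect:     consts.PermEffectAllow,
		CreateTime: ts,
		UpdateTime: ts,
	})
	// user DENY perm: permB (should remove permB from result)
	upDeny := insertUserPerm(ctx, t, m, &userPermModel.SysUserPerm{
		UserId:     userId,
		PermId:     permIdB,
		Effect:     consts.PermEffectDeny,
		CreateTime: ts,
		UpdateTime: ts,
	})

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_user_perm`", upAllow, upDeny)
		cleanTable(ctx, conn, "`sys_role_perm`", rpIdA, rpIdB)
		cleanTable(ctx, conn, "`sys_perm`", permIdA, permIdB, permIdC)
		cleanTable(ctx, conn, "`sys_user_role`", urId)
		cleanTable(ctx, conn, "`sys_role`", roleId)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)

	// permA (from role) + permC (from ALLOW) should be present
	// permB (denied) should NOT be present
	assert.Contains(t, ud.Perms, "permA:"+uid)
	assert.Contains(t, ud.Perms, "permC:"+uid)
	assert.NotContains(t, ud.Perms, "permB:"+uid)
}

// --------------- TC-0522: loadRoles: multiple roles take the minimum permsLevel ---------------

// TestLoadRoles_MinPermsLevel gives a member two enabled roles with levels
// 10 and 5 and checks that both are returned and MinPermsLevel is 5.
func TestLoadRoles_MinPermsLevel(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000015", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	memberId := insertMember(ctx, t, m, fixtureMember(pcode, userId, ts))
	roleId1 := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcode,
		Name:        "roleH_" + uid,
		Remark:      "high",
		Status:      consts.StatusEnabled,
		PermsLevel:  10,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	roleId2 := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcode,
		Name:        "roleL_" + uid,
		Remark:      "low",
		Status:      consts.StatusEnabled,
		PermsLevel:  5,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	urId1 := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: roleId1, CreateTime: ts, UpdateTime: ts,
	})
	urId2 := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: roleId2, CreateTime: ts, UpdateTime: ts,
	})

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_user_role`", urId1, urId2)
		cleanTable(ctx, conn, "`sys_role`", roleId1, roleId2)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Len(t, ud.Roles, 2)
	assert.Equal(t, int64(5), ud.MinPermsLevel)
}

// --------------- TC-0523: loadRoles: no roles ---------------

// TestLoadRoles_NoRoles checks that a user without any role gets
// MinPermsLevel equal to math.MaxInt64.
func TestLoadRoles_NoRoles(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000016", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Equal(t, int64(math.MaxInt64), ud.MinPermsLevel)
}

// --------------- TC-0524: loadRoles: roles are filtered per product ---------------

// TestLoadRoles_CrossProductFilter assigns the user one role in product A
// and one in product B and checks that loading for product A returns only
// the product-A role and its level.
func TestLoadRoles_CrossProductFilter(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcodeA := "pA_" + uid
	pcodeB := "pB_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000017", ts))
	pidA := insertProduct(ctx, t, m, fixtureProduct(pcodeA, "A", uid, ts))
	pidB := insertProduct(ctx, t, m, fixtureProduct(pcodeB, "B", uid, ts))
	memA := insertMember(ctx, t, m, fixtureMember(pcodeA, userId, ts))
	roleA := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcodeA,
		Name:        "roleA_" + uid,
		Remark:      "A",
		Status:      consts.StatusEnabled,
		PermsLevel:  10,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	roleB := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcodeB,
		Name:        "roleB_" + uid,
		Remark:      "B",
		Status:      consts.StatusEnabled,
		PermsLevel:  20,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	urA := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: roleA, CreateTime: ts, UpdateTime: ts,
	})
	urB := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: roleB, CreateTime: ts, UpdateTime: ts,
	})

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcodeA)
		loader.Del(ctx, userId, pcodeB)
		cleanTable(ctx, conn, "`sys_user_role`", urA, urB)
		cleanTable(ctx, conn, "`sys_role`", roleA, roleB)
		cleanTable(ctx, conn, "`sys_product_member`", memA)
		cleanTable(ctx, conn, "`sys_product`", pidA, pidB)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcodeA)

	ud, _ := loader.Load(ctx, userId, pcodeA)
	require.NotNil(t, ud)
	assert.Len(t, ud.Roles, 1)
	assert.Equal(t, roleA, ud.Roles[0].Id)
	assert.Equal(t, int64(10), ud.MinPermsLevel)
}

// --------------- TC-0525: loadRoles: disabled roles are not counted ---------------

// TestLoadRoles_DisabledRoleExcluded assigns one enabled role (level 5) and
// one disabled role (level 1) and checks that only the enabled role is
// returned, so the disabled role's lower level does not set MinPermsLevel.
func TestLoadRoles_DisabledRoleExcluded(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000018", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))
	memberId := insertMember(ctx, t, m, fixtureMember(pcode, userId, ts))
	enabledRole := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcode,
		Name:        "rEnabled_" + uid,
		Remark:      "enabled",
		Status:      consts.StatusEnabled,
		PermsLevel:  5,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	disabledRole := insertRole(ctx, t, m, &roleModel.SysRole{
		ProductCode: pcode,
		Name:        "rDisabled_" + uid,
		Remark:      "disabled",
		Status:      consts.StatusDisabled,
		PermsLevel:  1,
		CreateTime:  ts,
		UpdateTime:  ts,
	})
	ur1 := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: enabledRole, CreateTime: ts, UpdateTime: ts,
	})
	ur2 := insertUserRole(ctx, t, m, &userRoleModel.SysUserRole{
		UserId: userId, RoleId: disabledRole, CreateTime: ts, UpdateTime: ts,
	})

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_user_role`", ur1, ur2)
		cleanTable(ctx, conn, "`sys_role`", enabledRole, disabledRole)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.Len(t, ud.Roles, 1)
	assert.Equal(t, enabledRole, ud.Roles[0].Id)
	assert.Equal(t, int64(5), ud.MinPermsLevel)
}

// --------------- TC-0526: loadMembership: super admin automatically gets SUPER_ADMIN ---------------

// TestLoadMembership_SuperAdminAuto checks that a super admin without a
// membership row is reported with member type SUPER_ADMIN.
func TestLoadMembership_SuperAdminAuto(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	user := fixtureUser(uid, "13800000019", ts)
	user.IsSuperAdmin = consts.IsSuperAdminYes
	userId := insertUser(ctx, t, m, user)
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.True(t, ud.IsSuperAdmin)
	assert.Equal(t, consts.MemberTypeSuperAdmin, ud.MemberType)
}

// --------------- TC-0527: loadMembership: non-member has an empty MemberType ---------------

// TestLoadMembership_NonMemberEmpty checks that an ordinary user without a
// membership row is neither a super admin nor given any member type.
func TestLoadMembership_NonMemberEmpty(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, fixtureUser(uid, "13800000020", ts))
	pid := insertProduct(ctx, t, m, fixtureProduct(pcode, "", uid, ts))

	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)

	ud, _ := loader.Load(ctx, userId, pcode)
	require.NotNil(t, ud)
	assert.False(t, ud.IsSuperAdmin)
	assert.Empty(t, ud.MemberType)
}

// --------------- TC-0520: loadPerms: user ALLOW permissions do not leak across products (fix verification) ---------------
func TestLoadPerms_CrossProductPermIsolation(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcodeA := "pA_" + uid
	pcodeB := "pB_" + uid

	userId := insertUser(ctx, t, m, &userModel.SysUser{
		Username:           uid,
		Password:           hashPwd("pass123"),
		Nickname:           "nick_" + uid,
		Email:              uid + "@test.com",
		Phone:              "13800000030",
		DeptId:             0,
		IsSuperAdmin:       consts.IsSuperAdminNo,
		MustChangePassword: consts.MustChangePasswordNo,
		Status:             consts.StatusEnabled,
		CreateTime:         ts,
		UpdateTime:         ts,
	})
	pidA := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code:      pcodeA,
		Name:      "prodA_" + uid,
		AppKey:    "akA_" + uid,
		AppSecret: "asA_" + uid,
		Status: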
consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) pidB := insertProduct(ctx, t, m, &productModel.SysProduct{ Code: pcodeB, Name: "prodB_" + uid, AppKey: "akB_" + uid, AppSecret: "asB_" + uid, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) memA := insertMember(ctx, t, m, &memberModel.SysProductMember{ ProductCode: pcodeA, UserId: userId, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) memB := insertMember(ctx, t, m, &memberModel.SysProductMember{ ProductCode: pcodeB, UserId: userId, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) permA := insertPerm(ctx, t, m, &permModel.SysPerm{ ProductCode: pcodeA, Name: "permA_" + uid, Code: "permA:" + uid, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) permB := insertPerm(ctx, t, m, &permModel.SysPerm{ ProductCode: pcodeB, Name: "permB_" + uid, Code: "permB:" + uid, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) upA := insertUserPerm(ctx, t, m, &userPermModel.SysUserPerm{ UserId: userId, PermId: permA, Effect: consts.PermEffectAllow, CreateTime: ts, UpdateTime: ts, }) upB := insertUserPerm(ctx, t, m, &userPermModel.SysUserPerm{ UserId: userId, PermId: permB, Effect: consts.PermEffectAllow, CreateTime: ts, UpdateTime: ts, }) t.Cleanup(func() { loader.Del(ctx, userId, pcodeA) loader.Del(ctx, userId, pcodeB) cleanTable(ctx, conn, "`sys_user_perm`", upA, upB) cleanTable(ctx, conn, "`sys_perm`", permA, permB) cleanTable(ctx, conn, "`sys_product_member`", memA, memB) cleanTable(ctx, conn, "`sys_product`", pidA, pidB) cleanTable(ctx, conn, "`sys_user`", userId) }) loader.Del(ctx, userId, pcodeA) udA, _ := loader.Load(ctx, userId, pcodeA) require.NotNil(t, udA) assert.Contains(t, udA.Perms, "permA:"+uid, "产品A应包含自身权限") assert.NotContains(t, udA.Perms, "permB:"+uid, "产品A不应包含产品B的权限") loader.Del(ctx, userId, pcodeB) udB, _ := loader.Load(ctx, userId, pcodeB) 
require.NotNil(t, udB) assert.Contains(t, udB.Perms, "permB:"+uid, "产品B应包含自身权限") assert.NotContains(t, udB.Perms, "permA:"+uid, "产品B不应包含产品A的权限") } // --------------- TC-0528: loadMembership-禁用成员MemberType为空(修复验证) --------------- func TestLoadMembership_DisabledMemberEmpty(t *testing.T) { ctx := context.Background() conn := testConn() m := testModels() loader := newTestLoader() uid := uniqueId() ts := now() pcode := "p_" + uid userId := insertUser(ctx, t, m, &userModel.SysUser{ Username: uid, Password: hashPwd("pass123"), Nickname: "nick_" + uid, Email: uid + "@test.com", Phone: "13800000031", DeptId: 0, IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) pid := insertProduct(ctx, t, m, &productModel.SysProduct{ Code: pcode, Name: "prod_" + uid, AppKey: "ak_" + uid, AppSecret: "as_" + uid, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) memberId := insertMember(ctx, t, m, &memberModel.SysProductMember{ ProductCode: pcode, UserId: userId, MemberType: consts.MemberTypeMember, Status: consts.StatusDisabled, CreateTime: ts, UpdateTime: ts, }) t.Cleanup(func() { loader.Del(ctx, userId, pcode) cleanTable(ctx, conn, "`sys_product_member`", memberId) cleanTable(ctx, conn, "`sys_product`", pid) cleanTable(ctx, conn, "`sys_user`", userId) }) loader.Del(ctx, userId, pcode) ud, _ := loader.Load(ctx, userId, pcode) require.NotNil(t, ud) assert.Empty(t, ud.MemberType, "禁用成员的MemberType应为空") } // --------------- TC-0521: loadPerms-DEV部门禁用后不再拥有全部权限(修复验证) --------------- func TestLoadPerms_DisabledDevDeptNoFullPerms(t *testing.T) { ctx := context.Background() conn := testConn() m := testModels() loader := newTestLoader() uid := uniqueId() ts := now() pcode := "p_" + uid deptId := insertDept(ctx, t, m, &deptModel.SysDept{ ParentId: 0, Name: "devdept_disabled_" + uid, Path: "/1/", Sort: 1, DeptType: consts.DeptTypeDev, Status: consts.StatusDisabled, CreateTime: ts, 
UpdateTime: ts, }) userId := insertUser(ctx, t, m, &userModel.SysUser{ Username: uid, Password: hashPwd("pass123"), Nickname: "nick_" + uid, Email: uid + "@test.com", Phone: "13800000032", DeptId: deptId, IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) pid := insertProduct(ctx, t, m, &productModel.SysProduct{ Code: pcode, Name: "prod_" + uid, AppKey: "ak_" + uid, AppSecret: "as_" + uid, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) memberId := insertMember(ctx, t, m, &memberModel.SysProductMember{ ProductCode: pcode, UserId: userId, MemberType: consts.MemberTypeMember, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) permCode := "perm_devtest:" + uid permId := insertPerm(ctx, t, m, &permModel.SysPerm{ ProductCode: pcode, Name: "p_" + uid, Code: permCode, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) t.Cleanup(func() { loader.Del(ctx, userId, pcode) cleanTable(ctx, conn, "`sys_perm`", permId) cleanTable(ctx, conn, "`sys_product_member`", memberId) cleanTable(ctx, conn, "`sys_product`", pid) cleanTable(ctx, conn, "`sys_user`", userId) cleanTable(ctx, conn, "`sys_dept`", deptId) }) loader.Del(ctx, userId, pcode) ud, _ := loader.Load(ctx, userId, pcode) require.NotNil(t, ud) assert.Equal(t, consts.DeptTypeDev, ud.DeptType) assert.Equal(t, int64(consts.StatusDisabled), ud.DeptStatus) assert.Empty(t, ud.Perms, "禁用的DEV部门成员不应拥有全部权限") } // --------------------------------------------------------------------------- // audit 回归:DEV 部门用户即使 dept.status=Enabled, // 一旦产品成员被禁用 (MemberType 清空),也不得继续获得全量权限。 // --------------------------------------------------------------------------- // TC-0704: DEV 部门 + 产品成员已禁用 → 不应获得全量权限 func TestLoadPerms_DevDept_DisabledMember_NoFullPerms(t *testing.T) { ctx := context.Background() conn := testConn() m := testModels() loader := newTestLoader() uid := uniqueId() ts := now() pcode := "p_" + 
uid // DEV 部门本身启用 deptId := insertDept(ctx, t, m, &deptModel.SysDept{ ParentId: 0, Name: "devdept_h3_" + uid, Path: "/1/", Sort: 1, DeptType: consts.DeptTypeDev, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) userId := insertUser(ctx, t, m, &userModel.SysUser{ Username: uid, Password: hashPwd("pass123"), Nickname: "nick_" + uid, Email: uid + "@test.com", Phone: "13800099901", DeptId: deptId, IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) pid := insertProduct(ctx, t, m, &productModel.SysProduct{ Code: pcode, Name: "prod_" + uid, AppKey: "ak_" + uid, AppSecret: "as_" + uid, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) // 关键:产品成员被禁用 (Status=2) memberId := insertMember(ctx, t, m, &memberModel.SysProductMember{ ProductCode: pcode, UserId: userId, MemberType: consts.MemberTypeMember, Status: consts.StatusDisabled, CreateTime: ts, UpdateTime: ts, }) permCode := "perm_h3:" + uid permId := insertPerm(ctx, t, m, &permModel.SysPerm{ ProductCode: pcode, Name: "p_" + uid, Code: permCode, Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts, }) t.Cleanup(func() { loader.Del(ctx, userId, pcode) cleanTable(ctx, conn, "`sys_perm`", permId) cleanTable(ctx, conn, "`sys_product_member`", memberId) cleanTable(ctx, conn, "`sys_product`", pid) cleanTable(ctx, conn, "`sys_user`", userId) cleanTable(ctx, conn, "`sys_dept`", deptId) }) loader.Del(ctx, userId, pcode) ud, _ := loader.Load(ctx, userId, pcode) require.NotNil(t, ud) // 部门信息正常载入 assert.Equal(t, consts.DeptTypeDev, ud.DeptType) assert.Equal(t, int64(consts.StatusEnabled), ud.DeptStatus) // 关键:禁用的产品成员,MemberType 被清空 assert.Equal(t, "", ud.MemberType, "禁用产品成员的 MemberType 应被清空") // 关键:DEV 部门 + MemberType='' → 修复后不再命中全量权限分支 assert.Empty(t, ud.Perms, "产品成员被禁用的 DEV 部门用户不应再被授予全量权限") } // --------------------------------------------------------------------------- // audit 回归:当用户不存在时,Load 
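// 不应缓存零值 UserDetails
// ---------------------------------------------------------------------------

// TestLoad_NonExistentUser_NotCached (TC-0705) is an audit regression test:
// loading a user that does not exist must not leave a serialized zero-value
// UserDetails in Redis. Load may return nil or a UserDetails with an empty
// Username; callers use the empty Username to detect "no such user". After the
// first Load the cache key is read back directly and must be either absent or
// the negative-cache marker, never a positive entry.
func TestLoad_NonExistentUser_NotCached(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	nonExistentUserId := int64(999999999)
	pcode := "p_" + uniqueId()

	// Start from a clean key and remove whatever this test leaves behind.
	loader.Del(ctx, nonExistentUserId, pcode)
	t.Cleanup(func() { loader.Del(ctx, nonExistentUserId, pcode) })

	ud, err := loader.Load(ctx, nonExistentUserId, pcode)
	require.NoError(t, err)
	if ud != nil {
		assert.Empty(t, ud.Username, "不存在用户返回的 ud 必须是空 Username")
	}

	// This is the check the test name promises: inspect Redis instead of
	// inferring the cache state from a second Load.
	val, err := loader.rds.GetCtx(ctx, loader.cacheKey(nonExistentUserId, pcode))
	require.NoError(t, err)
	if val != "" {
		assert.Equal(t, negativeCacheMarker, val,
			"a miss may only leave the negative-cache marker behind, never a serialized UserDetails")
	}

	ud2, err := loader.Load(ctx, nonExistentUserId, pcode)
	require.NoError(t, err)
	if ud2 != nil {
		assert.Empty(t, ud2.Username)
	}
}

// TestCleanByUserIds_WipesAllUserProductKeysAndIndexes seeds six cache keys
// (three users x two products), registers each key in its user index set and
// product index set, calls CleanByUserIds for the three users, and asserts
// that every cache key and every user index set is gone afterwards.
//
// Product index sets are not asserted on; they are removed in the cleanup.
func TestCleanByUserIds_WipesAllUserProductKeysAndIndexes(t *testing.T) {
	rds := testRedis()
	loader := newTestLoader()
	ctx := context.Background()

	userIDs := []int64{1000001, 1000002, 1000003}
	products := []string{"pcX", "pcY"}

	// Registered before seeding so that a failing require below cannot leave
	// dummy cache values or index sets behind in the shared Redis.
	var cacheKeys []string
	t.Cleanup(func() {
		leftovers := append([]string{}, cacheKeys...)
		for _, pc := range products {
			leftovers = append(leftovers, loader.productIndexKey(pc))
		}
		for _, id := range userIDs {
			leftovers = append(leftovers, loader.userIndexKey(id))
		}
		_, _ = rds.DelCtx(ctx, leftovers...)
	})

	// Seed: one value per (user, product) cell, indexed under both sets.
	for _, id := range userIDs {
		for _, pc := range products {
			ck := loader.cacheKey(id, pc)
			require.NoError(t, rds.SetCtx(ctx, ck, "dummy"))
			_, err := rds.SaddCtx(ctx, loader.userIndexKey(id), ck)
			require.NoError(t, err)
			_, err = rds.SaddCtx(ctx, loader.productIndexKey(pc), ck)
			require.NoError(t, err)
			cacheKeys = append(cacheKeys, ck)
		}
	}

	loader.CleanByUserIds(ctx, userIDs)

	// All six cache keys must be gone.
	for _, ck := range cacheKeys {
		exist, err := rds.ExistsCtx(ctx, ck)
		require.NoError(t, err)
		assert.False(t, exist, "cacheKey %s 必须被清理", ck)
	}
	// The three user index sets must be deleted as well.
	for _, id := range userIDs {
		exist, err := rds.ExistsCtx(ctx, loader.userIndexKey(id))
		require.NoError(t, err)
		assert.False(t, exist, "user 索引集合必须被 DEL,否则下次 Clean 会复活假指针")
	}
}

// TestCleanByUserIds_EmptyIds_NoOp (TC-0847) checks that CleanByUserIds
// returns without panicking for a nil and for an empty id slice.
//
// The original comment explains the concern: an empty id list must not be
// turned into an argument-less SUNION. This test cannot observe a Redis error
// that is only logged, so the one property it verifies is "no panic".
func TestCleanByUserIds_EmptyIds_NoOp(t *testing.T) {
	loader := newTestLoader()
	require.NotPanics(t, func() {
		loader.CleanByUserIds(context.Background(), nil)
		loader.CleanByUserIds(context.Background(), []int64{})
	})
}

// TestUserDetailsLoader_MN2_BatchDelClearsUserAndProductIndexes warms the
// cache for two real users of one real product, confirms that both cache keys
// exist and are registered in the user and product index sets, calls BatchDel,
// and then asserts that the cache keys are gone and that each key has been
// removed from its user index set and from the product index set.
func TestUserDetailsLoader_MN2_BatchDelClearsUserAndProductIndexes(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	rds := testRedis()
	ts := now()
	pcode := "mn2_" + uniqueId()

	// Two users and one real product, so Load takes the positive-cache path
	// and registers the index entries.
	uid1 := uniqueId()
	uid2 := uniqueId()
	userId1 := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid1, Password: hashPwd("pass123"), Nickname: "nick_" + uid1,
		Email: uid1 + "@t.com", Phone: "13800000008", DeptId: 0,
		IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	userId2 := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid2, Password: hashPwd("pass123"), Nickname: "nick_" + uid2,
		Email: uid2 + "@t.com", Phone: "13800000009", DeptId: 0,
		IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	pid := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code: pcode, Name: "p_" + pcode, AppKey: "ak_" + pcode, AppSecret: "as_" + pcode,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	t.Cleanup(func() {
		loader.Del(ctx, userId1, pcode)
		loader.Del(ctx, userId2, pcode)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId1, userId2)
	})

	// Warm the cache once per user.
	_, err := loader.Load(ctx, userId1, pcode)
	require.NoError(t, err)
	_, err = loader.Load(ctx, userId2, pcode)
	require.NoError(t, err)

	k1 := loader.cacheKey(userId1, pcode)
	k2 := loader.cacheKey(userId2, pcode)
	pIdx := loader.productIndexKey(pcode)
	u1Idx := loader.userIndexKey(userId1)
	u2Idx := loader.userIndexKey(userId2)

	// Redis errors are checked on every read: a failed SISMEMBER or GET
	// returns the zero value, which would otherwise satisfy the "removed"
	// assertions below without BatchDel having done anything.
	isMember := func(set, key string) bool {
		ok, serr := rds.SismemberCtx(ctx, set, key)
		require.NoError(t, serr)
		return ok
	}
	cached := func(key string) string {
		val, gerr := rds.GetCtx(ctx, key)
		require.NoError(t, gerr)
		return val
	}

	// Preconditions: both cache keys written and indexed.
	for _, k := range []string{k1, k2} {
		require.NotEmpty(t, cached(k), "主 cacheKey 必须被写入才有意义")
	}
	require.True(t, isMember(pIdx, k1), "productIndex 必须含 k1")
	require.True(t, isMember(pIdx, k2), "productIndex 必须含 k2")
	require.True(t, isMember(u1Idx, k1), "userIndex(u1) 必须含 k1")
	require.True(t, isMember(u2Idx, k2), "userIndex(u2) 必须含 k2")

	// Path under test.
	loader.BatchDel(ctx, []int64{userId1, userId2}, pcode)

	// Cache keys are deleted.
	for _, k := range []string{k1, k2} {
		assert.Empty(t, cached(k), "BatchDel 必须删除主 cacheKey")
	}
	// Core assertion: the keys are removed from both kinds of index set.
	assert.False(t, isMember(u1Idx, k1), "BatchDel 必须把 k1 从 userIndex(u1) SREM 出去")
	assert.False(t, isMember(u2Idx, k2), "BatchDel 必须把 k2 从 userIndex(u2) SREM 出去")
	assert.False(t, isMember(pIdx, k1), "BatchDel 必须把 k1 从 productIndex SREM 出去")
	assert.False(t, isMember(pIdx, k2), "BatchDel 必须把 k2 从 productIndex SREM 出去")
}

// TC-1014: productCode 为空时 BatchDel 仅 SREM userIndex,不得 panic 或误访问 productIndex。
// 目前业务侧 BatchDel 的所有调用都传了 productCode;但 pipeline 分支必须对空串 fail-safe,
// 防止未来调用方误传时 pipeline 里塞空 key 把 Redis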
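// 侧写脏。

// TestUserDetailsLoader_MN2_BatchDelEmptyProductCodeDoesNotPanic (TC-1014)
// checks that BatchDel with an empty productCode does not panic. The user ids
// do not exist; the original comment notes that removing members from a
// missing set is a no-op.
func TestUserDetailsLoader_MN2_BatchDelEmptyProductCodeDoesNotPanic(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	require.NotPanics(t, func() {
		loader.BatchDel(ctx, []int64{9999999991, 9999999992}, "")
	})
}

// TestUserDetailsLoader_Load_NotExist_ReturnsUdWithNilErr checks the contract
// for an unknown user: Load returns a non-nil UserDetails and a nil error,
// with UserId and ProductCode echoed back and Username empty. Returning an
// error instead would make "user not found" indistinguishable from a backend
// failure for the caller.
func TestUserDetailsLoader_Load_NotExist_ReturnsUdWithNilErr(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	nonExistId := int64(900_100_000 + time.Now().UnixNano()%100_000)
	productCode := "pc_nxud_" + uniqueId()
	t.Cleanup(func() { loader.Del(ctx, nonExistId, productCode) })

	ud, err := loader.Load(ctx, nonExistId, productCode)
	require.NoError(t, err, "用户不存在必须走 (ud,nil) 语义;否则中间件会把 DB 抖动同化成 401 强制下线引发雪崩")
	require.NotNil(t, ud)
	assert.Equal(t, nonExistId, ud.UserId)
	assert.Equal(t, productCode, ud.ProductCode)
	assert.Empty(t, ud.Username, "Username 必须为空以便调用方判定为 404 用户")
}

// TestUserDetailsLoader_Load_L6_CreateUserThenLoadDoesNotWriteSentinel
// (TC-0914) checks that the first Load for a freshly inserted user returns the
// real user and does not write the negative-cache marker under the user's
// cache key, which would make the new user look deleted until it expires.
//
// A real product row is inserted too: per the original comment, Load needs an
// existing product to reach the positive-cache path, and a missing product is
// a separate concern from the one tested here.
func TestUserDetailsLoader_Load_L6_CreateUserThenLoadDoesNotWriteSentinel(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	conn := testConn()
	m := testModels()
	ts := now()
	uid := uniqueId()
	productCode := "pc_l6_" + uid

	userId := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid, Password: hashPwd("pw"), Nickname: "l6", Avatar: sql.NullString{},
		IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	pid := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code: productCode, Name: "l6_prod", AppKey: "ak", AppSecret: "as",
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	t.Cleanup(func() {
		loader.Del(ctx, userId, productCode)
		cleanTable(ctx, conn, "`sys_user`", userId)
		cleanTable(ctx, conn, "`sys_product`", pid)
	})

	loader.Del(ctx, userId, productCode)
	ud, err := loader.Load(ctx, userId, productCode)
	require.NoError(t, err)
	require.NotNil(t, ud)
	assert.Equal(t, uid, ud.Username, "Load 必须识别出这是真实用户而不是写哨兵")

	// Key assertion: the value stored in Redis must never be the marker.
	val, err := loader.rds.GetCtx(ctx, loader.cacheKey(userId, productCode))
	require.NoError(t, err)
	assert.NotEqual(t, negativeCacheMarker, val, "新创建的用户首次 Load 不得被写入负缓存哨兵,否则 10s 内所有请求都会被判为'已删除'")
}

// TestUserDetailsLoader_Load_MN1_PartialLoadReturnsErrDegradedAndSkipsCache
// (TC-0915) checks the fail-closed contract for a partial load: when one
// sub-step fails, Load returns (nil, ErrLoaderDegraded) and does not write a
// positive cache entry.
//
// The original comment records why: under the older contract a half-populated
// UserDetails was returned with a nil error, and callers misread its empty
// fields as "product disabled / no permission", turning a backend hiccup into
// silent 403 responses. Surfacing an error lets callers report the condition
// as unavailability instead.
//
// The failure is provoked by a DeptId that points at no department; the
// product row is real so the department step is the only one that fails.
func TestUserDetailsLoader_Load_MN1_PartialLoadReturnsErrDegradedAndSkipsCache(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	conn := testConn()
	m := testModels()
	ts := now()
	uid := uniqueId()
	productCode := "pc_mn1_" + uid

	phantomDeptId := int64(999_000_000_000)
	userId := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid, Password: hashPwd("pw"), Nickname: "mn1", Avatar: sql.NullString{},
		DeptId: phantomDeptId, IsSuperAdmin: consts.IsSuperAdminNo,
		MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	pid := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code: productCode, Name: "mn1_prod", AppKey: "ak", AppSecret: "as",
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	t.Cleanup(func() {
		loader.Del(ctx, userId, productCode)
		cleanTable(ctx, conn, "`sys_user`", userId)
		cleanTable(ctx, conn, "`sys_product`", pid)
	})

	loader.Del(ctx, userId, productCode)
	ud, err := loader.Load(ctx, userId, productCode)

	// The error must surface and no half-built value may accompany it.
	require.ErrorIs(t, err, ErrLoaderDegraded, "partial load 必须返回 ErrLoaderDegraded,而不是把半成品 ud 静默当成业务拒绝")
	assert.Nil(t, ud, "err 非 nil 时 ud 必须为 nil,杜绝上层误用半成品字段")

	// Nothing resembling this user's details may sit under the cache key;
	// an absent key reads back as "" and passes trivially.
	val, err := loader.rds.GetCtx(ctx, loader.cacheKey(userId, productCode))
	require.NoError(t, err)
	assert.NotContains(t, val, "\"username\":\""+uid+"\"", "partial-load 不得把半残 UD 写进 5 分钟正缓存")
}

// TestUserDetailsLoader_ErrLoaderDegraded_IsStableSentinel (TC-0917) checks
// that ErrLoaderDegraded is a sentinel callers can match with errors.Is, not
// by comparing message text: an unrelated error with the same text must not
// match, while the sentinel itself and a %w-wrapped copy must.
func TestUserDetailsLoader_ErrLoaderDegraded_IsStableSentinel(t *testing.T) {
	require.NotNil(t, ErrLoaderDegraded, "必须导出 sentinel 便于调用方识别")

	// Same message text, different identity: must not match.
	lookalike := errors.New("extra: " + ErrLoaderDegraded.Error())
	assert.False(t, errors.Is(lookalike, ErrLoaderDegraded), "新 error 与 sentinel 不应共享身份;如需传染请显式 fmt.Errorf(\"%%w\", ErrLoaderDegraded)")

	// Wrapping is how callers are expected to add context, so a wrapped
	// sentinel must still be recognised.
	wrapped := fmt.Errorf("load user details: %w", ErrLoaderDegraded)
	assert.True(t, errors.Is(wrapped, ErrLoaderDegraded),
		"an ErrLoaderDegraded wrapped via fmt.Errorf must still satisfy errors.Is")

	assert.True(t, errors.Is(ErrLoaderDegraded, ErrLoaderDegraded), "自身 Is 必须为 true(sanity check)")
}

// TestUserDetailsLoader_Load_H1_EnabledProductMemberPermsNonNil (TC-0916)
// covers the success path of permission loading for an enabled member who has
// no roles and no direct grants: Load must return no error, echo Username and
// ProductCode, and leave a positive cache entry that, when it is JSON,
// decodes back to the same Username.
//
// Perms is not required to be non-nil here. The opposite, fail-closed case
// (a failing deny query) needs a database mock and is not covered by this
// test, as the original comment notes.
func TestUserDetailsLoader_Load_H1_EnabledProductMemberPermsNonNil(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	conn := testConn()
	m := testModels()
	ts := now()
	uid := uniqueId()
	productCode := "pc_h1_" + uid

	userId := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid, Password: hashPwd("pw"), Nickname: "h1", Avatar: sql.NullString{},
		DeptId: 0, IsSuperAdmin: consts.IsSuperAdminNo,
		MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	pid := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code: productCode, Name: "h1_prod", AppKey: "ak", AppSecret: "as",
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	// The membership row is removed by product code in the cleanup, so the
	// returned id is not needed.
	insertMember(ctx, t, m, &memberModel.SysProductMember{
		ProductCode: productCode, UserId: userId, MemberType: consts.MemberTypeMember,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	t.Cleanup(func() {
		loader.Del(ctx, userId, productCode)
		cleanTable(ctx, conn, "`sys_user`", userId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTableByField(ctx, conn, "`sys_product_member`", "productCode", productCode)
	})

	loader.Del(ctx, userId, productCode)
	ud, err := loader.Load(ctx, userId, productCode)
	require.NoError(t, err)
	require.NotNil(t, ud)
	assert.Equal(t, uid, ud.Username)
	assert.Equal(t, productCode, ud.ProductCode)

	// The normal path must have written a positive cache entry.
	val, err := loader.rds.GetCtx(ctx, loader.cacheKey(userId, productCode))
	require.NoError(t, err)
	require.NotEmpty(t, val, "正常路径必须落正缓存")
	if strings.HasPrefix(val, "{") {
		var cached UserDetails
		require.NoError(t, json.Unmarshal([]byte(val), &cached))
		assert.Equal(t, uid, cached.Username)
	}
}

// TestUserDetailsLoader_NegativeCache_HitsOnSecondCall checks the negative
// cache for an unknown user: the first Load returns (ud, nil) with an empty
// Username and stores negativeCacheMarker under the cache key; the second Load
// returns the same empty shape; and the key carries a TTL greater than zero
// and no larger than negativeCacheTTL, so a user created shortly afterwards is
// not masked for long.
//
// No database call counter is wired in, so "the second Load does not hit the
// database" is not asserted directly.
func TestUserDetailsLoader_NegativeCache_HitsOnSecondCall(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()

	// An id that almost certainly does not exist.
	nonExistId := int64(900_000_000 + time.Now().UnixNano()%100_000)
	productCode := "pc_neg_" + uniqueId()

	// Clean start; cleanup is registered before any require can abort the
	// test so the marker is always removed.
	loader.Del(ctx, nonExistId, productCode)
	t.Cleanup(func() { loader.Del(ctx, nonExistId, productCode) })

	// First Load: expected to write the marker.
	ud1, err := loader.Load(ctx, nonExistId, productCode)
	require.NoError(t, err, "用户不存在应走 (ud,nil) 语义而不是 (nil,err)")
	require.NotNil(t, ud1)
	assert.Empty(t, ud1.Username, "不存在的用户 Load 后 Username 必须为空")

	// Read Redis directly to confirm the marker is really there.
	key := loader.cacheKey(nonExistId, productCode)
	val, err := loader.rds.GetCtx(ctx, key)
	require.NoError(t, err)
	assert.Equal(t, negativeCacheMarker, val,
		"不存在的用户必须写入负缓存哨兵 %q,以便后续命中直接返回空 UserDetails", negativeCacheMarker)

	// Second Load: same empty result.
	ud2, err := loader.Load(ctx, nonExistId, productCode)
	require.NoError(t, err)
	require.NotNil(t, ud2)
	assert.Empty(t, ud2.Username)
	assert.Equal(t, nonExistId, ud2.UserId)
	assert.Equal(t, productCode, ud2.ProductCode)

	// The marker must be short-lived.
	ttl, err := loader.rds.TtlCtx(ctx, key)
	require.NoError(t, err)
	assert.Greater(t, ttl, 0, "负缓存必须是带 TTL 的短窗口")
	assert.LessOrEqual(t, ttl, negativeCacheTTL,
		"负缓存 TTL 不得超过 %ds,避免误伤刚 createUser 的合法用户", negativeCacheTTL)
}

// TestUserDetailsLoader_NegativeCache_NotIndexed (TC-0822) checks that a
// negative-cache entry is not registered in the user index or the product
// index. Per the original comment, an indexed marker would be deleted along
// with real keys by the clean operations, and the next request for the
// missing user would go straight back to the database.
//
// The marker's presence is asserted first, so that empty index sets cannot be
// explained by Load having written nothing at all.
func TestUserDetailsLoader_NegativeCache_NotIndexed(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	nonExistId := int64(900_000_123 + time.Now().UnixNano()%10_000)
	productCode := "pc_idx_" + uniqueId()

	loader.Del(ctx, nonExistId, productCode)
	t.Cleanup(func() { loader.Del(ctx, nonExistId, productCode) })

	_, err := loader.Load(ctx, nonExistId, productCode)
	require.NoError(t, err)

	val, err := loader.rds.GetCtx(ctx, loader.cacheKey(nonExistId, productCode))
	require.NoError(t, err)
	require.Equal(t, negativeCacheMarker, val,
		"the negative-cache marker must be present for the index checks below to mean anything")

	uidx, err := loader.rds.SmembersCtx(ctx, loader.userIndexKey(nonExistId))
	require.NoError(t, err)
	assert.Empty(t, uidx, "负缓存不得注册到 user index,否则 Clean(userId) 会把哨兵一起抹掉导致立刻再次击穿 DB")

	pidx, err := loader.rds.SmembersCtx(ctx, loader.productIndexKey(productCode))
	require.NoError(t, err)
	assert.Empty(t, pidx, "负缓存同样不得进入 product index")
}

// TC-0823: 多并发同一 nonExistId 只穿透 DB 一次(singleflight + 负缓存联动)。
// 使用 singleflight 组 + 负缓存的组合应保证:N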
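// 个并发 Load 对同一个不存在用户在第一次完成后,
// 后续都走哨兵命中;即便 singleflight 窗口内共享同一 DB 查询,对 DB 的压力也至多 1 次。

// TestUserDetailsLoader_NegativeCache_ConcurrentLoadsStabilize (TC-0823) runs
// 32 concurrent Loads for the same unknown user and checks that they all
// finish within five seconds and that the cache key ends up holding
// negativeCacheMarker.
//
// Database calls are not counted here (no model wrapper is attached to this
// loader), so the test verifies the final cache state and timely completion,
// not the number of database hits.
func TestUserDetailsLoader_NegativeCache_ConcurrentLoadsStabilize(t *testing.T) {
	ctx := context.Background()
	loader := newTestLoader()
	nonExistId := int64(900_000_456 + time.Now().UnixNano()%10_000)
	productCode := "pc_conc_" + uniqueId()

	loader.Del(ctx, nonExistId, productCode)
	// Registered up front so the marker is removed even when t.Fatal fires.
	t.Cleanup(func() { loader.Del(ctx, nonExistId, productCode) })

	const n = 32
	var wg sync.WaitGroup
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer wg.Done()
			_, _ = loader.Load(ctx, nonExistId, productCode)
		}()
	}
	finished := make(chan struct{})
	go func() {
		wg.Wait()
		close(finished)
	}()

	select {
	case <-finished:
	case <-time.After(5 * time.Second):
		t.Fatal("并发 Load 未在 5s 内收敛,singleflight/负缓存可能失效")
	}

	val, err := loader.rds.GetCtx(ctx, loader.cacheKey(nonExistId, productCode))
	require.NoError(t, err)
	assert.Equal(t, negativeCacheMarker, val)
}

// countingUserModel wraps a userModel.SysUserModel and counts FindOne calls.
// All other methods are served by the embedded model.
type countingUserModel struct {
	userModel.SysUserModel
	// findOneHits is updated and read with sync/atomic only.
	findOneHits int64
}

// FindOne increments the hit counter and delegates to the embedded model.
func (c *countingUserModel) FindOne(ctx context.Context, id int64) (*userModel.SysUser, error) {
	atomic.AddInt64(&c.findOneHits, 1)
	return c.SysUserModel.FindOne(ctx, id)
}

// TestLoader_Load_SingleflightCollapsesConcurrentCalls (TC-0792) checks that
// concurrent Loads for the same key are merged so that a cache miss does not
// turn into one database read per caller. SysUserModel is replaced by a
// countingUserModel; 50 goroutines are released together by closing a shared
// channel after the cache has been cleared, and the number of FindOne calls
// must be at least 1 and at most workers/5.
func TestLoader_Load_SingleflightCollapsesConcurrentCalls(t *testing.T) {
	ctx := context.Background()
	rds := testRedis()
	realModels := testModels()
	counting := &countingUserModel{SysUserModel: realModels.SysUserModel}

	// Only the user model is wrapped; the other models stay real.
	wrappedModels := *realModels
	wrappedModels.SysUserModel = counting
	loader := NewUserDetailsLoader(rds, testKeyPrefix, &wrappedModels)

	u := &userModel.SysUser{
		Username: "ld_sf_" + uniqueId(), Password: hashPwd("x"), Nickname: "sf",
		Avatar: sql.NullString{}, IsSuperAdmin: consts.IsSuperAdminNo,
		MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: now(), UpdateTime: now(),
	}
	userId := insertUser(ctx, t, realModels, u)
	t.Cleanup(func() {
		// Drop the cache entry as well, so no cached details outlive the
		// deleted user row.
		loader.Del(ctx, userId, "")
		cleanTable(ctx, testConn(), "sys_user", userId)
	})

	// Make sure the cache is empty.
	loader.Del(ctx, userId, "")
	loader.Clean(ctx, userId)

	const workers = 50
	var (
		wg    sync.WaitGroup
		start = make(chan struct{})
		ptrs  = make([]*UserDetails, workers)
	)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func(idx int) {
			defer wg.Done()
			<-start // barrier: all workers call Load at about the same time
			ud, _ := loader.Load(ctx, userId, "")
			ptrs[idx] = ud
		}(i)
	}
	close(start)
	wg.Wait()

	// Every worker must have received the complete user data.
	for i, p := range ptrs {
		require.NotNil(t, p, "worker %d 返回 nil", i)
		assert.Equal(t, u.Username, p.Username, "worker %d 读到的 Username 错乱", i)
	}

	hits := atomic.LoadInt64(&counting.findOneHits)
	assert.LessOrEqual(t, hits, int64(workers/5),
		"singleflight 必须把 DB 命中压到极少次 (远低于 workers=%d); 实际 FindOne 被调 %d 次", workers, hits)
	assert.Greater(t, hits, int64(0), "至少要有一次 DB 命中 (否则说明缓存未被真正清空)")
}

// TestLoader_Load_SecondRoundHitsCache (TC-0793) complements
// TestLoader_Load_SingleflightCollapsesConcurrentCalls: once the first Load
// has populated the cache, twenty further Loads must not call FindOne again.
func TestLoader_Load_SecondRoundHitsCache(t *testing.T) {
	ctx := context.Background()
	rds := testRedis()
	realModels := testModels()
	counting := &countingUserModel{SysUserModel: realModels.SysUserModel}
	wrappedModels := *realModels
	wrappedModels.SysUserModel = counting
	loader := NewUserDetailsLoader(rds, testKeyPrefix, &wrappedModels)

	u := &userModel.SysUser{
		Username: "ld_sf2_" + uniqueId(), Password: hashPwd("x"), Nickname: "sf2",
		Avatar: sql.NullString{}, IsSuperAdmin: consts.IsSuperAdminNo,
		MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: now(), UpdateTime: now(),
	}
	userId := insertUser(ctx, t, realModels, u)
	t.Cleanup(func() {
		// Drop the cache entry as well, so no cached details outlive the
		// deleted user row.
		loader.Del(ctx, userId, "")
		cleanTable(ctx, testConn(), "sys_user", userId)
	})

	loader.Del(ctx, userId, "")
	loader.Clean(ctx, userId)

	_, _ = loader.Load(ctx, userId, "")
	firstHits := atomic.LoadInt64(&counting.findOneHits)
	require.Equal(t, int64(1), firstHits, "首次 Load 应命中 DB 一次")

	for i := 0; i < 20; i++ {
		_, _ = loader.Load(ctx, userId, "")
	}
	secondRoundHits := atomic.LoadInt64(&counting.findOneHits) - firstHits
	assert.Equal(t, int64(0), secondRoundHits,
		"后续 Load 必须命中 Redis 缓存; 若持续打到 DB, 说明 cache 写入失败或 TTL 异常")
}

// TestLoadPerms_NormalDeptDisabled_NoPerms (TC-1205) checks that a member of a
// disabled NORMAL-type department ends up with an empty, non-nil Perms slice.
//
// The user is given a direct ALLOW grant on the product's permission. Without
// any grant Perms would be empty whatever the department status, and the test
// could not tell whether the department check is in effect.
func TestLoadPerms_NormalDeptDisabled_NoPerms(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	deptId := insertDept(ctx, t, m, &deptModel.SysDept{
		ParentId: 0, Name: "normdept_dis_" + uid, Path: "/1/", Sort: 1,
		DeptType: consts.DeptTypeNormal, Status: consts.StatusDisabled, CreateTime: ts, UpdateTime: ts,
	})
	userId := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid, Password: hashPwd("pass123"), Nickname: "nick_" + uid,
		Email: uid + "@test.com", Phone: "13900000001", DeptId: deptId,
		IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	pid := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code: pcode, Name: "prod_" + uid, AppKey: "ak_" + uid, AppSecret: "as_" + uid,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	memberId := insertMember(ctx, t, m, &memberModel.SysProductMember{
		ProductCode: pcode, UserId: userId, MemberType: consts.MemberTypeMember,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	permCode := "perm_normdis:" + uid
	permId := insertPerm(ctx, t, m, &permModel.SysPerm{
		ProductCode: pcode, Name: "p_" + uid, Code: permCode,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	// Direct grant: this is what the disabled department has to override.
	userPermId := insertUserPerm(ctx, t, m, &userPermModel.SysUserPerm{
		UserId: userId, PermId: permId, Effect: consts.PermEffectAllow, CreateTime: ts, UpdateTime: ts,
	})
	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_user_perm`", userPermId)
		cleanTable(ctx, conn, "`sys_perm`", permId)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
		cleanTable(ctx, conn, "`sys_dept`", deptId)
	})

	loader.Del(ctx, userId, pcode)
	ud, err := loader.Load(ctx, userId, pcode)
	require.NoError(t, err)
	require.NotNil(t, ud)
	assert.Equal(t, consts.DeptTypeNormal, ud.DeptType)
	assert.Equal(t, int64(consts.StatusDisabled), ud.DeptStatus)
	assert.NotNil(t, ud.Perms, "Perms 必须是非 nil 的空 slice([]string{}),而非 nil;下游 JSON 输出必须为 [] 而非 null")
	assert.Empty(t, ud.Perms, "NORMAL 部门冻结后,成员不应拥有任何权限;冻结部门的'会话吊销'需要 loadPerms 也配合清零才能闭环")
}

// TestLoadPerms_EmptyPerms_IsNotNilSlice (TC-1206) checks that an ordinary
// member with no roles and no direct grants gets Perms as an empty non-nil
// slice, and that it marshals to [] rather than null.
func TestLoadPerms_EmptyPerms_IsNotNilSlice(t *testing.T) {
	ctx := context.Background()
	conn := testConn()
	m := testModels()
	loader := newTestLoader()
	uid := uniqueId()
	ts := now()
	pcode := "p_" + uid

	userId := insertUser(ctx, t, m, &userModel.SysUser{
		Username: uid, Password: hashPwd("pass123"), Nickname: "nick_" + uid,
		Email: uid + "@test.com", Phone: "13900000002", DeptId: 0,
		IsSuperAdmin: consts.IsSuperAdminNo, MustChangePassword: consts.MustChangePasswordNo,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	pid := insertProduct(ctx, t, m, &productModel.SysProduct{
		Code: pcode, Name: "prod_" + uid, AppKey: "ak_" + uid, AppSecret: "as_" + uid,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	memberId := insertMember(ctx, t, m, &memberModel.SysProductMember{
		ProductCode: pcode, UserId: userId, MemberType: consts.MemberTypeMember,
		Status: consts.StatusEnabled, CreateTime: ts, UpdateTime: ts,
	})
	t.Cleanup(func() {
		loader.Del(ctx, userId, pcode)
		cleanTable(ctx, conn, "`sys_product_member`", memberId)
		cleanTable(ctx, conn, "`sys_product`", pid)
		cleanTable(ctx, conn, "`sys_user`", userId)
	})

	loader.Del(ctx, userId, pcode)
	ud, err := loader.Load(ctx, userId, pcode)
	require.NoError(t, err)
	require.NotNil(t, ud)

	// Key assertion: empty but not nil.
	assert.NotNil(t, ud.Perms, "无权限成员的 Perms 必须是 []string{}(非 nil);"+
		"Go encoding/json 对 nil 输出 null,对 [] 输出 [],两种'空'造成下游 defensive check 不一致")

	// Confirm the JSON form is [].
	type wrapper struct {
		Perms []string `json:"perms"`
	}
	jsonBytes, marshalErr := json.Marshal(wrapper{Perms: ud.Perms})
	require.NoError(t, marshalErr)
	jsonStr := string(jsonBytes)
	assert.Contains(t, jsonStr, `"perms":[]`, "空 Perms 序列化必须为 [],不得为 null;实际 JSON: %s", jsonStr)
}

// TestLoadMembership_ErrNotFound_IsStableContract (TC-1207) pins the sentinel
// relationship the membership lookup relies on: memberModel.ErrNotFound must
// satisfy errors.Is against sqlx.ErrNotFound, directly and after one layer of
// %w wrapping. Per the original comment, losing that match would turn "user
// is not a member" into ErrLoaderDegraded.
func TestLoadMembership_ErrNotFound_IsStableContract(t *testing.T) {
	require.True(t, errors.Is(memberModel.ErrNotFound, sqlx.ErrNotFound),
		"productmember.ErrNotFound 必须是 sqlx.ErrNotFound 或其包装,"+
			"否则 loadMembership 的 errors.Is 检查无法识别'用户非成员'场景")

	// One wrapping layer, as a model layer might add later.
	wrapped := fmt.Errorf("model wrap: %w", memberModel.ErrNotFound)
	require.True(t, errors.Is(wrapped, sqlx.ErrNotFound),
		"单层 fmt.Errorf 包装后 errors.Is 仍须成立;若失败说明 ErrNotFound 不是通过 %%w 传播的哨兵")
}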