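package server

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"

	"perms-system-server/internal/consts"
	authHelper "perms-system-server/internal/logic/auth"
	pub "perms-system-server/internal/logic/pub"
	"perms-system-server/internal/middleware"
	"perms-system-server/internal/svc"
	"perms-system-server/pb"

	"github.com/golang-jwt/jwt/v4"
	"github.com/zeromicro/go-zero/core/limit"
	"golang.org/x/crypto/bcrypt"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/peer"
	"google.golang.org/grpc/status"
)

// PermServer is the gRPC implementation of the permission-management
// service. It is called by the server side of products that integrate
// with the system, never by end-user clients directly.
type PermServer struct {
	svcCtx *svc.ServiceContext
	pb.UnimplementedPermServiceServer
}

// NewPermServer returns a PermServer bound to the given service context.
func NewPermServer(svcCtx *svc.ServiceContext) *PermServer {
	return &PermServer{svcCtx: svcCtx}
}

// invalidToken is the response VerifyToken returns for every token it
// rejects. No reason is attached, so the caller cannot tell a bad
// signature from a revoked session.
func invalidToken() *pb.VerifyTokenResp {
	return &pb.VerifyTokenResp{Valid: false}
}

// peerAddress returns the remote address of the peer attached to ctx:
// the host part when the address is host:port, otherwise the raw Addr
// string (e.g. a unix socket path that net.SplitHostPort cannot parse).
// It returns "" when ctx carries no peer information.
func peerAddress(ctx context.Context) string {
	p, ok := peer.FromContext(ctx)
	if !ok || p.Addr == nil {
		return ""
	}
	raw := p.Addr.String()
	host, _, err := net.SplitHostPort(raw)
	if err != nil || host == "" {
		return raw
	}
	return host
}

// SyncPermissions synchronises a product's permission declarations. The
// product authenticates with appKey/appSecret; permissions in req.Perms
// are added or updated and those absent from the list are disabled (the
// work is done by pub.ExecuteSyncPerms). HTTP-style codes carried by a
// *pub.SyncPermsError are mapped onto gRPC status codes with the error's
// own message; any other error is reported as Internal with a generic
// message so internal details are not echoed to the product side.
func (s *PermServer) SyncPermissions(ctx context.Context, req *pb.SyncPermissionsReq) (*pb.SyncPermissionsResp, error) {
	items := make([]pub.SyncPermItem, 0, len(req.Perms))
	for _, p := range req.Perms {
		items = append(items, pub.SyncPermItem{Code: p.Code, Name: p.Name, Remark: p.Remark})
	}

	result, err := pub.ExecuteSyncPerms(ctx, s.svcCtx, req.AppKey, req.AppSecret, items)
	if err != nil {
		var se *pub.SyncPermsError
		if errors.As(err, &se) {
			switch se.Code {
			case 400:
				return nil, status.Error(codes.InvalidArgument, se.Message)
			case 401:
				return nil, status.Error(codes.Unauthenticated, se.Message)
			case 403:
				return nil, status.Error(codes.PermissionDenied, se.Message)
			case 429:
				// Previously fell into the Internal default; a quota error
				// from the sync logic is a ResourceExhausted condition.
				return nil, status.Error(codes.ResourceExhausted, se.Message)
			default:
				return nil, status.Error(codes.Internal, se.Message)
			}
		}
		// Unknown error types may describe storage or network internals;
		// only a fixed message leaves the service.
		return nil, status.Error(codes.Internal, "同步权限失败")
	}

	return &pb.SyncPermissionsResp{
		Added:    result.Added,
		Updated:  result.Updated,
		Disabled: result.Disabled,
	}, nil
}

// Login authenticates a product member with username/password plus a
// productCode and returns a JWT access/refresh pair together with the
// user's identity, member type and permissions. When a GrpcLoginLimiter
// is configured, attempts are rate limited per client address before the
// credentials are checked. *pub.LoginError codes 400/401/403/429 are
// mapped to gRPC codes with the error's message; any other error becomes
// Internal with a generic message.
func (s *PermServer) Login(ctx context.Context, req *pb.LoginReq) (*pb.LoginResp, error) {
	// Resolved before, and independently of, the limiter check so the
	// validator receives the caller's address even when rate limiting is
	// disabled (it is passed through to pub.ValidateProductLogin below).
	clientIP := peerAddress(ctx)

	if lim := s.svcCtx.GrpcLoginLimiter; lim != nil && clientIP != "" {
		// Take counts this attempt against the per-address window. Its
		// error is deliberately ignored: when the limiter's backing store
		// is unavailable the attempt is let through rather than making
		// login unavailable. NOTE(review): this is fail-open; confirm that
		// is the intended trade-off. Requests without peer information
		// skip the limiter for the same reason.
		code, _ := lim.Take("grpc:login:" + clientIP)
		if code == limit.OverQuota {
			return nil, status.Error(codes.ResourceExhausted, "请求过于频繁,请稍后再试")
		}
	}

	if req.ProductCode == "" {
		return nil, status.Error(codes.InvalidArgument, "productCode不能为空")
	}

	result, err := pub.ValidateProductLogin(ctx, s.svcCtx, req.Username, req.Password, req.ProductCode, clientIP)
	if err != nil {
		var le *pub.LoginError
		if errors.As(err, &le) {
			switch le.Code {
			case 400:
				return nil, status.Error(codes.InvalidArgument, le.Message)
			case 401:
				return nil, status.Error(codes.Unauthenticated, le.Message)
			case 403:
				return nil, status.Error(codes.PermissionDenied, le.Message)
			case 429:
				return nil, status.Error(codes.ResourceExhausted, le.Message)
			}
		}
		// Any other code or error type: fixed message, nothing leaked.
		return nil, status.Error(codes.Internal, "登录失败")
	}

	ud := result.UserDetails
	return &pb.LoginResp{
		AccessToken:  result.AccessToken,
		RefreshToken: result.RefreshToken,
		// Absolute unix timestamp: AccessExpire is added to a seconds
		// value, so it is treated as a lifetime in seconds here and in
		// RefreshToken.
		Expires:    time.Now().Unix() + s.svcCtx.Config.Auth.AccessExpire,
		UserId:     ud.UserId,
		Username:   ud.Username,
		Nickname:   ud.Nickname,
		MemberType: ud.MemberType,
		Perms:      ud.Perms,
	}, nil
}

// RefreshToken exchanges a valid refresh token for a new access/refresh
// pair. The user's current state is re-checked against the store, the
// tokenVersion is incremented so every token issued under the previous
// version stops verifying (single-session rotation), and the cached user
// details are cleaned so the next load observes the new version. The new
// refresh token is generated with the presented token's original expiry
// (see authHelper.GenerateRefreshTokenWithExpiry), so refreshing does not
// extend the session beyond its initial lifetime.
func (s *PermServer) RefreshToken(ctx context.Context, req *pb.RefreshTokenReq) (*pb.RefreshTokenResp, error) {
	claims, err := authHelper.ParseRefreshToken(req.RefreshToken, s.svcCtx.Config.Auth.RefreshSecret)
	if err != nil {
		return nil, status.Error(codes.Unauthenticated, "refreshToken无效或已过期")
	}

	// The product is bound by the token, not the request: the request may
	// repeat it but never switch to a different one.
	productCode := claims.ProductCode
	if req.ProductCode != "" && req.ProductCode != productCode {
		return nil, status.Error(codes.InvalidArgument, "刷新令牌不允许切换产品")
	}

	// Trust the store, not the claims, for the user's current state.
	ud := s.svcCtx.UserDetailsLoader.Load(ctx, claims.UserId, productCode)
	switch {
	case ud.Status != consts.StatusEnabled:
		return nil, status.Error(codes.PermissionDenied, "账号已被冻结")
	case productCode != "" && ud.ProductStatus != consts.StatusEnabled:
		return nil, status.Error(codes.PermissionDenied, "该产品已被禁用")
	case productCode != "" && !ud.IsSuperAdmin && ud.MemberType == "":
		return nil, status.Error(codes.PermissionDenied, "您已不是该产品的成员")
	case claims.TokenVersion != ud.TokenVersion:
		// A stale version means the session was already rotated or
		// revoked; the presented token is no longer honoured.
		return nil, status.Error(codes.Unauthenticated, "登录状态已失效,请重新登录")
	}

	// Rotate first: once the version is bumped, the presented refresh
	// token and the access tokens issued with it fail the check above.
	newVersion, err := s.svcCtx.SysUserModel.IncrementTokenVersion(ctx, claims.UserId)
	if err != nil {
		return nil, status.Error(codes.Internal, "刷新token失败")
	}
	s.svcCtx.UserDetailsLoader.Clean(ctx, claims.UserId)

	accessToken, err := authHelper.GenerateAccessToken(
		s.svcCtx.Config.Auth.AccessSecret,
		s.svcCtx.Config.Auth.AccessExpire,
		ud.UserId, ud.Username, ud.ProductCode, ud.MemberType,
		newVersion,
	)
	if err != nil {
		return nil, status.Error(codes.Internal, "生成token失败")
	}

	// NOTE(review): assumes ParseRefreshToken only accepts tokens that
	// carry an exp claim; if it can return claims with a nil ExpiresAt
	// this dereference panics — confirm in authHelper.
	newRefreshToken, err := authHelper.GenerateRefreshTokenWithExpiry(
		s.svcCtx.Config.Auth.RefreshSecret,
		claims.ExpiresAt.Time,
		ud.UserId, ud.ProductCode,
		newVersion,
	)
	if err != nil {
		return nil, status.Error(codes.Unauthenticated, "refreshToken已过期,请重新登录")
	}

	return &pb.RefreshTokenResp{
		AccessToken:  accessToken,
		RefreshToken: newRefreshToken,
		Expires:      time.Now().Unix() + s.svcCtx.Config.Auth.AccessExpire,
	}, nil
}

// VerifyToken validates an access token on behalf of a product service.
// It checks the HMAC signature and standard claims, that the token is an
// access token (not a refresh token), and that the user, product,
// membership and tokenVersion are still current. Every rejection yields
// Valid=false with no detail, and never a gRPC error, so the response
// does not reveal why a token failed.
func (s *PermServer) VerifyToken(ctx context.Context, req *pb.VerifyTokenReq) (*pb.VerifyTokenResp, error) {
	token, err := jwt.ParseWithClaims(req.AccessToken, &middleware.Claims{}, func(t *jwt.Token) (interface{}, error) {
		// Pin the algorithm family to the one the shared secret is meant
		// for: a token whose header names any non-HMAC method is rejected
		// before the key is handed to the verifier.
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
		}
		return []byte(s.svcCtx.Config.Auth.AccessSecret), nil
	})
	if err != nil || !token.Valid {
		return invalidToken(), nil
	}

	claims, ok := token.Claims.(*middleware.Claims)
	if !ok || claims.TokenType != consts.TokenTypeAccess {
		// Refresh tokens are parsed with a separate secret elsewhere in
		// this file; the explicit type check does not depend on the two
		// secrets being different.
		return invalidToken(), nil
	}

	// Re-check the store: a signed token alone says nothing about
	// freezes, product disablement, membership changes or rotation that
	// happened after it was issued.
	ud := s.svcCtx.UserDetailsLoader.Load(ctx, claims.UserId, claims.ProductCode)
	stillCurrent := ud.Status == consts.StatusEnabled &&
		claims.TokenVersion == ud.TokenVersion &&
		// Product-scoped tokens additionally need an enabled product …
		(claims.ProductCode == "" || ud.ProductStatus == consts.StatusEnabled) &&
		// … and an active membership, unless the user is a super admin.
		(claims.ProductCode == "" || ud.IsSuperAdmin || ud.MemberType != "")
	if !stillCurrent {
		return invalidToken(), nil
	}

	return &pb.VerifyTokenResp{
		Valid:       true,
		UserId:      ud.UserId,
		Username:    ud.Username,
		MemberType:  ud.MemberType,
		Perms:       ud.Perms,
		ProductCode: claims.ProductCode,
	}, nil
}

// GetUserPerms returns a user's member type and permission list within
// the product identified by appKey, for use by the product side's own
// authorization gateway. The product is authenticated by comparing
// appSecret against its stored bcrypt hash and must be enabled and match
// the requested productCode; the user must exist, be enabled, and be a
// member of the product (or a super admin).
func (s *PermServer) GetUserPerms(ctx context.Context, req *pb.GetUserPermsReq) (*pb.GetUserPermsResp, error) {
	product, err := s.svcCtx.SysProductModel.FindOneByAppKey(ctx, req.AppKey)
	if err != nil {
		// NOTE(review): every lookup error, including a store failure, is
		// reported as an unknown appKey. Nothing internal leaks, but a
		// store outage then looks like bad credentials to the caller —
		// confirm a not-found sentinel is not available to distinguish.
		return nil, status.Error(codes.Unauthenticated, "无效的appKey")
	}
	if err := bcrypt.CompareHashAndPassword([]byte(product.AppSecret), []byte(req.AppSecret)); err != nil {
		return nil, status.Error(codes.Unauthenticated, "appSecret验证失败")
	}
	// Credentials are verified before product state is disclosed, so a
	// disabled product cannot be probed with an appKey alone.
	if product.Status != consts.StatusEnabled {
		return nil, status.Error(codes.PermissionDenied, "产品已被禁用")
	}
	if product.Code != req.ProductCode {
		return nil, status.Error(codes.InvalidArgument, "appKey与productCode不匹配")
	}

	ud := s.svcCtx.UserDetailsLoader.Load(ctx, req.UserId, req.ProductCode)
	switch {
	case ud.Username == "":
		// The loader reports a missing user by an empty Username.
		return nil, status.Error(codes.NotFound, "用户不存在")
	case ud.Status != consts.StatusEnabled:
		return nil, status.Error(codes.PermissionDenied, "用户已被冻结")
	case !ud.IsSuperAdmin && ud.MemberType == "":
		return nil, status.Error(codes.PermissionDenied, "用户不是该产品的有效成员")
	}

	return &pb.GetUserPermsResp{
		MemberType: ud.MemberType,
		Perms:      ud.Perms,
	}, nil
}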