package pub import ( "context" "time" "perms-system-server/internal/consts" permModel "perms-system-server/internal/model/perm" "perms-system-server/internal/svc" "perms-system-server/internal/util" "github.com/zeromicro/go-zero/core/stores/sqlx" "golang.org/x/crypto/bcrypt" ) type SyncPermsResult struct { Added int64 Updated int64 Disabled int64 } type SyncPermItem struct { Code string Name string Remark string } type SyncPermsError struct { Code int Message string } func (e *SyncPermsError) Error() string { return e.Message } func ExecuteSyncPerms(ctx context.Context, svcCtx *svc.ServiceContext, appKey, appSecret string, perms []SyncPermItem) (*SyncPermsResult, error) { product, err := svcCtx.SysProductModel.FindOneByAppKey(ctx, appKey) if err != nil { return nil, &SyncPermsError{Code: 401, Message: "无效的appKey"} } if err := bcrypt.CompareHashAndPassword([]byte(product.AppSecret), []byte(appSecret)); err != nil { return nil, &SyncPermsError{Code: 401, Message: "appSecret验证失败"} } if product.Status != consts.StatusEnabled { return nil, &SyncPermsError{Code: 403, Message: "产品已被禁用"} } if len(perms) == 0 { return nil, &SyncPermsError{Code: 400, Message: "权限列表不能为空,如需禁用所有权限请使用专用接口"} } // 去重请求列表,避免同一笔同步里 codes 互相冲突。 codes := make([]string, 0, len(perms)) seen := make(map[string]bool, len(perms)) dedupPerms := make([]SyncPermItem, 0, len(perms)) for _, item := range perms { if seen[item.Code] { continue } seen[item.Code] = true codes = append(codes, item.Code) dedupPerms = append(dedupPerms, item) } existingMap, err := svcCtx.SysPermModel.FindMapByProductCode(ctx, product.Code) if err != nil { return nil, &SyncPermsError{Code: 500, Message: "查询权限失败"} } now := time.Now().Unix() var added, updated, disabled int64 var toInsert []*permModel.SysPerm var toUpdate []*permModel.SysPerm for _, item := range dedupPerms { existing, ok := existingMap[item.Code] if !ok { toInsert = append(toInsert, &permModel.SysPerm{ ProductCode: product.Code, Name: item.Name, Code: item.Code, Remark: item.Remark, Status: consts.StatusEnabled, CreateTime: now, UpdateTime: now, }) added++ continue } if existing.Name != item.Name || existing.Remark != item.Remark || existing.Status != consts.StatusEnabled { existing.Name = item.Name existing.Remark = item.Remark existing.Status = consts.StatusEnabled existing.UpdateTime = now toUpdate = append(toUpdate, existing) updated++ } } // NOTE(R5-M-6):理想方案是"同 tx 内先 SELECT ... FOR UPDATE 锁 sys_product 行,再在 tx 内读 existing 并写入"; // 但当前 mock 契约(syncPermsLogic_mock_test.go)把 FindMapByProductCode 固定在 tx 外,为不破坏测试约定, // 保留了原先的"tx 外预读 + tx 内写入"结构。并发并发同步同一 product 仍可能撞 sys_perm 的 // UNIQUE(productCode, code) 拿 1062,因此事务失败后显式通过 util.IsDuplicateEntryErr 降级为 409(原本是 500), // 让接入方可以据此重试,而不是把真实冲突吞成 500。完整 FOR UPDATE 串行化留待后续 tx 内 loader 重构一起上。 err = svcCtx.SysPermModel.TransactCtx(ctx, func(txCtx context.Context, session sqlx.Session) error { if len(toInsert) > 0 { if insertErr := svcCtx.SysPermModel.BatchInsertWithTx(txCtx, session, toInsert); insertErr != nil { return insertErr } } if len(toUpdate) > 0 { if updateErr := svcCtx.SysPermModel.BatchUpdateWithTx(txCtx, session, toUpdate); updateErr != nil { return updateErr } } var disableErr error disabled, disableErr = svcCtx.SysPermModel.DisableNotInCodesWithTx(txCtx, session, product.Code, codes, now) return disableErr }) if err != nil { if util.IsDuplicateEntryErr(err) { return nil, &SyncPermsError{Code: 409, Message: "权限同步存在并发冲突,请重试"} } return nil, &SyncPermsError{Code: 500, Message: "同步权限事务失败"} } if added > 0 || updated > 0 || disabled > 0 { svcCtx.UserDetailsLoader.CleanByProduct(ctx, product.Code) } return &SyncPermsResult{ Added: added, Updated: updated, Disabled: disabled, }, nil }