perms-system-server/internal/server/permserver.go

package server

import (
	"context"
	"crypto/subtle"
	"fmt"
	"net"
	"time"

	"perms-system-server/internal/consts"
	authHelper "perms-system-server/internal/logic/auth"
	pub "perms-system-server/internal/logic/pub"
	"perms-system-server/internal/middleware"
	permModel "perms-system-server/internal/model/perm"
	"perms-system-server/internal/svc"
	"perms-system-server/pb"

	"github.com/golang-jwt/jwt/v4"
	"github.com/zeromicro/go-zero/core/limit"
	"github.com/zeromicro/go-zero/core/stores/sqlx"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/peer"
	"google.golang.org/grpc/status"
)

type PermServer struct {
	svcCtx *svc.ServiceContext
	pb.UnimplementedPermServiceServer
}

func NewPermServer(svcCtx *svc.ServiceContext) *PermServer {
	return &PermServer{svcCtx: svcCtx}
}

func (s *PermServer) SyncPermissions(ctx context.Context, req *pb.SyncPermissionsReq) (*pb.SyncPermissionsResp, error) {
	product, err := s.svcCtx.SysProductModel.FindOneByAppKey(ctx, req.AppKey)
	if err != nil {
		return nil, status.Error(codes.Unauthenticated, "无效的appKey")
	}
	if subtle.ConstantTimeCompare([]byte(product.AppSecret), []byte(req.AppSecret)) != 1 {
		return nil, status.Error(codes.Unauthenticated, "appSecret验证失败")
	}
	if product.Status != consts.StatusEnabled {
		return nil, status.Error(codes.PermissionDenied, "产品已被禁用")
	}

	existingMap, err := s.svcCtx.SysPermModel.FindMapByProductCode(ctx, product.Code)
	if err != nil {
		return nil, status.Error(codes.Internal, "查询权限数据失败")
	}

	now := time.Now().Unix()
	var added, updated int64
	codeList := make([]string, 0, len(req.Perms))

	var toInsert []*permModel.SysPerm
	var toUpdate []*permModel.SysPerm

	seen := make(map[string]bool, len(req.Perms))
	for _, item := range req.Perms {
		if seen[item.Code] {
			continue
		}
		seen[item.Code] = true
		codeList = append(codeList, item.Code)
		existing, ok := existingMap[item.Code]
		if !ok {
			toInsert = append(toInsert, &permModel.SysPerm{
				ProductCode: product.Code,
				Name:        item.Name,
				Code:        item.Code,
				Remark:      item.Remark,
				Status:      consts.StatusEnabled,
				CreateTime:  now,
				UpdateTime:  now,
			})
			added++
			continue
		}
		if existing.Name != item.Name || existing.Remark != item.Remark || existing.Status != consts.StatusEnabled {
			existing.Name = item.Name
			existing.Remark = item.Remark
			existing.Status = consts.StatusEnabled
			existing.UpdateTime = now
			toUpdate = append(toUpdate, existing)
			updated++
		}
	}

	var disabled int64
	if txErr := s.svcCtx.SysPermModel.TransactCtx(ctx, func(txCtx context.Context, session sqlx.Session) error {
		if len(toInsert) > 0 {
			if err := s.svcCtx.SysPermModel.BatchInsertWithTx(txCtx, session, toInsert); err != nil {
				return err
			}
		}
		if len(toUpdate) > 0 {
			if err := s.svcCtx.SysPermModel.BatchUpdateWithTx(txCtx, session, toUpdate); err != nil {
				return err
			}
		}
		var err error
		disabled, err = s.svcCtx.SysPermModel.DisableNotInCodesWithTx(txCtx, session, product.Code, codeList, now)
		return err
	}); txErr != nil {
		return nil, status.Error(codes.Internal, "同步权限事务失败")
	}

	if added > 0 || updated > 0 || disabled > 0 {
		s.svcCtx.UserDetailsLoader.CleanByProduct(ctx, product.Code)
	}

	return &pb.SyncPermissionsResp{Added: added, Updated: updated, Disabled: disabled}, nil
}

func (s *PermServer) Login(ctx context.Context, req *pb.LoginReq) (*pb.LoginResp, error) {
	if s.svcCtx.GrpcLoginLimiter != nil {
		p, ok := peer.FromContext(ctx)
		if ok {
			ip, _, _ := net.SplitHostPort(p.Addr.String())
			if ip == "" {
				ip = p.Addr.String()
			}
			code, _ := s.svcCtx.GrpcLoginLimiter.Take(fmt.Sprintf("grpc:login:%s", ip))
			if code == limit.OverQuota {
				return nil, status.Error(codes.ResourceExhausted, "请求过于频繁，请稍后再试")
			}
		}
	}

	if req.ProductCode == "" {
		return nil, status.Error(codes.InvalidArgument, "productCode不能为空")
	}

	result, err := pub.ValidateProductLogin(ctx, s.svcCtx, req.Username, req.Password, req.ProductCode)
	if err != nil {
		if le, ok := err.(*pub.LoginError); ok {
			switch le.Code {
			case 400:
				return nil, status.Error(codes.InvalidArgument, le.Message)
			case 401:
				return nil, status.Error(codes.Unauthenticated, le.Message)
			case 403:
				return nil, status.Error(codes.PermissionDenied, le.Message)
			}
		}
		return nil, status.Error(codes.Internal, "登录失败")
	}

	ud := result.UserDetails
	return &pb.LoginResp{
		AccessToken:  result.AccessToken,
		RefreshToken: result.RefreshToken,
		Expires:      time.Now().Unix() + s.svcCtx.Config.Auth.AccessExpire,
		UserId:       ud.UserId,
		Username:     ud.Username,
		MemberType:   ud.MemberType,
		Perms:        ud.Perms,
	}, nil
}

func (s *PermServer) RefreshToken(ctx context.Context, req *pb.RefreshTokenReq) (*pb.RefreshTokenResp, error) {
	claims, err := authHelper.ParseRefreshToken(req.RefreshToken, s.svcCtx.Config.Auth.RefreshSecret)
	if err != nil {
		return nil, status.Error(codes.Unauthenticated, "refreshToken无效或已过期")
	}

	productCode := claims.ProductCode
	if req.ProductCode != "" && req.ProductCode != productCode {
		return nil, status.Error(codes.InvalidArgument, "刷新令牌不允许切换产品")
	}

	ud := s.svcCtx.UserDetailsLoader.Load(ctx, claims.UserId, productCode)

	if ud.Status != consts.StatusEnabled {
		return nil, status.Error(codes.PermissionDenied, "账号已被冻结")
	}

	if productCode != "" && !ud.IsSuperAdmin && ud.MemberType == "" {
		return nil, status.Error(codes.PermissionDenied, "您已不是该产品的成员")
	}

	if claims.TokenVersion != ud.TokenVersion {
		return nil, status.Error(codes.Unauthenticated, "登录状态已失效，请重新登录")
	}

	accessToken, err := authHelper.GenerateAccessToken(
		s.svcCtx.Config.Auth.AccessSecret, s.svcCtx.Config.Auth.AccessExpire,
		ud.UserId, ud.Username, ud.ProductCode, ud.MemberType, ud.Perms, ud.TokenVersion,
	)
	if err != nil {
		return nil, status.Error(codes.Internal, "生成token失败")
	}

	return &pb.RefreshTokenResp{
		AccessToken:  accessToken,
		RefreshToken: req.RefreshToken,
		Expires:      time.Now().Unix() + s.svcCtx.Config.Auth.AccessExpire,
	}, nil
}

func (s *PermServer) VerifyToken(ctx context.Context, req *pb.VerifyTokenReq) (*pb.VerifyTokenResp, error) {
	token, err := jwt.ParseWithClaims(req.AccessToken, &middleware.Claims{}, func(token *jwt.Token) (interface{}, error) {
		return []byte(s.svcCtx.Config.Auth.AccessSecret), nil
	})
	if err != nil || !token.Valid {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}

	claims, ok := token.Claims.(*middleware.Claims)
	if !ok || claims.TokenType != consts.TokenTypeAccess {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}

	ud := s.svcCtx.UserDetailsLoader.Load(ctx, claims.UserId, claims.ProductCode)
	if ud.Status != consts.StatusEnabled {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}
	if claims.ProductCode != "" && !ud.IsSuperAdmin && ud.MemberType == "" {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}
	if claims.TokenVersion != ud.TokenVersion {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}

	return &pb.VerifyTokenResp{
		Valid:      true,
		UserId:     ud.UserId,
		Username:   ud.Username,
		MemberType: ud.MemberType,
		Perms:      ud.Perms,
	}, nil
}

func (s *PermServer) GetUserPerms(ctx context.Context, req *pb.GetUserPermsReq) (*pb.GetUserPermsResp, error) {
	ud := s.svcCtx.UserDetailsLoader.Load(ctx, req.UserId, req.ProductCode)

	if ud.Username == "" {
		return nil, status.Error(codes.NotFound, "用户不存在")
	}

	return &pb.GetUserPermsResp{
		MemberType: ud.MemberType,
		Perms:      ud.Perms,
	}, nil
}