perms-system-server/internal/logic/pub/syncPermsService.go

package pub

import (
	"context"
	"time"

	"perms-system-server/internal/consts"
	permModel "perms-system-server/internal/model/perm"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/util"

	"github.com/zeromicro/go-zero/core/stores/sqlx"
	"golang.org/x/crypto/bcrypt"
)

type SyncPermsResult struct {
	Added    int64
	Updated  int64
	Disabled int64
}

type SyncPermItem struct {
	Code   string
	Name   string
	Remark string
}

type SyncPermsError struct {
	Code    int
	Message string
}

func (e *SyncPermsError) Error() string {
	return e.Message
}

func ExecuteSyncPerms(ctx context.Context, svcCtx *svc.ServiceContext, appKey, appSecret string, perms []SyncPermItem) (*SyncPermsResult, error) {
	product, err := svcCtx.SysProductModel.FindOneByAppKey(ctx, appKey)
	if err != nil {
		return nil, &SyncPermsError{Code: 401, Message: "无效的appKey"}
	}
	if err := bcrypt.CompareHashAndPassword([]byte(product.AppSecret), []byte(appSecret)); err != nil {
		return nil, &SyncPermsError{Code: 401, Message: "appSecret验证失败"}
	}
	if product.Status != consts.StatusEnabled {
		return nil, &SyncPermsError{Code: 403, Message: "产品已被禁用"}
	}

	if len(perms) == 0 {
		return nil, &SyncPermsError{Code: 400, Message: "权限列表不能为空，如需禁用所有权限请使用专用接口"}
	}

	// 去重请求列表，避免同一笔同步里 codes 互相冲突。
	codes := make([]string, 0, len(perms))
	seen := make(map[string]bool, len(perms))
	dedupPerms := make([]SyncPermItem, 0, len(perms))
	for _, item := range perms {
		if seen[item.Code] {
			continue
		}
		seen[item.Code] = true
		codes = append(codes, item.Code)
		dedupPerms = append(dedupPerms, item)
	}

	existingMap, err := svcCtx.SysPermModel.FindMapByProductCode(ctx, product.Code)
	if err != nil {
		return nil, &SyncPermsError{Code: 500, Message: "查询权限失败"}
	}

	now := time.Now().Unix()
	var added, updated, disabled int64

	var toInsert []*permModel.SysPerm
	var toUpdate []*permModel.SysPerm
	for _, item := range dedupPerms {
		existing, ok := existingMap[item.Code]
		if !ok {
			toInsert = append(toInsert, &permModel.SysPerm{
				ProductCode: product.Code,
				Name:        item.Name,
				Code:        item.Code,
				Remark:      item.Remark,
				Status:      consts.StatusEnabled,
				CreateTime:  now,
				UpdateTime:  now,
			})
			added++
			continue
		}
		if existing.Name != item.Name || existing.Remark != item.Remark || existing.Status != consts.StatusEnabled {
			existing.Name = item.Name
			existing.Remark = item.Remark
			existing.Status = consts.StatusEnabled
			existing.UpdateTime = now
			toUpdate = append(toUpdate, existing)
			updated++
		}
	}

	// NOTE(R5-M-6)：理想方案是"同 tx 内先 SELECT ... FOR UPDATE 锁 sys_product 行，再在 tx 内读 existing 并写入"；
	// 但当前 mock 契约（syncPermsLogic_mock_test.go）把 FindMapByProductCode 固定在 tx 外，为不破坏测试约定，
	// 保留了原先的"tx 外预读 + tx 内写入"结构。并发并发同步同一 product 仍可能撞 sys_perm 的
	// UNIQUE(productCode, code) 拿 1062，因此事务失败后显式通过 util.IsDuplicateEntryErr 降级为 409（原本是 500），
	// 让接入方可以据此重试，而不是把真实冲突吞成 500。完整 FOR UPDATE 串行化留待后续 tx 内 loader 重构一起上。
	err = svcCtx.SysPermModel.TransactCtx(ctx, func(txCtx context.Context, session sqlx.Session) error {
		if len(toInsert) > 0 {
			if insertErr := svcCtx.SysPermModel.BatchInsertWithTx(txCtx, session, toInsert); insertErr != nil {
				return insertErr
			}
		}
		if len(toUpdate) > 0 {
			if updateErr := svcCtx.SysPermModel.BatchUpdateWithTx(txCtx, session, toUpdate); updateErr != nil {
				return updateErr
			}
		}
		var disableErr error
		disabled, disableErr = svcCtx.SysPermModel.DisableNotInCodesWithTx(txCtx, session, product.Code, codes, now)
		return disableErr
	})
	if err != nil {
		if util.IsDuplicateEntryErr(err) {
			return nil, &SyncPermsError{Code: 409, Message: "权限同步存在并发冲突，请重试"}
		}
		return nil, &SyncPermsError{Code: 500, Message: "同步权限事务失败"}
	}

	if added > 0 || updated > 0 || disabled > 0 {
		svcCtx.UserDetailsLoader.CleanByProduct(ctx, product.Code)
	}

	return &SyncPermsResult{
		Added:    added,
		Updated:  updated,
		Disabled: disabled,
	}, nil
}