You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

399 lines
13 KiB
Python

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

import json
import time
from collections.abc import AsyncGenerator
from dataclasses import replace
from functools import wraps
from fastapi import Depends, Query, Request
from redis.asyncio.client import Redis
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy.orm import selectinload
from app.common.enums import RedisInitKeyConfig
from app.config.setting import settings
from app.core.base_schema import AuthSchema
from app.core.database import async_db_session
from app.core.exceptions import CustomException
from app.core.logger import logger
from app.core.redis_crud import RedisCURD
from app.core.request_context import RequestContext
from app.core.request_context import get_current_tenant_id as _get_ctx_tenant_id
from app.core.security import OAuth2Schema, decode_access_token
# 套餐菜单权限缓存: {tenant_id: (timestamp, [menu_ids])}
_package_menu_cache: dict[int, tuple[float, list[int]]] = {}
async def db_getter() -> AsyncGenerator[AsyncSession, None]:
"""数据库会话 — 请求级生命周期管理。
一个 HTTP 请求内所有 SQL 共享同一个事务:要么全成功,要么全失败。
读操作也走这个事务(牺牲一点 MVCC 隔离换取读已写一致性)。
"""
async with async_db_session() as session:
async with session.begin():
yield session
async def redis_getter(request: Request) -> Redis:
"""获取Redis连接
参数:
- request (Request): 请求对象
返回:
- Redis: Redis连接
"""
return request.app.state.redis
async def get_current_tenant_id() -> int | None:
"""获取当前请求的租户 ID 依赖注入函数。
从 ContextVar 中读取租户 ID由 TenantMiddleware 设置)。
非认证路径(白名单)返回 None。
返回:
int | None: 当前租户 ID未设置时返回 None。
"""
return _get_ctx_tenant_id()
async def _decode_token_info(token: str, redis: Redis) -> tuple[dict, str]:
"""解码 JWT token 返回 (user_info, session_id)
JWT sub 现为纯 session_id完整会话信息从 Redis 读取。
参数:
token: JWT token 字符串
redis: Redis 连接
返回:
(user_info, session_id): 用户信息字典和会话 ID
"""
payload = decode_access_token(token)
if not payload or not hasattr(payload, "is_refresh") or payload.is_refresh:
raise CustomException(msg="非法凭证", code=10401, status_code=401)
session_id = payload.sub
if not session_id:
raise CustomException(msg="认证已失效", code=10401, status_code=401)
raw = await RedisCURD(redis).get(
f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}"
)
if not raw:
raise CustomException(msg="认证已失效", code=10401, status_code=401)
user_info = json.loads(raw)
return user_info, session_id
async def _check_token_online(redis: Redis, session_id: str) -> None:
"""检查 token 是否在线Redis 中存在对应 session
参数:
redis: Redis 连接
session_id: 会话 ID
"""
online_ok = await RedisCURD(redis).exists(
key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}"
)
if not online_ok:
raise CustomException(msg="认证已失效", code=10401, status_code=401)
async def _try_sliding_refresh(redis: Redis, session_id: str) -> None:
"""滑动过期续期(仅在 token 剩余不足一半时触发)
参数:
redis: Redis 连接
session_id: 会话 ID
"""
if not settings.TOKEN_SLIDING_EXPIRE:
return
ttl = await RedisCURD(redis).ttl(
key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}"
)
# TTL 返回秒,配置也是秒,无需转换
expire_seconds = settings.ACCESS_TOKEN_EXPIRE_SECONDS
if ttl > 0 and ttl < expire_seconds // 2:
await RedisCURD(redis).expire(
key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}",
expire=expire_seconds,
)
await RedisCURD(redis).expire(
key=f"{RedisInitKeyConfig.REFRESH_TOKEN.key}:{session_id}",
expire=settings.REFRESH_TOKEN_EXPIRE_SECONDS,
)
async def _load_user_from_db(db: AsyncSession, username: str):
"""从数据库加载用户(含角色、菜单、部门、职位全量预加载)
使用原始查询以绕过 CRUDBase 的权限过滤,确保用户认证阶段不受数据权限影响。
所有关系链均 eager-loaded调用方可在会话关闭后安全访问对象属性。
参数:
db: 数据库会话
username: 用户名
返回:
UserModel: 已全量加载的用户 ORM 对象
"""
from app.api.v1.module_system.role.model import RoleModel
from app.api.v1.module_system.user.model import UserModel
stmt = (
select(UserModel)
.options(
selectinload(UserModel.dept),
selectinload(UserModel.roles).selectinload(RoleModel.menus),
selectinload(UserModel.positions),
selectinload(UserModel.created_by),
)
.where(UserModel.username == username, UserModel.is_deleted == False) # noqa: E712
)
result = await db.execute(stmt)
user = result.scalars().first()
if not user:
raise CustomException(msg="用户不存在", code=10401, status_code=401)
if user.status == 1:
raise CustomException(msg="用户已被停用", code=10401, status_code=401)
# 过滤不可用的角色和职位(在会话内完成,确保关联数据已加载)
if hasattr(user, "roles"):
user.roles = [role for role in user.roles if role and role.status]
if hasattr(user, "positions"):
user.positions = [pos for pos in user.positions if pos and pos.status]
return user
async def get_current_user(
request: Request,
db: AsyncSession = Depends(db_getter),
redis: Redis = Depends(redis_getter),
token: str = Depends(OAuth2Schema),
) -> AuthSchema:
"""获取当前用户
用户查询使用独立的只读数据库会话(不参与请求事务,查询完成后立即释放快照),
返回的 auth.db 指向请求级事务会话供后续写操作使用。
参数:
- request (Request): 请求对象
- db (AsyncSession): 请求级事务会话
- redis (Redis): Redis连接
- token (str): 访问令牌
返回:
- AuthSchema: 认证信息模型
"""
return await _authenticate(token, db, redis, request)
async def get_current_user_ws(
token: str = Query(..., description="认证token"),
db: AsyncSession = Depends(db_getter),
redis: Redis = Depends(redis_getter),
) -> AuthSchema:
"""获取当前用户WebSocket专用从查询参数获取token
参数:
- token (str): 认证token
- db (AsyncSession): 数据库会话
- redis (Redis): Redis连接
返回:
- AuthSchema: 认证信息模型
"""
return await _authenticate(token, db, redis)
async def _authenticate(
token: str,
db: AsyncSession,
redis: Redis,
request: Request | None = None,
) -> AuthSchema:
"""核心认证逻辑HTTP 与 WebSocket 共享)
参数:
- token: 访问令牌
- db: 请求级事务会话
- redis: Redis连接
- request: HTTP 请求对象WebSocket 场景为 None
返回:
- AuthSchema: 认证信息模型
"""
if not token:
raise CustomException(msg="认证已失效", code=10401, status_code=401)
# 处理Bearer token
if token.startswith("Bearer"):
token = token.split(" ")[1]
# 优先使用 TenantMiddleware 缓存在 request.state.ctx 中的会话信息(避免重复 Redis 读取)
user_info = None
if request:
ctx = getattr(request.state, "ctx", None)
user_info = ctx.jwt_user_info if ctx else None
if not user_info:
# 降级路径:自行从 Redis 读取会话信息
user_info, _ = await _decode_token_info(token, redis)
session_id = user_info.get("session_id")
if not session_id:
raise CustomException(msg="认证已失效", code=10401, status_code=401)
# Redis 在线检查 + 滑动续期
await _check_token_online(redis, session_id)
await _try_sliding_refresh(redis, session_id)
username = user_info.get("user_name")
if not username:
raise CustomException(msg="认证已失效", code=10401, status_code=401)
tenant_id = user_info.get("tenant_id")
# 用户查询使用独立只读会话(不参与请求事务,查询后立即释放快照)
async with async_db_session() as lookup_db:
user = await _load_user_from_db(lookup_db, username)
# 设置请求上下文(仅在当前 request 对象上,业务方通过 request.state.ctx 读取)
if request:
request.state.ctx = replace(
(getattr(request.state, "ctx", None) or RequestContext()),
user_id=user.id,
user_username=user.username,
session_id=session_id,
session_info=user_info,
)
# 返回的 auth.db 指向请求级事务会话,供后续读写操作使用
auth = AuthSchema(db=db, tenant_id=tenant_id, check_data_scope=False)
auth.user = user
return auth
async def _get_cached_tenant_menu_ids(auth: AuthSchema, tenant_id: int) -> list[int]:
"""获取租户可用菜单 ID带 60s 进程级缓存
套餐菜单变更频率极低,缓存可大幅减少 AuthPermission 的 DB 查询次数。
参数:
auth: 认证信息
tenant_id: 租户 ID
返回:
可用菜单 ID 列表
"""
cached = _package_menu_cache.get(tenant_id)
if cached and time.time() - cached[0] < 60:
return cached[1]
from app.api.v1.module_platform.package.service import PackageService
result = await PackageService.get_tenant_available_menu_ids(auth, tenant_id)
_package_menu_cache[tenant_id] = (time.time(), result)
return result
class AuthPermission:
"""权限验证类"""
def __init__(
self,
permissions: list[str] | None = None,
check_data_scope: bool = True,
) -> None:
"""
初始化权限验证
参数:
- permissions (list[str] | None): 权限标识列表。
- check_data_scope (bool): 是否启用严格模式校验。
"""
self.permissions = permissions or []
self.check_data_scope = check_data_scope
async def __call__(self, auth: AuthSchema = Depends(get_current_user)) -> AuthSchema:
"""
调用权限验证
参数:
- auth (AuthSchema): 认证信息对象。
返回:
- AuthSchema: 认证信息对象。
"""
# 用 model_copy 派生一份带正确 check_data_scope 的新实例(不修改原实例)
auth = auth.model_copy(update={"check_data_scope": self.check_data_scope})
# 超级管理员直接通过
if auth.user and auth.user.is_superuser:
return auth
# 无需验证权限
if not self.permissions:
return auth
# 超级管理员权限标识
if "*" in self.permissions or "*:*:*" in self.permissions:
return auth
# 检查用户是否有角色
if not auth.user or not auth.user.roles:
raise CustomException(msg="无权限操作", code=10403, status_code=403)
# 收集角色权限(附带 menu_id 用于套餐过滤)
role_perms: dict[str, int] = {}
for role in auth.user.roles:
if role.status != 0:
continue
for menu in role.menus:
if menu.status == 0 and menu.permission:
role_perms[menu.permission] = menu.id
if not role_perms:
raise CustomException(msg="无权限操作", code=10403, status_code=403)
# 租户用户:权限必须受套餐菜单约束(带 60s 进程级缓存)
if auth.tenant_id:
allowed_ids = set(await _get_cached_tenant_menu_ids(auth, auth.tenant_id))
user_permissions = {p for p, mid in role_perms.items() if mid in allowed_ids}
else:
user_permissions = set(role_perms.keys())
# 权限验证 - 满足任一权限即可
if not any(perm in user_permissions for perm in self.permissions):
logger.error(f"用户缺少任何所需的权限: {self.permissions}")
raise CustomException(msg="无权限操作", code=10403, status_code=403)
return auth
def require_superadmin(func):
"""
装饰器:仅超级管理员可调用 Service 方法。
自动校验 ``self.auth.user.is_superuser`` 属性,非超管直接抛出 403。
适用于实例方法(``Service(auth).xxx(...)``),由 ``self.auth`` 取认证上下文。
用法:
class XxxService:
def __init__(self, auth: AuthSchema) -> None:
self.auth = auth
@require_superadmin
async def create(self, data: ...) -> ...:
...
"""
@wraps(func)
async def wrapper(self, *args, **kwargs):
if not self.auth.user or not self.auth.user.is_superuser:
raise CustomException(msg="仅平台管理员可操作")
return await func(self, *args, **kwargs)
return wrapper