feat(iam): 完整实现 iam 身份认证与权限服务

包含 jwt/jwks/audit/grpc、rbac、cache、redis/kafka 配置等完整实现
This commit is contained in:
SpecialX
2026-07-10 19:09:39 +08:00
parent 06e0f9139b
commit a35e759d64
32 changed files with 2589 additions and 778 deletions

View File

@@ -2,15 +2,18 @@ syntax = "proto3";
package next_edu_cloud.events.v1;
// Cross-service event contracts published by CoreEdu via the transactional
// outbox pattern and consumed by downstream services (notifications, analytics,
// audit, etc.). Topics follow the convention edu.{domain}.events.
// Cross-service event contracts published via the transactional outbox pattern
// and consumed by downstream services (notifications, analytics, audit, etc.).
// Topics follow the convention edu.<domain>.<aggregate>.<action>.
//
// Event routing (TOPIC_MAP in outbox.publisher.ts):
// Event routing (TOPIC_MAP in outbox publisher):
// edu.exam.events <- exam.created / exam.updated / exam.deleted
// edu.homework.events <- homework.assigned / homework.submitted / homework.graded
// edu.grade.events <- grade.recorded / grade.updated
// edu.class.events <- class.transferred
// edu.iam.user.events <- user.created / user.updated / user.disabled / user.role_changed
// edu.iam.role.events <- role.created / role.updated
// edu.iam.audit.created <- audit (unified audit topic, action field distinguishes)
message ClassEvent {
string event_id = 1;
@@ -58,3 +61,51 @@ message GradeEvent {
string action = 8;
map<string, string> metadata = 9;
}
// IAM 用户事件edu.iam.user.events topic
// action: created / updated / disabled / role_changed
message UserEvent {
string event_id = 1;
string aggregate_id = 2;
string event_type = 3;
int64 occurred_at = 4;
string user_id = 5;
string email = 6;
string name = 7;
repeated string roles = 8;
string data_scope = 9;
string action = 10;
map<string, string> metadata = 11;
}
// IAM 角色事件edu.iam.role.events topic
// action: created / updated / deleted
message RoleEvent {
string event_id = 1;
string aggregate_id = 2;
string event_type = 3;
int64 occurred_at = 4;
string role_id = 5;
string role_name = 6;
string action = 7;
map<string, string> metadata = 8;
}
// IAM 审计事件edu.iam.audit.created topic统一审计 topic
// action: create / update / delete / login / logout / permission_change
message AuditEvent {
string event_id = 1;
string aggregate_id = 2;
string event_type = 3;
int64 occurred_at = 4;
string actor_user_id = 5;
string action = 6;
string resource_type = 7;
string resource_id = 8;
string before_state = 9;
string after_state = 10;
string ip = 11;
string user_agent = 12;
string trace_id = 13;
map<string, string> metadata = 14;
}

View File

@@ -3,14 +3,33 @@ syntax = "proto3";
package next_edu_cloud.iam.v1;
// IamService 定义身份与访问管理契约
// P2: REST 实现P3 起转 gRPC
// 双入口策略president §2.16REST 供 gateway 透传 + admin-portal 直连,
// gRPC 供 BFF 聚合调用。同一 Application Service 同时被两种 Controller 调用。
// gRPC 端口 50052P2 即启用I1 裁决)。
service IamService {
// 认证类
rpc Register(RegisterRequest) returns (AuthResponse);
rpc Login(LoginRequest) returns (AuthResponse);
rpc RefreshToken(RefreshTokenRequest) returns (TokenPair);
rpc Logout(LogoutRequest) returns (LogoutResponse);
// 用户信息类
rpc GetUserInfo(GetUserInfoRequest) returns (UserInfo);
rpc BatchGetUsers(BatchGetUsersRequest) returns (BatchGetUsersResponse);
// 权限与视口类
rpc GetEffectivePermissions(GetEffectivePermissionsRequest) returns (EffectivePermissionsResponse);
rpc GetEffectiveAccess(GetEffectiveAccessRequest) returns (EffectiveAccessResponse);
rpc GetEffectiveDataScope(GetEffectiveDataScopeRequest) returns (DataScopeResponse);
rpc GetViewports(GetViewportsRequest) returns (ViewportsResponse);
// 密钥与关系类
rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKeyResponse);
rpc GetChildrenByParent(GetChildrenByParentRequest) returns (ChildrenResponse);
}
// ========== 认证类 ==========
message RegisterRequest {
string email = 1;
string password = 2;
@@ -26,8 +45,13 @@ message RefreshTokenRequest {
string refresh_token = 1;
}
message GetUserInfoRequest {
string user_id = 1;
message LogoutRequest {
string refresh_token = 1;
string user_id = 2;
}
message LogoutResponse {
bool success = 1;
}
message AuthResponse {
@@ -41,10 +65,95 @@ message TokenPair {
int32 expires_in = 3;
}
// ========== 用户信息类 ==========
message GetUserInfoRequest {
string user_id = 1;
}
message BatchGetUsersRequest {
repeated string user_ids = 1;
}
message BatchGetUsersResponse {
repeated UserInfo users = 1;
}
message UserInfo {
string id = 1;
string email = 2;
string name = 3;
repeated string roles = 4;
repeated string permissions = 5;
string data_scope = 6;
string status = 7;
}
// ========== 权限与视口类 ==========
message GetEffectivePermissionsRequest {
string user_id = 1;
}
message EffectivePermissionsResponse {
repeated string permissions = 1;
}
message GetEffectiveAccessRequest {
string user_id = 1;
string permission = 2;
}
message EffectiveAccessResponse {
bool allowed = 1;
string data_scope = 2;
}
message GetEffectiveDataScopeRequest {
string user_id = 1;
}
message DataScopeResponse {
string data_scope = 1;
}
message GetViewportsRequest {
string user_id = 1;
}
message ViewportsResponse {
repeated ViewportItem viewports = 1;
}
message ViewportItem {
string key = 1;
string label = 2;
string route = 3;
string icon = 4;
string sort_order = 5;
string required_permission = 6;
}
// ========== 密钥与关系类 ==========
message GetPublicKeyRequest {}
message PublicKeyResponse {
string kid = 1;
string alg = 2;
string public_key_pem = 3;
}
message GetChildrenByParentRequest {
string parent_id = 1;
}
message ChildrenResponse {
repeated ChildInfo children = 1;
}
message ChildInfo {
string student_id = 1;
string name = 2;
string relation = 3;
}