初步实现数据加密、权限管理、日志审计等功能

app/auth/dependencies.py

@@ -1,21 +1,94 @@
-from fastapi import Depends, HTTPException, status
+from typing import Annotated, Optional
+from fastapi import Depends, HTTPException, status, Request
 from fastapi.security import OAuth2PasswordBearer
-from app.core.config import settings
 from jose import jwt, JWTError
+from app.core.config import settings
+from app.domain.schemas.user import UserInDB, TokenPayload
+from app.infra.repositories.user_repository import UserRepository
+from app.infra.db.postgresql.database import Database
 
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl=f"{settings.API_V1_STR}/login/access-token")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl=f"{settings.API_V1_STR}/auth/login")
 
-async def get_current_user(token: str = Depends(oauth2_scheme)):
+# 数据库依赖
+async def get_db(request: Request) -> Database:
+    """
+    获取数据库实例
+    
+    从 FastAPI app.state 中获取在启动时初始化的数据库连接
+    """
+    if not hasattr(request.app.state, "db"):
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Database not initialized"
+        )
+    return request.app.state.db
+
+async def get_user_repository(db: Database = Depends(get_db)) -> UserRepository:
+    """获取用户仓储实例"""
+    return UserRepository(db)
+
+async def get_current_user(
+    token: str = Depends(oauth2_scheme),
+    user_repo: UserRepository = Depends(get_user_repository)
+) -> UserInDB:
+    """
+    获取当前登录用户
+    
+    从 JWT Token 中解析用户信息，并从数据库验证
+    """
     credentials_exception = HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,
         detail="Could not validate credentials",
         headers={"WWW-Authenticate": "Bearer"},
     )
+    
     try:
         payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
         username: str = payload.get("sub")
+        token_type: str = payload.get("type", "access")
+        
         if username is None:
             raise credentials_exception
+        
+        if token_type != "access":
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid token type. Access token required.",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        
     except JWTError:
         raise credentials_exception
-    return username
+    
+    # 从数据库获取用户
+    user = await user_repo.get_user_by_username(username)
+    if user is None:
+        raise credentials_exception
+    
+    return user
+
+async def get_current_active_user(
+    current_user: UserInDB = Depends(get_current_user),
+) -> UserInDB:
+    """
+    获取当前活跃用户（必须是激活状态）
+    """
+    if not current_user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Inactive user"
+        )
+    return current_user
+
+async def get_current_superuser(
+    current_user: UserInDB = Depends(get_current_user),
+) -> UserInDB:
+    """
+    获取当前超级管理员用户
+    """
+    if not current_user.is_superuser:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough privileges. Superuser access required."
+        )
+    return current_user

app/auth/permissions.py

@@ -0,0 +1,106 @@
+"""
+权限控制依赖项和装饰器
+
+基于角色的访问控制（RBAC）
+"""
+from typing import Callable
+from fastapi import Depends, HTTPException, status
+from app.domain.models.role import UserRole
+from app.domain.schemas.user import UserInDB
+from app.auth.dependencies import get_current_active_user
+
+def require_role(required_role: UserRole):
+    """
+    要求特定角色或更高权限
+    
+    用法:
+        @router.get("/admin-only")
+        async def admin_endpoint(user: UserInDB = Depends(require_role(UserRole.ADMIN))):
+            ...
+    
+    Args:
+        required_role: 需要的最低角色
+        
+    Returns:
+        依赖函数
+    """
+    async def role_checker(
+        current_user: UserInDB = Depends(get_current_active_user)
+    ) -> UserInDB:
+        user_role = UserRole(current_user.role)
+        
+        if not user_role.has_permission(required_role):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Insufficient permissions. Required role: {required_role.value}, "
+                       f"Your role: {user_role.value}"
+            )
+        
+        return current_user
+    
+    return role_checker
+
+# 预定义的权限检查依赖
+require_admin = require_role(UserRole.ADMIN)
+require_operator = require_role(UserRole.OPERATOR)
+require_user = require_role(UserRole.USER)
+
+def get_current_admin(
+    current_user: UserInDB = Depends(require_admin)
+) -> UserInDB:
+    """
+    获取当前管理员用户
+    
+    等同于 Depends(require_role(UserRole.ADMIN))
+    """
+    return current_user
+
+def get_current_operator(
+    current_user: UserInDB = Depends(require_operator)
+) -> UserInDB:
+    """
+    获取当前操作员用户（或更高权限）
+    
+    等同于 Depends(require_role(UserRole.OPERATOR))
+    """
+    return current_user
+
+def check_resource_owner(user_id: int, current_user: UserInDB) -> bool:
+    """
+    检查是否是资源拥有者或管理员
+    
+    Args:
+        user_id: 资源拥有者ID
+        current_user: 当前用户
+        
+    Returns:
+        是否有权限
+    """
+    # 管理员可以访问所有资源
+    if UserRole(current_user.role).has_permission(UserRole.ADMIN):
+        return True
+    
+    # 检查是否是资源拥有者
+    return current_user.id == user_id
+
+def require_owner_or_admin(user_id: int):
+    """
+    要求是资源拥有者或管理员
+    
+    Args:
+        user_id: 资源拥有者ID
+        
+    Returns:
+        依赖函数
+    """
+    async def owner_or_admin_checker(
+        current_user: UserInDB = Depends(get_current_active_user)
+    ) -> UserInDB:
+        if not check_resource_owner(user_id, current_user):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You don't have permission to access this resource"
+            )
+        return current_user
+    
+    return owner_or_admin_checker