初步实现数据加密、权限管理、日志审计等功能

resources/sql/001_create_users_table.sql

@@ -0,0 +1,67 @@
+-- ============================================
+-- TJWater Server 用户系统数据库迁移脚本
+-- ============================================
+
+-- 创建用户表
+CREATE TABLE IF NOT EXISTS users (
+    id SERIAL PRIMARY KEY,
+    username VARCHAR(50) UNIQUE NOT NULL,
+    email VARCHAR(100) UNIQUE NOT NULL,
+    hashed_password VARCHAR(255) NOT NULL,
+    role VARCHAR(20) DEFAULT 'USER' NOT NULL,
+    is_active BOOLEAN DEFAULT TRUE NOT NULL,
+    is_superuser BOOLEAN DEFAULT FALSE NOT NULL,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    
+    CONSTRAINT users_role_check CHECK (role IN ('ADMIN', 'OPERATOR', 'USER', 'VIEWER'))
+);
+
+-- 创建索引
+CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+CREATE INDEX IF NOT EXISTS idx_users_role ON users(role);
+CREATE INDEX IF NOT EXISTS idx_users_is_active ON users(is_active);
+
+-- 创建触发器自动更新 updated_at
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = CURRENT_TIMESTAMP;
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS update_users_updated_at ON users;
+CREATE TRIGGER update_users_updated_at 
+    BEFORE UPDATE ON users
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at_column();
+
+-- 创建默认管理员账号 (密码: admin123)
+INSERT INTO users (username, email, hashed_password, role, is_superuser)
+VALUES (
+    'admin',
+    'admin@tjwater.com',
+    '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5aeAJK.1tYKAW',
+    'ADMIN',
+    TRUE
+) ON CONFLICT (username) DO NOTHING;
+
+-- 迁移现有硬编码用户 (tjwater/tjwater@123)
+INSERT INTO users (username, email, hashed_password, role, is_superuser)
+VALUES (
+    'tjwater',
+    'tjwater@tjwater.com',
+    '$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW',
+    'ADMIN',
+    TRUE
+) ON CONFLICT (username) DO NOTHING;
+
+-- 添加注释
+COMMENT ON TABLE users IS '用户表 - 存储系统用户信息';
+COMMENT ON COLUMN users.id IS '用户ID（主键）';
+COMMENT ON COLUMN users.username IS '用户名（唯一）';
+COMMENT ON COLUMN users.email IS '邮箱地址（唯一）';
+COMMENT ON COLUMN users.hashed_password IS 'bcrypt 密码哈希';
+COMMENT ON COLUMN users.role IS '用户角色: ADMIN, OPERATOR, USER, VIEWER';

resources/sql/002_create_audit_logs_table.sql

@@ -0,0 +1,45 @@
+-- ============================================
+-- TJWater Server 审计日志表迁移脚本
+-- ============================================
+
+-- 创建审计日志表
+CREATE TABLE IF NOT EXISTS audit_logs (
+    id SERIAL PRIMARY KEY,
+    user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,
+    username VARCHAR(50),
+    action VARCHAR(50) NOT NULL,
+    resource_type VARCHAR(50),
+    resource_id VARCHAR(100),
+    ip_address VARCHAR(45),
+    user_agent TEXT,
+    request_method VARCHAR(10),
+    request_path TEXT,
+    request_data JSONB,
+    response_status INTEGER,
+    error_message TEXT,
+    timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL
+);
+
+-- 创建索引以提高查询性能
+CREATE INDEX IF NOT EXISTS idx_audit_logs_user_id ON audit_logs(user_id);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_username ON audit_logs(username);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_timestamp ON audit_logs(timestamp DESC);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_action ON audit_logs(action);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_resource ON audit_logs(resource_type, resource_id);
+
+-- 添加注释
+COMMENT ON TABLE audit_logs IS '审计日志表 - 记录所有关键操作';
+COMMENT ON COLUMN audit_logs.id IS '日志ID（主键）';
+COMMENT ON COLUMN audit_logs.user_id IS '用户ID（外键）';
+COMMENT ON COLUMN audit_logs.username IS '用户名（冗余字段，用于用户删除后仍可查询）';
+COMMENT ON COLUMN audit_logs.action IS '操作类型（如：LOGIN, LOGOUT, CREATE, UPDATE, DELETE）';
+COMMENT ON COLUMN audit_logs.resource_type IS '资源类型（如：user, project, network）';
+COMMENT ON COLUMN audit_logs.resource_id IS '资源ID';
+COMMENT ON COLUMN audit_logs.ip_address IS '客户端IP地址';
+COMMENT ON COLUMN audit_logs.user_agent IS '客户端User-Agent';
+COMMENT ON COLUMN audit_logs.request_method IS 'HTTP请求方法';
+COMMENT ON COLUMN audit_logs.request_path IS '请求路径';
+COMMENT ON COLUMN audit_logs.request_data IS '请求数据（JSON格式，敏感信息已脱敏）';
+COMMENT ON COLUMN audit_logs.response_status IS 'HTTP响应状态码';
+COMMENT ON COLUMN audit_logs.error_message IS '错误消息（如果有）';
+COMMENT ON COLUMN audit_logs.timestamp IS '操作时间';