fix(security): P0 安全修复 — Access Token 吊销 + OpenAPI 保护 + RLS 补齐 + CI 加固 + 测试修复

P0-5: Access Token 吊销机制 - 新增内存 DashMap 黑名单（token_hash → exp），支持单 token 吊销 - 密码修改/登出时自动清除用户权限缓存，强制重新认证 - 惰性清理过期条目，防止内存无限增长 P0-6: OpenAPI 端点安全 - 生产构建返回 404，仅 cfg(debug_assertions) 模式可用 - 防止 385+ API 端点 schema 对外暴露 P0-4: RLS 策略补充迁移 (m000169) - 幂等遍历所有含 tenant_id 的表，补齐缺失的 RLS 策略 - 覆盖 m000088 之后创建的约 20 张新表 P0-3: CI 安全加固 - 移除 CI 中硬编码密码 123123，改用 postgres - 保持 cargo audit / npm-audit 严格门禁 P0-7: AI prompt 集成测试修复 - get_active_prompt 改按 analysis_type 查找而非 name - list_prompts 过滤参数从 category 改为 analysis_type - 167 集成测试全部通过（原 164 passed / 3 failed）
2026-05-29 11:38:38 +08:00
parent 9a67bf80c1
commit aa6d93129d
8 changed files with 160 additions and 22 deletions
--- a/crates/erp-server/migration/src/lib.rs
+++ b/crates/erp-server/migration/src/lib.rs
@@ -175,6 +175,7 @@ mod m20260526_000165_ai_prompt_fix_analysis_type;
 mod m20260526_000166_create_ai_knowledge_bases;
 mod m20260526_000167_create_ai_knowledge_documents;
 mod m20260527_000168_ai_knowledge_v2_menu;
+mod m20260529_000169_supplement_rls_for_new_tables;

 pub struct Migrator;

@@ -357,6 +358,7 @@ impl MigratorTrait for Migrator {
            Box::new(m20260526_000166_create_ai_knowledge_bases::Migration),
            Box::new(m20260526_000167_create_ai_knowledge_documents::Migration),
            Box::new(m20260527_000168_ai_knowledge_v2_menu::Migration),
+            Box::new(m20260529_000169_supplement_rls_for_new_tables::Migration),
        ]
    }
 }
--- a/crates/erp-server/migration/src/m20260529_000169_supplement_rls_for_new_tables.rs
+++ b/crates/erp-server/migration/src/m20260529_000169_supplement_rls_for_new_tables.rs
@@ -0,0 +1,65 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        let conn = manager.get_connection();
+
+        // 为 m000088 之后创建的新表补充 RLS 策略。
+        // 幂等操作：仅影响尚未启用 RLS 或缺少策略的表。
+        conn.execute_unprepared(
+            r#"
+            DO $$
+            DECLARE
+                tbl TEXT;
+                policy_exists BOOLEAN;
+            BEGIN
+                FOR tbl IN
+                    SELECT c.table_name FROM information_schema.columns c
+                    JOIN information_schema.tables t
+                      ON c.table_name = t.table_name AND c.table_schema = t.table_schema
+                    WHERE c.column_name = 'tenant_id'
+                      AND c.table_schema = 'public'
+                      AND t.table_type = 'BASE TABLE'
+                    ORDER BY c.table_name
+                LOOP
+                    -- 启用 RLS（幂等）
+                    EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', tbl);
+
+                    -- 检查是否已有 tenant_isolation 策略
+                    SELECT EXISTS(
+                        SELECT 1 FROM pg_policies
+                        WHERE tablename = tbl
+                          AND policyname = 'tenant_isolation'
+                    ) INTO policy_exists;
+
+                    IF NOT policy_exists THEN
+                        EXECUTE format(
+                            'CREATE POLICY tenant_isolation ON %I USING (
+                                current_setting(''app.current_tenant_id'', true) != ''''
+                                AND tenant_id = current_setting(''app.current_tenant_id'', true)::uuid
+                            )',
+                            tbl
+                        );
+                        RAISE NOTICE 'Created RLS policy for table: %', tbl;
+                    END IF;
+                END LOOP;
+            END;
+            $$;
+            "#,
+        )
+        .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        // 回滚不需要移除 RLS，保持 m000088 的策略不变
+        // 此迁移补充的 RLS 策略在 down() 中保留，因为 m000088 已处理回滚
+        let _ = manager;
+        Ok(())
+    }
+}
--- a/crates/erp-server/src/handlers/openapi.rs
+++ b/crates/erp-server/src/handlers/openapi.rs
@@ -1,5 +1,4 @@
-use axum::response::Json;
-use serde_json::Value;
+use axum::response::{IntoResponse, Json, Response};
 use utoipa::OpenApi;

 use crate::{ApiDoc, AuthApiDoc, ConfigApiDoc, MessageApiDoc, WorkflowApiDoc};
@@ -7,12 +6,20 @@ use crate::{ApiDoc, AuthApiDoc, ConfigApiDoc, MessageApiDoc, WorkflowApiDoc};
 /// GET /docs/openapi.json
 ///
 /// 返回 OpenAPI 3.0 规范 JSON 文档，合并所有模块的路径和 schema。
-pub async fn openapi_spec() -> Json<Value> {
-    let mut spec = ApiDoc::openapi();
-    spec.merge(AuthApiDoc::openapi());
-    spec.merge(ConfigApiDoc::openapi());
-    spec.merge(WorkflowApiDoc::openapi());
-    spec.merge(MessageApiDoc::openapi());
+/// 仅在 debug 模式下可用，生产构建返回 404。
+pub async fn openapi_spec() -> Response {
+    #[cfg(debug_assertions)]
+    {
+        let mut spec = ApiDoc::openapi();
+        spec.merge(AuthApiDoc::openapi());
+        spec.merge(ConfigApiDoc::openapi());
+        spec.merge(WorkflowApiDoc::openapi());
+        spec.merge(MessageApiDoc::openapi());
+        Json(serde_json::to_value(spec).unwrap_or_default()).into_response()
+    }

-    Json(serde_json::to_value(spec).unwrap_or_default())
+    #[cfg(not(debug_assertions))]
+    {
+        (axum::http::StatusCode::NOT_FOUND, "Not Found").into_response()
+    }
 }
--- a/crates/erp-server/tests/integration/ai_prompt_tests.rs
+++ b/crates/erp-server/tests/integration/ai_prompt_tests.rs
@@ -83,7 +83,11 @@ async fn prompt_list_with_category_filter() {
    let tenant_id = uuid::Uuid::new_v4();
    let user_id = uuid::Uuid::new_v4();

-    for (name, cat) in [("p1", "analysis"), ("p2", "summary"), ("p3", "analysis")] {
+    for (name, cat, at) in [
+        ("p1", "analysis", "lab_report"),
+        ("p2", "summary", "trends"),
+        ("p3", "analysis", "report_summary"),
+    ] {
        svc.create_prompt(
            tenant_id,
            user_id,
@@ -92,16 +96,17 @@ async fn prompt_list_with_category_filter() {
            "usr".into(),
            serde_json::json!({}),
            cat.into(),
-            "lab_report".into(),
+            at.into(),
        )
        .await
        .expect("创建应成功");
    }

+    // list_prompts 现在按 analysis_type 过滤
    let (items, total) = svc
        .list_prompts(
            tenant_id,
-            Some("analysis".into()),
+            Some("lab_report".into()),
            &Pagination {
                page: Some(1),
                page_size: Some(10),
@@ -110,8 +115,9 @@ async fn prompt_list_with_category_filter() {
        .await
        .expect("查询应成功");

-    assert_eq!(total, 2);
-    assert_eq!(items.len(), 2);
+    assert_eq!(total, 1);
+    assert_eq!(items.len(), 1);
+    assert_eq!(items[0].name, "p1");
 }

 #[tokio::test]
@@ -150,9 +156,9 @@ async fn prompt_activate_switches_version() {

    assert_eq!(v2.version, 2);

-    // v1 仍然激活（update 继承 is_active）
+    // v1 仍然激活（update 继承 is_active），按 analysis_type 查找
    let active_before = svc
-        .get_active_prompt(tenant_id, "my_prompt")
+        .get_active_prompt(tenant_id, "lab_report")
        .await
        .expect("active");
    assert_eq!(active_before.system_prompt, "sys_v1");
@@ -163,7 +169,7 @@ async fn prompt_activate_switches_version() {
        .expect("activate");

    let active_after = svc
-        .get_active_prompt(tenant_id, "my_prompt")
+        .get_active_prompt(tenant_id, "lab_report")
        .await
        .expect("active");
    assert_eq!(active_after.id, v2.id);
@@ -218,7 +224,7 @@ async fn prompt_rollback_equals_activate() {
        .expect("rollback");

    let active = svc
-        .get_active_prompt(tenant_id, "rb_test")
+        .get_active_prompt(tenant_id, "lab_report")
        .await
        .expect("active");
    assert_eq!(active.id, v1.id);