feat(phase8): US7 用户管理模块（角色变更立即生效、禁用即失效）

- RedisService：新增 hPut/sAdd/sRemove/sMembers Set 操作 - RedisKeyManager：新增 userSessionsKey(userId) = user:sessions:{userId} - AuthService：login 后将 token 加入 user:sessions 集合；logout 时从集合移除 - UserService：createUser/updateUser/updateRole/updateStatus - updateRole：DB 写入后更新所有活跃 Token 的 role 字段（立即生效，无需重新登录） - updateStatus(DISABLED)：删除所有活跃 Token（立即失效），清除 sessions 集合 - UserController：5 个端点全部 @RequiresRoles("ADMIN") - 集成测试：角色变更同一 Token 立即生效；禁用后 Token 立即 401
2026-04-09 15:48:07 +08:00
parent 49666d1579
commit f6c3b0b4c6
6 changed files with 503 additions and 0 deletions
--- a/src/test/java/com/label/integration/UserManagementIntegrationTest.java
+++ b/src/test/java/com/label/integration/UserManagementIntegrationTest.java
@@ -0,0 +1,177 @@
+package com.label.integration;
+
+import com.label.AbstractIntegrationTest;
+import com.label.module.user.dto.LoginRequest;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.*;
+
+import java.util.Map;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * 用户管理集成测试（US7）。
+ *
+ * 测试场景：
+ * 1. 变更角色后权限下一次请求立即生效（无需重新登录）
+ * 2. 禁用账号后现有 Token 下一次请求立即返回 401
+ */
+public class UserManagementIntegrationTest extends AbstractIntegrationTest {
+
+    @Autowired
+    private TestRestTemplate restTemplate;
+
+    private String adminToken;
+
+    @BeforeEach
+    void setup() {
+        adminToken = loginAndGetToken("DEMO", "admin", "admin123");
+        assertThat(adminToken).isNotBlank();
+    }
+
+    // ------------------------------------------------------------------ 测试 1: 角色变更立即生效 --
+
+    @Test
+    @DisplayName("创建用户为 ANNOTATOR，变更为 REVIEWER 后同一 Token 立即可访问审批接口")
+    void updateRole_takesEffectImmediately() {
+        String uniqueUsername = "testuser-" + UUID.randomUUID().toString().substring(0, 8);
+
+        // 1. 创建 ANNOTATOR 用户
+        HttpHeaders headers = new HttpHeaders();
+        headers.set("Authorization", "Bearer " + adminToken);
+        headers.setContentType(MediaType.APPLICATION_JSON);
+
+        ResponseEntity<Map> createResp = restTemplate.exchange(
+                baseUrl("/api/users"),
+                HttpMethod.POST,
+                new HttpEntity<>(Map.of(
+                        "username", uniqueUsername,
+                        "password", "test1234",
+                        "realName", "测试用户",
+                        "role", "ANNOTATOR"
+                ), headers),
+                Map.class);
+        assertThat(createResp.getStatusCode()).isEqualTo(HttpStatus.OK);
+
+        @SuppressWarnings("unchecked")
+        Map<String, Object> userData = (Map<String, Object>) createResp.getBody().get("data");
+        Long newUserId = ((Number) userData.get("id")).longValue();
+
+        // 2. 新用户登录获取 Token
+        String userToken = loginAndGetToken("DEMO", uniqueUsername, "test1234");
+        assertThat(userToken).isNotBlank();
+
+        // 3. 验证：ANNOTATOR 无法访问待审批队列（REVIEWER 专属）→ 403
+        ResponseEntity<Map> beforeRoleChange = restTemplate.exchange(
+                baseUrl("/api/tasks/pending-review"),
+                HttpMethod.GET,
+                bearerRequest(userToken),
+                Map.class);
+        assertThat(beforeRoleChange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+
+        // 4. ADMIN 变更角色为 REVIEWER
+        ResponseEntity<Map> roleResp = restTemplate.exchange(
+                baseUrl("/api/users/" + newUserId + "/role"),
+                HttpMethod.PUT,
+                new HttpEntity<>(Map.of("role", "REVIEWER"), headers),
+                Map.class);
+        assertThat(roleResp.getStatusCode()).isEqualTo(HttpStatus.OK);
+
+        // 5. 验证：同一 Token 下次请求立即具有 REVIEWER 权限 → 200
+        ResponseEntity<Map> afterRoleChange = restTemplate.exchange(
+                baseUrl("/api/tasks/pending-review"),
+                HttpMethod.GET,
+                bearerRequest(userToken),
+                Map.class);
+        assertThat(afterRoleChange.getStatusCode())
+                .as("角色变更后同一 Token 应立即具有 REVIEWER 权限")
+                .isEqualTo(HttpStatus.OK);
+    }
+
+    // ------------------------------------------------------------------ 测试 2: 禁用账号 Token 立即失效 --
+
+    @Test
+    @DisplayName("禁用账号后，现有 Token 下一次请求立即返回 401")
+    void disableAccount_tokenInvalidatedImmediately() {
+        String uniqueUsername = "testuser-" + UUID.randomUUID().toString().substring(0, 8);
+
+        // 1. 创建用户
+        HttpHeaders headers = new HttpHeaders();
+        headers.set("Authorization", "Bearer " + adminToken);
+        headers.setContentType(MediaType.APPLICATION_JSON);
+
+        ResponseEntity<Map> createResp = restTemplate.exchange(
+                baseUrl("/api/users"),
+                HttpMethod.POST,
+                new HttpEntity<>(Map.of(
+                        "username", uniqueUsername,
+                        "password", "test1234",
+                        "realName", "测试用户",
+                        "role", "ANNOTATOR"
+                ), headers),
+                Map.class);
+        assertThat(createResp.getStatusCode()).isEqualTo(HttpStatus.OK);
+
+        @SuppressWarnings("unchecked")
+        Map<String, Object> userData = (Map<String, Object>) createResp.getBody().get("data");
+        Long newUserId = ((Number) userData.get("id")).longValue();
+
+        // 2. 新用户登录，获取 Token
+        String userToken = loginAndGetToken("DEMO", uniqueUsername, "test1234");
+        assertThat(userToken).isNotBlank();
+
+        // 3. 验证 Token 有效
+        ResponseEntity<Map> meResp = restTemplate.exchange(
+                baseUrl("/api/auth/me"),
+                HttpMethod.GET,
+                bearerRequest(userToken),
+                Map.class);
+        assertThat(meResp.getStatusCode()).isEqualTo(HttpStatus.OK);
+
+        // 4. ADMIN 禁用账号
+        ResponseEntity<Map> disableResp = restTemplate.exchange(
+                baseUrl("/api/users/" + newUserId + "/status"),
+                HttpMethod.PUT,
+                new HttpEntity<>(Map.of("status", "DISABLED"), headers),
+                Map.class);
+        assertThat(disableResp.getStatusCode()).isEqualTo(HttpStatus.OK);
+
+        // 5. 验证：禁用后，现有 Token 立即失效 → 401
+        ResponseEntity<Map> meAfterDisable = restTemplate.exchange(
+                baseUrl("/api/auth/me"),
+                HttpMethod.GET,
+                bearerRequest(userToken),
+                Map.class);
+        assertThat(meAfterDisable.getStatusCode())
+                .as("禁用账号后现有 Token 应立即失效")
+                .isEqualTo(HttpStatus.UNAUTHORIZED);
+    }
+
+    // ------------------------------------------------------------------ 工具方法 --
+
+    private String loginAndGetToken(String companyCode, String username, String password) {
+        LoginRequest req = new LoginRequest();
+        req.setCompanyCode(companyCode);
+        req.setUsername(username);
+        req.setPassword(password);
+        ResponseEntity<Map> response = restTemplate.postForEntity(
+                baseUrl("/api/auth/login"), req, Map.class);
+        if (!response.getStatusCode().is2xxSuccessful()) {
+            return null;
+        }
+        @SuppressWarnings("unchecked")
+        Map<String, Object> data = (Map<String, Object>) response.getBody().get("data");
+        return (String) data.get("token");
+    }
+
+    private HttpEntity<Void> bearerRequest(String token) {
+        HttpHeaders headers = new HttpHeaders();
+        headers.set("Authorization", "Bearer " + token);
+        return new HttpEntity<>(headers);
+    }
+}