feat(i7): async webhook delivery queue, OPS RBAC, UI role routing; docs and runbook

- Architect: I7_DESIGN.md, I7_IMPLEMENTATION_REVIEW.md; parallel index + track B - Backend: @EnableMethodSecurity; OPS login; CallbackInbox PreAuthorize; IntegrationCatalog triple role - Webhook: V2 webhook_platform_delivery; planner + scheduler + single-shot forwarder; tests - Frontend: Pinia hasAnyRole; MainLayout/HomeView/router for OPS vs dev - Runbook §10.5 delivery config Made-with: Cursor
2026-06-09 10:00:30 +08:00 · 2026-04-06 23:01:10 +08:00
parent ce49fe143c
commit 5fe7181b35
33 changed files with 936 additions and 200 deletions
@@ -4,8 +4,10 @@ import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@SpringBootApplication(exclude = UserDetailsServiceAutoConfiguration.class)
+@EnableMethodSecurity
@MapperScan("cn.craftlabs.platform.api.persistence")
 public class PlatformApplication {

@@ -1,6 +1,7 @@
 package cn.craftlabs.platform.api.auth;

 import cn.craftlabs.platform.api.security.JwtService;
+import cn.craftlabs.platform.api.security.PlatformRoles;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -30,29 +31,42 @@ public class AuthController {
        String pass = body.getOrDefault("password", "");
        if ("admin".equals(user) && "admin".equals(pass)) {
            String token =
-                    jwtService.createToken(user, "管理员", List.of("SYS_ADMIN"));
+                    jwtService.createToken(user, "管理员", List.of(PlatformRoles.SYS_ADMIN));
            return Map.of(
                    "token",
                    token,
                    "tokenType",
                    "Bearer",
                    "roles",
-                    List.of("SYS_ADMIN"),
+                    List.of(PlatformRoles.SYS_ADMIN),
                    "displayName",
                    "管理员");
        }
        if ("dev".equals(user) && "dev".equals(pass)) {
-            String token = jwtService.createToken(user, "开发账号", List.of("DEVELOPER"));
+            String token =
+                    jwtService.createToken(user, "开发账号", List.of(PlatformRoles.DEVELOPER));
            return Map.of(
                    "token",
                    token,
                    "tokenType",
                    "Bearer",
                    "roles",
-                    List.of("DEVELOPER"),
+                    List.of(PlatformRoles.DEVELOPER),
                    "displayName",
                    "开发账号");
        }
+        if ("ops".equals(user) && "ops".equals(pass)) {
+            String token = jwtService.createToken(user, "运营账号", List.of(PlatformRoles.OPS));
+            return Map.of(
+                    "token",
+                    token,
+                    "tokenType",
+                    "Bearer",
+                    "roles",
+                    List.of(PlatformRoles.OPS),
+                    "displayName",
+                    "运营账号");
+        }
        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "invalid credentials");
    }
 }
@@ -15,6 +15,7 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.RestController;

 import java.time.OffsetDateTime;
@@ -22,6 +23,7 @@ import java.time.OffsetDateTime;
@RestController
@RequestMapping("/api/v1/callback-inbox")
@Validated
+@PreAuthorize("hasAnyRole('OPS','SYS_ADMIN')")
 public class CallbackInboxController {

    private final CallbackInboxService callbackInboxService;
@@ -11,11 +11,13 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/v1/integration")
@Validated
+@PreAuthorize("hasAnyRole('OPS','SYS_ADMIN','DEVELOPER')")
 public class IntegrationCatalogController {

    private final IntegrationCatalogService integrationCatalogService;
@@ -0,0 +1,14 @@
+package cn.craftlabs.platform.api.security;
+
+/**
+ * I7：JWT {@code roles} 声明值（过滤器会加上 {@code ROLE_} 前缀）。
+ */
+public final class PlatformRoles {
+
+    public static final String SYS_ADMIN = "SYS_ADMIN";
+    public static final String DEVELOPER = "DEVELOPER";
+    /** 运营：Callback Inbox 等（不包含合同/交付等业务写接口的默认放宽）。 */
+    public static final String OPS = "OPS";
+
+    private PlatformRoles() {}
+}
@@ -28,6 +28,17 @@ class AuthControllerTest {
                .andExpect(jsonPath("$.token").exists());
    }

+    @Test
+    void opsLoginReturnsOpsRole() throws Exception {
+        mockMvc.perform(
+                        post("/api/v1/auth/login")
+                                .contentType(MediaType.APPLICATION_JSON)
+                                .content("{\"username\":\"ops\",\"password\":\"ops\"}"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.token").exists())
+                .andExpect(jsonPath("$.roles[0]").value("OPS"));
+    }
+
    @Test
    void loginFail() throws Exception {
        mockMvc.perform(
@@ -108,6 +108,17 @@ class CallbackInboxControllerTest {
                .andExpect(status().isNotFound());
    }

+    @Test
+    void developerCannotAccessCallbackInbox() throws Exception {
+        String token = JwtTestSupport.obtainBearerToken(mockMvc, objectMapper, "dev", "dev");
+        mockMvc.perform(
+                        get("/api/v1/callback-inbox")
+                                .header("Authorization", "Bearer " + token)
+                                .param("page", "0")
+                                .param("size", "10"))
+                .andExpect(status().isForbidden());
+    }
+
    private String minimalIngestJson(String externalMessageId) throws Exception {
        ObjectNode root = objectMapper.createObjectNode();
        root.put("schemaVersion", "1.0");
@@ -12,11 +12,21 @@ public final class JwtTestSupport {
    private JwtTestSupport() {}

    public static String obtainBearerToken(MockMvc mockMvc, ObjectMapper objectMapper) throws Exception {
+        return obtainBearerToken(mockMvc, objectMapper, "admin", "admin");
+    }
+
+    public static String obtainBearerToken(
+            MockMvc mockMvc, ObjectMapper objectMapper, String username, String password) throws Exception {
        MvcResult login =
                mockMvc.perform(
                                post("/api/v1/auth/login")
                                        .contentType(MediaType.APPLICATION_JSON)
-                                        .content("{\"username\":\"admin\",\"password\":\"admin\"}"))
+                                        .content(
+                                                "{\"username\":\""
+                                                        + username
+                                                        + "\",\"password\":\""
+                                                        + password
+                                                        + "\"}"))
                        .andReturn();
        String body = login.getResponse().getContentAsString();
        return objectMapper.readTree(body).get("token").asText();