backend/app/data/seed_rbac.py

# =============================================================================
# 企微IT智能服务台 — RBAC 角色种子数据 (v0.7.1 task #86)
# =============================================================================
# 启动时调用,把 5 角色 + 权限矩阵写入 roles 表
# 兼容"角色已存在"的场景: 不重复插入,但更新 permissions
# =============================================================================

import logging
import uuid
from datetime import datetime

from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.models.role import Role
from app.services.rbac_service import (
    ROLE_METADATA,
    get_role_default_permissions,
)

logger = logging.getLogger(__name__)


async def seed_rbac_roles(db: AsyncSession) -> int:
    """种子 RBAC 5 角色。

    行为:
      1. 遍历 ROLE_METADATA
      2. 角色不存在 → 创建(UUID + 默认 permissions)
      3. 角色存在 → 更新 display_name / description / permissions
                       (不动 is_default,避免影响手动设置)

    Returns:
        int: 新建角色数
    """
    created_count = 0

    for role_name, meta in ROLE_METADATA.items():
        # 查询是否已存在
        stmt = select(Role).where(Role.name == role_name)
        result = await db.execute(stmt)
        role = result.scalars().first()

        permissions = get_role_default_permissions(role_name)

        if role:
            # 更新现有角色(不动 is_default,防止覆盖手动设置)
            role.display_name = meta["display_name"]
            role.description = meta["description"]
            role.permissions = permissions
            role.updated_at = datetime.now()
            logger.debug(f"更新角色: {role_name} ({len(permissions)} 项权限)")
        else:
            # 创建新角色
            role = Role(
                id=str(uuid.uuid4()),
                name=role_name,
                display_name=meta["display_name"],
                description=meta["description"],
                permissions=permissions,
                is_default=(meta["is_default"] == "true"),
                created_at=datetime.now(),
                updated_at=datetime.now(),
            )
            db.add(role)
            created_count += 1
            logger.info(f"创建角色: {role_name} ({len(permissions)} 项权限)")

    await db.commit()
    logger.info(f"RBAC 角色种子完成: 新建 {created_count} 个")
    return created_count
feat(v0.7.1): P0 修复 + 企微 SSO + RBAC 细粒度 + audit_log 2026-06-22 17:38:47 +08:00			`# =============================================================================`
			`# 企微IT智能服务台 — RBAC 角色种子数据 (v0.7.1 task #86)`
			`# =============================================================================`
			`# 启动时调用,把 5 角色 + 权限矩阵写入 roles 表`
			`# 兼容"角色已存在"的场景: 不重复插入,但更新 permissions`
			`# =============================================================================`

			`import logging`
			`import uuid`
			`from datetime import datetime`

			`from sqlalchemy import select`
			`from sqlalchemy.ext.asyncio import AsyncSession`

			`from app.models.role import Role`
			`from app.services.rbac_service import (`
			`ROLE_METADATA,`
			`get_role_default_permissions,`
			`)`

			`logger = logging.getLogger(__name__)`


			`async def seed_rbac_roles(db: AsyncSession) -> int:`
			`"""种子 RBAC 5 角色。`

			`行为:`
			`1. 遍历 ROLE_METADATA`
			`2. 角色不存在 → 创建(UUID + 默认 permissions)`
			`3. 角色存在 → 更新 display_name / description / permissions`
			`(不动 is_default,避免影响手动设置)`

			`Returns:`
			`int: 新建角色数`
			`"""`
			`created_count = 0`

			`for role_name, meta in ROLE_METADATA.items():`
			`# 查询是否已存在`
			`stmt = select(Role).where(Role.name == role_name)`
			`result = await db.execute(stmt)`
			`role = result.scalars().first()`

			`permissions = get_role_default_permissions(role_name)`

			`if role:`
			`# 更新现有角色(不动 is_default,防止覆盖手动设置)`
			`role.display_name = meta["display_name"]`
			`role.description = meta["description"]`
			`role.permissions = permissions`
			`role.updated_at = datetime.now()`
			`logger.debug(f"更新角色: {role_name} ({len(permissions)} 项权限)")`
			`else:`
			`# 创建新角色`
			`role = Role(`
			`id=str(uuid.uuid4()),`
			`name=role_name,`
			`display_name=meta["display_name"],`
			`description=meta["description"],`
			`permissions=permissions,`
			`is_default=(meta["is_default"] == "true"),`
			`created_at=datetime.now(),`
			`updated_at=datetime.now(),`
			`)`
			`db.add(role)`
			`created_count += 1`
			`logger.info(f"创建角色: {role_name} ({len(permissions)} 项权限)")`

			`await db.commit()`
			`logger.info(f"RBAC 角色种子完成: 新建 {created_count} 个")`
			`return created_count`