feat: 多租户权限与安全体系重构

- 新增 RBAC 权限矩阵: 自定义角色、权限定义、成员权限管理
- 新增 TOTP 双因素认证: 启用、确认、验证完整流程
- 新增配额管理系统: 账户配额模型与执行逻辑
- 新增用户与账户模型: 独立用户认证与多租户账户关联
- 新增安全中间件: Admin 鉴权中间件、依赖注入鉴权
- 新增 gRPC 增强: 流超时控制、设备注销、会话管理优化
- 新增 OOBE 初始化引导模块
- 新增加密服务: 独立 crypto 模块
- 新增 OpenAPI 导出脚本
- 重构 Admin API: 拆分路由为账户/角色/权限/配额/TOTP 子模块
- 重构租户体系: 移除旧 tenant 模型，采用 account 体系
- 重构认证令牌与资源令牌服务
- 增强测试覆盖: 安全攻击、多租户隔离、权限、配额、TOTP 等
- 修复数据库安全: 参数化 schema 操作，防止 SQL 注入
- 更新依赖与项目配置

Author: Alexander Green

.gitignore

@@ -190,3 +190,6 @@ settings.json
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 cims_server.key
+
+# CIMS 本地配置
+.cims/

.idea/dataSources.xml

@@ -0,0 +1 @@
+"""HTTP API 路由聚合包。"""

.idea/db-forest-config.xml

@@ -0,0 +1 @@
+"""管理端 API 路由子包。"""

app/api/__init__.py

@@ -0,0 +1,53 @@
+"""账户管理路由。
+
+提供账户列表查询和详情查看端点，
+需要管理员或以上权限。
+"""
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.session import get_db
+from app.models.account import Account
+from app.core.auth.dependencies import require_role
+from app.api.schemas.account import AccountOut
+
+router = APIRouter()
+_admin = require_role(90)
+
+
+@router.get("", response_model=list[AccountOut])
+async def list_accounts(
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_admin),
+):
+    """查询所有账户列表（需管理员）。"""
+    result = await db.execute(select(Account))
+    return [_to_out(a) for a in result.scalars().all()]
+
+
+@router.get("/{account_id}", response_model=AccountOut)
+async def get_account(
+    account_id: str,
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_admin),
+):
+    """查询单个账户详情（需管理员）。"""
+    result = await db.execute(select(Account).where(Account.id == account_id))
+    acct = result.scalar_one_or_none()
+    if not acct:
+        raise HTTPException(status_code=404, detail="账户不存在")
+    return _to_out(acct)
+
+
+def _to_out(acct) -> AccountOut:
+    """将 Account 模型转换为响应模型。"""
+    return AccountOut(
+        id=acct.id,
+        name=acct.name,
+        slug=acct.slug,
+        api_key=acct.api_key,
+        is_active=acct.is_active,
+        created_at=str(acct.created_at),
+    )

app/api/admin/__init__.py

@@ -1,33 +1,73 @@
 """管理端身份认证处理器。
 
-管理使用 ADMIN_SECRET 的登录以及令牌注销逻辑。
+提供用户注册和登录端点，支持 TOTP 2FA 流程。
 """
 
-from fastapi import APIRouter, Body, HTTPException, Request
-from app.core.config import ADMIN_SECRET
-from app.api.schemas.auth import TokenResponse, AdminLoginRequest
-from app.services import auth_token
+from fastapi import APIRouter, Body, Depends, HTTPException
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.session import get_db
+from app.api.schemas.user import UserRegisterRequest, UserLoginRequest
+from app.api.schemas.auth import TokenResponse, MessageResponse
+from app.services.user.register import register_user
+from app.services.user.login import login_user
 
 router = APIRouter()
 
 
-@router.post("/login", response_model=TokenResponse)
-async def admin_login(
-    payload: AdminLoginRequest = Body(...),
+@router.post("/register", response_model=TokenResponse)
+async def user_register(
+    payload: UserRegisterRequest = Body(...),
+    db: AsyncSession = Depends(get_db),
 ):
-    """通过全局管理密钥兑换 Admin Bearer 令牌。"""
-    if payload.secret != ADMIN_SECRET:
-        raise HTTPException(status_code=403, detail="Invalid secret")
+    """注册新用户并自动创建关联账户。"""
+    try:
+        user = await register_user(
+            payload.username,
+            payload.email,
+            payload.password,
+            payload.display_name,
+            db,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail=str(exc))
+    from app.services.crypto.token_factory import create_session_token
 
-    token = await auth_token.generate_token("admin")
+    token = await create_session_token(user.id)
     return TokenResponse(token=token)
 
 
-@router.post("/logout")
-async def admin_logout(request: Request):
-    """使当前的 Admin 会话失效并注销。"""
-    auth = request.headers.get("authorization", "")
-    bearer = auth[7:] if auth.startswith("Bearer ") else ""
-    if bearer:
-        await auth_token.revoke_token(bearer)
-    return {"status": "success", "message": "Logged out"}
+@router.post("/login")
+async def user_login(
+    payload: UserLoginRequest = Body(...),
+    db: AsyncSession = Depends(get_db),
+):
+    """用户登录，支持 2FA 流程。"""
+    try:
+        token, user, needs_2fa = await login_user(
+            payload.email,
+            payload.password,
+            db,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=401, detail=str(exc))
+    if needs_2fa:
+        from app.api.admin.totp_verify import create_2fa_temp_token
+
+        temp = await create_2fa_temp_token(user.id)
+        return {"requires_2fa": True, "temp_token": temp}
+    return {"token": token}
+
+
+@router.post("/logout", response_model=MessageResponse)
+async def user_logout(request=None):
+    """注销当前用户会话。"""
+    if request:
+        auth = request.headers.get("authorization", "")
+        if auth.startswith("Bearer "):
+            from app.core.redis.accessor import get_redis
+            from app.core.config import REDIS_DB_AUTH
+
+            rd = get_redis(REDIS_DB_AUTH)
+            await rd.delete(f"session:{auth[7:]}")
+    return MessageResponse(message="已登出")

app/api/admin/account_routes.py

@@ -0,0 +1,63 @@
+"""权限管理路由。
+
+提供权限定义查询、授予和撤销端点。
+"""
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.session import get_db
+from app.models.permission_def import PermissionDef
+from app.core.auth.dependencies import require_role
+from app.api.schemas.permission import (
+    PermissionGrantRequest,
+    PermissionRevokeRequest,
+    PermissionDefOut,
+)
+from app.services.permission.grants import (
+    grant_permission,
+    revoke_permission,
+)
+
+router = APIRouter()
+_admin = require_role(90)
+
+
+@router.get("/defs", response_model=list[PermissionDefOut])
+async def list_permission_defs(
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_admin),
+):
+    """查询所有权限定义（需管理员）。"""
+    result = await db.execute(select(PermissionDef))
+    return [
+        PermissionDefOut(code=p.code, label=p.label, category=p.category)
+        for p in result.scalars().all()
+    ]
+
+
+@router.post("/grant")
+async def grant(
+    body: PermissionGrantRequest,
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_admin),
+):
+    """授予或显式拒绝成员权限（需管理员）。"""
+    perm = await grant_permission(
+        body.member_id, body.permission_code, db, granted=body.granted
+    )
+    return {"status": "success", "id": perm.id}
+
+
+@router.post("/revoke")
+async def revoke(
+    body: PermissionRevokeRequest,
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_admin),
+):
+    """撤销成员权限覆盖（需管理员）。"""
+    ok = await revoke_permission(body.member_id, body.permission_code, db)
+    if not ok:
+        raise HTTPException(status_code=404, detail="权限记录不存在")
+    return {"status": "success"}

app/api/admin/auth_routes.py

@@ -0,0 +1,50 @@
+"""限额管理路由。
+
+提供账户限额查询和设置端点，
+需要超级管理员权限。
+"""
+
+from fastapi import APIRouter, Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.session import get_db
+from app.core.auth.dependencies import require_role
+from app.api.schemas.quota import QuotaSetRequest, QuotaOut
+from app.services.quota.manager import get_quotas, set_quota
+
+router = APIRouter()
+_superadmin = require_role(100)
+
+
+@router.get("/{account_id}", response_model=list[QuotaOut])
+async def list_quotas(
+    account_id: str,
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_superadmin),
+):
+    """查询账户的所有限额（需超级管理员）。"""
+    quotas = await get_quotas(account_id, db)
+    return [_to_out(q) for q in quotas]
+
+
+@router.put("/{account_id}", response_model=QuotaOut)
+async def update_quota(
+    account_id: str,
+    body: QuotaSetRequest,
+    db: AsyncSession = Depends(get_db),
+    _user=Depends(_superadmin),
+):
+    """设置或更新账户限额（需超级管理员）。"""
+    quota = await set_quota(account_id, body.quota_key, body.max_value, db)
+    return _to_out(quota)
+
+
+def _to_out(q) -> QuotaOut:
+    """将 AccountQuota 模型转换为响应模型。"""
+    return QuotaOut(
+        id=q.id,
+        account_id=q.account_id,
+        quota_key=q.quota_key,
+        max_value=q.max_value,
+        current_value=q.current_value,
+    )