From 2593d453e9866f93bc843977a3bfe8fe0ce6cccb Mon Sep 17 00:00:00 2001
From: xushuhui <xushuhui@infini.ltd>
Date: Mon, 25 Apr 2022 10:24:05 +0800
Subject: [PATCH] fix: (rbac) login set role map

---
 internal/biz/account.go | 52 +++++++++++++++++++++++++----------------
 plugin/api/rbac/api.go  |  1 +
 2 files changed, 33 insertions(+), 20 deletions(-)

diff --git a/internal/biz/account.go b/internal/biz/account.go
index e2a91213..cfe7cd15 100644
--- a/internal/biz/account.go
+++ b/internal/biz/account.go
@@ -83,21 +83,7 @@ func authenticateAdmin(username string, password string) (user Account, err erro
 	return user, nil
 }
 func authorize(user Account) (m map[string]interface{}, err error) {
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{
-		User: &User{
-			Username: user.Username,
-			UserId:   user.ID,
-			Roles:    []string{"admin"},
-		},
-		RegisteredClaims: &jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(24 * time.Hour)),
-		},
-	})
 
-	tokenString, err := token.SignedString([]byte(Secret))
-	if err != nil {
-		return
-	}
 	var roles, privilege []string
 	if user.Username == "admin" {
 		roles = append(roles, "admin")
@@ -109,9 +95,29 @@ func authorize(user Account) (m map[string]interface{}, err error) {
 			r, _ := GetRole(v.Id)
 
 			privilege = append(privilege, r.Platform...)
+			RolePermission[v.Name] = enum.Role{
+				Platform:         r.Platform,
+				Cluster:          r.Cluster,
+				ClusterPrivilege: r.ClusterPrivilege,
+				Index:            r.Index,
+			}
 		}
 	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{
+		User: &User{
+			Username: user.Username,
+			UserId:   user.ID,
+			Roles:    roles,
+		},
+		RegisteredClaims: &jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(24 * time.Hour)),
+		},
+	})
 
+	tokenString, err := token.SignedString([]byte(Secret))
+	if err != nil {
+		return
+	}
 	m = util.MapStr{
 		"access_token": tokenString,
 		"username":     user.Username,
@@ -215,27 +221,33 @@ func ValidateLogin(authorizationHeader string) (clams *UserClaims, err error) {
 }
 func ValidatePermission(claims *UserClaims, permissions []string) (err error) {
 
-	reqUser := claims.User
+	user := claims.User
 
-	if reqUser.UserId == "" {
+	if user.UserId == "" {
 		err = errors.New("user id is empty")
 		return
 	}
-	if reqUser.Roles == nil {
+	if user.Roles == nil {
 		err = errors.New("api permission is empty")
 		return
 	}
-	return nil
+
 	// 权限校验
 	userPermissionMap := make(map[string]struct{})
-	for _, role := range reqUser.Roles {
+	for _, role := range user.Roles {
 		if _, ok := RolePermission[role]; ok {
 			for _, v := range RolePermission[role].Platform {
+
 				userPermissionMap[v] = struct{}{}
+				//all include read
+				if strings.Contains(v, "all") {
+					key := v[:len(v)-3] + "read"
+					userPermissionMap[key] = struct{}{}
+				}
 			}
 		}
 	}
-	//all=>read
+
 	var count int
 	for _, v := range permissions {
 		if _, ok := userPermissionMap[v]; ok {
diff --git a/plugin/api/rbac/api.go b/plugin/api/rbac/api.go
index c74ffd74..7abc09f5 100644
--- a/plugin/api/rbac/api.go
+++ b/plugin/api/rbac/api.go
@@ -73,6 +73,7 @@ func init() {
 	loadRolePermission()
 
 }
+
 func existInternalUser() {
 	//user, err := biz.GetUser("admin")
 	//if errors.Is(err, elastic.ErrNotFound) {