fix: (rbac) handle error

2022-04-27 10:22:35 +08:00 · 2022-04-27 10:22:35 +08:00 · 598c655a44
parent f95a336098
commit 598c655a44
10 changed files with 112 additions and 103 deletions
--- a/internal/biz/enum/const.go
+++ b/internal/biz/enum/const.go
@ -4,11 +4,11 @@ import (
 	"time"
 )
-var UserRead = []string{"system.user:read"}
+const UserRead = "system.user:read"
-var UserAll = []string{"system.user:all"}
+const UserAll = "system.user:all"
-var RoleRead = []string{"system.role:read"}
+const RoleRead = "system.role:read"
-var RoleAll = []string{"system.role:all"}
+const RoleAll = "system.role:all"
 var RuleRead = []string{"rule::read"}
 var RuleAll = []string{"rule::read", "rule::write"}
--- a/internal/biz/role.go
+++ b/internal/biz/role.go
@ -1,6 +1,7 @@
 package biz
 import (
 	"errors"
 	"fmt"
 	"infini.sh/console/internal/biz/enum"
 	"infini.sh/console/model/rbac"
@ -26,7 +27,7 @@ type IRole interface {
 }
 type ConsoleRole struct {
 	Name        string   `json:"name"`
-	Description string   `json:"description" `
+	Description string   `json:"description"`
 	RoleType    string   `json:"type" `
 	Platform    []string `json:"platform,omitempty"`
 }
@ -135,6 +136,10 @@ func (role ElasticsearchRole) Update(localUser *User, model rbac.Role) (err erro
 	return
 }
 func (role ConsoleRole) Create(localUser *User) (id string, err error) {
 	if role.Name == "" {
 		err = errors.New("role name is require")
 		return
 	}
 	if _, ok := enum.BuildRoles[role.Name]; ok {
 		err = fmt.Errorf("role name %s already exists", role.Name)
 		return
@ -196,7 +201,10 @@ func (role ConsoleRole) Create(localUser *User) (id string, err error) {
 }
 func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
-
+	if role.Name == "" {
 		err = errors.New("role name is require")
 		return
 	}
 	if _, ok := enum.BuildRoles[role.Name]; ok {
 		err = fmt.Errorf("role name %s already exists", role.Name)
 		return
--- a/internal/dto/role.go
+++ b/internal/dto/role.go
@ -16,13 +16,13 @@ type ElasticsearchPermission struct {
 	IndexPrivilege   []string `json:"index_privilege" `
 }
 type CreateUser struct {
-	Username string   `json:"username"`
+	Username string `json:"username"`
-	Password string   `json:"password"`
+
-	Name     string   `json:"name"`
+	Name  string   `json:"name"`
-	Email    string   `json:"email"`
+	Email string   `json:"email"`
-	Phone    string   `json:"phone"`
+	Phone string   `json:"phone"`
-	Roles    []Role   `json:"roles"`
+	Roles []Role   `json:"roles"`
-	Tags     []string `json:"tags"`
+	Tags  []string `json:"tags"`
 }
 type Role struct {
 	Id   string `json:"id"`
--- a/internal/middleware/user.go
+++ b/internal/middleware/user.go
@ -22,39 +22,39 @@ func LoginRequired(h httprouter.Handle) httprouter.Handle {
 func IndexRequired(h httprouter.Handle, route ...string) httprouter.Handle {
 	return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-		//claims, err := biz.ValidateLogin(r.Header.Get("Authorization"))
+		claims, err := biz.ValidateLogin(r.Header.Get("Authorization"))
-		//if err != nil {
+		if err != nil {
-		//	w = handleError(w, http.StatusUnauthorized, err)
+			w = handleError(w, http.StatusUnauthorized, err)
-		//	return
+			return
-		//}
+		}
-		//newRole := biz.CombineUserRoles(claims.Roles)
+		newRole := biz.CombineUserRoles(claims.Roles)
-		//
+
-		//indexReq := biz.NewIndexRequest(ps, route)
+		indexReq := biz.NewIndexRequest(ps, route)
-		//
+
-		//err = biz.ValidateIndex(indexReq, newRole)
+		err = biz.ValidateIndex(indexReq, newRole)
-		//if err != nil {
+		if err != nil {
-		//	w = handleError(w, http.StatusForbidden, err)
+			w = handleError(w, http.StatusForbidden, err)
-		//	return
+			return
-		//}
+		}
 		h(w, r, ps)
 	}
 }
 func ClusterRequired(h httprouter.Handle, route ...string) httprouter.Handle {
 	return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-		//claims, err := biz.ValidateLogin(r.Header.Get("Authorization"))
+		claims, err := biz.ValidateLogin(r.Header.Get("Authorization"))
-		//if err != nil {
+		if err != nil {
-		//	w = handleError(w, http.StatusUnauthorized, err)
+			w = handleError(w, http.StatusUnauthorized, err)
-		//	return
+			return
-		//}
+		}
-		//newRole := biz.CombineUserRoles(claims.Roles)
+		newRole := biz.CombineUserRoles(claims.Roles)
-		//clusterReq := biz.NewClusterRequest(ps, route)
+		clusterReq := biz.NewClusterRequest(ps, route)
-		//
+
-		//err = biz.ValidateCluster(clusterReq, newRole)
+		err = biz.ValidateCluster(clusterReq, newRole)
-		//if err != nil {
+		if err != nil {
-		//	w = handleError(w, http.StatusForbidden, err)
+			w = handleError(w, http.StatusForbidden, err)
-		//	return
+			return
-		//}
+		}
 		h(w, r, ps)
 	}
 }
--- a/plugin/api/account/account.go
+++ b/plugin/api/account/account.go
@ -33,13 +33,13 @@ func (h Account) Login(w http.ResponseWriter, r *http.Request, ps httprouter.Par
 	var req dto.Login
 	err := h.DecodeJSON(r, &req)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	data, err := biz.Login(req.Username, req.Password)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	data["status"] = "ok"
@ -100,7 +100,7 @@ func (h Account) Logout(w http.ResponseWriter, r *http.Request, ps httprouter.Pa
 func (h Account) Profile(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	reqUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
@ -116,7 +116,7 @@ func (h Account) Profile(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	} else {
 		user, err := biz.GetUser(reqUser.UserId)
 		if err != nil {
-			h.Error(w, err)
+			h.ErrorInternalServer(w, err.Error())
 			return
 		}
 		u := util.MapStr{
@ -133,18 +133,18 @@ func (h Account) Profile(w http.ResponseWriter, r *http.Request, ps httprouter.P
 func (h Account) UpdatePassword(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	reqUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	var req dto.UpdatePassword
 	err = h.DecodeJSON(r, &req)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	err = biz.UpdatePassword(reqUser, req)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	h.WriteOKJSON(w, util.MapStr{
--- a/plugin/api/init.go
+++ b/plugin/api/init.go
@ -25,9 +25,9 @@ func Init(cfg *config.AppConfig) {
 	api.HandleAPIMethod(api.DELETE, path.Join(pathPrefix, "dict/:id"), handler.DeleteDictItemAction)
 	api.HandleAPIMethod(api.PUT, path.Join(pathPrefix, "dict/:id"), handler.UpdateDictItemAction)
-	api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index/_search"), handler.HandleSearchDocumentAction)
+	api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index/_search"), m.IndexRequired(handler.HandleSearchDocumentAction, "doc.search"))
-	api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index"), handler.HandleAddDocumentAction)
+	api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index"), m.IndexRequired(handler.HandleAddDocumentAction, "doc.create"))
-	api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), handler.HandleUpdateDocumentAction)
+	api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), m.IndexRequired(handler.HandleUpdateDocumentAction, "doc.create"))
 	api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "doc/:index/:docId"), m.ClusterRequired(handler.HandleDeleteDocumentAction, "doc.delete"))
 	api.HandleAPIMethod(api.GET, path.Join(esPrefix, "doc/_validate"), handler.ValidateDocIDAction)
--- a/plugin/api/rbac/api.go
+++ b/plugin/api/rbac/api.go
@ -12,7 +12,6 @@ import (
 	"path"
 	log "src/github.com/cihub/seelog"
 	"src/github.com/mitchellh/mapstructure"
 	"strings"
 )
 type Rbac struct {
@ -22,19 +21,19 @@ type Rbac struct {
 func init() {
 	r := Rbac{}
 	api.HandleAPIMethod(api.GET, "/permission/:type", r.ListPermission)
-	api.HandleAPIMethod(api.POST, "/role/:type", m.PermissionRequired(r.CreateRole, enum.RoleAll...))
+	api.HandleAPIMethod(api.POST, "/role/:type", m.PermissionRequired(r.CreateRole, enum.RoleAll))
-	api.HandleAPIMethod(api.GET, "/role/:id", m.PermissionRequired(r.GetRole, enum.RoleRead...))
+	api.HandleAPIMethod(api.GET, "/role/:id", m.PermissionRequired(r.GetRole, enum.RoleRead))
-	api.HandleAPIMethod(api.DELETE, "/role/:id", m.PermissionRequired(r.DeleteRole, enum.RoleAll...))
+	api.HandleAPIMethod(api.DELETE, "/role/:id", m.PermissionRequired(r.DeleteRole, enum.RoleAll))
-	api.HandleAPIMethod(api.PUT, "/role/:id", m.PermissionRequired(r.UpdateRole, enum.RoleAll...))
+	api.HandleAPIMethod(api.PUT, "/role/:id", m.PermissionRequired(r.UpdateRole, enum.RoleAll))
-	api.HandleAPIMethod(api.GET, "/role/_search", m.PermissionRequired(r.SearchRole, enum.RoleRead...))
+	api.HandleAPIMethod(api.GET, "/role/_search", m.PermissionRequired(r.SearchRole, enum.RoleRead))
-	api.HandleAPIMethod(api.POST, "/user", m.PermissionRequired(r.CreateUser, enum.UserAll...))
+	api.HandleAPIMethod(api.POST, "/user", m.PermissionRequired(r.CreateUser, enum.UserAll))
-	api.HandleAPIMethod(api.GET, "/user/:id", m.PermissionRequired(r.GetUser, enum.UserRead...))
+	api.HandleAPIMethod(api.GET, "/user/:id", m.PermissionRequired(r.GetUser, enum.UserRead))
-	api.HandleAPIMethod(api.DELETE, "/user/:id", m.PermissionRequired(r.DeleteUser, enum.UserAll...))
+	api.HandleAPIMethod(api.DELETE, "/user/:id", m.PermissionRequired(r.DeleteUser, enum.UserAll))
-	api.HandleAPIMethod(api.PUT, "/user/:id", m.PermissionRequired(r.UpdateUser, enum.UserAll...))
+	api.HandleAPIMethod(api.PUT, "/user/:id", m.PermissionRequired(r.UpdateUser, enum.UserAll))
-	api.HandleAPIMethod(api.PUT, "/user/:id/role", m.PermissionRequired(r.UpdateUserRole, enum.UserAll...))
+	api.HandleAPIMethod(api.PUT, "/user/:id/role", m.PermissionRequired(r.UpdateUserRole, enum.UserAll))
-	api.HandleAPIMethod(api.GET, "/user/_search", m.PermissionRequired(r.SearchUser, enum.UserRead...))
+	api.HandleAPIMethod(api.GET, "/user/_search", m.PermissionRequired(r.SearchUser, enum.UserRead))
-	api.HandleAPIMethod(api.PUT, "/user/:id/password", m.PermissionRequired(r.UpdateUserPassword, enum.UserAll...))
+	api.HandleAPIMethod(api.PUT, "/user/:id/password", m.PermissionRequired(r.UpdateUserPassword, enum.UserAll))
 }
 func loadJsonConfig() {
@ -54,19 +53,19 @@ func loadJsonConfig() {
 	delete(apis, "indices")
 	biz.ClusterApis = apis
-	bytes, err = util.FileGetContent(path.Join(pwd, "/config/map.json"))
+	//bytes, err = util.FileGetContent(path.Join(pwd, "/config/map.json"))
-	if err != nil {
+	//if err != nil {
-		panic("load json file err " + err.Error())
+	//	panic("load json file err " + err.Error())
-	}
+	//}
-	esapiMap := make(map[string]string)
+	//esapiMap := make(map[string]string)
-	err = json.Unmarshal(bytes, &esapiMap)
+	//err = json.Unmarshal(bytes, &esapiMap)
-	if err != nil {
+	//if err != nil {
-		panic("json config unmarshal err " + err.Error())
+	//	panic("json config unmarshal err " + err.Error())
-	}
+	//}
-	for k, v := range esapiMap {
+	//for k, v := range esapiMap {
-		s := strings.Split(k, "-")
+	//	s := strings.Split(k, "-")
-		biz.EsApiRoutes.AddRoute(s[0], s[1], v)
+	//	biz.EsApiRoutes.AddRoute(s[0], s[1], v)
-	}
+	//}
 }
 func loadRolePermission() {
@ -98,7 +97,7 @@ func loadRolePermission() {
 			},
 		},
 	}
-	res, err := biz.SearchRole("", 0, 100)
+	res, err := biz.SearchRole("", 0, 1000)
 	if err != nil {
 		log.Error(err)
 		return
--- a/plugin/api/rbac/permission.go
+++ b/plugin/api/rbac/permission.go
@ -19,7 +19,7 @@ func (h Rbac) ListPermission(w http.ResponseWriter, r *http.Request, ps httprout
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	permissions := role.ListPermission()
--- a/plugin/api/rbac/role.go
+++ b/plugin/api/rbac/role.go
@ -17,12 +17,12 @@ func (h Rbac) CreateRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	irole, err := biz.NewRole(roleType)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
@ -31,12 +31,13 @@ func (h Rbac) CreateRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 		h.Error400(w, err.Error())
 		return
 	}
 	var id string
 	id, err = irole.Create(localUser)
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, core.CreateResponse(id))
@ -55,7 +56,8 @@ func (h Rbac) SearchRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	res, err := biz.SearchRole(keyword, from, size)
 	if err != nil {
 		log.Error(err)
-		h.Error(w, err)
+
 		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	response := elastic.SearchResponse{}
@ -91,7 +93,7 @@ func (h Rbac) GetRole(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	h.WriteOKJSON(w, core.Response{Hit: role})
@ -104,14 +106,14 @@ func (h Rbac) DeleteRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	err = biz.DeleteRole(localUser, id)
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, core.DeleteResponse(id))
@ -123,17 +125,17 @@ func (h Rbac) UpdateRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	model, err := biz.GetRole(id)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	irole, err := biz.NewRole(model.RoleType)
 	if err != nil {
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
@ -147,7 +149,7 @@ func (h Rbac) UpdateRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, core.UpdateResponse(id))
--- a/plugin/api/rbac/user.go
+++ b/plugin/api/rbac/user.go
@ -29,21 +29,21 @@ func (h Rbac) CreateUser(w http.ResponseWriter, r *http.Request, ps httprouter.P
 		h.Error400(w, err.Error())
 		return
 	}
-	if req.Username == "" || req.Password == "" {
+	if req.Username == "" || req.Phone == "" || req.Email == "" {
-		h.Error400(w, "username or password require")
+		h.Error400(w, "username and phone and email is require")
 		return
 	}
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	id, pass, err := biz.CreateUser(localUser, req)
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, util.MapStr{
@ -65,7 +65,7 @@ func (h Rbac) GetUser(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	h.WriteOKJSON(w, core.FoundResponse(id, user))
@ -84,14 +84,14 @@ func (h Rbac) UpdateUser(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	err = biz.UpdateUser(localUser, id, req)
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, core.UpdateResponse(id))
@ -110,14 +110,14 @@ func (h Rbac) UpdateUserRole(w http.ResponseWriter, r *http.Request, ps httprout
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	err = biz.UpdateUserRole(localUser, id, req)
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, core.UpdateResponse(id))
@ -129,7 +129,7 @@ func (h Rbac) DeleteUser(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	err = biz.DeleteUser(localUser, id)
@ -139,7 +139,7 @@ func (h Rbac) DeleteUser(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	}
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	_ = h.WriteOKJSON(w, core.DeleteResponse(id))
@ -156,7 +156,7 @@ func (h Rbac) SearchUser(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	res, err := biz.SearchUser(keyword, from, size)
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
@ -176,13 +176,13 @@ func (h Rbac) UpdateUserPassword(w http.ResponseWriter, r *http.Request, ps http
 	localUser, err := biz.FromUserContext(r.Context())
 	if err != nil {
 		log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}
 	err = biz.UpdateUserPassword(localUser, id, req.Password)
 	if err != nil {
 		_ = log.Error(err.Error())
-		h.Error(w, err)
+		h.ErrorInternalServer(w, err.Error())
 		return
 	}