From 65dd1f2209cc969552bdd9a0bc43600c87699409 Mon Sep 17 00:00:00 2001 From: xushuhui Date: Mon, 18 Apr 2022 18:20:15 +0800 Subject: [PATCH] feat: (rbac) localuser --- internal/biz/context.go | 6 ---- internal/biz/event.go | 17 +++++++++ internal/biz/permission.go | 65 +++++++++++++++++++++++++++++++++-- internal/biz/role.go | 57 +++++++++++++++++++++++++++--- plugin/api/account/account.go | 9 +++-- plugin/api/rbac/init.go | 24 ++++++------- plugin/api/rbac/permission.go | 40 ++++----------------- plugin/api/rbac/role.go | 44 ++++++++++++++++-------- plugin/api/rbac/user.go | 12 +++---- 9 files changed, 190 insertions(+), 84 deletions(-) create mode 100644 internal/biz/event.go diff --git a/internal/biz/context.go b/internal/biz/context.go index d4953794..2d4a8e49 100644 --- a/internal/biz/context.go +++ b/internal/biz/context.go @@ -21,9 +21,3 @@ func FromUserContext(ctx context.Context) (*User, error) { } return reqUser.User, nil } -func NewPermissionContext(ctx context.Context) { - -} -func FromPermissionContext(ctx context.Context) { - -} diff --git a/internal/biz/event.go b/internal/biz/event.go new file mode 100644 index 00000000..8619e491 --- /dev/null +++ b/internal/biz/event.go @@ -0,0 +1,17 @@ +package biz + +import ( + "infini.sh/framework/core/event" + "infini.sh/framework/core/util" + "time" +) + +func GenerateEvent(metadata event.ActivityMetadata, fields util.MapStr) *event.Activity { + return &event.Activity{ + ID: util.GetUUID(), + Timestamp: time.Now(), + Metadata: metadata, + Fields: fields, + } + +} diff --git a/internal/biz/permission.go b/internal/biz/permission.go index ed7a1f58..1bb4384b 100644 --- a/internal/biz/permission.go +++ b/internal/biz/permission.go 
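Review bot: GenerateEvent is exported but has no doc comment, and the `fields` map is placed in the Activity as-is (`Fields: fields`), so a caller that keeps mutating its map after the call changes what gets saved. Suggested comment above the function: `// GenerateEvent builds an event.Activity with a fresh UUID and the current time from the given metadata and fields; fields is retained by reference, not copied.` The blank line before the closing brace can be dropped.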
@@ -1,15 +1,45 @@ package biz +import "fmt" + var ClusterApis = make([]string, 0) var EsApis = make(map[string][]string) +type RoleType = string + +const ( + Console RoleType = "console" + Elastisearch RoleType = "elasticsearch" +) + +type IRole interface { + ListPermission() interface{} +} +type ConsoleRole struct { +} +type ElasticsearchRole struct { +} + +func NewRole(typ string) (r IRole, err error) { + switch typ { + case Console: + r = &ConsoleRole{} + + case Elastisearch: + r = &ElasticsearchRole{} + default: + err = fmt.Errorf("role type %s not support", typ) + } + return +} + type ConsolePermisson struct { Id string `json:"id"` Name string `json:"name"` } -func ListConsolePermisson() (list []ConsolePermisson, err error) { - list = []ConsolePermisson{ +func (r ConsoleRole) ListPermission() interface{} { + list := []ConsolePermisson{ { Id: "cluster_overview", Name: "平台概览", @@ -35,7 +65,36 @@ func ListConsolePermisson() (list []ConsolePermisson, err error) { Name: "集群动态搜索", }, } - return + return list +} +func (r ElasticsearchRole) ListPermission() interface{} { + list := []ConsolePermisson{ + { + Id: "cluster_overview", + Name: "平台概览", + }, + { + Id: "cluster_search", + Name: "平台搜索", + }, + { + Id: "cluster_elasticsearch", + Name: "集群监控", + }, + { + Id: "cluster_elasticsearch_refresh", + Name: "集群监控刷新", + }, + { + Id: "cluster_activities", + Name: "集群动态", + }, + { + Id: "cluster_activities_search", + Name: "集群动态搜索", + }, + } + return list } type ElasticsearchPermisson struct { diff --git a/internal/biz/role.go b/internal/biz/role.go index f4a9c673..0a810f13 100644 --- a/internal/biz/role.go +++ b/internal/biz/role.go @@ -4,6 +4,8 @@ import ( "fmt" "infini.sh/console/internal/dto" "infini.sh/console/model/rbac" + "infini.sh/framework/core/event" + log "src/github.com/cihub/seelog" "infini.sh/framework/core/util" "strings" 
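Review bot: ElasticsearchRole.ListPermission returns the same ConsolePermisson entries as ConsoleRole.ListPermission (cluster_overview, cluster_search, cluster_elasticsearch, …), so a request for the elasticsearch type now receives the console permission list; before this commit the handler called biz.ListElasticsearchPermisson() for that type, and ElasticsearchPermisson still exists right after the hunk. The method should build its list from the Elasticsearch permission definitions rather than this copy. Because IRole.ListPermission returns only interface{}, an error from that source cannot be propagated; if it can fail, widen the interface to `ListPermission() (interface{}, error)`. Separately, NewRole interpolates the caller-supplied type with `%s`; `fmt.Errorf("role type %q not support", typ)` keeps whitespace and control characters visible when the message is logged.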
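Review bot: The new import `log "src/github.com/cihub/seelog"` in internal/biz/role.go uses a `src/`-prefixed path, while plugin/api/rbac/permission.go and role.go in this same diff import the logger as `log "github.com/cihub/seelog"`; unless `src/github.com/...` resolves in this module, the package will not build. Change it to `log "github.com/cihub/seelog"` and group it with the other third-party imports instead of placing it between the infini.sh ones.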
@@ -12,7 +14,7 @@ import ( "infini.sh/framework/core/orm" ) -func CreateRole(req dto.CreateRole) (id string, err error) { +func CreateRole(localUser *User, req dto.CreateRole) (id string, err error) { q := orm.Query{Size: 1000} q.Conds = orm.And(orm.Eq("name", req.Name)) @@ -36,10 +38,36 @@ func CreateRole(req dto.CreateRole) (id string, err error) { role.Created = time.Now() role.Updated = time.Now() err = orm.Save(role) + if err != nil { + return + } id = role.ID + err = orm.Save(GenerateEvent(event.ActivityMetadata{ + Category: "platform", + Group: "rbac", + Name: "role", + Type: "create", + Labels: util.MapStr{ + "id": id, + "name": req.Name, + "description": req.Description, + "permission": req.Permission, + "type": req.RoleType, + "created": role.Created.Format("2006-01-02 15:04:05"), + "updated": role.Updated.Format("2006-01-02 15:04:05"), + }, + User: util.MapStr{ + "userid": localUser.UserId, + "username": localUser.Username, + }, + }, nil)) + + if err != nil { + log.Error(err) + } return } -func DeleteRole(id string) (err error) { +func DeleteRole(localUser *User, id string) (err error) { role := rbac.Role{} role.ID = id _, err = orm.Get(&role) @@ -47,10 +75,31 @@ func DeleteRole(id string) (err error) { err = ErrNotFound return } - return orm.Delete(role) + err = orm.Delete(role) + if err != nil { + return + } + err = orm.Save(GenerateEvent(event.ActivityMetadata{ + Category: "platform", + Group: "rbac", + Name: "role", + Type: "delete", + Labels: util.MapStr{ + "id": id, + }, + User: util.MapStr{ + "userid": localUser.UserId, + "username": localUser.Username, + }, + }, nil)) + + if err != nil { + log.Error(err) + } + return } -func UpdateRole(id string, req dto.UpdateRole) (err error) { +func UpdateRole(localUser *User, id string, req dto.UpdateRole) (err error) { role := rbac.Role{} role.ID = id _, err = orm.Get(&role) diff --git a/plugin/api/account/account.go b/plugin/api/account/account.go index 62cf8793..6e661714 100644 
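Review bot: In CreateRole the audit Activity is saved after the role itself, and a failure of that second orm.Save is only logged (`log.Error(err)`) before the function returns id with err nil, so a role can be created with no audit record and the caller never learns of it; DeleteRole in the following hunk has the same shape. For an RBAC audit trail this deserves a decision: either return the wrapped error (`err = fmt.Errorf("saving audit event for role %s: %w", id, err)`), or, if best-effort is intended, say so in a comment on the log line. The new `localUser *User` parameter is dereferenced for UserId and Username without a nil check; the visible callers obtain it from FromUserContext, but a guard such as `if localUser == nil { return "", fmt.Errorf("missing local user") }` keeps the function safe on its own. UpdateRole gains the same parameter, but its body continues outside the hunk, so I cannot see whether it records an event.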
--- a/plugin/api/account/account.go +++ b/plugin/api/account/account.go @@ -18,11 +18,10 @@ func init() { account := Account{} api.HandleAPIMethod(api.POST, "/account/login", account.Login) - api.HandleAPIMethod(api.GET, "/account/current_user", account.CurrentUser) + //api.HandleAPIMethod(api.GET, "/account/current_user", account.CurrentUser) - api.HandleAPIMethod(api.DELETE, "/account/logout", account.Logout) - api.HandleAPIMethod(api.GET, "/account/profile", - m.LoginRequired(account.Profile)) + api.HandleAPIMethod(api.DELETE, "/account/logout", m.LoginRequired(account.Logout)) + api.HandleAPIMethod(api.GET, "/account/profile", m.LoginRequired(account.Profile)) } const userInSession = "user_in_session" @@ -41,7 +40,7 @@ func (h Account) Login(w http.ResponseWriter, r *http.Request, ps httprouter.Par h.Error(w, err) return } - h.WriteJSON(w, data, http.StatusOK) + h.WriteOKJSON(w, data) } func (h Account) CurrentUser(w http.ResponseWriter, req *http.Request, ps httprouter.Params) { diff --git a/plugin/api/rbac/init.go b/plugin/api/rbac/init.go index 283c9b1d..e3cc0ef5 100644 --- a/plugin/api/rbac/init.go +++ b/plugin/api/rbac/init.go 
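Review bot: The `/account/current_user` route is commented out rather than removed, while the Account.CurrentUser handler is still present (its signature appears as context in the next hunk), which leaves dead code and no note on why the endpoint went away. Either delete both the commented line and the handler, or keep the route; if `/account/profile` supersedes it, a one-line comment on the init function saying so is enough.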
@@ -17,20 +17,20 @@ type Rbac struct { func registerRouter() { r := Rbac{} - api.HandleAPIMethod(api.GET, "/permission/:type", r.ListPermission) - api.HandleAPIMethod(api.POST, "/role/:type", r.CreateRole) - api.HandleAPIMethod(api.GET, "/role/:id", m.LoginRequired(r.GetRole)) - api.HandleAPIMethod(api.DELETE, "/role/:id", r.DeleteRole) - api.HandleAPIMethod(api.PUT, "/role/:id", r.UpdateRole) + api.HandleAPIMethod(api.GET, "/permission/:type", m.LoginRequired(m.PermissionRequired(r.ListPermission, "list.permission"))) + api.HandleAPIMethod(api.POST, "/role/:type", m.LoginRequired(m.PermissionRequired(r.CreateRole, "create.role"))) + api.HandleAPIMethod(api.GET, "/role/:id", m.LoginRequired(m.PermissionRequired(r.GetRole, "get.role"))) + api.HandleAPIMethod(api.DELETE, "/role/:id", m.LoginRequired(m.PermissionRequired(r.DeleteRole, "delete.role"))) + api.HandleAPIMethod(api.PUT, "/role/:id", m.LoginRequired(m.PermissionRequired(r.UpdateRole, "update.role"))) api.HandleAPIMethod(api.GET, "/role/_search", m.LoginRequired(m.PermissionRequired(r.SearchRole, "search.role"))) - api.HandleAPIMethod(api.POST, "/user", r.CreateUser) - api.HandleAPIMethod(api.GET, "/user/:id", r.GetUser) - api.HandleAPIMethod(api.GET, "/user/search", r.SearchUser) - api.HandleAPIMethod(api.DELETE, "/user/:id", r.DeleteUser) - api.HandleAPIMethod(api.PUT, "/user/:id", r.UpdateUser) - api.HandleAPIMethod(api.PUT, "/user/:id/role", r.UpdateUserRole) - api.HandleAPIMethod(api.GET, "/user/_search", r.SearchUser) + api.HandleAPIMethod(api.POST, "/user", m.LoginRequired(m.PermissionRequired(r.CreateUser, "create.user"))) + api.HandleAPIMethod(api.GET, "/user/:id", m.LoginRequired(m.PermissionRequired(r.GetUser, "get.user"))) + api.HandleAPIMethod(api.GET, "/user/search", m.LoginRequired(m.PermissionRequired(r.SearchUser, "search.user"))) + api.HandleAPIMethod(api.DELETE, "/user/:id", m.LoginRequired(m.PermissionRequired(r.DeleteUser, "delete.user"))) + api.HandleAPIMethod(api.PUT, "/user/:id", 
m.LoginRequired(m.PermissionRequired(r.UpdateUser, "update.user"))) + api.HandleAPIMethod(api.PUT, "/user/:id/role", m.LoginRequired(m.PermissionRequired(r.UpdateUserRole, "update.user.role"))) + api.HandleAPIMethod(api.GET, "/user/_search", m.LoginRequired(m.PermissionRequired(r.SearchUser, "search.user"))) } diff --git a/plugin/api/rbac/permission.go b/plugin/api/rbac/permission.go index c7c4365e..1f480a53 100644 --- a/plugin/api/rbac/permission.go +++ b/plugin/api/rbac/permission.go @@ -2,50 +2,24 @@ package rbac import ( log "github.com/cihub/seelog" - "github.com/pkg/errors" "infini.sh/console/internal/biz" httprouter "infini.sh/framework/core/api/router" "net/http" ) -type RoleType = string - -const ( - Console RoleType = "console" - Elastisearch RoleType = "elasticsearch" -) - -func validateRoleType(roleType RoleType) (err error) { - if roleType != Console && roleType != Elastisearch { - err = errors.New("unsupport type parmeter " + roleType) - } - return -} -func (h Rbac) ListPermission(w http.ResponseWriter, req *http.Request, ps httprouter.Params) { +func (h Rbac) ListPermission(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { typ := ps.MustGetParameter("type") - err := validateRoleType(typ) + role, err := biz.NewRole(typ) + if err != nil { _ = log.Error(err.Error()) h.Error(w, err) return } - var permissons interface{} - switch typ { - case Console: - permissons, err = biz.ListConsolePermisson() - - case Elastisearch: - permissons, err = biz.ListElasticsearchPermisson() - } - if err != nil { - _ = log.Error(err.Error()) - h.Error(w, err) - return - } - - _ = h.WriteJSON(w, Response{ - Hit: permissons, - }, http.StatusOK) + permissions := role.ListPermission() + h.WriteOKJSON(w, Response{ + Hit: permissions, + }) return } diff --git a/plugin/api/rbac/role.go b/plugin/api/rbac/role.go index 9a5a1b73..32a687f5 100644 --- a/plugin/api/rbac/role.go +++ b/plugin/api/rbac/role.go 
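Review bot: `/user/search` and `/user/_search` are both registered to SearchUser with the "search.user" permission, so one route is redundant and the two will drift if the permission name is later changed in only one place; drop the one that is not part of the public API. The permission names ("create.role", "update.user.role", …) are string literals repeated across this table; declaring them as constants next to the handlers they guard would let the compiler catch a typo that otherwise surfaces only at runtime as a name no user holds. PermissionRequired is not in this diff, so whether an unknown name fails closed is inferred rather than confirmed.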
@@ -4,7 +4,6 @@ import ( log "github.com/cihub/seelog" "infini.sh/console/internal/biz" "infini.sh/console/internal/dto" - httprouter "infini.sh/framework/core/api/router" "net/http" ) @@ -12,12 +11,6 @@ import ( func (h Rbac) CreateRole(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { roleType := ps.MustGetParameter("type") var err error - err = validateRoleType(roleType) - if err != nil { - _ = log.Error(err.Error()) - h.Error(w, err) - return - } var req dto.CreateRole err = h.DecodeJSON(r, &req) @@ -28,13 +21,20 @@ func (h Rbac) CreateRole(w http.ResponseWriter, r *http.Request, ps httprouter.P req.RoleType = roleType var id string - id, err = biz.CreateRole(req) + localUser, err := biz.FromUserContext(r.Context()) + if err != nil { + log.Error(err.Error()) + h.Error(w, err) + return + } + id, err = biz.CreateRole(localUser, req) if err != nil { _ = log.Error(err.Error()) h.Error(w, err) return } - _ = h.WriteJSON(w, CreateResponse(id), http.StatusOK) + + _ = h.WriteOKJSON(w, CreateResponse(id)) return } @@ -54,7 +54,7 @@ func (h Rbac) SearchRole(w http.ResponseWriter, r *http.Request, ps httprouter.P return } - h.WriteJSON(w, Response{Hit: res.Result, Total: res.Total}, http.StatusOK) + h.WriteOKJSON(w, Response{Hit: res.Result, Total: res.Total}) return } 
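Review bot: The `httprouter "infini.sh/framework/core/api/router"` import is removed, yet the handlers in this file still take `ps httprouter.Params` (the CreateRole signature in the next hunk shows it), so the file will not compile unless another import outside this hunk provides the httprouter name. If the alias now comes from a shared import, fine; otherwise restore `httprouter "infini.sh/framework/core/api/router"`.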
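Review bot: CreateRole no longer validates the `:type` path parameter — the validateRoleType call is deleted and the raw value is stored in req.RoleType and handed to biz.CreateRole, whose body is outside this diff — so unless biz.CreateRole checks it, an arbitrary string can be persisted as a role's type. ListPermission in this same commit rejects unknown types through `biz.NewRole(typ)`; the same call works here: `if _, err = biz.NewRole(roleType); err != nil { h.Error(w, err); return }`. If the validation was moved into biz.CreateRole on purpose, a comment at the call site noting that would save the next reader the search.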
@@ -68,38 +68,52 @@ func (h Rbac) GetRole(w http.ResponseWriter, r *http.Request, ps httprouter.Para h.Error(w, err) return } - h.WriteJSON(w, Response{Hit: role}, http.StatusOK) + h.WriteOKJSON(w, Response{Hit: role}) return } func (h Rbac) DeleteRole(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { id := ps.MustGetParameter("id") - err := biz.DeleteRole(id) + + localUser, err := biz.FromUserContext(r.Context()) + if err != nil { + log.Error(err.Error()) + h.Error(w, err) + return + } + err = biz.DeleteRole(localUser, id) if err != nil { _ = log.Error(err.Error()) h.Error(w, err) return } - _ = h.WriteJSON(w, DeleteResponse(id), http.StatusOK) + _ = h.WriteOKJSON(w, DeleteResponse(id)) return } func (h Rbac) UpdateRole(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { id := ps.MustGetParameter("id") + var req dto.UpdateRole err := h.DecodeJSON(r, &req) if err != nil { h.Error(w, err) return } - err = biz.UpdateRole(id, req) + localUser, err := biz.FromUserContext(r.Context()) + if err != nil { + log.Error(err.Error()) + h.Error(w, err) + return + } + err = biz.UpdateRole(localUser, id, req) if err != nil { _ = log.Error(err.Error()) h.Error(w, err) return } - _ = h.WriteJSON(w, UpdateResponse(id), http.StatusOK) + _ = h.WriteOKJSON(w, UpdateResponse(id)) return } diff --git a/plugin/api/rbac/user.go b/plugin/api/rbac/user.go index 6761fa7d..88f51d17 100644 --- a/plugin/api/rbac/user.go +++ b/plugin/api/rbac/user.go @@ -33,7 +33,7 @@ func (h Rbac) CreateUser(w http.ResponseWriter, r *http.Request, ps httprouter.P h.Error(w, err) return } - _ = h.WriteJSON(w, CreateResponse(id), http.StatusOK) + _ = h.WriteOKJSON(w, CreateResponse(id)) return } @@ -51,7 +51,7 @@ func (h Rbac) GetUser(w http.ResponseWriter, r *http.Request, ps httprouter.Para h.Error(w, err) return } - h.WriteJSON(w, Response{Hit: user}, http.StatusOK) + h.WriteOKJSON(w, Response{Hit: user}) return } 
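Review bot: DeleteRole and UpdateRole each repeat the same four-line block — FromUserContext, `log.Error(err.Error())`, h.Error, return — and CreateRole in the earlier hunk does too; a small method that logs, writes the error response and reports success would keep each handler to one call. Within that block `log.Error(err.Error())` discards the return value while the branch just below writes `_ = log.Error(err.Error())`; the commit should settle on one form. The helper and its use in DeleteRole are sketched below.
```go
// localUser resolves the logged-in user from the request context; on failure it
// logs, writes the error response and reports false so the caller can return.
func (h Rbac) localUser(w http.ResponseWriter, r *http.Request) (*biz.User, bool) {
	localUser, err := biz.FromUserContext(r.Context())
	if err != nil {
		_ = log.Error(err.Error())
		h.Error(w, err)
		return nil, false
	}
	return localUser, true
}

func (h Rbac) DeleteRole(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
	id := ps.MustGetParameter("id")
	localUser, ok := h.localUser(w, r)
	if !ok {
		return
	}
	// … unchanged: biz.DeleteRole call and DeleteResponse …
```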
@@ -71,7 +71,7 @@ func (h Rbac) UpdateUser(w http.ResponseWriter, r *http.Request, ps httprouter.P h.Error(w, err) return } - _ = h.WriteJSON(w, UpdateResponse(id), http.StatusOK) + _ = h.WriteOKJSON(w, UpdateResponse(id)) return } @@ -91,7 +91,7 @@ func (h Rbac) UpdateUserRole(w http.ResponseWriter, r *http.Request, ps httprout h.Error(w, err) return } - _ = h.WriteJSON(w, UpdateResponse(id), http.StatusOK) + _ = h.WriteOKJSON(w, UpdateResponse(id)) return } @@ -107,7 +107,7 @@ func (h Rbac) DeleteUser(w http.ResponseWriter, r *http.Request, ps httprouter.P h.Error(w, err) return } - _ = h.WriteJSON(w, DeleteResponse(id), http.StatusOK) + _ = h.WriteOKJSON(w, DeleteResponse(id)) return } @@ -125,7 +125,7 @@ func (h Rbac) SearchUser(w http.ResponseWriter, r *http.Request, ps httprouter.P return } - h.WriteJSON(w, Response{Hit: res.Result, Total: res.Total}, http.StatusOK) + h.WriteOKJSON(w, Response{Hit: res.Result, Total: res.Total}) return }