feat: (rbac) validate index and cluster unit test

This commit is contained in:
xushuhui 2022-04-27 16:49:03 +08:00
parent e865ee5f67
commit 7006c0b256
8 changed files with 201 additions and 34 deletions


@ -27,7 +27,8 @@ func init() {
BuildRoles["admin"] = map[string]interface{}{
"id": "admin",
"name": "管理员",
"platform": []string{"system.role:all", "system.user:all"},
"type": "console",
"platform": AdminPrivilege,
"builtin": true,
"description": "is admin",
"created": time.Now(),


@ -135,3 +135,27 @@ func CombineUserRoles(roleNames []string) RolePermission {
newRole.IndexPrivilege = m
return newRole
}
func FilterCluster(roles []string, cluster []string) []string {
newRole := CombineUserRoles(roles)
userClusterMap := make(map[string]struct{}, 0)
for _, v := range newRole.Cluster {
userClusterMap[v] = struct{}{}
}
realCluster := make([]string, 0)
for _, v := range cluster {
if _, ok := userClusterMap[v]; ok {
realCluster = append(realCluster, v)
}
}
return realCluster
}
func FilterIndex(roles []string, index []string) []string {
realIndex := make([]string, 0)
newRole := CombineUserRoles(roles)
for _, v := range index {
if _, ok := newRole.IndexPrivilege[v]; ok {
realIndex = append(realIndex, v)
}
}
return realIndex
}
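Review bot: FilterCluster and FilterIndex are exported without doc comments, and the intersection they compute is an exact string match — a map lookup against the combined role's Cluster list and against the keys of IndexPrivilege. If any role entry is ever written as a pattern (the test fixture uses `cat.*` for privileges, and index names could follow the same convention), a concrete index name would never match and would be silently dropped, so it is worth confirming how Role.Index names are populated before relying on this for authorization. Both functions also keep duplicates from the input, so a cluster id passed twice comes back twice. Suggested doc comments: `// FilterCluster returns the subset of cluster ids in cluster that the combined roles list, in input order.` and `// FilterIndex returns the subset of names in index that are keys of the combined roles' IndexPrivilege map, in input order.`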


@ -2,6 +2,7 @@ package biz
import (
"github.com/stretchr/testify/assert"
"infini.sh/framework/core/util"
"testing"
)
@ -99,6 +100,18 @@ func Test_validateCluster(t *testing.T) {
},
}, "no cluster permission",
},
{"no cluster",
args{
req: ClusterRequest{
Cluster: []string{"cluster1"},
Privilege: []string{"indices.get_mapping"},
},
userRole: RolePermission{
Cluster: []string{},
ClusterPrivilege: []string{},
},
}, "no cluster permission",
},
{"no cluster api",
args{
req: ClusterRequest{
@ -122,10 +135,162 @@ func Test_validateCluster(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := ValidateCluster(tt.args.req, tt.args.userRole)
assert.EqualError(t, got, tt.want)
})
}
}
func TestStringInArray(t *testing.T) {
array := []string{"a", "b", "c", "d", "e"}
assert.Equal(t, true, util.StringInArray(array, "c"))
assert.Equal(t, false, util.StringInArray(array, "h"))
}
func TestFilterCluster(t *testing.T) {
RoleMap["test"] = Role{
Cluster: []struct {
Id string `json:"id"`
Name string `json:"name"`
}{
{
Id: "c97rd2les10hml00pgh0",
Name: "docker-cluster",
},
},
ClusterPrivilege: []string{"cat.*"},
Index: []struct {
Name []string `json:"name"`
Privilege []string `json:"privilege"`
}{
{
Name: []string{".infini_rbac-role"},
Privilege: []string{"indices.get_mapping"},
},
{
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
Privilege: []string{"cat.*"},
},
},
}
type args struct {
roles []string
cluster []string
}
tests := []struct {
name string
args args
want []string
}{
{
name: "empty",
args: args{
roles: []string{"test"},
cluster: []string{
"cluser1", "cluster2",
},
},
want: []string{},
},
{
name: "one",
args: args{
roles: []string{"test"},
cluster: []string{
"cluser1", "cluster2", "c97rd2les10hml00pgh0",
},
},
want: []string{"c97rd2les10hml00pgh0"},
},
{
name: "only",
args: args{
roles: []string{"test"},
cluster: []string{
"c97rd2les10hml00pgh0",
},
},
want: []string{"c97rd2les10hml00pgh0"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := FilterCluster(tt.args.roles, tt.args.cluster)
assert.Equal(t, got, tt.want)
})
}
}
func TestFilterIndex(t *testing.T) {
RoleMap["test"] = Role{
Cluster: []struct {
Id string `json:"id"`
Name string `json:"name"`
}{
{
Id: "c97rd2les10hml00pgh0",
Name: "docker-cluster",
},
},
ClusterPrivilege: []string{"cat.*"},
Index: []struct {
Name []string `json:"name"`
Privilege []string `json:"privilege"`
}{
{
Name: []string{".infini_rbac-role"},
Privilege: []string{"indices.get_mapping"},
},
{
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
Privilege: []string{"cat.*"},
},
},
}
type args struct {
roles []string
index []string
}
tests := []struct {
name string
args args
want []string
}{
{
name: "empty",
args: args{
roles: []string{"test"},
index: []string{
"index1", "index2",
},
},
want: []string{},
},
{
name: "one",
args: args{
roles: []string{"test"},
index: []string{
"index1", "index2", ".infini_rbac-user",
},
},
want: []string{".infini_rbac-user"},
},
{
name: "only",
args: args{
roles: []string{"test"},
index: []string{
".infini_rbac-user",
},
},
want: []string{".infini_rbac-user"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := FilterIndex(tt.args.roles, tt.args.index)
assert.Equal(t, got, tt.want)
})
}
}
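Review bot: TestFilterCluster and TestFilterIndex write a fixture into the package-level RoleMap under the key "test" and never remove it, so the entry outlives each test and is visible to every other test in the package (and the two Role literals are identical copies). Register cleanup right after the assignment, `t.Cleanup(func() { delete(RoleMap, "test") })`, and consider hoisting the shared fixture into a helper. The assertions also pass arguments as `assert.Equal(t, got, tt.want)` while testify's signature is (expected, actual), so failure output labels the values backwards; `assert.Equal(t, tt.want, got)` fixes it in both loops. TestStringInArray exercises util.StringInArray from the framework package rather than anything in package biz, so it adds no coverage here.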


@ -26,7 +26,6 @@ func PermissionRequired(h httprouter.Handle, permissions ...string) httprouter.H
if err != nil {
w = handleError(w, http.StatusUnauthorized, err)
return
}
err = biz.ValidatePermission(claims, permissions)


@ -138,8 +138,8 @@ func main() {
if err != nil {
log.Errorf("init alerting task error: %v", err)
}
rbacApi.Init()
}()
go rbacApi.Init()
}, nil) {
app.Run()
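Review bot: `go rbacApi.Init()` launches role loading in a goroutine with nothing to wait on, so `app.Run()` below can begin serving requests before the role table is populated, and from the later hunk loadRolePermission writes `biz.RoleMap` while request handlers presumably read it — a plain map written from one goroutine and read from another is a data race that the runtime may abort with a concurrent map access fault. If startup must stay non-blocking, guard RoleMap with a sync.RWMutex (or swap a fully built map atomically) and have the permission middleware fail closed until the load has completed; otherwise keep Init synchronous ahead of the server start. main's body starts and ends outside the hunk.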


@ -27,7 +27,7 @@ func Init(cfg *config.AppConfig) {
api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index/_search"), m.IndexRequired(handler.HandleSearchDocumentAction, "doc.search"))
api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index"), m.IndexRequired(handler.HandleAddDocumentAction, "doc.create"))
api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), m.IndexRequired(handler.HandleUpdateDocumentAction, "doc.create"))
api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), m.IndexRequired(handler.HandleUpdateDocumentAction, "doc.update"))
api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "doc/:index/:docId"), m.ClusterRequired(handler.HandleDeleteDocumentAction, "doc.delete"))
api.HandleAPIMethod(api.GET, path.Join(esPrefix, "doc/_validate"), handler.ValidateDocIDAction)
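Review bot: The DELETE route on `doc/:index/:docId` is wrapped with `m.ClusterRequired(..., "doc.delete")` while the sibling POST/PUT routes on the same `doc/:index` paths use `m.IndexRequired`, so deleting a document appears to be authorized at cluster level only and never checked against the caller's index privileges — unless ClusterRequired also consults the `:index` parameter, which this hunk does not show. Since the commit already corrects the PUT route's privilege name, it would be consistent to change that line to `api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "doc/:index/:docId"), m.IndexRequired(handler.HandleDeleteDocumentAction, "doc.delete"))`. Init's body continues outside the hunk.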


@ -2,6 +2,7 @@ package rbac
import (
"encoding/json"
"github.com/mitchellh/mapstructure"
"infini.sh/console/internal/biz"
"infini.sh/console/internal/biz/enum"
m "infini.sh/console/internal/middleware"
@ -11,7 +12,6 @@ import (
"os"
"path"
log "src/github.com/cihub/seelog"
"src/github.com/mitchellh/mapstructure"
)
type Rbac struct {
@ -73,30 +73,8 @@ func loadRolePermission() {
biz.RoleMap["admin"] = biz.Role{
Platform: enum.AdminPrivilege,
Cluster: []struct {
Id string `json:"id"`
Name string `json:"name"`
}{
{
Id: "c97rd2les10hml00pgh0",
Name: "docker-cluster",
},
},
ClusterPrivilege: []string{"cat.*"},
Index: []struct {
Name []string `json:"name"`
Privilege []string `json:"privilege"`
}{
{
Name: []string{".infini_rbac-role"},
Privilege: []string{"indices.get_mapping"},
},
{
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
Privilege: []string{"cat.*"},
},
},
}
res, err := biz.SearchRole("", 0, 1000)
if err != nil {
log.Error(err)
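Review bot: After this hunk `biz.RoleMap["admin"]` carries only `Platform: enum.AdminPrivilege` and no Cluster, ClusterPrivilege or Index entries; if the cluster/index validators and the new FilterCluster/FilterIndex helpers (which intersect against exactly those fields) have no explicit admin bypass, the built-in admin would be denied every cluster and index request, so this deserves a test alongside the ones added for the "test" role. Separately, `biz.SearchRole("", 0, 1000)` fetches a single page of at most 1000 roles at init, so roles beyond that page would presumably never be registered — fail-closed, but worth a comment such as `// NOTE: only the first 1000 roles are loaded; paginate if the role count can exceed this`. loadRolePermission continues outside the hunk.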


@ -56,17 +56,17 @@ func (h Rbac) SearchRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
res, err := biz.SearchRole(keyword, from, size)
if err != nil {
log.Error(err)
h.ErrorInternalServer(w, err.Error())
return
}
response := elastic.SearchResponse{}
util.FromJSONBytes(res.Raw, &response)
list := response.Hits.Hits
hits := response.Hits.Hits
list := make([]elastic.IndexDocument, 0)
total := response.GetTotal()
var index string
for _, v := range list {
for _, v := range hits {
index = v.Index
}
for k, v := range enum.BuildRoles {
@ -78,7 +78,7 @@ func (h Rbac) SearchRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
})
total++
}
list = append(list, hits...)
response.Hits.Hits = list
response.Hits.Total = total
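Review bot: In SearchRole the built-in roles from enum.BuildRoles are placed at the front of `list` and `total` is incremented once per built-in on every call regardless of `from`/`size`, so a client paging through results sees the built-ins repeated on each page and a total that is inflated on every page rather than once. Adding them only when `from == 0` (and counting them once) would keep pagination consistent; the same applies to `index`, which the `for _, v := range hits { index = v.Index }` loop takes from the last hit and which stays empty when the search returns no hits. The result of `util.FromJSONBytes(res.Raw, &response)` is also discarded, so a malformed body would be treated as zero hits — worth checking whether that helper reports an error. The function's body continues outside the hunks.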