From a051fe3debb05dba6c6a13bc24350fb33d24ba3e Mon Sep 17 00:00:00 2001
From: xushuhui
Date: Tue, 26 Apr 2022 10:52:32 +0800
Subject: [PATCH] fix: (rbac) cluster privilege change map to []string

---
 internal/biz/permission.go | 2 +-
 internal/biz/role.go | 36 ++++++--
 internal/biz/user.go | 2 +
 internal/biz/validate.go | 11 ++-
 internal/biz/validate_test.go | 155 ++++++++++++++++++++++++++++++++++
 model/rbac/role.go | 2 +-
 6 files changed, 197 insertions(+), 11 deletions(-)
 create mode 100644 internal/biz/validate_test.go

diff --git a/internal/biz/permission.go b/internal/biz/permission.go
index 994a5aae..c2d2af7a 100644
--- a/internal/biz/permission.go
+++ b/internal/biz/permission.go
@@ -15,7 +15,7 @@ type Role struct {
 Id string `json:"id"`
 Name string `json:"name"`
 } `json:"cluster,omitempty"`
- ClusterPrivilege []map[string][]string `json:"cluster_privilege,omitempty"`
+ ClusterPrivilege []string `json:"cluster_privilege,omitempty"`
 Index []struct {
 Name []string `json:"name"`
 Privilege []string `json:"privilege"`
diff --git a/internal/biz/role.go b/internal/biz/role.go
index 942a10df..899be203 100644
--- a/internal/biz/role.go
+++ b/internal/biz/role.go
@@ -31,15 +31,19 @@ type ConsoleRole struct {
 Platform []string `json:"platform,omitempty"`
 }
-type MenuPermission struct {
- Id string `json:"id"`
- Privilege string `json:"privilege"`
-}
 type ElasticsearchRole struct {
 Name string `json:"name"`
 Description string `json:"description" `
 RoleType string `json:"type" `
- rbac.ElasticRole
+ Cluster []struct {
+ Id string `json:"id"`
+ Name string `json:"name"`
+ } `json:"cluster,omitempty"`
+ ClusterPrivilege []string `json:"cluster_privilege,omitempty"`
+ Index []struct {
+ Name []string `json:"name"`
+ Privilege []string `json:"privilege"`
+ } `json:"index,omitempty"`
 }
 func NewRole(typ string) (r IRole, err error) {
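Review bot: Replacing the embedded `rbac.ElasticRole` in `ElasticsearchRole` with a hand-copied anonymous struct (the added `Cluster`/`ClusterPrivilege`/`Index` lines) leaves this commit with three identical anonymous struct shapes — here, `Role` in internal/biz/permission.go and `rbac.Role` in model/rbac/role.go. The `Cluster: model.Cluster` / `Index: model.Index` assignments in the later hunks compile only while those anonymous types remain identical, so adding a tag or field to one of them either breaks the build or silently decouples the request DTO from the stored model. A shared named type such as `type ClusterRef struct { Id, Name string }` (with the json tags) in model/rbac, referenced from all three, removes the duplication and keeps the wire shape in one place. `ConsoleRole` and `NewRole` start and end outside this hunk.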
@@ -63,12 +67,15 @@ func (role ConsoleRole) Update(localUser *User, model rbac.Role) (err error) {
 changeLog, _ := util.DiffTwoObject(model, role)
 model.Description = role.Description
 model.Platform = role.Platform
- model.Updated = time.Now()
 err = orm.Save(model)
 if err != nil {
 return
 }
+ RoleMap[role.Name] = Role{
+ Name: model.Name,
+ Platform: model.Platform,
+ }
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
@@ -100,6 +107,12 @@ func (role ElasticsearchRole) Update(localUser *User, model rbac.Role) (err erro
 if err != nil {
 return
 }
+ RoleMap[role.Name] = Role{
+ Name: model.Name,
+ Cluster: model.Cluster,
+ ClusterPrivilege: model.ClusterPrivilege,
+ Index: model.Index,
+ }
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
@@ -150,6 +163,10 @@ func (role ConsoleRole) Create(localUser *User) (id string, err error) {
 return
 }
 id = newRole.ID
+ RoleMap[role.Name] = Role{
+ Name: newRole.Name,
+ Platform: newRole.Platform,
+ }
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
@@ -210,6 +227,12 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
 return
 }
 id = newRole.ID
+ RoleMap[role.Name] = Role{
+ Name: newRole.Name,
+ Cluster: newRole.Cluster,
+ ClusterPrivilege: newRole.ClusterPrivilege,
+ Index: newRole.Index,
+ }
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
@@ -249,6 +272,7 @@ func DeleteRole(localUser *User, id string) (err error) {
 if err != nil {
 return
 }
+ delete(RoleMap, role.Name)
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
diff --git a/internal/biz/user.go b/internal/biz/user.go
index 85c6d715..b9a1f3f1 100644
--- a/internal/biz/user.go
+++ b/internal/biz/user.go
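Review bot: `model.Updated = time.Now()` is removed from `ConsoleRole.Update` with nothing setting the timestamp in its place, so unless `orm.Save` stamps it (not visible in this diff) the audit field stops advancing on console-role edits, which matters for an RBAC change trail. In the same hunk the cache write is keyed by the request's `role.Name` while the persisted record is `model.Name`; if a caller sends a different name, the entry under the stored name is never refreshed and keeps granting the pre-update platform set until the process restarts. Key the cache by the stored name, `RoleMap[model.Name] = Role{...}`, and either restore the `Updated` assignment or note in a comment where it is now set. The function continues past the end of this hunk.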
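Review bot: `RoleMap[role.Name] = Role{...}` in `ElasticsearchRole.Update` (and the matching writes in both Create hunks plus `delete(RoleMap, role.Name)` in `DeleteRole`) mutates a package-level map that `CombineUserRoles` reads on the request-authorization path; unless `RoleMap` is guarded where it is declared (not in this diff), that is a data race, and the Go runtime aborts the whole process on a concurrent map read and write, so a single role edit under traffic becomes a crash. Put the map behind a `sync.RWMutex` (write-lock around each of these mutations, read-lock in `CombineUserRoles`) or a small accessor type, and document the locking rule on the declaration. The four value constructions differ only in which fields they copy, so one helper such as `cacheRole(r rbac.Role) Role` would also prevent a future field being copied at one call site and forgotten at another.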
@@ -28,6 +28,7 @@ func DeleteUser(localUser *User, id string) (err error) {
 if err != nil {
 return
 }
+
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
@@ -190,6 +191,7 @@ func UpdateUserRole(localUser *User, id string, req dto.UpdateUserRole) (err err
 if err != nil {
 return
 }
+
 err = orm.Save(GenerateEvent(event.ActivityMetadata{
 Category: "platform",
 Group: "rbac",
diff --git a/internal/biz/validate.go b/internal/biz/validate.go
index 1d46ccfa..80e6a818 100644
--- a/internal/biz/validate.go
+++ b/internal/biz/validate.go
@@ -89,18 +89,23 @@ func validateCluster(req EsRequest, userRole RolePermission, route string) (err
 }
 }
 return errors.New("no cluster api permission")
+}
+func FilterCluster() {
+
 }
 func CombineUserRoles(roleNames []string) RolePermission {
 newRole := RolePermission{}
- for _, v := range roleNames {
- role := RoleMap[v]
+ for _, val := range roleNames {
+ role := RoleMap[val]
 for _, v := range role.Cluster {
 newRole.Cluster = append(newRole.Cluster, v.Id)
 }
+ for _, v := range role.ClusterPrivilege {
+ newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, v)
+ }
 for _, v := range role.Platform {
 newRole.Platform = append(newRole.Platform, v)
 }
-
 for _, v := range role.Index {
 newRole.Index = append(newRole.Index, v.Name...)
 newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...)
diff --git a/internal/biz/validate_test.go b/internal/biz/validate_test.go
new file mode 100644
index 00000000..cd7fc47f
--- /dev/null
+++ b/internal/biz/validate_test.go
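Review bot: The new `for _, v := range role.ClusterPrivilege` loop in `CombineUserRoles` appends every role's cluster privileges into one flat list next to a flat list of cluster ids, so the binding between a cluster and the privileges a given role granted on it is lost: a user holding role A (cluster1, `cat.*`) and role B (cluster2, some write privilege) appears to end up with B's privilege on cluster1, since the `RolePermission` fields exercised by the new tests are parallel slices with nothing to re-pair them. The pre-existing `Index`/`IndexPrivilege` lines at the bottom of the hunk have the same shape, and `validateCluster`/`validateIndex` (outside this hunk) cannot recover the pairing from these inputs. Keep the pairing while combining — for example accumulate a `map[string][]string` from cluster id (and from index name) to privileges — and have the validators look up the privilege set for the specific target in the request. The exported stub `func FilterCluster() {}` added above is empty and undocumented; drop it or give it a `// TODO(rbac): ...` comment saying what it is meant to filter. `validateCluster` begins before this hunk.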
@@ -0,0 +1,155 @@
+package biz
+
+import (
+ "github.com/stretchr/testify/assert"
+ "testing"
+)
+
+func Test_validateIndex(t *testing.T) {
+ type args struct {
+ req EsRequest
+ userRole RolePermission
+ route string
+ }
+ tests := []struct {
+ name string
+ args args
+ want string
+ }{
+ {"no index permission",
+ args{
+ req: EsRequest{
+ Method: "GET",
+ Cluster: []string{"cluster1"},
+ Index: []string{"index2"},
+ Path: "/index1/_mapping",
+ },
+ userRole: RolePermission{
+ Cluster: []string{
+ "cluster1",
+ },
+ Index: []string{
+ "index1",
+ },
+ ClusterPrivilege: []string{
+ "cat.*",
+ },
+ IndexPrivilege: []string{
+ "indices.get_mapping",
+ },
+ },
+ route: "indices.get_mapping",
+ }, "no index permission",
+ },
+ {"no index api permission",
+ args{
+ req: EsRequest{
+ Method: "GET",
+ Cluster: []string{"cluster1"},
+ Index: []string{"index1"},
+ Path: "/index1/_mapping",
+ },
+ userRole: RolePermission{
+ Cluster: []string{
+ "cluster1",
+ },
+ Index: []string{
+
+ "index1",
+ },
+ ClusterPrivilege: []string{
+ "cat.*",
+ },
+ IndexPrivilege: []string{
+ "indices.delete",
+ },
+ },
+ route: "indices.get_mapping",
+ },
+ "no index api permission",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+
+ got := validateIndex(tt.args.req, tt.args.userRole, tt.args.route)
+
+ assert.EqualError(t, got, tt.want)
+ })
+ }
+}
+func Test_validateCluster(t *testing.T) {
+ type args struct {
+ req EsRequest
+ userRole RolePermission
+ route string
+ }
+ tests := []struct {
+ name string
+ args args
+ want string
+ }{
+ {"no cluster permission",
+ args{
+ req: EsRequest{
+ Method: "GET",
+ Cluster: []string{"cluster1"},
+ Index: []string{"index2"},
+ Path: "/index1/_mapping",
+ },
+ userRole: RolePermission{
+ Cluster: []string{
+ "cluster2",
+ },
+ Index: []string{
+ "index1",
+ },
+ ClusterPrivilege: []string{
+ "cat.*",
+ },
+ IndexPrivilege: []string{
+ "indices.get_mapping",
+ },
+ },
+ route: "indices.get_mapping",
+ }, "no cluster permission",
+ },
+ {"no cluster api permission",
+ args{
+ req: EsRequest{
+ Method: "GET",
+ Cluster: []string{"cluster1"},
+ Index: []string{"index1"},
+ Path: "/index1/_mapping",
+ },
+ userRole: RolePermission{
+ Cluster: []string{
+ "cluster1",
+ },
+ Index: []string{
+
+ "index1",
+ },
+ ClusterPrivilege: []string{
+ "cat.*",
+ },
+ IndexPrivilege: []string{
+ "indices.delete",
+ },
+ },
+ route: "indices.get_mapping",
+ },
+ "no cluster api permission",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+
+ got := validateCluster(tt.args.req, tt.args.userRole, tt.args.route)
+
+ assert.EqualError(t, got, tt.want)
+ })
+ }
+}
diff --git a/model/rbac/role.go b/model/rbac/role.go
index 41fb8cf1..ae17b596 100644
--- a/model/rbac/role.go
+++ b/model/rbac/role.go
@@ -16,7 +16,7 @@ type Role struct {
 Id string `json:"id"`
 Name string `json:"name"`
 } `json:"cluster,omitempty"`
- ClusterPrivilege []map[string][]string `json:"cluster_privilege,omitempty"`
+ ClusterPrivilege []string `json:"cluster_privilege,omitempty"`
 Index []struct {
 Name []string `json:"name"`
 Privilege []string `json:"privilege"`
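Review bot: Every case in `Test_validateIndex` and `Test_validateCluster` asserts a denial through `assert.EqualError`, and none asserts that an authorised request returns nil, so a validator that rejects everything — or one whose `cat.*` wildcard in `ClusterPrivilege` never matches — passes this suite unchanged. Add at least one allow case per function, e.g. cluster `cluster1` with route `cat.indices` checked by `assert.NoError(t, got)`, plus a wildcard-versus-literal pair so the matching rule is pinned rather than assumed. `CombineUserRoles`, the function this commit actually changes, has no test here; a case that combines two roles with different cluster/privilege sets would also document the intended union semantics before anyone relies on them.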