floraachy
/
console
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: (rbac) cluster privilege change map to []string

This commit is contained in:
xushuhui 2022-04-26 10:52:32 +08:00
parent c879a6aa9e
commit a051fe3deb
6 changed files with 197 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/biz/permission.go
View File

@ -15,7 +15,7 @@ type Role struct {
Id string `json:"id"` Id string `json:"id"`
Name string `json:"name"` Name string `json:"name"`
} `json:"cluster,omitempty"` } `json:"cluster,omitempty"`
ClusterPrivilege []map[string][]string `json:"cluster_privilege,omitempty"` ClusterPrivilege []string `json:"cluster_privilege,omitempty"`
Index []struct { Index []struct {
Name []string `json:"name"` Name []string `json:"name"`
Privilege []string `json:"privilege"` Privilege []string `json:"privilege"`

36
internal/biz/role.go
View File

@ -31,15 +31,19 @@ type ConsoleRole struct {
Platform []string `json:"platform,omitempty"` Platform []string `json:"platform,omitempty"`
} }
type MenuPermission struct {
Id string `json:"id"`
Privilege string `json:"privilege"`
}
type ElasticsearchRole struct { type ElasticsearchRole struct {
Name string `json:"name"` Name string `json:"name"`
Description string `json:"description" ` Description string `json:"description" `
RoleType string `json:"type" ` RoleType string `json:"type" `
rbac.ElasticRole Cluster []struct {
Id string `json:"id"`
Name string `json:"name"`
} `json:"cluster,omitempty"`
ClusterPrivilege []string `json:"cluster_privilege,omitempty"`
Index []struct {
Name []string `json:"name"`
Privilege []string `json:"privilege"`
} `json:"index,omitempty"`
} }
func NewRole(typ string) (r IRole, err error) { func NewRole(typ string) (r IRole, err error) {
@ -63,12 +67,15 @@ func (role ConsoleRole) Update(localUser *User, model rbac.Role) (err error) {
changeLog, _ := util.DiffTwoObject(model, role) changeLog, _ := util.DiffTwoObject(model, role)
model.Description = role.Description model.Description = role.Description
model.Platform = role.Platform model.Platform = role.Platform
model.Updated = time.Now() model.Updated = time.Now()
err = orm.Save(model) err = orm.Save(model)
if err != nil { if err != nil {
return return
} }
RoleMap[role.Name] = Role{
Name: model.Name,
Platform: model.Platform,
}
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",
@ -100,6 +107,12 @@ func (role ElasticsearchRole) Update(localUser *User, model rbac.Role) (err erro
if err != nil { if err != nil {
return return
} }
RoleMap[role.Name] = Role{
Name: model.Name,
Cluster: model.Cluster,
ClusterPrivilege: model.ClusterPrivilege,
Index: model.Index,
}
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",
@ -150,6 +163,10 @@ func (role ConsoleRole) Create(localUser *User) (id string, err error) {
return return
} }
id = newRole.ID id = newRole.ID
RoleMap[role.Name] = Role{
Name: newRole.Name,
Platform: newRole.Platform,
}
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",
@ -210,6 +227,12 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
return return
} }
id = newRole.ID id = newRole.ID
RoleMap[role.Name] = Role{
Name: newRole.Name,
Cluster: newRole.Cluster,
ClusterPrivilege: newRole.ClusterPrivilege,
Index: newRole.Index,
}
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",
@ -249,6 +272,7 @@ func DeleteRole(localUser *User, id string) (err error) {
if err != nil { if err != nil {
return return
} }
delete(RoleMap, role.Name)
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",

2
internal/biz/user.go
View File

@ -28,6 +28,7 @@ func DeleteUser(localUser *User, id string) (err error) {
if err != nil { if err != nil {
return return
} }
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",
@ -190,6 +191,7 @@ func UpdateUserRole(localUser *User, id string, req dto.UpdateUserRole) (err err
if err != nil { if err != nil {
return return
} }
err = orm.Save(GenerateEvent(event.ActivityMetadata{ err = orm.Save(GenerateEvent(event.ActivityMetadata{
Category: "platform", Category: "platform",
Group: "rbac", Group: "rbac",

11
internal/biz/validate.go
View File

@ -89,18 +89,23 @@ func validateCluster(req EsRequest, userRole RolePermission, route string) (err
} }
} }
return errors.New("no cluster api permission") return errors.New("no cluster api permission")
}
func FilterCluster() {
} }
func CombineUserRoles(roleNames []string) RolePermission { func CombineUserRoles(roleNames []string) RolePermission {
newRole := RolePermission{} newRole := RolePermission{}
for _, v := range roleNames { for _, val := range roleNames {
role := RoleMap[v] role := RoleMap[val]
for _, v := range role.Cluster { for _, v := range role.Cluster {
newRole.Cluster = append(newRole.Cluster, v.Id) newRole.Cluster = append(newRole.Cluster, v.Id)
} }
for _, v := range role.ClusterPrivilege {
newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, v)
}
for _, v := range role.Platform { for _, v := range role.Platform {
newRole.Platform = append(newRole.Platform, v) newRole.Platform = append(newRole.Platform, v)
} }
for _, v := range role.Index { for _, v := range role.Index {
newRole.Index = append(newRole.Index, v.Name...) newRole.Index = append(newRole.Index, v.Name...)
newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...) newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...)

155
internal/biz/validate_test.go Normal file
View File

@ -0,0 +1,155 @@
package biz
import (
"github.com/stretchr/testify/assert"
"testing"
)
func Test_validateIndex(t *testing.T) {
type args struct {
req EsRequest
userRole RolePermission
route string
}
tests := []struct {
name string
args args
want string
}{
{"no index permission",
args{
req: EsRequest{
Method: "GET",
Cluster: []string{"cluster1"},
Index: []string{"index2"},
Path: "/index1/_mapping",
},
userRole: RolePermission{
Cluster: []string{
"cluster1",
},
Index: []string{
"index1",
},
ClusterPrivilege: []string{
"cat.*",
},
IndexPrivilege: []string{
"indices.get_mapping",
},
},
route: "indices.get_mapping",
}, "no index permission",
},
{"no index api permission",
args{
req: EsRequest{
Method: "GET",
Cluster: []string{"cluster1"},
Index: []string{"index1"},
Path: "/index1/_mapping",
},
userRole: RolePermission{
Cluster: []string{
"cluster1",
},
Index: []string{
"index1",
},
ClusterPrivilege: []string{
"cat.*",
},
IndexPrivilege: []string{
"indices.delete",
},
},
route: "indices.get_mapping",
},
"no index api permission",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := validateIndex(tt.args.req, tt.args.userRole, tt.args.route)
assert.EqualError(t, got, tt.want)
})
}
}
func Test_validateCluster(t *testing.T) {
type args struct {
req EsRequest
userRole RolePermission
route string
}
tests := []struct {
name string
args args
want string
}{
{"no cluster permission",
args{
req: EsRequest{
Method: "GET",
Cluster: []string{"cluster1"},
Index: []string{"index2"},
Path: "/index1/_mapping",
},
userRole: RolePermission{
Cluster: []string{
"cluster2",
},
Index: []string{
"index1",
},
ClusterPrivilege: []string{
"cat.*",
},
IndexPrivilege: []string{
"indices.get_mapping",
},
},
route: "indices.get_mapping",
}, "no cluster permission",
},
{"no cluster api permission",
args{
req: EsRequest{
Method: "GET",
Cluster: []string{"cluster1"},
Index: []string{"index1"},
Path: "/index1/_mapping",
},
userRole: RolePermission{
Cluster: []string{
"cluster1",
},
Index: []string{
"index1",
},
ClusterPrivilege: []string{
"cat.*",
},
IndexPrivilege: []string{
"indices.delete",
},
},
route: "indices.get_mapping",
},
"no cluster api permission",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := validateCluster(tt.args.req, tt.args.userRole, tt.args.route)
assert.EqualError(t, got, tt.want)
})
}
}

2
model/rbac/role.go
View File

@ -16,7 +16,7 @@ type Role struct {
Id string `json:"id"` Id string `json:"id"`
Name string `json:"name"` Name string `json:"name"`
} `json:"cluster,omitempty"` } `json:"cluster,omitempty"`
ClusterPrivilege []map[string][]string `json:"cluster_privilege,omitempty"` ClusterPrivilege []string `json:"cluster_privilege,omitempty"`
Index []struct { Index []struct {
Name []string `json:"name"` Name []string `json:"name"`
Privilege []string `json:"privilege"` Privilege []string `json:"privilege"`