diff --git a/internal/biz/enum/const.go b/internal/biz/enum/const.go
index 3992f463..5a313392 100644
--- a/internal/biz/enum/const.go
+++ b/internal/biz/enum/const.go
@@ -41,59 +41,90 @@ const ( ClusterOverviewRead = "cluster.overview:read" ClusterOverviewAll = "cluster.overview:all" - ElasticsearchRead = "cluster.elasticsearch:read" - ElasticsearchAll = "cluster.elasticsearch:all" + MonitoringRead = "cluster.monitoring:read" + MonitoringAll = "cluster.monitoring:all" ActivitiesRead = "cluster.activities:read" ActivitiesAll = "cluster.activities:all" ) +const ( + PermissionUserRead string = "user:read" + PermissionUserWrite = "user:write" + PermissionRoleRead = "role:read" + PermissionRoleWrite = "role:write" + PermissionCommandRead = "command:read" + PermissionCommandWrite = "command:write" + PermissionElasticsearchClusterRead = "es.cluster:read" + PermissionElasticsearchClusterWrite = "es.cluster:write" // es cluster + PermissionElasticsearchIndexRead = "es.index:read" + PermissionElasticsearchIndexWrite = "es.index:write" // es index metadata + PermissionElasticsearchNodeRead = "es.node:read" //es node metadata + PermissionActivityRead = "activity:read" + PermissionActivityWrite = "activity:write" + PermissionAlertRuleRead = "alert.rule:read" + PermissionAlertRuleWrite = "alert.rule:write" + PermissionAlertHistoryRead = "alert.history:read" + PermissionAlertHistoryWrite = "alert.history:write" + PermissionAlertChannelRead = "alert.channel:read" + PermissionAlertChannelWrite = "alert.channel:write" + PermissionViewRead = "view:read" + PermissionViewWrite = "view:write" + PermissionGatewayInstanceRead = "gateway.instance:read" + PermissionGatewayInstanceWrite = "gateway.instance:write" + PermissionGatewayEntryRead = "gateway.entry:read" + PermissionGatewayEntryWrite = "gateway.entry:write" + PermissionGatewayRouterRead = "gateway.router:read" + PermissionGatewayRouterWrite = "gateway.router:write" + PermissionGatewayFlowRead = "gateway.flow:read" + PermissionGatewayFlowWrite = "gateway.flow:write" + PermissionElasticsearchMetricRead = "es.metric:read" +) + var ( - UserReadPermission = []string{"user:read"} - UserAllPermission = 
[]string{"user:read", "user:write"} + UserReadPermission = []string{PermissionUserRead} + UserAllPermission = []string{PermissionUserRead, PermissionUserWrite,PermissionRoleRead} - RoleReadPermission = []string{"role:read"} - RoleAllPermission = []string{"role:read", "role:write"} + RoleReadPermission = []string{PermissionRoleRead} + RoleAllPermission = []string{PermissionRoleRead, PermissionRoleWrite} - ClusterReadPermission = []string{"cluster:read"} - ClusterAllPermission = []string{"cluster:read", "cluster:write"} + ClusterReadPermission = []string{PermissionElasticsearchClusterRead} + ClusterAllPermission = []string{PermissionElasticsearchClusterRead, PermissionElasticsearchClusterWrite} - CommandReadPermission = []string{"command:read"} - CommandAllPermission = []string{"command:read", "command:write"} + CommandReadPermission = []string{PermissionCommandRead} + CommandAllPermission = []string{PermissionCommandRead, PermissionCommandWrite} - InstanceReadPermission = []string{"instance:read"} - InstanceAllPermission = []string{"instance:read", "instance:write"} + InstanceReadPermission = []string{PermissionGatewayInstanceRead} + InstanceAllPermission = []string{PermissionGatewayInstanceRead,PermissionGatewayInstanceWrite} - EntryReadPermission = []string{"entry:read"} - EntryAllPermission = []string{"entry:read", "entry:write"} + EntryReadPermission = []string{PermissionGatewayEntryRead} + EntryAllPermission = []string{PermissionGatewayEntryRead, PermissionGatewayEntryWrite} - RouterReadPermission = []string{"router:read"} - RouterAllPermission = []string{"router:read", "entry:write"} + RouterReadPermission = []string{PermissionGatewayRouterRead} + RouterAllPermission = []string{PermissionGatewayRouterRead, PermissionGatewayRouterWrite} - FlowReadPermission = []string{"flow:read"} - FlowAllPermission = []string{"flow:read", "flow:write"} + FlowReadPermission = []string{PermissionGatewayFlowRead} + FlowAllPermission = []string{PermissionGatewayFlowRead, 
PermissionGatewayFlowWrite} IndexAllPermission = []string{"index:read"} IndexReadPermission = []string{"index:read", "index:write"} - ViewsAllPermission = []string{"views:read"} - ViewsReadPermission = []string{"views:read", "views:write"} - DiscoverReadPermission = []string{"discover:read"} - DiscoverAllPermission = []string{"discover:read", "discover:write"} + ViewsAllPermission = []string{PermissionViewRead} + ViewsReadPermission = []string{PermissionViewRead, PermissionViewWrite} + DiscoverReadPermission = []string{PermissionViewRead} + DiscoverAllPermission = []string{PermissionViewRead} - RuleReadPermission = []string{"rule:read"} - RuleAllPermission = []string{"rule:read", "rule:write"} - AlertReadPermission = []string{"alert:read"} - AlertAllPermission = []string{"alert:read", "alert:write"} - ChannelReadPermission = []string{"channel:read"} - ChannelAllPermission = []string{"channel:read", "channel:write"} + RuleReadPermission = []string{PermissionAlertRuleRead} + RuleAllPermission = []string{PermissionAlertRuleRead, PermissionAlertRuleWrite} + AlertReadPermission = []string{PermissionAlertHistoryRead} + AlertAllPermission = []string{PermissionAlertHistoryRead, PermissionAlertHistoryWrite} + ChannelReadPermission = []string{PermissionAlertChannelRead} + ChannelAllPermission = []string{PermissionAlertChannelRead, PermissionAlertChannelWrite} - ClusterOverviewReadPermission = []string{"clusterOverview:read"} - ClusterOverviewAllPermission = []string{"clusterOverview:read", "clusterOverview:write"} + ClusterOverviewReadPermission = []string{PermissionElasticsearchClusterRead, PermissionElasticsearchIndexRead, PermissionElasticsearchNodeRead, PermissionElasticsearchMetricRead} + ClusterOverviewAllPermission = ClusterOverviewReadPermission + MonitoringReadPermission = ClusterOverviewAllPermission - ElasticsearchReadPermission = []string{"elasticsearch:read"} - ElasticsearchAllPermission = []string{"elasticsearch:read", "elasticsearch:write"} - - 
ActivitiesReadPermission = []string{"activities:read"} - ActivitiesAllPermission = []string{"activities:read", "activities:write"} + ActivitiesReadPermission = []string{PermissionActivityRead} + ActivitiesAllPermission = []string{PermissionActivityRead, PermissionActivityWrite} ) var AdminPrivilege = []string{ @@ -101,7 +132,7 @@ var AdminPrivilege = []string{ InstanceAll, EntryAll, RouterAll, FlowAll, IndexAll, ViewsAll, DiscoverAll, RuleAll, AlertAll, ChannelAll, - ClusterOverviewAll, ElasticsearchAll, ActivitiesAll, + ClusterOverviewAll, MonitoringAll, ActivitiesAll, } var BuildRoles = make(map[string]map[string]interface{}, 0) @@ -111,7 +142,7 @@ func init() { BuildRoles["admin"] = map[string]interface{}{ "id": "admin", "name": "管理员", - "type": "console", + "type": "platform", "platform": AdminPrivilege, "builtin": true, "description": "is admin", @@ -152,8 +183,8 @@ func init() { ClusterOverviewRead: ClusterOverviewReadPermission, ClusterOverviewAll: ClusterOverviewAllPermission, - ElasticsearchAll: ElasticsearchAllPermission, - ElasticsearchRead: ElasticsearchReadPermission, + MonitoringAll: MonitoringReadPermission, + MonitoringRead: MonitoringReadPermission, ActivitiesAll: ActivitiesAllPermission, ActivitiesRead: ActivitiesReadPermission, } diff --git a/internal/biz/permission.go b/internal/biz/permission.go index 5a5234a0..f9ba38a5 100644 --- a/internal/biz/permission.go +++ b/internal/biz/permission.go @@ -29,7 +29,6 @@ type RolePermission struct { IndexPrivilege map[string][]string `json:"index_privilege"` } - func ListElasticsearchPermission() interface{} { list := ElasticsearchPermission{ ClusterPrivileges: ClusterApis, diff --git a/internal/biz/validate.go b/internal/biz/validate.go index 923738b7..7ecf1509 100644 --- a/internal/biz/validate.go +++ b/internal/biz/validate.go 
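Review bot: `ViewsReadPermission` on the new side is `[]string{PermissionViewRead, PermissionViewWrite}` while `ViewsAllPermission` is only `[]string{PermissionViewRead}` — the read and all lists are swapped, so a role granted the read-only views privilege ends up holding `view:write`. The unchanged `IndexAllPermission`/`IndexReadPermission` lines just above show the same inversion (`index:write` sits in the Read list), which this commit does not touch. Suggested fix: `ViewsReadPermission = []string{PermissionViewRead}` and `ViewsAllPermission = []string{PermissionViewRead, PermissionViewWrite}`, and the matching swap for the index pair. Separately, `UserAllPermission = []string{PermissionUserRead, PermissionUserWrite,PermissionRoleRead}` is not gofmt-clean and quietly widens the user privilege to include `role:read`; if that widening is intended, a one-line comment saying why (e.g. role listing is needed to assign roles) would stop the next reader from "fixing" it.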
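Review bot: `MonitoringAll: MonitoringReadPermission` maps the `cluster.monitoring:all` privilege to the same list as `cluster.monitoring:read`, so `all` grants nothing beyond read; every other `*All` entry in this map points at a `*AllPermission` list, so if monitoring is intentionally read-only that should be stated, e.g. `// MonitoringAll is deliberately read-only: there is no monitoring write permission.`. Note also that `MonitoringReadPermission`, `ClusterOverviewAllPermission` and `ClusterOverviewReadPermission` are assigned from one another in the @@ -41 hunk (`ClusterOverviewAllPermission = ClusterOverviewReadPermission`), so the three names share one backing array and an index write through any of them changes all three; if these lists are ever mutated after init, give each its own literal or copy. The enclosing `init()` starts and ends outside the hunk.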
@@ -191,7 +191,7 @@ func ValidateLogin(authorizationHeader string) (clams *UserClaims, err error) { err = errors.New("user id is empty") return } - fmt.Println("user token", clams.UserId, TokenMap[clams.UserId]) + //fmt.Println("user token", clams.UserId, TokenMap[clams.UserId]) tokenVal, ok := TokenMap[clams.UserId] if !ok { err = errors.New("token is invalid") @@ -227,12 +227,6 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) { if _, ok := RoleMap[role]; ok { for _, v := range RoleMap[role].Privilege.Platform { userPermissions = append(userPermissions, v) - - //all include read - if strings.Contains(v, "all") { - key := v[:len(v)-3] + "read" - userPermissions = append(userPermissions, key) - } } } } @@ -244,17 +238,12 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) { } - var count int for _, v := range permissions { - if _, ok := userPermissionMap[v]; ok { - count++ - continue + if _, ok := userPermissionMap[v]; !ok { + err = errors.New("permission denied") + return } } - if count == len(permissions) { - return nil - } - err = errors.New("permission denied") - return + return nil } diff --git a/internal/biz/validate_test.go b/internal/biz/validate_test.go index a1b82c1c..345e12f4 100644 --- a/internal/biz/validate_test.go +++ b/internal/biz/validate_test.go 
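Review bot: The debug print that wrote `TokenMap[clams.UserId]` — the server-side token value for that user — to stdout is commented out rather than removed, leaving a one-character edit between the code and a secret leak in the logs. Delete `//fmt.Println("user token", clams.UserId, TokenMap[clams.UserId])` outright; if a trace is wanted, log only `clams.UserId`, never the token. If `fmt` is used nowhere else in validate.go the import has to go as well or the file will not compile. The enclosing `ValidateLogin` starts and ends outside the hunk.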
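Review bot: Dropping the `*:all` ⇒ `*:read` synthesis makes a role that holds only an `all` privilege pass a `read` check only if the privilege-to-permission expansion (presumably done where `userPermissionMap` is built, between this hunk and the next) maps each `*All` key to a list that contains the matching read constant; in const.go every `*AllPermission` list currently does include its read entry, but that invariant is now load-bearing and nothing says so. Add a comment on the loop, e.g. `// No implicit all=>read here: every *AllPermission list in enum/const.go must list its read permission explicitly.`, and ideally a test that walks the map and asserts it. If `strings` was only used by the removed block, its import must be removed or validate.go will not build. `ValidatePermission` starts and ends outside the hunk.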
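Review bot: The rewritten loop preserves the old behaviour that an empty or nil `permissions` slice returns nil, i.e. grants access; that reads as a deliberate "nothing required" semantic, but a handler that forgets to pass its permission list hits it silently, so it should be documented on the function (its signature is outside the hunk): `// ValidatePermission returns nil when every entry of permissions is held by one of the caller's roles; an empty permissions slice is always allowed.`. Returning on the first missing entry is fine and correctly avoids telling the caller which permission was missing — keep the opaque `permission denied` text. Consider a package-level `var ErrPermissionDenied = errors.New("permission denied")` so callers can use `errors.Is` rather than comparing the message string.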
@@ -145,152 +145,3 @@ func TestStringInArray(t *testing.T) { assert.Equal(t, true, util.StringInArray(array, "c")) assert.Equal(t, false, util.StringInArray(array, "h")) } -func TestFilterCluster(t *testing.T) { - RoleMap["test"] = Role{ - Cluster: []struct { - Id string `json:"id"` - Name string `json:"name"` - }{ - { - Id: "c97rd2les10hml00pgh0", - Name: "docker-cluster", - }, - }, - ClusterPrivilege: []string{"cat.*"}, - Index: []struct { - Name []string `json:"name"` - Privilege []string `json:"privilege"` - }{ - { - Name: []string{".infini_rbac-role"}, - Privilege: []string{"indices.get_mapping"}, - }, - { - Name: []string{".infini_rbac-user", ".infini_rbac-role"}, - Privilege: []string{"cat.*"}, - }, - }, - } - type args struct { - roles []string - cluster []string - } - tests := []struct { - name string - args args - want []string - }{ - { - name: "empty", - args: args{ - roles: []string{"test"}, - cluster: []string{ - "cluser1", "cluster2", - }, - }, - want: []string{}, - }, - { - name: "one", - args: args{ - roles: []string{"test"}, - cluster: []string{ - "cluser1", "cluster2", "c97rd2les10hml00pgh0", - }, - }, - want: []string{"c97rd2les10hml00pgh0"}, - }, - { - name: "only", - args: args{ - roles: []string{"test"}, - cluster: []string{ - "c97rd2les10hml00pgh0", - }, - }, - want: []string{"c97rd2les10hml00pgh0"}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := FilterCluster(tt.args.roles, tt.args.cluster) - assert.Equal(t, got, tt.want) - }) - } - -} -func TestFilterIndex(t *testing.T) { - RoleMap["test"] = Role{ - Cluster: []struct { - Id string `json:"id"` - Name string `json:"name"` - }{ - { - Id: "c97rd2les10hml00pgh0", - Name: "docker-cluster", - }, - }, - ClusterPrivilege: []string{"cat.*"}, - Index: []struct { - Name []string `json:"name"` - Privilege []string `json:"privilege"` - }{ - { - Name: []string{".infini_rbac-role"}, - Privilege: []string{"indices.get_mapping"}, - }, - { - Name: 
[]string{".infini_rbac-user", ".infini_rbac-role"}, - Privilege: []string{"cat.*"}, - }, - }, - } - - type args struct { - roles []string - index []string - } - tests := []struct { - name string - args args - want []string - }{ - { - name: "empty", - args: args{ - roles: []string{"test"}, - index: []string{ - "index1", "index2", - }, - }, - want: []string{}, - }, - { - name: "one", - args: args{ - roles: []string{"test"}, - index: []string{ - "index1", "index2", ".infini_rbac-user", - }, - }, - want: []string{".infini_rbac-user"}, - }, - { - name: "only", - args: args{ - roles: []string{"test"}, - index: []string{ - ".infini_rbac-user", - }, - }, - want: []string{".infini_rbac-user"}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := FilterIndex(tt.args.roles, tt.args.index) - assert.Equal(t, got, tt.want) - }) - } - -}