floraachy
/
console
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update platform permission enum

This commit is contained in:
liugq 2022-05-06 18:04:01 +08:00
parent 51497469e4
commit abe934cef3
4 changed files with 75 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
internal/biz/enum/const.go
View File

@ -41,59 +41,90 @@ const (
ClusterOverviewRead = "cluster.overview:read" ClusterOverviewRead = "cluster.overview:read"
ClusterOverviewAll = "cluster.overview:all" ClusterOverviewAll = "cluster.overview:all"
ElasticsearchRead = "cluster.elasticsearch:read" MonitoringRead = "cluster.monitoring:read"
ElasticsearchAll = "cluster.elasticsearch:all" MonitoringAll = "cluster.monitoring:all"
ActivitiesRead = "cluster.activities:read" ActivitiesRead = "cluster.activities:read"
ActivitiesAll = "cluster.activities:all" ActivitiesAll = "cluster.activities:all"
) )
const (
PermissionUserRead string = "user:read"
PermissionUserWrite = "user:write"
PermissionRoleRead = "role:read"
PermissionRoleWrite = "role:write"
PermissionCommandRead = "command:read"
PermissionCommandWrite = "command:write"
PermissionElasticsearchClusterRead = "es.cluster:read"
PermissionElasticsearchClusterWrite = "es.cluster:write" // es cluster
PermissionElasticsearchIndexRead = "es.index:read"
PermissionElasticsearchIndexWrite = "es.index:write" // es index metadata
PermissionElasticsearchNodeRead = "es.node:read" //es node metadata
PermissionActivityRead = "activity:read"
PermissionActivityWrite = "activity:write"
PermissionAlertRuleRead = "alert.rule:read"
PermissionAlertRuleWrite = "alert.rule:write"
PermissionAlertHistoryRead = "alert.history:read"
PermissionAlertHistoryWrite = "alert.history:write"
PermissionAlertChannelRead = "alert.channel:read"
PermissionAlertChannelWrite = "alert.channel:write"
PermissionViewRead = "view:read"
PermissionViewWrite = "view:write"
PermissionGatewayInstanceRead = "gateway.instance:read"
PermissionGatewayInstanceWrite = "gateway.instance:write"
PermissionGatewayEntryRead = "gateway.entry:read"
PermissionGatewayEntryWrite = "gateway.entry:write"
PermissionGatewayRouterRead = "gateway.router:read"
PermissionGatewayRouterWrite = "gateway.router:write"
PermissionGatewayFlowRead = "gateway.flow:read"
PermissionGatewayFlowWrite = "gateway.flow:write"
PermissionElasticsearchMetricRead = "es.metric:read"
)
var ( var (
UserReadPermission = []string{"user:read"} UserReadPermission = []string{PermissionUserRead}
UserAllPermission = []string{"user:read", "user:write"} UserAllPermission = []string{PermissionUserRead, PermissionUserWrite,PermissionRoleRead}
RoleReadPermission = []string{"role:read"} RoleReadPermission = []string{PermissionRoleRead}
RoleAllPermission = []string{"role:read", "role:write"} RoleAllPermission = []string{PermissionRoleRead, PermissionRoleWrite}
ClusterReadPermission = []string{"cluster:read"} ClusterReadPermission = []string{PermissionElasticsearchClusterRead}
ClusterAllPermission = []string{"cluster:read", "cluster:write"} ClusterAllPermission = []string{PermissionElasticsearchClusterRead, PermissionElasticsearchClusterWrite}
CommandReadPermission = []string{"command:read"} CommandReadPermission = []string{PermissionCommandRead}
CommandAllPermission = []string{"command:read", "command:write"} CommandAllPermission = []string{PermissionCommandRead, PermissionCommandWrite}
InstanceReadPermission = []string{"instance:read"} InstanceReadPermission = []string{PermissionGatewayInstanceRead}
InstanceAllPermission = []string{"instance:read", "instance:write"} InstanceAllPermission = []string{PermissionGatewayInstanceRead,PermissionGatewayInstanceWrite}
EntryReadPermission = []string{"entry:read"} EntryReadPermission = []string{PermissionGatewayEntryRead}
EntryAllPermission = []string{"entry:read", "entry:write"} EntryAllPermission = []string{PermissionGatewayEntryRead, PermissionGatewayEntryWrite}
RouterReadPermission = []string{"router:read"} RouterReadPermission = []string{PermissionGatewayRouterRead}
RouterAllPermission = []string{"router:read", "entry:write"} RouterAllPermission = []string{PermissionGatewayRouterRead, PermissionGatewayRouterWrite}
FlowReadPermission = []string{"flow:read"} FlowReadPermission = []string{PermissionGatewayFlowRead}
FlowAllPermission = []string{"flow:read", "flow:write"} FlowAllPermission = []string{PermissionGatewayFlowRead, PermissionGatewayFlowWrite}
IndexAllPermission = []string{"index:read"} IndexAllPermission = []string{"index:read"}
IndexReadPermission = []string{"index:read", "index:write"} IndexReadPermission = []string{"index:read", "index:write"}
ViewsAllPermission = []string{"views:read"} ViewsAllPermission = []string{PermissionViewRead}
ViewsReadPermission = []string{"views:read", "views:write"} ViewsReadPermission = []string{PermissionViewRead, PermissionViewWrite}
DiscoverReadPermission = []string{"discover:read"} DiscoverReadPermission = []string{PermissionViewRead}
DiscoverAllPermission = []string{"discover:read", "discover:write"} DiscoverAllPermission = []string{PermissionViewRead}
RuleReadPermission = []string{"rule:read"} RuleReadPermission = []string{PermissionAlertRuleRead}
RuleAllPermission = []string{"rule:read", "rule:write"} RuleAllPermission = []string{PermissionAlertRuleRead, PermissionAlertRuleWrite}
AlertReadPermission = []string{"alert:read"} AlertReadPermission = []string{PermissionAlertHistoryRead}
AlertAllPermission = []string{"alert:read", "alert:write"} AlertAllPermission = []string{PermissionAlertHistoryRead, PermissionAlertHistoryWrite}
ChannelReadPermission = []string{"channel:read"} ChannelReadPermission = []string{PermissionAlertChannelRead}
ChannelAllPermission = []string{"channel:read", "channel:write"} ChannelAllPermission = []string{PermissionAlertChannelRead, PermissionAlertChannelWrite}
ClusterOverviewReadPermission = []string{"clusterOverview:read"} ClusterOverviewReadPermission = []string{PermissionElasticsearchClusterRead, PermissionElasticsearchIndexRead, PermissionElasticsearchNodeRead, PermissionElasticsearchMetricRead}
ClusterOverviewAllPermission = []string{"clusterOverview:read", "clusterOverview:write"} ClusterOverviewAllPermission = ClusterOverviewReadPermission
MonitoringReadPermission = ClusterOverviewAllPermission
ElasticsearchReadPermission = []string{"elasticsearch:read"} ActivitiesReadPermission = []string{PermissionActivityRead}
ElasticsearchAllPermission = []string{"elasticsearch:read", "elasticsearch:write"} ActivitiesAllPermission = []string{PermissionActivityRead, PermissionActivityWrite}
ActivitiesReadPermission = []string{"activities:read"}
ActivitiesAllPermission = []string{"activities:read", "activities:write"}
) )
var AdminPrivilege = []string{ var AdminPrivilege = []string{
@ -101,7 +132,7 @@ var AdminPrivilege = []string{
InstanceAll, EntryAll, RouterAll, FlowAll, InstanceAll, EntryAll, RouterAll, FlowAll,
IndexAll, ViewsAll, DiscoverAll, IndexAll, ViewsAll, DiscoverAll,
RuleAll, AlertAll, ChannelAll, RuleAll, AlertAll, ChannelAll,
ClusterOverviewAll, ElasticsearchAll, ActivitiesAll, ClusterOverviewAll, MonitoringAll, ActivitiesAll,
} }
var BuildRoles = make(map[string]map[string]interface{}, 0) var BuildRoles = make(map[string]map[string]interface{}, 0)
@ -111,7 +142,7 @@ func init() {
BuildRoles["admin"] = map[string]interface{}{ BuildRoles["admin"] = map[string]interface{}{
"id": "admin", "id": "admin",
"name": "管理员", "name": "管理员",
"type": "console", "type": "platform",
"platform": AdminPrivilege, "platform": AdminPrivilege,
"builtin": true, "builtin": true,
"description": "is admin", "description": "is admin",
@ -152,8 +183,8 @@ func init() {
ClusterOverviewRead: ClusterOverviewReadPermission, ClusterOverviewRead: ClusterOverviewReadPermission,
ClusterOverviewAll: ClusterOverviewAllPermission, ClusterOverviewAll: ClusterOverviewAllPermission,
ElasticsearchAll: ElasticsearchAllPermission, MonitoringAll: MonitoringReadPermission,
ElasticsearchRead: ElasticsearchReadPermission, MonitoringRead: MonitoringReadPermission,
ActivitiesAll: ActivitiesAllPermission, ActivitiesAll: ActivitiesAllPermission,
ActivitiesRead: ActivitiesReadPermission, ActivitiesRead: ActivitiesReadPermission,
} }

1
internal/biz/permission.go
View File

@ -29,7 +29,6 @@ type RolePermission struct {
IndexPrivilege map[string][]string `json:"index_privilege"` IndexPrivilege map[string][]string `json:"index_privilege"`
} }
func ListElasticsearchPermission() interface{} { func ListElasticsearchPermission() interface{} {
list := ElasticsearchPermission{ list := ElasticsearchPermission{
ClusterPrivileges: ClusterApis, ClusterPrivileges: ClusterApis,

21
internal/biz/validate.go
View File

@ -191,7 +191,7 @@ func ValidateLogin(authorizationHeader string) (clams *UserClaims, err error) {
err = errors.New("user id is empty") err = errors.New("user id is empty")
return return
} }
fmt.Println("user token", clams.UserId, TokenMap[clams.UserId]) //fmt.Println("user token", clams.UserId, TokenMap[clams.UserId])
tokenVal, ok := TokenMap[clams.UserId] tokenVal, ok := TokenMap[clams.UserId]
if !ok { if !ok {
err = errors.New("token is invalid") err = errors.New("token is invalid")
@ -227,12 +227,6 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) {
if _, ok := RoleMap[role]; ok { if _, ok := RoleMap[role]; ok {
for _, v := range RoleMap[role].Privilege.Platform { for _, v := range RoleMap[role].Privilege.Platform {
userPermissions = append(userPermissions, v) userPermissions = append(userPermissions, v)
//all include read
if strings.Contains(v, "all") {
key := v[:len(v)-3] + "read"
userPermissions = append(userPermissions, key)
}
} }
} }
} }
@ -244,17 +238,12 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) {
} }
var count int
for _, v := range permissions { for _, v := range permissions {
if _, ok := userPermissionMap[v]; ok { if _, ok := userPermissionMap[v]; !ok {
count++ err = errors.New("permission denied")
continue return
} }
} }
if count == len(permissions) { return nil
return nil
}
err = errors.New("permission denied")
return
} }

149
internal/biz/validate_test.go
View File

@ -145,152 +145,3 @@ func TestStringInArray(t *testing.T) {
assert.Equal(t, true, util.StringInArray(array, "c")) assert.Equal(t, true, util.StringInArray(array, "c"))
assert.Equal(t, false, util.StringInArray(array, "h")) assert.Equal(t, false, util.StringInArray(array, "h"))
} }
func TestFilterCluster(t *testing.T) {
RoleMap["test"] = Role{
Cluster: []struct {
Id string `json:"id"`
Name string `json:"name"`
}{
{
Id: "c97rd2les10hml00pgh0",
Name: "docker-cluster",
},
},
ClusterPrivilege: []string{"cat.*"},
Index: []struct {
Name []string `json:"name"`
Privilege []string `json:"privilege"`
}{
{
Name: []string{".infini_rbac-role"},
Privilege: []string{"indices.get_mapping"},
},
{
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
Privilege: []string{"cat.*"},
},
},
}
type args struct {
roles []string
cluster []string
}
tests := []struct {
name string
args args
want []string
}{
{
name: "empty",
args: args{
roles: []string{"test"},
cluster: []string{
"cluser1", "cluster2",
},
},
want: []string{},
},
{
name: "one",
args: args{
roles: []string{"test"},
cluster: []string{
"cluser1", "cluster2", "c97rd2les10hml00pgh0",
},
},
want: []string{"c97rd2les10hml00pgh0"},
},
{
name: "only",
args: args{
roles: []string{"test"},
cluster: []string{
"c97rd2les10hml00pgh0",
},
},
want: []string{"c97rd2les10hml00pgh0"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := FilterCluster(tt.args.roles, tt.args.cluster)
assert.Equal(t, got, tt.want)
})
}
}
func TestFilterIndex(t *testing.T) {
RoleMap["test"] = Role{
Cluster: []struct {
Id string `json:"id"`
Name string `json:"name"`
}{
{
Id: "c97rd2les10hml00pgh0",
Name: "docker-cluster",
},
},
ClusterPrivilege: []string{"cat.*"},
Index: []struct {
Name []string `json:"name"`
Privilege []string `json:"privilege"`
}{
{
Name: []string{".infini_rbac-role"},
Privilege: []string{"indices.get_mapping"},
},
{
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
Privilege: []string{"cat.*"},
},
},
}
type args struct {
roles []string
index []string
}
tests := []struct {
name string
args args
want []string
}{
{
name: "empty",
args: args{
roles: []string{"test"},
index: []string{
"index1", "index2",
},
},
want: []string{},
},
{
name: "one",
args: args{
roles: []string{"test"},
index: []string{
"index1", "index2", ".infini_rbac-user",
},
},
want: []string{".infini_rbac-user"},
},
{
name: "only",
args: args{
roles: []string{"test"},
index: []string{
".infini_rbac-user",
},
},
want: []string{".infini_rbac-user"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := FilterIndex(tt.args.roles, tt.args.index)
assert.Equal(t, got, tt.want)
})
}
}