From c879a6aa9eb4e3d80833ba6040f98363d049cb08 Mon Sep 17 00:00:00 2001
From: xushuhui
Date: Mon, 25 Apr 2022 18:31:34 +0800
Subject: [PATCH] fix: (rbac) ValidateEsPermission
---
 internal/biz/account.go | 22 +++-------------
 internal/biz/permission.go | 7 +++++
 internal/biz/role.go | 38 +++++++++++++++++-----------
 internal/biz/validate.go | 52 ++++++++++++++++++--------------------
 4 files changed, 59 insertions(+), 60 deletions(-)
diff --git a/internal/biz/account.go b/internal/biz/account.go
index 47c313ed..ae23b002 100644
--- a/internal/biz/account.go
+++ b/internal/biz/account.go
@@ -6,7 +6,6 @@ import (
 "github.com/golang-jwt/jwt"
 "github.com/mitchellh/mapstructure"
 "golang.org/x/crypto/bcrypt"
- "infini.sh/console/internal/biz/enum"
 "infini.sh/console/internal/dto"
 "infini.sh/console/model/rbac"
 "infini.sh/framework/core/event"
@@ -85,23 +84,10 @@ func authenticateAdmin(username string, password string) (user Account, err erro
 func authorize(user Account) (m map[string]interface{}, err error) {
 var roles, privilege []string
- if user.Username == "admin" {
- roles = append(roles, "admin")
- privilege = append(privilege, enum.AdminPrivilege...)
- } else {
- for _, v := range user.Roles {
- roles = append(roles, v.Name)
-
- r, _ := GetRole(v.Id)
-
- privilege = append(privilege, r.Platform...)
- RoleMap[v.Name] = Role{
- Platform: r.Platform,
- Cluster: r.Cluster,
- ClusterPrivilege: r.ClusterPrivilege,
- Index: r.Index,
- }
- }
+ for _, v := range user.Roles {
+ role := RoleMap[v.Name]
+ roles = append(roles, v.Name)
+ privilege = append(privilege, role.Platform...)
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{
 User: &User{
diff --git a/internal/biz/permission.go b/internal/biz/permission.go
index 93f3a1f5..994a5aae 100644
--- a/internal/biz/permission.go
+++ b/internal/biz/permission.go
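Review bot: `role := RoleMap[v.Name]` in the new authorize loop silently yields a zero Role for any name absent from the map, so a user whose role was never loaded gets an empty privilege list with no error and no log, and nothing in this commit fills RoleMap any more (the GetRole call that populated it is removed and ListRoleByName in role.go is an empty stub), so unless the map is populated elsewhere every login will now produce empty privileges. Use the two-value lookup and fail explicitly, `role, ok := RoleMap[v.Name]` followed by `if !ok { return nil, fmt.Errorf("role %q is not loaded", v.Name) }` (adding the fmt import if account.go lacks it). The same unchecked lookup appears in CombineUserRoles in the last validate.go hunk of this patch. Dropping the hard-coded `admin` branch (fixed "admin" role plus enum.AdminPrivilege) is a behaviour change the subject line does not mention; if the admin account has no stored role it now receives no privileges, which the description should state.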
@@ -21,6 +21,13 @@ type Role struct {
 Privilege []string `json:"privilege"`
 } `json:"index,omitempty"`
 }
+type RolePermission struct {
+ Platform []string `json:"platform,omitempty"`
+ Cluster []string `json:"cluster"`
+ ClusterPrivilege []string `json:"cluster_privilege"`
+ Index []string `json:"index"`
+ IndexPrivilege []string `json:"index_privilege"`
+}
 type ConsolePermisson struct {
 Platform []Platform `json:"platform"`
 }
diff --git a/internal/biz/role.go b/internal/biz/role.go
index 05bd64fb..942a10df 100644
--- a/internal/biz/role.go
+++ b/internal/biz/role.go
@@ -23,7 +23,6 @@ type IRole interface {
 ListPermission() interface{}
 Create(localUser *User) (id string, err error)
 Update(localUser *User, model rbac.Role) (err error)
- //Delete(localUser *User, id string) (err error)
 }
 type ConsoleRole struct {
 Name string `json:"name"`
@@ -217,13 +216,15 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
 Name: "role",
 Type: "create",
 Labels: util.MapStr{
- "id": id,
- "name": role.Name,
- "description": role.Description,
-
- "type": role.RoleType,
- "created": newRole.Created.Format("2006-01-02 15:04:05"),
- "updated": newRole.Updated.Format("2006-01-02 15:04:05"),
+ "id": id,
+ "name": newRole.Name,
+ "description": newRole.Description,
+ "cluster": newRole.Cluster,
+ "index": newRole.Index,
+ "cluster_privilege": newRole.ClusterPrivilege,
+ "type": newRole.RoleType,
+ "created": newRole.Created.Format("2006-01-02 15:04:05"),
+ "updated": newRole.Updated.Format("2006-01-02 15:04:05"),
 },
 User: util.MapStr{
 "userid": localUser.UserId,
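Review bot: RolePermission is an exported type with no doc comment, and its flat `Index`/`IndexPrivilege` (and `Cluster`/`ClusterPrivilege`) lists cannot express which privileges apply to which index or cluster, whereas the `Role.Index` entries visible in the removed validateIndex code paired a `Name` list with its own `Privilege` list. CombineUserRoles in the last validate.go hunk fills these lists from every role a user holds and validateIndex in the first validate.go hunk checks the two sets independently, so (constructed example) a user with one role granting read on `logs-*` and another granting write on `audit` is treated as having write on both; the old validateIndex already merged entries within one role, but this shape makes the merge permanent and extends it across roles. If that widening is not intended, keep a per-target entry (for example a `map[string][]string` keyed by index name or cluster id) and have the validators look up the privilege set of the matched target. Either way, a doc comment such as `// RolePermission is the flattened union of permissions from all roles assigned to one user, as consumed by ValidateEsPermission.` would make the semantics explicit.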
@@ -261,13 +262,16 @@ func DeleteRole(localUser *User, id string) (err error) {
 "username": localUser.Username,
 },
 }, util.MapStr{
- "id": id,
- "name": role.Name,
- "description": role.Description,
- "platform": role.Platform,
- "type": role.RoleType,
- "created": role.Created.Format("2006-01-02 15:04:05"),
- "updated": role.Updated.Format("2006-01-02 15:04:05"),
+ "id": id,
+ "name": role.Name,
+ "description": role.Description,
+ "platform": role.Platform,
+ "cluster": role.Cluster,
+ "index": role.Index,
+ "cluster_privilege": role.ClusterPrivilege,
+ "type": role.RoleType,
+ "created": role.Created.Format("2006-01-02 15:04:05"),
+ "updated": role.Updated.Format("2006-01-02 15:04:05"),
 }, nil))
 return
@@ -283,6 +287,10 @@ func GetRole(id string) (role rbac.Role, err error) {
 }
 return
 }
+func ListRoleByName(names []string) (roles []rbac.Role, err error) {
+
+ return
+}
 func SearchRole(keyword string, from, size int) (roles orm.Result, err error) {
 query := orm.Query{}
diff --git a/internal/biz/validate.go b/internal/biz/validate.go
index 2020cdfa..1d46ccfa 100644
--- a/internal/biz/validate.go
+++ b/internal/biz/validate.go
@@ -31,7 +31,7 @@ func NewEsRequest(r *http.Request, ps httprouter.Params) EsRequest {
 Method: r.Method,
 }
 }
-func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
+func ValidateEsPermission(req EsRequest, userRole RolePermission) (err error) {
 route, err := EsApiRoutes.Handle(req.Method, req.Path)
 if err != nil {
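Review bot: ListRoleByName is exported but is an empty stub that ignores `names` and returns `(nil, nil)`, so a caller cannot distinguish "not implemented" from "no role matches" and will proceed with an empty role set; in an authorization path that fails closed, but silently, and the account.go hunk shows RoleMap now has no other loader. Until it is implemented, return an explicit error, `return nil, errors.New("ListRoleByName is not implemented")` (role.go's import block is outside this hunk, so `errors` may need adding), and give it a doc comment starting `// ListRoleByName returns ...` that states what is returned for names that do not exist. The extended DeleteRole audit labels above it now record the full role definition, which is useful for reconstructing a grant after the fact.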
@@ -47,18 +47,16 @@ func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
 err = validateCluster(req, userRole, route)
 return
 }
-func validateIndex(req EsRequest, userRole Role, route string) (err error) {
+func validateIndex(req EsRequest, userRole RolePermission, route string) (err error) {
 userIndexMap := make(map[string]struct{})
 privilegeMap := make(map[string]struct{})
- for _, val := range userRole.Index {
- for _, v := range val.Name {
- userIndexMap[v] = struct{}{}
- }
- for _, v := range val.Privilege {
- privilegeMap[v] = struct{}{}
- }
- }
+ for _, v := range userRole.Index {
+ userIndexMap[v] = struct{}{}
+ }
+ for _, v := range userRole.IndexPrivilege {
+ privilegeMap[v] = struct{}{}
+ }
 for _, v := range req.Index {
 if _, ok := userIndexMap[v]; !ok {
 err = errors.New("no index permission")
@@ -73,10 +71,10 @@ func validateIndex(req EsRequest, userRole Role, route string) (err error) {
 return
 }
-func validateCluster(req EsRequest, userRole Role, route string) (err error) {
+func validateCluster(req EsRequest, userRole RolePermission, route string) (err error) {
 userClusterMap := make(map[string]struct{})
 for _, v := range userRole.Cluster {
- userClusterMap[v.Id] = struct{}{}
+ userClusterMap[v] = struct{}{}
 }
 for _, v := range req.Cluster {
 if _, ok := userClusterMap[v]; !ok {
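Review bot: validateIndex admits a request only when every name in `req.Index` appears verbatim in `userRole.Index`; the `userIndexMap[v]` lookup does no pattern expansion, so a role listing for example `logs-*` does not cover a request for `logs-2022`, and `_all` or an alias only matches if the role lists that literal string. That fails closed, which is the right default for an authorization check, but the rule is stated nowhere; add `// validateIndex requires every index named in req.Index to appear verbatim in userRole.Index; no wildcard, alias or _all expansion is performed.` above the function. The use of privilegeMap against route is past the end of the hunk, as is the rest of validateIndex's body, so the privilege half of the contract should be confirmed before documenting it. The validateCluster hunk below applies the same exact-match rule to cluster ids and would take a matching one-line comment.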
@@ -85,28 +83,28 @@ func validateCluster(req EsRequest, userRole Role, route string) (err error) {
 }
 }
- tmp := make([]string, 0)
- for _, val := range userRole.ClusterPrivilege {
- for _, v := range val {
- tmp = append(tmp, v...)
- }
-
- }
- for _, v := range tmp {
+ for _, v := range userRole.ClusterPrivilege {
 if v == route {
 return nil
 }
 }
 return errors.New("no cluster api permission")
 }
-func CombineUserRoles(roleNames []string) Role {
- newRole := Role{}
+func CombineUserRoles(roleNames []string) RolePermission {
+ newRole := RolePermission{}
 for _, v := range roleNames {
- r := RoleMap[v]
- newRole.Cluster = append(newRole.Cluster, r.Cluster...)
- newRole.Platform = append(newRole.Platform, r.Platform...)
- newRole.Index = append(newRole.Index, r.Index...)
- newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, r.ClusterPrivilege...)
+ role := RoleMap[v]
+ for _, v := range role.Cluster {
+ newRole.Cluster = append(newRole.Cluster, v.Id)
+ }
+ for _, v := range role.Platform {
+ newRole.Platform = append(newRole.Platform, v)
+ }
+
+ for _, v := range role.Index {
+ newRole.Index = append(newRole.Index, v.Name...)
+ newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...)
+ }
 }
 return newRole
 }
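Review bot: The new CombineUserRoles never assigns `newRole.ClusterPrivilege`: the removed `newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, r.ClusterPrivilege...)` has no replacement, so the rewritten loop in validateCluster earlier in this hunk iterates an empty list and can only reach `errors.New("no cluster api permission")`, unless the field is set somewhere outside this patch. The removed validateCluster code shows the shape of `Role.ClusterPrivilege` (an outer collection whose elements are collections of `[]string`), so the flattening it performed belongs in CombineUserRoles; note that flattening also discards the grouping that shape carried, so a privilege granted on one cluster applies to every id in `newRole.Cluster`. As a point of style, the inner loops reuse `v` and shadow the role name from the outer `for _, v := range roleNames`, and the Platform loop is a one-element append that reduces to `newRole.Platform = append(newRole.Platform, role.Platform...)`.
```go
for _, name := range roleNames {
	role := RoleMap[name]
	for _, c := range role.Cluster {
		newRole.Cluster = append(newRole.Cluster, c.Id)
	}
	newRole.Platform = append(newRole.Platform, role.Platform...)
	// Same flattening the previous validateCluster applied to Role.ClusterPrivilege.
	for _, byCluster := range role.ClusterPrivilege {
		for _, privs := range byCluster {
			newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, privs...)
		}
	}
	// … unchanged: Index / IndexPrivilege loop …
}
```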