floraachy
/
console
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: (rbac) ValidateEsPermission

This commit is contained in:
xushuhui 2022-04-25 18:31:34 +08:00
parent c000596e66
commit c879a6aa9e
4 changed files with 59 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
internal/biz/account.go
View File

@ -6,7 +6,6 @@ import (
"github.com/golang-jwt/jwt" "github.com/golang-jwt/jwt"
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"infini.sh/console/internal/biz/enum"
"infini.sh/console/internal/dto" "infini.sh/console/internal/dto"
"infini.sh/console/model/rbac" "infini.sh/console/model/rbac"
"infini.sh/framework/core/event" "infini.sh/framework/core/event"
@ -85,23 +84,10 @@ func authenticateAdmin(username string, password string) (user Account, err erro
func authorize(user Account) (m map[string]interface{}, err error) { func authorize(user Account) (m map[string]interface{}, err error) {
var roles, privilege []string var roles, privilege []string
if user.Username == "admin" {
roles = append(roles, "admin")
privilege = append(privilege, enum.AdminPrivilege...)
} else {
for _, v := range user.Roles { for _, v := range user.Roles {
role := RoleMap[v.Name]
roles = append(roles, v.Name) roles = append(roles, v.Name)
privilege = append(privilege, role.Platform...)
r, _ := GetRole(v.Id)
privilege = append(privilege, r.Platform...)
RoleMap[v.Name] = Role{
Platform: r.Platform,
Cluster: r.Cluster,
ClusterPrivilege: r.ClusterPrivilege,
Index: r.Index,
}
}
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{ token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{
User: &User{ User: &User{

7
internal/biz/permission.go
View File

@ -21,6 +21,13 @@ type Role struct {
Privilege []string `json:"privilege"` Privilege []string `json:"privilege"`
} `json:"index,omitempty"` } `json:"index,omitempty"`
} }
type RolePermission struct {
Platform []string `json:"platform,omitempty"`
Cluster []string `json:"cluster"`
ClusterPrivilege []string `json:"cluster_privilege"`
Index []string `json:"index"`
IndexPrivilege []string `json:"index_privilege"`
}
type ConsolePermisson struct { type ConsolePermisson struct {
Platform []Platform `json:"platform"` Platform []Platform `json:"platform"`
} }

18
internal/biz/role.go
View File

@ -23,7 +23,6 @@ type IRole interface {
ListPermission() interface{} ListPermission() interface{}
Create(localUser *User) (id string, err error) Create(localUser *User) (id string, err error)
Update(localUser *User, model rbac.Role) (err error) Update(localUser *User, model rbac.Role) (err error)
//Delete(localUser *User, id string) (err error)
} }
type ConsoleRole struct { type ConsoleRole struct {
Name string `json:"name"` Name string `json:"name"`
@ -218,10 +217,12 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
Type: "create", Type: "create",
Labels: util.MapStr{ Labels: util.MapStr{
"id": id, "id": id,
"name": role.Name, "name": newRole.Name,
"description": role.Description, "description": newRole.Description,
"cluster": newRole.Cluster,
"type": role.RoleType, "index": newRole.Index,
"cluster_privilege": newRole.ClusterPrivilege,
"type": newRole.RoleType,
"created": newRole.Created.Format("2006-01-02 15:04:05"), "created": newRole.Created.Format("2006-01-02 15:04:05"),
"updated": newRole.Updated.Format("2006-01-02 15:04:05"), "updated": newRole.Updated.Format("2006-01-02 15:04:05"),
}, },
@ -265,6 +266,9 @@ func DeleteRole(localUser *User, id string) (err error) {
"name": role.Name, "name": role.Name,
"description": role.Description, "description": role.Description,
"platform": role.Platform, "platform": role.Platform,
"cluster": role.Cluster,
"index": role.Index,
"cluster_privilege": role.ClusterPrivilege,
"type": role.RoleType, "type": role.RoleType,
"created": role.Created.Format("2006-01-02 15:04:05"), "created": role.Created.Format("2006-01-02 15:04:05"),
"updated": role.Updated.Format("2006-01-02 15:04:05"), "updated": role.Updated.Format("2006-01-02 15:04:05"),
@ -283,6 +287,10 @@ func GetRole(id string) (role rbac.Role, err error) {
} }
return return
} }
func ListRoleByName(names []string) (roles []rbac.Role, err error) {
return
}
func SearchRole(keyword string, from, size int) (roles orm.Result, err error) { func SearchRole(keyword string, from, size int) (roles orm.Result, err error) {
query := orm.Query{} query := orm.Query{}

46
internal/biz/validate.go
View File

@ -31,7 +31,7 @@ func NewEsRequest(r *http.Request, ps httprouter.Params) EsRequest {
Method: r.Method, Method: r.Method,
} }
} }
func ValidateEsPermission(req EsRequest, userRole Role) (err error) { func ValidateEsPermission(req EsRequest, userRole RolePermission) (err error) {
route, err := EsApiRoutes.Handle(req.Method, req.Path) route, err := EsApiRoutes.Handle(req.Method, req.Path)
if err != nil { if err != nil {
@ -47,18 +47,16 @@ func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
err = validateCluster(req, userRole, route) err = validateCluster(req, userRole, route)
return return
} }
func validateIndex(req EsRequest, userRole Role, route string) (err error) { func validateIndex(req EsRequest, userRole RolePermission, route string) (err error) {
userIndexMap := make(map[string]struct{}) userIndexMap := make(map[string]struct{})
privilegeMap := make(map[string]struct{}) privilegeMap := make(map[string]struct{})
for _, val := range userRole.Index { for _, v := range userRole.Index {
for _, v := range val.Name {
userIndexMap[v] = struct{}{} userIndexMap[v] = struct{}{}
} }
for _, v := range val.Privilege { for _, v := range userRole.IndexPrivilege {
privilegeMap[v] = struct{}{} privilegeMap[v] = struct{}{}
} }
}
for _, v := range req.Index { for _, v := range req.Index {
if _, ok := userIndexMap[v]; !ok { if _, ok := userIndexMap[v]; !ok {
err = errors.New("no index permission") err = errors.New("no index permission")
@ -73,10 +71,10 @@ func validateIndex(req EsRequest, userRole Role, route string) (err error) {
return return
} }
func validateCluster(req EsRequest, userRole Role, route string) (err error) { func validateCluster(req EsRequest, userRole RolePermission, route string) (err error) {
userClusterMap := make(map[string]struct{}) userClusterMap := make(map[string]struct{})
for _, v := range userRole.Cluster { for _, v := range userRole.Cluster {
userClusterMap[v.Id] = struct{}{} userClusterMap[v] = struct{}{}
} }
for _, v := range req.Cluster { for _, v := range req.Cluster {
if _, ok := userClusterMap[v]; !ok { if _, ok := userClusterMap[v]; !ok {
@ -85,28 +83,28 @@ func validateCluster(req EsRequest, userRole Role, route string) (err error) {
} }
} }
tmp := make([]string, 0) for _, v := range userRole.ClusterPrivilege {
for _, val := range userRole.ClusterPrivilege {
for _, v := range val {
tmp = append(tmp, v...)
}
}
for _, v := range tmp {
if v == route { if v == route {
return nil return nil
} }
} }
return errors.New("no cluster api permission") return errors.New("no cluster api permission")
} }
func CombineUserRoles(roleNames []string) Role { func CombineUserRoles(roleNames []string) RolePermission {
newRole := Role{} newRole := RolePermission{}
for _, v := range roleNames { for _, v := range roleNames {
r := RoleMap[v] role := RoleMap[v]
newRole.Cluster = append(newRole.Cluster, r.Cluster...) for _, v := range role.Cluster {
newRole.Platform = append(newRole.Platform, r.Platform...) newRole.Cluster = append(newRole.Cluster, v.Id)
newRole.Index = append(newRole.Index, r.Index...) }
newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, r.ClusterPrivilege...) for _, v := range role.Platform {
newRole.Platform = append(newRole.Platform, v)
}
for _, v := range role.Index {
newRole.Index = append(newRole.Index, v.Name...)
newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...)
}
} }
return newRole return newRole
} }