fix: (rbac) ValidateEsPermission

internal/biz/account.go

@@ -6,7 +6,6 @@ import (
 	"github.com/golang-jwt/jwt"
 	"github.com/mitchellh/mapstructure"
 	"golang.org/x/crypto/bcrypt"
-	"infini.sh/console/internal/biz/enum"
 	"infini.sh/console/internal/dto"
 	"infini.sh/console/model/rbac"
 	"infini.sh/framework/core/event"
@@ -85,23 +84,10 @@ func authenticateAdmin(username string, password string) (user Account, err erro
 func authorize(user Account) (m map[string]interface{}, err error) {
 
 	var roles, privilege []string
-	if user.Username == "admin" {
+	for _, v := range user.Roles {
-		roles = append(roles, "admin")
+		role := RoleMap[v.Name]
-		privilege = append(privilege, enum.AdminPrivilege...)
+		roles = append(roles, v.Name)
-	} else {
+		privilege = append(privilege, role.Platform...)
-		for _, v := range user.Roles {
-			roles = append(roles, v.Name)
-
-			r, _ := GetRole(v.Id)
-
-			privilege = append(privilege, r.Platform...)
-			RoleMap[v.Name] = Role{
-				Platform:         r.Platform,
-				Cluster:          r.Cluster,
-				ClusterPrivilege: r.ClusterPrivilege,
-				Index:            r.Index,
-			}
-		}
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{
 		User: &User{

internal/biz/permission.go

@@ -21,6 +21,13 @@ type Role struct {
 		Privilege []string `json:"privilege"`
 	} `json:"index,omitempty"`
 }
+type RolePermission struct {
+	Platform         []string `json:"platform,omitempty"`
+	Cluster          []string `json:"cluster"`
+	ClusterPrivilege []string `json:"cluster_privilege"`
+	Index            []string `json:"index"`
+	IndexPrivilege   []string `json:"index_privilege"`
+}
 type ConsolePermisson struct {
 	Platform []Platform `json:"platform"`
 }

internal/biz/role.go

@@ -23,7 +23,6 @@ type IRole interface {
 	ListPermission() interface{}
 	Create(localUser *User) (id string, err error)
 	Update(localUser *User, model rbac.Role) (err error)
-	//Delete(localUser *User, id string) (err error)
 }
 type ConsoleRole struct {
 	Name        string   `json:"name"`
@@ -217,13 +216,15 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
 		Name:     "role",
 		Type:     "create",
 		Labels: util.MapStr{
-			"id":          id,
+			"id":                id,
-			"name":        role.Name,
+			"name":              newRole.Name,
-			"description": role.Description,
+			"description":       newRole.Description,
-
+			"cluster":           newRole.Cluster,
-			"type":    role.RoleType,
+			"index":             newRole.Index,
-			"created": newRole.Created.Format("2006-01-02 15:04:05"),
+			"cluster_privilege": newRole.ClusterPrivilege,
-			"updated": newRole.Updated.Format("2006-01-02 15:04:05"),
+			"type":              newRole.RoleType,
+			"created":           newRole.Created.Format("2006-01-02 15:04:05"),
+			"updated":           newRole.Updated.Format("2006-01-02 15:04:05"),
 		},
 		User: util.MapStr{
 			"userid":   localUser.UserId,
@@ -261,13 +262,16 @@ func DeleteRole(localUser *User, id string) (err error) {
 			"username": localUser.Username,
 		},
 	}, util.MapStr{
-		"id":          id,
+		"id":                id,
-		"name":        role.Name,
+		"name":              role.Name,
-		"description": role.Description,
+		"description":       role.Description,
-		"platform":    role.Platform,
+		"platform":          role.Platform,
-		"type":        role.RoleType,
+		"cluster":           role.Cluster,
-		"created":     role.Created.Format("2006-01-02 15:04:05"),
+		"index":             role.Index,
-		"updated":     role.Updated.Format("2006-01-02 15:04:05"),
+		"cluster_privilege": role.ClusterPrivilege,
+		"type":              role.RoleType,
+		"created":           role.Created.Format("2006-01-02 15:04:05"),
+		"updated":           role.Updated.Format("2006-01-02 15:04:05"),
 	}, nil))
 
 	return
@@ -283,6 +287,10 @@ func GetRole(id string) (role rbac.Role, err error) {
 	}
 	return
 }
+func ListRoleByName(names []string) (roles []rbac.Role, err error) {
+
+	return
+}
 func SearchRole(keyword string, from, size int) (roles orm.Result, err error) {
 
 	query := orm.Query{}

internal/biz/validate.go

@@ -31,7 +31,7 @@ func NewEsRequest(r *http.Request, ps httprouter.Params) EsRequest {
 		Method:  r.Method,
 	}
 }
-func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
+func ValidateEsPermission(req EsRequest, userRole RolePermission) (err error) {
 
 	route, err := EsApiRoutes.Handle(req.Method, req.Path)
 	if err != nil {
@@ -47,18 +47,16 @@ func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
 	err = validateCluster(req, userRole, route)
 	return
 }
-func validateIndex(req EsRequest, userRole Role, route string) (err error) {
+func validateIndex(req EsRequest, userRole RolePermission, route string) (err error) {
 	userIndexMap := make(map[string]struct{})
 	privilegeMap := make(map[string]struct{})
-	for _, val := range userRole.Index {
+	for _, v := range userRole.Index {
-		for _, v := range val.Name {
+		userIndexMap[v] = struct{}{}
-			userIndexMap[v] = struct{}{}
-		}
-		for _, v := range val.Privilege {
-			privilegeMap[v] = struct{}{}
-		}
-	}
 
+	}
+	for _, v := range userRole.IndexPrivilege {
+		privilegeMap[v] = struct{}{}
+	}
 	for _, v := range req.Index {
 		if _, ok := userIndexMap[v]; !ok {
 			err = errors.New("no index permission")
@@ -73,10 +71,10 @@ func validateIndex(req EsRequest, userRole Role, route string) (err error) {
 
 	return
 }
-func validateCluster(req EsRequest, userRole Role, route string) (err error) {
+func validateCluster(req EsRequest, userRole RolePermission, route string) (err error) {
 	userClusterMap := make(map[string]struct{})
 	for _, v := range userRole.Cluster {
-		userClusterMap[v.Id] = struct{}{}
+		userClusterMap[v] = struct{}{}
 	}
 	for _, v := range req.Cluster {
 		if _, ok := userClusterMap[v]; !ok {
@@ -85,28 +83,28 @@ func validateCluster(req EsRequest, userRole Role, route string) (err error) {
 		}
 	}
 
-	tmp := make([]string, 0)
+	for _, v := range userRole.ClusterPrivilege {
-	for _, val := range userRole.ClusterPrivilege {
-		for _, v := range val {
-			tmp = append(tmp, v...)
-		}
-
-	}
-	for _, v := range tmp {
 		if v == route {
 			return nil
 		}
 	}
 	return errors.New("no cluster api permission")
 }
-func CombineUserRoles(roleNames []string) Role {
+func CombineUserRoles(roleNames []string) RolePermission {
-	newRole := Role{}
+	newRole := RolePermission{}
 	for _, v := range roleNames {
-		r := RoleMap[v]
+		role := RoleMap[v]
-		newRole.Cluster = append(newRole.Cluster, r.Cluster...)
+		for _, v := range role.Cluster {
-		newRole.Platform = append(newRole.Platform, r.Platform...)
+			newRole.Cluster = append(newRole.Cluster, v.Id)
-		newRole.Index = append(newRole.Index, r.Index...)
+		}
-		newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, r.ClusterPrivilege...)
+		for _, v := range role.Platform {
+			newRole.Platform = append(newRole.Platform, v)
+		}
+
+		for _, v := range role.Index {
+			newRole.Index = append(newRole.Index, v.Name...)
+			newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...)
+		}
 	}
 	return newRole
 }