fix: (rbac) ValidateEsPermission

xushuhui 2022-04-25 18:31:34 +08:00
parent c000596e66
commit c879a6aa9e
4 changed files with 59 additions and 60 deletions


@ -6,7 +6,6 @@ import (
"github.com/golang-jwt/jwt"
"github.com/mitchellh/mapstructure"
"golang.org/x/crypto/bcrypt"
"infini.sh/console/internal/biz/enum"
"infini.sh/console/internal/dto"
"infini.sh/console/model/rbac"
"infini.sh/framework/core/event"
@ -85,23 +84,10 @@ func authenticateAdmin(username string, password string) (user Account, err erro
func authorize(user Account) (m map[string]interface{}, err error) {
var roles, privilege []string
if user.Username == "admin" {
roles = append(roles, "admin")
privilege = append(privilege, enum.AdminPrivilege...)
} else {
for _, v := range user.Roles {
role := RoleMap[v.Name]
roles = append(roles, v.Name)
r, _ := GetRole(v.Id)
privilege = append(privilege, r.Platform...)
RoleMap[v.Name] = Role{
Platform: r.Platform,
Cluster: r.Cluster,
ClusterPrivilege: r.ClusterPrivilege,
Index: r.Index,
}
}
privilege = append(privilege, role.Platform...)
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, UserClaims{
User: &User{
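Review bot: The admin branch no longer appends `enum.AdminPrivilege` to `privilege` (the `enum` import is dropped in the first hunk), so unless the admin's platform privileges are populated further down — the rest of `authorize` and the claims construction lie outside this hunk — the admin token is issued with an empty privilege list, which would break admin access rather than open anything up. In the non-admin branch, `role := RoleMap[v.Name]` silently yields a zero `Role` for a name that is missing from the package-level map, so a user whose role has not been loaded gets no privileges with no trace of why; consider `role, ok := RoleMap[v.Name]` and a warning on `!ok` with whatever logger this file uses. It is also worth confirming that `RoleMap` is refreshed when a role is updated or deleted, since the token now encodes the cached platform privileges rather than the stored role the old `GetRole(v.Id)` call fetched.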


@ -21,6 +21,13 @@ type Role struct {
Privilege []string `json:"privilege"`
} `json:"index,omitempty"`
}
type RolePermission struct {
Platform []string `json:"platform,omitempty"`
Cluster []string `json:"cluster"`
ClusterPrivilege []string `json:"cluster_privilege"`
Index []string `json:"index"`
IndexPrivilege []string `json:"index_privilege"`
}
type ConsolePermisson struct {
Platform []Platform `json:"platform"`
}
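Review bot: `RolePermission` is an exported type with no doc comment, and its `Index` and `IndexPrivilege` fields are parallel flat slices, so nothing in the type records which privileges belong to which index name; a reader cannot tell from the struct whether that decoupling is intended. A comment such as `// RolePermission is the flattened union of a user's roles as consumed by ValidateEsPermission; Index and IndexPrivilege are independent sets, not pairs.` would at least make the semantics explicit. The `omitempty` on `Platform` alone is also inconsistent with the sibling fields.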


@ -23,7 +23,6 @@ type IRole interface {
ListPermission() interface{}
Create(localUser *User) (id string, err error)
Update(localUser *User, model rbac.Role) (err error)
//Delete(localUser *User, id string) (err error)
}
type ConsoleRole struct {
Name string `json:"name"`
@ -218,10 +217,12 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) {
Type: "create",
Labels: util.MapStr{
"id": id,
"name": role.Name,
"description": role.Description,
"type": role.RoleType,
"name": newRole.Name,
"description": newRole.Description,
"cluster": newRole.Cluster,
"index": newRole.Index,
"cluster_privilege": newRole.ClusterPrivilege,
"type": newRole.RoleType,
"created": newRole.Created.Format("2006-01-02 15:04:05"),
"updated": newRole.Updated.Format("2006-01-02 15:04:05"),
},
@ -265,6 +266,9 @@ func DeleteRole(localUser *User, id string) (err error) {
"name": role.Name,
"description": role.Description,
"platform": role.Platform,
"cluster": role.Cluster,
"index": role.Index,
"cluster_privilege": role.ClusterPrivilege,
"type": role.RoleType,
"created": role.Created.Format("2006-01-02 15:04:05"),
"updated": role.Updated.Format("2006-01-02 15:04:05"),
@ -283,6 +287,10 @@ func GetRole(id string) (role rbac.Role, err error) {
}
return
}
func ListRoleByName(names []string) (roles []rbac.Role, err error) {
return
}
func SearchRole(keyword string, from, size int) (roles orm.Result, err error) {
query := orm.Query{}
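Review bot: `ListRoleByName` is added as a stub that returns `(nil, nil)` for any input, so a caller sees "this user has no roles" rather than "not implemented" and cannot tell the difference; wired into authorization before it is finished it fails closed, but silently. Until it is implemented, returning an explicit error, e.g. `return nil, errors.New("ListRoleByName: not implemented")` (with `errors` imported if this file does not already have it), or at least a `// TODO: not implemented — always returns no roles` comment, makes the state obvious. The `names` parameter is otherwise unused.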


@ -31,7 +31,7 @@ func NewEsRequest(r *http.Request, ps httprouter.Params) EsRequest {
Method: r.Method,
}
}
func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
func ValidateEsPermission(req EsRequest, userRole RolePermission) (err error) {
route, err := EsApiRoutes.Handle(req.Method, req.Path)
if err != nil {
@ -47,18 +47,16 @@ func ValidateEsPermission(req EsRequest, userRole Role) (err error) {
err = validateCluster(req, userRole, route)
return
}
func validateIndex(req EsRequest, userRole Role, route string) (err error) {
func validateIndex(req EsRequest, userRole RolePermission, route string) (err error) {
userIndexMap := make(map[string]struct{})
privilegeMap := make(map[string]struct{})
for _, val := range userRole.Index {
for _, v := range val.Name {
for _, v := range userRole.Index {
userIndexMap[v] = struct{}{}
}
for _, v := range val.Privilege {
for _, v := range userRole.IndexPrivilege {
privilegeMap[v] = struct{}{}
}
}
for _, v := range req.Index {
if _, ok := userIndexMap[v]; !ok {
err = errors.New("no index permission")
@ -73,10 +71,10 @@ func validateIndex(req EsRequest, userRole Role, route string) (err error) {
return
}
func validateCluster(req EsRequest, userRole Role, route string) (err error) {
func validateCluster(req EsRequest, userRole RolePermission, route string) (err error) {
userClusterMap := make(map[string]struct{})
for _, v := range userRole.Cluster {
userClusterMap[v.Id] = struct{}{}
userClusterMap[v] = struct{}{}
}
for _, v := range req.Cluster {
if _, ok := userClusterMap[v]; !ok {
@ -85,28 +83,28 @@ func validateCluster(req EsRequest, userRole Role, route string) (err error) {
}
}
tmp := make([]string, 0)
for _, val := range userRole.ClusterPrivilege {
for _, v := range val {
tmp = append(tmp, v...)
}
}
for _, v := range tmp {
for _, v := range userRole.ClusterPrivilege {
if v == route {
return nil
}
}
return errors.New("no cluster api permission")
}
func CombineUserRoles(roleNames []string) Role {
newRole := Role{}
func CombineUserRoles(roleNames []string) RolePermission {
newRole := RolePermission{}
for _, v := range roleNames {
r := RoleMap[v]
newRole.Cluster = append(newRole.Cluster, r.Cluster...)
newRole.Platform = append(newRole.Platform, r.Platform...)
newRole.Index = append(newRole.Index, r.Index...)
newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, r.ClusterPrivilege...)
role := RoleMap[v]
for _, v := range role.Cluster {
newRole.Cluster = append(newRole.Cluster, v.Id)
}
for _, v := range role.Platform {
newRole.Platform = append(newRole.Platform, v)
}
for _, v := range role.Index {
newRole.Index = append(newRole.Index, v.Name...)
newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...)
}
}
return newRole
}
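Review bot: `CombineUserRoles` flattens every role's index entries into two independent slices (`newRole.Index` collects all names, `newRole.IndexPrivilege` all privileges), and `validateIndex` builds `userIndexMap` and `privilegeMap` from them separately, so — assuming the tail of `validateIndex`, which lies outside this hunk, tests `route` against `privilegeMap` as the map's construction suggests — the binding between an index and the privileges a role grants on it is lost. A user holding one role with `read` on index A and another with `delete` on index B would pass a delete on A; that is a privilege-broadening bug, and it also applies within a single role that has several index entries. The fix is structural: give `RolePermission` an index-keyed privilege map in place of the parallel `Index`/`IndexPrivilege` slices, merge per index name in `CombineUserRoles`, and validate each requested index against its own privilege set, as sketched below. The per-index failure message mirrors the one `validateCluster` already uses; exact-match lookup is kept, so index patterns, if roles use them, still need separate handling.
```go
// CombineUserRoles: keep each index bound to the privileges its role grants on it
// (requires RolePermission.IndexPrivilege to become map[string][]string).
newRole := RolePermission{IndexPrivilege: map[string][]string{}}
// … unchanged: Cluster / Platform merging …
for _, v := range role.Index {
	for _, name := range v.Name {
		newRole.IndexPrivilege[name] = append(newRole.IndexPrivilege[name], v.Privilege...)
	}
}

func validateIndex(req EsRequest, userRole RolePermission, route string) (err error) {
	for _, idx := range req.Index {
		privs, ok := userRole.IndexPrivilege[idx]
		if !ok {
			return errors.New("no index permission")
		}
		allowed := false
		for _, p := range privs {
			if p == route {
				allowed = true
				break
			}
		}
		if !allowed {
			return errors.New("no index api permission")
		}
	}
	return nil
}
```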