185 lines
4.8 KiB
Go
185 lines
4.8 KiB
Go
package core
|
|
|
|
import (
|
|
rbac "infini.sh/console/core/security"
|
|
httprouter "infini.sh/framework/core/api/router"
|
|
"infini.sh/framework/core/radix"
|
|
"infini.sh/framework/core/util"
|
|
"net/http"
|
|
)
|
|
|
|
func (handler Handler) IndexRequired(h httprouter.Handle, route ...string) httprouter.Handle {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
|
if authEnabled {
|
|
claims, err := rbac.ValidateLogin(r.Header.Get("Authorization"))
|
|
if err != nil {
|
|
handler.WriteError(w, err.Error(), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
newRole := rbac.CombineUserRoles(claims.Roles)
|
|
|
|
indexReq := rbac.NewIndexRequest(ps, route)
|
|
|
|
err = rbac.ValidateIndex(indexReq, newRole)
|
|
if err != nil {
|
|
handler.WriteError(w, err.Error(), http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
h(w, r, ps)
|
|
}
|
|
}
|
|
|
|
func (handler Handler) ClusterRequired(h httprouter.Handle, route ...string) httprouter.Handle {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
|
|
|
if authEnabled {
|
|
claims, err := rbac.ValidateLogin(r.Header.Get("Authorization"))
|
|
if err != nil {
|
|
handler.WriteError(w, err.Error(), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
//newRole := biz.CombineUserRoles(claims.Roles)
|
|
clusterReq := rbac.NewClusterRequest(ps, route)
|
|
newRole := rbac.CombineUserRoles(claims.Roles)
|
|
err = rbac.ValidateCluster(clusterReq, newRole)
|
|
if err != nil {
|
|
handler.WriteError(w, err.Error(), http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
h(w, r, ps)
|
|
}
|
|
}
|
|
|
|
func (handler Handler) GetClusterFilter(r *http.Request, field string) (util.MapStr, bool) {
|
|
if !IsAuthEnable() {
|
|
return nil, true
|
|
}
|
|
hasAllPrivilege, clusterIds := rbac.GetCurrentUserCluster(r)
|
|
if hasAllPrivilege {
|
|
return nil, true
|
|
}
|
|
if len(clusterIds) == 0 {
|
|
return nil, false
|
|
}
|
|
return util.MapStr{
|
|
"terms": util.MapStr{
|
|
field: clusterIds,
|
|
},
|
|
}, false
|
|
}
|
|
func (handler Handler) GetAllowedClusters(r *http.Request) ([]string, bool) {
|
|
if !IsAuthEnable() {
|
|
return nil, true
|
|
}
|
|
hasAllPrivilege, clusterIds := rbac.GetCurrentUserCluster(r)
|
|
return clusterIds, hasAllPrivilege
|
|
}
|
|
|
|
func (handler Handler) GetAllowedIndices(r *http.Request, clusterID string) ([]string, bool) {
|
|
if !IsAuthEnable() {
|
|
return nil, true
|
|
}
|
|
hasAllPrivilege, indices := handler.GetCurrentUserClusterIndex(r, clusterID)
|
|
if hasAllPrivilege {
|
|
return nil, true
|
|
}
|
|
return indices, false
|
|
}
|
|
|
|
func (handler Handler) IsIndexAllowed(r *http.Request, clusterID string, indexName string) bool {
|
|
if !IsAuthEnable() {
|
|
return true
|
|
}
|
|
hasAllPrivilege, indices := handler.GetCurrentUserClusterIndex(r, clusterID)
|
|
if hasAllPrivilege {
|
|
return true
|
|
}
|
|
if len(indices) == 0 {
|
|
return false
|
|
}
|
|
return radix.Compile(indices...).Match(indexName)
|
|
}
|
|
|
|
func (handler Handler) ValidateProxyRequest(req *http.Request, clusterID string) (bool, string, error) {
|
|
if !IsAuthEnable() {
|
|
return false, "", nil
|
|
}
|
|
claims, err := rbac.ValidateLogin(req.Header.Get("Authorization"))
|
|
if err != nil {
|
|
return false, "", err
|
|
}
|
|
if util.StringInArray(claims.Roles, rbac.RoleAdminName) {
|
|
return true, "", nil
|
|
}
|
|
|
|
permission, params, matched := rbac.SearchAPIPermission("elasticsearch", req.Method, req.URL.Path)
|
|
if matched && permission != "" {
|
|
|
|
newRole := rbac.CombineUserRoles(claims.Roles)
|
|
if indexName, ok := params["index_name"]; ok {
|
|
|
|
indexReq := rbac.IndexRequest{
|
|
Cluster: clusterID,
|
|
Index: indexName,
|
|
Privilege: []string{permission},
|
|
}
|
|
|
|
err = rbac.ValidateIndex(indexReq, newRole)
|
|
if err != nil {
|
|
return false, permission, err
|
|
}
|
|
} else {
|
|
clusterReq := rbac.ClusterRequest{
|
|
Cluster: clusterID,
|
|
Privilege: []string{permission},
|
|
}
|
|
err = rbac.ValidateCluster(clusterReq, newRole)
|
|
if err != nil {
|
|
return false, permission, err
|
|
}
|
|
}
|
|
}
|
|
return false, permission, nil
|
|
}
|
|
|
|
func (handler Handler) GetCurrentUserIndex(req *http.Request) (bool, map[string][]string) {
|
|
if !IsAuthEnable() {
|
|
return true, nil
|
|
}
|
|
ctxVal := req.Context().Value("user")
|
|
if userClaims, ok := ctxVal.(*rbac.UserClaims); ok {
|
|
roles := userClaims.Roles
|
|
var realIndex = map[string][]string{}
|
|
for _, roleName := range roles {
|
|
role, ok := rbac.RoleMap[roleName]
|
|
if ok {
|
|
for _, ic := range role.Privilege.Elasticsearch.Cluster.Resources {
|
|
for _, ip := range role.Privilege.Elasticsearch.Index {
|
|
if ic.ID == "*" && util.StringInArray(ip.Name, "*") {
|
|
return true, nil
|
|
}
|
|
realIndex[ic.ID] = append(realIndex[ic.ID], ip.Name...)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return false, realIndex
|
|
}
|
|
return false, nil
|
|
}
|
|
|
|
func (handler Handler) GetCurrentUserClusterIndex(req *http.Request, clusterID string) (bool, []string) {
|
|
ctxVal := req.Context().Value("user")
|
|
if userClaims, ok := ctxVal.(*rbac.UserClaims); ok {
|
|
return rbac.GetRoleIndex(userClaims.Roles, clusterID)
|
|
} else {
|
|
panic("user context value not found")
|
|
}
|
|
}
|