console/internal/biz/validate.go

138 lines
3.2 KiB
Go

package biz
import (
"errors"
httprouter "infini.sh/framework/core/api/router"
"infini.sh/framework/core/util"
"strings"
)
type EsRequest struct {
Doc string `json:"doc"`
Privilege string `json:"privilege"`
ClusterRequest
IndexRequest
}
type ClusterRequest struct {
Cluster []string `json:"cluster"`
Privilege []string `json:"privilege"`
}
type IndexRequest struct {
Cluster []string `json:"cluster"`
Index []string `json:"index"`
Privilege []string `json:"privilege"`
}
func NewIndexRequest(ps httprouter.Params, privilege []string) IndexRequest {
index := ps.ByName("index")
clusterId := ps.ByName("id")
return IndexRequest{
Cluster: []string{clusterId},
Index: []string{index},
Privilege: privilege,
}
}
func NewClusterRequest(ps httprouter.Params, privilege []string) ClusterRequest {
clusterId := ps.ByName("id")
return ClusterRequest{
Cluster: []string{clusterId},
Privilege: privilege,
}
}
func ValidateIndex(req IndexRequest, userRole RolePermission) (err error) {
userClusterMap := make(map[string]struct{})
for _, v := range userRole.Cluster {
userClusterMap[v] = struct{}{}
}
for _, v := range req.Cluster {
if _, ok := userClusterMap[v]; !ok {
err = errors.New("no cluster permission")
return
}
}
for _, val := range req.Privilege {
position := strings.Index(val, ".")
if position == -1 {
err = errors.New("invalid privilege parmeter")
return err
}
prefix := val[:position]
for _, v := range req.Index {
privilege, ok := userRole.IndexPrivilege[v]
if !ok {
err = errors.New("no index permission")
return err
}
if util.StringInArray(privilege, prefix+".*") {
return nil
}
if util.StringInArray(privilege, val) {
return nil
}
}
}
return errors.New("no index api permission")
}
func ValidateCluster(req ClusterRequest, userRole RolePermission) (err error) {
userClusterMap := make(map[string]struct{})
for _, v := range userRole.Cluster {
userClusterMap[v] = struct{}{}
}
for _, v := range req.Cluster {
if _, ok := userClusterMap[v]; !ok {
err = errors.New("no cluster permission")
return
}
}
// if include api.* for example: cat.* , return nil
for _, privilege := range req.Privilege {
prefix := privilege[:strings.Index(privilege, ".")]
if util.StringInArray(userRole.ClusterPrivilege, prefix+".*") {
return nil
}
if util.StringInArray(userRole.ClusterPrivilege, privilege) {
return nil
}
}
return errors.New("no cluster api permission")
}
func CombineUserRoles(roleNames []string) RolePermission {
newRole := RolePermission{}
m := make(map[string][]string)
for _, val := range roleNames {
role := RoleMap[val]
for _, v := range role.Cluster {
newRole.Cluster = append(newRole.Cluster, v.Id)
}
for _, v := range role.ClusterPrivilege {
newRole.ClusterPrivilege = append(newRole.ClusterPrivilege, v)
}
for _, v := range role.Platform {
newRole.Platform = append(newRole.Platform, v)
}
for _, v := range role.Index {
for _, name := range v.Name {
if _, ok := m[name]; ok {
m[name] = append(m[name], v.Privilege...)
} else {
m[name] = v.Privilege
}
}
}
}
newRole.IndexPrivilege = m
return newRole
}