feat : custom仓库支持本地权限校验 TencentBlueKing#1905

felixncheng · Apr 1, 2024 · ce16e97 · ce16e97
1 parent 8e7199a
commit ce16e97
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 23 deletions.
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt
@@ -38,39 +38,51 @@ import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
 import com.tencent.bkrepo.auth.pojo.user.UserInfo
 import com.tencent.bkrepo.auth.service.PermissionService
+import com.tencent.bkrepo.common.api.constant.ADMIN_USER
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
 import com.tencent.bkrepo.common.api.message.CommonMessageCode
 import com.tencent.bkrepo.common.security.util.SecurityUtils
+import com.tencent.bkrepo.common.service.util.HttpContextHolder
 import org.slf4j.LoggerFactory
 
 open class OpenResource(private val permissionService: PermissionService) {
 
     /**
      * the userContext should equal userId or be admin
+     * only use in user api
      */
     fun preCheckContextUser(userId: String) {
         val userContext = SecurityUtils.getUserId()
-        if (!SecurityUtils.isAdmin() && userContext.isNotEmpty() && userContext != userId) {
+        if (!isAdminFromApi() && userContext.isNotEmpty() && userContext != userId) {
             logger.warn("user not match [$userContext, $userId]")
             throw ErrorCodeException(AuthMessageCode.AUTH_USER_FORAUTH_NOT_PERM)
         }
     }
 
+    /**
+     * 是否系统管理员
+     * 限定在auth服务api请求时使用
+     */
+    fun isAdminFromApi(): Boolean {
+        return HttpContextHolder.getRequestOrNull()?.getAttribute(ADMIN_USER) as? Boolean ?: false
+    }
+
     /**
      *  userId's assetUsers contain userContext or userContext be admin
      */
     fun preCheckUserOrAssetUser(userId: String, users: List<UserInfo>) {
-        if (!users.any { userInfo -> userInfo.userId.equals(userId) }) {
+        if (!users.any { userInfo -> userInfo.userId == userId }) {
             preCheckContextUser(userId)
         }
     }
 
     /**
      * the userContext should be admin
+     * only use in user api
      */
     fun preCheckUserAdmin() {
         val userContext = SecurityUtils.getUserId()
-        if (!SecurityUtils.isAdmin()) {
+        if (!isAdminFromApi()) {
             logger.warn("user not match admin [$userContext]")
             throw ErrorCodeException(AuthMessageCode.AUTH_USER_FORAUTH_NOT_PERM)
         }
@@ -181,4 +193,4 @@ open class OpenResource(private val permissionService: PermissionService) {
     companion object {
         private val logger = LoggerFactory.getLogger(OpenResource::class.java)
     }
-}
+}
diff --git a/...uth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt b/...uth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt
@@ -81,7 +81,7 @@ class DevopsPermissionServiceImpl constructor(
 
     override fun listPermissionRepo(projectId: String, userId: String, appId: String?): List<String> {
         // 用户为系统管理员，或者当前项目管理员
-        if (isUserSystemAdmin() || isUserLocalProjectAdmin(userId, projectId)
+        if (isUserSystemAdmin(userId) || isUserLocalProjectAdmin(userId, projectId)
             || isDevopsProjectMember(userId, projectId, READ.name)
         ) return getAllRepoByProjectId(projectId)
 
@@ -137,7 +137,7 @@ class DevopsPermissionServiceImpl constructor(
         with(request) {
             logger.debug("check devops permission request [$request]")
 
-            if (isUserSystemAdmin()) return true
+            if (isUserSystemAdmin(uid)) return true
 
             //user is not local admin, not in project
             if (projectId == null) return false
@@ -268,4 +268,4 @@ class DevopsPermissionServiceImpl constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(DevopsPermissionServiceImpl::class.java)
     }
-}
+}
diff --git a/...h/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt b/...h/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
@@ -64,7 +64,6 @@ import com.tencent.bkrepo.auth.util.RequestUtil
 import com.tencent.bkrepo.auth.util.request.PermRequestUtil
 import com.tencent.bkrepo.common.api.constant.ANONYMOUS_USER
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
-import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.repository.api.ProjectClient
 import com.tencent.bkrepo.repository.api.RepositoryClient
 import org.slf4j.LoggerFactory
@@ -294,7 +293,7 @@ open class PermissionServiceImpl constructor(
 
     override fun listNoPermissionPath(userId: String, projectId: String, repoName: String): List<String> {
         val user = userDao.findFirstByUserId(userId) ?: return emptyList()
-        if (isUserSystemAdmin() || isUserLocalProjectAdmin(userId, projectId)) {
+        if (user.admin || isUserLocalProjectAdmin(userId, projectId)) {
             return emptyList()
         }
         val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
@@ -361,8 +360,9 @@ open class PermissionServiceImpl constructor(
         return permHelper.isUserLocalProjectUser(userId, projectId)
     }
 
-    fun isUserSystemAdmin(): Boolean {
-        return SecurityUtils.isAdmin()
+    fun isUserSystemAdmin(userId: String): Boolean {
+        val user = userDao.findFirstByUserId(userId) ?: return false
+        return user.admin
     }
 
     fun checkNodeAction(request: CheckPermissionRequest, userRoles: List<String>?, isProjectUser: Boolean): Boolean {
@@ -377,4 +377,4 @@ open class PermissionServiceImpl constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(PermissionServiceImpl::class.java)
     }
-}
+}
diff --git a/...nd/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt b/...nd/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt
@@ -314,7 +314,6 @@ class UserServiceImpl constructor(
                 return null
             }
         }
-        logger.debug("find user userId : [$userId]")
         val hashPwd = DataDigestUtils.md5FromStr(pwd)
         val sm3HashPwd = DataDigestUtils.sm3FromStr(pwd)
         val result = userDao.getUserByPassWordAndHash(userId, pwd, hashPwd, sm3HashPwd) ?: return null
@@ -403,4 +402,4 @@ class UserServiceImpl constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(UserServiceImpl::class.java)
     }
-}
+}
diff --git a/.../common-security/src/main/kotlin/com/tencent/bkrepo/common/security/util/SecurityUtils.kt b/.../common-security/src/main/kotlin/com/tencent/bkrepo/common/security/util/SecurityUtils.kt
@@ -31,7 +31,6 @@
 
 package com.tencent.bkrepo.common.security.util
 
-import com.tencent.bkrepo.common.api.constant.ADMIN_USER
 import com.tencent.bkrepo.common.api.constant.ANONYMOUS_USER
 import com.tencent.bkrepo.common.api.constant.AUTHORITIES_KEY
 import com.tencent.bkrepo.common.api.constant.MS_REQUEST_KEY
@@ -60,13 +59,6 @@ object SecurityUtils {
         return HttpContextHolder.getRequestOrNull()?.getAttribute(USER_KEY) as? String ?: ANONYMOUS_USER
     }
 
-    /**
-     * 是否系统管理员
-     */
-    fun isAdmin(): Boolean {
-        return HttpContextHolder.getRequestOrNull()?.getAttribute(ADMIN_USER) as? Boolean ?: false
-    }
-
     /**
      * 获取platform account id
      */
@@ -131,4 +123,4 @@ object SecurityUtils {
             HttpContextHolder.getRequestOrNull()?.setAttribute(USER_KEY, userId)
         }
     }
-}
+}