From ce16e97720af887bd297d2140f71164070e8f411 Mon Sep 17 00:00:00 2001
From: owen
Date: Mon, 1 Apr 2024 17:00:11 +0800
Subject: [PATCH] =?UTF-8?q?feat=20:=20custom=E4=BB=93=E5=BA=93=E6=94=AF?=
 =?UTF-8?q?=E6=8C=81=E6=9C=AC=E5=9C=B0=E6=9D=83=E9=99=90=E6=A0=A1=E9=AA=8C?=
 =?UTF-8?q?=20#1905?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../bkrepo/auth/controller/OpenResource.kt | 20 +++++++++++++++----
 .../bkauth/DevopsPermissionServiceImpl.kt | 6 +++---
 .../service/local/PermissionServiceImpl.kt | 10 +++++-----
 .../auth/service/local/UserServiceImpl.kt | 3 +--
 .../common/security/util/SecurityUtils.kt | 10 +--------
 5 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt
index 7822e03f97..98fa0bbcc6 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt
@@ -38,39 +38,51 @@ import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
 import com.tencent.bkrepo.auth.pojo.user.UserInfo
 import com.tencent.bkrepo.auth.service.PermissionService
+import com.tencent.bkrepo.common.api.constant.ADMIN_USER
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
 import com.tencent.bkrepo.common.api.message.CommonMessageCode
 import com.tencent.bkrepo.common.security.util.SecurityUtils
+import com.tencent.bkrepo.common.service.util.HttpContextHolder
 import org.slf4j.LoggerFactory
 
 open class OpenResource(private val permissionService: PermissionService) {
 
     /**
      * the userContext should equal userId or be admin
+     * only use in user api
      */
     fun preCheckContextUser(userId: String) {
         val userContext = SecurityUtils.getUserId()
-        if (!SecurityUtils.isAdmin() && userContext.isNotEmpty() && userContext != userId) {
+        if (!isAdminFromApi() && userContext.isNotEmpty() && userContext != userId) {
             logger.warn("user not match [$userContext, $userId]")
             throw ErrorCodeException(AuthMessageCode.AUTH_USER_FORAUTH_NOT_PERM)
         }
     }
 
+    /**
+     * 是否系统管理员
+     * 限定在auth服务api请求时使用
+     */
+    fun isAdminFromApi(): Boolean {
+        return HttpContextHolder.getRequestOrNull()?.getAttribute(ADMIN_USER) as? Boolean ?: false
+    }
+
     /**
      * userId's assetUsers contain userContext or userContext be admin
      */
     fun preCheckUserOrAssetUser(userId: String, users: List) {
-        if (!users.any { userInfo -> userInfo.userId.equals(userId) }) {
+        if (!users.any { userInfo -> userInfo.userId == userId }) {
             preCheckContextUser(userId)
         }
     }
 
     /**
      * the userContext should be admin
+     * only use in user api
      */
     fun preCheckUserAdmin() {
         val userContext = SecurityUtils.getUserId()
-        if (!SecurityUtils.isAdmin()) {
+        if (!isAdminFromApi()) {
             logger.warn("user not match admin [$userContext]")
             throw ErrorCodeException(AuthMessageCode.AUTH_USER_FORAUTH_NOT_PERM)
         }
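Review bot: `isAdminFromApi()` is public on a base class that other controllers extend, and its KDoc says neither what it reads nor what happens when nothing is bound; narrow it to `protected` and document the contract, e.g. `/** True only when the current request carries the ADMIN_USER attribute as a Boolean; false when no request is bound or the attribute is absent. */`. The two added "only use in user api" lines are a comment-only restriction: nothing in the code prevents `preCheckContextUser` / `preCheckUserAdmin` from running on a request where that attribute was never set, in which case both fail closed (caller treated as non-admin), which is worth stating in the same KDoc so the next reader does not re-add a request-context check. `preCheckUserAdmin` continues past the end of the hunk.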
@@ -181,4 +193,4 @@ open class OpenResource(private val permissionService: PermissionService) {
     companion object {
         private val logger = LoggerFactory.getLogger(OpenResource::class.java)
     }
-}
+}
\ No newline at end of file
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt
index a08023d908..d75de991f3 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt
@@ -81,7 +81,7 @@ class DevopsPermissionServiceImpl constructor(
     override fun listPermissionRepo(projectId: String, userId: String, appId: String?): List {
         // 用户为系统管理员,或者当前项目管理员
-        if (isUserSystemAdmin() || isUserLocalProjectAdmin(userId, projectId)
+        if (isUserSystemAdmin(userId) || isUserLocalProjectAdmin(userId, projectId)
             || isDevopsProjectMember(userId, projectId, READ.name)
         ) return getAllRepoByProjectId(projectId)
@@ -137,7 +137,7 @@ class DevopsPermissionServiceImpl constructor(
         with(request) {
             logger.debug("check devops permission request [$request]")
-            if (isUserSystemAdmin()) return true
+            if (isUserSystemAdmin(uid)) return true
             //user is not local admin, not in project
             if (projectId == null) return false
@@ -268,4 +268,4 @@ class DevopsPermissionServiceImpl constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(DevopsPermissionServiceImpl::class.java)
     }
-}
+}
\ No newline at end of file
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
index 64e820fbfb..52d3f2de48 100644
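Review bot: The admin decision in `listPermissionRepo` now keys on the `userId` argument rather than on the authenticated request — `isUserSystemAdmin(userId)` consults that user's stored admin flag — and the same shift applies to `isUserSystemAdmin(uid)` in the `@@ -137` hunk and to `user.admin` in `PermissionServiceImpl.listNoPermissionPath`. That is only as sound as the guarantee that `userId` / `request.uid` was populated from the authenticated principal by the calling service; the callers are not visible in this diff, so please confirm that no entry point lets a client choose that field, since the admin branch would then be decided by caller-supplied data. A short comment on the new condition would make the trust assumption explicit, e.g. `// userId is assumed to be the authenticated principal; admin status comes from the user record, not the request`. Both `listPermissionRepo` and the `with(request)` block extend beyond their hunks.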
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
@@ -64,7 +64,6 @@ import com.tencent.bkrepo.auth.util.RequestUtil
 import com.tencent.bkrepo.auth.util.request.PermRequestUtil
 import com.tencent.bkrepo.common.api.constant.ANONYMOUS_USER
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
-import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.repository.api.ProjectClient
 import com.tencent.bkrepo.repository.api.RepositoryClient
 import org.slf4j.LoggerFactory
@@ -294,7 +293,7 @@ open class PermissionServiceImpl constructor(
     override fun listNoPermissionPath(userId: String, projectId: String, repoName: String): List {
         val user = userDao.findFirstByUserId(userId) ?: return emptyList()
-        if (isUserSystemAdmin() || isUserLocalProjectAdmin(userId, projectId)) {
+        if (user.admin || isUserLocalProjectAdmin(userId, projectId)) {
             return emptyList()
         }
         val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
@@ -361,8 +360,9 @@ open class PermissionServiceImpl constructor(
         return permHelper.isUserLocalProjectUser(userId, projectId)
     }
 
-    fun isUserSystemAdmin(): Boolean {
-        return SecurityUtils.isAdmin()
+    fun isUserSystemAdmin(userId: String): Boolean {
+        val user = userDao.findFirstByUserId(userId) ?: return false
+        return user.admin
     }
 
     fun checkNodeAction(request: CheckPermissionRequest, userRoles: List?, isProjectUser: Boolean): Boolean {
@@ -377,4 +377,4 @@ open class PermissionServiceImpl constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(PermissionServiceImpl::class.java)
     }
-}
+}
\ No newline at end of file
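Review bot: `isUserSystemAdmin(userId)` in the `@@ -361` hunk has no KDoc although its contract changed from "the current request was flagged admin" to "the stored record for this user has `admin` set", and an unknown user now silently yields false; add e.g. `/** True when the persisted user record for [userId] carries the admin flag; false for unknown users. */`. Each call is now a `userDao` round trip, so call sites that already hold the loaded user — as `listNoPermissionPath` in the `@@ -294` hunk does with `user.admin` — should keep using the record rather than calling this, and the two checks must be kept in sync if the admin rule ever gains extra conditions. The body also reads better as a single expression: `fun isUserSystemAdmin(userId: String): Boolean = userDao.findFirstByUserId(userId)?.admin ?: false` — assuming `admin` is a non-null Boolean on the entity, which the hunk does not show.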
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt
index 9e6d7b6ad2..c3c32fdc44 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt
@@ -314,7 +314,6 @@ class UserServiceImpl constructor(
                 return null
             }
         }
-        logger.debug("find user userId : [$userId]")
         val hashPwd = DataDigestUtils.md5FromStr(pwd)
         val sm3HashPwd = DataDigestUtils.sm3FromStr(pwd)
         val result = userDao.getUserByPassWordAndHash(userId, pwd, hashPwd, sm3HashPwd) ?: return null
@@ -403,4 +402,4 @@ class UserServiceImpl constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(UserServiceImpl::class.java)
     }
-}
+}
\ No newline at end of file
diff --git a/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/util/SecurityUtils.kt b/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/util/SecurityUtils.kt
index 461c17d185..4f28d5cec2 100644
--- a/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/util/SecurityUtils.kt
+++ b/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/util/SecurityUtils.kt
@@ -31,7 +31,6 @@
 
 package com.tencent.bkrepo.common.security.util
 
-import com.tencent.bkrepo.common.api.constant.ADMIN_USER
 import com.tencent.bkrepo.common.api.constant.ANONYMOUS_USER
 import com.tencent.bkrepo.common.api.constant.AUTHORITIES_KEY
 import com.tencent.bkrepo.common.api.constant.MS_REQUEST_KEY
@@ -60,13 +59,6 @@ object SecurityUtils {
         return HttpContextHolder.getRequestOrNull()?.getAttribute(USER_KEY) as? String ?: ANONYMOUS_USER
     }
 
-    /**
-     * 是否系统管理员
-     */
-    fun isAdmin(): Boolean {
-        return HttpContextHolder.getRequestOrNull()?.getAttribute(ADMIN_USER) as? Boolean ?: false
-    }
-
     /**
      * 获取platform account id
      */
@@ -131,4 +123,4 @@ object SecurityUtils {
             HttpContextHolder.getRequestOrNull()?.setAttribute(USER_KEY, userId)
         }
     }
-}
+}
\ No newline at end of file