
     1  package impl
     2  
     3  import (
     4  	"context"
     5  
     6  	"github.com/infraboard/mcube/exception"
     7  	"github.com/infraboard/mcube/http/request"
     8  
     9  	"github.com/infraboard/keyauth/apps/endpoint"
    10  	"github.com/infraboard/keyauth/apps/permission"
    11  	"github.com/infraboard/keyauth/apps/policy"
    12  	"github.com/infraboard/keyauth/apps/role"
    13  )
    14  
// QueryPermission resolves the permissions granted to req.Account within
// req.NamespaceId: it loads the account's policies, expands them into roles
// with their permissions attached, and returns the permissions of those roles.
//
// Returns a BadRequest exception when req fails validation; errors from the
// policy or role lookups are returned unchanged.
//
// NOTE(review): the policy lookup asks for a single page built from
// NewPageRequest(100, 1) (presumably page size 100, page 1). An account
// holding more policies than fit on that page would have the remainder
// left out of the returned set without any error — confirm the bound with
// the policy service before treating the result as complete.
func (s *service) QueryPermission(ctx context.Context, req *permission.QueryPermissionRequest) (
	*role.PermissionSet, error) {
	if err := req.Validate(); err != nil {
		return nil, exception.NewBadRequest("validate param error, %s", err)
	}

	// Policies attached to the account in this namespace (one page only).
	policyReq := policy.NewQueryPolicyRequest(request.NewPageRequest(100, 1))
	policyReq.Account, policyReq.NamespaceId = req.Account, req.NamespaceId

	policies, err := s.policy.QueryPolicy(ctx, policyReq)
	if err != nil {
		return nil, err
	}

	// Expand the policies into roles; the final argument requests that the
	// roles come back with their permissions loaded.
	roles, err := policies.GetRoles(ctx, s.role, true)
	if err != nil {
		return nil, err
	}
	return roles.Permissions(), nil
}
    40  
// QueryRole returns the roles held by req.Account within req.NamespaceId,
// derived from the account's policies. req.WithPermission is passed through
// to the role expansion and controls whether each role is returned with its
// permissions loaded.
//
// Returns a BadRequest exception when req fails validation; errors from the
// policy or role lookups are returned unchanged.
//
// NOTE(review): only one page of policies (NewPageRequest(100, 1)) is
// consulted, so an account with more policies than that page holds would
// have roles silently missing — same caveat as QueryPermission.
func (s *service) QueryRole(ctx context.Context, req *permission.QueryRoleRequest) (
	*role.Set, error) {
	if err := req.Validate(); err != nil {
		return nil, exception.NewBadRequest("validate param error, %s", err)
	}

	// Policies attached to the account in this namespace (one page only).
	policyReq := policy.NewQueryPolicyRequest(request.NewPageRequest(100, 1))
	policyReq.Account, policyReq.NamespaceId = req.Account, req.NamespaceId

	policies, err := s.policy.QueryPolicy(ctx, policyReq)
	if err != nil {
		return nil, err
	}

	// Expand policies into roles; whether permissions are attached is the
	// caller's choice.
	return policies.GetRoles(ctx, s.role, req.WithPermission)
}
    59  
// CheckPermission decides whether req.Account may access one endpoint in
// req.NamespaceId. The endpoint is identified by req.EndpointId; when that is
// empty it is derived from req.ServiceId and req.Path, and the derived id is
// written back into req.
//
// Evaluation order, which determines the outcome:
//  1. request validation — failure is a BadRequest;
//  2. the account's roles (with permissions) in the namespace — an account
//     with no role at all is denied before the endpoint is looked up;
//  3. the endpoint record — an endpoint whose Entry.PermissionEnable is
//     false yields a "skip" permission that allows the caller;
//  4. otherwise the roles are matched against the endpoint and a
//     PermissionDeny is returned when none of them grants access.
//
// Errors from the role lookup, the endpoint lookup or the permission match
// are returned unchanged.
func (s *service) CheckPermission(ctx context.Context, req *permission.CheckPermissionRequest) (*role.Permission, error) {
	if req.EndpointId == "" {
		req.EndpointId = endpoint.GenHashID(req.ServiceId, req.Path)
	}
	if err := req.Validate(); err != nil {
		return nil, exception.NewBadRequest("validate param error, %s", err)
	}

	roleReq := permission.NewQueryRoleRequest(req.NamespaceId)
	roleReq.Account = req.Account
	roleReq.WithPermission = true
	roles, err := s.QueryRole(ctx, roleReq)
	if err != nil {
		return nil, err
	}
	// Fail closed: no role in this namespace means deny, without consulting
	// the endpoint at all.
	if roles.Len() == 0 {
		return nil, exception.NewPermissionDeny("no permission")
	}

	epReq := endpoint.NewDescribeEndpointRequestWithID(req.EndpointId)
	ep, err := s.endpoint.DescribeEndpoint(ctx, epReq)
	if err != nil {
		return nil, err
	}
	s.log.Debugf("check roles %s has permission access endpoint [%s]", roles.RoleNames(), ep.Entry)

	// The endpoint opted out of permission checks: any caller that reached
	// this point is allowed, whatever its roles grant.
	if !ep.Entry.PermissionEnable {
		return role.NewSkipPermission("endpoint not enable permission check, allow all access"), nil
	}

	switch p, ok, err := roles.HasPermission(ep); {
	case err != nil:
		return nil, err
	case !ok:
		return nil, exception.NewPermissionDeny("in namespace %s, role %s has no permission access endpoint: %s",
			req.NamespaceId,
			roles.RoleNames(),
			ep.Entry.Path,
		)
	default:
		return p, nil
	}
}