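package impl

import (
	"context"

	"github.com/infraboard/mcube/exception"
	"github.com/infraboard/mcube/http/request"

	"github.com/infraboard/keyauth/apps/endpoint"
	"github.com/infraboard/keyauth/apps/permission"
	"github.com/infraboard/keyauth/apps/policy"
	"github.com/infraboard/keyauth/apps/role"
)

// policyPageSize bounds how many of an account's policies are loaded when its
// roles and permissions are resolved. QueryPermission and QueryRole only ever
// fetch the first page, so an account holding more policies than this has the
// remainder silently ignored. That direction is fail-closed — grants can be
// dropped, never invented — but the bound should be revisited (or the query
// paged) if accounts can accumulate many policies.
const policyPageSize = 100

// QueryPermission resolves the permissions req.Account holds in
// req.NamespaceId: it loads the account's policies, expands them into roles
// with their permissions attached, and returns the permissions of that role
// set.
//
// Returns a BadRequest exception when req fails validation; errors from the
// policy or role stores are returned unchanged.
func (s *service) QueryPermission(ctx context.Context, req *permission.QueryPermissionRequest) (
	*role.PermissionSet, error) {

	if err := req.Validate(); err != nil {
		return nil, exception.NewBadRequest("validate param error, %s", err)
	}

	// Policies attached to the account in this namespace. Only one page is
	// fetched (assumes NewPageRequest(size, pageNumber) — TODO confirm); see
	// the note on policyPageSize.
	preq := policy.NewQueryPolicyRequest(request.NewPageRequest(policyPageSize, 1))
	preq.Account = req.Account
	preq.NamespaceId = req.NamespaceId

	policySet, err := s.policy.QueryPolicy(ctx, preq)
	if err != nil {
		return nil, err
	}

	// Expand the policies into roles. The trailing true corresponds to
	// QueryRole's WithPermission flag, presumably so that each role's
	// permissions are loaded for Permissions() below.
	rset, err := policySet.GetRoles(ctx, s.role, true)
	if err != nil {
		return nil, err
	}

	return rset.Permissions(), nil
}

// QueryRole lists the roles req.Account holds in req.NamespaceId, derived
// from the account's policies. req.WithPermission is passed through to the
// role lookup, where it presumably controls whether each role's permissions
// are loaded alongside it.
//
// Returns a BadRequest exception when req fails validation; errors from the
// policy or role stores are returned unchanged.
func (s *service) QueryRole(ctx context.Context, req *permission.QueryRoleRequest) (
	*role.Set, error) {
	if err := req.Validate(); err != nil {
		return nil, exception.NewBadRequest("validate param error, %s", err)
	}

	// Policies attached to the account in this namespace. Only one page is
	// fetched; see the note on policyPageSize.
	preq := policy.NewQueryPolicyRequest(request.NewPageRequest(policyPageSize, 1))
	preq.Account = req.Account
	preq.NamespaceId = req.NamespaceId

	policySet, err := s.policy.QueryPolicy(ctx, preq)
	if err != nil {
		return nil, err
	}

	return policySet.GetRoles(ctx, s.role, req.WithPermission)
}

// CheckPermission decides whether req.Account may access one endpoint in
// req.NamespaceId and returns the permission that grants it.
//
// The endpoint is identified by req.EndpointId; when that is empty it is
// derived from req.ServiceId and req.Path via endpoint.GenHashID, and the
// derived id is written back into req. Evaluation order, failing closed at
// every step:
//
//  1. validate the request (BadRequest on failure);
//  2. load the account's roles with permissions; an empty role set is a
//     PermissionDeny, before the endpoint is even looked up;
//  3. look up the endpoint (its lookup error is returned as-is);
//  4. if the endpoint's Entry.PermissionEnable is false, return a
//     skip-permission marker that allows access;
//  5. otherwise ask the role set for a permission matching the endpoint and
//     deny when none matches.
//
// NOTE(review): because step 2 precedes step 4, an account with no roles in
// the namespace is denied even on endpoints that do not enforce permission
// checks, despite the "allow all access" wording of that branch. This is the
// more restrictive of the two readings; presumably intentional — confirm.
func (s *service) CheckPermission(ctx context.Context, req *permission.CheckPermissionRequest) (*role.Permission, error) {
	// Derive the endpoint id from service + path when the caller did not
	// supply one. This runs before Validate, presumably so a derived id can
	// satisfy the request's own checks.
	if req.EndpointId == "" {
		req.EndpointId = endpoint.GenHashID(req.ServiceId, req.Path)
	}

	if err := req.Validate(); err != nil {
		return nil, exception.NewBadRequest("validate param error, %s", err)
	}

	// Roles are requested with their permissions attached, since
	// HasPermission below is what consumes them.
	roleReq := permission.NewQueryRoleRequest(req.NamespaceId)
	roleReq.WithPermission = true
	roleReq.Account = req.Account
	roleSet, err := s.QueryRole(ctx, roleReq)
	if err != nil {
		return nil, err
	}

	// Fail closed: no roles in this namespace means no access at all.
	if roleSet.Len() == 0 {
		return nil, exception.NewPermissionDeny("no permission")
	}

	ep, err := s.endpoint.DescribeEndpoint(ctx, endpoint.NewDescribeEndpointRequestWithID(req.EndpointId))
	if err != nil {
		return nil, err
	}
	s.log.Debugf("check roles %s has permission access endpoint [%s]", roleSet.RoleNames(), ep.Entry)

	// Endpoints that do not enforce permission checks are allowed without
	// consulting the roles' permissions.
	if !ep.Entry.PermissionEnable {
		return role.NewSkipPermission("endpoint not enable permission check, allow all access"), nil
	}

	p, ok, err := roleSet.HasPermission(ep)
	if err != nil {
		return nil, err
	}

	// No role in the set carries a permission matching this endpoint.
	if !ok {
		return nil, exception.NewPermissionDeny("in namespace %s, role %s has no permission access endpoint: %s",
			req.NamespaceId,
			roleSet.RoleNames(),
			ep.Entry.Path,
		)
	}

	return p, nil
}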