github.com/polarismesh/polaris@v1.17.8/auth/defaultauth/user_authability.go (about) 1 /** 2 * Tencent is pleased to support the open source community by making Polaris available. 3 * 4 * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. 5 * 6 * Licensed under the BSD 3-Clause License (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at 9 * 10 * https://opensource.org/licenses/BSD-3-Clause 11 * 12 * Unless required by applicable law or agreed to in writing, software distributed 13 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 14 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 15 * specific language governing permissions and limitations under the License. 16 */ 17 18 package defaultauth 19 20 import ( 21 "context" 22 23 apimodel "github.com/polarismesh/specification/source/go/api/v1/model" 24 apisecurity "github.com/polarismesh/specification/source/go/api/v1/security" 25 apiservice "github.com/polarismesh/specification/source/go/api/v1/service_manage" 26 27 "github.com/polarismesh/polaris/auth" 28 "github.com/polarismesh/polaris/cache" 29 api "github.com/polarismesh/polaris/common/api/v1" 30 "github.com/polarismesh/polaris/plugin" 31 "github.com/polarismesh/polaris/store" 32 ) 33 34 func NewUserAuthAbility(authMgn *DefaultAuthChecker, target *Server) *UserAuthAbility { 35 return &UserAuthAbility{ 36 authMgn: authMgn, 37 target: target, 38 } 39 } 40 41 type UserAuthAbility struct { 42 *GroupAuthAbility 43 authMgn *DefaultAuthChecker 44 target *Server 45 } 46 47 // Initialize 执行初始化动作 48 func (svr *UserAuthAbility) Initialize(authOpt *auth.Config, storage store.Store, 49 cacheMgn *cache.CacheManager) error { 50 var ( 51 history = plugin.GetHistory() 52 authMgn = &DefaultAuthChecker{} 53 ) 54 if err := authMgn.Initialize(authOpt, storage, cacheMgn); err != nil { 55 return err 56 } 57 58 svr.authMgn = authMgn 59 svr.target = &Server{ 60 storage: storage, 61 history: history, 62 cacheMgn: cacheMgn, 63 authMgn: authMgn, 64 } 65 svr.GroupAuthAbility = &GroupAuthAbility{ 66 authMgn: svr.authMgn, 67 target: svr.target, 68 } 69 70 return nil 71 } 72 73 // Name of the user operator plugin 74 func (svr *UserAuthAbility) Name() string { 75 return auth.DefaultUserMgnPluginName 76 } 77 78 // CreateUsers 创建用户,只能由超级账户 or 主账户调用 79 // 80 // case 1. 超级账户调用:创建的是主账户 81 // case 2. 主账户调用:创建的是子账户 82 func (svr *UserAuthAbility) CreateUsers(ctx context.Context, req []*apisecurity.User) *apiservice.BatchWriteResponse { 83 ctx, rsp := verifyAuth(ctx, WriteOp, MustOwner, svr.authMgn) 84 if rsp != nil { 85 resp := api.NewAuthBatchWriteResponse(apimodel.Code_ExecuteSuccess) 86 api.Collect(resp, rsp) 87 return resp 88 } 89 90 return svr.target.CreateUsers(ctx, req) 91 } 92 93 // UpdateUser 更新用户,任意账户均可以操作 94 // 用户token被禁止也只是表示不能对北极星资源执行写操作,但是改用户信息还是可以执行的 95 func (svr *UserAuthAbility) UpdateUser(ctx context.Context, user *apisecurity.User) *apiservice.Response { 96 ctx, rsp := verifyAuth(ctx, ReadOp, NotOwner, svr.authMgn) 97 if rsp != nil { 98 rsp.User = user 99 return rsp 100 } 101 102 return svr.target.UpdateUser(ctx, user) 103 } 104 105 // UpdateUserPassword 更新用户信息 106 func (svr *UserAuthAbility) UpdateUserPassword( 107 ctx context.Context, req *apisecurity.ModifyUserPassword) *apiservice.Response { 108 ctx, rsp := verifyAuth(ctx, ReadOp, NotOwner, svr.authMgn) 109 if rsp != nil { 110 return rsp 111 } 112 113 return svr.target.UpdateUserPassword(ctx, req) 114 } 115 116 // DeleteUsers 批量删除用户,只能由超级账户 or 主账户操作 117 func (svr *UserAuthAbility) DeleteUsers( 118 ctx context.Context, reqs []*apisecurity.User) *apiservice.BatchWriteResponse { 119 ctx, rsp := verifyAuth(ctx, WriteOp, MustOwner, svr.authMgn) 120 if rsp != nil { 121 resp := api.NewAuthBatchWriteResponse(apimodel.Code_ExecuteSuccess) 122 api.Collect(resp, rsp) 123 return resp 124 } 125 126 return svr.target.DeleteUsers(ctx, reqs) 127 } 128 129 // DeleteUser 删除用户,只能由超级账户 or 主账户操作 130 func (svr *UserAuthAbility) DeleteUser(ctx context.Context, user *apisecurity.User) *apiservice.Response { 131 ctx, rsp := verifyAuth(ctx, WriteOp, MustOwner, svr.authMgn) 132 if rsp != nil { 133 rsp.User = user 134 return rsp 135 } 136 137 return svr.target.DeleteUser(ctx, user) 138 } 139 140 // GetUsers 获取用户列表,任意账户均可以操作 141 func (svr *UserAuthAbility) GetUsers(ctx context.Context, filter map[string]string) *apiservice.BatchQueryResponse { 142 ctx, rsp := verifyAuth(ctx, ReadOp, NotOwner, svr.authMgn) 143 if rsp != nil { 144 return api.NewAuthBatchQueryResponseWithMsg(apimodel.Code(rsp.GetCode().Value), rsp.Info.Value) 145 } 146 147 return svr.target.GetUsers(ctx, filter) 148 } 149 150 // GetUserToken 获取用户token,任意账户均可以操作 151 func (svr *UserAuthAbility) GetUserToken(ctx context.Context, user *apisecurity.User) *apiservice.Response { 152 ctx, rsp := verifyAuth(ctx, ReadOp, NotOwner, svr.authMgn) 153 if rsp != nil { 154 return rsp 155 } 156 157 return svr.target.GetUserToken(ctx, user) 158 } 159 160 // UpdateUserToken 更新用户的 token 状态,只允许超级、主账户进行操作 161 func (svr *UserAuthAbility) UpdateUserToken(ctx context.Context, user *apisecurity.User) *apiservice.Response { 162 ctx, rsp := verifyAuth(ctx, WriteOp, MustOwner, svr.authMgn) 163 if rsp != nil { 164 rsp.User = user 165 return rsp 166 } 167 168 return svr.target.UpdateUserToken(ctx, user) 169 } 170 171 // ResetUserToken 重置用户token,允许子账户进行操作 172 func (svr *UserAuthAbility) ResetUserToken(ctx context.Context, user *apisecurity.User) *apiservice.Response { 173 ctx, rsp := verifyAuth(ctx, WriteOp, NotOwner, svr.authMgn) 174 if rsp != nil { 175 rsp.User = user 176 return rsp 177 } 178 179 return svr.target.ResetUserToken(ctx, user) 180 } 181 182 // Login login Servers 183 func (svr *UserAuthAbility) Login(req *apisecurity.LoginRequest) *apiservice.Response { 184 return svr.target.Login(req) 185 }