github.com/polarismesh/polaris@v1.17.8/namespace/namespace_authability.go (about) 1 /** 2 * Tencent is pleased to support the open source community by making Polaris available. 3 * 4 * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. 5 * 6 * Licensed under the BSD 3-Clause License (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at 9 * 10 * https://opensource.org/licenses/BSD-3-Clause 11 * 12 * Unless required by applicable law or agreed to in writing, software distributed 13 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 14 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 15 * specific language governing permissions and limitations under the License. 16 */ 17 18 package namespace 19 20 import ( 21 "context" 22 23 apimodel "github.com/polarismesh/specification/source/go/api/v1/model" 24 apisecurity "github.com/polarismesh/specification/source/go/api/v1/security" 25 apiservice "github.com/polarismesh/specification/source/go/api/v1/service_manage" 26 27 api "github.com/polarismesh/polaris/common/api/v1" 28 "github.com/polarismesh/polaris/common/model" 29 "github.com/polarismesh/polaris/common/utils" 30 ) 31 32 var _ NamespaceOperateServer = (*serverAuthAbility)(nil) 33 34 // CreateNamespaceIfAbsent Create a single name space 35 func (svr *serverAuthAbility) CreateNamespaceIfAbsent(ctx context.Context, 36 req *apimodel.Namespace) (string, *apiservice.Response) { 37 return svr.targetServer.CreateNamespaceIfAbsent(ctx, req) 38 } 39 40 // CreateNamespace 创建命名空间,只需要要后置鉴权,将数据添加到资源策略中 41 func (svr *serverAuthAbility) CreateNamespace(ctx context.Context, req *apimodel.Namespace) *apiservice.Response { 42 authCtx := svr.collectNamespaceAuthContext( 43 ctx, []*apimodel.Namespace{req}, model.Create, "CreateNamespace") 44 // 验证 token 信息 45 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 46 return api.NewResponseWithMsg(convertToErrCode(err), err.Error()) 47 } 48 49 ctx = authCtx.GetRequestContext() 50 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 51 52 // 填充 ownerId 信息数据 53 if ownerId := utils.ParseOwnerID(ctx); len(ownerId) > 0 { 54 req.Owners = utils.NewStringValue(ownerId) 55 } 56 57 return svr.targetServer.CreateNamespace(ctx, req) 58 } 59 60 // CreateNamespaces 创建命名空间,只需要要后置鉴权,将数据添加到资源策略中 61 func (svr *serverAuthAbility) CreateNamespaces( 62 ctx context.Context, reqs []*apimodel.Namespace) *apiservice.BatchWriteResponse { 63 authCtx := svr.collectNamespaceAuthContext(ctx, reqs, model.Create, "CreateNamespaces") 64 65 // 验证 token 信息 66 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 67 return api.NewBatchWriteResponseWithMsg(convertToErrCode(err), err.Error()) 68 } 69 70 ctx = authCtx.GetRequestContext() 71 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 72 73 // 填充 ownerId 信息数据 74 ownerId := utils.ParseOwnerID(ctx) 75 if len(ownerId) > 0 { 76 for index := range reqs { 77 req := reqs[index] 78 req.Owners = utils.NewStringValue(ownerId) 79 } 80 } 81 82 return svr.targetServer.CreateNamespaces(ctx, reqs) 83 } 84 85 // DeleteNamespace 删除命名空间,需要先走权限检查 86 func (svr *serverAuthAbility) DeleteNamespace(ctx context.Context, req *apimodel.Namespace) *apiservice.Response { 87 authCtx := svr.collectNamespaceAuthContext( 88 ctx, []*apimodel.Namespace{req}, model.Delete, "DeleteNamespace") 89 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 90 return api.NewResponseWithMsg(convertToErrCode(err), err.Error()) 91 } 92 93 ctx = authCtx.GetRequestContext() 94 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 95 96 return svr.targetServer.DeleteNamespace(ctx, req) 97 } 98 99 // DeleteNamespaces 删除命名空间,需要先走权限检查 100 func (svr *serverAuthAbility) DeleteNamespaces( 101 ctx context.Context, reqs []*apimodel.Namespace) *apiservice.BatchWriteResponse { 102 authCtx := svr.collectNamespaceAuthContext(ctx, reqs, model.Delete, "DeleteNamespaces") 103 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 104 return api.NewBatchWriteResponseWithMsg(convertToErrCode(err), err.Error()) 105 } 106 107 ctx = authCtx.GetRequestContext() 108 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 109 110 return svr.targetServer.DeleteNamespaces(ctx, reqs) 111 } 112 113 // UpdateNamespaces 更新命名空间,需要先走权限检查 114 func (svr *serverAuthAbility) UpdateNamespaces( 115 ctx context.Context, req []*apimodel.Namespace) *apiservice.BatchWriteResponse { 116 authCtx := svr.collectNamespaceAuthContext(ctx, req, model.Modify, "UpdateNamespaces") 117 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 118 return api.NewBatchWriteResponseWithMsg(convertToErrCode(err), err.Error()) 119 } 120 121 ctx = authCtx.GetRequestContext() 122 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 123 124 return svr.targetServer.UpdateNamespaces(ctx, req) 125 } 126 127 // UpdateNamespaceToken 更新命名空间的token信息,需要先走权限检查 128 func (svr *serverAuthAbility) UpdateNamespaceToken(ctx context.Context, req *apimodel.Namespace) *apiservice.Response { 129 authCtx := svr.collectNamespaceAuthContext( 130 ctx, []*apimodel.Namespace{req}, model.Modify, "UpdateNamespaceToken") 131 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 132 return api.NewResponseWithMsg(convertToErrCode(err), err.Error()) 133 } 134 135 ctx = authCtx.GetRequestContext() 136 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 137 138 return svr.targetServer.UpdateNamespaceToken(ctx, req) 139 } 140 141 // GetNamespaces 获取命名空间列表信息,暂时不走权限检查 142 func (svr *serverAuthAbility) GetNamespaces( 143 ctx context.Context, query map[string][]string) *apiservice.BatchQueryResponse { 144 authCtx := svr.collectNamespaceAuthContext(ctx, nil, model.Read, "GetNamespaces") 145 _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx) 146 if err != nil { 147 return api.NewBatchQueryResponseWithMsg(convertToErrCode(err), err.Error()) 148 } 149 150 ctx = authCtx.GetRequestContext() 151 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 152 153 resp := svr.targetServer.GetNamespaces(ctx, query) 154 if len(resp.Namespaces) != 0 { 155 principal := model.Principal{ 156 PrincipalID: utils.ParseUserID(ctx), 157 PrincipalRole: model.PrincipalUser, 158 } 159 for index := range resp.Namespaces { 160 ns := resp.Namespaces[index] 161 editable := true 162 // 如果鉴权能力没有开启,那就默认都可以进行编辑 163 if svr.strategyMgn.GetAuthChecker().IsOpenConsoleAuth() { 164 editable = svr.targetServer.caches.AuthStrategy().IsResourceEditable(principal, 165 apisecurity.ResourceType_Namespaces, ns.Id.GetValue()) 166 } 167 ns.Editable = utils.NewBoolValue(editable) 168 } 169 } 170 171 return resp 172 } 173 174 // GetNamespaceToken 获取命名空间的token信息,暂时不走权限检查 175 func (svr *serverAuthAbility) GetNamespaceToken(ctx context.Context, req *apimodel.Namespace) *apiservice.Response { 176 authCtx := svr.collectNamespaceAuthContext( 177 ctx, []*apimodel.Namespace{req}, model.Read, "GetNamespaceToken") 178 _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx) 179 if err != nil { 180 return api.NewResponseWithMsg(convertToErrCode(err), err.Error()) 181 } 182 183 ctx = authCtx.GetRequestContext() 184 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 185 return svr.targetServer.GetNamespaceToken(ctx, req) 186 }