github.com/polarismesh/polaris@v1.17.8/namespace/server_authability.go (about)

     1  /**
     2   * Tencent is pleased to support the open source community by making Polaris available.
     3   *
     4   * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
     5   *
     6   * Licensed under the BSD 3-Clause License (the "License");
     7   * you may not use this file except in compliance with the License.
     8   * You may obtain a copy of the License at
     9   *
    10   * https://opensource.org/licenses/BSD-3-Clause
    11   *
    12   * Unless required by applicable law or agreed to in writing, software distributed
    13   * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
    14   * CONDITIONS OF ANY KIND, either express or implied. See the License for the
    15   * specific language governing permissions and limitations under the License.
    16   */
    17  
    18  package namespace
    19  
    20  import (
    21  	"context"
    22  	"errors"
    23  
    24  	apimodel "github.com/polarismesh/specification/source/go/api/v1/model"
    25  	apisecurity "github.com/polarismesh/specification/source/go/api/v1/security"
    26  	"go.uber.org/zap"
    27  
    28  	"github.com/polarismesh/polaris/auth"
    29  	"github.com/polarismesh/polaris/common/model"
    30  	"github.com/polarismesh/polaris/common/utils"
    31  )
    32  
// serverAuthAbility is the discoverServer wrapper that carries authentication
// and authorization capability.
//
// This layer adjusts request parameters: based on the actual requester it sets
// the owner of the data accordingly, so resources cannot be created on behalf
// of someone else.
type serverAuthAbility struct {
	// targetServer is the wrapped namespace server; newServerAuthAbility points
	// its resource hooks at this proxy.
	targetServer *Server
	// userMgn is the user-management server of the auth plugin.
	userMgn      auth.UserServer
	// strategyMgn is the strategy (policy) server of the auth plugin.
	strategyMgn  auth.StrategyServer
}
    41  
// newServerAuthAbility wraps targetServer in an authorization-aware proxy and
// registers that proxy as the server's resource hooks.
//
// userMgn and strategyMgn are the auth plugin's user and strategy servers that
// the proxy keeps for later use. The proxy itself is returned as the
// NamespaceOperateServer callers should talk to.
func newServerAuthAbility(targetServer *Server,
	userMgn auth.UserServer, strategyMgn auth.StrategyServer) NamespaceOperateServer {
	wrapped := new(serverAuthAbility)
	wrapped.targetServer = targetServer
	wrapped.userMgn = userMgn
	wrapped.strategyMgn = strategyMgn

	// Route the target server's resource hooks through the proxy before it is
	// handed out, so the hooks and the operate server are the same object.
	targetServer.SetResourceHooks(wrapped)
	return wrapped
}
    53  
// collectNamespaceAuthContext gathers everything the authorization layer needs
// for a namespace operation into an AcquireContext: the request context, the
// operation kind, the core module marker, the invoked method name and the
// namespace resources referenced by req (resolved via queryNamespaceResource).
func (svr *serverAuthAbility) collectNamespaceAuthContext(ctx context.Context, req []*apimodel.Namespace,
	resourceOp model.ResourceOperation, methodName string) *model.AcquireContext {
	// Resolve the touched namespaces first; the result is attached as the
	// access-resource set of the acquire context.
	accessRes := svr.queryNamespaceResource(req)

	acquireCtx := model.NewAcquireContext(
		model.WithRequestContext(ctx),
		model.WithOperation(resourceOp),
		model.WithModule(model.CoreModule),
		model.WithMethod(methodName),
		model.WithAccessResources(accessRes),
	)
	return acquireCtx
}
    65  
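// queryNamespaceResource turns the namespaces named in req into the
// ResourceEntry list that the authorization layer checks against.
//
// The request names are deduplicated and resolved through the namespace cache.
// Only namespaces present in the cache contribute an entry (ID is the cached
// name, Owner the cached owner); a name that is not cached — for example a
// namespace that does not exist yet — yields no entry, so there is no owner
// for this layer to check for it. The returned map always carries the
// Namespaces resource type, possibly with an empty list.
func (svr *serverAuthAbility) queryNamespaceResource(
	req []*apimodel.Namespace) map[apisecurity.ResourceType][]model.ResourceEntry {
	names := utils.NewSet[string]()
	for index := range req {
		// Use the generated getters: a nil element in the request slice then
		// contributes an empty name instead of dereferencing a nil pointer.
		names.Add(req[index].GetName().GetValue())
	}
	nsArr := svr.targetServer.caches.Namespace().GetNamespacesByName(names.ToSlice())

	entries := make([]model.ResourceEntry, 0, len(nsArr))
	for index := range nsArr {
		entries = append(entries, model.ResourceEntry{
			ID:    nsArr[index].Name,
			Owner: nsArr[index].Owner,
		})
	}

	ret := map[apisecurity.ResourceType][]model.ResourceEntry{
		apisecurity.ResourceType_Namespaces: entries,
	}
	authLog.Debug("[Auth][Server] collect namespace access res", zap.Any("res", ret))
	return ret
}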
    92  
// convertToErrCode maps an authorization error to the API code reported to the
// caller. The token-not-exist and token-disabled sentinels get their dedicated
// codes (matched with errors.Is, so wrapped errors qualify); any other error,
// including nil, is reported as Code_NotAllowedAccess.
func convertToErrCode(err error) apimodel.Code {
	switch {
	case errors.Is(err, model.ErrorTokenNotExist):
		return apimodel.Code_TokenNotExisted
	case errors.Is(err, model.ErrorTokenDisabled):
		return apimodel.Code_TokenDisabled
	default:
		return apimodel.Code_NotAllowedAccess
	}
}