github.com/polarismesh/polaris@v1.17.8/service/service_authability.go (about) 1 /** 2 * Tencent is pleased to support the open source community by making Polaris available. 3 * 4 * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. 5 * 6 * Licensed under the BSD 3-Clause License (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at 9 * 10 * https://opensource.org/licenses/BSD-3-Clause 11 * 12 * Unless required by applicable law or agreed to in writing, software distributed 13 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 14 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 15 * specific language governing permissions and limitations under the License. 16 */ 17 18 package service 19 20 import ( 21 "context" 22 23 apisecurity "github.com/polarismesh/specification/source/go/api/v1/security" 24 apiservice "github.com/polarismesh/specification/source/go/api/v1/service_manage" 25 26 api "github.com/polarismesh/polaris/common/api/v1" 27 "github.com/polarismesh/polaris/common/model" 28 "github.com/polarismesh/polaris/common/utils" 29 ) 30 31 // CreateServices 批量创建服务 32 func (svr *serverAuthAbility) CreateServices( 33 ctx context.Context, reqs []*apiservice.Service) *apiservice.BatchWriteResponse { 34 authCtx := svr.collectServiceAuthContext(ctx, reqs, model.Create, "CreateServices") 35 36 _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx) 37 if err != nil { 38 return api.NewBatchWriteResponse(convertToErrCode(err)) 39 } 40 41 ctx = authCtx.GetRequestContext() 42 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 43 44 // 填充 ownerID 信息数据 45 ownerID := utils.ParseOwnerID(ctx) 46 if len(ownerID) > 0 { 47 for index := range reqs { 48 req := reqs[index] 49 req.Owners = utils.NewStringValue(ownerID) 50 } 51 } 52 53 resp := svr.targetServer.CreateServices(ctx, reqs) 54 return resp 55 } 56 57 // DeleteServices 批量删除服务 58 func (svr *serverAuthAbility) DeleteServices( 59 ctx context.Context, reqs []*apiservice.Service) *apiservice.BatchWriteResponse { 60 authCtx := svr.collectServiceAuthContext(ctx, reqs, model.Delete, "DeleteServices") 61 62 accessRes := authCtx.GetAccessResources() 63 delete(accessRes, apisecurity.ResourceType_Namespaces) 64 authCtx.SetAccessResources(accessRes) 65 66 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 67 return api.NewBatchWriteResponseWithMsg(convertToErrCode(err), err.Error()) 68 } 69 70 ctx = authCtx.GetRequestContext() 71 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 72 resp := svr.targetServer.DeleteServices(ctx, reqs) 73 return resp 74 } 75 76 // UpdateServices 对于服务修改来说,只针对服务本身,而不需要检查命名空间 77 func (svr *serverAuthAbility) UpdateServices( 78 ctx context.Context, reqs []*apiservice.Service) *apiservice.BatchWriteResponse { 79 authCtx := svr.collectServiceAuthContext(ctx, reqs, model.Modify, "UpdateServices") 80 81 accessRes := authCtx.GetAccessResources() 82 delete(accessRes, apisecurity.ResourceType_Namespaces) 83 authCtx.SetAccessResources(accessRes) 84 85 _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx) 86 if err != nil { 87 return api.NewBatchWriteResponse(convertToErrCode(err)) 88 } 89 90 ctx = authCtx.GetRequestContext() 91 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 92 return svr.targetServer.UpdateServices(ctx, reqs) 93 } 94 95 // UpdateServiceToken 更新服务的 token 96 func (svr *serverAuthAbility) UpdateServiceToken( 97 ctx context.Context, req *apiservice.Service) *apiservice.Response { 98 authCtx := svr.collectServiceAuthContext( 99 ctx, []*apiservice.Service{req}, model.Modify, "UpdateServiceToken") 100 101 accessRes := authCtx.GetAccessResources() 102 delete(accessRes, apisecurity.ResourceType_Namespaces) 103 authCtx.SetAccessResources(accessRes) 104 105 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 106 return api.NewResponseWithMsg(convertToErrCode(err), err.Error()) 107 } 108 109 ctx = authCtx.GetRequestContext() 110 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 111 return svr.targetServer.UpdateServiceToken(ctx, req) 112 } 113 114 func (svr *serverAuthAbility) GetAllServices(ctx context.Context, 115 query map[string]string) *apiservice.BatchQueryResponse { 116 authCtx := svr.collectServiceAuthContext(ctx, nil, model.Read, "GetAllServices") 117 118 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 119 return api.NewBatchQueryResponseWithMsg(convertToErrCode(err), err.Error()) 120 } 121 122 ctx = authCtx.GetRequestContext() 123 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 124 125 return svr.targetServer.GetAllServices(ctx, query) 126 } 127 128 // GetServices 批量获取服务 129 func (svr *serverAuthAbility) GetServices( 130 ctx context.Context, query map[string]string) *apiservice.BatchQueryResponse { 131 authCtx := svr.collectServiceAuthContext(ctx, nil, model.Read, "GetServices") 132 133 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 134 return api.NewBatchQueryResponseWithMsg(convertToErrCode(err), err.Error()) 135 } 136 137 ctx = authCtx.GetRequestContext() 138 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 139 140 resp := svr.targetServer.GetServices(ctx, query) 141 if len(resp.Services) != 0 { 142 principal := model.Principal{ 143 PrincipalID: utils.ParseUserID(ctx), 144 PrincipalRole: model.PrincipalUser, 145 } 146 for index := range resp.Services { 147 svc := resp.Services[index] 148 editable := true 149 // 如果鉴权能力没有开启,那就默认都可以进行编辑 150 if svr.strategyMgn.GetAuthChecker().IsOpenConsoleAuth() { 151 editable = svr.Cache().AuthStrategy().IsResourceEditable(principal, 152 apisecurity.ResourceType_Services, svc.Id.GetValue()) 153 } 154 svc.Editable = utils.NewBoolValue(editable) 155 } 156 } 157 return resp 158 } 159 160 // GetServicesCount 批量获取服务数量 161 func (svr *serverAuthAbility) GetServicesCount(ctx context.Context) *apiservice.BatchQueryResponse { 162 authCtx := svr.collectServiceAuthContext(ctx, nil, model.Read, "GetServicesCount") 163 164 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 165 return api.NewBatchQueryResponseWithMsg(convertToErrCode(err), err.Error()) 166 } 167 168 ctx = authCtx.GetRequestContext() 169 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 170 return svr.targetServer.GetServicesCount(ctx) 171 } 172 173 // GetServiceToken 获取服务的 token 174 func (svr *serverAuthAbility) GetServiceToken(ctx context.Context, req *apiservice.Service) *apiservice.Response { 175 authCtx := svr.collectServiceAuthContext(ctx, nil, model.Read, "GetServiceToken") 176 177 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 178 return api.NewResponseWithMsg(convertToErrCode(err), err.Error()) 179 } 180 181 ctx = authCtx.GetRequestContext() 182 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 183 return svr.targetServer.GetServiceToken(ctx, req) 184 } 185 186 // GetServiceOwner 获取服务的 owner 187 func (svr *serverAuthAbility) GetServiceOwner( 188 ctx context.Context, req []*apiservice.Service) *apiservice.BatchQueryResponse { 189 authCtx := svr.collectServiceAuthContext(ctx, nil, model.Read, "GetServiceOwner") 190 191 if _, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx); err != nil { 192 return api.NewBatchQueryResponseWithMsg(convertToErrCode(err), err.Error()) 193 } 194 195 ctx = authCtx.GetRequestContext() 196 ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx) 197 return svr.targetServer.GetServiceOwner(ctx, req) 198 }