[ADD][openEuler]增加用户权限判断接口 #18

wants to merge 1 commit into
base: release/om-webserver0230
15 changes: 7 additions & 8 deletions README.md
Expand Up @@ -2,43 +2,42 @@

#### 介绍

om-webserver是用来对外提供接口数据服务的框架
om-webserver是用来对外提供账号管理功能的服务

#### 软件架构

* SpringBoot

* elasticsearch
* redis
* obs


#### 安装教程

##### 基本安装

1. 克隆工程
> git clone https://gitee.com/opensourceway/om-webserver.git
> git clone https://github.com/opensourceways/om-webserver.git

2. 打包方式
> mvn clean install package -Dmaven.test.skip

3. 启动应用
> java -jar target/om-webserver.jar

*ps:启动应用需使用对应application.properties配置文件。*

##### 容器安装

1. 克隆工程
> git clone https://gitee.com/opensourceway/om-webserver.git
> git clone https://github.com/opensourceways/om-webserver.git

2. 打包方式
* 用Docker打包(到webserver目录中, 执行Dockerfile文件: docker build -t om-webserver . )
* 注意:DcokerFile中"RUN git clone https://${NEW_YEAR_USER}@gitee.com/lixianlin01/new-year.git"仅用于元旦数据获取,自己本地打镜像时可删除
* 注意:DcokerFile中"RUN git clone https://${NEW_YEAR_USER}@gitee.com/lixianlin01/new-year.git"仅用于元数据获取,自己本地打镜像时可删除

3. 启动应用
* Docker run -d -v /home/config.properties:/var/lib/om-webserver/config.properties 容器名称



#### 使用说明

接口功能描述[https://gitee.com/opensourceway/om-docs/blob/master/docs/om-webserver-interface/%E6%8E%A5%E5%8F%A3%E8%AF%B4%E6%98%8E.md](https://gitee.com/opensourceway/om-docs/blob/master/docs/om-webserver-interface/%E6%8E%A5%E5%8F%A3%E8%AF%B4%E6%98%8E.md)
23 changes: 23 additions & 0 deletions src/main/java/com/om/controller/AuthingController.java
Expand Up @@ -16,11 +16,13 @@
import com.anji.captcha.model.vo.CaptchaVO;
import com.anji.captcha.service.CaptchaService;
import com.anji.captcha.util.StringUtils;
import com.om.controller.bean.request.PermissionInfo;
import com.om.result.Constant;
import com.om.service.AuthingService;
import com.om.service.LoginService;
import com.om.service.OidcService;
import com.om.service.OneIdManageService;
import com.om.service.ResourceService;
import com.om.service.SendMessageService;
import com.om.service.UserCenterServiceContext;
import com.om.service.inter.UserCenterServiceInter;
Expand Down Expand Up @@ -92,6 +94,12 @@ public class AuthingController {
@Autowired
private SendMessageService sendMessageService;

/**
* 资源管理服务.
*/
@Autowired
private ResourceService resourceService;

/**
* 从 HttpServletRequest 中获取远程主机的 IP 地址或者主机名.
*
Expand Down Expand Up @@ -390,6 +398,21 @@ public ResponseEntity userPermissions(@CookieValue(value = "_Y_G_", required = f
return oneIdManageService.userPermissions(token);
}

/**
* 查询用户是否有权限.
*
* @param token 包含令牌的 Cookie 值(可选)
* @param permissionInfo 请求体
* @return 是否有权限
*/
@RequestLimitRedis
@AuthingUserToken
@RequestMapping(value = "/user/checkPermission", method = RequestMethod.POST)
public ResponseEntity checkPermission(@CookieValue(value = "_Y_G_", required = false) String token,
@RequestBody PermissionInfo permissionInfo) {
return resourceService.checkPermission(token, permissionInfo);
}

/**
* 处理令牌申请请求的方法.
*
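Review bot: The `_Y_G_` cookie on the new `checkPermission` is declared `required = false`, yet that token is the only thing binding the check to the caller's identity — when it is blank, the service method added in this PR falls back to the `userId` carried in the request body, so the caller would be querying an arbitrary account's permissions. That is only safe if `@AuthingUserToken` itself rejects requests with a missing or invalid cookie, which is not visible here (the neighbouring `/user/permissions` route uses the same pattern, so it may well do so — confirm). Since the body's `userId` is never meant to be honoured on this route, make the contract explicit with `required = true`, or reject a blank token with a 401 before delegating, rather than relying on the interceptor. The Javadoc should also state that `permissionInfo.userId` is ignored and replaced by the identity in the token, so clients do not build on it.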
2 changes: 1 addition & 1 deletion src/main/java/com/om/controller/ManagerController.java
Expand Up @@ -191,7 +191,7 @@ public ResponseEntity getUserPermissions(
@ManageToken
@RequestMapping(value = "/u/checkPermission", method = RequestMethod.POST)
public ResponseEntity checkPermission(@RequestBody PermissionInfo permissionInfo) {
return resourceService.checkPermission(permissionInfo);
return resourceService.checkPermission(null, permissionInfo);
}

/**
1 change: 1 addition & 0 deletions src/main/java/com/om/service/JwtTokenCreateService.java
Expand Up @@ -148,6 +148,7 @@ public String[] authingUserToken(String appId, String userId, String username,

String headToken = JWT.create()
.withAudience(username) //谁接受签名
.withSubject(userId)
.withIssuedAt(issuedAt) //生成签名的时间
.withExpiresAt(headTokenExpireAt) //过期时间
.withJWTId(codeUtil.randomStrBuilder(Constant.RANDOM_DEFAULT_LENGTH))
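Review bot: `withSubject(userId)` gives the head token a proper identity claim, but the consumer added in the same PR (`ResourceService.checkPermission`) reads `decode.getAudience().get(0)` as the user id, while the line directly above populates the audience from `username`; unless those two values are the same string in practice (confirm against the callers of `authingUserToken`), the permission lookup is keyed on the wrong field and the new `sub` claim is unused. The consumer should read `decode.getSubject()`, and because tokens minted before this change carry no `sub`, it needs a null check or a fallback for the rollover period. A short comment on the new line, `// sub = user id; aud = username (kept for existing consumers)`, would stop the next reader from conflating them. `authingUserToken` begins and ends outside this hunk.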
103 changes: 72 additions & 31 deletions src/main/java/com/om/service/ResourceService.java
Expand Up @@ -19,9 +19,15 @@
import java.util.Map;
import java.util.Set;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.om.modules.MessageCodeConfig;
import com.om.utils.AuthingUtil;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;
Expand All @@ -35,6 +41,11 @@

@Service
public class ResourceService {
/**
* 静态变量: LOGGER - 日志记录器.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ResourceService.class);

/**
* 注入authingservice.
*/
Expand All @@ -47,48 +58,78 @@ public class ResourceService {
@Autowired
private AuthingManagerDao authingManagerDao;

/**
* authing工具.
*/
@Autowired
private AuthingUtil authingUtil;

/**
* 自动注入环境变量.
*/
@Autowired
private Environment env;

/**
* 查询是否具备权限.
*
* @param token 包含令牌的 Cookie 值
* @param permissionInfo 权限实例
* @return 是否具备权限的结果
*/
public ResponseEntity checkPermission(PermissionInfo permissionInfo) {
HashMap<String, Boolean> hasPermission = new HashMap<>();
hasPermission.put("hasPermission", false);
if (StringUtils.isAnyBlank(permissionInfo.getResource(),
permissionInfo.getUserId(), permissionInfo.getNamespaceCode())) {
return authingService.result(HttpStatus.OK, "success", hasPermission);
}
String resource = authingManagerDao.convertResource(permissionInfo.getResource());
if (CollectionUtils.isEmpty(permissionInfo.getActions())) {
return authingService.result(HttpStatus.OK, "success", hasPermission);
}
ArrayList<String> pers = authingManagerDao.getUserPermission(permissionInfo.getUserId(),
permissionInfo.getNamespaceCode());
List<String> perActions = new ArrayList<>();
for (String per : pers) {
String[] perList = per.split(":");
if (perList.length > 1 && StringUtils.equals(resource, perList[0])) {
perActions.add(perList[1]);
public ResponseEntity checkPermission(String token, PermissionInfo permissionInfo) {
try {
if (permissionInfo == null) {
return authingService.result(HttpStatus.BAD_REQUEST, MessageCodeConfig.E00012, null, null);
}
}
if ("OR".equals(permissionInfo.getOperator())) {
for (String action : perActions) {
if (permissionInfo.getActions().contains(action)) {
hasPermission.put("hasPermission", true);
break;
if (StringUtils.isBlank(permissionInfo.getNamespaceCode())) {
// 自动使用默认权限分组
permissionInfo.setNamespaceCode(env.getProperty("openeuler.groupCode"));
}
if (StringUtils.isNotBlank(token)) {
DecodedJWT decode = JWT.decode(authingUtil.rsaDecryptToken(token));
String userId = decode.getAudience().get(0);
permissionInfo.setUserId(userId);
}
HashMap<String, Boolean> hasPermission = new HashMap<>();
hasPermission.put("hasPermission", false);
if (StringUtils.isAnyBlank(permissionInfo.getResource(),
permissionInfo.getUserId(), permissionInfo.getNamespaceCode())) {
return authingService.result(HttpStatus.FORBIDDEN, "forbidden", hasPermission);
}
String resource = authingManagerDao.convertResource(permissionInfo.getResource());
if (CollectionUtils.isEmpty(permissionInfo.getActions())) {
return authingService.result(HttpStatus.FORBIDDEN, "forbidden", hasPermission);
}
ArrayList<String> pers = authingManagerDao.getUserPermission(permissionInfo.getUserId(),
permissionInfo.getNamespaceCode());
List<String> perActions = new ArrayList<>();
for (String per : pers) {
String[] perList = per.split(":");
if (perList.length > 1 && StringUtils.equals(resource, perList[0])) {
perActions.add(perList[1]);
}
}
return authingService.result(HttpStatus.OK, "success", hasPermission);
} else {
for (String action : permissionInfo.getActions()) {
if (!perActions.contains(action)) {
return authingService.result(HttpStatus.OK, "success", hasPermission);
if ("OR".equals(permissionInfo.getOperator())) {
for (String action : perActions) {
if (permissionInfo.getActions().contains(action)) {
hasPermission.put("hasPermission", true);
return authingService.result(HttpStatus.OK, "success", hasPermission);
}
}
return authingService.result(HttpStatus.FORBIDDEN, "forbidden", hasPermission);
} else {
for (String action : permissionInfo.getActions()) {
if (!perActions.contains(action)) {
return authingService.result(HttpStatus.FORBIDDEN, "forbidden", hasPermission);
}
}
hasPermission.put("hasPermission", true);
return authingService.result(HttpStatus.OK, "success", hasPermission);
}
hasPermission.put("hasPermission", true);
return authingService.result(HttpStatus.OK, "success", hasPermission);
} catch (Exception e) {
LOGGER.error("check permission failed {}", e.getMessage());
return authingService.result(HttpStatus.BAD_REQUEST, MessageCodeConfig.E00012, null, null);
}
}

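Review bot: `JWT.decode(authingUtil.rsaDecryptToken(token))` only parses the token — it performs no signature or expiry verification — so the `userId` taken from `getAudience().get(0)` is trusted entirely on the assumption that the controller's `@AuthingUserToken` interceptor already validated the cookie; if `checkPermission` is ever reached from another path, an attacker-supplied cookie selects whose permissions are evaluated. Either verify here (the file already wires `AuthingUtil`, which may offer a verifying variant — confirm) or pin the precondition with `// PRECONDITION: token must already be verified upstream; JWT.decode does no signature check`. The same branch means a blank token silently falls back to the caller-supplied `permissionInfo.getUserId()`, and the new `openeuler.groupCode` defaulting now also applies to the manager route (which passes `null`), where a blank namespace previously yielded `hasPermission=false` — both are behaviour changes the description does not mention. The catch-all at the bottom logs only `e.getMessage()`, discarding the stack trace and mapping DAO failures to 400; use `LOGGER.error("check permission failed", e)` (no token in the message) and consider letting non-client errors surface as 500.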