rbac

2023-08-24 10:00:27 +08:00
parent 254bf9dbdb
commit a715828a2a
8 changed files with 130 additions and 115 deletions
--- a/lib/midware/midhandle.go
+++ b/lib/midware/midhandle.go
@@ -2,12 +2,14 @@ package midware

 import (
 	"net/http"
+	"strings"

 	"ems.agt/lib/log"
 	"ems.agt/lib/services"
+	"github.com/gorilla/mux"
 )

-func LoggerTraceMiddleware(next http.Handler) http.Handler {
+func LoggerTrace(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Do stuff here
 		log.Trace("Http Trace Info:")
@@ -26,10 +28,48 @@ func LoggerTraceMiddleware(next http.Handler) http.Handler {
 		//r.Body = ioutil.NopCloser(bytes.NewReader(body))
 		//log.Trace("Body:", string(body))
 		// Call the next handler, which can be another middleware in the chain, or the final handler.
+		// if r.Method == "OPTIONS" {
+		// 	services.ResponseStatusOK201Accepted(w)
+		// 	return
+		// }
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func OptionProcess(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method == "OPTIONS" {
 			services.ResponseStatusOK201Accepted(w)
 			return
 		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func CheckPermission(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		token := r.Header.Get("AccessToken")
+		vars := mux.Vars(r)
+		management := vars["managedType"]
+		element := vars["elementTypeValue"]
+		object := vars["objectTypeValue"]
+		pack := "*"
+		if token != "" && element != "oauth" {
+			log.Debugf("token:%s, method:%s, management:%s, element:%s, object:%s, pack:%s", token, r.Method, management, element, object, pack)
+			exist, err := services.CheckUserPermission(token, strings.ToLower(r.Method), management, element, object, pack)
+			if err != nil {
+				log.Error("Failed to get permission:", err)
+				services.ResponseForbidden403NotPermission(w)
+				return
+			}
+			if !exist {
+				log.Error("Not permission!")
+				services.ResponseForbidden403NotPermission(w)
+				return
+			}
+		}
 		next.ServeHTTP(w, r)
 	})
 }
--- a/lib/oauth/oauth.go
+++ b/lib/oauth/oauth.go
@@ -78,9 +78,14 @@ func RandStringBytes(n int) string {
 	return string(b)
 }

-func GenRandToken() string {
-	return RandStringBytes(8) + "-" + RandStringBytes(4) + "-" +
-		RandStringBytes(4) + "-" + RandStringBytes(4) + "-" + RandStringBytes(12)
+func GenRandToken(prefix string) string {
+	if prefix == "" {
+		return RandStringBytes(8) + "-" + RandStringBytes(4) + "-" +
+			RandStringBytes(4) + "-" + RandStringBytes(4) + "-" + RandStringBytes(12)
+	} else {
+		return prefix + "-" + RandStringBytes(8) + "-" + RandStringBytes(4) + "-" +
+			RandStringBytes(4) + "-" + RandStringBytes(4) + "-" + RandStringBytes(12)
+	}
 }

 type OAuthBody struct {
--- a/lib/routes/routes.go
+++ b/lib/routes/routes.go
@@ -59,46 +59,42 @@ func init() {
 	Register("GET", state.CustomUriLicenseInfoOne, state.GetOneLicenseInfoFromNF, nil)

 	// database management
-	Register("GET", dbrest.XormGetDataUri, dbrest.DatabaseGetData, nil)
-	Register("GET", dbrest.XormSelectDataUri, dbrest.DatabaseGetData, nil)
-	Register("POST", dbrest.XormInsertDataUri, dbrest.DatabaseInsertData, nil)
-	Register("PUT", dbrest.XormUpdateDataUri, dbrest.DatabaseUpdateData, nil)
-	Register("DELETE", dbrest.XormDeleteDataUri, dbrest.DatabaseDeleteData, nil)
+	Register("GET", dbrest.XormGetDataUri, dbrest.DatabaseGetData, midware.CheckPermission)
+	Register("GET", dbrest.XormSelectDataUri, dbrest.DatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.XormInsertDataUri, dbrest.DatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.XormUpdateDataUri, dbrest.DatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.XormDeleteDataUri, dbrest.DatabaseDeleteData, midware.CheckPermission)

-	Register("GET", dbrest.CustomXormGetDataUri, dbrest.DatabaseGetData, nil)
-	Register("GET", dbrest.CustomXormSelectDataUri, dbrest.DatabaseGetData, nil)
-	Register("POST", dbrest.CustomXormInsertDataUri, dbrest.DatabaseInsertData, nil)
-	Register("PUT", dbrest.CustomXormUpdateDataUri, dbrest.DatabaseUpdateData, nil)
-	Register("DELETE", dbrest.CustomXormDeleteDataUri, dbrest.DatabaseDeleteData, nil)
-	// 系统备份-数据库备份
-	Register("POST", dbrest.UriDbBackup, dbrest.DbBackup, nil)
-	// 系统备份-文件备份
-	Register("POST", dbrest.UriConfBackup, dbrest.ConfBackup, nil)
+	Register("GET", dbrest.CustomXormGetDataUri, dbrest.DatabaseGetData, midware.CheckPermission)
+	Register("GET", dbrest.CustomXormSelectDataUri, dbrest.DatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.CustomXormInsertDataUri, dbrest.DatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.CustomXormUpdateDataUri, dbrest.DatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.CustomXormDeleteDataUri, dbrest.DatabaseDeleteData, midware.CheckPermission)

-	Register("GET", dbrest.XormCommonUri, dbrest.DatabaseGetData, nil)
-	Register("POST", dbrest.XormCommonUri, dbrest.DatabaseInsertData, nil)
-	Register("PUT", dbrest.XormCommonUri, dbrest.DatabaseUpdateData, nil)
-	Register("DELETE", dbrest.XormCommonUri, dbrest.DatabaseDeleteData, nil)
+	Register("GET", dbrest.XormCommonUri, dbrest.DatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.XormCommonUri, dbrest.DatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.XormCommonUri, dbrest.DatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.XormCommonUri, dbrest.DatabaseDeleteData, midware.CheckPermission)

-	Register("GET", dbrest.XormDatabaseUri, dbrest.TaskDatabaseGetData, nil)
-	Register("POST", dbrest.XormDatabaseUri, dbrest.TaskDatabaseInsertData, nil)
-	Register("PUT", dbrest.XormDatabaseUri, dbrest.TaskDatabaseUpdateData, nil)
-	Register("DELETE", dbrest.XormDatabaseUri, dbrest.TaskDatabaseDeleteData, nil)
+	Register("GET", dbrest.XormDatabaseUri, dbrest.TaskDatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.XormDatabaseUri, dbrest.TaskDatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.XormDatabaseUri, dbrest.TaskDatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.XormDatabaseUri, dbrest.TaskDatabaseDeleteData, midware.CheckPermission)

-	Register("GET", dbrest.CustomXormCommonUri, dbrest.DatabaseGetData, nil)
-	Register("POST", dbrest.CustomXormCommonUri, dbrest.DatabaseInsertData, nil)
-	Register("PUT", dbrest.CustomXormCommonUri, dbrest.DatabaseUpdateData, nil)
-	Register("DELETE", dbrest.CustomXormCommonUri, dbrest.DatabaseDeleteData, nil)
+	Register("GET", dbrest.CustomXormCommonUri, dbrest.DatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.CustomXormCommonUri, dbrest.DatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.CustomXormCommonUri, dbrest.DatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.CustomXormCommonUri, dbrest.DatabaseDeleteData, midware.CheckPermission)

-	Register("GET", dbrest.XormExtDataUri, dbrest.ExtDatabaseGetData, nil)
-	Register("POST", dbrest.XormExtDataUri, dbrest.ExtDatabaseInsertData, nil)
-	Register("PUT", dbrest.XormExtDataUri, dbrest.ExtDatabaseUpdateData, nil)
-	Register("DELETE", dbrest.XormExtDataUri, dbrest.ExtDatabaseDeleteData, nil)
+	Register("GET", dbrest.XormExtDataUri, dbrest.ExtDatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.XormExtDataUri, dbrest.ExtDatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.XormExtDataUri, dbrest.ExtDatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.XormExtDataUri, dbrest.ExtDatabaseDeleteData, midware.CheckPermission)

-	Register("GET", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseGetData, nil)
-	Register("POST", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseInsertData, nil)
-	Register("PUT", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseUpdateData, nil)
-	Register("DELETE", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseDeleteData, nil)
+	Register("GET", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseGetData, midware.CheckPermission)
+	Register("POST", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseInsertData, midware.CheckPermission)
+	Register("PUT", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseUpdateData, midware.CheckPermission)
+	Register("DELETE", dbrest.CustomXormExtDataUri, dbrest.ExtDatabaseDeleteData, midware.CheckPermission)

 	// alarm restful Register
 	Register("POST", fm.UriAlarms, fm.PostAlarmFromNF, nil)
@@ -267,7 +263,8 @@ func NewRouter() *mux.Router {
 	r.NotFoundHandler = services.CustomResponseNotFound404Handler()
 	r.MethodNotAllowedHandler = services.CustomResponseMethodNotAllowed405Handler()

-	r.Use(midware.LoggerTraceMiddleware)
+	r.Use(midware.LoggerTrace)
+	r.Use(midware.OptionProcess)

 	for _, router := range routers {
 		r.Methods(router.Method).
--- a/lib/session/session.go
+++ b/lib/session/session.go
@@ -43,7 +43,7 @@ func NewSessManager(name string) *SessManager {
 func (smgr *SessManager) NewSession(w http.ResponseWriter, r *http.Request, plist []bool) string {
 	smgr.lock.Lock()
 	defer smgr.lock.Unlock()
-	token := oauth.GenRandToken() // Generate new token to session ID
+	token := oauth.GenRandToken("omc") // Generate new token to session ID
 	session := &Session{token: token, time: time.Now(), permission: plist, values: make(map[interface{}]interface{})}
 	smgr.sessions[token] = session