chore: 禁止普通用户使用不安全插件，比如复制到本机、自定义js脚本等

packages/core/pipeline/src/core/executor.ts

@@ -1,7 +1,7 @@
 import { ConcurrencyStrategy, NotificationWhen, Pipeline, ResultType, Runnable, RunStrategy, Stage, Step, Task } from "../dt/index.js";
 import _ from "lodash-es";
 import { RunHistory, RunnableCollection } from "./run-history.js";
-import { AbstractTaskPlugin, PluginDefine, pluginRegistry, TaskInstanceContext } from "../plugin/index.js";
+import { AbstractTaskPlugin, PluginDefine, pluginRegistry, TaskInstanceContext, UserInfo } from "../plugin/index.js";
 import { ContextFactory, IContext } from "./context.js";
 import { IStorage } from "./storage.js";
 import { logger } from "../utils/util.log.js";
@@ -16,13 +16,13 @@ import { hashUtils, utils } from "../utils/index.js";
 // import { TimeoutPromise } from "../utils/util.promise.js";
 
 export type ExecutorOptions = {
-  userId: any;
   pipeline: Pipeline;
   storage: IStorage;
   onChanged: (history: RunHistory) => Promise<void>;
   accessService: IAccessService;
   emailService: IEmailService;
   fileRootDir?: string;
+  user: UserInfo;
 };
 
 export class Executor {
@@ -46,7 +46,7 @@ export class Executor {
     this.onChanged = async (history: RunHistory) => {
       await options.onChanged(history);
     };
-    this.pipeline.userId = options.userId;
+    this.pipeline.userId = options.user.id;
     this.contextFactory = new ContextFactory(options.storage);
     this.logger = logger;
     this.pipelineContext = this.contextFactory.getContext("pipeline", this.pipeline.id);
@@ -269,7 +269,7 @@ export class Executor {
       accessService: this.options.accessService,
       emailService: this.options.emailService,
       pipelineContext: this.pipelineContext,
-      userContext: this.contextFactory.getContext("user", this.options.userId),
+      userContext: this.contextFactory.getContext("user", this.options.user.id),
       fileStore: new FileStore({
         scope: this.pipeline.id,
         parent: this.runtime.id,
@@ -277,6 +277,7 @@ export class Executor {
       }),
       signal: this.abort.signal,
       utils,
+      user: this.options.user,
     };
     instance.setCtx(taskCtx);
 

packages/core/pipeline/src/plugin/api.ts

@@ -9,7 +9,10 @@ import { ILogger, logger, utils } from "../utils/index.js";
 import { HttpClient } from "../utils/util.request";
 import dayjs from "dayjs";
 import _ from "lodash-es";
-
+export type UserInfo = {
+  role: "admin" | "user";
+  id: any;
+};
 export enum ContextScope {
   global,
   pipeline,
@@ -81,6 +84,8 @@ export type TaskInstanceContext = {
   signal: AbortSignal;
   //工具类
   utils: typeof utils;
+
+  user: UserInfo;
 };
 
 export abstract class AbstractTaskPlugin implements ITaskPlugin {
@@ -170,6 +175,10 @@ export abstract class AbstractTaskPlugin implements ITaskPlugin {
     }
     throw new Error(`action ${req.action} not found`);
   }
+
+  isAdmin() {
+    return this.ctx.user.role === "admin";
+  }
 }
 
 export type OutputVO = {

packages/ui/certd-client/src/views/sys/authority/permission/index.vue

@@ -4,11 +4,19 @@
       <div class="title">权限管理</div>
     </template>
     <fs-crud ref="crudRef" v-bind="crudBinding">
-      <a-button v-permission="'sys:auth:per:add'" style="margin-left: 20px" @click="addHandle({})">
+      <a-button v-permission="'1sys:auth:per:add'" style="margin-left: 20px" @click="addHandle({})">
         <fs-icon :icon="ui.icons.add"></fs-icon>
         添加
       </a-button>
-      <fs-permission-tree class="permission-tree mt-10" :tree="crudBinding.data" :checkable="false" :actions="permission" @add="addHandle" @edit="editHandle" @remove="removeHandle"></fs-permission-tree>
+      <fs-permission-tree
+        class="permission-tree mt-10"
+        :tree="crudBinding.data"
+        :checkable="false"
+        :actions="permission"
+        @add="addHandle"
+        @edit="editHandle"
+        @remove="removeHandle"
+      ></fs-permission-tree>
     </fs-crud>
   </fs-page>
 </template>
@@ -49,9 +57,9 @@ export default defineComponent({
 
     const { hasPermissions } = usePermission();
     const permission = ref({
-      add: hasPermissions("sys:auth:per:add"),
+      add: hasPermissions("1sys:auth:per:add"),
-      edit: hasPermissions("sys:auth:per:edit"),
+      edit: hasPermissions("1sys:auth:per:edit"),
-      remove: hasPermissions("sys:auth:per:remove")
+      remove: hasPermissions("1sys:auth:per:remove")
     });
 
     return {

packages/ui/certd-server/src/modules/authority/controller/permission-controller.ts

@@ -1,12 +1,4 @@
-import {
+import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
-  ALL,
-  Body,
-  Controller,
-  Inject,
-  Post,
-  Provide,
-  Query,
-} from '@midwayjs/core';
 import { CrudController } from '../../../basic/crud-controller.js';
 import { PermissionService } from '../service/permission-service.js';
 

packages/ui/certd-server/src/modules/authority/service/user-role-service.ts

@@ -16,4 +16,6 @@ export class UserRoleService extends BaseService<UserRoleEntity> {
   getRepository() {
     return this.repository;
   }
+
+
 }

packages/ui/certd-server/src/modules/authority/service/user-service.ts

@@ -204,4 +204,16 @@ export class UserService extends BaseService<UserEntity> {
     }
     await super.delete(ids);
   }
+
+  async isAdmin(userId: any) {
+    const userRoles = await this.userRoleService.find({
+      where: {
+        userId,
+      },
+    });
+    const roleIds = userRoles.map(item => item.roleId);
+    if (roleIds.includes(1)) {
+      return true;
+    }
+  }
 }

packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts

@@ -4,7 +4,7 @@ import { In, Repository } from 'typeorm';
 import { BaseService } from '../../../basic/base-service.js';
 import { PipelineEntity } from '../entity/pipeline.js';
 import { PipelineDetail } from '../entity/vo/pipeline-detail.js';
-import { Executor, isPlus, Pipeline, ResultType, RunHistory } from '@certd/pipeline';
+import { Executor, isPlus, Pipeline, ResultType, RunHistory, UserInfo } from '@certd/pipeline';
 import { AccessService } from './access-service.js';
 import { DbStorage } from './db-storage.js';
 import { StorageService } from './storage-service.js';
@@ -16,9 +16,11 @@ import { HistoryLogService } from './history-log-service.js';
 import { logger } from '../../../utils/logger.js';
 import { EmailService } from '../../basic/service/email-service.js';
 import { NeedVIPException } from '../../../basic/exception/vip-exception.js';
+import { UserService } from '../../authority/service/user-service.js';
 
 const runningTasks: Map<string | number, Executor> = new Map();
 const freeCount = 10;
+
 /**
  * 证书申请
  */
@@ -38,6 +40,9 @@ export class PipelineService extends BaseService<PipelineEntity> {
   @Inject()
   historyLogService: HistoryLogService;
 
+  @Inject()
+  userService: UserService;
+
   @Inject()
   cron: Cron;
 
@@ -331,9 +336,13 @@ export class PipelineService extends BaseService<PipelineEntity> {
 
     const userId = entity.userId;
     const historyId = await this.historyService.start(entity);
-
+    const userIsAdmin = await this.userService.isAdmin(userId);
+    const user: UserInfo = {
+      id: userId,
+      role: userIsAdmin ? 'admin' : 'user',
+    };
     const executor = new Executor({
-      userId,
+      user,
       pipeline,
       onChanged,
       accessService: this.accessService,

packages/ui/certd-server/src/plugins/plugin-host/plugin/copy-to-local/index.ts

@@ -8,7 +8,7 @@ import path from 'path';
   name: 'CopyToLocal',
   title: '复制到本机',
   icon: 'solar:copy-bold-duotone',
-  desc: '实际上是复制证书到docker容器内的某个路径，需要做目录映射到宿主机',
+  desc: '【仅管理员使用】实际上是复制证书到docker容器内的某个路径，需要做目录映射到宿主机',
   group: pluginGroups.host.key,
   default: {
     strategy: {
@@ -114,6 +114,10 @@ export class CopyCertToLocalPlugin extends AbstractTaskPlugin {
     fs.copyFileSync(srcFile, destFile);
   }
   async execute(): Promise<void> {
+    if (!this.isAdmin()) {
+      throw new Error('只有管理员才能运行此任务');
+    }
+
     let { crtPath, keyPath, icPath, pfxPath, derPath } = this;
     const certReader = new CertReader(this.cert);
 

packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-restart.ts

@@ -4,7 +4,7 @@ import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput
   name: 'RestartCertd',
   title: '重启Certd',
   icon: 'mdi:restart',
-  desc: '延迟一定时间后自动杀死自己，然后通过Docker来自动重启',
+  desc: '【仅管理员】延迟一定时间后自动杀死自己，然后通过Docker来自动重启',
   group: pluginGroups.other.key,
   default: {
     strategy: {
@@ -25,6 +25,9 @@ export class RestartCertdPlugin extends AbstractTaskPlugin {
   delay = 30;
   async onInstance() {}
   async execute(): Promise<void> {
+    if (!this.isAdmin()) {
+      throw new Error('只有管理员才能运行此任务');
+    }
     this.logger.info(`Certd 将在 ${this.delay} 秒后关闭`);
     setTimeout(() => {
       this.logger.info('重启 Certd');

packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-script.ts

@@ -9,8 +9,8 @@ export type CustomScriptContext = {
 @IsTaskPlugin({
   name: 'CustomScript',
   title: '自定义js脚本',
-  icon:"ri:javascript-line",
+  icon: 'ri:javascript-line',
-  desc: '测试',
+  desc: '【仅管理员】运行自定义js脚本执行',
   group: pluginGroups.other.key,
   default: {
     strategy: {
@@ -45,6 +45,9 @@ export class CustomScriptPlugin extends AbstractTaskPlugin {
 
   async onInstance() {}
   async execute(): Promise<void> {
+    if (!this.isAdmin()) {
+      throw new Error('只有管理员才能运行此任务');
+    }
     this.logger.info('执行自定义脚本:\n', this.script);
     const ctx: CustomScriptContext = {
       CertReader,