From 3995adba32b0df49a93ef77cf715741bfbd2828d Mon Sep 17 00:00:00 2001 
From: guqing <38999863+guqing@users.noreply.github.com> Date: Fri, 30 Sep 2022 17:38:23 +0800 Subject: [PATCH] feat: add more role templates (#2488) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### What type of PR is this? /kind improvement /area core /milestone 2.0 #### What this PR does / why we need it: 补充角色模板 #### Which issue(s) this PR fixes: Fixes #2342 https://github.com/halo-dev/halo/issues/2391 #### Special notes for your reviewer: /cc @halo-dev/sig-halo #### Does this PR introduce a user-facing change? ```release-note None ``` --- .../run/halo/app/core/extension/Role.java | 2 - .../endpoint/AttachmentEndpoint.java | 2 +- .../extension/reconciler/PostReconciler.java | 3 +- .../extension/service/DefaultRoleService.java | 3 +- .../authorization/RequestInfoFactory.java | 6 +++ .../extensions/role-template-attachment.yaml | 40 ++++++++++++++++++ .../extensions/role-template-category.yaml | 25 +++++++++++ .../extensions/role-template-comment.yaml | 38 +++++++++++++++++ .../extensions/role-template-menu.yaml | 32 +++++++++++++++ .../extensions/role-template-post.yaml | 41 +++++++++++++++++++ .../extensions/role-template-singlepage.yaml | 39 ++++++++++++++++++ .../extensions/role-template-snaphost.yaml | 25 +++++++++++ .../extensions/role-template-tag.yaml | 25 +++++++++++ .../extensions/role-template-theme.yaml | 40 ++++++++++++++++++ .../extensions/system-default-role.yaml | 5 +++ .../RequestInfoResolverTest.java | 15 +++++++ 16 files changed, 336 insertions(+), 5 deletions(-) create mode 100644 src/main/resources/extensions/role-template-attachment.yaml create mode 100644 src/main/resources/extensions/role-template-category.yaml create mode 100644 src/main/resources/extensions/role-template-comment.yaml create mode 100644 src/main/resources/extensions/role-template-menu.yaml create mode 100644 src/main/resources/extensions/role-template-post.yaml create mode 100644 
src/main/resources/extensions/role-template-singlepage.yaml create mode 100644 src/main/resources/extensions/role-template-snaphost.yaml create mode 100644 src/main/resources/extensions/role-template-tag.yaml create mode 100644 src/main/resources/extensions/role-template-theme.yaml create mode 100644 src/main/resources/extensions/system-default-role.yaml diff --git a/src/main/java/run/halo/app/core/extension/Role.java b/src/main/java/run/halo/app/core/extension/Role.java index dc4346eb3..778d13d0b 100644 --- a/src/main/java/run/halo/app/core/extension/Role.java +++ b/src/main/java/run/halo/app/core/extension/Role.java @@ -143,8 +143,6 @@ public class Role extends AbstractExtension { String[] verbs; - String pluginName; - public Builder apiGroups(String... apiGroups) { this.apiGroups = apiGroups; return this; diff --git a/src/main/java/run/halo/app/core/extension/attachment/endpoint/AttachmentEndpoint.java b/src/main/java/run/halo/app/core/extension/attachment/endpoint/AttachmentEndpoint.java index 433b8f257..0ce2e6658 100644 --- a/src/main/java/run/halo/app/core/extension/attachment/endpoint/AttachmentEndpoint.java +++ b/src/main/java/run/halo/app/core/extension/attachment/endpoint/AttachmentEndpoint.java @@ -59,7 +59,7 @@ public class AttachmentEndpoint implements CustomEndpoint { @Override public RouterFunction endpoint() { - var tag = "storage.halo.run/v1alpha1/Attachment"; + var tag = "api.console.halo.run/v1alpha1/Attachment"; return SpringdocRouteBuilder.route() .POST("/attachments/upload", contentType(MediaType.MULTIPART_FORM_DATA), this::upload, builder -> builder diff --git a/src/main/java/run/halo/app/core/extension/reconciler/PostReconciler.java b/src/main/java/run/halo/app/core/extension/reconciler/PostReconciler.java index 791126b8c..6f0247625 100644 --- a/src/main/java/run/halo/app/core/extension/reconciler/PostReconciler.java +++ b/src/main/java/run/halo/app/core/extension/reconciler/PostReconciler.java 
@@ -110,7 +110,8 @@ public class PostReconciler implements Reconciler { } if (excerpt.getAutoGenerate()) { contentService.getContent(spec.getReleaseSnapshot()) - .subscribe(content -> { + .blockOptional() + .ifPresent(content -> { String contentRevised = content.content(); status.setExcerpt(getExcerpt(contentRevised)); }); diff --git a/src/main/java/run/halo/app/core/extension/service/DefaultRoleService.java b/src/main/java/run/halo/app/core/extension/service/DefaultRoleService.java index ce9b2fd8a..3060b673f 100644 --- a/src/main/java/run/halo/app/core/extension/service/DefaultRoleService.java +++ b/src/main/java/run/halo/app/core/extension/service/DefaultRoleService.java @@ -74,7 +74,8 @@ public class DefaultRoleService implements RoleService { } visited.add(roleName); extensionClient.fetch(Role.class, roleName) - .subscribe(role -> { + .blockOptional() + .ifPresent(role -> { result.add(role); Map annotations = role.getMetadata().getAnnotations(); if (annotations != null) { diff --git a/src/main/java/run/halo/app/security/authorization/RequestInfoFactory.java b/src/main/java/run/halo/app/security/authorization/RequestInfoFactory.java index 96072476b..3dcbbb5ba 100644 --- a/src/main/java/run/halo/app/security/authorization/RequestInfoFactory.java +++ b/src/main/java/run/halo/app/security/authorization/RequestInfoFactory.java @@ -178,6 +178,12 @@ public class RequestInfoFactory { requestInfo.resource = requestInfo.parts[0]; } + // has name and no subresource but verb=create, then this is a non-resource request + if (StringUtils.isNotBlank(requestInfo.name) && StringUtils.isBlank(requestInfo.subresource) + && "create".equals(requestInfo.verb)) { + requestInfo.isResourceRequest = false; + } + // if there's no name on the request and we thought it was a get before, then the actual // verb is a list or a watch if (requestInfo.name.length() == 0 && "get".equals(requestInfo.verb)) { 
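Review bot: `blockOptional()` is called with no timeout in the excerpt branch of PostReconciler and again in the role lookup of DefaultRoleService, so a stalled `getContent` or `fetch` holds the calling thread indefinitely. The DefaultRoleService call appears to sit in the loop that collects a role and its dependencies, so a hang there would stall permission resolution; consider `.blockOptional(Duration.ofSeconds(N))` with a bound suited to the store, and let the timeout error propagate instead of returning a partial role list. An empty result is also skipped silently, so a misspelled name in a `rbac.authorization.halo.run/dependencies` annotation yields fewer permissions with no trace; a warning log in the empty case would make that visible. Both enclosing methods start and end outside the hunks.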
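Review bot: The new block in RequestInfoFactory sets `isResourceRequest = false` but leaves `requestInfo.verb` at `create` (the condition itself requires that value) and leaves `resource` and `name` populated, so the request reaches the authorizer in a mixed state. The role templates added in this commit grant such endpoints through `nonResourceURLs` with `verbs: [ "post" ]`; if non-resource rules are matched against `requestInfo.verb`, those rules can never match, which should be confirmed against the authorizer. Consider resetting the verb to the lower-cased HTTP method in the same block, and extend the comment to say that a POST to `<resource>/<name>` is now authorized only by non-resource rules, so a `create` grant on the resource no longer covers it. The enclosing method starts and ends outside the hunk.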
diff --git a/src/main/resources/extensions/role-template-attachment.yaml b/src/main/resources/extensions/role-template-attachment.yaml
new file mode 100644
index 000000000..d2d039e94
--- /dev/null
+++ b/src/main/resources/extensions/role-template-attachment.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-attachments
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-attachments\" ]"
+ rbac.authorization.halo.run/module: "Attachments Management"
+ rbac.authorization.halo.run/display-name: "Attachment Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:attachments:manage"]
+rules:
+ - apiGroups: [ "storage.halo.run" ]
+ resources: [ "attachments" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "attachments" ]
+ verbs: [ "*" ]
+ - nonResourceURLs: [ "/apis/api.console.halo.run/attachments/upload" ]
+ verbs: [ "post" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-attachments
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Attachments Management"
+ rbac.authorization.halo.run/display-name: "Attachment View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:attachments:view"]
+rules:
+ - apiGroups: [ "storage.halo.run" ]
+ resources: [ "attachments" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "attachments" ]
+ verbs: [ "get", "list" ]
\ No newline at end of file
diff --git a/src/main/resources/extensions/role-template-category.yaml b/src/main/resources/extensions/role-template-category.yaml
new file mode 100644
index 000000000..d3166d0d0
--- /dev/null
+++ b/src/main/resources/extensions/role-template-category.yaml
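Review bot: The `nonResourceURLs` entry `/apis/api.console.halo.run/attachments/upload` in role-template-attachment.yaml has no version segment, while the endpoint tag changed in this commit reads `api.console.halo.run/v1alpha1/Attachment` and the new test case uses `/apis/api.halo.run/v1alpha1/themes/install`. If the upload route is actually served under a versioned prefix, this rule matches nothing and the manage template does not grant upload at all; `/apis/api.console.halo.run/themes/install` in role-template-theme.yaml has the same shape. Confirm the served path and write it in full, presumably `/apis/api.console.halo.run/v1alpha1/attachments/upload`, and add a test that resolves a request for that path against this role.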
@@ -0,0 +1,25 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-categories
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-categories\" ]"
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "categories" ]
+ verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-categories
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "categories" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-comment.yaml b/src/main/resources/extensions/role-template-comment.yaml
new file mode 100644
index 000000000..36f335b80
--- /dev/null
+++ b/src/main/resources/extensions/role-template-comment.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-comments
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-comments\" ]"
+ rbac.authorization.halo.run/module: "Comments Management"
+ rbac.authorization.halo.run/display-name: "Comment Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:comments:manage"]
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "comments", "replies" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "comments", "comments/reply", "replies" ]
+ verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-comments
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Comments Management"
+ rbac.authorization.halo.run/display-name: "Comment View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:comments:view"]
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "comments", "replies" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "comments", "comments/reply", "replies" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-menu.yaml b/src/main/resources/extensions/role-template-menu.yaml
new file mode 100644
index 000000000..dca426b5d
--- /dev/null
+++ b/src/main/resources/extensions/role-template-menu.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-menus
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-menus\" ]"
+ rbac.authorization.halo.run/module: "Menus Management"
+ rbac.authorization.halo.run/display-name: "Menu Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:menus:manage"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "menus", "menuitems" ]
+ verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-menus
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Menus Management"
+ rbac.authorization.halo.run/display-name: "Menu Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:menus:view"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "menus", "menuitems" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-post.yaml b/src/main/resources/extensions/role-template-post.yaml
new file mode 100644
index 000000000..8074c5596
--- /dev/null
+++ b/src/main/resources/extensions/role-template-post.yaml
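Review bot: `role-template-view-menus` carries `rbac.authorization.halo.run/display-name: "Menu Manage"`, the same label as the manage template, although its rules are `get`/`list` only. An administrator choosing permissions by display name cannot tell the two apart and may assign the wildcard template where read access was intended; change it to `"Menu View"` to match the other view templates in this commit. Both menu templates also use `apiGroups: [ "" ]`, unlike every other template here, so a one-line comment stating that menus belong to the core group (if that is the case) would save the next reviewer a lookup.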
@@ -0,0 +1,41 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-posts
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: |
+ [ "role-template-view-posts", "role-template-manage-snaphosts", "role-template-manage-tags", "role-template-manage-categories" ]
+ rbac.authorization.halo.run/module: "Posts Management"
+ rbac.authorization.halo.run/display-name: "Post Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:posts:manage"]
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "posts" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "posts", "posts/publish", "contents", "contents/publish" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-posts
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: |
+ [ "role-template-view-snaphosts", "role-template-view-tags", "role-template-view-categories" ]
+ rbac.authorization.halo.run/module: "Posts Management"
+ rbac.authorization.halo.run/display-name: "Post View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:posts:view"]
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "posts" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "posts", "contents" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-singlepage.yaml b/src/main/resources/extensions/role-template-singlepage.yaml
new file mode 100644
index 000000000..b54b692ff
--- /dev/null
+++ b/src/main/resources/extensions/role-template-singlepage.yaml
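Review bot: The dependency names `role-template-manage-snaphosts` and `role-template-view-snaphosts` look like a misspelling of "snapshots"; PostReconciler in this same commit calls `getReleaseSnapshot()`. The names still resolve because role-template-snaphost.yaml uses the same spelling, but its rules target `resources: [ "snaphosts" ]`, which probably matches no registered resource, so post and single-page editors would receive no snapshot access from these templates (role-template-singlepage.yaml carries the same dependencies). Verify the plural registered for the snapshot extension and rename the template names, the file and the `resources` entries together. A test that expands `role-template-manage-posts` and checks a snapshot request against the result would catch this class of typo.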
@@ -0,0 +1,39 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-singlepages
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-singlepages\", \"role-template-manage-snaphosts\" ]"
+ rbac.authorization.halo.run/module: "SinglePages Management"
+ rbac.authorization.halo.run/display-name: "SinglePage Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:singlepages:manage"]
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "singlepages" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "singlepages", "singlepages/publish", "contents", "contents/publish" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-singlepages
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-snaphosts\" ]"
+ rbac.authorization.halo.run/module: "SinglePages Management"
+ rbac.authorization.halo.run/display-name: "SinglePage View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:singlepages:view"]
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "singlepages" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "singlepages", "contents" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-snaphost.yaml b/src/main/resources/extensions/role-template-snaphost.yaml
new file mode 100644
index 000000000..7b105a0d1
--- /dev/null
+++ b/src/main/resources/extensions/role-template-snaphost.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-snaphosts
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-snaphosts\" ]"
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "snaphosts" ]
+ verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-snaphosts
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "snaphosts" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-tag.yaml b/src/main/resources/extensions/role-template-tag.yaml
new file mode 100644
index 000000000..d2515e758
--- /dev/null
+++ b/src/main/resources/extensions/role-template-tag.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-tags
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-tags\" ]"
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "tags" ]
+ verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-tags
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules:
+ - apiGroups: [ "content.halo.run" ]
+ resources: [ "tags" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-theme.yaml b/src/main/resources/extensions/role-template-theme.yaml
new file mode 100644
index 000000000..fe8852e9a
--- /dev/null
+++ b/src/main/resources/extensions/role-template-theme.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-themes
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-themes\" ]"
+ rbac.authorization.halo.run/module: "Themes Management"
+ rbac.authorization.halo.run/display-name: "Theme Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:themes:manage"]
+rules:
+ - apiGroups: [ "theme.halo.run" ]
+ resources: [ "themes" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "themes", "themes/reload-setting" ]
+ verbs: [ "*" ]
+ - nonResourceURLs: [ "/apis/api.console.halo.run/themes/install" ]
+ verbs: [ "post" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-themes
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Themes Management"
+ rbac.authorization.halo.run/display-name: "Theme View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:themes:view"]
+rules:
+ - apiGroups: [ "theme.halo.run" ]
+ resources: [ "themes" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "api.console.halo.run" ]
+ resources: [ "singlepages" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/system-default-role.yaml b/src/main/resources/extensions/system-default-role.yaml
new file mode 100644
index 000000000..9a3a2878b
--- /dev/null
+++ b/src/main/resources/extensions/system-default-role.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: guest
+rules: [ ]
diff --git a/src/test/java/run/halo/app/security/authorization/RequestInfoResolverTest.java b/src/test/java/run/halo/app/security/authorization/RequestInfoResolverTest.java
index 815bd9d63..498ddf3c2 100644
--- a/src/test/java/run/halo/app/security/authorization/RequestInfoResolverTest.java
+++ b/src/test/java/run/halo/app/security/authorization/RequestInfoResolverTest.java
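Review bot: The second rule of `role-template-view-themes` grants `get`/`list` on `resources: [ "singlepages" ]` in `api.console.halo.run`, which looks copied from the single-page template. As written, a user given only "Theme View" can read single pages through the console API and gets no read access to console theme endpoints; the line should presumably be `resources: [ "themes" ]`. Because the manage template combines `verbs: [ "*" ]` on `themes` with the install URL, a comment above it marking it as an administrator-level grant would help whoever composes roles from these templates.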
@@ -168,6 +168,21 @@ public class RequestInfoResolverTest { String.format("%s: expected non-resource request", errorCase.desc)); } } + + List postCases = + List.of(new ErrorCases("api resource has name and no subresource but post", + "/api/version/themes/install"), + new ErrorCases("apis resource has name and no subresource but post", + "/apis/api.halo.run/v1alpha1/themes/install")); + for (ErrorCases errorCase : postCases) { + var request = + method(HttpMethod.POST, errorCase.url).build(); + RequestInfo apiRequestInfo = RequestInfoFactory.INSTANCE.newRequestInfo(request); + if (apiRequestInfo.isResourceRequest()) { + throw new RuntimeException( + String.format("%s: expected non-resource request", errorCase.desc)); + } + } } @Test
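Review bot: The added `postCases` loop checks only `isResourceRequest()`, so it does not pin the verb the authorizer will see for these requests, and it has no negative case. Since this classification decides which rule set authorizes a call, add a POST to a collection path (no name) and a POST to a named subresource and assert both are still resource requests, plus an assertion on the resolved verb for the two install paths. The second case uses the group `api.halo.run`, while the templates in this commit grant `/apis/api.console.halo.run/themes/install`; a case with the exact URL from the template would tie the test to the shipped rule. The enclosing test method starts outside the hunk.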