feat: add more role templates (#2488)

#### What type of PR is this?
/kind improvement
/area core
/milestone 2.0

#### What this PR does / why we need it:
补充角色模板
#### Which issue(s) this PR fixes:

Fixes #2342 https://github.com/halo-dev/halo/issues/2391

#### Special notes for your reviewer:
/cc @halo-dev/sig-halo 
#### Does this PR introduce a user-facing change?

```release-note
None
```

src/main/java/run/halo/app/core/extension/Role.java

@@ -143,8 +143,6 @@ public class Role extends AbstractExtension {
 
             String[] verbs;
 
-            String pluginName;
-
             public Builder apiGroups(String... apiGroups) {
                 this.apiGroups = apiGroups;
                 return this;

src/main/java/run/halo/app/core/extension/attachment/endpoint/AttachmentEndpoint.java

@@ -59,7 +59,7 @@ public class AttachmentEndpoint implements CustomEndpoint {
 
     @Override
     public RouterFunction<ServerResponse> endpoint() {
-        var tag = "storage.halo.run/v1alpha1/Attachment";
+        var tag = "api.console.halo.run/v1alpha1/Attachment";
         return SpringdocRouteBuilder.route()
             .POST("/attachments/upload", contentType(MediaType.MULTIPART_FORM_DATA), this::upload,
                 builder -> builder

src/main/java/run/halo/app/core/extension/reconciler/PostReconciler.java

@@ -110,7 +110,8 @@ public class PostReconciler implements Reconciler<Reconciler.Request> {
             }
             if (excerpt.getAutoGenerate()) {
                 contentService.getContent(spec.getReleaseSnapshot())
-                    .subscribe(content -> {
+                    .blockOptional()
+                    .ifPresent(content -> {
                         String contentRevised = content.content();
                         status.setExcerpt(getExcerpt(contentRevised));
                     });

src/main/java/run/halo/app/core/extension/service/DefaultRoleService.java

@@ -74,7 +74,8 @@ public class DefaultRoleService implements RoleService {
             }
             visited.add(roleName);
             extensionClient.fetch(Role.class, roleName)
-                .subscribe(role -> {
+                .blockOptional()
+                .ifPresent(role -> {
                     result.add(role);
                     Map<String, String> annotations = role.getMetadata().getAnnotations();
                     if (annotations != null) {

src/main/java/run/halo/app/security/authorization/RequestInfoFactory.java

@@ -178,6 +178,12 @@ public class RequestInfoFactory {
             requestInfo.resource = requestInfo.parts[0];
         }
 
+        // has name and no subresource but verb=create, then this is a non-resource request
+        if (StringUtils.isNotBlank(requestInfo.name) && StringUtils.isBlank(requestInfo.subresource)
+            && "create".equals(requestInfo.verb)) {
+            requestInfo.isResourceRequest = false;
+        }
+
         // if there's no name on the request and we thought it was a get before, then the actual
         // verb is a list or a watch
         if (requestInfo.name.length() == 0 && "get".equals(requestInfo.verb)) {

src/main/resources/extensions/role-template-attachment.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-attachments
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-attachments\" ]"
+    rbac.authorization.halo.run/module: "Attachments Management"
+    rbac.authorization.halo.run/display-name: "Attachment Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:attachments:manage"]
+rules:
+  - apiGroups: [ "storage.halo.run" ]
+    resources: [ "attachments" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "attachments" ]
+    verbs: [ "*" ]
+  - nonResourceURLs: [ "/apis/api.console.halo.run/attachments/upload" ]
+    verbs: [ "post" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-attachments
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Attachments Management"
+    rbac.authorization.halo.run/display-name: "Attachment View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:attachments:view"]
+rules:
+  - apiGroups: [ "storage.halo.run" ]
+    resources: [ "attachments" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "attachments" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-category.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-categories
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-categories\" ]"
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "categories" ]
+    verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-categories
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "categories" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-comment.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-comments
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-comments\" ]"
+    rbac.authorization.halo.run/module: "Comments Management"
+    rbac.authorization.halo.run/display-name: "Comment Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:comments:manage"]
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "comments", "replies" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "comments", "comments/reply", "replies" ]
+    verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-comments
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Comments Management"
+    rbac.authorization.halo.run/display-name: "Comment View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:comments:view"]
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "comments", "replies" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "comments", "comments/reply", "replies" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-menu.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-menus
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-menus\" ]"
+    rbac.authorization.halo.run/module: "Menus Management"
+    rbac.authorization.halo.run/display-name: "Menu Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:menus:manage"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "menus", "menuitems" ]
+    verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-menus
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Menus Management"
+    rbac.authorization.halo.run/display-name: "Menu Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:menus:view"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "menus", "menuitems" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-post.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-posts
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-view-posts", "role-template-manage-snaphosts", "role-template-manage-tags", "role-template-manage-categories" ]
+    rbac.authorization.halo.run/module: "Posts Management"
+    rbac.authorization.halo.run/display-name: "Post Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:posts:manage"]
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "posts" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "posts", "posts/publish", "contents", "contents/publish" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-posts
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-view-snaphosts", "role-template-view-tags", "role-template-view-categories" ]
+    rbac.authorization.halo.run/module: "Posts Management"
+    rbac.authorization.halo.run/display-name: "Post View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:posts:view"]
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "posts" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "posts", "contents" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-singlepage.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-singlepages
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-singlepages\", \"role-template-manage-snaphosts\" ]"
+    rbac.authorization.halo.run/module: "SinglePages Management"
+    rbac.authorization.halo.run/display-name: "SinglePage Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:singlepages:manage"]
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "singlepages" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "singlepages", "singlepages/publish", "contents", "contents/publish" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-singlepages
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-snaphosts\" ]"
+    rbac.authorization.halo.run/module: "SinglePages Management"
+    rbac.authorization.halo.run/display-name: "SinglePage View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:singlepages:view"]
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "singlepages" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "singlepages", "contents" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-snaphost.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-snaphosts
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-snaphosts\" ]"
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "snaphosts" ]
+    verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-snaphosts
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "snaphosts" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-tag.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-tags
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-tags\" ]"
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "tags" ]
+    verbs: [ "*" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-tags
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules:
+  - apiGroups: [ "content.halo.run" ]
+    resources: [ "tags" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/role-template-theme.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-themes
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-themes\" ]"
+    rbac.authorization.halo.run/module: "Themes Management"
+    rbac.authorization.halo.run/display-name: "Theme Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:themes:manage"]
+rules:
+  - apiGroups: [ "theme.halo.run" ]
+    resources: [ "themes" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "themes", "themes/reload-setting" ]
+    verbs: [ "*" ]
+  - nonResourceURLs: [ "/apis/api.console.halo.run/themes/install" ]
+    verbs: [ "post" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-themes
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Themes Management"
+    rbac.authorization.halo.run/display-name: "Theme View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:themes:view"]
+rules:
+  - apiGroups: [ "theme.halo.run" ]
+    resources: [ "themes" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "api.console.halo.run" ]
+    resources: [ "singlepages" ]
+    verbs: [ "get", "list" ]

src/main/resources/extensions/system-default-role.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: guest
+rules: [ ]

src/test/java/run/halo/app/security/authorization/RequestInfoResolverTest.java

@@ -168,6 +168,21 @@ public class RequestInfoResolverTest {
                     String.format("%s: expected non-resource request", errorCase.desc));
             }
         }
+
+        List<ErrorCases> postCases =
+            List.of(new ErrorCases("api resource has name and no subresource but post",
+                    "/api/version/themes/install"),
+                new ErrorCases("apis resource has name and no subresource but post",
+                "/apis/api.halo.run/v1alpha1/themes/install"));
+        for (ErrorCases errorCase : postCases) {
+            var request =
+                method(HttpMethod.POST, errorCase.url).build();
+            RequestInfo apiRequestInfo = RequestInfoFactory.INSTANCE.newRequestInfo(request);
+            if (apiRequestInfo.isResourceRequest()) {
+                throw new RuntimeException(
+                    String.format("%s: expected non-resource request", errorCase.desc));
+            }
+        }
     }
 
     @Test