feat: add role templates for system (#2260)

* feat: add role templates for system

* fix: permissions manage config

* feat: add hidden labels

* feat: add ui permissions for role template

* fix: user password change definition
guqing 2022-07-20 14:35:07 +08:00 committed by GitHub
parent 9ed0dcafcc
commit ba20f71504
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 282 additions and 4 deletions


@ -38,6 +38,7 @@ import run.halo.app.infra.utils.JsonUtils;
@Component
public class UserEndpoint implements CustomEndpoint {
private static final String SELF_USER = "-";
private final ExtensionClient client;
private final UserService userService;
@ -94,7 +95,8 @@ public class UserEndpoint implements CustomEndpoint {
Mono<ServerResponse> changePassword(ServerRequest request) {
final var nameInPath = request.pathVariable("name");
return ReactiveSecurityContextHolder.getContext()
.map(ctx -> "-".equals(nameInPath) ? ctx.getAuthentication().getName() : nameInPath)
.map(ctx -> SELF_USER.equals(nameInPath) ? ctx.getAuthentication().getName()
: nameInPath)
.flatMap(username -> request.bodyToMono(ChangePasswordRequest.class)
.switchIfEmpty(Mono.defer(() ->
Mono.error(new ServerWebInputException("Request body is empty"))))
@ -182,7 +184,9 @@ public class UserEndpoint implements CustomEndpoint {
@NonNull
private Mono<ServerResponse> getUserPermission(ServerRequest request) {
String name = request.pathVariable("name");
return userService.listRoles(name)
return ReactiveSecurityContextHolder.getContext()
.map(ctx -> SELF_USER.equals(name) ? ctx.getAuthentication().getName() : name)
.flatMapMany(userService::listRoles)
.reduce(new LinkedHashSet<Role>(), (list, role) -> {
list.add(role);
return list;
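Review bot: The `"-"` self-alias resolution is now duplicated verbatim in changePassword (L33–L34) and getUserPermission (L44), and both copies call `ctx.getAuthentication().getName()` with no guard for a null Authentication, which the SecurityContext contract permits. Pulling the resolution into one private helper keeps the alias semantics from drifting between endpoints as more `-`-aware handlers are added, and filtering out a missing Authentication yields the same empty Mono the no-context case produces today instead of a NullPointerException surfacing as a 500. Whether a null Authentication can actually reach these handlers depends on the security filter chain, which is not in this hunk; getUserPermission's body also continues past the hunk.
```java
/** Resolves the "-" alias to the caller's username; any other name passes through unchanged. */
private Mono<String> resolveUsername(String nameInPath) {
    return ReactiveSecurityContextHolder.getContext()
        .filter(ctx -> ctx.getAuthentication() != null)
        .map(ctx -> SELF_USER.equals(nameInPath)
            ? ctx.getAuthentication().getName() : nameInPath);
}

// in changePassword:
return resolveUsername(nameInPath)
    .flatMap(username -> request.bodyToMono(ChangePasswordRequest.class)
// … unchanged: empty-body check and password update …

// in getUserPermission:
return resolveUsername(name)
    .flatMapMany(userService::listRoles)
// … unchanged: role reduction …
```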


@ -4,6 +4,7 @@ import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import lombok.Data;
@ -23,7 +24,7 @@ import run.halo.app.infra.utils.JsonUtils;
*/
@Data
public class DefaultRuleResolver implements AuthorizationRuleResolver {
private static final String AUTHENTICATED_ROLE = "authenticated";
private RoleService roleService;
private RoleBindingService roleBindingService = new DefaultRoleBindingService();
@ -49,7 +50,10 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
@Override
public void visitRulesFor(UserDetails user, RuleAccumulator visitor) {
Set<String> roleNames = roleBindingService.listBoundRoleNames(user.getAuthorities());
Set<String> roleNamesImmutable =
roleBindingService.listBoundRoleNames(user.getAuthorities());
Set<String> roleNames = new HashSet<>(roleNamesImmutable);
roleNames.add(AUTHENTICATED_ROLE);
List<Role.PolicyRule> rules = Collections.emptyList();
for (String roleName : roleNames) {
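Review bot: L74 adds `authenticated` to the role set of every principal handed to visitRulesFor without checking that the principal is actually authenticated. If anonymous requests are resolved through this same method — the commit adds an `anonymous` Role template with empty rules, which suggests they are — an anonymous principal would inherit every rule the `authenticated` template depends on, which in this commit includes `role-template-manage-configmaps`. Guard the addition on the principal's authentication state, e.g. `if (!roleNames.contains("anonymous")) { roleNames.add(AUTHENTICATED_ROLE); }`, or on whatever marker the role-binding service uses for anonymous users, and document the constant: `// implicit role granted to every authenticated principal; its rules come from the "authenticated" Role template`. How anonymous principals appear in user.getAuthorities() is not visible here, so confirm which check applies; the loop body that follows is outside the hunk.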


@ -0,0 +1,8 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: anonymous
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules: [ ]


@ -0,0 +1,51 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: authenticated
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password",
"role-template-manage-configmaps" ]
rules: [ ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-own-user-info
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules:
- apiGroups: [ "api.halo.run" ]
resources: [ "users" ]
resourceNames: [ "-" ]
verbs: [ "list", "get" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-own-permissions
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules:
- apiGroups: [ "api.halo.run" ]
resources: [ "users/permissions" ]
resourceNames: [ "-" ]
verbs: [ "list", "get" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-change-own-password
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules:
- apiGroups: [ "api.halo.run" ]
resources: [ "users/password" ]
resourceNames: [ "-" ]
verbs: [ "update" ]
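Review bot: The implicit `authenticated` role (L96–L104) depends on `role-template-manage-configmaps`, which at L161–L163 grants create, patch, update, delete and deletecollection on every `configmaps` resource with no `resourceNames` restriction, so any logged-in account can rewrite or delete configuration that plugin management relies on (L227–L228 makes `manage-plugins` depend on the same template). The other three dependencies are correctly scoped to the caller through `resourceNames: [ "-" ]`; this one is not. Unless every authenticated user is meant to administer configmaps, drop it from the list, `[ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password" ]`, and grant configmap write through an explicitly assigned template instead. If a per-user configmap is the actual need, a template scoped with `resourceNames` the way the own-* templates are would express that without the blanket grant.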


@ -0,0 +1,32 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-configmaps
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-configmaps\" ]"
rbac.authorization.halo.run/module: "ConfigMaps Management"
rbac.authorization.halo.run/display-name: "ConfigMap Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:configmaps:manage"]
rules:
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-configmaps
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "ConfigMaps Management"
rbac.authorization.halo.run/display-name: "ConfigMap View"
rbac.authorization.halo.run/ui-permissions: |
["system:configmaps:view"]
rules:
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "get", "list" ]
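Review bot: The `dependencies` annotation at L155 is a JSON array inside a double-quoted YAML scalar with escaped quotes, while the same annotation in authenticated.yaml, plugins.yaml and roles.yaml is written as a `|` block scalar; one encoding for the same key makes these templates easier to read and to lint for missing dependencies. `rbac.authorization.halo.run/dependencies: |` followed by `[ "role-template-view-configmaps" ]` matches the block form used elsewhere in this commit. Both forms decode to the same string, so this is wording only.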


@ -0,0 +1,32 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-permissions
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-permissions\" ]"
rbac.authorization.halo.run/module: "Permissions Management"
rbac.authorization.halo.run/display-name: "Permissions Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:permissions:manage"]
rules:
- apiGroups: [ "api.halo.run" ]
resources: [ "users/permissions" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-permissions
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Permissions Management"
rbac.authorization.halo.run/display-name: "Permissions View"
rbac.authorization.halo.run/ui-permissions: |
["system:permissions:view"]
rules:
- apiGroups: [ "api.halo.run" ]
resources: [ "users/permissions" ]
verbs: [ "get", "list" ]
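Review bot: `role-template-manage-permissions` (L197–L199) grants create, patch, update and delete on `users/permissions` for every user with no `resourceNames`, and because a holder can bind roles to their own account this is effectively an escalation path to any role in the system; L266 then pulls the same template into `role-template-manage-roles`. Whether the endpoint behind `users/permissions` refuses to bind a role whose rules exceed the caller's own is not visible in this commit, so either confirm that check exists or record the assumption on the template: `# NOTE: binding roles is an escalation primitive; the endpoint must reject grants exceeding the caller's own rules`. The view template at L213–L215 likewise exposes every user's bindings to any holder, which is reasonable for an administration module but worth stating in the display name.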


@ -0,0 +1,34 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-plugins
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-plugins", "role-template-manage-configmaps" ]
rbac.authorization.halo.run/module: "Plugins Management"
rbac.authorization.halo.run/display-name: "Plugin Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:plugins:manage"]
rules:
- apiGroups: [ "plugin.halo.run" ]
resources: [ "plugins" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-plugins
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
rbac.authorization.halo.run/module: "Plugins Management"
rbac.authorization.halo.run/display-name: "Plugin View"
rbac.authorization.halo.run/ui-permissions: |
["system:plugins:view"]
rules:
- apiGroups: [ "plugin.halo.run" ]
resources: [ "plugins" ]
verbs: [ "get", "list" ]
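Review bot: `role-template-view-plugins` depends on `role-template-view-settings` (L245) and `role-template-manage-plugins` on `role-template-manage-configmaps` (L228), so the "Plugins Management" module transitively grants read on all `settings` and full write on all `configmaps`, neither of which is scoped to plugin-owned objects. If plugin settings live in settings/configmaps named after the plugin, scope those rules with `resourceNames` or a dedicated plugin-settings template rather than inheriting the system-wide ones; if the blanket grant is intended, say so in the module or display-name text so an administrator assigning "Plugin View" knows it also exposes every setting. How dependencies are resolved into effective rules is outside this file.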


@ -0,0 +1,33 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-roles
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-roles", "role-template-manage-permissions" ]
rbac.authorization.halo.run/module: "Roles Management"
rbac.authorization.halo.run/display-name: "Role Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:roles:manage"]
rules:
- apiGroups: [ "" ]
resources: [ "roles" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-roles
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Roles Management"
rbac.authorization.halo.run/display-name: "Role View"
rbac.authorization.halo.run/ui-permissions: |
["system:roles:view"]
rules:
- apiGroups: [ "" ]
resources: [ "roles" ]
verbs: [ "get", "list" ]
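Review bot: `role-template-manage-roles` (L272–L274) grants create, patch and update on `roles`, which lets a holder edit a role already bound to them — including this template — into an unrestricted one unless the role endpoint enforces an escalation check (a caller may only write a role whose rules are a subset of those it already holds). That check is not part of this commit; if it does not exist yet, note it on the template so the gap is tracked, `# NOTE: writing roles is an escalation primitive; the endpoint must reject rules the caller does not hold`. Consider also excluding objects labelled `halo.run/role-template: "true"` from patch, update and delete so the built-in baseline shipped here cannot be rewritten at runtime; whether templates are re-applied from disk on startup is not visible here.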


@ -0,0 +1,32 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-settings
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
rbac.authorization.halo.run/module: "Settings Management"
rbac.authorization.halo.run/display-name: "Setting Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:settings:manage"]
rules:
- apiGroups: [ "" ]
resources: [ "settings" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-settings
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Settings Management"
rbac.authorization.halo.run/display-name: "Setting View"
rbac.authorization.halo.run/ui-permissions: |
["system:settings:view"]
rules:
- apiGroups: [ "" ]
resources: [ "settings" ]
verbs: [ "get", "list" ]


@ -0,0 +1,48 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-users
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-users", "role-template-change-password" ]
rbac.authorization.halo.run/module: "Users Management"
rbac.authorization.halo.run/display-name: "User manage"
rbac.authorization.halo.run/ui-permissions: |
["system:users:manage"]
rules:
- apiGroups: [ "" ]
resources: [ "users" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-users
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Users Management"
rbac.authorization.halo.run/display-name: "User View"
rbac.authorization.halo.run/ui-permissions: |
["system:users:view"]
rules:
- apiGroups: [ "" ]
resources: [ "users" ]
verbs: [ "get", "list" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-change-password
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
annotations:
rbac.authorization.halo.run/module: "Users Management"
rbac.authorization.halo.run/display-name: "User Password Change"
rules:
- apiGroups: [ "api.halo.run" ]
resources: [ "users/password" ]
verbs: [ "update" ]
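Review bot: `role-template-change-password` (L376–L378) grants `update` on `users/password` with no `resourceNames`, and `role-template-manage-users` depends on it (L339), so any "User manage" holder can set the password of any account, including more privileged administrators — an account-takeover path rather than ordinary user management. The changePassword handler in UserEndpoint only resolves the target name; whether it compares the caller's standing against the target is not visible here. At minimum document the intent on the template, `# grants password reset on ANY user; pair with an endpoint-side check that the target is not more privileged than the caller`, and consider making this an explicitly assigned template rather than an automatic dependency of user management. The template is also labelled `halo.run/hidden: "true"` yet carries a display name; drop one or the other so the UI contract is unambiguous.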