From ba20f71504b274459e5c69463cc52fb287906a72 Mon Sep 17 00:00:00 2001 From: guqing <38999863+guqing@users.noreply.github.com> Date: Wed, 20 Jul 2022 14:35:07 +0800 Subject: [PATCH] feat: add role templates for system (#2260) * feat: add role templates for system * fix: permissions manage config * feat: add hidden labels * feat: add ui permissions for role template * fix: user password change definition
---
 .../core/extension/endpoint/UserEndpoint.java | 8 ++- .../authorization/DefaultRuleResolver.java | 8 ++- .../extensions/role-template-anonymous.yaml | 8 +++ .../role-template-authenticated.yaml | 51 +++++++++++++++++++ .../extensions/role-template-configmap.yaml | 32 ++++++++++++ .../extensions/role-template-permissions.yaml | 32 ++++++++++++ .../extensions/role-template-plugin.yaml | 34 +++++++++++++ .../extensions/role-template-role.yaml | 33 ++++++++++++ .../extensions/role-template-setting.yaml | 32 ++++++++++++ .../extensions/role-template-user.yaml | 48 +++++++++++++++++ 10 files changed, 282 insertions(+), 4 deletions(-) create mode 100644 src/main/resources/extensions/role-template-anonymous.yaml create mode 100644 src/main/resources/extensions/role-template-authenticated.yaml create mode 100644 src/main/resources/extensions/role-template-configmap.yaml create mode 100644 src/main/resources/extensions/role-template-permissions.yaml create mode 100644 src/main/resources/extensions/role-template-plugin.yaml create mode 100644 src/main/resources/extensions/role-template-role.yaml create mode 100644 src/main/resources/extensions/role-template-setting.yaml create mode 100644 src/main/resources/extensions/role-template-user.yaml
diff --git a/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java b/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
index cc357691d..b1ddaedb0 100644
--- a/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
+++ b/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
@@ -38,6 +38,7 @@ import run.halo.app.infra.utils.JsonUtils;
 @Component
 public class UserEndpoint implements CustomEndpoint {
+ private static final String SELF_USER = "-";
 private final ExtensionClient client;
 private final UserService userService;
@@ -94,7 +95,8 @@ public class UserEndpoint implements CustomEndpoint {
 Mono changePassword(ServerRequest request) {
 final var nameInPath = request.pathVariable("name");
 return ReactiveSecurityContextHolder.getContext()
- .map(ctx -> "-".equals(nameInPath) ? ctx.getAuthentication().getName() : nameInPath)
+ .map(ctx -> SELF_USER.equals(nameInPath) ? ctx.getAuthentication().getName()
+ : nameInPath)
 .flatMap(username -> request.bodyToMono(ChangePasswordRequest.class)
 .switchIfEmpty(Mono.defer(() -> Mono.error(new ServerWebInputException("Request body is empty")))))
@@ -182,7 +184,9 @@ public class UserEndpoint implements CustomEndpoint {
 @NonNull
 private Mono getUserPermission(ServerRequest request) {
 String name = request.pathVariable("name");
- return userService.listRoles(name)
+ return ReactiveSecurityContextHolder.getContext()
+ .map(ctx -> SELF_USER.equals(name) ? ctx.getAuthentication().getName() : name)
+ .flatMapMany(userService::listRoles)
 .reduce(new LinkedHashSet(), (list, role) -> {
 list.add(role);
 return list;
diff --git a/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java b/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
index 3b7d4a625..35680c1b9 100644
--- a/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
+++ b/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
@@ -4,6 +4,7 @@ import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import lombok.Data;
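Review bot: The self-alias resolution `SELF_USER.equals(name) ? ctx.getAuthentication().getName() : name` in getUserPermission duplicates the expression introduced in the changePassword hunk above; a private helper such as `Mono<String> resolveUsername(String nameInPath)` wrapping `ReactiveSecurityContextHolder.getContext().map(...)` would keep both call sites in step. Both sites dereference `ctx.getAuthentication()` without a null check, so a context carrying no authentication would surface as an NPE on the `-` alias rather than a 401; whether the filter chain can produce such a context is not visible here. When the security context is empty the `getContext()` Mono completes empty, and in getUserPermission the subsequent `reduce(new LinkedHashSet(), ...)` then appears to emit the empty set, so a test asserting that `/users/-/permissions` without authentication is rejected rather than answered with no permissions would be worthwhile. The bodies of both methods continue outside the hunk.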
@@ -23,7 +24,7 @@ import run.halo.app.infra.utils.JsonUtils;
 */
 @Data
 public class DefaultRuleResolver implements AuthorizationRuleResolver {
-
+ private static final String AUTHENTICATED_ROLE = "authenticated";
 private RoleService roleService;
 private RoleBindingService roleBindingService = new DefaultRoleBindingService();
@@ -49,7 +50,10 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
 @Override
 public void visitRulesFor(UserDetails user, RuleAccumulator visitor) {
- Set roleNames = roleBindingService.listBoundRoleNames(user.getAuthorities());
+ Set roleNamesImmutable =
+ roleBindingService.listBoundRoleNames(user.getAuthorities());
+ Set roleNames = new HashSet<>(roleNamesImmutable);
+ roleNames.add(AUTHENTICATED_ROLE);
 List rules = Collections.emptyList();
 for (String roleName : roleNames) {
diff --git a/src/main/resources/extensions/role-template-anonymous.yaml b/src/main/resources/extensions/role-template-anonymous.yaml
new file mode 100644
index 000000000..4539f9cc7
--- /dev/null
+++ b/src/main/resources/extensions/role-template-anonymous.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: anonymous
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules: [ ]
diff --git a/src/main/resources/extensions/role-template-authenticated.yaml b/src/main/resources/extensions/role-template-authenticated.yaml
new file mode 100644
index 000000000..09b707162
--- /dev/null
+++ b/src/main/resources/extensions/role-template-authenticated.yaml
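Review bot: `roleNames.add(AUTHENTICATED_ROLE)` in visitRulesFor attaches the `authenticated` template to every `UserDetails` passed in, without checking that the principal is in fact an authenticated user; if the anonymous principal (for which this commit adds a separate `anonymous` template with empty rules) is ever resolved through this same method, it would silently inherit everything `authenticated` depends on. A guard on the principal, or at least a test covering the anonymous case, would make that intent checkable. A comment would also help a later reader, e.g. `// every principal resolved here implicitly holds the "authenticated" template; its dependencies are expanded like any bound role`. Copying into a `HashSet` also discards any ordering of the bound role names, which only matters if the order rules are visited is observable. The loop body continues outside the hunk.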
@@ -0,0 +1,51 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: authenticated
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: |
+ [ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password",
+ "role-template-manage-configmaps" ]
+rules: [ ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-own-user-info
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules:
+ - apiGroups: [ "api.halo.run" ]
+ resources: [ "users" ]
+ resourceNames: [ "-" ]
+ verbs: [ "list", "get" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-own-permissions
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules:
+ - apiGroups: [ "api.halo.run" ]
+ resources: [ "users/permissions" ]
+ resourceNames: [ "-" ]
+ verbs: [ "list", "get" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-change-own-password
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+rules:
+ - apiGroups: [ "api.halo.run" ]
+ resources: [ "users/password" ]
+ resourceNames: [ "-" ]
+ verbs: [ "update" ]
diff --git a/src/main/resources/extensions/role-template-configmap.yaml b/src/main/resources/extensions/role-template-configmap.yaml
new file mode 100644
index 000000000..889f40b9a
--- /dev/null
+++ b/src/main/resources/extensions/role-template-configmap.yaml
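Review bot: The `authenticated` template lists `role-template-manage-configmaps` among its dependencies, and that template (in the configmap file that follows) grants `create`, `patch`, `update`, `delete` and `deletecollection` on all `configmaps` with no `resourceNames` restriction, so every logged-in user would be able to rewrite or delete any ConfigMap, including system ones. The other three dependencies are scoped to the caller through `resourceNames: [ "-" ]`, which makes this one stand out; if authenticated users only need their own configuration, constrain it with a `resourceNames` list or remove it from `authenticated` and attach it to an explicit role instead. The `"-"` resourceName only works because UserEndpoint resolves the literal `-` path segment to the current user, so a comment such as `# "-" is resolved to the calling user by UserEndpoint; keep in sync` would help keep the two in step.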
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-configmaps
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-configmaps\" ]"
+ rbac.authorization.halo.run/module: "ConfigMaps Management"
+ rbac.authorization.halo.run/display-name: "ConfigMap Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:configmaps:manage"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "configmaps" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-configmaps
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "ConfigMaps Management"
+ rbac.authorization.halo.run/display-name: "ConfigMap View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:configmaps:view"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "configmaps" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-permissions.yaml b/src/main/resources/extensions/role-template-permissions.yaml
new file mode 100644
index 000000000..0e93d83ba
--- /dev/null
+++ b/src/main/resources/extensions/role-template-permissions.yaml
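Review bot: The `rbac.authorization.halo.run/dependencies` annotation is written as an escaped JSON string here (`"[ \"role-template-view-configmaps\" ]"`), while the authenticated, plugin-manage, role and user templates use a `|` block scalar for the same annotation; the permissions, plugin-view and setting templates repeat the escaped form. Pick one encoding across all templates, preferably the block scalar, which avoids the backslash escaping and reads the same as the multi-entry cases, e.g. `rbac.authorization.halo.run/dependencies: |` followed by `[ "role-template-view-configmaps" ]`. Whatever parses the annotation presumably accepts both, but mixing them makes the files harder to diff and review.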
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-permissions
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-permissions\" ]"
+ rbac.authorization.halo.run/module: "Permissions Management"
+ rbac.authorization.halo.run/display-name: "Permissions Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:permissions:manage"]
+rules:
+ - apiGroups: [ "api.halo.run" ]
+ resources: [ "users/permissions" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-permissions
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Permissions Management"
+ rbac.authorization.halo.run/display-name: "Permissions View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:permissions:view"]
+rules:
+ - apiGroups: [ "api.halo.run" ]
+ resources: [ "users/permissions" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-plugin.yaml b/src/main/resources/extensions/role-template-plugin.yaml
new file mode 100644
index 000000000..8c851227b
--- /dev/null
+++ b/src/main/resources/extensions/role-template-plugin.yaml
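Review bot: `role-template-manage-permissions` grants `create`, `patch`, `update`, `delete` and `deletecollection` on `users/permissions`, yet the only handler for that sub-resource visible in this commit is the read-only getUserPermission endpoint; if no write endpoint is served, these verbs are dead grants that still appear to users as `system:permissions:manage`. Either confirm that a write API for `users/permissions` exists or trim the verbs to what is actually served, so a role never advertises more than it can do. `role-template-view-permissions` has no `resourceNames`, so a holder can enumerate any user's effective permissions; that is presumably intended for administrators, and a comment such as `# unscoped: lists permissions of any user, intended for administrators` would record it.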
@@ -0,0 +1,34 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-plugins
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: |
+ [ "role-template-view-plugins", "role-template-manage-configmaps" ]
+ rbac.authorization.halo.run/module: "Plugins Management"
+ rbac.authorization.halo.run/display-name: "Plugin Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:plugins:manage"]
+rules:
+ - apiGroups: [ "plugin.halo.run" ]
+ resources: [ "plugins" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-plugins
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
+ rbac.authorization.halo.run/module: "Plugins Management"
+ rbac.authorization.halo.run/display-name: "Plugin View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:plugins:view"]
+rules:
+ - apiGroups: [ "plugin.halo.run" ]
+ resources: [ "plugins" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-role.yaml b/src/main/resources/extensions/role-template-role.yaml
new file mode 100644
index 000000000..c05dad219
--- /dev/null
+++ b/src/main/resources/extensions/role-template-role.yaml
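Review bot: `role-template-view-plugins` depends on `role-template-view-settings` and `role-template-manage-plugins` on `role-template-manage-configmaps`, so the `system:plugins:view` UI permission transitively grants `get`/`list` on every `settings` object and the manage permission grants full write on every `configmaps` object, since neither dependency is scoped by `resourceNames`. If plugin administration only needs plugin-owned settings and configmaps, these dependencies widen the grant well beyond what the display names `Plugin View` / `Plugin Manage` suggest; consider narrower templates for the plugin case, or at least a comment beside each dependency stating why the unscoped grant is required, e.g. `# plugins store their settings in Setting/ConfigMap objects; no per-plugin scoping available yet`.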
@@ -0,0 +1,33 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-roles
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: |
+ [ "role-template-view-roles", "role-template-manage-permissions" ]
+ rbac.authorization.halo.run/module: "Roles Management"
+ rbac.authorization.halo.run/display-name: "Role Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:roles:manage"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "roles" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-roles
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Roles Management"
+ rbac.authorization.halo.run/display-name: "Role View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:roles:view"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "roles" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-setting.yaml b/src/main/resources/extensions/role-template-setting.yaml
new file mode 100644
index 000000000..444b3cbd6
--- /dev/null
+++ b/src/main/resources/extensions/role-template-setting.yaml
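Review bot: `role-template-manage-roles` grants `create`, `patch`, `update`, `delete` and `deletecollection` on `roles` with no `resourceNames` scope, which is administrator-equivalent: a holder can author a role containing any rule, and with the `role-template-manage-permissions` dependency may also be able to assign it, if a write API for `users/permissions` exists. Nothing in this commit shows an escalation check (a principal only granting verbs it already holds), so the display name `Role Manage` understates the impact; a template comment such as `# admin-equivalent: holders can grant themselves any permission` or a clearer display name would help whoever assigns this role. If an escalation check is enforced elsewhere in the API server, referencing it here would answer the question for the next reviewer.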
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-settings
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
+ rbac.authorization.halo.run/module: "Settings Management"
+ rbac.authorization.halo.run/display-name: "Setting Manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:settings:manage"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "settings" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-settings
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Settings Management"
+ rbac.authorization.halo.run/display-name: "Setting View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:settings:view"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "settings" ]
+ verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-user.yaml b/src/main/resources/extensions/role-template-user.yaml
new file mode 100644
index 000000000..8c7a1edd5
--- /dev/null
+++ b/src/main/resources/extensions/role-template-user.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-manage-users
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/dependencies: |
+ [ "role-template-view-users", "role-template-change-password" ]
+ rbac.authorization.halo.run/module: "Users Management"
+ rbac.authorization.halo.run/display-name: "User manage"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:users:manage"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "users" ]
+ verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-view-users
+ labels:
+ halo.run/role-template: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Users Management"
+ rbac.authorization.halo.run/display-name: "User View"
+ rbac.authorization.halo.run/ui-permissions: |
+ ["system:users:view"]
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "users" ]
+ verbs: [ "get", "list" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+ name: role-template-change-password
+ labels:
+ halo.run/role-template: "true"
+ halo.run/hidden: "true"
+ annotations:
+ rbac.authorization.halo.run/module: "Users Management"
+ rbac.authorization.halo.run/display-name: "User Password Change"
+rules:
+ - apiGroups: [ "api.halo.run" ]
+ resources: [ "users/password" ]
+ verbs: [ "update" ]
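Review bot: The display name `User manage` breaks the capitalisation used everywhere else (`User View`, `Role Manage`, `Plugin Manage`, `Setting Manage`); change it to `rbac.authorization.halo.run/display-name: "User Manage"`. `role-template-change-password` differs from `role-template-change-own-password` only by the missing `resourceNames: [ "-" ]`, and as a dependency of `role-template-manage-users` it lets a holder reset any account's password, including accounts holding roles the holder does not; since a password reset is the usual account-takeover path, a comment marking `manage-users` as admin-equivalent, or a server-side rule that the target may not hold roles the caller lacks, deserves consideration. If that rule exists elsewhere in the API server, a pointer to it in the template would save the next reviewer the same question.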