go-course/go18
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
go18/devcloud/mcenter/permission/checker.go
yumaojun03 e1774f973a udpate
2025-06-08 17:27:04 +08:00

171 lines
4.6 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package permission
import (
"context"
"122.51.31.227/go-course/go18/devcloud/mcenter/apps/endpoint"
"122.51.31.227/go-course/go18/devcloud/mcenter/apps/policy"
"122.51.31.227/go-course/go18/devcloud/mcenter/apps/token"
"github.com/emicklei/go-restful/v3"
"github.com/infraboard/mcube/v2/exception"
"github.com/infraboard/mcube/v2/http/restful/response"
"github.com/infraboard/mcube/v2/ioc"
"github.com/infraboard/mcube/v2/ioc/config/application"
"github.com/infraboard/mcube/v2/ioc/config/gorestful"
"github.com/infraboard/mcube/v2/ioc/config/log"
"github.com/rs/zerolog"
)
func init() {
ioc.Config().Registry(&Checker{})
}
func Auth(v bool) (string, bool) {
return endpoint.META_REQUIRED_AUTH_KEY, v
}
func Permission(v bool) (string, bool) {
return endpoint.META_REQUIRED_PERM_KEY, v
}
func Resource(v string) (string, string) {
return endpoint.META_RESOURCE_KEY, v
}
func Action(v string) (string, string) {
return endpoint.META_ACTION_KEY, v
}
// 这个中间件也是对象, 认证与鉴权
// 通过路由装饰 来当中开关,控制怎么认证,是否开启认证,是否开启坚强,角色标记
type Checker struct {
ioc.ObjectImpl
log *zerolog.Logger
token token.Service
policy policy.Service
}
// 中间件对象名称
func (c *Checker) Name() string {
return "permission_checker"
}
// 对象初始化的优先级, 由于业务接口在Init函数里面 使用默认优先级0, 由大到小
// 框架是 899 898
// 框架的init函数调用完成里面调用 这个对象的init函数, 实现了全局中间件
func (c *Checker) Priority() int {
return gorestful.Priority() - 1
}
func (c *Checker) Init() error {
c.log = log.Sub(c.Name())
c.token = token.GetService()
c.policy = policy.GetService()
// 注册认证中间件
gorestful.RootRouter().Filter(c.Check)
return nil
}
// 中间件的函数里面
func (c *Checker) Check(r *restful.Request, w *restful.Response, next *restful.FilterChain) {
// 请求处理前, 对接口进行保护
// 1. 知道用户当前访问的是哪个接口, 当前url 匹配到的路由是哪个
// SelectedRoute, 它可以返回当前URL适配哪个路有 RouteReader
// 封装了一个函数 来获取Meta信息 NewEntryFromRestRouteReader
route := endpoint.NewEntryFromRestRouteReader(r.SelectedRoute())
if route.RequiredAuth {
// 校验身份
tk, err := c.CheckToken(r)
if err != nil {
response.Failed(w, err)
return
}
// 校验权限
if err := c.CheckPolicy(r, tk, route); err != nil {
response.Failed(w, err)
return
}
}
// 请求处理
next.ProcessFilter(r, w)
// 请求处理后
}
func (c *Checker) CheckToken(r *restful.Request) (*token.Token, error) {
v := token.GetAccessTokenFromHTTP(r.Request)
if v == "" {
return nil, exception.NewUnauthorized("请先登录")
}
tk, err := c.token.ValiateToken(r.Request.Context(), token.NewValiateTokenRequest(v))
if err != nil {
return nil, err
}
// 如果校验成功,需要把 用户的身份信息,放到请求的上下文中,方便后面的逻辑获取
// context.WithValue 来往ctx 添加 value
// key: value, value token对象
ctx := context.WithValue(r.Request.Context(), token.CTX_TOKEN_KEY, tk)
// ctx 生成一个新的,继续往下传递
r.Request = r.Request.WithContext(ctx)
return tk, nil
}
func (c *Checker) CheckPolicy(r *restful.Request, tk *token.Token, route *endpoint.RouteEntry) error {
// 判断用户是否是超级管理员
if tk.IsAdmin {
return nil
}
// 角色校验 @Required('admin', '')
if route.HasRequiredRole() {
set, err := c.policy.QueryPolicy(r.Request.Context(),
policy.NewQueryPolicyRequest().
SetNamespaceId(tk.NamespaceId).
SetUserId(tk.UserId).
SetExpired(false).
SetEnabled(true).
SetWithRole(true),
)
if err != nil {
return exception.NewInternalServerError("%s", err.Error())
}
hasPerm := false
for i := range set.Items {
p := set.Items[i]
if route.IsRequireRole(p.Role.Name) {
hasPerm = true
break
}
}
if !hasPerm {
return exception.NewPermissionDeny("无权限访问")
}
}
// API权限校验
if route.RequiredPerm {
validateReq := policy.NewValidateEndpointPermissionRequest()
validateReq.UserId = tk.UserId
validateReq.NamespaceId = tk.NamespaceId
validateReq.Service = application.Get().GetAppName()
validateReq.Method = route.Method
validateReq.Path = route.Path
resp, err := c.policy.ValidateEndpointPermission(r.Request.Context(), validateReq)
if err != nil {
return exception.NewInternalServerError("%s", err.Error())
}
if !resp.HasPermission {
return exception.NewPermissionDeny("无权限访问")
}
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink