/**
* Tencent is pleased to support the open source community by making Polaris available.
*
* Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
*
* Licensed under the BSD 3-Clause License (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://opensource.org/licenses/BSD-3-Clause
*
* Unless required by applicable law or agreed to in writing, software distributed
* under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package namespace
import (
"context"
"errors"
apimodel "github.com/polarismesh/specification/source/go/api/v1/model"
apisecurity "github.com/polarismesh/specification/source/go/api/v1/security"
"go.uber.org/zap"
"github.com/polarismesh/polaris/auth"
"github.com/polarismesh/polaris/common/model"
"github.com/polarismesh/polaris/common/utils"
)
// serverAuthAbility is the namespace server wrapped with authorization
// checks.
//
// This layer adjusts request parameters according to the caller: it sets the
// owner of the data to the requester, so a caller cannot create resources on
// behalf of someone else.
type serverAuthAbility struct {
	targetServer *Server             // wrapped server that performs the real work
	userMgn      auth.UserServer     // user/token service used by the auth layer
	strategyMgn  auth.StrategyServer // authorization strategy service used by the auth layer
}
// newServerAuthAbility wraps targetServer in an authorization proxy and
// returns it as a NamespaceOperateServer.
//
// As a side effect the proxy registers itself as targetServer's resource
// hooks, so resource events raised by the wrapped server reach the auth layer.
func newServerAuthAbility(targetServer *Server,
	userMgn auth.UserServer, strategyMgn auth.StrategyServer) NamespaceOperateServer {
	svr := &serverAuthAbility{targetServer: targetServer, userMgn: userMgn, strategyMgn: strategyMgn}
	// Must happen before the proxy is handed out, so the hooks are in place
	// for the very first request.
	targetServer.SetResourceHooks(svr)
	return svr
}
// collectNamespaceAuthContext gathers everything the authorization layer needs
// for a namespace request: the request context, the operation being
// performed, the module and method names, and the namespace resources the
// request touches (resolved by queryNamespaceResource).
func (svr *serverAuthAbility) collectNamespaceAuthContext(ctx context.Context, req []*apimodel.Namespace,
	resourceOp model.ResourceOperation, methodName string) *model.AcquireContext {
	// Resolve the accessed resources first; the remaining options are plain
	// pass-throughs of the arguments.
	resources := svr.queryNamespaceResource(req)
	return model.NewAcquireContext(
		model.WithRequestContext(ctx),
		model.WithOperation(resourceOp),
		model.WithModule(model.CoreModule),
		model.WithMethod(methodName),
		model.WithAccessResources(resources),
	)
}
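// queryNamespaceResource resolves the namespaces named in req into the
// ResourceEntry list that the authorization check is evaluated against.
//
// The request names are de-duplicated, looked up in the namespace cache, and
// each cached namespace becomes one ResourceEntry (ID = name, Owner = owner).
// A name that is not present in the cache yields no entry at all, so callers
// must not assume the result covers every element of req. Nil elements in req
// are skipped instead of being dereferenced.
func (svr *serverAuthAbility) queryNamespaceResource(
	req []*apimodel.Namespace) map[apisecurity.ResourceType][]model.ResourceEntry {
	names := utils.NewStringSet()
	for _, item := range req {
		// A nil element would panic on item.Name; GetValue itself is
		// nil-safe for a missing Name field, as protobuf getters are.
		if item == nil {
			continue
		}
		names.Add(item.Name.GetValue())
	}
	nsArr := svr.targetServer.caches.Namespace().GetNamespacesByName(names.ToSlice())
	entries := make([]model.ResourceEntry, 0, len(nsArr))
	for index := range nsArr {
		ns := nsArr[index]
		entries = append(entries, model.ResourceEntry{
			ID:    ns.Name,
			Owner: ns.Owner,
		})
	}
	ret := map[apisecurity.ResourceType][]model.ResourceEntry{
		apisecurity.ResourceType_Namespaces: entries,
	}
	authLog.Debug("[Auth][Server] collect namespace access res", zap.Any("res", ret))
	return ret
}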
// convertToErrCode maps an authorization error to the API response code.
//
// Only the two token sentinel errors get a specific code; every other error
// (a nil err included, since errors.Is never matches nil against a non-nil
// sentinel) is reported as Code_NotAllowedAccess.
func convertToErrCode(err error) apimodel.Code {
	switch {
	case errors.Is(err, model.ErrorTokenNotExist):
		return apimodel.Code_TokenNotExisted
	case errors.Is(err, model.ErrorTokenDisabled):
		return apimodel.Code_TokenDisabled
	default:
		return apimodel.Code_NotAllowedAccess
	}
}