You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@servicecomb.apache.org by ti...@apache.org on 2021/02/19 08:56:06 UTC
[servicecomb-service-center] branch master updated: use unified
model, compatible with old create account api (#812)
This is an automated email from the ASF dual-hosted git repository.
tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push:
new e7af4d4 use unified model, compatible with old create account api (#812)
e7af4d4 is described below
commit e7af4d45f5397ff173baf37e8acc88ef7951344a
Author: Shawn <xi...@gmail.com>
AuthorDate: Fri Feb 19 16:55:57 2021 +0800
use unified model, compatible with old create account api (#812)
---
datasource/account.go | 11 ++--
datasource/etcd/account.go | 20 +++----
datasource/etcd/account_test.go | 6 +--
datasource/etcd/role.go | 16 +++---
datasource/mongo/account.go | 20 +++----
datasource/mongo/account_test.go | 16 +++---
datasource/mongo/role.go | 16 +++---
datasource/role.go | 11 ++--
datasource/role_test.go | 6 +--
pkg/{pravicy => privacy}/password.go | 2 +-
pkg/rbacframe/account.go | 19 -------
pkg/rbacframe/api.go | 5 +-
pkg/rbacframe/role.go | 33 ------------
server/plugin/auth/buildin/buidlin_test.go | 3 +-
server/resource/v4/auth_resource.go | 38 +++++++------
server/resource/v4/rbac_resource_test.go | 84 ++++++++++++++---------------
server/resource/v4/role_resource.go | 8 +--
server/service/rbac/dao/account_dao.go | 10 ++--
server/service/rbac/dao/account_dao_test.go | 4 +-
server/service/rbac/dao/role_dao.go | 10 ++--
server/service/rbac/decision.go | 4 +-
server/service/rbac/password.go | 7 +--
server/service/rbac/permission.go | 13 +++--
server/service/rbac/rbac.go | 3 +-
server/service/rbac/rbac_test.go | 18 +++----
server/service/rbac/role.go | 8 +--
server/service/validate.go | 8 +--
27 files changed, 178 insertions(+), 221 deletions(-)
diff --git a/datasource/account.go b/datasource/account.go
index 84b6e7d..b602cc0 100644
--- a/datasource/account.go
+++ b/datasource/account.go
@@ -20,8 +20,7 @@ package datasource
import (
"context"
"errors"
-
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
+ "github.com/go-chassis/cari/rbac"
)
var (
@@ -32,10 +31,10 @@ var (
// AccountManager contains the RBAC CRUD
type AccountManager interface {
- CreateAccount(ctx context.Context, a *rbacframe.Account) error
+ CreateAccount(ctx context.Context, a *rbac.Account) error
AccountExist(ctx context.Context, key string) (bool, error)
- GetAccount(ctx context.Context, key string) (*rbacframe.Account, error)
- ListAccount(ctx context.Context, key string) ([]*rbacframe.Account, int64, error)
+ GetAccount(ctx context.Context, key string) (*rbac.Account, error)
+ ListAccount(ctx context.Context, key string) ([]*rbac.Account, int64, error)
DeleteAccount(ctx context.Context, key string) (bool, error)
- UpdateAccount(ctx context.Context, key string, account *rbacframe.Account) error
+ UpdateAccount(ctx context.Context, key string, account *rbac.Account) error
}
diff --git a/datasource/etcd/account.go b/datasource/etcd/account.go
index 3306c79..7b887b1 100644
--- a/datasource/etcd/account.go
+++ b/datasource/etcd/account.go
@@ -19,18 +19,18 @@ import (
"context"
"encoding/json"
"fmt"
- "github.com/apache/servicecomb-service-center/pkg/pravicy"
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/datasource/etcd/client"
"github.com/apache/servicecomb-service-center/datasource/etcd/path"
"github.com/apache/servicecomb-service-center/pkg/etcdsync"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
+ "github.com/apache/servicecomb-service-center/pkg/privacy"
"github.com/apache/servicecomb-service-center/pkg/util"
+ "github.com/go-chassis/cari/rbac"
)
-func (ds *DataSource) CreateAccount(ctx context.Context, a *rbacframe.Account) error {
+func (ds *DataSource) CreateAccount(ctx context.Context, a *rbac.Account) error {
lock, err := etcdsync.Lock("/account-creating/"+a.Name, -1, false)
if err != nil {
return fmt.Errorf("account %s is creating", a.Name)
@@ -50,7 +50,7 @@ func (ds *DataSource) CreateAccount(ctx context.Context, a *rbacframe.Account) e
if exist {
return datasource.ErrAccountDuplicated
}
- a.Password, err = pravicy.HashPassword(a.Password)
+ a.Password, err = privacy.HashPassword(a.Password)
if err != nil {
log.Error("pwd hash failed", err)
return err
@@ -81,7 +81,7 @@ func (ds *DataSource) AccountExist(ctx context.Context, key string) (bool, error
}
return true, nil
}
-func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbacframe.Account, error) {
+func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbac.Account, error) {
resp, err := client.Instance().Do(ctx, client.GET,
client.WithStrKey(path.GenerateRBACAccountKey(key)))
if err != nil {
@@ -90,7 +90,7 @@ func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbacframe.Ac
if resp.Count != 1 {
return nil, client.ErrNotUnique
}
- account := &rbacframe.Account{}
+ account := &rbac.Account{}
err = json.Unmarshal(resp.Kvs[0].Value, account)
if err != nil {
log.Errorf(err, "account info format invalid")
@@ -98,15 +98,15 @@ func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbacframe.Ac
}
return account, nil
}
-func (ds *DataSource) ListAccount(ctx context.Context, key string) ([]*rbacframe.Account, int64, error) {
+func (ds *DataSource) ListAccount(ctx context.Context, key string) ([]*rbac.Account, int64, error) {
resp, err := client.Instance().Do(ctx, client.GET,
client.WithStrKey(path.GenerateRBACAccountKey(key)), client.WithPrefix())
if err != nil {
return nil, 0, err
}
- accounts := make([]*rbacframe.Account, 0, resp.Count)
+ accounts := make([]*rbac.Account, 0, resp.Count)
for _, v := range resp.Kvs {
- a := &rbacframe.Account{}
+ a := &rbac.Account{}
err = json.Unmarshal(v.Value, a)
if err != nil {
log.Error("account info format invalid:", err)
@@ -125,7 +125,7 @@ func (ds *DataSource) DeleteAccount(ctx context.Context, key string) (bool, erro
}
return resp.Succeeded, nil
}
-func (ds *DataSource) UpdateAccount(ctx context.Context, key string, account *rbacframe.Account) error {
+func (ds *DataSource) UpdateAccount(ctx context.Context, key string, account *rbac.Account) error {
value, err := json.Marshal(account)
if err != nil {
log.Errorf(err, "account info is invalid")
diff --git a/datasource/etcd/account_test.go b/datasource/etcd/account_test.go
index 3eaf3f5..7b6ddc9 100644
--- a/datasource/etcd/account_test.go
+++ b/datasource/etcd/account_test.go
@@ -21,15 +21,15 @@ package etcd_test
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"testing"
"github.com/apache/servicecomb-service-center/datasource"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/stretchr/testify/assert"
)
var (
- a1 = rbacframe.Account{
+ a1 = rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
@@ -37,7 +37,7 @@ var (
TokenExpirationTime: "2020-12-30",
CurrentPassword: "tnuocca-tset1",
}
- a2 = rbacframe.Account{
+ a2 = rbac.Account{
ID: "11111-22222-33333-44444",
Name: "test-account2",
Password: "tnuocca-tset",
diff --git a/datasource/etcd/role.go b/datasource/etcd/role.go
index e34f0ff..58acae7 100644
--- a/datasource/etcd/role.go
+++ b/datasource/etcd/role.go
@@ -21,17 +21,17 @@ import (
"context"
"encoding/json"
"fmt"
+ "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/datasource/etcd/client"
"github.com/apache/servicecomb-service-center/datasource/etcd/path"
"github.com/apache/servicecomb-service-center/pkg/etcdsync"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/util"
)
-func (ds *DataSource) CreateRole(ctx context.Context, r *rbacframe.Role) error {
+func (ds *DataSource) CreateRole(ctx context.Context, r *rbac.Role) error {
lock, err := etcdsync.Lock("/role-creating/"+r.Name, -1, false)
if err != nil {
return fmt.Errorf("role %s is creating", r.Name)
@@ -77,7 +77,7 @@ func (ds *DataSource) RoleExist(ctx context.Context, name string) (bool, error)
}
return true, nil
}
-func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbacframe.Role, error) {
+func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbac.Role, error) {
resp, err := client.Instance().Do(ctx, client.GET,
client.WithStrKey(path.GenerateRBACRoleKey(name)))
if err != nil {
@@ -86,7 +86,7 @@ func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbacframe.Role
if resp.Count != 1 {
return nil, client.ErrNotUnique
}
- role := &rbacframe.Role{}
+ role := &rbac.Role{}
err = json.Unmarshal(resp.Kvs[0].Value, role)
if err != nil {
log.Errorf(err, "role info format invalid")
@@ -94,15 +94,15 @@ func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbacframe.Role
}
return role, nil
}
-func (ds *DataSource) ListRole(ctx context.Context) ([]*rbacframe.Role, int64, error) {
+func (ds *DataSource) ListRole(ctx context.Context) ([]*rbac.Role, int64, error) {
resp, err := client.Instance().Do(ctx, client.GET,
client.WithStrKey(path.GenerateRBACRoleKey("")), client.WithPrefix())
if err != nil {
return nil, 0, err
}
- roles := make([]*rbacframe.Role, 0, resp.Count)
+ roles := make([]*rbac.Role, 0, resp.Count)
for _, v := range resp.Kvs {
- r := &rbacframe.Role{}
+ r := &rbac.Role{}
err = json.Unmarshal(v.Value, r)
if err != nil {
log.Error("role info format invalid:", err)
@@ -121,7 +121,7 @@ func (ds *DataSource) DeleteRole(ctx context.Context, name string) (bool, error)
}
return resp.Succeeded, nil
}
-func (ds *DataSource) UpdateRole(ctx context.Context, name string, role *rbacframe.Role) error {
+func (ds *DataSource) UpdateRole(ctx context.Context, name string, role *rbac.Role) error {
value, err := json.Marshal(role)
if err != nil {
log.Errorf(err, "role info is invalid")
diff --git a/datasource/mongo/account.go b/datasource/mongo/account.go
index 2720338..1347f69 100644
--- a/datasource/mongo/account.go
+++ b/datasource/mongo/account.go
@@ -20,17 +20,17 @@ package mongo
import (
"context"
"errors"
- "github.com/apache/servicecomb-service-center/pkg/pravicy"
+ "github.com/apache/servicecomb-service-center/pkg/privacy"
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/datasource/mongo/client"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/util"
+ "github.com/go-chassis/cari/rbac"
"go.mongodb.org/mongo-driver/bson"
)
-func (ds *DataSource) CreateAccount(ctx context.Context, a *rbacframe.Account) error {
+func (ds *DataSource) CreateAccount(ctx context.Context, a *rbac.Account) error {
exist, err := ds.AccountExist(ctx, a.Name)
if err != nil {
log.Error("can not save account info", err)
@@ -39,7 +39,7 @@ func (ds *DataSource) CreateAccount(ctx context.Context, a *rbacframe.Account) e
if exist {
return datasource.ErrAccountDuplicated
}
- a.Password, err = pravicy.HashPassword(a.Password)
+ a.Password, err = privacy.HashPassword(a.Password)
if err != nil {
log.Error("pwd hash failed", err)
return err
@@ -70,7 +70,7 @@ func (ds *DataSource) AccountExist(ctx context.Context, key string) (bool, error
return true, nil
}
-func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbacframe.Account, error) {
+func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbac.Account, error) {
filter := bson.M{
ColumnAccountName: key,
}
@@ -82,7 +82,7 @@ func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbacframe.Ac
log.Error("failed to get account: ", result.Err())
return nil, errors.New("failed to get account")
}
- var account rbacframe.Account
+ var account rbac.Account
err = result.Decode(&account)
if err != nil {
log.Error("decode account failed: ", err)
@@ -91,7 +91,7 @@ func (ds *DataSource) GetAccount(ctx context.Context, key string) (*rbacframe.Ac
return &account, nil
}
-func (ds *DataSource) ListAccount(ctx context.Context, key string) ([]*rbacframe.Account, int64, error) {
+func (ds *DataSource) ListAccount(ctx context.Context, key string) ([]*rbac.Account, int64, error) {
filter := bson.M{
ColumnAccountName: bson.M{"$regex": key},
}
@@ -102,10 +102,10 @@ func (ds *DataSource) ListAccount(ctx context.Context, key string) ([]*rbacframe
if err != nil {
return nil, 0, err
}
- var accounts []*rbacframe.Account
+ var accounts []*rbac.Account
defer cursor.Close(ctx)
for cursor.Next(ctx) {
- var account rbacframe.Account
+ var account rbac.Account
err = cursor.Decode(&account)
if err != nil {
log.Error("decode account failed: ", err)
@@ -131,7 +131,7 @@ func (ds *DataSource) DeleteAccount(ctx context.Context, key string) (bool, erro
return true, nil
}
-func (ds *DataSource) UpdateAccount(ctx context.Context, key string, account *rbacframe.Account) error {
+func (ds *DataSource) UpdateAccount(ctx context.Context, key string, account *rbac.Account) error {
filter := bson.M{
ColumnAccountName: key,
}
diff --git a/datasource/mongo/account_test.go b/datasource/mongo/account_test.go
index 3d55b4f..538cfd1 100644
--- a/datasource/mongo/account_test.go
+++ b/datasource/mongo/account_test.go
@@ -19,15 +19,15 @@ package mongo_test
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"testing"
"github.com/apache/servicecomb-service-center/datasource"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/stretchr/testify/assert"
)
func TestCreateAccount(t *testing.T) {
- account := rbacframe.Account{
+ account := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
@@ -53,7 +53,7 @@ func TestCreateAccount(t *testing.T) {
}
func TestGetAccount(t *testing.T) {
- account := rbacframe.Account{
+ account := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
@@ -78,7 +78,7 @@ func TestGetAccount(t *testing.T) {
}
func TestListAccount(t *testing.T) {
- account1 := rbacframe.Account{
+ account1 := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
@@ -86,7 +86,7 @@ func TestListAccount(t *testing.T) {
TokenExpirationTime: "2020-12-30",
CurrentPassword: "tnuocca-tset1",
}
- account2 := rbacframe.Account{
+ account2 := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account2",
Password: "tnuocca-tset",
@@ -112,7 +112,7 @@ func TestDeleteAccount(t *testing.T) {
})
t.Run("delete account, if the account exists,it should be deleted", func(t *testing.T) {
- account := rbacframe.Account{
+ account := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
@@ -131,7 +131,7 @@ func TestDeleteAccount(t *testing.T) {
func TestUpdateAccount(t *testing.T) {
t.Run("update account: if the account does not exist,the update should fail", func(t *testing.T) {
- account := rbacframe.Account{
+ account := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
@@ -145,7 +145,7 @@ func TestUpdateAccount(t *testing.T) {
})
t.Run("update account: if the account exists,it should be updated successfully", func(t *testing.T) {
- account := rbacframe.Account{
+ account := rbac.Account{
ID: "11111-22222-33333",
Name: "test-account1",
Password: "tnuocca-tset",
diff --git a/datasource/mongo/role.go b/datasource/mongo/role.go
index b6c913c..99fc7bb 100644
--- a/datasource/mongo/role.go
+++ b/datasource/mongo/role.go
@@ -25,11 +25,11 @@ import (
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/datasource/mongo/client"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/util"
+ "github.com/go-chassis/cari/rbac"
)
-func (ds *DataSource) CreateRole(ctx context.Context, r *rbacframe.Role) error {
+func (ds *DataSource) CreateRole(ctx context.Context, r *rbac.Role) error {
exist, err := ds.RoleExist(ctx, r.Name)
if err != nil {
log.Error("failed to query role", err)
@@ -64,7 +64,7 @@ func (ds *DataSource) RoleExist(ctx context.Context, name string) (bool, error)
return true, nil
}
-func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbacframe.Role, error) {
+func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbac.Role, error) {
filter := bson.M{
ColumnRoleName: name,
}
@@ -75,7 +75,7 @@ func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbacframe.Role
if result.Err() != nil {
return nil, client.ErrNoDocuments
}
- var role rbacframe.Role
+ var role rbac.Role
err = result.Decode(&role)
if err != nil {
log.Error("Decode role failed: ", err)
@@ -84,15 +84,15 @@ func (ds *DataSource) GetRole(ctx context.Context, name string) (*rbacframe.Role
return &role, nil
}
-func (ds *DataSource) ListRole(ctx context.Context) ([]*rbacframe.Role, int64, error) {
+func (ds *DataSource) ListRole(ctx context.Context) ([]*rbac.Role, int64, error) {
cursor, err := client.GetMongoClient().Find(ctx, CollectionRole, bson.M{})
if err != nil {
return nil, 0, err
}
- var roles []*rbacframe.Role
+ var roles []*rbac.Role
defer cursor.Close(ctx)
for cursor.Next(ctx) {
- var role rbacframe.Role
+ var role rbac.Role
err = cursor.Decode(&role)
if err != nil {
log.Error("decode role failed: ", err)
@@ -117,7 +117,7 @@ func (ds *DataSource) DeleteRole(ctx context.Context, name string) (bool, error)
return true, nil
}
-func (ds *DataSource) UpdateRole(ctx context.Context, name string, role *rbacframe.Role) error {
+func (ds *DataSource) UpdateRole(ctx context.Context, name string, role *rbac.Role) error {
filter := bson.M{
ColumnRoleName: name,
}
diff --git a/datasource/role.go b/datasource/role.go
index e4c822d..3e7f6d7 100644
--- a/datasource/role.go
+++ b/datasource/role.go
@@ -20,8 +20,7 @@ package datasource
import (
"context"
"errors"
-
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
+ "github.com/go-chassis/cari/rbac"
)
var (
@@ -31,10 +30,10 @@ var (
// RoleManager contains the RBAC CRUD
type RoleManager interface {
- CreateRole(ctx context.Context, r *rbacframe.Role) error
+ CreateRole(ctx context.Context, r *rbac.Role) error
RoleExist(ctx context.Context, name string) (bool, error)
- GetRole(ctx context.Context, name string) (*rbacframe.Role, error)
- ListRole(ctx context.Context) ([]*rbacframe.Role, int64, error)
+ GetRole(ctx context.Context, name string) (*rbac.Role, error)
+ ListRole(ctx context.Context) ([]*rbac.Role, int64, error)
DeleteRole(ctx context.Context, name string) (bool, error)
- UpdateRole(ctx context.Context, name string, role *rbacframe.Role) error
+ UpdateRole(ctx context.Context, name string, role *rbac.Role) error
}
diff --git a/datasource/role_test.go b/datasource/role_test.go
index dc81a8a..1099904 100644
--- a/datasource/role_test.go
+++ b/datasource/role_test.go
@@ -19,22 +19,22 @@ package datasource_test
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"testing"
"github.com/stretchr/testify/assert"
"github.com/apache/servicecomb-service-center/datasource"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
)
var (
- r1 = rbacframe.Role{
+ r1 = rbac.Role{
ID: "11111-22222-33333",
Name: "test-role1",
Perms: nil,
}
- r2 = rbacframe.Role{
+ r2 = rbac.Role{
ID: "11111-22222-33333-44444",
Name: "test-role2",
Perms: nil,
diff --git a/pkg/pravicy/password.go b/pkg/privacy/password.go
similarity index 98%
rename from pkg/pravicy/password.go
rename to pkg/privacy/password.go
index 9be80b9..8e1787d 100644
--- a/pkg/pravicy/password.go
+++ b/pkg/privacy/password.go
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package pravicy
+package privacy
import (
"github.com/go-chassis/foundation/stringutil"
diff --git a/pkg/rbacframe/account.go b/pkg/rbacframe/account.go
index fe95fc9..f8ee449 100644
--- a/pkg/rbacframe/account.go
+++ b/pkg/rbacframe/account.go
@@ -20,22 +20,3 @@ package rbacframe
const (
RoleAdmin = "admin"
)
-
-type AccountResponse struct {
- Total int64 `json:"total"`
- Accounts []*Account `json:"data,omitempty"`
-}
-
-type Account struct {
- ID string `json:"id,omitempty"`
- Name string `json:"name,omitempty"`
- Password string `json:"password,omitempty"`
- Roles []string `json:"roles,omitempty"`
- TokenExpirationTime string `json:"tokenExpirationTime,omitempty" bson:"token_expiration_time"`
- CurrentPassword string `json:"currentPassword,omitempty" bson:"current_password"`
- Status string `json:"status,omitempty"`
-}
-
-type Token struct {
- TokenStr string `json:"token,omitempty"`
-}
diff --git a/pkg/rbacframe/api.go b/pkg/rbacframe/api.go
index c143013..3ec5c3a 100644
--- a/pkg/rbacframe/api.go
+++ b/pkg/rbacframe/api.go
@@ -21,6 +21,7 @@ package rbacframe
import (
"context"
"crypto/rsa"
+ "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/pkg/log"
"github.com/go-chassis/go-chassis/v2/security/token"
@@ -31,7 +32,7 @@ const (
ClaimsRoles = "roles"
)
-func AccountFromContext(ctx context.Context) (*Account, error) {
+func AccountFromContext(ctx context.Context) (*rbac.Account, error) {
claims := FromContext(ctx)
m, ok := claims.(map[string]interface{})
if !ok {
@@ -48,7 +49,7 @@ func AccountFromContext(ctx context.Context) (*Account, error) {
log.Error("role convert failed ", err)
return nil, ErrConvertErr
}
- account := &Account{Name: a, Roles: roleList}
+ account := &rbac.Account{Name: a, Roles: roleList}
return account, nil
}
diff --git a/pkg/rbacframe/role.go b/pkg/rbacframe/role.go
deleted file mode 100644
index ead04aa..0000000
--- a/pkg/rbacframe/role.go
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package rbacframe
-
-type RoleResponse struct {
- Roles []*Role `json:"data,omitempty"`
-}
-
-type Role struct {
- ID string `json:"id,omitempty"`
- Name string `json:"name,omitempty"`
- Perms []*Permission `json:"perms,omitempty"`
-}
-
-type Permission struct {
- Resources []string `json:"resources,omitempty"`
- Verbs []string `json:"verbs,omitempty"`
-}
diff --git a/server/plugin/auth/buildin/buidlin_test.go b/server/plugin/auth/buildin/buidlin_test.go
index 3504a85..063ab3f 100644
--- a/server/plugin/auth/buildin/buidlin_test.go
+++ b/server/plugin/auth/buildin/buidlin_test.go
@@ -20,6 +20,7 @@ package buildin_test
// initialize
import (
"context"
+ rbacmodel "github.com/go-chassis/cari/rbac"
"io/ioutil"
"net/http"
"net/http/httptest"
@@ -102,7 +103,7 @@ func TestTokenAuthenticator_Identify(t *testing.T) {
assert.NoError(t, err)
})
t.Run("valid normal token, should no be able to get account", func(t *testing.T) {
- err := dao.CreateAccount(context.TODO(), &rbacframe.Account{Name: "non-admin", Password: "Complicated_password1"})
+ err := dao.CreateAccount(context.TODO(), &rbacmodel.Account{Name: "non-admin", Password: "Complicated_password1"})
assert.NoError(t, err)
r := httptest.NewRequest(http.MethodGet, "/v4/account", nil)
to, err := authr.Login(context.TODO(), "non-admin", "Complicated_password1")
diff --git a/server/resource/v4/auth_resource.go b/server/resource/v4/auth_resource.go
index 2e0fece..c8712f4 100644
--- a/server/resource/v4/auth_resource.go
+++ b/server/resource/v4/auth_resource.go
@@ -20,20 +20,21 @@ package v4
import (
"context"
"encoding/json"
+ "github.com/apache/servicecomb-service-center/pkg/rbacframe"
+ rbacsvc "github.com/apache/servicecomb-service-center/server/service/rbac"
"io/ioutil"
"net/http"
"github.com/apache/servicecomb-service-center/datasource"
errorsEx "github.com/apache/servicecomb-service-center/pkg/errors"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/rest"
"github.com/apache/servicecomb-service-center/pkg/util"
"github.com/apache/servicecomb-service-center/server/rest/controller"
"github.com/apache/servicecomb-service-center/server/service"
- "github.com/apache/servicecomb-service-center/server/service/rbac"
"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
"github.com/go-chassis/cari/discovery"
+ "github.com/go-chassis/cari/rbac"
"github.com/go-chassis/go-chassis/v2/security/authr"
)
@@ -58,12 +59,15 @@ func (r *AuthResource) CreateAccount(w http.ResponseWriter, req *http.Request) {
controller.WriteError(w, discovery.ErrInternal, err.Error())
return
}
- a := &rbacframe.Account{}
+ a := &rbac.Account{}
if err = json.Unmarshal(body, a); err != nil {
log.Error("json err", err)
controller.WriteError(w, discovery.ErrInvalidParams, errorsEx.MsgJSON)
return
}
+ if a.Role != "" {
+ a.Roles = []string{a.Role}
+ }
err = service.ValidateCreateAccount(a)
if err != nil {
controller.WriteError(w, discovery.ErrInvalidParams, err.Error())
@@ -96,7 +100,7 @@ func (r *AuthResource) ListAccount(w http.ResponseWriter, req *http.Request) {
controller.WriteError(w, discovery.ErrInternal, errorsEx.MsgGetAccountFailed)
return
}
- resp := &rbacframe.AccountResponse{
+ resp := &rbac.AccountResponse{
Total: n,
Accounts: as,
}
@@ -126,7 +130,7 @@ func (r *AuthResource) GetAccount(w http.ResponseWriter, req *http.Request) {
}
func (r *AuthResource) ChangePassword(w http.ResponseWriter, req *http.Request) {
ip := util.GetRealIP(req)
- if rbac.IsBanned(ip) {
+ if rbacsvc.IsBanned(ip) {
log.Warn("ip is banned:" + ip)
controller.WriteError(w, discovery.ErrForbidden, "")
return
@@ -137,7 +141,7 @@ func (r *AuthResource) ChangePassword(w http.ResponseWriter, req *http.Request)
controller.WriteError(w, discovery.ErrInternal, err.Error())
return
}
- a := &rbacframe.Account{}
+ a := &rbac.Account{}
if err = json.Unmarshal(body, a); err != nil {
log.Error("json err", err)
controller.WriteError(w, discovery.ErrInvalidParams, errorsEx.MsgJSON)
@@ -154,16 +158,16 @@ func (r *AuthResource) ChangePassword(w http.ResponseWriter, req *http.Request)
controller.WriteError(w, discovery.ErrInternal, "can not parse account info")
return
}
- err = rbac.ChangePassword(context.TODO(), changer.Roles, changer.Name, a)
+ err = rbacsvc.ChangePassword(context.TODO(), changer.Roles, changer.Name, a)
if err != nil {
- if err == rbac.ErrSamePassword ||
- err == rbac.ErrEmptyCurrentPassword ||
- err == rbac.ErrNoPermChangeAccount {
+ if err == rbacsvc.ErrSamePassword ||
+ err == rbacsvc.ErrEmptyCurrentPassword ||
+ err == rbacsvc.ErrNoPermChangeAccount {
controller.WriteError(w, discovery.ErrInvalidParams, err.Error())
return
}
- if err == rbac.ErrWrongPassword {
- rbac.CountFailure(ip)
+ if err == rbacsvc.ErrWrongPassword {
+ rbacsvc.CountFailure(ip)
controller.WriteError(w, discovery.ErrInvalidParams, err.Error())
return
}
@@ -174,7 +178,7 @@ func (r *AuthResource) ChangePassword(w http.ResponseWriter, req *http.Request)
}
func (r *AuthResource) Login(w http.ResponseWriter, req *http.Request) {
ip := util.GetRealIP(req)
- if rbac.IsBanned(ip) {
+ if rbacsvc.IsBanned(ip) {
log.Warn("ip is banned:" + ip)
controller.WriteError(w, discovery.ErrForbidden, "")
return
@@ -185,7 +189,7 @@ func (r *AuthResource) Login(w http.ResponseWriter, req *http.Request) {
controller.WriteError(w, discovery.ErrInternal, err.Error())
return
}
- a := &rbacframe.Account{}
+ a := &rbac.Account{}
if err = json.Unmarshal(body, a); err != nil {
log.Error("json err", err)
controller.WriteError(w, discovery.ErrInvalidParams, err.Error())
@@ -202,9 +206,9 @@ func (r *AuthResource) Login(w http.ResponseWriter, req *http.Request) {
t, err := authr.Login(context.TODO(), a.Name, a.Password,
authr.ExpireAfter(a.TokenExpirationTime))
if err != nil {
- if err == rbac.ErrUnauthorized {
+ if err == rbacsvc.ErrUnauthorized {
log.Error("not authorized", err)
- rbac.CountFailure(ip)
+ rbacsvc.CountFailure(ip)
controller.WriteError(w, discovery.ErrUnauthorized, err.Error())
return
}
@@ -212,7 +216,7 @@ func (r *AuthResource) Login(w http.ResponseWriter, req *http.Request) {
controller.WriteError(w, discovery.ErrInternal, err.Error())
return
}
- to := &rbacframe.Token{TokenStr: t}
+ to := &rbac.Token{TokenStr: t}
b, err := json.Marshal(to)
if err != nil {
log.Error("json err", err)
diff --git a/server/resource/v4/rbac_resource_test.go b/server/resource/v4/rbac_resource_test.go
index 2a235c4..e5ef35e 100644
--- a/server/resource/v4/rbac_resource_test.go
+++ b/server/resource/v4/rbac_resource_test.go
@@ -21,13 +21,13 @@ import (
"bytes"
"context"
"encoding/json"
+ rbacmodel "github.com/go-chassis/cari/rbac"
"io/ioutil"
"net/http"
"net/http/httptest"
"testing"
"time"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/rest"
"github.com/apache/servicecomb-service-center/server/config"
v4 "github.com/apache/servicecomb-service-center/server/resource/v4"
@@ -74,7 +74,7 @@ func TestAuthResource_Login(t *testing.T) {
dao.DeleteAccount(ctx, "dev_account")
t.Run("invalid user login", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", Password: "Complicated_password1"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
@@ -83,9 +83,9 @@ func TestAuthResource_Login(t *testing.T) {
})
// root account token
- var to = &rbacframe.Token{}
+ var to = &rbacmodel.Token{}
t.Run("root login", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1", Roles: []string{"admin"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1", Roles: []string{"admin"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
@@ -95,7 +95,7 @@ func TestAuthResource_Login(t *testing.T) {
})
t.Run("invalid password", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
@@ -104,7 +104,7 @@ func TestAuthResource_Login(t *testing.T) {
})
t.Run("create dev_account", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", Password: "Complicated_password1", Roles: []string{"developer"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", Password: "Complicated_password1", Roles: []string{"developer"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/account", bytes.NewBuffer(b))
r.Header.Set(restful.HeaderAuth, "Bearer "+to.TokenStr)
@@ -114,21 +114,21 @@ func TestAuthResource_Login(t *testing.T) {
})
t.Run("dev_account login and change pwd, then login again", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", Password: "Complicated_password1", Roles: []string{"developer"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", Password: "Complicated_password1", Roles: []string{"developer"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- b2, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", CurrentPassword: "Complicated_password1", Password: "Complicated_password2"})
+ b2, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", CurrentPassword: "Complicated_password1", Password: "Complicated_password2"})
r2, _ := http.NewRequest(http.MethodPost, "/v4/account/dev_account/password", bytes.NewBuffer(b2))
r2.Header.Set(restful.HeaderAuth, "Bearer "+to.TokenStr)
w2 := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w2, r2)
assert.Equal(t, http.StatusOK, w2.Code)
- b3, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", Password: "Complicated_password2", Roles: []string{"developer"}})
+ b3, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", Password: "Complicated_password2", Roles: []string{"developer"}})
r3, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b3))
w3 := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w3, r3)
@@ -138,13 +138,13 @@ func TestAuthResource_Login(t *testing.T) {
}
func TestAuthResource_DeleteAccount(t *testing.T) {
t.Run("dev_account can not even delete him self", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", Password: "Complicated_password2", Roles: []string{"developer"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", Password: "Complicated_password2", Roles: []string{"developer"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- devTo := &rbacframe.Token{}
+ devTo := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), devTo)
r2, _ := http.NewRequest(http.MethodDelete, "/v4/account/dev_account", nil)
@@ -154,15 +154,15 @@ func TestAuthResource_DeleteAccount(t *testing.T) {
assert.Equal(t, http.StatusUnauthorized, w2.Code)
})
t.Run("root can delete account", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- to := &rbacframe.Token{}
+ to := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), to)
- b, _ = json.Marshal(&rbacframe.Account{Name: "delete_account", Password: "Complicated_password1"})
+ b, _ = json.Marshal(&rbacmodel.Account{Name: "delete_account", Password: "Complicated_password1"})
r2, _ := http.NewRequest(http.MethodPost, "/v4/account", bytes.NewBuffer(b))
r2.Header.Set(restful.HeaderAuth, "Bearer "+to.TokenStr)
w2 := httptest.NewRecorder()
@@ -178,12 +178,12 @@ func TestAuthResource_DeleteAccount(t *testing.T) {
}
func TestAuthResource_GetAccount(t *testing.T) {
t.Run("get account", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- to := &rbacframe.Token{}
+ to := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), to)
r3, _ := http.NewRequest(http.MethodGet, "/v4/account/dev_account", nil)
@@ -192,19 +192,19 @@ func TestAuthResource_GetAccount(t *testing.T) {
rest.GetRouter().ServeHTTP(w3, r3)
assert.Equal(t, http.StatusOK, w3.Code)
- a := &rbacframe.Account{}
+ a := &rbacmodel.Account{}
json.Unmarshal(w3.Body.Bytes(), a)
assert.Equal(t, "dev_account", a.Name)
assert.Equal(t, []string{"developer"}, a.Roles)
assert.Empty(t, a.Password)
})
t.Run("list account", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- to := &rbacframe.Token{}
+ to := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), to)
r3, _ := http.NewRequest(http.MethodGet, "/v4/account", nil)
@@ -213,19 +213,19 @@ func TestAuthResource_GetAccount(t *testing.T) {
rest.GetRouter().ServeHTTP(w3, r3)
assert.Equal(t, http.StatusOK, w3.Code)
- a := &rbacframe.AccountResponse{}
+ a := &rbacmodel.AccountResponse{}
json.Unmarshal(w3.Body.Bytes(), a)
assert.Greater(t, a.Total, int64(1))
assert.Empty(t, a.Accounts[0].Password)
})
t.Run("get a short expiration token", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1", TokenExpirationTime: "10s"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1", TokenExpirationTime: "10s"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- to := &rbacframe.Token{}
+ to := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), to)
time.Sleep(11 * time.Second)
@@ -238,12 +238,12 @@ func TestAuthResource_GetAccount(t *testing.T) {
}
func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
- var to = &rbacframe.Token{}
+ var to = &rbacmodel.Token{}
ctx := context.TODO()
dao.DeleteAccount(ctx, "dev_test")
dao.DeleteRole(ctx, "tester")
t.Run("root login", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1"})
r, err := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
if err != nil {
@@ -256,7 +256,7 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
})
t.Run("create account dev_test and add a role", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_test", Password: "Complicated_password3", Roles: []string{"tester"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_test", Password: "Complicated_password3", Roles: []string{"tester"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/account", bytes.NewBuffer(b))
r.Header.Set(restful.HeaderAuth, "Bearer "+to.TokenStr)
@@ -266,18 +266,18 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
})
t.Run("create a role name tester ", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_test", Password: "Complicated_password3", Roles: []string{"tester"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_test", Password: "Complicated_password3", Roles: []string{"tester"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- devToken := &rbacframe.Token{}
+ devToken := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), devToken)
- b2, _ := json.Marshal(&rbacframe.Role{
+ b2, _ := json.Marshal(&rbacmodel.Role{
Name: "tester",
- Perms: []*rbacframe.Permission{
+ Perms: []*rbacmodel.Permission{
{
Resources: []string{"service", "instance"},
Verbs: []string{"get", "create", "update"},
@@ -297,9 +297,9 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
rest.GetRouter().ServeHTTP(w3, r3)
assert.Equal(t, http.StatusOK, w3.Code)
- b4, _ := json.Marshal(&rbacframe.Role{
+ b4, _ := json.Marshal(&rbacmodel.Role{
Name: "tester",
- Perms: []*rbacframe.Permission{
+ Perms: []*rbacmodel.Permission{
{
Resources: []string{"service"},
Verbs: []string{"get", "create", "update"},
@@ -314,13 +314,13 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
})
t.Run("Inquire role", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
- to := &rbacframe.Token{}
+ to := &rbacmodel.Token{}
json.Unmarshal(w.Body.Bytes(), to)
r2, _ := http.NewRequest(http.MethodGet, "/v4/role/admin", nil)
@@ -338,14 +338,14 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
}
func TestRoleResource_MoreRoles(t *testing.T) {
- var to = &rbacframe.Token{}
+ var to = &rbacmodel.Token{}
ctx := context.TODO()
dao.DeleteAccount(ctx, "dev_test")
dao.DeleteAccount(ctx, "dev_test2")
dao.DeleteRole(ctx, "tester")
dao.DeleteRole(ctx, "tester2")
t.Run("root login", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "root", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "root", Password: "Complicated_password1"})
r, err := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
if err != nil {
@@ -358,9 +358,9 @@ func TestRoleResource_MoreRoles(t *testing.T) {
})
t.Run("create role name tester", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Role{
+ b, _ := json.Marshal(&rbacmodel.Role{
Name: "tester",
- Perms: []*rbacframe.Permission{
+ Perms: []*rbacmodel.Permission{
{
Resources: []string{"service"},
Verbs: []string{"get", "create", "update"},
@@ -376,9 +376,9 @@ func TestRoleResource_MoreRoles(t *testing.T) {
})
t.Run("create new role name tester2", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Role{
+ b, _ := json.Marshal(&rbacmodel.Role{
Name: "tester2",
- Perms: []*rbacframe.Permission{
+ Perms: []*rbacmodel.Permission{
{
Resources: []string{"rule"},
Verbs: []string{"*"},
@@ -400,7 +400,7 @@ func TestRoleResource_MoreRoles(t *testing.T) {
})
t.Run("account dev_test2 support more than 1 role ", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_test2", Password: "Complicated_password3", Roles: []string{"tester", "tester2"}})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_test2", Password: "Complicated_password3", Roles: []string{"tester", "tester2"}})
r, _ := http.NewRequest(http.MethodPost, "/v4/account", bytes.NewBuffer(b))
r.Header.Set(restful.HeaderAuth, "Bearer "+to.TokenStr)
@@ -412,7 +412,7 @@ func TestRoleResource_MoreRoles(t *testing.T) {
w2 := httptest.NewRecorder()
rest.GetRouter().ServeHTTP(w2, r2)
assert.Equal(t, http.StatusOK, w2.Code)
- devToken := &rbacframe.Token{}
+ devToken := &rbacmodel.Token{}
json.Unmarshal(w2.Body.Bytes(), devToken)
r3, _ := http.NewRequest(http.MethodGet, "/v4/default/registry/microservices", nil)
@@ -431,7 +431,7 @@ func TestRoleResource_MoreRoles(t *testing.T) {
func TestAuthResource_Login2(t *testing.T) {
t.Run("bock user dev_account", func(t *testing.T) {
- b, _ := json.Marshal(&rbacframe.Account{Name: "dev_account", Password: "Complicated_password1"})
+ b, _ := json.Marshal(&rbacmodel.Account{Name: "dev_account", Password: "Complicated_password1"})
r, _ := http.NewRequest(http.MethodPost, "/v4/token", bytes.NewBuffer(b))
w := httptest.NewRecorder()
diff --git a/server/resource/v4/role_resource.go b/server/resource/v4/role_resource.go
index 103dbfe..7f93b79 100644
--- a/server/resource/v4/role_resource.go
+++ b/server/resource/v4/role_resource.go
@@ -20,13 +20,13 @@ package v4
import (
"context"
"encoding/json"
+ "github.com/go-chassis/cari/rbac"
"io/ioutil"
"net/http"
"github.com/apache/servicecomb-service-center/datasource"
errorsEx "github.com/apache/servicecomb-service-center/pkg/errors"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/rest"
"github.com/apache/servicecomb-service-center/server/rest/controller"
"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
@@ -57,7 +57,7 @@ func (r *RoleResource) GetRolePermission(w http.ResponseWriter, req *http.Reques
controller.WriteError(w, discovery.ErrInternal, errorsEx.MsgGetRoleFailed)
return
}
- resp := &rbacframe.RoleResponse{
+ resp := &rbac.RoleResponse{
Roles: rs,
}
b, err := json.Marshal(resp)
@@ -70,8 +70,8 @@ func (r *RoleResource) GetRolePermission(w http.ResponseWriter, req *http.Reques
}
//roleParse parse the role info from the request body
-func (r *RoleResource) roleParse(body []byte) (*rbacframe.Role, error) {
- role := &rbacframe.Role{}
+func (r *RoleResource) roleParse(body []byte) (*rbac.Role, error) {
+ role := &rbac.Role{}
err := json.Unmarshal(body, role)
if err != nil {
log.Error("json err", err)
diff --git a/server/service/rbac/dao/account_dao.go b/server/service/rbac/dao/account_dao.go
index c23ff2d..930b14e 100644
--- a/server/service/rbac/dao/account_dao.go
+++ b/server/service/rbac/dao/account_dao.go
@@ -20,22 +20,22 @@ package dao
import (
"context"
+ rbacmodel "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
)
//CreateAccount save 2 kv
//1. account info
-func CreateAccount(ctx context.Context, a *rbacframe.Account) error {
+func CreateAccount(ctx context.Context, a *rbacmodel.Account) error {
return datasource.Instance().CreateAccount(ctx, a)
}
-func GetAccount(ctx context.Context, name string) (*rbacframe.Account, error) {
+func GetAccount(ctx context.Context, name string) (*rbacmodel.Account, error) {
return datasource.Instance().GetAccount(ctx, name)
}
-func ListAccount(ctx context.Context) ([]*rbacframe.Account, int64, error) {
+func ListAccount(ctx context.Context) ([]*rbacmodel.Account, int64, error) {
return datasource.Instance().ListAccount(ctx, "")
}
func AccountExist(ctx context.Context, name string) (bool, error) {
@@ -47,7 +47,7 @@ func DeleteAccount(ctx context.Context, name string) (bool, error) {
//CreateAccount save 2 kv
//1. account info
-func EditAccount(ctx context.Context, a *rbacframe.Account) error {
+func EditAccount(ctx context.Context, a *rbacmodel.Account) error {
exist, err := datasource.Instance().AccountExist(ctx, a.Name)
if err != nil {
log.Errorf(err, "can not edit account info")
diff --git a/server/service/rbac/dao/account_dao_test.go b/server/service/rbac/dao/account_dao_test.go
index 17dc308..a3e6a2d 100644
--- a/server/service/rbac/dao/account_dao_test.go
+++ b/server/service/rbac/dao/account_dao_test.go
@@ -20,9 +20,9 @@ package dao_test
// initialize
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"testing"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
_ "github.com/apache/servicecomb-service-center/test"
"github.com/astaxie/beego"
@@ -35,7 +35,7 @@ func init() {
}
func TestAccountDao_CreateAccount(t *testing.T) {
dao.DeleteAccount(context.TODO(), "admin")
- _ = dao.CreateAccount(context.Background(), &rbacframe.Account{Name: "admin", Password: "pwd"})
+ _ = dao.CreateAccount(context.Background(), &rbac.Account{Name: "admin", Password: "pwd"})
t.Run("get account", func(t *testing.T) {
r, err := dao.GetAccount(context.Background(), "admin")
assert.NoError(t, err)
diff --git a/server/service/rbac/dao/role_dao.go b/server/service/rbac/dao/role_dao.go
index efc2234..c6937ab 100644
--- a/server/service/rbac/dao/role_dao.go
+++ b/server/service/rbac/dao/role_dao.go
@@ -19,21 +19,21 @@ package dao
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
)
-func CreateRole(ctx context.Context, r *rbacframe.Role) error {
+func CreateRole(ctx context.Context, r *rbac.Role) error {
return datasource.Instance().CreateRole(ctx, r)
}
-func GetRole(ctx context.Context, name string) (*rbacframe.Role, error) {
+func GetRole(ctx context.Context, name string) (*rbac.Role, error) {
return datasource.Instance().GetRole(ctx, name)
}
-func ListRole(ctx context.Context) ([]*rbacframe.Role, int64, error) {
+func ListRole(ctx context.Context) ([]*rbac.Role, int64, error) {
return datasource.Instance().ListRole(ctx)
}
@@ -49,7 +49,7 @@ func DeleteRole(ctx context.Context, name string) (bool, error) {
return datasource.Instance().DeleteRole(ctx, name)
}
-func EditRole(ctx context.Context, a *rbacframe.Role) error {
+func EditRole(ctx context.Context, a *rbac.Role) error {
exist, err := datasource.Instance().RoleExist(ctx, a.Name)
if err != nil {
log.Errorf(err, "can not edit account info")
diff --git a/server/service/rbac/decision.go b/server/service/rbac/decision.go
index 205d52e..2bd36af 100644
--- a/server/service/rbac/decision.go
+++ b/server/service/rbac/decision.go
@@ -19,10 +19,10 @@ package rbac
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
)
func Allow(ctx context.Context, roleList []string, project, resource, verbs string) (bool, error) {
@@ -31,7 +31,7 @@ func Allow(ctx context.Context, roleList []string, project, resource, verbs stri
return true, nil
}
// allPerms combines the roleList permission
- var allPerms = make([]*rbacframe.Permission, 0)
+ var allPerms = make([]*rbac.Permission, 0)
for i := 0; i < len(roleList); i++ {
r, err := datasource.Instance().GetRole(ctx, roleList[i])
if err != nil {
diff --git a/server/service/rbac/password.go b/server/service/rbac/password.go
index a4c1332..6879043 100644
--- a/server/service/rbac/password.go
+++ b/server/service/rbac/password.go
@@ -19,8 +19,9 @@ package rbac
import (
"context"
-
"github.com/apache/servicecomb-service-center/pkg/rbacframe"
+ rbacmodel "github.com/go-chassis/cari/rbac"
+
"github.com/go-chassis/foundation/stringutil"
"golang.org/x/crypto/bcrypt"
@@ -28,7 +29,7 @@ import (
"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
)
-func ChangePassword(ctx context.Context, changerRole []string, changerName string, a *rbacframe.Account) error {
+func ChangePassword(ctx context.Context, changerRole []string, changerName string, a *rbacmodel.Account) error {
if changerName == a.Name {
if a.CurrentPassword == "" {
log.Error("current pwd is empty", nil)
@@ -79,7 +80,7 @@ func changePassword(ctx context.Context, name, currentPassword, pwd string) erro
return nil
}
-func doChangePassword(ctx context.Context, old *rbacframe.Account, pwd string) error {
+func doChangePassword(ctx context.Context, old *rbacmodel.Account, pwd string) error {
hash, err := bcrypt.GenerateFromPassword([]byte(pwd), 14)
if err != nil {
log.Error("pwd hash failed", err)
diff --git a/server/service/rbac/permission.go b/server/service/rbac/permission.go
index 3d1f6b5..3358496 100644
--- a/server/service/rbac/permission.go
+++ b/server/service/rbac/permission.go
@@ -17,7 +17,10 @@
package rbac
-import "github.com/apache/servicecomb-service-center/pkg/rbacframe"
+import (
+ "github.com/apache/servicecomb-service-center/pkg/rbacframe"
+ "github.com/go-chassis/cari/rbac"
+)
// method to verbs
var (
@@ -30,10 +33,10 @@ var (
)
// AdminPerms allocate all resource permissions
-func AdminPerms() []*rbacframe.Permission {
+func AdminPerms() []*rbac.Permission {
resources := rbacframe.BuildResourceList(ResourceAccount, ResourceRole, ResourceService, ResourceInstance,
ResourceDep, ResourceTag, ResourceRule, ResourceGovern, ResourceAdminister, ResourceSchema)
- perm := []*rbacframe.Permission{
+ perm := []*rbac.Permission{
{
Resources: resources,
Verbs: []string{"*"},
@@ -43,10 +46,10 @@ func AdminPerms() []*rbacframe.Permission {
}
// DevPerms allocate all resource permissions except account and role resources
-func DevPerms() []*rbacframe.Permission {
+func DevPerms() []*rbac.Permission {
resources := rbacframe.BuildResourceList(ResourceService, ResourceInstance,
ResourceDep, ResourceTag, ResourceRule, ResourceGovern, ResourceAdminister, ResourceSchema)
- perm := []*rbacframe.Permission{
+ perm := []*rbac.Permission{
{
Resources: resources,
Verbs: []string{"*"},
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index 08348ce..67ca5f1 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -21,6 +21,7 @@ import (
"context"
"crypto/rsa"
"errors"
+ "github.com/go-chassis/cari/rbac"
"io/ioutil"
"github.com/apache/servicecomb-service-center/datasource"
@@ -113,7 +114,7 @@ func initFirstTime(admin string) {
if pwd == "" {
log.Fatal("can not enable rbac, password is empty", nil)
}
- a := &rbacframe.Account{
+ a := &rbac.Account{
Name: admin,
Password: pwd,
Roles: []string{rbacframe.RoleAdmin},
diff --git a/server/service/rbac/rbac_test.go b/server/service/rbac/rbac_test.go
index 93e92d3..b3b5ac9 100644
--- a/server/service/rbac/rbac_test.go
+++ b/server/service/rbac/rbac_test.go
@@ -19,19 +19,19 @@ package rbac_test
import (
"context"
- "io/ioutil"
- "testing"
-
"github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/server/config"
"github.com/apache/servicecomb-service-center/server/service/rbac"
"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
_ "github.com/apache/servicecomb-service-center/test"
"github.com/astaxie/beego"
+ rbacmodel "github.com/go-chassis/cari/rbac"
"github.com/go-chassis/go-archaius"
"github.com/go-chassis/go-chassis/v2/security/authr"
"github.com/go-chassis/go-chassis/v2/security/secret"
"github.com/stretchr/testify/assert"
+ "io/ioutil"
+ "testing"
)
func init() {
@@ -79,19 +79,19 @@ func TestInitRBAC(t *testing.T) {
})
t.Run("change pwd,admin can change any one password", func(t *testing.T) {
- persisted := &rbacframe.Account{Name: "a", Password: "Complicated_password1"}
+ persisted := &rbacmodel.Account{Name: "a", Password: "Complicated_password1"}
err := dao.CreateAccount(context.Background(), persisted)
assert.NoError(t, err)
- err = rbac.ChangePassword(context.Background(), []string{rbacframe.RoleAdmin}, "admin", &rbacframe.Account{Name: "a", Password: "Complicated_password2"})
+ err = rbac.ChangePassword(context.Background(), []string{rbacframe.RoleAdmin}, "admin", &rbacmodel.Account{Name: "a", Password: "Complicated_password2"})
assert.NoError(t, err)
a, err := dao.GetAccount(context.Background(), "a")
assert.NoError(t, err)
assert.True(t, rbac.SamePassword(a.Password, "Complicated_password2"))
})
t.Run("change self password", func(t *testing.T) {
- err := dao.CreateAccount(context.Background(), &rbacframe.Account{Name: "b", Password: "Complicated_password1"})
+ err := dao.CreateAccount(context.Background(), &rbacmodel.Account{Name: "b", Password: "Complicated_password1"})
assert.NoError(t, err)
- err = rbac.ChangePassword(context.Background(), nil, "b", &rbacframe.Account{Name: "b", CurrentPassword: "Complicated_password1", Password: "Complicated_password2"})
+ err = rbac.ChangePassword(context.Background(), nil, "b", &rbacmodel.Account{Name: "b", CurrentPassword: "Complicated_password1", Password: "Complicated_password2"})
assert.NoError(t, err)
a, err := dao.GetAccount(context.Background(), "b")
assert.NoError(t, err)
@@ -138,9 +138,9 @@ func TestInitRBAC(t *testing.T) {
assert.NoError(t, err)
})
- tester := &rbacframe.Role{
+ tester := &rbacmodel.Role{
Name: "tester",
- Perms: []*rbacframe.Permission{
+ Perms: []*rbacmodel.Permission{
{
Resources: []string{"service", "instance"},
Verbs: []string{"get", "create", "update"},
diff --git a/server/service/rbac/role.go b/server/service/rbac/role.go
index eaf09c9..d0b03dd 100644
--- a/server/service/rbac/role.go
+++ b/server/service/rbac/role.go
@@ -19,17 +19,17 @@ package rbac
import (
"context"
+ "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
)
-var roleMap = map[string]*rbacframe.Role{}
+var roleMap = map[string]*rbac.Role{}
// Assign resources to admin role, admin role own all permissions
func initAdminRole() {
- roleMap["admin"] = &rbacframe.Role{
+ roleMap["admin"] = &rbac.Role{
Name: "admin",
Perms: AdminPerms(),
}
@@ -41,7 +41,7 @@ func initAdminRole() {
// Assign resources to developer role
func initDevRole() {
- roleMap["developer"] = &rbacframe.Role{
+ roleMap["developer"] = &rbac.Role{
Name: "developer",
Perms: DevPerms(),
}
diff --git a/server/service/validate.go b/server/service/validate.go
index 8306b50..1e443a5 100644
--- a/server/service/validate.go
+++ b/server/service/validate.go
@@ -23,9 +23,9 @@ import (
"regexp"
"github.com/apache/servicecomb-service-center/pkg/log"
- "github.com/apache/servicecomb-service-center/pkg/rbacframe"
"github.com/apache/servicecomb-service-center/pkg/validate"
pb "github.com/go-chassis/cari/discovery"
+ "github.com/go-chassis/cari/rbac"
)
var createAccountValidator = &validate.Validator{}
@@ -121,21 +121,21 @@ func baseCheck(v interface{}) error {
}
return nil
}
-func ValidateCreateAccount(a *rbacframe.Account) error {
+func ValidateCreateAccount(a *rbac.Account) error {
err := baseCheck(a)
if err != nil {
return err
}
return createAccountValidator.Validate(a)
}
-func ValidateAccountLogin(a *rbacframe.Account) error {
+func ValidateAccountLogin(a *rbac.Account) error {
err := baseCheck(a)
if err != nil {
return err
}
return accountLoginValidator.Validate(a)
}
-func ValidateChangePWD(a *rbacframe.Account) error {
+func ValidateChangePWD(a *rbac.Account) error {
err := baseCheck(a)
if err != nil {
return err