Posted to commits@servicecomb.apache.org by ti...@apache.org on 2021/05/19 23:38:52 UTC
[servicecomb-service-center] branch master updated: SCB-2176 Update
CARI (#984)
This is an automated email from the ASF dual-hosted git repository.
tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push:
new a659a4d SCB-2176 Update CARI (#984)
a659a4d is described below
commit a659a4d1046b7e61e6e55a1fe5c21f1011d025a0
Author: little-cui <su...@qq.com>
AuthorDate: Thu May 20 07:38:46 2021 +0800
SCB-2176 Update CARI (#984)
---
go.mod | 2 +-
go.sum | 5 +++++
pkg/rbacframe/api.go | 9 ++++++---
server/resource/v4/rbac_resource_test.go | 8 ++++----
server/service/rbac/decision.go | 12 +++++++-----
server/service/rbac/rbac_test.go | 4 ++--
6 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/go.mod b/go.mod
index bb88144..09e6eb3 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
github.com/elithrar/simple-scrypt v1.3.0
github.com/fatih/color v1.10.0 // indirect
github.com/ghodss/yaml v1.0.0
- github.com/go-chassis/cari v0.3.1-0.20210508100214-a13e083de04e
+ github.com/go-chassis/cari v0.3.1-0.20210519092219-69f9f0fc3452
github.com/go-chassis/foundation v0.3.1-0.20210513015331-b54416b66bcd
github.com/go-chassis/go-archaius v1.5.1
github.com/go-chassis/go-chassis/v2 v2.1.2-0.20210310004133-c9bc42149a18
diff --git a/go.sum b/go.sum
index 5af479f..6dab41d 100644
--- a/go.sum
+++ b/go.sum
@@ -124,6 +124,8 @@ github.com/gin-gonic/gin v1.4.0/go.mod h1:OW2EZn3DO8Ln9oIKOvM++LBO+5UPHJJDH72/q/
github.com/go-chassis/cari v0.0.0-20201210041921-7b6fbef2df11/go.mod h1:MgtsEI0AM4Ush6Lyw27z9Gk4nQ/8GWTSXrFzupawWDM=
github.com/go-chassis/cari v0.3.1-0.20210508100214-a13e083de04e h1:YLXfK7pSRsYK7EzUnv7WDgJNOHQSXz+UIEbOF86XI6Q=
github.com/go-chassis/cari v0.3.1-0.20210508100214-a13e083de04e/go.mod h1:Ie2lW11Y5ZFClY9z7bhAwK6BoNxqGSf3fYGs4mPFs74=
+github.com/go-chassis/cari v0.3.1-0.20210519092219-69f9f0fc3452 h1:G2Qlpg17t0oULhz0Eu3NQgkxKDcNbpGpmgtMR6RZvwk=
+github.com/go-chassis/cari v0.3.1-0.20210519092219-69f9f0fc3452/go.mod h1:av/19fqwEP4eOC8unL/z67AAbFDwXUCko6SKa4Avrd8=
github.com/go-chassis/foundation v0.2.2-0.20201210043510-9f6d3de40234/go.mod h1:2PjwqpVwYEVaAldl5A58a08viH8p27pNeYaiE3ZxOBA=
github.com/go-chassis/foundation v0.2.2/go.mod h1:2PjwqpVwYEVaAldl5A58a08viH8p27pNeYaiE3ZxOBA=
github.com/go-chassis/foundation v0.3.0/go.mod h1:2PjwqpVwYEVaAldl5A58a08viH8p27pNeYaiE3ZxOBA=
@@ -320,6 +322,9 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/karlseguin/ccache v2.0.3-0.20170217060820-3ba9789cfd2c+incompatible h1:Yvcw4N+1TaDTNkIuHn3gn8D1KP7Wxn4LP5GngDPWcPQ=
github.com/karlseguin/ccache v2.0.3-0.20170217060820-3ba9789cfd2c+incompatible/go.mod h1:CM9tNPzT6EdRh14+jiW8mEF9mkNZuuE51qmgGYUB93w=
+github.com/karlseguin/ccache/v2 v2.0.8 h1:lT38cE//uyf6KcFok0rlgXtGFBWxkI6h/qg4tbFyDnA=
+github.com/karlseguin/ccache/v2 v2.0.8/go.mod h1:2BDThcfQMf/c0jnZowt16eW405XIqZPavt+HoYEtcxQ=
+github.com/karlseguin/expect v1.0.2-0.20190806010014-778a5f0c6003/go.mod h1:zNBxMY8P21owkeogJELCLeHIt+voOSduHYTFUbwRAV8=
github.com/karlseguin/expect v1.0.7 h1:OF4mqjblc450v8nKARBS5Q0AweBNR0A+O3VjjpxwBrg=
github.com/karlseguin/expect v1.0.7/go.mod h1:lXdI8iGiQhmzpnnmU/EGA60vqKs8NbRNFnhhrJGoD5g=
github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
diff --git a/pkg/rbacframe/api.go b/pkg/rbacframe/api.go
index 00e1186..8dc46b7 100644
--- a/pkg/rbacframe/api.go
+++ b/pkg/rbacframe/api.go
@@ -20,6 +20,7 @@ package rbacframe
import (
"crypto/rsa"
+ "github.com/go-chassis/cari/rbac"
"github.com/apache/servicecomb-service-center/pkg/util"
"github.com/go-chassis/go-chassis/v2/security/token"
@@ -75,10 +76,12 @@ func GetRolesList(v interface{}) ([]string, error) {
}
//BuildResourceList join the resource to an array
-func BuildResourceList(resourceType ...string) []string {
- rt := make([]string, len(resourceType))
+func BuildResourceList(resourceType ...string) []*rbac.Resource {
+ rt := make([]*rbac.Resource, len(resourceType))
for i := 0; i < len(resourceType); i++ {
- rt[i] = resourceType[i]
+ rt[i] = &rbac.Resource{
+ Type: resourceType[i],
+ }
}
return rt
}
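Review bot: The doc comment on `BuildResourceList` still says it joins the resource to an array, but the function now returns `*rbac.Resource` values with only `Type` populated. Any other field of `rbac.Resource` keeps its zero value, and how the permission check treats an unset field is not visible in this hunk, so callers should be told. Suggested comment: `// BuildResourceList wraps each resource type in an rbac.Resource with only Type set; every other field keeps its zero value.` As a style point, the index loop reads more simply as `for i, t := range resourceType`.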
diff --git a/server/resource/v4/rbac_resource_test.go b/server/resource/v4/rbac_resource_test.go
index 6a6bace..7e01a10 100644
--- a/server/resource/v4/rbac_resource_test.go
+++ b/server/resource/v4/rbac_resource_test.go
@@ -298,7 +298,7 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
Name: "tester",
Perms: []*rbacmodel.Permission{
{
- Resources: []string{"service", "instance"},
+ Resources: []*rbacmodel.Resource{{Type: "service"}, {Type: "instance"}},
Verbs: []string{"get", "create", "update"},
},
},
@@ -320,7 +320,7 @@ func TestRoleResource_CreateOrUpdateRole(t *testing.T) {
Name: "tester",
Perms: []*rbacmodel.Permission{
{
- Resources: []string{"service"},
+ Resources: []*rbacmodel.Resource{{Type: "service"}},
Verbs: []string{"get", "create", "update"},
},
},
@@ -381,7 +381,7 @@ func TestRoleResource_MoreRoles(t *testing.T) {
Name: "tester",
Perms: []*rbacmodel.Permission{
{
- Resources: []string{"service"},
+ Resources: []*rbacmodel.Resource{{Type: "service"}},
Verbs: []string{"get", "create", "update"},
},
},
@@ -399,7 +399,7 @@ func TestRoleResource_MoreRoles(t *testing.T) {
Name: "tester2",
Perms: []*rbacmodel.Permission{
{
- Resources: []string{"rule"},
+ Resources: []*rbacmodel.Resource{{Type: "rule"}},
Verbs: []string{"*"},
},
},
diff --git a/server/service/rbac/decision.go b/server/service/rbac/decision.go
index 006603e..ddf0650 100644
--- a/server/service/rbac/decision.go
+++ b/server/service/rbac/decision.go
@@ -28,7 +28,7 @@ import (
func Allow(ctx context.Context, roleList []string, project, resource, verbs string) (bool, error) {
//TODO check project
- if ableToAccessResource(roleList, "admin") {
+ if ableToOperateResource(roleList, "admin") {
return true, nil
}
// allPerms combines the roleList permission
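Review bot: The admin short-circuit in `Allow` now calls `ableToOperateResource`, which after this commit returns true when any element equals `"*"` as well as the needle. A role list containing a role literally named `*` would therefore skip every permission check, just as `admin` does, whereas the old call matched only the exact string `admin`. Whether role creation rejects `*` as a name is not visible here, so role names are safer compared exactly, with the wildcard-aware helper kept for lists where a wildcard is intended. The body of `Allow` continues outside this hunk.

```go
// hasRole reports whether roles contains name exactly; "*" is not a wildcard here.
func hasRole(roles []string, name string) bool {
	for _, r := range roles {
		if r == name {
			return true
		}
	}
	return false
}

func Allow(ctx context.Context, roleList []string, project, resource, verbs string) (bool, error) {
	//TODO check project
	if hasRole(roleList, "admin") {
		return true, nil
	}
	// … unchanged: permission lookup and matching …
```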
@@ -61,15 +61,17 @@ func Allow(ctx context.Context, roleList []string, project, resource, verbs stri
}
func ableToOperateResource(haystack []string, needle string) bool {
- if ableToAccessResource(haystack, "*") || ableToAccessResource(haystack, needle) {
- return true
+ for _, e := range haystack {
+ if e == "*" || e == needle {
+ return true
+ }
}
return false
}
-func ableToAccessResource(haystack []string, needle string) bool {
+func ableToAccessResource(haystack []*rbac.Resource, needle string) bool {
for _, e := range haystack {
- if e == needle {
+ if e.Type == needle {
return true
}
}
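Review bot: `ableToAccessResource` dereferences `e.Type` on every element of a `[]*rbac.Resource`, so a nil entry in a role's resource list would panic inside the authorization path. Where these slices come from is not visible here, but if they are decoded from stored or submitted role definitions a `null` element is possible. Guarding with `if e != nil && e.Type == needle {` keeps the check fail-closed. Separately, the wildcard match now lives only in the `[]string` helper, so this function matches a resource whose `Type` is `*` only literally. If wildcard resources are meant to work, that must be handled at the call site, which is outside this hunk, as is the end of this function.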
diff --git a/server/service/rbac/rbac_test.go b/server/service/rbac/rbac_test.go
index 0dcb210..cb63543 100644
--- a/server/service/rbac/rbac_test.go
+++ b/server/service/rbac/rbac_test.go
@@ -151,11 +151,11 @@ func TestInitRBAC(t *testing.T) {
Name: "tester",
Perms: []*rbacmodel.Permission{
{
- Resources: []string{"service", "instance"},
+ Resources: []*rbacmodel.Resource{{Type: "service"}, {Type: "instance"}},
Verbs: []string{"get", "create", "update"},
},
{
- Resources: []string{"rule"},
+ Resources: []*rbacmodel.Resource{{Type: "rule"}},
Verbs: []string{"*"},
},
},