Example 1 with RoleInfo

Use of com.alibaba.nacos.config.server.auth.RoleInfo in project XHuiCloud by sindaZeng.

Class NacosAuthManager, method loginRemote:

@Override
public User loginRemote(Object request) throws AccessException {
    Request req = (Request) request;
    String token = resolveToken(req);
    if (StringUtils.isBlank(token)) {
        throw new AccessException("user not found!");
    }
    try {
        tokenManager.validateToken(token);
    } catch (ExpiredJwtException e) {
        throw new AccessException("token expired!");
    } catch (Exception e) {
        throw new AccessException("token invalid!");
    }
    Authentication authentication = tokenManager.getAuthentication(token);
    SecurityContextHolder.getContext().setAuthentication(authentication);
    String username = authentication.getName();
    NacosUser user = new NacosUser();
    user.setUserName(username);
    user.setToken(token);
    List<RoleInfo> roleInfoList = roleService.getRoles(username);
    if (roleInfoList != null) {
        for (RoleInfo roleInfo : roleInfoList) {
            if (roleInfo.getRole().equals(NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE)) {
                user.setGlobalAdmin(true);
                break;
            }
        }
    }
    return user;
}
Also used : AccessException(com.alibaba.nacos.auth.exception.AccessException) ExpiredJwtException(io.jsonwebtoken.ExpiredJwtException) NacosUser(com.alibaba.nacos.security.nacos.users.NacosUser) RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo) Authentication(org.springframework.security.core.Authentication) Request(com.alibaba.nacos.api.remote.request.Request) HttpServletRequest(javax.servlet.http.HttpServletRequest) AccessException(com.alibaba.nacos.auth.exception.AccessException) ExpiredJwtException(io.jsonwebtoken.ExpiredJwtException) AuthenticationException(org.springframework.security.core.AuthenticationException)

Example 2 with RoleInfo

Use of com.alibaba.nacos.config.server.auth.RoleInfo in project XHuiCloud by sindaZeng.

Class NacosRoleServiceImpl, method hasPermission:

/**
 * Determine if the user has permission of the resource.
 *
 * <p>
 * Note if the user has many roles, this method returns true if any one role of the
 * user has the desired permission.
 * @param username user info
 * @param permission permission to auth
 * @return true if granted, false otherwise
 */
public boolean hasPermission(String username, Permission permission) {
    // update password
    if (NacosAuthConfig.UPDATE_PASSWORD_ENTRY_POINT.equals(permission.getResource())) {
        return true;
    }
    List<RoleInfo> roleInfoList = getRoles(username);
    if (Collections.isEmpty(roleInfoList)) {
        return false;
    }
    // Global admin pass:
    for (RoleInfo roleInfo : roleInfoList) {
        if (GLOBAL_ADMIN_ROLE.equals(roleInfo.getRole())) {
            return true;
        }
    }
    // Old global admin can pass resource 'console/':
    if (permission.getResource().startsWith(NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX)) {
        return false;
    }
    // For other roles, use a pattern match to decide if pass or not.
    for (RoleInfo roleInfo : roleInfoList) {
        List<PermissionInfo> permissionInfoList = getPermissions(roleInfo.getRole());
        if (Collections.isEmpty(permissionInfoList)) {
            continue;
        }
        for (PermissionInfo permissionInfo : permissionInfoList) {
            String permissionResource = permissionInfo.getResource().replaceAll("\\*", ".*");
            String permissionAction = permissionInfo.getAction();
            if (permissionAction.contains(permission.getAction()) && Pattern.matches(permissionResource, permission.getResource())) {
                return true;
            }
        }
    }
    return false;
}
Also used : PermissionInfo(com.alibaba.nacos.config.server.auth.PermissionInfo) RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)

Example 3 with RoleInfo

Use of com.alibaba.nacos.config.server.auth.RoleInfo in project XHuiCloud by sindaZeng.

Class NacosRoleServiceImpl, method reload:

@Scheduled(initialDelay = 5000, fixedDelay = 15000)
private void reload() {
    try {
        Page<RoleInfo> roleInfoPage = rolePersistService.getRolesByUserName(StringUtils.EMPTY, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
        if (roleInfoPage == null) {
            return;
        }
        Set<String> tmpRoleSet = new HashSet<>(16);
        Map<String, List<RoleInfo>> tmpRoleInfoMap = new ConcurrentHashMap<>(16);
        for (RoleInfo roleInfo : roleInfoPage.getPageItems()) {
            if (!tmpRoleInfoMap.containsKey(roleInfo.getUsername())) {
                tmpRoleInfoMap.put(roleInfo.getUsername(), new ArrayList<>());
            }
            tmpRoleInfoMap.get(roleInfo.getUsername()).add(roleInfo);
            tmpRoleSet.add(roleInfo.getRole());
        }
        Map<String, List<PermissionInfo>> tmpPermissionInfoMap = new ConcurrentHashMap<>(16);
        for (String role : tmpRoleSet) {
            Page<PermissionInfo> permissionInfoPage = permissionPersistService.getPermissions(role, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
            tmpPermissionInfoMap.put(role, permissionInfoPage.getPageItems());
        }
        roleSet = tmpRoleSet;
        roleInfoMap = tmpRoleInfoMap;
        permissionInfoMap = tmpPermissionInfoMap;
    } catch (Exception e) {
        Loggers.AUTH.warn("[LOAD-ROLES] load failed", e);
    }
}
Also used : PermissionInfo(com.alibaba.nacos.config.server.auth.PermissionInfo) RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) ConcurrentHashSet(org.apache.mina.util.ConcurrentHashSet) Scheduled(org.springframework.scheduling.annotation.Scheduled)

Example 4 with RoleInfo

Use of com.alibaba.nacos.config.server.auth.RoleInfo in project nacos by alibaba.

Class NacosRoleServiceImpl, method hasPermission:

/**
 * Determine if the user has permission of the resource.
 *
 * <p>Note if the user has many roles, this method returns true if any one role of the user has the desired
 * permission.
 *
 * @param username   user info
 * @param permission permission to auth
 * @return true if granted, false otherwise
 */
public boolean hasPermission(String username, Permission permission) {
    // update password
    if (NacosAuthConfig.UPDATE_PASSWORD_ENTRY_POINT.equals(permission.getResource())) {
        return true;
    }
    List<RoleInfo> roleInfoList = getRoles(username);
    if (Collections.isEmpty(roleInfoList)) {
        return false;
    }
    // Global admin pass:
    for (RoleInfo roleInfo : roleInfoList) {
        if (GLOBAL_ADMIN_ROLE.equals(roleInfo.getRole())) {
            return true;
        }
    }
    // Old global admin can pass resource 'console/':
    if (permission.getResource().startsWith(NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX)) {
        return false;
    }
    // For other roles, use a pattern match to decide if pass or not.
    for (RoleInfo roleInfo : roleInfoList) {
        List<PermissionInfo> permissionInfoList = getPermissions(roleInfo.getRole());
        if (Collections.isEmpty(permissionInfoList)) {
            continue;
        }
        for (PermissionInfo permissionInfo : permissionInfoList) {
            String permissionResource = permissionInfo.getResource().replaceAll("\\*", ".*");
            String permissionAction = permissionInfo.getAction();
            if (permissionAction.contains(permission.getAction()) && Pattern.matches(permissionResource, permission.getResource())) {
                return true;
            }
        }
    }
    return false;
}
Also used : PermissionInfo(com.alibaba.nacos.config.server.auth.PermissionInfo) RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)

Example 5 with RoleInfo

Use of com.alibaba.nacos.config.server.auth.RoleInfo in project nacos by alibaba.

Class UserController, method deleteUser:

/**
 * Delete an existed user.
 *
 * @param username username of user
 * @return ok if deleted succeed, keep silent if user not exist
 * @since 1.2.0
 */
@DeleteMapping
@Secured(resource = NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX + "users", action = ActionTypes.WRITE)
public Object deleteUser(@RequestParam String username) {
    List<RoleInfo> roleInfoList = roleService.getRoles(username);
    if (roleInfoList != null) {
        for (RoleInfo roleInfo : roleInfoList) {
            if (roleInfo.getRole().equals(NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE)) {
                throw new IllegalArgumentException("cannot delete admin: " + username);
            }
        }
    }
    userDetailsService.deleteUser(username);
    return RestResultUtils.success("delete user ok!");
}
Also used : RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo) DeleteMapping(org.springframework.web.bind.annotation.DeleteMapping) Secured(com.alibaba.nacos.auth.annotation.Secured)

Aggregations (type, usage count across the examples above)

RoleInfo (com.alibaba.nacos.config.server.auth.RoleInfo) 10
AccessException (com.alibaba.nacos.auth.exception.AccessException) 4
PermissionInfo (com.alibaba.nacos.config.server.auth.PermissionInfo) 4
ExpiredJwtException (io.jsonwebtoken.ExpiredJwtException) 4
HttpServletRequest (javax.servlet.http.HttpServletRequest) 4
Authentication (org.springframework.security.core.Authentication) 4
AuthenticationException (org.springframework.security.core.AuthenticationException) 4
Request (com.alibaba.nacos.api.remote.request.Request) 2
Secured (com.alibaba.nacos.auth.annotation.Secured) 2
NacosUser (com.alibaba.nacos.console.security.nacos.users.NacosUser) 2
NacosUser (com.alibaba.nacos.security.nacos.users.NacosUser) 2
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap) 2
ConcurrentHashSet (org.apache.mina.util.ConcurrentHashSet) 2
Scheduled (org.springframework.scheduling.annotation.Scheduled) 2
ArrayList (java.util.ArrayList) 1
HashSet (java.util.HashSet) 1
List (java.util.List) 1
DeleteMapping (org.springframework.web.bind.annotation.DeleteMapping) 1