Example 1 with RoleInfo
use of com.alibaba.nacos.config.server.auth.RoleInfo in project XHuiCloud by sindaZeng.
the class NacosAuthManager method loginRemote.
@Override
public User loginRemote(Object request) throws AccessException {
Request req = (Request) request;
String token = resolveToken(req);
if (StringUtils.isBlank(token)) {
throw new AccessException("user not found!");
}
try {
tokenManager.validateToken(token);
} catch (ExpiredJwtException e) {
throw new AccessException("token expired!");
} catch (Exception e) {
throw new AccessException("token invalid!");
}
Authentication authentication = tokenManager.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
String username = authentication.getName();
NacosUser user = new NacosUser();
user.setUserName(username);
user.setToken(token);
List<RoleInfo> roleInfoList = roleService.getRoles(username);
if (roleInfoList != null) {
for (RoleInfo roleInfo : roleInfoList) {
if (roleInfo.getRole().equals(NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE)) {
user.setGlobalAdmin(true);
break;
}
}
}
return user;
}
Also used :
AccessException(com.alibaba.nacos.auth.exception.AccessException)
ExpiredJwtException(io.jsonwebtoken.ExpiredJwtException)
NacosUser(com.alibaba.nacos.security.nacos.users.NacosUser)
RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)
Authentication(org.springframework.security.core.Authentication)
Request(com.alibaba.nacos.api.remote.request.Request)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
AccessException(com.alibaba.nacos.auth.exception.AccessException)
ExpiredJwtException(io.jsonwebtoken.ExpiredJwtException)
AuthenticationException(org.springframework.security.core.AuthenticationException)
Example 2 with RoleInfo
use of com.alibaba.nacos.config.server.auth.RoleInfo in project XHuiCloud by sindaZeng.
the class NacosRoleServiceImpl method hasPermission.
/**
* Determine if the user has permission of the resource.
*
* <p>
* Note if the user has many roles, this method returns true if any one role of the
* user has the desired permission.
* @param username user info
* @param permission permission to auth
* @return true if granted, false otherwise
*/
public boolean hasPermission(String username, Permission permission) {
// update password
if (NacosAuthConfig.UPDATE_PASSWORD_ENTRY_POINT.equals(permission.getResource())) {
return true;
}
List<RoleInfo> roleInfoList = getRoles(username);
if (Collections.isEmpty(roleInfoList)) {
return false;
}
// Global admin pass:
for (RoleInfo roleInfo : roleInfoList) {
if (GLOBAL_ADMIN_ROLE.equals(roleInfo.getRole())) {
return true;
}
}
// Old global admin can pass resource 'console/':
if (permission.getResource().startsWith(NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX)) {
return false;
}
// For other roles, use a pattern match to decide if pass or not.
for (RoleInfo roleInfo : roleInfoList) {
List<PermissionInfo> permissionInfoList = getPermissions(roleInfo.getRole());
if (Collections.isEmpty(permissionInfoList)) {
continue;
}
for (PermissionInfo permissionInfo : permissionInfoList) {
String permissionResource = permissionInfo.getResource().replaceAll("\\*", ".*");
String permissionAction = permissionInfo.getAction();
if (permissionAction.contains(permission.getAction()) && Pattern.matches(permissionResource, permission.getResource())) {
return true;
}
}
}
return false;
}
Also used :
PermissionInfo(com.alibaba.nacos.config.server.auth.PermissionInfo)
RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)
Example 3 with RoleInfo
use of com.alibaba.nacos.config.server.auth.RoleInfo in project XHuiCloud by sindaZeng.
the class NacosRoleServiceImpl method reload.
@Scheduled(initialDelay = 5000, fixedDelay = 15000)
private void reload() {
try {
Page<RoleInfo> roleInfoPage = rolePersistService.getRolesByUserName(StringUtils.EMPTY, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
if (roleInfoPage == null) {
return;
}
Set<String> tmpRoleSet = new HashSet<>(16);
Map<String, List<RoleInfo>> tmpRoleInfoMap = new ConcurrentHashMap<>(16);
for (RoleInfo roleInfo : roleInfoPage.getPageItems()) {
if (!tmpRoleInfoMap.containsKey(roleInfo.getUsername())) {
tmpRoleInfoMap.put(roleInfo.getUsername(), new ArrayList<>());
}
tmpRoleInfoMap.get(roleInfo.getUsername()).add(roleInfo);
tmpRoleSet.add(roleInfo.getRole());
}
Map<String, List<PermissionInfo>> tmpPermissionInfoMap = new ConcurrentHashMap<>(16);
for (String role : tmpRoleSet) {
Page<PermissionInfo> permissionInfoPage = permissionPersistService.getPermissions(role, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
tmpPermissionInfoMap.put(role, permissionInfoPage.getPageItems());
}
roleSet = tmpRoleSet;
roleInfoMap = tmpRoleInfoMap;
permissionInfoMap = tmpPermissionInfoMap;
} catch (Exception e) {
Loggers.AUTH.warn("[LOAD-ROLES] load failed", e);
}
}
Also used :
PermissionInfo(com.alibaba.nacos.config.server.auth.PermissionInfo)
RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
ConcurrentHashSet(org.apache.mina.util.ConcurrentHashSet)
Scheduled(org.springframework.scheduling.annotation.Scheduled)
Example 4 with RoleInfo
use of com.alibaba.nacos.config.server.auth.RoleInfo in project nacos by alibaba.
the class NacosRoleServiceImpl method hasPermission.
/**
* Determine if the user has permission of the resource.
*
* <p>Note if the user has many roles, this method returns true if any one role of the user has the desired
* permission.
*
* @param username user info
* @param permission permission to auth
* @return true if granted, false otherwise
*/
public boolean hasPermission(String username, Permission permission) {
// update password
if (NacosAuthConfig.UPDATE_PASSWORD_ENTRY_POINT.equals(permission.getResource())) {
return true;
}
List<RoleInfo> roleInfoList = getRoles(username);
if (Collections.isEmpty(roleInfoList)) {
return false;
}
// Global admin pass:
for (RoleInfo roleInfo : roleInfoList) {
if (GLOBAL_ADMIN_ROLE.equals(roleInfo.getRole())) {
return true;
}
}
// Old global admin can pass resource 'console/':
if (permission.getResource().startsWith(NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX)) {
return false;
}
// For other roles, use a pattern match to decide if pass or not.
for (RoleInfo roleInfo : roleInfoList) {
List<PermissionInfo> permissionInfoList = getPermissions(roleInfo.getRole());
if (Collections.isEmpty(permissionInfoList)) {
continue;
}
for (PermissionInfo permissionInfo : permissionInfoList) {
String permissionResource = permissionInfo.getResource().replaceAll("\\*", ".*");
String permissionAction = permissionInfo.getAction();
if (permissionAction.contains(permission.getAction()) && Pattern.matches(permissionResource, permission.getResource())) {
return true;
}
}
}
return false;
}
Also used :
PermissionInfo(com.alibaba.nacos.config.server.auth.PermissionInfo)
RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)
Example 5 with RoleInfo
use of com.alibaba.nacos.config.server.auth.RoleInfo in project nacos by alibaba.
the class UserController method deleteUser.
/**
* Delete an existed user.
*
* @param username username of user
* @return ok if deleted succeed, keep silent if user not exist
* @since 1.2.0
*/
@DeleteMapping
@Secured(resource = NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX + "users", action = ActionTypes.WRITE)
public Object deleteUser(@RequestParam String username) {
List<RoleInfo> roleInfoList = roleService.getRoles(username);
if (roleInfoList != null) {
for (RoleInfo roleInfo : roleInfoList) {
if (roleInfo.getRole().equals(NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE)) {
throw new IllegalArgumentException("cannot delete admin: " + username);
}
}
}
userDetailsService.deleteUser(username);
return RestResultUtils.success("delete user ok!");
}
Also used :
RoleInfo(com.alibaba.nacos.config.server.auth.RoleInfo)
DeleteMapping(org.springframework.web.bind.annotation.DeleteMapping)
Secured(com.alibaba.nacos.auth.annotation.Secured)
Aggregations
RoleInfo (com.alibaba.nacos.config.server.auth.RoleInfo)10
AccessException (com.alibaba.nacos.auth.exception.AccessException)4
PermissionInfo (com.alibaba.nacos.config.server.auth.PermissionInfo)4
ExpiredJwtException (io.jsonwebtoken.ExpiredJwtException)4
HttpServletRequest (javax.servlet.http.HttpServletRequest)4
Authentication (org.springframework.security.core.Authentication)4
AuthenticationException (org.springframework.security.core.AuthenticationException)4
Request (com.alibaba.nacos.api.remote.request.Request)2
Secured (com.alibaba.nacos.auth.annotation.Secured)2
NacosUser (com.alibaba.nacos.console.security.nacos.users.NacosUser)2
NacosUser (com.alibaba.nacos.security.nacos.users.NacosUser)2
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)2
ConcurrentHashSet (org.apache.mina.util.ConcurrentHashSet)2
Scheduled (org.springframework.scheduling.annotation.Scheduled)2
ArrayList (java.util.ArrayList)1
HashSet (java.util.HashSet)1
List (java.util.List)1
DeleteMapping (org.springframework.web.bind.annotation.DeleteMapping)1
