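/**
 * Checks whether {@code user} may access {@code path} with the given {@code method}.
 *
 * <p>Decision order: a user whose realm is not the doorkeeper realm is denied; a super
 * admin is allowed; every other user is checked against the doorkeeper API client's
 * resources, using the URI key {@code method + KV_DELIMITER + path}. An unresolvable
 * API client and an empty or null check result are both treated as a denial, so the
 * method fails closed.
 *
 * <p>NOTE(review): the original comment also mentioned a "public realm", but only the
 * doorkeeper realm id is compared here.
 *
 * @param user   the user being authorised; its realm id and user id are read
 * @param path   the request path to check
 * @param method the request method; its string form is prefixed to the path
 * @return {@code true} if the check returned at least one matching resource
 */
public boolean hasUriPermission(UserPO user, String path, UriMethod method) {
    // Only users of the doorkeeper realm itself are evaluated here.
    if (!getDoorkeeperRealmId().equals(user.getRealmId())) {
        return false;
    }
    // Super admins bypass resource-level checks.
    if (isSuperAdmin(user.getUserId())) {
        return true;
    }
    // Resolve the doorkeeper API client; without it no resource can be matched, so deny
    // explicitly instead of failing with a NullPointerException.
    ClientPO apiClient = clientMapper.getByName(getDoorkeeperRealmId(), DoorkeeperConstants.API_CLIENT);
    if (apiClient == null) {
        return false;
    }
    String uri = method + DoorkeeperConstants.KV_DELIMITER + path;
    ResourceCheckParam checkParam = new ResourceCheckParam()
            .setClientId(apiClient.getClientId())
            .setUris(Collections.singletonList(uri));
    ResourceCheckResult checkResult = resourceChecker.check(user.getUserId(), checkParam);
    // Null-safe, consistent with the other callers in this class that treat a null
    // resource list as "nothing granted".
    return !CollectionUtils.isEmpty(checkResult.getResources());
}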
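/**
 * Lists the clients of {@code realmId} visible to {@code userId}, filtered by {@code param}.
 *
 * <p>A super admin sees every client of the realm. Any other user is restricted to the
 * client ids carried by the {@code type=clientOwn} resources granted through the
 * doorkeeper API client (tag key {@code CLIENT_ID}). When that id set is empty the
 * method returns an empty list without querying: the original code passed an empty
 * collection to {@code in(...)}, whose result depends on the query-builder version,
 * so the outcome is now deterministic and fails closed.
 *
 * @param realmId the realm whose clients are listed
 * @param userId  the user whose ownership is checked
 * @param param   exact-name ({@code name}) and fuzzy-name ({@code dimName}) filters;
 *                blank values are ignored
 * @return matching clients ordered by client id descending, never {@code null}
 */
public List<ClientVO> userClients(Long realmId, Long userId, ClientQueryParam param) {
    // null means "no ownership restriction", i.e. the caller is a super admin.
    List<Long> clientIds = null;
    if (!isSuperAdmin(userId)) {
        clientIds = ownedClientIds(userId);
        if (clientIds.isEmpty()) {
            // Nothing owned: no result, and no empty IN (...) sent to the query builder.
            return new ArrayList<>();
        }
    }
    LambdaQueryWrapper<ClientPO> query = Wrappers.<ClientPO>lambdaQuery()
            .eq(ClientPO::getRealmId, realmId)
            .eq(StringUtils.isNotBlank(param.getName()), ClientPO::getName, param.getName())
            .like(StringUtils.isNotBlank(param.getDimName()), ClientPO::getName, param.getDimName())
            .in(clientIds != null, ClientPO::getClientId, clientIds)
            .orderByDesc(ClientPO::getClientId);
    List<ClientPO> clients = clientMapper.selectList(query);
    return EnhancedBeanUtils.createAndCopyList(clients, ClientVO.class);
}

/**
 * Collects the client ids granted to {@code userId} through {@code type=clientOwn}
 * resources of the doorkeeper API client; the id is read from the first resource tag
 * keyed {@code CLIENT_ID}.
 *
 * @param userId the user whose grants are resolved
 * @return the owned client ids; empty when the API client cannot be resolved or when
 *         no resource (or no tagged resource) is granted
 */
private List<Long> ownedClientIds(Long userId) {
    List<Long> clientIds = new ArrayList<>();
    ClientPO apiClient = clientMapper.getByName(getDoorkeeperRealmId(), DoorkeeperConstants.API_CLIENT);
    if (apiClient == null) {
        // Fail closed rather than dereference a missing client.
        return clientIds;
    }
    ResourceCheckParam checkParam = new ResourceCheckParam();
    checkParam.setClientId(apiClient.getClientId());
    checkParam.setOrTags(Collections.singletonList("type=clientOwn"));
    checkParam.setNeedTag(true);
    ResourceCheckResult check = resourceChecker.check(userId, checkParam);
    if (CollectionUtils.isEmpty(check.getResources())) {
        return clientIds;
    }
    for (ResourceVO resource : check.getResources()) {
        if (CollectionUtils.isEmpty(resource.getTags())) {
            continue;
        }
        for (ResourceTagVO tag : resource.getTags()) {
            if (DoorkeeperConstants.CLIENT_ID.equals(tag.getK())) {
                // First CLIENT_ID tag wins; a non-numeric value propagates as NumberFormatException.
                clientIds.add(Long.valueOf(tag.getV()));
                break;
            }
        }
    }
    return clientIds;
}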
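/**
 * Lists the realms visible to {@code userId}, as id/name pairs.
 *
 * <p>A super admin sees every realm. Any other user is restricted to the realm ids
 * carried by the {@code type=realmOwn} resources granted through the doorkeeper API
 * client (tag key {@code REALM_ID}). When that id set is empty the method returns an
 * empty list without querying: the original code passed an empty collection to
 * {@code in(...)}, whose result depends on the query-builder version, so the outcome
 * is now deterministic and fails closed.
 *
 * @param userId the user whose realms are listed
 * @return the realms the user may see, never {@code null}
 */
public List<RealmVO> userRealms(Long userId) {
    // Only the id and name columns are needed by the VO.
    LambdaQueryWrapper<RealmPO> realmSelect = Wrappers.<RealmPO>lambdaQuery()
            .select(RealmPO::getRealmId, RealmPO::getName);
    if (isSuperAdmin(userId)) {
        List<RealmPO> allRealms = realmMapper.selectList(realmSelect);
        return EnhancedBeanUtils.createAndCopyList(allRealms, RealmVO.class);
    }
    List<Long> realmIds = ownedRealmIds(userId);
    if (realmIds.isEmpty()) {
        // Nothing owned: no result, and no empty IN (...) sent to the query builder.
        return new ArrayList<>();
    }
    List<RealmPO> realms = realmMapper.selectList(realmSelect.in(RealmPO::getRealmId, realmIds));
    return EnhancedBeanUtils.createAndCopyList(realms, RealmVO.class);
}

/**
 * Collects the realm ids granted to {@code userId} through {@code type=realmOwn}
 * resources of the doorkeeper API client; the id is read from the first resource tag
 * keyed {@code REALM_ID}.
 *
 * @param userId the user whose grants are resolved
 * @return the owned realm ids; empty when the API client cannot be resolved or when
 *         no resource (or no tagged resource) is granted
 */
private List<Long> ownedRealmIds(Long userId) {
    List<Long> realmIds = new ArrayList<>();
    ClientPO apiClient = clientMapper.getByName(getDoorkeeperRealmId(), DoorkeeperConstants.API_CLIENT);
    if (apiClient == null) {
        // Fail closed rather than dereference a missing client.
        return realmIds;
    }
    ResourceCheckParam checkParam = new ResourceCheckParam();
    checkParam.setClientId(apiClient.getClientId());
    checkParam.setOrTags(Collections.singletonList("type=realmOwn"));
    checkParam.setNeedTag(true);
    ResourceCheckResult check = resourceChecker.check(userId, checkParam);
    if (CollectionUtils.isEmpty(check.getResources())) {
        return realmIds;
    }
    for (ResourceVO resource : check.getResources()) {
        if (CollectionUtils.isEmpty(resource.getTags())) {
            continue;
        }
        for (ResourceTagVO tag : resource.getTags()) {
            if (DoorkeeperConstants.REALM_ID.equals(tag.getK())) {
                // First REALM_ID tag wins; a non-numeric value propagates as NumberFormatException.
                realmIds.add(Long.valueOf(tag.getV()));
                break;
            }
        }
    }
    return realmIds;
}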
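/**
 * Checks which of the resources selected by {@code checkParam} the user may access.
 *
 * <p>Per resource: the REFUSE-intent permissions are evaluated first and a single
 * passing one excludes the resource; otherwise a single passing ALLOW-intent
 * permission includes it. A resource with no permission link, or whose links point
 * to permissions that were not loaded, is excluded when {@code refuseWhenUnauthorized}
 * is set and included otherwise. A disabled user always receives an empty result.
 *
 * <p>Fix: the original fell through into the per-permission loop after including an
 * unlinked resource, which dereferenced a null id list when
 * {@code refuseWhenUnauthorized} was false and so failed the whole check.
 *
 * @param userId     id of the user being checked
 * @param checkParam client id plus the criteria used to select candidate resources
 * @return the accessible resources, never {@code null}
 * @throws AuthorizationException if any step of the evaluation throws; the original
 *         exception is logged and its message is wrapped
 */
public ResourceCheckResult check(Long userId, ResourceCheckParam checkParam) {
    ClientPO client = getClient(checkParam.getClientId());
    UserPO user = getUser(userId);
    if (!user.getIsEnabled()) {
        return emptyResult();
    }
    try {
        // Enabled resources matching the check criteria.
        List<ResourceVO> resources = findResources(client.getRealmId(), client.getClientId(), checkParam);
        if (CollectionUtils.isEmpty(resources)) {
            return emptyResult();
        }
        // Resource -> permission links.
        List<Long> resourceIds = resources.stream()
                .map(ResourceVO::getResourceId)
                .collect(Collectors.toList());
        List<PermissionResourcePO> permissionResources = permissionResourceMapper.selectList(
                Wrappers.<PermissionResourcePO>lambdaQuery().in(PermissionResourcePO::getResourceId, resourceIds));
        if (CollectionUtils.isEmpty(permissionResources)) {
            return checkResourceRefuseResult(resources);
        }
        Set<Long> permissionIds = new HashSet<>();
        Map<Long, List<Long>> resourcePermissionMap = new HashMap<>();
        for (PermissionResourcePO link : permissionResources) {
            permissionIds.add(link.getPermissionId());
            resourcePermissionMap
                    .computeIfAbsent(link.getResourceId(), k -> new ArrayList<>())
                    .add(link.getPermissionId());
        }
        // Permissions behind those links.
        List<PermissionVO> allPermissions = getPermissions(client.getRealmId(), client.getClientId(),
                new ArrayList<>(permissionIds));
        if (CollectionUtils.isEmpty(allPermissions)) {
            return checkResourceRefuseResult(resources);
        }
        // Index permissions and collect the policy ids they reference. A permission
        // whose logic cannot be parsed is a data error and aborts the check.
        Map<Long, PermissionVO> permissionMap = new HashMap<>();
        Set<Long> policyIds = new HashSet<>();
        for (PermissionVO permission : allPermissions) {
            if (Logic.parse(permission.getLogic()) == null) {
                throw new IllegalArgumentException("无法解析权限的策略,permission=" + permission);
            }
            permissionMap.put(permission.getPermissionId(), permission);
            if (CollectionUtils.isNotEmpty(permission.getPolicies())) {
                for (PermissionPolicyVO permissionPolicy : permission.getPolicies()) {
                    policyIds.add(permissionPolicy.getPolicyId());
                }
            }
        }
        if (CollectionUtils.isEmpty(policyIds)) {
            return checkResourceRefuseResult(resources);
        }
        // Policies; toMap rejects duplicate policy ids, as before.
        List<PolicyVO> allPolicies = policyDao.getVOSByPolicyIds(client.getRealmId(), client.getClientId(),
                new ArrayList<>(policyIds), true);
        if (CollectionUtils.isEmpty(allPolicies)) {
            return checkResourceRefuseResult(resources);
        }
        Map<Long, PolicyVO> policyMap = allPolicies.stream()
                .collect(Collectors.toMap(PolicyVO::getPolicyId, Function.identity()));
        PolicyChecker checker = policyCheckerFactory.newPolicyChecker(user);
        List<ResourceVO> result = new ArrayList<>();
        for (ResourceVO resource : resources) {
            // Permissions linked to this resource that were actually loaded.
            List<PermissionVO> resourcePermissions = new ArrayList<>();
            for (Long permissionId : resourcePermissionMap.getOrDefault(resource.getResourceId(), new ArrayList<>())) {
                PermissionVO permission = permissionMap.get(permissionId);
                if (permission != null) {
                    resourcePermissions.add(permission);
                }
            }
            if (resourcePermissions.isEmpty()) {
                // No usable permission: the flag decides, and nothing else is evaluated.
                if (!refuseWhenUnauthorized) {
                    result.add(resource);
                }
                continue;
            }
            if (evaluateResource(checker, checkParam, resourcePermissions, policyMap)) {
                result.add(resource);
            }
        }
        return new ResourceCheckResult(result);
    } catch (Exception e) {
        log.error("鉴权校验失败", e);
        // NOTE(review): only the message is propagated; attach {@code e} as the cause if
        // AuthorizationException offers a (String, Throwable) constructor.
        throw new AuthorizationException(e.getMessage());
    }
}

/**
 * Decides one resource from its permissions: any passing REFUSE permission rejects it;
 * otherwise any passing ALLOW permission accepts it; nothing passing rejects it.
 *
 * <p>Grouping by intention uses {@code Collectors.groupingBy}, which throws if
 * {@code Intention.parse} returns {@code null}; that behaviour is unchanged from the
 * inline grouping it replaces.
 *
 * @param checker     policy checker bound to the user being evaluated
 * @param checkParam  the check parameters forwarded to the per-permission logic
 * @param permissions the loaded permissions linked to the resource; non-empty
 * @param policyMap   policies by id, consulted by the per-permission logic
 * @return {@code true} if the resource is accessible
 */
private boolean evaluateResource(PolicyChecker checker, ResourceCheckParam checkParam,
                                 List<PermissionVO> permissions, Map<Long, PolicyVO> policyMap) {
    Map<Intention, Set<PermissionVO>> byIntention = permissions.stream().collect(Collectors.groupingBy(
            permissionVO -> Intention.parse(permissionVO.getIntention()),
            Collectors.mapping(Function.identity(), Collectors.toSet())));
    // REFUSE wins over ALLOW: a single passing refusal settles the resource.
    for (PermissionVO refuse : byIntention.getOrDefault(Intention.REFUSE, new HashSet<>())) {
        if (checkPermissionLogic(checker, checkParam, refuse, policyMap)) {
            return false;
        }
    }
    for (PermissionVO allow : byIntention.getOrDefault(Intention.ALLOW, new HashSet<>())) {
        if (checkPermissionLogic(checker, checkParam, allow, policyMap)) {
            return true;
        }
    }
    return false;
}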