Search in sources :

Example 1 with PolicyVO

use of org.limbo.doorkeeper.api.model.vo.policy.PolicyVO in project doorkeeper by limbo-world.

the class PolicyService method get.

public PolicyVO get(Long realmId, Long clientId, Long policyId) {
    PolicyPO policy = policyMapper.getById(realmId, clientId, policyId);
    Verifies.notNull(policy, "策略不存在");
    PolicyVO result = EnhancedBeanUtils.createAndCopy(policy, PolicyVO.class);
    switch(policy.getType()) {
        case ROLE:
            result.setRoles(policyRoleDao.getByPolicy(policyId));
            break;
        case USER:
            result.setUsers(policyUserDao.getByPolicy(policyId));
            break;
        case PARAM:
            result.setParams(policyParamDao.getByPolicy(policyId));
            break;
        case GROUP:
            result.setGroups(policyGroupDao.getByPolicy(policyId));
            break;
    }
    return result;
}
Also used : PolicyVO(org.limbo.doorkeeper.api.model.vo.policy.PolicyVO)

Example 2 with PolicyVO

use of org.limbo.doorkeeper.api.model.vo.policy.PolicyVO in project doorkeeper by limbo-world.

the class ResourceChecker method check.

/**
 * 进行权限校验,是否有资格访问
 *
 * @param userId     用户id
 * @param checkParam 用于获取资源的参数
 * @return
 */
public ResourceCheckResult check(Long userId, ResourceCheckParam checkParam) {
    ClientPO client = getClient(checkParam.getClientId());
    UserPO user = getUser(userId);
    if (!user.getIsEnabled()) {
        return emptyResult();
    }
    try {
        // 找到待检测的启用资源
        List<ResourceVO> resources = findResources(client.getRealmId(), client.getClientId(), checkParam);
        if (CollectionUtils.isEmpty(resources)) {
            return emptyResult();
        }
        // 找到资源权限关系
        List<PermissionResourcePO> permissionResources = permissionResourceMapper.selectList(Wrappers.<PermissionResourcePO>lambdaQuery().in(PermissionResourcePO::getResourceId, resources.stream().map(ResourceVO::getResourceId).collect(Collectors.toList())));
        if (CollectionUtils.isEmpty(permissionResources)) {
            return checkResourceRefuseResult(resources);
        }
        Set<Long> permissionIds = new HashSet<>();
        Map<Long, List<Long>> resourcePermissionMap = new HashMap<>();
        for (PermissionResourcePO permissionResource : permissionResources) {
            permissionIds.add(permissionResource.getPermissionId());
            if (!resourcePermissionMap.containsKey(permissionResource.getResourceId())) {
                resourcePermissionMap.put(permissionResource.getResourceId(), new ArrayList<>());
            }
            resourcePermissionMap.get(permissionResource.getResourceId()).add(permissionResource.getPermissionId());
        }
        // 查询权限
        List<PermissionVO> allPermissions = getPermissions(client.getRealmId(), client.getClientId(), new ArrayList<>(permissionIds));
        if (CollectionUtils.isEmpty(allPermissions)) {
            return checkResourceRefuseResult(resources);
        }
        // 获取策略ID
        Map<Long, PermissionVO> permissionMap = new HashMap<>();
        Set<Long> policyIds = new HashSet<>();
        for (PermissionVO permission : allPermissions) {
            if (Logic.parse(permission.getLogic()) == null) {
                throw new IllegalArgumentException("无法解析权限的策略,permission=" + permission);
            }
            permissionMap.put(permission.getPermissionId(), permission);
            if (CollectionUtils.isNotEmpty(permission.getPolicies())) {
                policyIds.addAll(permission.getPolicies().stream().map(PermissionPolicyVO::getPolicyId).collect(Collectors.toList()));
            }
        }
        if (CollectionUtils.isEmpty(policyIds)) {
            return checkResourceRefuseResult(resources);
        }
        // 获取策略
        List<PolicyVO> allPolicies = policyDao.getVOSByPolicyIds(client.getRealmId(), client.getClientId(), new ArrayList<>(policyIds), true);
        if (CollectionUtils.isEmpty(allPolicies)) {
            return checkResourceRefuseResult(resources);
        }
        Map<Long, PolicyVO> policyMap = allPolicies.stream().collect(Collectors.toMap(PolicyVO::getPolicyId, policyVO -> policyVO));
        // 获取策略校验器
        PolicyChecker checker = policyCheckerFactory.newPolicyChecker(user);
        List<ResourceVO> result = new ArrayList<>();
        ASSIGNER_ITER: for (ResourceVO resource : resources) {
            // 获取资源权限ID
            List<Long> resourcePermissionIds = resourcePermissionMap.get(resource.getResourceId());
            if (CollectionUtils.isEmpty(resourcePermissionIds)) {
                if (refuseWhenUnauthorized) {
                    continue;
                } else {
                    result.add(resource);
                }
            }
            // 获取资源权限
            List<PermissionVO> permissionVOS = new ArrayList<>();
            for (Long permissionId : resourcePermissionIds) {
                if (permissionMap.containsKey(permissionId)) {
                    permissionVOS.add(permissionMap.get(permissionId));
                }
            }
            if (CollectionUtils.isEmpty(permissionVOS)) {
                if (refuseWhenUnauthorized) {
                    continue;
                } else {
                    result.add(resource);
                }
            }
            // 对Permission的Intention进行分组
            Map<Intention, Set<PermissionVO>> intentGroupedPerms = permissionVOS.stream().collect(Collectors.groupingBy(permissionVO -> Intention.parse(permissionVO.getIntention()), Collectors.mapping(Function.identity(), Collectors.toSet())));
            // 先检测 REFUSE 的权限,如果存在一个 REFUSE 的权限校验通过,则此资源约束被看作拒绝
            Set<PermissionVO> refusedPerms = intentGroupedPerms.getOrDefault(Intention.REFUSE, new HashSet<>());
            for (PermissionVO permission : refusedPerms) {
                if (checkPermissionLogic(checker, checkParam, permission, policyMap)) {
                    continue ASSIGNER_ITER;
                }
            }
            // 再检测 ALLOW 的权限
            Set<PermissionVO> allowedPerms = intentGroupedPerms.getOrDefault(Intention.ALLOW, new HashSet<>());
            for (PermissionVO permission : allowedPerms) {
                if (checkPermissionLogic(checker, checkParam, permission, policyMap)) {
                    result.add(resource);
                    continue ASSIGNER_ITER;
                }
            }
        }
        return new ResourceCheckResult(result);
    } catch (Exception e) {
        log.error("鉴权校验失败", e);
        throw new AuthorizationException(e.getMessage());
    }
}
Also used : PolicyVO(org.limbo.doorkeeper.api.model.vo.policy.PolicyVO) java.util(java.util) PolicyDao(org.limbo.doorkeeper.server.infrastructure.dao.PolicyDao) PermissionVO(org.limbo.doorkeeper.api.model.vo.PermissionVO) Intention(org.limbo.doorkeeper.api.constants.Intention) Autowired(org.springframework.beans.factory.annotation.Autowired) ResourceCheckResult(org.limbo.doorkeeper.api.model.vo.check.ResourceCheckResult) Function(java.util.function.Function) CollectionUtils(org.apache.commons.collections4.CollectionUtils) ResourceVO(org.limbo.doorkeeper.api.model.vo.ResourceVO) ResourceQueryParam(org.limbo.doorkeeper.api.model.param.query.ResourceQueryParam) org.limbo.doorkeeper.server.infrastructure.mapper(org.limbo.doorkeeper.server.infrastructure.mapper) org.limbo.doorkeeper.server.infrastructure.po(org.limbo.doorkeeper.server.infrastructure.po) DoorkeeperConstants(org.limbo.doorkeeper.api.constants.DoorkeeperConstants) PermissionPolicyVO(org.limbo.doorkeeper.api.model.vo.PermissionPolicyVO) Wrappers(com.baomidou.mybatisplus.core.toolkit.Wrappers) PolicyCheckerParam(org.limbo.doorkeeper.api.model.param.query.PolicyCheckerParam) Collectors(java.util.stream.Collectors) PermissionQueryParam(org.limbo.doorkeeper.api.model.param.query.PermissionQueryParam) Slf4j(lombok.extern.slf4j.Slf4j) Component(org.springframework.stereotype.Component) ResourceCheckParam(org.limbo.doorkeeper.api.model.param.query.ResourceCheckParam) UriMethod(org.limbo.doorkeeper.api.constants.UriMethod) Logic(org.limbo.doorkeeper.api.constants.Logic) AuthorizationException(org.limbo.doorkeeper.server.infrastructure.exception.AuthorizationException) AuthorizationException(org.limbo.doorkeeper.server.infrastructure.exception.AuthorizationException) ResourceCheckResult(org.limbo.doorkeeper.api.model.vo.check.ResourceCheckResult) PermissionPolicyVO(org.limbo.doorkeeper.api.model.vo.PermissionPolicyVO) AuthorizationException(org.limbo.doorkeeper.server.infrastructure.exception.AuthorizationException) PolicyVO(org.limbo.doorkeeper.api.model.vo.policy.PolicyVO) PermissionPolicyVO(org.limbo.doorkeeper.api.model.vo.PermissionPolicyVO) ResourceVO(org.limbo.doorkeeper.api.model.vo.ResourceVO) PermissionVO(org.limbo.doorkeeper.api.model.vo.PermissionVO)

Example 3 with PolicyVO

use of org.limbo.doorkeeper.api.model.vo.policy.PolicyVO in project doorkeeper by limbo-world.

the class ResourceChecker method checkPermissionLogic.

/**
 * 进行Permission的校验
 *
 * @param permission 待校验的授权信息
 * @return 返回Permission校验是否通过
 */
private boolean checkPermissionLogic(PolicyChecker checker, ResourceCheckParam checkParam, PermissionVO permission, Map<Long, PolicyVO> policyMap) {
    // 检测权限是否禁用
    if (!permission.getIsEnabled()) {
        return false;
    }
    Logic logic = Logic.parse(permission.getLogic());
    if (logic == null) {
        throw new IllegalArgumentException("无法解析权限的策略,permission=" + permission);
    }
    if (CollectionUtils.isEmpty(permission.getPolicies())) {
        return false;
    }
    // 逐个policy检查
    int allowedCount = 0;
    int totalCount = 0;
    for (PermissionPolicyVO permissionPolicy : permission.getPolicies()) {
        PolicyVO policy = policyMap.get(permissionPolicy.getPolicyId());
        if (policy == null) {
            continue;
        }
        // todo 判断是否能进行校验
        // PolicyChecker policyChecker = policyCheckerFactory.newPolicyChecker(user, policy);
        // if (policyChecker == null) {
        // continue;
        // }
        PolicyCheckerParam policyCheckerParam = new PolicyCheckerParam();
        policyCheckerParam.setParams(checkParam.getParams());
        totalCount++;
        // 统计允许的policy个数
        if (checker.check(policy, policyCheckerParam.getParams()).allow()) {
            allowedCount++;
        }
    }
    return Logic.isSatisfied(logic, totalCount, allowedCount);
}
Also used : PermissionPolicyVO(org.limbo.doorkeeper.api.model.vo.PermissionPolicyVO) PolicyVO(org.limbo.doorkeeper.api.model.vo.policy.PolicyVO) PermissionPolicyVO(org.limbo.doorkeeper.api.model.vo.PermissionPolicyVO) PolicyCheckerParam(org.limbo.doorkeeper.api.model.param.query.PolicyCheckerParam) Logic(org.limbo.doorkeeper.api.constants.Logic)

Aggregations

PolicyVO (org.limbo.doorkeeper.api.model.vo.policy.PolicyVO)3 Logic (org.limbo.doorkeeper.api.constants.Logic)2 PolicyCheckerParam (org.limbo.doorkeeper.api.model.param.query.PolicyCheckerParam)2 PermissionPolicyVO (org.limbo.doorkeeper.api.model.vo.PermissionPolicyVO)2 Wrappers (com.baomidou.mybatisplus.core.toolkit.Wrappers)1 java.util (java.util)1 Function (java.util.function.Function)1 Collectors (java.util.stream.Collectors)1 Slf4j (lombok.extern.slf4j.Slf4j)1 CollectionUtils (org.apache.commons.collections4.CollectionUtils)1 DoorkeeperConstants (org.limbo.doorkeeper.api.constants.DoorkeeperConstants)1 Intention (org.limbo.doorkeeper.api.constants.Intention)1 UriMethod (org.limbo.doorkeeper.api.constants.UriMethod)1 PermissionQueryParam (org.limbo.doorkeeper.api.model.param.query.PermissionQueryParam)1 ResourceCheckParam (org.limbo.doorkeeper.api.model.param.query.ResourceCheckParam)1 ResourceQueryParam (org.limbo.doorkeeper.api.model.param.query.ResourceQueryParam)1 PermissionVO (org.limbo.doorkeeper.api.model.vo.PermissionVO)1 ResourceVO (org.limbo.doorkeeper.api.model.vo.ResourceVO)1 ResourceCheckResult (org.limbo.doorkeeper.api.model.vo.check.ResourceCheckResult)1 PolicyDao (org.limbo.doorkeeper.server.infrastructure.dao.PolicyDao)1