
use of org.sagacity.sqltoy.model.DataAuthFilterConfig in project sagacity-sqltoy by chenrenfei.

the class QueryExecutorBuilder method dataAuthFilter.

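/**
 * Applies the unified data-authorization filters to a query's named parameters.
 * <p>
 * For each entry of {@code fullParamNames} that has a {@link DataAuthFilterConfig}
 * registered by {@code unifyFieldsHandler.dataAuthFilters()}:
 * <ol>
 * <li>if the caller supplied no value (blank) or the filter's "choose all" marker, and the
 *     filter carries authorized values, those values are written into
 *     {@code fullParamValues[i]} in place of the caller's value;</li>
 * <li>otherwise, when the filter carries authorized values and {@code isForcelimit()} is set,
 *     every non-null caller-supplied value (scalar, array or {@link Collection}) must be
 *     contained in the authorized set, else a {@link DataAccessException} is thrown. With
 *     {@code isIgnoreType()} the comparison is done on {@code toString()} of both sides.</li>
 * </ol>
 * Caller-supplied values for a filter whose {@code isForcelimit()} is {@code false}, or whose
 * {@code getValues()} is {@code null}, pass through unchecked; an authorized set that resolves
 * to empty (only {@code null} entries) rejects every non-null caller value.
 *
 * @param unifyFieldsHandler source of the per-parameter filters; {@code null} or an empty
 *                           filter map makes this a no-op
 * @param sqlToyConfig       used only to report the sql id in the debug log
 * @param fullParamNames     parameter names, positionally aligned with {@code fullParamValues}
 *                           (assumed no longer than {@code fullParamValues})
 * @param fullParamValues    parameter values; entries may be replaced in place
 * @throws DataAccessException when a caller-supplied value lies outside the authorized range
 */
private static void dataAuthFilter(IUnifyFieldsHandler unifyFieldsHandler, SqlToyConfig sqlToyConfig, String[] fullParamNames, Object[] fullParamValues) {
    IgnoreKeyCaseMap<String, DataAuthFilterConfig> authFilterMap = (unifyFieldsHandler == null) ? null : unifyFieldsHandler.dataAuthFilters();
    if (authFilterMap == null || authFilterMap.isEmpty()) {
        return;
    }
    for (int i = 0; i < fullParamNames.length; i++) {
        String paramName = fullParamNames[i];
        if (!authFilterMap.containsKey(paramName)) {
            continue;
        }
        DataAuthFilterConfig dataAuthFilter = authFilterMap.get(paramName);
        Object paramValue = fullParamValues[i];
        Object authedValues = dataAuthFilter.getValues();
        if (StringUtil.isBlank(paramValue) || equalChoiceAllValue(paramValue, dataAuthFilter.getChoiceAllValue())) {
            // Caller supplied nothing usable: substitute the authorized values so the
            // query is scoped to what the caller may see.
            if (authedValues != null) {
                fullParamValues[i] = authedValues;
                logger.debug("sqlId={} 参数:{} 前端未传值,由平台统一带入授权值!", sqlToyConfig.getId(), paramName);
            }
        } else if (authedValues != null && dataAuthFilter.isForcelimit()) {
            // Caller supplied explicit values: enforce that each one is inside the
            // authorized range. Only isForcelimit() turns this check on.
            boolean ignoreType = dataAuthFilter.isIgnoreType();
            Set<Object> authSet = dataAuthedSet(authedValues, ignoreType);
            for (Object value : dataAuthToArray(paramValue)) {
                // null elements are not checked (they match nothing in the authorized set either way)
                if (value != null && !authSet.contains(ignoreType ? value.toString() : value)) {
                    throw new DataAccessException("参数:[" + paramName + "]参数对应的值:[" + value + "] 超出授权范围(数据来源参见spring.sqltoy.unifyFieldsHandler配置的实现),请检查!");
                }
            }
        }
    }
}

/**
 * Builds the lookup set of authorized values from a filter's {@code getValues()}.
 *
 * @param authedValues scalar, array or {@link Collection} of authorized values; non-null
 * @param ignoreType   when {@code true}, entries are stored as {@code toString()} so that
 *                     the caller's values can be compared type-insensitively
 * @return the non-null entries of {@code authedValues}, possibly empty
 */
private static Set<Object> dataAuthedSet(Object authedValues, boolean ignoreType) {
    Set<Object> authSet = new HashSet<Object>();
    for (Object item : dataAuthToArray(authedValues)) {
        if (item != null) {
            authSet.add(ignoreType ? item.toString() : item);
        }
    }
    return authSet;
}

/**
 * Normalizes a scalar, array or {@link Collection} into an {@code Object[]}.
 * <p>
 * A primitive array (e.g. {@code int[]}) is copied element by element via reflection;
 * a direct {@code (Object[])} cast would throw {@link ClassCastException} for it.
 *
 * @param value the value to normalize; non-null
 * @return the elements of {@code value}, or a one-element array holding the scalar
 */
private static Object[] dataAuthToArray(Object value) {
    if (value instanceof Object[]) {
        return (Object[]) value;
    }
    if (value.getClass().isArray()) {
        int length = java.lang.reflect.Array.getLength(value);
        Object[] elements = new Object[length];
        for (int i = 0; i < length; i++) {
            elements[i] = java.lang.reflect.Array.get(value, i);
        }
        return elements;
    }
    if (value instanceof Collection) {
        return ((Collection<?>) value).toArray();
    }
    return new Object[] { value };
}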
Also used : DataAuthFilterConfig(org.sagacity.sqltoy.model.DataAuthFilterConfig) Set(java.util.Set) HashSet(java.util.HashSet) Collection(java.util.Collection) DataAccessException(org.sagacity.sqltoy.exception.DataAccessException)
