|
|
//
|
|
|
// Copyright (C) 2024 veypi <i@veypi.com>
|
|
|
// 2025-02-14 16:08:06
|
|
|
// Distributed under terms of the MIT license.
|
|
|
//
|
|
|
|
|
|
package auth
|
|
|
|
|
|
import (
|
|
|
"context"
|
|
|
"fmt"
|
|
|
"regexp"
|
|
|
"strings"
|
|
|
"time"
|
|
|
|
|
|
"github.com/veypi/vbase/cfg"
|
|
|
"github.com/veypi/vbase/libs/cache"
|
|
|
"github.com/veypi/vbase/models"
|
|
|
"github.com/veypi/vigo"
|
|
|
)
|
|
|
|
|
|
// Auth 权限管理接口
|
|
|
type Auth interface {
|
|
|
// ========== 中间件生成 ==========
|
|
|
// 基础权限检查
|
|
|
Perm(permissionID string) func(*vigo.X) error
|
|
|
|
|
|
// 资源所有者权限
|
|
|
PermWithOwner(permissionID, ownerKey string) func(*vigo.X) error
|
|
|
|
|
|
// 特定资源权限检查 (自动从 Path/Query 获取资源ID)
|
|
|
PermOnResource(permissionID, resourceKey string) func(*vigo.X) error
|
|
|
|
|
|
// 满足任一权限
|
|
|
PermAny(permissionIDs []string) func(*vigo.X) error
|
|
|
|
|
|
// 满足所有权限
|
|
|
PermAll(permissionIDs []string) func(*vigo.X) error
|
|
|
|
|
|
// ========== 权限管理 ==========
|
|
|
// 授予角色
|
|
|
GrantRole(ctx context.Context, userID, orgID, roleCode string) error
|
|
|
|
|
|
// 撤销角色
|
|
|
RevokeRole(ctx context.Context, userID, orgID, roleCode string) error
|
|
|
|
|
|
// 授予特定资源权限
|
|
|
GrantResourcePerm(ctx context.Context, userID, orgID, permissionID, resourceID string) error
|
|
|
|
|
|
// 撤销特定资源权限
|
|
|
RevokeResourcePerm(ctx context.Context, userID, orgID, permissionID, resourceID string) error
|
|
|
|
|
|
// 撤销用户所有权限
|
|
|
RevokeAll(ctx context.Context, userID, orgID string) error
|
|
|
|
|
|
// ========== 权限查询 ==========
|
|
|
// 检查权限
|
|
|
CheckPermission(ctx context.Context, userID, orgID, permissionID, resourceID string) (bool, error)
|
|
|
|
|
|
// 列出用户权限
|
|
|
ListUserPermissions(ctx context.Context, userID, orgID string) ([]models.UserPermissionResult, error)
|
|
|
|
|
|
// 列出资源授权用户
|
|
|
ListResourceUsers(ctx context.Context, orgID, permissionID, resourceID string) ([]models.ResourceUser, error)
|
|
|
}
|
|
|
|
|
|
// 全局 Auth 工厂
|
|
|
var Factory = &authFactory{
|
|
|
apps: make(map[string]*appAuth),
|
|
|
}
|
|
|
|
|
|
// VBaseAuth vbase 自身的权限管理实例
|
|
|
// 由 vbase 包在初始化时注入
|
|
|
var (
|
|
|
VBaseAuth = Factory.New("vb", models.AppConfig{
|
|
|
Name: "VBase",
|
|
|
Description: "VBase 基础设施",
|
|
|
DefaultRoles: []models.RoleDefinition{
|
|
|
{Code: "admin", Name: "管理员", Policies: []string{"*:*"}},
|
|
|
{Code: "user", Name: "普通用户", Policies: []string{
|
|
|
"user:read", "user:update",
|
|
|
"org:read", "org:create",
|
|
|
"oauth-client:read", "oauth-client:create", "oauth-client:update", "oauth-client:delete",
|
|
|
}},
|
|
|
},
|
|
|
})
|
|
|
)
|
|
|
|
|
|
type authFactory struct {
|
|
|
apps map[string]*appAuth // appKey -> auth实例
|
|
|
}
|
|
|
|
|
|
// New 创建权限管理实例(注册应用)
|
|
|
func (f *authFactory) New(appKey string, config models.AppConfig) Auth {
|
|
|
if _, exists := f.apps[appKey]; exists {
|
|
|
return f.apps[appKey]
|
|
|
}
|
|
|
|
|
|
// 验证默认角色中的权限格式
|
|
|
for _, role := range config.DefaultRoles {
|
|
|
for _, policy := range role.Policies {
|
|
|
validatePermissionID(policy)
|
|
|
}
|
|
|
}
|
|
|
|
|
|
auth := &appAuth{
|
|
|
appKey: appKey,
|
|
|
config: config,
|
|
|
}
|
|
|
f.apps[appKey] = auth
|
|
|
return auth
|
|
|
}
|
|
|
|
|
|
var (
|
|
|
validResourceRegex = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9_-]*$`)
|
|
|
)
|
|
|
|
|
|
func validatePermissionID(permissionID string) {
|
|
|
if permissionID == "*:*" {
|
|
|
return
|
|
|
}
|
|
|
parts := strings.Split(permissionID, ":")
|
|
|
// 允许 app:resource:action 或 resource:action 格式
|
|
|
// 如果是 app:resource:action,则 parts 长度为 3
|
|
|
// 如果是 resource:action,则 parts 长度为 2
|
|
|
if len(parts) != 2 && len(parts) != 3 {
|
|
|
panic(fmt.Sprintf("invalid permission format: %s, expected 'resource:action' or 'app:resource:action'", permissionID))
|
|
|
}
|
|
|
|
|
|
resource := parts[len(parts)-2]
|
|
|
if !validResourceRegex.MatchString(resource) {
|
|
|
panic(fmt.Sprintf("invalid resource identifier: %s, must start with letter and contain only letters, numbers, '-' or '_'", resource))
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// Init 初始化所有注册的权限配置
|
|
|
// - 检查不同 app 之间是否有冲突
|
|
|
// - 同步 Permission 到数据库
|
|
|
// - 建立预设角色
|
|
|
func (f *authFactory) Init() error {
|
|
|
for appKey, auth := range f.apps {
|
|
|
if err := auth.init(); err != nil {
|
|
|
return fmt.Errorf("failed to init auth for %s: %w", appKey, err)
|
|
|
}
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
// appAuth 单个应用的权限管理
|
|
|
type appAuth struct {
|
|
|
appKey string
|
|
|
config models.AppConfig
|
|
|
}
|
|
|
|
|
|
// init 初始化应用的权限配置
|
|
|
func (a *appAuth) init() error {
|
|
|
// 1. 同步权限定义到数据库
|
|
|
for _, permDef := range a.extractPermissions() {
|
|
|
var perm models.Permission
|
|
|
err := cfg.DB().Where("id = ?", permDef.ID).First(&perm).Error
|
|
|
if err != nil {
|
|
|
// 不存在则创建
|
|
|
perm = permDef
|
|
|
if err := cfg.DB().Create(&perm).Error; err != nil {
|
|
|
return fmt.Errorf("failed to create permission %s: %w", permDef.ID, err)
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// 2. 创建系统预设角色
|
|
|
for _, roleDef := range a.config.DefaultRoles {
|
|
|
if err := a.initRole(roleDef); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
// extractPermissions 从角色定义中提取所有权限
|
|
|
func (a *appAuth) extractPermissions() []models.Permission {
|
|
|
permMap := make(map[string]models.Permission)
|
|
|
|
|
|
for _, roleDef := range a.config.DefaultRoles {
|
|
|
for _, policy := range roleDef.Policies {
|
|
|
// policy 格式: "resource:action" 或 "*:*"
|
|
|
parts := strings.Split(policy, ":")
|
|
|
if len(parts) != 2 {
|
|
|
continue
|
|
|
}
|
|
|
|
|
|
resource, action := parts[0], parts[1]
|
|
|
permID := fmt.Sprintf("%s:%s:%s", a.appKey, resource, action)
|
|
|
|
|
|
if _, exists := permMap[permID]; !exists {
|
|
|
permMap[permID] = models.Permission{
|
|
|
ID: permID,
|
|
|
AppKey: a.appKey,
|
|
|
Resource: resource,
|
|
|
Action: action,
|
|
|
Description: fmt.Sprintf("%s %s on %s", a.config.Name, action, resource),
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
|
|
|
result := make([]models.Permission, 0, len(permMap))
|
|
|
for _, perm := range permMap {
|
|
|
result = append(result, perm)
|
|
|
}
|
|
|
return result
|
|
|
}
|
|
|
|
|
|
// initRole 初始化系统预设角色
|
|
|
func (a *appAuth) initRole(roleDef models.RoleDefinition) error {
|
|
|
// 查找或创建系统角色
|
|
|
var role models.Role
|
|
|
err := cfg.DB().Where("code = ? AND org_id = ''", roleDef.Code).First(&role).Error
|
|
|
if err != nil {
|
|
|
// 创建新角色
|
|
|
role = models.Role{
|
|
|
OrgID: "",
|
|
|
Code: roleDef.Code,
|
|
|
Name: roleDef.Name,
|
|
|
Description: roleDef.Description,
|
|
|
IsSystem: true,
|
|
|
Status: 1,
|
|
|
}
|
|
|
if err := cfg.DB().Create(&role).Error; err != nil {
|
|
|
return fmt.Errorf("failed to create role %s: %w", roleDef.Code, err)
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// 同步角色权限
|
|
|
for _, policy := range roleDef.Policies {
|
|
|
parts := strings.Split(policy, ":")
|
|
|
if len(parts) != 2 {
|
|
|
continue
|
|
|
}
|
|
|
|
|
|
resource, action := parts[0], parts[1]
|
|
|
permID := fmt.Sprintf("%s:%s:%s", a.appKey, resource, action)
|
|
|
|
|
|
// 检查关联是否存在
|
|
|
var count int64
|
|
|
cfg.DB().Model(&models.RolePermission{}).
|
|
|
Where("role_id = ? AND permission_id = ?", role.ID, permID).
|
|
|
Count(&count)
|
|
|
|
|
|
if count == 0 {
|
|
|
rp := models.RolePermission{
|
|
|
RoleID: role.ID,
|
|
|
PermissionID: permID,
|
|
|
Condition: "none",
|
|
|
}
|
|
|
if err := cfg.DB().Create(&rp).Error; err != nil {
|
|
|
return fmt.Errorf("failed to create role permission: %w", err)
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
// ========== 中间件实现 ==========
|
|
|
|
|
|
func (a *appAuth) Perm(permissionID string) func(*vigo.X) error {
|
|
|
validatePermissionID(permissionID)
|
|
|
return func(x *vigo.X) error {
|
|
|
userID := getUserID(x)
|
|
|
if userID == "" {
|
|
|
return vigo.ErrNotAuthorized
|
|
|
}
|
|
|
|
|
|
orgID := getOrgID(x)
|
|
|
if err := a.checkPermission(x.Context(), userID, orgID, permissionID, ""); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
return nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) PermWithOwner(permissionID, ownerKey string) func(*vigo.X) error {
|
|
|
validatePermissionID(permissionID)
|
|
|
return func(x *vigo.X) error {
|
|
|
userID := getUserID(x)
|
|
|
if userID == "" {
|
|
|
return vigo.ErrNotAuthorized
|
|
|
}
|
|
|
|
|
|
orgID := getOrgID(x)
|
|
|
|
|
|
// 检查是否有基本权限
|
|
|
if err := a.checkPermission(x.Context(), userID, orgID, permissionID, ""); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
// 获取资源所有者ID
|
|
|
ownerID, _ := x.Get(ownerKey).(string)
|
|
|
if ownerID == "" {
|
|
|
ownerID = x.PathParams.Get(ownerKey)
|
|
|
}
|
|
|
|
|
|
// 如果是所有者,直接放行
|
|
|
if ownerID == userID {
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
// 如果不是所有者,且拥有全局管理权限(如admin),也可以放行
|
|
|
// 这里简化为再次检查是否有更高级别的权限,或者该权限本身隐含了管理权
|
|
|
// 实际上,CheckPermission 已经检查了用户是否拥有该 permissionID
|
|
|
// 如果设计上 PermWithOwner 意味着 "所有者 OR 拥有该权限的管理员",
|
|
|
// 那么前面的 CheckPermission 已经保证了 "拥有该权限"
|
|
|
// 但通常 Owner 权限是针对特定资源的,而 CheckPermission 检查的是通用权限
|
|
|
// 这里逻辑稍微有点混淆,通常 PermWithOwner 意思是:
|
|
|
// 1. 用户必须登录
|
|
|
// 2. 如果用户是资源所有者,允许
|
|
|
// 3. 如果用户不是所有者,必须拥有特定权限 (permissionID)
|
|
|
|
|
|
// 修正逻辑:
|
|
|
if ownerID == userID {
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
// 不是所有者,检查是否有权限
|
|
|
if err := a.checkPermission(x.Context(), userID, orgID, permissionID, ""); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) PermOnResource(permissionID, resourceKey string) func(*vigo.X) error {
|
|
|
validatePermissionID(permissionID)
|
|
|
return func(x *vigo.X) error {
|
|
|
userID := getUserID(x)
|
|
|
if userID == "" {
|
|
|
return vigo.ErrNotAuthorized
|
|
|
}
|
|
|
|
|
|
orgID := getOrgID(x)
|
|
|
|
|
|
// 尝试从 PathParams 获取
|
|
|
resourceID := x.PathParams.Get(resourceKey)
|
|
|
if resourceID == "" {
|
|
|
// 尝试从 Query 获取
|
|
|
resourceID = x.Request.URL.Query().Get(resourceKey)
|
|
|
}
|
|
|
|
|
|
if err := a.checkPermission(x.Context(), userID, orgID, permissionID, resourceID); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
return nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// 内部辅助检查方法,返回 error 以便于统一处理错误响应
|
|
|
func (a *appAuth) checkPermission(ctx context.Context, userID, orgID, permissionID, resourceID string) error {
|
|
|
ok, err := a.CheckPermission(ctx, userID, orgID, permissionID, resourceID)
|
|
|
if err != nil {
|
|
|
return vigo.ErrInternalServer.WithError(err)
|
|
|
}
|
|
|
if !ok {
|
|
|
return vigo.ErrForbidden
|
|
|
}
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) PermAny(permissionIDs []string) func(*vigo.X) error {
|
|
|
for _, pid := range permissionIDs {
|
|
|
validatePermissionID(pid)
|
|
|
}
|
|
|
return func(x *vigo.X) error {
|
|
|
userID := getUserID(x)
|
|
|
if userID == "" {
|
|
|
return vigo.ErrNotAuthorized
|
|
|
}
|
|
|
|
|
|
orgID := getOrgID(x)
|
|
|
var lastErr error
|
|
|
for _, pid := range permissionIDs {
|
|
|
if err := a.checkPermission(x.Context(), userID, orgID, pid, ""); err == nil {
|
|
|
return nil
|
|
|
} else {
|
|
|
lastErr = err
|
|
|
}
|
|
|
}
|
|
|
|
|
|
if lastErr != nil {
|
|
|
// 如果是 Forbidden 错误,返回 Forbidden
|
|
|
// 否则返回最后一个错误
|
|
|
// 这里简单处理,如果所有都失败,返回 Forbidden
|
|
|
return vigo.ErrForbidden
|
|
|
}
|
|
|
return vigo.ErrForbidden
|
|
|
}
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) PermAll(permissionIDs []string) func(*vigo.X) error {
|
|
|
for _, pid := range permissionIDs {
|
|
|
validatePermissionID(pid)
|
|
|
}
|
|
|
return func(x *vigo.X) error {
|
|
|
userID := getUserID(x)
|
|
|
if userID == "" {
|
|
|
return vigo.ErrNotAuthorized
|
|
|
}
|
|
|
|
|
|
orgID := getOrgID(x)
|
|
|
|
|
|
for _, pid := range permissionIDs {
|
|
|
if err := a.checkPermission(x.Context(), userID, orgID, pid, ""); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
}
|
|
|
return nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// ========== 权限管理实现 ==========
|
|
|
|
|
|
func (a *appAuth) GrantRole(ctx context.Context, userID, orgID, roleCode string) error {
|
|
|
// 查找角色
|
|
|
var role models.Role
|
|
|
query := cfg.DB().Where("code = ?", roleCode)
|
|
|
if orgID != "" {
|
|
|
query = query.Where("org_id = ?", orgID)
|
|
|
} else {
|
|
|
query = query.Where("org_id = ''")
|
|
|
}
|
|
|
|
|
|
if err := query.First(&role).Error; err != nil {
|
|
|
// 如果指定了 OrgID 但没找到,尝试查找全局角色
|
|
|
if orgID != "" {
|
|
|
query = cfg.DB().Where("code = ? AND org_id = ''", roleCode)
|
|
|
if err := query.First(&role).Error; err != nil {
|
|
|
return fmt.Errorf("role not found: %s", roleCode)
|
|
|
}
|
|
|
} else {
|
|
|
return fmt.Errorf("role not found: %s", roleCode)
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// 检查是否已存在
|
|
|
var count int64
|
|
|
cfg.DB().Model(&models.UserRole{}).
|
|
|
Where("user_id = ? AND org_id = ? AND role_id = ?", userID, orgID, role.ID).
|
|
|
Count(&count)
|
|
|
|
|
|
if count > 0 {
|
|
|
return nil // 已存在
|
|
|
}
|
|
|
|
|
|
userRole := models.UserRole{
|
|
|
UserID: userID,
|
|
|
OrgID: orgID,
|
|
|
RoleID: role.ID,
|
|
|
ExpireAt: nil, // 默认不过期
|
|
|
}
|
|
|
|
|
|
if err := cfg.DB().Create(&userRole).Error; err != nil {
|
|
|
return err
|
|
|
}
|
|
|
incUserPermVersion(userID)
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) RevokeRole(ctx context.Context, userID, orgID, roleCode string) error {
|
|
|
var role models.Role
|
|
|
// 优先查找组织特定角色
|
|
|
query := cfg.DB().Where("code = ?", roleCode)
|
|
|
if orgID != "" {
|
|
|
query = query.Where("org_id = ?", orgID)
|
|
|
} else {
|
|
|
query = query.Where("org_id = ''")
|
|
|
}
|
|
|
|
|
|
if err := query.First(&role).Error; err != nil {
|
|
|
// 如果没找到,尝试查找全局角色
|
|
|
if orgID != "" {
|
|
|
if err := cfg.DB().Where("code = ? AND org_id = ''", roleCode).First(&role).Error; err != nil {
|
|
|
return nil // 角色不存在,无需撤销
|
|
|
}
|
|
|
} else {
|
|
|
return nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
if err := cfg.DB().Where("user_id = ? AND org_id = ? AND role_id = ?", userID, orgID, role.ID).
|
|
|
Delete(&models.UserRole{}).Error; err != nil {
|
|
|
return err
|
|
|
}
|
|
|
incUserPermVersion(userID)
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) GrantResourcePerm(ctx context.Context, userID, orgID, permissionID, resourceID string) error {
|
|
|
if strings.Count(permissionID, ":") == 1 {
|
|
|
permissionID = fmt.Sprintf("%s:%s", a.appKey, permissionID)
|
|
|
}
|
|
|
// 检查权限是否存在
|
|
|
var perm models.Permission
|
|
|
if err := cfg.DB().Where("id = ?", permissionID).First(&perm).Error; err != nil {
|
|
|
return fmt.Errorf("permission not found: %s", permissionID)
|
|
|
}
|
|
|
|
|
|
// 检查是否已存在
|
|
|
var existing models.UserPermission
|
|
|
err := cfg.DB().Where("user_id = ? AND org_id = ? AND permission_id = ? AND resource_id = ?",
|
|
|
userID, orgID, permissionID, resourceID).
|
|
|
First(&existing).Error
|
|
|
|
|
|
if err == nil {
|
|
|
// 已存在
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
userPerm := models.UserPermission{
|
|
|
UserID: userID,
|
|
|
OrgID: orgID,
|
|
|
PermissionID: permissionID,
|
|
|
ResourceID: resourceID,
|
|
|
ExpireAt: nil, // 默认不过期
|
|
|
GrantedBy: "", // 默认空
|
|
|
}
|
|
|
|
|
|
if err := cfg.DB().Create(&userPerm).Error; err != nil {
|
|
|
return err
|
|
|
}
|
|
|
incUserPermVersion(userID)
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) RevokeResourcePerm(ctx context.Context, userID, orgID, permissionID, resourceID string) error {
|
|
|
if strings.Count(permissionID, ":") == 1 {
|
|
|
permissionID = fmt.Sprintf("%s:%s", a.appKey, permissionID)
|
|
|
}
|
|
|
if err := cfg.DB().Where("user_id = ? AND org_id = ? AND permission_id = ? AND resource_id = ?",
|
|
|
userID, orgID, permissionID, resourceID).
|
|
|
Delete(&models.UserPermission{}).Error; err != nil {
|
|
|
return err
|
|
|
}
|
|
|
incUserPermVersion(userID)
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) RevokeAll(ctx context.Context, userID, orgID string) error {
|
|
|
// 删除用户角色
|
|
|
if err := cfg.DB().Where("user_id = ? AND org_id = ?", userID, orgID).
|
|
|
Delete(&models.UserRole{}).Error; err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
// 删除用户特定权限
|
|
|
if err := cfg.DB().Where("user_id = ? AND org_id = ?", userID, orgID).
|
|
|
Delete(&models.UserPermission{}).Error; err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
incUserPermVersion(userID)
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
// ========== 权限查询实现 ==========
|
|
|
|
|
|
func (a *appAuth) CheckPermission(ctx context.Context, userID, orgID, permissionID, resourceID string) (bool, error) {
|
|
|
if strings.Count(permissionID, ":") == 1 {
|
|
|
permissionID = fmt.Sprintf("%s:%s", a.appKey, permissionID)
|
|
|
}
|
|
|
|
|
|
// Check cache
|
|
|
var cacheKey string
|
|
|
if cache.IsEnabled() {
|
|
|
ver := getUserPermVersion(userID)
|
|
|
cacheKey = fmt.Sprintf("auth:check:%s:%s:%s:%s:%s", userID, ver, orgID, permissionID, resourceID)
|
|
|
if val, err := cache.Get(cacheKey); err == nil {
|
|
|
return val == "1", nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
result, err := a.checkPermissionDB(ctx, userID, orgID, permissionID, resourceID)
|
|
|
if err != nil {
|
|
|
return false, err
|
|
|
}
|
|
|
|
|
|
// Cache result
|
|
|
if cache.IsEnabled() {
|
|
|
val := "0"
|
|
|
if result {
|
|
|
val = "1"
|
|
|
}
|
|
|
cache.Set(cacheKey, val, 5*time.Minute)
|
|
|
}
|
|
|
|
|
|
return result, nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) checkPermissionDB(ctx context.Context, userID, orgID, permissionID, resourceID string) (bool, error) {
|
|
|
fmt.Printf("[DEBUG] CheckPermission: userID=%s, orgID=%s, permID=%s, resID=%s\n", userID, orgID, permissionID, resourceID)
|
|
|
|
|
|
// 1. 检查用户是否有该权限的角色(包括当前组织角色和系统全局角色)
|
|
|
var roleIDs []string
|
|
|
roleQuery := cfg.DB().Model(&models.UserRole{}).
|
|
|
Where("user_id = ? AND (expire_at IS NULL OR expire_at > ?)", userID, time.Now())
|
|
|
|
|
|
if orgID != "" {
|
|
|
roleQuery = roleQuery.Where("org_id = ? OR org_id = ''", orgID)
|
|
|
} else {
|
|
|
roleQuery = roleQuery.Where("org_id = ''")
|
|
|
}
|
|
|
|
|
|
if err := roleQuery.Pluck("role_id", &roleIDs).Error; err != nil {
|
|
|
fmt.Printf("[DEBUG] CheckPermission: failed to get roles: %v\n", err)
|
|
|
return false, err
|
|
|
}
|
|
|
fmt.Printf("[DEBUG] CheckPermission: roleIDs=%v\n", roleIDs)
|
|
|
|
|
|
if len(roleIDs) > 0 {
|
|
|
// 构造可能的通配符权限ID
|
|
|
permsToCheck := []string{permissionID}
|
|
|
parts := strings.Split(permissionID, ":")
|
|
|
if len(parts) == 3 {
|
|
|
// app:resource:*
|
|
|
permsToCheck = append(permsToCheck, fmt.Sprintf("%s:%s:*", parts[0], parts[1]))
|
|
|
// app:*:*
|
|
|
permsToCheck = append(permsToCheck, fmt.Sprintf("%s:*:*", parts[0]))
|
|
|
}
|
|
|
|
|
|
// 检查这些角色是否有所需权限
|
|
|
var count int64
|
|
|
if err := cfg.DB().Model(&models.RolePermission{}).
|
|
|
Where("role_id IN ? AND permission_id IN ?", roleIDs, permsToCheck).
|
|
|
Count(&count).Error; err != nil {
|
|
|
return false, err
|
|
|
}
|
|
|
fmt.Printf("[DEBUG] CheckPermission: role perm count=%d checked=%v\n", count, permsToCheck)
|
|
|
if count > 0 {
|
|
|
return true, nil
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// 2. 检查用户是否有特定的资源权限
|
|
|
// 构造可能的通配符权限ID (同上)
|
|
|
permsToCheck := []string{permissionID}
|
|
|
parts := strings.Split(permissionID, ":")
|
|
|
if len(parts) == 3 {
|
|
|
permsToCheck = append(permsToCheck, fmt.Sprintf("%s:%s:*", parts[0], parts[1]))
|
|
|
permsToCheck = append(permsToCheck, fmt.Sprintf("%s:*:*", parts[0]))
|
|
|
}
|
|
|
|
|
|
var userPermCount int64
|
|
|
query := cfg.DB().Model(&models.UserPermission{}).
|
|
|
Where("user_id = ? AND org_id = ? AND permission_id IN ? AND (expire_at IS NULL OR expire_at > ?)",
|
|
|
userID, orgID, permsToCheck, time.Now())
|
|
|
|
|
|
if resourceID != "" {
|
|
|
query = query.Where("resource_id = ? OR resource_id = '*'", resourceID)
|
|
|
}
|
|
|
|
|
|
if err := query.Count(&userPermCount).Error; err != nil {
|
|
|
return false, err
|
|
|
}
|
|
|
|
|
|
return userPermCount > 0, nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) ListUserPermissions(ctx context.Context, userID, orgID string) ([]models.UserPermissionResult, error) {
|
|
|
result := make([]models.UserPermissionResult, 0)
|
|
|
|
|
|
// 1. 获取用户角色对应的权限
|
|
|
var roleIDs []string
|
|
|
if err := cfg.DB().Model(&models.UserRole{}).
|
|
|
Where("user_id = ? AND org_id = ? AND (expire_at IS NULL OR expire_at > ?)",
|
|
|
userID, orgID, time.Now()).
|
|
|
Pluck("role_id", &roleIDs).Error; err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
|
|
|
if len(roleIDs) > 0 {
|
|
|
var permIDs []string
|
|
|
if err := cfg.DB().Model(&models.RolePermission{}).
|
|
|
Where("role_id IN ?", roleIDs).
|
|
|
Pluck("permission_id", &permIDs).Error; err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
|
|
|
for _, permID := range permIDs {
|
|
|
result = append(result, models.UserPermissionResult{
|
|
|
PermissionID: permID,
|
|
|
ResourceID: "*",
|
|
|
Actions: []string{"*"},
|
|
|
})
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// 2. 获取用户特定资源权限
|
|
|
var userPerms []models.UserPermission
|
|
|
if err := cfg.DB().Where("user_id = ? AND org_id = ? AND (expire_at IS NULL OR expire_at > ?)",
|
|
|
userID, orgID, time.Now()).
|
|
|
Find(&userPerms).Error; err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
|
|
|
for _, up := range userPerms {
|
|
|
result = append(result, models.UserPermissionResult{
|
|
|
PermissionID: up.PermissionID,
|
|
|
ResourceID: up.ResourceID,
|
|
|
Actions: []string{"*"},
|
|
|
})
|
|
|
}
|
|
|
|
|
|
return result, nil
|
|
|
}
|
|
|
|
|
|
func (a *appAuth) ListResourceUsers(ctx context.Context, orgID, permissionID, resourceID string) ([]models.ResourceUser, error) {
|
|
|
result := make([]models.ResourceUser, 0)
|
|
|
|
|
|
// 查询有该资源权限的用户
|
|
|
var userPerms []models.UserPermission
|
|
|
query := cfg.DB().Where("org_id = ? AND permission_id = ?", orgID, permissionID)
|
|
|
if resourceID != "" {
|
|
|
query = query.Where("resource_id = ? OR resource_id = '*'", resourceID)
|
|
|
}
|
|
|
|
|
|
if err := query.Find(&userPerms).Error; err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
|
|
|
userMap := make(map[string][]string)
|
|
|
for _, up := range userPerms {
|
|
|
userMap[up.UserID] = append(userMap[up.UserID], "*")
|
|
|
}
|
|
|
|
|
|
for userID, actions := range userMap {
|
|
|
result = append(result, models.ResourceUser{
|
|
|
UserID: userID,
|
|
|
Actions: actions,
|
|
|
})
|
|
|
}
|
|
|
|
|
|
return result, nil
|
|
|
}
|
|
|
|
|
|
// ========== 辅助方法 ==========
|
|
|
|
|
|
func (a *appAuth) isAdmin(ctx context.Context, userID, orgID string) (bool, error) {
|
|
|
// 检查用户是否有管理员角色
|
|
|
var adminRoleIDs []string
|
|
|
if err := cfg.DB().Model(&models.Role{}).
|
|
|
Where("code = 'admin'").
|
|
|
Pluck("id", &adminRoleIDs).Error; err != nil {
|
|
|
return false, err
|
|
|
}
|
|
|
|
|
|
if len(adminRoleIDs) == 0 {
|
|
|
return false, nil
|
|
|
}
|
|
|
|
|
|
var count int64
|
|
|
if err := cfg.DB().Model(&models.UserRole{}).
|
|
|
Where("user_id = ? AND org_id = ? AND role_id IN ?", userID, orgID, adminRoleIDs).
|
|
|
Count(&count).Error; err != nil {
|
|
|
return false, err
|
|
|
}
|
|
|
|
|
|
return count > 0, nil
|
|
|
}
|
|
|
|
|
|
// 从 context 获取用户ID
|
|
|
func getUserID(x *vigo.X) string {
|
|
|
if userID, ok := x.Get("user_id").(string); ok {
|
|
|
return userID
|
|
|
}
|
|
|
return ""
|
|
|
}
|
|
|
|
|
|
// 从 context 获取组织ID
|
|
|
func getOrgID(x *vigo.X) string {
|
|
|
if orgID, ok := x.Get("org_id").(string); ok {
|
|
|
return orgID
|
|
|
}
|
|
|
return ""
|
|
|
}
|
|
|
|
|
|
// ========== Cache Helpers ==========
|
|
|
|
|
|
func getUserPermVersion(userID string) string {
|
|
|
if !cache.IsEnabled() {
|
|
|
return "0"
|
|
|
}
|
|
|
key := fmt.Sprintf("auth:user_ver:%s", userID)
|
|
|
ver, err := cache.Client.Get(cache.Ctx, key).Result()
|
|
|
if err != nil {
|
|
|
return "0"
|
|
|
}
|
|
|
return ver
|
|
|
}
|
|
|
|
|
|
func incUserPermVersion(userID string) {
|
|
|
if !cache.IsEnabled() {
|
|
|
return
|
|
|
}
|
|
|
key := fmt.Sprintf("auth:user_ver:%s", userID)
|
|
|
cache.Client.Incr(cache.Ctx, key)
|
|
|
}
|