Unverified commit 58c79abe, authored by Min Min, committed by GitHub

authorization system updates (#2868)

* first commit
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* authz api first try
Signed-off-by: NMin Min <minmin@koderover.com>

* service api done
Signed-off-by: NMin Min <minmin@koderover.com>

* change authz check order to avoid panic
Signed-off-by: NMin Min <minmin@koderover.com>

* change authorization logic to avoid possible panic
Signed-off-by: NMin Min <minmin@koderover.com>

* build module done & merge user client for picket(aslan)
Signed-off-by: NMin Min <minmin@koderover.com>

* fix policy(aslan)-user dependency
Signed-off-by: NMin Min <minmin@koderover.com>

* delivery module done
Signed-off-by: NMin Min <minmin@koderover.com>

* moving code
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <jamsman94@gmail.com>

* update collaboration mode apis
Signed-off-by: NMin Min <jamsman94@gmail.com>

* env half done
Signed-off-by: NMin Min <minmin@koderover.com>

* environment part fully done
Signed-off-by: NMin Min <jamsman94@gmail.com>

* project done
Signed-off-by: NMin Min <minmin@koderover.com>

* remove unused package
Signed-off-by: NMin Min <minmin@koderover.com>

* debug logs & some system level authorization problems
Signed-off-by: NMin Min <minmin@koderover.com>

* fix project list logic
Signed-off-by: NMin Min <minmin@koderover.com>

* added query logic in mongodb
Signed-off-by: NMin Min <minmin@koderover.com>

* fix collaboration mode creation error
Signed-off-by: NMin Min <minmin@koderover.com>

* system authorization done
Signed-off-by: NMin Min <minmin@koderover.com>

* collaboration mode fix for environment
Signed-off-by: NMin Min <minmin@koderover.com>

* more collaboration mode fix for environments
Signed-off-by: NMin Min <minmin@koderover.com>

* minor debug
Signed-off-by: NMin Min <minmin@koderover.com>

* delivery center authz change
Signed-off-by: NMin Min <minmin@koderover.com>

* workflow view authz fix
Signed-off-by: NMin Min <minmin@koderover.com>

* workflow v4 filter & trigger filter
Signed-off-by: NMin Min <minmin@koderover.com>

* debug logs for list workflows
Signed-off-by: NMin Min <minmin@koderover.com>

* workflow module done for test
Signed-off-by: NMin Min <minmin@koderover.com>

* fix init_info api authz problem
Signed-off-by: NMin Min <minmin@koderover.com>

* fix production env creation problem
Signed-off-by: NMin Min <minmin@koderover.com>

* fixed envcfg related api authz
Signed-off-by: NMin Min <minmin@koderover.com>

* multiple authorization bugfix
Signed-off-by: NMin Min <minmin@koderover.com>

* remove admin initialization from aslan, moving it to user
Signed-off-by: NMin Min <minmin@koderover.com>

* remove useless code
Signed-off-by: NMin Min <minmin@koderover.com>

* user db moved
Signed-off-by: NMin Min <minmin@koderover.com>

* testing module done
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* fix list test workflows
Signed-off-by: NMin Min <minmin@koderover.com>

* added todo in comment
Signed-off-by: NMin Min <minmin@koderover.com>

* system config related authorization done
Signed-off-by: NMin Min <minmin@koderover.com>

* minor bugfix
Signed-off-by: NMin Min <minmin@koderover.com>

* fix workflow plugin stuff
Signed-off-by: NMin Min <minmin@koderover.com>

* user related api update
Signed-off-by: NMin Min <minmin@koderover.com>

* workflow edit bug fix
Signed-off-by: NMin Min <minmin@koderover.com>

* debug for list workflow task in product workflow
Signed-off-by: NMin Min <minmin@koderover.com>

* added collaboration mode permission check in user and use it in aslan
Signed-off-by: NMin Min <minmin@koderover.com>

* build service module authorization fix
Signed-off-by: NMin Min <minmin@koderover.com>

* added list authorized env api to make life easier & multiple environment api authorization fix
Signed-off-by: NMin Min <minmin@koderover.com>

* fix multiple permission problem with comments
Signed-off-by: NMin Min <minmin@koderover.com>

* extend permission for multiple apis temporarily
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* remove project-only authorization
Signed-off-by: NMin Min <minmin@koderover.com>

* get user role update
Signed-off-by: NMin Min <minmin@koderover.com>

* revert api deletion
Signed-off-by: NMin Min <minmin@koderover.com>

* read-project-only permission change
Signed-off-by: NMin Min <minmin@koderover.com>

* update collaboration mode handle logic
Signed-off-by: NMin Min <minmin@koderover.com>

* bugfix
Signed-off-by: NMin Min <minmin@koderover.com>

* debug info & warn log removal
Signed-off-by: NMin Min <minmin@koderover.com>

* even more debug logs
Signed-off-by: NMin Min <minmin@koderover.com>

* environment filter update
Signed-off-by: NMin Min <minmin@koderover.com>

* fixed wrong list env logic
Signed-off-by: NMin Min <minmin@koderover.com>

* fix panic bug
Signed-off-by: NMin Min <minmin@koderover.com>

* added testing filtering
Signed-off-by: NMin Min <minmin@koderover.com>

* debug logs & added project auth info for public project
Signed-off-by: NMin Min <minmin@koderover.com>

* new permission logic for menu
Signed-off-by: NMin Min <minmin@koderover.com>

* remove useless code
Signed-off-by: NMin Min <minmin@koderover.com>

* remove bundle
Signed-off-by: NMin Min <minmin@koderover.com>

* added some policies back
Signed-off-by: NMin Min <minmin@koderover.com>

* remove useless code
Signed-off-by: NMin Min <minmin@koderover.com>

* implement multiple authorization leaks on purpose
Signed-off-by: NMin Min <minmin@koderover.com>

* remove authorization check for helm chart version
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* update production env support for user
Signed-off-by: NMin Min <minmin@koderover.com>

* multiple auth leaks
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* production env permission
Signed-off-by: NMin Min <minmin@koderover.com>

* ...'
Signed-off-by: NMin Min <minmin@koderover.com>

* bugfix for permission
Signed-off-by: NMin Min <minmin@koderover.com>

* debug update service
Signed-off-by: NMin Min <minmin@koderover.com>

* debug
Signed-off-by: NMin Min <minmin@koderover.com>

* remove useless comments
Signed-off-by: NMin Min <minmin@koderover.com>

---------
Signed-off-by: NMin Min <minmin@koderover.com>
Signed-off-by: NMin Min <jamsman94@gmail.com>
Co-authored-by: NMin Min <minmin@koderover.com>
Parent a1200a0a
...@@ -8,7 +8,7 @@ IMAGE_REPOSITORY ?= koderover.tencentcloudcr.com/koderover-public ...@@ -8,7 +8,7 @@ IMAGE_REPOSITORY ?= koderover.tencentcloudcr.com/koderover-public
IMAGE_REPOSITORY := $(IMAGE_REPOSITORY) IMAGE_REPOSITORY := $(IMAGE_REPOSITORY)
VERSION ?= $(shell date +'%Y%m%d%H%M%S') VERSION ?= $(shell date +'%Y%m%d%H%M%S')
VERSION := $(VERSION) VERSION := $(VERSION)
MICROSERVICE_TARGETS = aslan cron executor hub-agent hub-server init jenkins-plugin packager-plugin predator-plugin ua warpdrive MICROSERVICE_TARGETS = aslan cron executor hub-agent hub-server init jenkins-plugin packager-plugin predator-plugin ua user warpdrive
BUILD_BASE_TARGETS = focal bionic BUILD_BASE_TARGETS = focal bionic
DEBUG_TOOLS_TARGETS = zadig-debug zgctl-sidecar DEBUG_TOOLS_TARGETS = zadig-debug zgctl-sidecar
......
/*
Copyright 2023 The KodeRover Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"log"
"os/signal"
"syscall"
"github.com/koderover/zadig/pkg/microservice/user/server"
)
func main() {
ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
go func() {
<-ctx.Done()
stop()
}()
if err := server.Serve(ctx); err != nil {
log.Fatal(err)
}
}
FROM golang:1.19.1-alpine as build
WORKDIR /app
ENV CGO_ENABLED=0 GOOS=linux
ENV GOPROXY=https://goproxy.cn,direct
ENV GOCACHE=/gocache
COPY go.mod go.sum ./
COPY cmd cmd
COPY pkg pkg
RUN go mod download
RUN --mount=type=cache,id=gobuild,target=/gocache \
go build -v -o /user ./cmd/user/main.go
FROM alpine/git:v2.36.3
# https://wiki.alpinelinux.org/wiki/Setting_the_timezone
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && \
apk add tzdata && \
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
echo Asia/Shanghai > /etc/timezone && \
apk del tzdata
WORKDIR /app
COPY --from=build /user .
ENTRYPOINT ["/app/user"]
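Review bot: The runtime stage (FROM alpine/git:v2.36.3 down to ENTRYPOINT ["/app/user"]) has no USER line, so the new user service, which per this commit now owns authorization and admin initialization, runs as root in its container. Create an unprivileged account in the same RUN step and add a USER line before ENTRYPOINT. In the build stage, RUN go mod download comes after COPY cmd cmd and COPY pkg pkg, so any source change invalidates the module-download layer; moving it directly after COPY go.mod go.sum ./ restores the cache.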
...@@ -81,6 +81,10 @@ func AslanServiceInfo() *setting.ServiceInfo { ...@@ -81,6 +81,10 @@ func AslanServiceInfo() *setting.ServiceInfo {
return GetServiceByCode(setting.Aslan) return GetServiceByCode(setting.Aslan)
} }
func UserServiceInfo() *setting.ServiceInfo {
return GetServiceByCode(setting.User)
}
func SecretKey() string { func SecretKey() string {
return viper.GetString(setting.ENVSecretKey) return viper.GetString(setting.ENVSecretKey)
} }
...@@ -90,12 +94,9 @@ func AslanServiceAddress() string { ...@@ -90,12 +94,9 @@ func AslanServiceAddress() string {
return GetServiceAddress(s.Name, s.Port) return GetServiceAddress(s.Name, s.Port)
} }
func AslanServiceName() string { func UserServiceAddress() string {
return AslanServiceInfo().Name s := UserServiceInfo()
} return GetServiceAddress(s.Name, s.Port)
func AslanServicePort() int32 {
return AslanServiceInfo().Port
} }
func AslanxServiceInfo() *setting.ServiceInfo { func AslanxServiceInfo() *setting.ServiceInfo {
...@@ -107,14 +108,6 @@ func AslanxServiceAddress() string { ...@@ -107,14 +108,6 @@ func AslanxServiceAddress() string {
return GetServiceAddress(s.Name, s.Port) return GetServiceAddress(s.Name, s.Port)
} }
func AslanxServiceName() string {
return AslanxServiceInfo().Name
}
func AslanxServicePort() int32 {
return AslanxServiceInfo().Port
}
func HubServerServiceInfo() *setting.ServiceInfo { func HubServerServiceInfo() *setting.ServiceInfo {
return GetServiceByCode(setting.HubServer) return GetServiceByCode(setting.HubServer)
} }
...@@ -261,14 +254,6 @@ func MysqlHost() string { ...@@ -261,14 +254,6 @@ func MysqlHost() string {
return viper.GetString(setting.ENVMysqlHost) return viper.GetString(setting.ENVMysqlHost)
} }
func AdminEmail() string {
return viper.GetString(setting.ENVAdminEmail)
}
func AdminPassword() string {
return viper.GetString(setting.ENVAdminPassword)
}
func Namespace() string { func Namespace() string {
return viper.GetString(setting.ENVNamespace) return viper.GetString(setting.ENVNamespace)
} }
......
...@@ -19,9 +19,11 @@ package handler ...@@ -19,9 +19,11 @@ package handler
import ( import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"fmt"
"io" "io"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/types"
buildservice "github.com/koderover/zadig/pkg/microservice/aslan/core/build/service" buildservice "github.com/koderover/zadig/pkg/microservice/aslan/core/build/service"
commonmodels "github.com/koderover/zadig/pkg/microservice/aslan/core/common/repository/models" commonmodels "github.com/koderover/zadig/pkg/microservice/aslan/core/common/repository/models"
...@@ -31,22 +33,135 @@ import ( ...@@ -31,22 +33,135 @@ import (
) )
func FindBuildModule(c *gin.Context) { func FindBuildModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
ctx.Resp, ctx.Err = buildservice.FindBuild(c.Param("name"), c.Query("projectName"), ctx.Logger) if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Build.View {
ctx.UnAuthorized = true
return
}
}
ctx.Resp, ctx.Err = buildservice.FindBuild(c.Param("name"), projectKey, ctx.Logger)
} }
func ListBuildModules(c *gin.Context) { func ListBuildModules(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
ctx.Resp, ctx.Err = buildservice.ListBuild(c.Query("name"), c.Query("targets"), c.Query("projectName"), ctx.Logger) if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
// TODO: Authorization leak
// this API is sometimes used in edit env scenario, thus giving the edit/create workflow permission
// authorization check
permitted := false
if ctx.Resources.IsSystemAdmin {
permitted = true
}
if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
// first check if the user is projectAdmin
if projectAuthInfo.IsProjectAdmin {
permitted = true
}
// then check if user has edit workflow permission
if projectAuthInfo.Env.EditConfig ||
projectAuthInfo.Build.View {
permitted = true
}
// finally check if the permission is given by collaboration mode
collaborationAuthorizedEdit, err := internalhandler.CheckPermissionGivenByCollaborationMode(ctx.UserID, projectKey, types.ResourceTypeEnvironment, types.EnvActionEditConfig)
if err == nil {
permitted = collaborationAuthorizedEdit
}
}
if !permitted {
ctx.UnAuthorized = true
return
}
ctx.Resp, ctx.Err = buildservice.ListBuild(c.Query("name"), c.Query("targets"), projectKey, ctx.Logger)
} }
func ListBuildModulesByServiceModule(c *gin.Context) { func ListBuildModulesByServiceModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
// TODO: Authorization leak
// this API is sometimes used in edit/create workflow scenario, thus giving the edit/create workflow permission
// authorization check
permitted := false
if ctx.Resources.IsSystemAdmin {
permitted = true
}
if ctx.Resources.SystemActions.Template.Create ||
ctx.Resources.SystemActions.Template.Edit {
permitted = true
}
if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
// first check if the user is projectAdmin
if projectAuthInfo.IsProjectAdmin {
permitted = true
}
// then check if user has edit workflow permission
if projectAuthInfo.Workflow.Edit ||
projectAuthInfo.Workflow.Create ||
projectAuthInfo.Build.View {
permitted = true
}
// finally check if the permission is given by collaboration mode
collaborationAuthorizedEdit, err := internalhandler.CheckPermissionGivenByCollaborationMode(ctx.UserID, projectKey, types.ResourceTypeWorkflow, types.WorkflowActionEdit)
if err == nil {
permitted = collaborationAuthorizedEdit
}
}
if !permitted {
ctx.UnAuthorized = true
return
}
var excludeJenkins, updateServiceRevision bool var excludeJenkins, updateServiceRevision bool
if c.Query("excludeJenkins") == "true" { if c.Query("excludeJenkins") == "true" {
excludeJenkins = true excludeJenkins = true
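Review bot: In ListBuildModules and ListBuildModulesByServiceModule the collaboration-mode result is assigned, not OR-ed: when err == nil, permitted = collaborationAuthorizedEdit replaces whatever IsSystemAdmin, IsProjectAdmin or the Build.View / Workflow.Edit checks just granted, so any user with a ProjectAuthInfo entry is decided by the collaboration check alone. Use permitted = permitted || collaborationAuthorizedEdit, or only call CheckPermissionGivenByCollaborationMode when permitted is still false, which also saves the extra lookup. Two smaller points in the same blocks: the inner err := shadows the err returned by NewContextWithAuthorization, and in ListBuildModules the comment "then check if user has edit workflow permission" sits above a test of Env.EditConfig and Build.View. The "TODO: Authorization leak" comments should say which permission is the intended one so the widening can be removed later.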
...@@ -54,13 +169,20 @@ func ListBuildModulesByServiceModule(c *gin.Context) { ...@@ -54,13 +169,20 @@ func ListBuildModulesByServiceModule(c *gin.Context) {
updateServiceRevision = c.Query("updateServiceRevision") == "true" updateServiceRevision = c.Query("updateServiceRevision") == "true"
envName := c.Query("envName") envName := c.Query("envName")
ctx.Resp, ctx.Err = buildservice.ListBuildModulesByServiceModule(c.Query("encryptedKey"), c.Query("projectName"), envName, excludeJenkins, updateServiceRevision, ctx.Logger) ctx.Resp, ctx.Err = buildservice.ListBuildModulesByServiceModule(c.Query("encryptedKey"), projectKey, envName, excludeJenkins, updateServiceRevision, ctx.Logger)
} }
func CreateBuildModule(c *gin.Context) { func CreateBuildModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(commonmodels.Build) args := new(commonmodels.Build)
data, err := c.GetRawData() data, err := c.GetRawData()
if err != nil { if err != nil {
...@@ -78,13 +200,33 @@ func CreateBuildModule(c *gin.Context) { ...@@ -78,13 +200,33 @@ func CreateBuildModule(c *gin.Context) {
return return
} }
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProductName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProductName].Build.Create {
ctx.UnAuthorized = true
return
}
}
ctx.Err = buildservice.CreateBuild(ctx.UserName, args, ctx.Logger) ctx.Err = buildservice.CreateBuild(ctx.UserName, args, ctx.Logger)
} }
func UpdateBuildModule(c *gin.Context) { func UpdateBuildModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(commonmodels.Build) args := new(commonmodels.Build)
data, err := c.GetRawData() data, err := c.GetRawData()
if err != nil { if err != nil {
...@@ -101,29 +243,72 @@ func UpdateBuildModule(c *gin.Context) { ...@@ -101,29 +243,72 @@ func UpdateBuildModule(c *gin.Context) {
ctx.Err = e.ErrInvalidParam.AddDesc("invalid Build args") ctx.Err = e.ErrInvalidParam.AddDesc("invalid Build args")
return return
} }
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProductName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProductName].Build.Edit {
ctx.UnAuthorized = true
return
}
}
ctx.Err = buildservice.UpdateBuild(ctx.UserName, args, ctx.Logger) ctx.Err = buildservice.UpdateBuild(ctx.UserName, args, ctx.Logger)
} }
func DeleteBuildModule(c *gin.Context) { func DeleteBuildModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
name := c.Query("name") name := c.Query("name")
productName := c.Query("projectName") projectKey := c.Query("projectName")
internalhandler.InsertOperationLog(c, ctx.UserName, productName, "删除", "项目管理-构建", name, "", ctx.Logger) internalhandler.InsertOperationLog(c, ctx.UserName, projectKey, "删除", "项目管理-构建", name, "", ctx.Logger)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Build.Delete {
ctx.UnAuthorized = true
return
}
}
if name == "" { if name == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("empty Name") ctx.Err = e.ErrInvalidParam.AddDesc("empty Name")
return return
} }
ctx.Err = buildservice.DeleteBuild(name, productName, ctx.Logger) ctx.Err = buildservice.DeleteBuild(name, projectKey, ctx.Logger)
} }
func UpdateBuildTargets(c *gin.Context) { func UpdateBuildTargets(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
args := new(struct { args := new(struct {
Name string `json:"name" binding:"required"` Name string `json:"name" binding:"required"`
Targets []*commonmodels.ServiceModuleTarget `json:"targets" binding:"required"` Targets []*commonmodels.ServiceModuleTarget `json:"targets" binding:"required"`
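Review bot: In DeleteBuildModule, internalhandler.InsertOperationLog(...) runs before the authorization checks, so a caller who is then rejected with ctx.UnAuthorized = true has already written a delete entry against whatever projectName they supplied. Move the log call below the Build.Delete check (and below the name == "" validation) so the operation log only records requests that were allowed to proceed, or record denied attempts under a separate action so they can be told apart.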
...@@ -139,7 +324,7 @@ func UpdateBuildTargets(c *gin.Context) { ...@@ -139,7 +324,7 @@ func UpdateBuildTargets(c *gin.Context) {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
} }
internalhandler.InsertOperationLog(c, ctx.UserName, c.Query("projectName"), "更新", "项目管理-服务组件", args.Name, string(data), ctx.Logger) internalhandler.InsertOperationLog(c, ctx.UserName, projectKey, "更新", "项目管理-服务组件", args.Name, string(data), ctx.Logger)
c.Request.Body = io.NopCloser(bytes.NewBuffer(data)) c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
if err := c.BindJSON(args); err != nil { if err := c.BindJSON(args); err != nil {
...@@ -147,5 +332,18 @@ func UpdateBuildTargets(c *gin.Context) { ...@@ -147,5 +332,18 @@ func UpdateBuildTargets(c *gin.Context) {
return return
} }
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Build.Edit {
ctx.UnAuthorized = true
return
}
}
ctx.Err = buildservice.UpdateBuildTargets(args.Name, c.Query("projectName"), args.Targets, ctx.Logger) ctx.Err = buildservice.UpdateBuildTargets(args.Name, c.Query("projectName"), args.Targets, ctx.Logger)
} }
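Review bot: The last line still passes c.Query("projectName") to buildservice.UpdateBuildTargets while the new Build.Edit check is keyed on projectKey. Both read the same parameter today, but pass projectKey to the service call so the value that was authorized is the value that is acted on. The check also indexes ctx.Resources.ProjectAuthInfo[projectKey] three times; binding the entry once (info, ok := ...) makes the condition easier to read.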
...@@ -17,6 +17,8 @@ limitations under the License. ...@@ -17,6 +17,8 @@ limitations under the License.
package handler package handler
import ( import (
"fmt"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
buildservice "github.com/koderover/zadig/pkg/microservice/aslan/core/build/service" buildservice "github.com/koderover/zadig/pkg/microservice/aslan/core/build/service"
...@@ -25,9 +27,16 @@ import ( ...@@ -25,9 +27,16 @@ import (
) )
func OpenAPICreateBuildModule(c *gin.Context) { func OpenAPICreateBuildModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
source := c.Query("source") source := c.Query("source")
if source == "template" { if source == "template" {
...@@ -35,6 +44,20 @@ func OpenAPICreateBuildModule(c *gin.Context) { ...@@ -35,6 +44,20 @@ func OpenAPICreateBuildModule(c *gin.Context) {
err := c.BindJSON(args) err := c.BindJSON(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error()) ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProjectName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProjectName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProjectName].Build.Create {
ctx.UnAuthorized = true
return
}
} }
isValid, err := args.Validate() isValid, err := args.Validate()
...@@ -48,9 +71,23 @@ func OpenAPICreateBuildModule(c *gin.Context) { ...@@ -48,9 +71,23 @@ func OpenAPICreateBuildModule(c *gin.Context) {
} }
args := new(buildservice.OpenAPIBuildCreationReq) args := new(buildservice.OpenAPIBuildCreationReq)
err := c.BindJSON(args) err = c.BindJSON(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error()) ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProjectName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProjectName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProjectName].Build.Create {
ctx.UnAuthorized = true
return
}
} }
isValid, err := args.Validate() isValid, err := args.Validate()
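Review bot: The Build.Create block after err = c.BindJSON(args) is a line-for-line repeat of the one in the source == "template" branch above it, and both follow the same shape as the checks in the other build handlers. Pull it into one helper that takes the project key and the required action and returns a bool, so a future change to the rule (for example adding a collaboration-mode check) cannot be applied to one branch and missed in the other.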
...@@ -63,13 +100,33 @@ func OpenAPICreateBuildModule(c *gin.Context) { ...@@ -63,13 +100,33 @@ func OpenAPICreateBuildModule(c *gin.Context) {
} }
func OpenAPIDeleteBuildModule(c *gin.Context) { func OpenAPIDeleteBuildModule(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
buildName := c.Query("buildName") if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
buildName := c.Query("name")
projectKey := c.Query("projectKey") projectKey := c.Query("projectKey")
internalhandler.InsertOperationLog(c, ctx.UserName, projectKey, "(OpenAPI)"+"删除", "项目管理-构建", buildName, "", ctx.Logger) internalhandler.InsertOperationLog(c, ctx.UserName, projectKey, "(OpenAPI)"+"删除", "项目管理-构建", buildName, "", ctx.Logger)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Build.Delete {
ctx.UnAuthorized = true
return
}
}
if buildName == "" { if buildName == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("empty build name.") ctx.Err = e.ErrInvalidParam.AddDesc("empty build name.")
return return
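Review bot: buildName := c.Query("name") changes the query parameter OpenAPIDeleteBuildModule reads from buildName to name with no note in the commit message; existing OpenAPI clients that still send buildName will now get "empty build name.". Either accept both names for a deprecation period or document the change. This handler also reads the project from projectKey while the non-OpenAPI handlers in this commit read projectName, and InsertOperationLog is called before the Build.Delete check, so rejected requests still produce a delete log entry.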
......
...@@ -17,29 +17,111 @@ limitations under the License. ...@@ -17,29 +17,111 @@ limitations under the License.
package handler package handler
import ( import (
"fmt"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/types"
buildservice "github.com/koderover/zadig/pkg/microservice/aslan/core/build/service" buildservice "github.com/koderover/zadig/pkg/microservice/aslan/core/build/service"
internalhandler "github.com/koderover/zadig/pkg/shared/handler" internalhandler "github.com/koderover/zadig/pkg/shared/handler"
) )
func ListDeployTarget(c *gin.Context) { func ListDeployTarget(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
ctx.Resp, ctx.Err = buildservice.ListDeployTarget(c.Query("projectName"), ctx.Logger) if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
// TODO: Authorization leak
// this API is sometimes used in edit/create workflow scenario, thus giving the edit/create workflow permission
// authorization checks
permitted := false
if ctx.Resources.IsSystemAdmin {
permitted = true
}
if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
// first check if the user is projectAdmin
if projectAuthInfo.IsProjectAdmin {
permitted = true
}
// then check if user has edit workflow permission
if projectAuthInfo.Service.View ||
projectAuthInfo.Env.EditConfig {
permitted = true
}
// finally check if the permission is given by collaboration mode
collaborationAuthorizedEdit, err := internalhandler.CheckPermissionGivenByCollaborationMode(ctx.UserID, projectKey, types.ResourceTypeEnvironment, types.EnvActionEditConfig)
if err == nil {
permitted = collaborationAuthorizedEdit
}
}
if !permitted {
ctx.UnAuthorized = true
return
}
ctx.Resp, ctx.Err = buildservice.ListDeployTarget(projectKey, ctx.Logger)
} }
func ListBuildModulesForProduct(c *gin.Context) { func ListBuildModulesForProduct(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
productName := c.Param("productName") if err != nil {
containerList, err := buildservice.ListContainers(productName, ctx.Logger) ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Param("productName")
// TODO: Authorization leak
// authorization checks
permitted := false
if ctx.Resources.IsSystemAdmin {
permitted = true
}
if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
if projectedAuthInfo.IsProjectAdmin {
permitted = true
}
if projectedAuthInfo.Build.View ||
projectedAuthInfo.Workflow.Execute {
permitted = true
}
collaborationAuthorizedEdit, err := internalhandler.CheckPermissionGivenByCollaborationMode(ctx.UserID, projectKey, types.ResourceTypeWorkflow, types.WorkflowActionRun)
if err == nil {
permitted = collaborationAuthorizedEdit
}
}
if !permitted {
ctx.UnAuthorized = true
return
}
containerList, err := buildservice.ListContainers(projectKey, ctx.Logger)
if err != nil { if err != nil {
ctx.Err = err ctx.Err = err
return return
} }
ctx.Resp, ctx.Err = buildservice.ListBuildForProduct(productName, containerList, ctx.Logger) ctx.Resp, ctx.Err = buildservice.ListBuildForProduct(projectKey, containerList, ctx.Logger)
} }
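Review bot: Both ListDeployTarget and ListBuildModulesForProduct end their permission block with permitted = collaborationAuthorizedEdit when err == nil, which discards a grant already made by IsProjectAdmin, Service.View, Env.EditConfig, Build.View or Workflow.Execute for any user who has a ProjectAuthInfo entry. The assignment should only ever raise permitted, never lower it. In ListBuildModulesForProduct the "TODO: Authorization leak" comment gives no reason for accepting Workflow.Execute, unlike the one in ListDeployTarget; state the scenario that needs it. The variable projectedAuthInfo looks like a typo for projectAuthInfo, and in ListDeployTarget the comment "then check if user has edit workflow permission" does not match the Service.View / Env.EditConfig test beneath it.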
...@@ -28,7 +28,7 @@ import ( ...@@ -28,7 +28,7 @@ import (
commonmodels "github.com/koderover/zadig/pkg/microservice/aslan/core/collaboration/repository/models" commonmodels "github.com/koderover/zadig/pkg/microservice/aslan/core/collaboration/repository/models"
"github.com/koderover/zadig/pkg/microservice/aslan/core/collaboration/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/collaboration/service"
"github.com/koderover/zadig/pkg/microservice/aslan/core/common/service/collaboration" "github.com/koderover/zadig/pkg/microservice/aslan/core/common/service/collaboration"
"github.com/koderover/zadig/pkg/microservice/user/core/service/user" "github.com/koderover/zadig/pkg/shared/client/user"
internalhandler "github.com/koderover/zadig/pkg/shared/handler" internalhandler "github.com/koderover/zadig/pkg/shared/handler"
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
"github.com/koderover/zadig/pkg/tool/log" "github.com/koderover/zadig/pkg/tool/log"
...@@ -164,7 +164,7 @@ func generateCollaborationDetailLog(username string, args *commonmodels.Collabor ...@@ -164,7 +164,7 @@ func generateCollaborationDetailLog(username string, args *commonmodels.Collabor
detail := "协作模式名称:" + args.Name + "\n\n" detail := "协作模式名称:" + args.Name + "\n\n"
// user part // user part
userResp, err := user.SearchUsersByUIDs(allUserIDSet.List(), logger) userResp, err := user.New().SearchUsersByIDList(allUserIDSet.List())
if err != nil { if err != nil {
return "", fmt.Errorf("failed to search users by uids(%v), err: %v", args.Members, err) return "", fmt.Errorf("failed to search users by uids(%v), err: %v", args.Members, err)
} }
......
...@@ -138,18 +138,37 @@ type ProductListByFilterOpt struct { ...@@ -138,18 +138,37 @@ type ProductListByFilterOpt struct {
} }
func (c *ProductColl) PageListProjectByFilter(opt ProductListByFilterOpt) ([]*ProjectInfo, int, error) { func (c *ProductColl) PageListProjectByFilter(opt ProductListByFilterOpt) ([]*ProjectInfo, int, error) {
filter := bson.M{} fullFindOptions := []bson.M{
if opt.Filter != "" { {"public": true},
filter["$or"] = bson.A{
bson.M{"project_name": bson.M{"$regex": opt.Filter, "$options": "i"}},
bson.M{"product_name": bson.M{"$regex": opt.Filter, "$options": "i"}},
bson.M{"project_name_pinyin": bson.M{"$regex": opt.Filter, "$options": "i"}},
bson.M{"project_name_pinyin_first_letter": bson.M{"$regex": opt.Filter, "$options": "i"}},
}
} }
if len(opt.Names) > 0 { if len(opt.Names) > 0 {
filter["product_name"] = bson.M{"$in": opt.Names} fullFindOptions = append(fullFindOptions, bson.M{"product_name": bson.M{"$in": opt.Names}})
} else {
fullFindOptions = append(fullFindOptions, bson.M{"product_name": bson.M{"$ne": ""}})
}
findOption := bson.M{
"$or": fullFindOptions,
}
finalSearchCondition := []bson.M{
findOption,
}
if opt.Filter != "" {
finalSearchCondition = append(finalSearchCondition, bson.M{
"$or": bson.A{
bson.M{"project_name": bson.M{"$regex": opt.Filter, "$options": "i"}},
bson.M{"product_name": bson.M{"$regex": opt.Filter, "$options": "i"}},
bson.M{"project_name_pinyin": bson.M{"$regex": opt.Filter, "$options": "i"}},
bson.M{"project_name_pinyin_first_letter": bson.M{"$regex": opt.Filter, "$options": "i"}},
},
})
}
filter := bson.M{
"$and": finalSearchCondition,
} }
projection := bson.M{ projection := bson.M{
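Review bot: In PageListProjectByFilter the new `else` branch turns an empty opt.Names into `{"product_name": {"$ne": ""}}`, which matches every project, so "no names supplied" and "caller is allowed no projects" are indistinguishable and the second case fails open. If opt.Names is ever built from a user's authorized project list, an empty list must yield only the public projects. Add an explicit field on ProductListByFilterOpt for the unrestricted case and keep the empty slice restrictive. Separately, opt.Filter still goes into `$regex` unescaped in four clauses; passing it through regexp.QuoteMeta would make the search literal and avoid pathological patterns.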
...@@ -240,14 +259,30 @@ func (c *ProductColl) ListProjectBriefs(inNames []string) ([]*ProjectInfo, error ...@@ -240,14 +259,30 @@ func (c *ProductColl) ListProjectBriefs(inNames []string) ([]*ProjectInfo, error
} }
func (c *ProductColl) listProjects(inNames []string, projection bson.M) ([]*ProjectInfo, error) { func (c *ProductColl) listProjects(inNames []string, projection bson.M) ([]*ProjectInfo, error) {
filter := bson.M{} filter := []bson.M{
{"public": true},
}
if len(inNames) > 0 { if len(inNames) > 0 {
filter["product_name"] = bson.M{"$in": inNames} filter = append(filter, bson.M{
"product_name": bson.M{
"$in": inNames,
},
})
} else {
filter = append(filter, bson.M{
"product_name": bson.M{
"$ne": "",
},
})
}
query := bson.M{
"$or": filter,
} }
pipeline := []bson.M{ pipeline := []bson.M{
{ {
"$match": filter, "$match": query,
}, },
{ {
"$project": projection, "$project": projection,
......
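Review bot: listProjects gets the same fallback as PageListProjectByFilter: with an empty inNames the `$or` contains `{"product_name": {"$ne": ""}}` and the `$match` returns all projects, not just the public ones. Callers that pass the caller's permitted project names need a way to express "none" that does not widen to "all". Building the visibility clause in one shared helper used by both functions would also keep the two queries from drifting apart.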
/*
Copyright 2021 The KodeRover Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package user
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"errors"
"os"
)
var pub *rsa.PublicKey
func RSAEncrypt(plainText []byte) ([]byte, error) {
if err := LoadPubKey(""); err != nil {
return nil, err
}
//对明文进行加密
cipherText, err := rsa.EncryptPKCS1v15(rand.Reader, pub, plainText)
if err != nil {
return nil, err
}
//返回密文
return cipherText, nil
}
// LoadPubKey ...
func LoadPubKey(filename string) (err error) {
var block *pem.Block
if filename == "" {
block, _ = pem.Decode([]byte(defaultPublicKey))
} else {
b, err := os.ReadFile(filename)
if err != nil {
return err
}
block, _ = pem.Decode(b)
}
if block == nil {
return errors.New("public key error")
}
pubInterface, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return
}
pub = pubInterface.(*rsa.PublicKey)
return
}
var defaultPublicKey = `
-----BEGIN RSA PUBLIC KEY-----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-----END RSA PUBLIC KEY-----
`
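Review bot: `pub = pubInterface.(*rsa.PublicKey)` in LoadPubKey is an unchecked type assertion, so a PEM file holding a valid non-RSA PKIX key panics the caller instead of returning an error; use the two-value form and return an error. RSAEncrypt also re-parses the key and rewrites the package-level `pub` on every call without synchronization, which is a data race under concurrent use; parse once (for example with sync.Once) or have LoadPubKey return the key. rsa.EncryptPKCS1v15 rejects plaintext longer than the modulus size minus 11 bytes, so the size limit should be documented for callers, and rsa.EncryptOAEP is the better choice if the receiving side can be changed. The PEM label "RSA PUBLIC KEY" conventionally denotes PKCS#1 while the bytes are parsed with x509.ParsePKIXPublicKey; the label and the parser should agree.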
/*
Copyright 2023 The KodeRover Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package user
import (
"encoding/base64"
"encoding/json"
"time"
"github.com/gin-gonic/gin"
"go.uber.org/zap"
"github.com/koderover/zadig/pkg/config"
"github.com/koderover/zadig/pkg/microservice/policy/core/service"
userservice "github.com/koderover/zadig/pkg/microservice/user/core/service/user"
"github.com/koderover/zadig/pkg/setting"
internalhandler "github.com/koderover/zadig/pkg/shared/handler"
"github.com/koderover/zadig/pkg/tool/httpclient"
"github.com/koderover/zadig/pkg/tool/log"
)
func PresetSystemAdmin(email string, password, domain string, logger *zap.SugaredLogger) (string, bool, error) {
exist, err := userservice.CheckUserExist(logger)
if err != nil {
log.Errorf("failed to check user exist in db, error:%s", err)
return "", false, err
}
if exist {
log.Infof("User exists, skip it.")
return "", false, nil
}
userArgs := &userservice.User{
Name: setting.PresetAccount,
Password: password,
Account: setting.PresetAccount,
Email: email,
}
user, err := userservice.CreateUser(userArgs, logger)
if err != nil {
log.Errorf("created admin err:%s", err)
return "", false, err
}
// report register
err = reportRegister(domain, email)
if err != nil {
log.Errorf("reportRegister err: %s", err)
}
return user.UID, true, nil
}
func PresetRoleBinding(c *gin.Context, uid string, logger *zap.SugaredLogger) error {
args := &service.RoleBinding{
Name: config.RoleBindingNameFromUIDAndRole(uid, setting.SystemAdmin, "*"),
UID: uid,
Role: string(setting.SystemAdmin),
Type: setting.ResourceTypeSystem,
Preset: false,
}
data, err := json.Marshal(args)
if err != nil {
return err
}
detail := "用户:" + setting.PresetAccount + ",角色名称:" + args.Role
internalhandler.InsertDetailedOperationLog(c, "system", "", setting.OperationSceneSystem, "创建或更新", "系统角色绑定", detail, string(data), logger, args.Name)
return service.CreateOrUpdateSystemRoleBinding(service.SystemScope, args, logger)
}
type Register struct {
Domain string `json:"domain"`
Username string `json:"username"`
Email string `json:"email"`
CreatedAt int64 `json:"created_at"`
}
type Operation struct {
Data string `json:"data"`
}
func reportRegister(domain, email string) error {
register := Register{
Domain: domain,
Username: "admin",
Email: email,
CreatedAt: time.Now().Unix(),
}
registerByte, _ := json.Marshal(register)
encrypt, err := RSAEncrypt([]byte(registerByte))
if err != nil {
log.Errorf("RSAEncrypt err: %s", err)
return err
}
encodeString := base64.StdEncoding.EncodeToString(encrypt)
reqBody := Operation{Data: encodeString}
_, err = httpclient.Post("https://api.koderover.com/api/operation/admin/user", httpclient.SetBody(reqBody))
return err
}
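Review bot: reportRegister sends the installation domain and the administrator's email to a hard-coded external URL as part of PresetSystemAdmin, and nothing in this file lets an operator turn that off; gate it behind a configuration flag and document what is sent. The `json.Marshal` error is discarded, and because domain and email have caller-controlled length the payload can exceed what the PKCS#1 v1.5 call in RSAEncrypt accepts, in which case the report fails. PresetSystemAdmin takes a `logger` but logs through the package-level `log`, and in PresetRoleBinding InsertDetailedOperationLog records the binding before CreateOrUpdateSystemRoleBinding has succeeded, so a failed call still leaves an operation log entry.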
...@@ -31,9 +31,24 @@ import ( ...@@ -31,9 +31,24 @@ import (
) )
func ListDeliveryArtifacts(c *gin.Context) { func ListDeliveryArtifacts(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewArtifact {
ctx.UnAuthorized = true
return
}
}
args := new(commonrepo.DeliveryArtifactArgs) args := new(commonrepo.DeliveryArtifactArgs)
args.Type = c.Query("type") args.Type = c.Query("type")
args.Image = c.Query("image") args.Image = c.Query("image")
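Review bot: In ListDeliveryArtifacts the error branch dereferences ctx (`ctx.Logger`, `ctx.UserID`) and the deferred JSONResponse receives it as well, so this is only safe if NewContextWithAuthorization always returns a non-nil context together with its error; state that contract in a comment or add a nil guard. The same error block and admin-or-permission check is pasted into every handler touched by this patch. A shared helper or gin middleware that takes the required permission would remove the duplication and make it harder for one handler to end up with the wrong check.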
...@@ -46,7 +61,6 @@ func ListDeliveryArtifacts(c *gin.Context) { ...@@ -46,7 +61,6 @@ func ListDeliveryArtifacts(c *gin.Context) {
perPageStr := c.Query("per_page") perPageStr := c.Query("per_page")
pageStr := c.Query("page") pageStr := c.Query("page")
var ( var (
err error
perPage int perPage int
page int page int
) )
...@@ -78,9 +92,24 @@ func ListDeliveryArtifacts(c *gin.Context) { ...@@ -78,9 +92,24 @@ func ListDeliveryArtifacts(c *gin.Context) {
} }
func GetDeliveryArtifactIDByImage(c *gin.Context) { func GetDeliveryArtifactIDByImage(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewArtifact {
ctx.UnAuthorized = true
return
}
}
image := c.Query("image") image := c.Query("image")
if image == "" { if image == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("image can't be empty!") ctx.Err = e.ErrInvalidParam.AddDesc("image can't be empty!")
...@@ -94,9 +123,24 @@ func GetDeliveryArtifactIDByImage(c *gin.Context) { ...@@ -94,9 +123,24 @@ func GetDeliveryArtifactIDByImage(c *gin.Context) {
} }
func GetDeliveryArtifact(c *gin.Context) { func GetDeliveryArtifact(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewArtifact {
ctx.UnAuthorized = true
return
}
}
id := c.Param("id") id := c.Param("id")
if id == "" { if id == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("id can't be empty!") ctx.Err = e.ErrInvalidParam.AddDesc("id can't be empty!")
...@@ -109,6 +153,7 @@ func GetDeliveryArtifact(c *gin.Context) { ...@@ -109,6 +153,7 @@ func GetDeliveryArtifact(c *gin.Context) {
ctx.Resp, ctx.Err = deliveryservice.GetDeliveryArtifact(args, ctx.Logger) ctx.Resp, ctx.Err = deliveryservice.GetDeliveryArtifact(args, ctx.Logger)
} }
// CreateDeliveryArtifacts is not used by any API for now, disabling it in router and see if anything happens
func CreateDeliveryArtifacts(c *gin.Context) { func CreateDeliveryArtifacts(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx := internalhandler.NewContext(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
...@@ -129,6 +174,7 @@ type deliveryArtifactUpdate struct { ...@@ -129,6 +174,7 @@ type deliveryArtifactUpdate struct {
ImageTag string `json:"image_tag"` ImageTag string `json:"image_tag"`
} }
// UpdateDeliveryArtifact is not used by any API for now, disabling it in router and see if anything happens
func UpdateDeliveryArtifact(c *gin.Context) { func UpdateDeliveryArtifact(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx := internalhandler.NewContext(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
...@@ -149,9 +195,24 @@ func UpdateDeliveryArtifact(c *gin.Context) { ...@@ -149,9 +195,24 @@ func UpdateDeliveryArtifact(c *gin.Context) {
} }
func CreateDeliveryActivities(c *gin.Context) { func CreateDeliveryActivities(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewArtifact {
ctx.UnAuthorized = true
return
}
}
var deliveryActivity commonmodels.DeliveryActivity var deliveryActivity commonmodels.DeliveryActivity
if err := c.ShouldBindWith(&deliveryActivity, binding.JSON); err != nil { if err := c.ShouldBindWith(&deliveryActivity, binding.JSON); err != nil {
ctx.Logger.Infof("ShouldBindWith err :%v", err) ctx.Logger.Infof("ShouldBindWith err :%v", err)
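Review bot: CreateDeliveryActivities is a POST handler that creates a record, but it is gated on `ctx.Resources.SystemActions.DeliveryCenter.ViewArtifact`, so any user with read access to artifacts can write activities. If no dedicated create or edit action exists for delivery artifacts, add one; if view is intentionally sufficient, say so in a comment so this does not look like a copy-paste from the GET handlers above.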
......
...@@ -24,6 +24,7 @@ import ( ...@@ -24,6 +24,7 @@ import (
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
) )
// GetProductByDeliveryInfo is not used by any API for now, disabling it in router and see if anything happens
func GetProductByDeliveryInfo(c *gin.Context) { func GetProductByDeliveryInfo(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx := internalhandler.NewContext(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
......
...@@ -29,15 +29,15 @@ func (*Router) Inject(router *gin.RouterGroup) { ...@@ -29,15 +29,15 @@ func (*Router) Inject(router *gin.RouterGroup) {
deliveryArtifact.GET("", ListDeliveryArtifacts) deliveryArtifact.GET("", ListDeliveryArtifacts)
deliveryArtifact.GET("/:id", GetDeliveryArtifact) deliveryArtifact.GET("/:id", GetDeliveryArtifact)
deliveryArtifact.GET("/image", GetDeliveryArtifactIDByImage) deliveryArtifact.GET("/image", GetDeliveryArtifactIDByImage)
deliveryArtifact.POST("", CreateDeliveryArtifacts) //deliveryArtifact.POST("", CreateDeliveryArtifacts)
deliveryArtifact.POST("/:id", UpdateDeliveryArtifact) //deliveryArtifact.POST("/:id", UpdateDeliveryArtifact)
deliveryArtifact.POST("/:id/activities", CreateDeliveryActivities) deliveryArtifact.POST("/:id/activities", CreateDeliveryActivities)
} }
deliveryProduct := router.Group("products") //deliveryProduct := router.Group("products")
{ //{
deliveryProduct.GET("/:releaseId", GetProductByDeliveryInfo) // deliveryProduct.GET("/:releaseId", GetProductByDeliveryInfo)
} //}
deliveryRelease := router.Group("releases") deliveryRelease := router.Group("releases")
{ {
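Review bot: The routes for CreateDeliveryArtifacts, UpdateDeliveryArtifact and GetProductByDeliveryInfo are commented out rather than deleted, while their handlers stay in the package and still use `internalhandler.NewContext(c)` with no authorization check. Uncommenting any of these lines later would expose an endpoint with no permission check. Delete the routes and handlers together, or add the authorization block to the handlers now so they are safe if re-enabled.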
...@@ -53,20 +53,22 @@ func (*Router) Inject(router *gin.RouterGroup) { ...@@ -53,20 +53,22 @@ func (*Router) Inject(router *gin.RouterGroup) {
deliveryRelease.GET("/helm/charts/fileContent", GetDeliveryChartFileContent) deliveryRelease.GET("/helm/charts/fileContent", GetDeliveryChartFileContent)
} }
deliveryPackage := router.Group("packages") //deliveryPackage := router.Group("packages")
{ //{
deliveryPackage.GET("", ListPackagesVersion) // deliveryPackage.GET("", ListPackagesVersion)
} //}
// deprecated, this functionality is removed
deliveryService := router.Group("servicenames") deliveryService := router.Group("servicenames")
{ {
deliveryService.GET("", ListDeliveryServiceNames) deliveryService.GET("", ListDeliveryServiceNames)
} }
deliverySecurity := router.Group("security") // TODO: used by task type security in product workflow, now deprecated, removing after one version
{ //deliverySecurity := router.Group("security")
deliverySecurity.GET("/stats", ListDeliverySecurityStatistics) //{
deliverySecurity.GET("", ListDeliverySecurity) // deliverySecurity.GET("/stats", ListDeliverySecurityStatistics)
deliverySecurity.POST("", CreateDeliverySecurity) // deliverySecurity.GET("", ListDeliverySecurity)
} // deliverySecurity.POST("", CreateDeliverySecurity)
//}
} }
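Review bot: The comment `// deprecated, this functionality is removed` sits directly above the `servicenames` group, which is still registered and whose handler ListDeliveryServiceNames gains authorization checks in this same patch; it reads as if it was meant for the `packages` group commented out just above. Move or reword it. For the `security` group, the TODO says removal happens "after one version"; referencing a tracking issue would keep the commented-out block from lingering, and ListDeliverySecurity and CreateDeliverySecurity remain in the code without authorization checks in the meantime.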
...@@ -29,6 +29,7 @@ import ( ...@@ -29,6 +29,7 @@ import (
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
) )
// Deprecated: functionality removed for system
func ListDeliverySecurityStatistics(c *gin.Context) { func ListDeliverySecurityStatistics(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx := internalhandler.NewContext(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
......
...@@ -51,9 +51,24 @@ func GetProductNameByDelivery(c *gin.Context) { ...@@ -51,9 +51,24 @@ func GetProductNameByDelivery(c *gin.Context) {
} }
func GetDeliveryVersion(c *gin.Context) { func GetDeliveryVersion(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
//params validate //params validate
ID := c.Param("id") ID := c.Param("id")
if ID == "" { if ID == "" {
...@@ -66,16 +81,50 @@ func GetDeliveryVersion(c *gin.Context) { ...@@ -66,16 +81,50 @@ func GetDeliveryVersion(c *gin.Context) {
} }
func ListDeliveryVersion(c *gin.Context) { func ListDeliveryVersion(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(deliveryservice.ListDeliveryVersionArgs) args := new(deliveryservice.ListDeliveryVersionArgs)
err := c.BindQuery(args) err = c.BindQuery(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
} }
projectKey := args.ProjectName
// FIXME: when called directly from delivery center, the project key is empty, we do a dc authz check
if projectKey == "" {
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
} else {
// FIXME: otherwise it is called from version control in a project, we check for the project authz
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Version.View {
ctx.UnAuthorized = true
return
}
}
}
if args.Page <= 0 { if args.Page <= 0 {
args.Page = 1 args.Page = 1
} }
...@@ -166,17 +215,38 @@ func ListPackagesVersion(c *gin.Context) { ...@@ -166,17 +215,38 @@ func ListPackagesVersion(c *gin.Context) {
} }
func CreateHelmDeliveryVersion(c *gin.Context) { func CreateHelmDeliveryVersion(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(deliveryservice.CreateHelmDeliveryVersionArgs) args := new(deliveryservice.CreateHelmDeliveryVersionArgs)
err := c.ShouldBindJSON(args) err = c.ShouldBindJSON(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
} }
args.CreateBy = ctx.UserName args.CreateBy = ctx.UserName
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProductName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProductName].Version.Create {
ctx.UnAuthorized = true
return
}
}
bs, _ := json.Marshal(args) bs, _ := json.Marshal(args)
internalhandler.InsertOperationLog(c, ctx.UserName, args.ProductName, "新建", "版本交付", fmt.Sprintf("%s-%s", args.EnvName, args.Version), string(bs), ctx.Logger) internalhandler.InsertOperationLog(c, ctx.UserName, args.ProductName, "新建", "版本交付", fmt.Sprintf("%s-%s", args.EnvName, args.Version), string(bs), ctx.Logger)
...@@ -184,9 +254,33 @@ func CreateHelmDeliveryVersion(c *gin.Context) { ...@@ -184,9 +254,33 @@ func CreateHelmDeliveryVersion(c *gin.Context) {
} }
func DeleteDeliveryVersion(c *gin.Context) { func DeleteDeliveryVersion(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
internalhandler.InsertOperationLog(c, ctx.UserName, c.GetString("productName"), "删除", "版本交付", c.Param("id"), "", ctx.Logger)
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.GetString("productName")
internalhandler.InsertOperationLog(c, ctx.UserName, projectKey, "删除", "版本交付", c.Param("id"), "", ctx.Logger)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Version.Delete {
ctx.UnAuthorized = true
return
}
}
//params validate //params validate
ID := c.Param("id") ID := c.Param("id")
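Review bot: `projectKey := c.GetString("productName")` in DeleteDeliveryVersion reads a key from the gin context store, not from the query string or path, whereas the other handlers in this patch take the project from `c.Query("projectName")` or `c.Param`. Unless a middleware sets that key, projectKey is empty, the ProjectAuthInfo lookup misses, and every non-admin caller is rejected; please confirm where the value is populated or read it from the request. The version to delete is then selected by `c.Param("id")` alone, so the handler should also verify that the version belongs to projectKey before deleting. InsertOperationLog runs before the permission check, so denied attempts are recorded as delete operations; if that is intended for auditing, a comment would help.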
...@@ -199,7 +293,7 @@ func DeleteDeliveryVersion(c *gin.Context) { ...@@ -199,7 +293,7 @@ func DeleteDeliveryVersion(c *gin.Context) {
ctx.Err = deliveryservice.DeleteDeliveryVersion(version, ctx.Logger) ctx.Err = deliveryservice.DeleteDeliveryVersion(version, ctx.Logger)
errs := make([]string, 0) errs := make([]string, 0)
err := deliveryservice.DeleteDeliveryBuild(&commonrepo.DeliveryBuildArgs{ReleaseID: ID}, ctx.Logger) err = deliveryservice.DeleteDeliveryBuild(&commonrepo.DeliveryBuildArgs{ReleaseID: ID}, ctx.Logger)
if err != nil { if err != nil {
errs = append(errs, err.Error()) errs = append(errs, err.Error())
} }
...@@ -222,17 +316,65 @@ func DeleteDeliveryVersion(c *gin.Context) { ...@@ -222,17 +316,65 @@ func DeleteDeliveryVersion(c *gin.Context) {
} }
func ListDeliveryServiceNames(c *gin.Context) { func ListDeliveryServiceNames(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
productName := c.Query("projectName") if err != nil {
ctx.Resp, ctx.Err = deliveryservice.ListDeliveryServiceNames(productName, ctx.Logger) ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
// FIXME: when called directly from delivery center, the project key is empty, we do a dc authz check
if projectKey == "" {
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
} else {
// FIXME: otherwise it is called from version control in a project, we check for the project authz
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Version.View {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = deliveryservice.ListDeliveryServiceNames(projectKey, ctx.Logger)
} }
func DownloadDeliveryChart(c *gin.Context) { func DownloadDeliveryChart(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
versionName := c.Query("version") versionName := c.Query("version")
chartName := c.Query("chartName") chartName := c.Query("chartName")
projectName := c.Query("projectName") projectName := c.Query("projectName")
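Review bot: DownloadDeliveryChart reads `projectName` from the query but authorizes only against `SystemActions.DeliveryCenter.ViewVersion`, while ListDeliveryServiceNames in the same hunk switches to a project-level check (`IsProjectAdmin` or `Version.View`) whenever a project key is supplied. A user with Version.View on the project can therefore list versions but cannot download the chart. Apply the same two-branch check here, and extract it into a helper, since the block in ListDeliveryServiceNames duplicates the one in ListDeliveryVersion line for line, including the two-step map lookup that could be a single `info, ok := ctx.Resources.ProjectAuthInfo[projectKey]`.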
...@@ -248,9 +390,25 @@ func DownloadDeliveryChart(c *gin.Context) { ...@@ -248,9 +390,25 @@ func DownloadDeliveryChart(c *gin.Context) {
} }
func GetChartVersionFromRepo(c *gin.Context) { func GetChartVersionFromRepo(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// TODO: Authorization leak
// authorization checks
//if !ctx.Resources.IsSystemAdmin {
// if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
// ctx.UnAuthorized = true
// return
// }
//}
chartName := c.Query("chartName") chartName := c.Query("chartName")
chartRepoName := c.Query("chartRepoName") chartRepoName := c.Query("chartRepoName")
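Review bot: GetChartVersionFromRepo ships with its authorization block commented out under `// TODO: Authorization leak`, so after this change any authenticated user can query chart versions for an arbitrary `chartRepoName`. Either enable the `DeliveryCenter.ViewVersion` check as in the neighbouring handlers, or, if some caller without that permission depends on this endpoint, name that caller in the comment and link a tracking issue so the gap is not forgotten.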
...@@ -258,9 +416,24 @@ func GetChartVersionFromRepo(c *gin.Context) { ...@@ -258,9 +416,24 @@ func GetChartVersionFromRepo(c *gin.Context) {
} }
func PreviewGetDeliveryChart(c *gin.Context) { func PreviewGetDeliveryChart(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
versionName := c.Query("version") versionName := c.Query("version")
chartName := c.Query("chartName") chartName := c.Query("chartName")
projectName := c.Query("projectName") projectName := c.Query("projectName")
...@@ -269,11 +442,26 @@ func PreviewGetDeliveryChart(c *gin.Context) { ...@@ -269,11 +442,26 @@ func PreviewGetDeliveryChart(c *gin.Context) {
} }
func GetDeliveryChartFilePath(c *gin.Context) { func GetDeliveryChartFilePath(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
args := new(deliveryservice.DeliveryChartFilePathArgs) args := new(deliveryservice.DeliveryChartFilePathArgs)
err := c.BindQuery(args) err = c.BindQuery(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
...@@ -283,11 +471,26 @@ func GetDeliveryChartFilePath(c *gin.Context) { ...@@ -283,11 +471,26 @@ func GetDeliveryChartFilePath(c *gin.Context) {
} }
func GetDeliveryChartFileContent(c *gin.Context) { func GetDeliveryChartFileContent(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
args := new(deliveryservice.DeliveryChartFileContentArgs) args := new(deliveryservice.DeliveryChartFileContentArgs)
err := c.BindQuery(args) err = c.BindQuery(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
...@@ -296,11 +499,26 @@ func GetDeliveryChartFileContent(c *gin.Context) { ...@@ -296,11 +499,26 @@ func GetDeliveryChartFileContent(c *gin.Context) {
} }
func ApplyDeliveryGlobalVariables(c *gin.Context) { func ApplyDeliveryGlobalVariables(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if !ctx.Resources.SystemActions.DeliveryCenter.ViewVersion {
ctx.UnAuthorized = true
return
}
}
args := new(deliveryservice.DeliveryVariablesApplyArgs) args := new(deliveryservice.DeliveryVariablesApplyArgs)
err := c.BindJSON(args) err = c.BindJSON(args)
if err != nil { if err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
......
...@@ -24,6 +24,7 @@ import ( ...@@ -24,6 +24,7 @@ import (
"strconv" "strconv"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/types"
"github.com/koderover/zadig/pkg/microservice/aslan/config" "github.com/koderover/zadig/pkg/microservice/aslan/config"
"github.com/koderover/zadig/pkg/microservice/aslan/core/common/repository/models" "github.com/koderover/zadig/pkg/microservice/aslan/core/common/repository/models"
...@@ -35,26 +36,96 @@ import ( ...@@ -35,26 +36,96 @@ import (
) )
func DeleteCommonEnvCfg(c *gin.Context) { func DeleteCommonEnvCfg(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
productName := c.Query("projectName") projectKey := c.Query("projectName")
commonEnvCfgType := c.Query("commonEnvCfgType") commonEnvCfgType := c.Query("commonEnvCfgType")
objectName := c.Param("objectName") objectName := c.Param("objectName")
if envName == "" || productName == "" || objectName == "" { if envName == "" || projectKey == "" || objectName == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("param envName or projectName or objectName is invalid") ctx.Err = e.ErrInvalidParam.AddDesc("param envName or projectName or objectName is invalid")
return return
} }
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, productName, setting.OperationSceneEnv, "删除", "环境配置", fmt.Sprintf("%s:%s:%s", envName, commonEnvCfgType, objectName), "", ctx.Logger, envName) internalhandler.InsertDetailedOperationLog(c, ctx.UserName, projectKey, setting.OperationSceneEnv, "删除", "环境配置", fmt.Sprintf("%s:%s:%s", envName, commonEnvCfgType, objectName), "", ctx.Logger, envName)
ctx.Err = service.DeleteCommonEnvCfg(envName, productName, objectName, config.CommonEnvCfgType(commonEnvCfgType), ctx.Logger) // authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Err = service.DeleteCommonEnvCfg(envName, projectKey, objectName, config.CommonEnvCfgType(commonEnvCfgType), ctx.Logger)
}
func DeleteProductionCommonEnvCfg(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name")
projectKey := c.Query("projectName")
commonEnvCfgType := c.Query("commonEnvCfgType")
objectName := c.Param("objectName")
if envName == "" || projectKey == "" || objectName == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("param envName or projectName or objectName is invalid")
return
}
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, projectKey, setting.OperationSceneEnv, "删除", "环境配置", fmt.Sprintf("%s:%s:%s", envName, commonEnvCfgType, objectName), "", ctx.Logger, envName)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
ctx.UnAuthorized = true
return
}
}
ctx.Err = service.DeleteCommonEnvCfg(envName, projectKey, objectName, config.CommonEnvCfgType(commonEnvCfgType), ctx.Logger)
} }
func CreateCommonEnvCfg(c *gin.Context) { func CreateCommonEnvCfg(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
args := new(models.CreateUpdateCommonEnvCfgArgs) args := new(models.CreateUpdateCommonEnvCfgArgs)
data, err := c.GetRawData() data, err := c.GetRawData()
if err != nil { if err != nil {
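Review bot: In DeleteCommonEnvCfg and DeleteProductionCommonEnvCfg the call to `InsertDetailedOperationLog(...)` and the empty-parameter check both run before the `// authorization checks` block, so a caller who is then rejected has already produced a "删除" operation record and can tell invalid parameters apart from a denial. Suggest moving the authorization block up to directly after `envName` and `projectKey` are read, and writing the operation log only once the caller is known to be permitted (or recording the denial explicitly if rejected attempts are meant to be audited).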
...@@ -70,6 +141,22 @@ func CreateCommonEnvCfg(c *gin.Context) { ...@@ -70,6 +141,22 @@ func CreateCommonEnvCfg(c *gin.Context) {
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, c.Query("projectName"), setting.OperationSceneEnv, "新建", "环境配置", fmt.Sprintf("%s:%s", args.EnvName, args.CommonEnvCfgType), string(data), ctx.Logger, c.Param("name")) internalhandler.InsertDetailedOperationLog(c, ctx.UserName, c.Query("projectName"), setting.OperationSceneEnv, "新建", "环境配置", fmt.Sprintf("%s:%s", args.EnvName, args.CommonEnvCfgType), string(data), ctx.Logger, c.Param("name"))
c.Request.Body = io.NopCloser(bytes.NewBuffer(data)) c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
if err := c.BindJSON(args); err != nil { if err := c.BindJSON(args); err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error()) ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return return
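Review bot: The collaboration-mode fallback in CreateCommonEnvCfg, `if err != nil || !permitted`, folds a lookup failure into a plain denial and drops the error, and `permitted, err :=` shadows the outer `err`, so nothing is ever logged. Failing closed is the right outcome, but a backend failure then looks identical to a legitimate refusal in both the response and the logs. Suggest logging the error with `ctx.Logger` before setting `ctx.UnAuthorized = true`, so an outage in the permission lookup can be diagnosed.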
...@@ -78,15 +165,143 @@ func CreateCommonEnvCfg(c *gin.Context) { ...@@ -78,15 +165,143 @@ func CreateCommonEnvCfg(c *gin.Context) {
ctx.Err = e.ErrInvalidParam ctx.Err = e.ErrInvalidParam
return return
} }
args.EnvName = c.Param("name") args.EnvName = envName
args.ProductName = c.Query("projectName") args.ProductName = projectKey
ctx.Err = service.CreateCommonEnvCfg(args, ctx.UserName, ctx.Logger)
}
func CreateProductionCommonEnvCfg(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
args := new(models.CreateUpdateCommonEnvCfgArgs)
data, err := c.GetRawData()
if err != nil {
log.Errorf("CreateCommonEnvCfg c.GetRawData() err : %v", err)
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
if err = json.Unmarshal(data, args); err != nil {
log.Errorf("CreateCommonEnvCfg json.Unmarshal err : %v", err)
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, c.Query("projectName"), setting.OperationSceneEnv, "新建", "环境配置", fmt.Sprintf("%s:%s", args.EnvName, args.CommonEnvCfgType), string(data), ctx.Logger, c.Param("name"))
c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
ctx.UnAuthorized = true
return
}
}
if err := c.BindJSON(args); err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
if args.YamlData == "" {
ctx.Err = e.ErrInvalidParam
return
}
args.EnvName = envName
args.ProductName = projectKey
ctx.Err = service.CreateCommonEnvCfg(args, ctx.UserName, ctx.Logger) ctx.Err = service.CreateCommonEnvCfg(args, ctx.UserName, ctx.Logger)
} }
func UpdateCommonEnvCfg(c *gin.Context) { func UpdateCommonEnvCfg(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
args := new(models.CreateUpdateCommonEnvCfgArgs)
data, err := c.GetRawData()
if err != nil {
log.Errorf("UpdateCommonEnvCfg c.GetRawData() err : %v", err)
}
if err = json.Unmarshal(data, args); err != nil {
log.Errorf("UpdateCommonEnvCfg json.Unmarshal err : %v", err)
}
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, c.Query("projectName"), setting.OperationSceneEnv, "更新", "环境配置", fmt.Sprintf("%s:%s:%s", args.EnvName, args.CommonEnvCfgType, args.Name), string(data), ctx.Logger, c.Param("name"))
c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
if err := c.BindJSON(args); err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
if len(args.YamlData) == 0 {
ctx.Err = e.ErrInvalidParam.AddDesc("yaml info can't be nil")
return
}
args.EnvName = envName
args.ProductName = projectKey
isRollBack := false
if len(c.Query("rollback")) > 0 {
isRollBack, err = strconv.ParseBool(c.Query("rollback"))
if err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err)
return
}
}
ctx.Err = service.UpdateCommonEnvCfg(args, ctx.UserName, isRollBack, ctx.Logger)
}
func UpdateProductionCommonEnvCfg(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
args := new(models.CreateUpdateCommonEnvCfgArgs) args := new(models.CreateUpdateCommonEnvCfgArgs)
data, err := c.GetRawData() data, err := c.GetRawData()
if err != nil { if err != nil {
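Review bot: In the UpdateCommonEnvCfg body added here, failures from `c.GetRawData()` and `json.Unmarshal(data, args)` are only logged with `log.Errorf` and execution continues, whereas CreateProductionCommonEnvCfg just above sets `ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())` and returns. As written, a malformed body still reaches `InsertDetailedOperationLog` with zero-valued `args` before `BindJSON` finally rejects it. Suggest returning on both errors for consistency. Also, the log messages inside CreateProductionCommonEnvCfg still read "CreateCommonEnvCfg ...", which will mislead anyone tracing a production request.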
...@@ -98,6 +313,19 @@ func UpdateCommonEnvCfg(c *gin.Context) { ...@@ -98,6 +313,19 @@ func UpdateCommonEnvCfg(c *gin.Context) {
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, c.Query("projectName"), setting.OperationSceneEnv, "更新", "环境配置", fmt.Sprintf("%s:%s:%s", args.EnvName, args.CommonEnvCfgType, args.Name), string(data), ctx.Logger, c.Param("name")) internalhandler.InsertDetailedOperationLog(c, ctx.UserName, c.Query("projectName"), setting.OperationSceneEnv, "更新", "环境配置", fmt.Sprintf("%s:%s:%s", args.EnvName, args.CommonEnvCfgType, args.Name), string(data), ctx.Logger, c.Param("name"))
c.Request.Body = io.NopCloser(bytes.NewBuffer(data)) c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
ctx.UnAuthorized = true
return
}
}
if err := c.BindJSON(args); err != nil { if err := c.BindJSON(args); err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error()) ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return return
...@@ -106,8 +334,8 @@ func UpdateCommonEnvCfg(c *gin.Context) { ...@@ -106,8 +334,8 @@ func UpdateCommonEnvCfg(c *gin.Context) {
ctx.Err = e.ErrInvalidParam.AddDesc("yaml info can't be nil") ctx.Err = e.ErrInvalidParam.AddDesc("yaml info can't be nil")
return return
} }
args.EnvName = c.Param("name") args.EnvName = envName
args.ProductName = c.Query("projectName") args.ProductName = projectKey
isRollBack := false isRollBack := false
if len(c.Query("rollback")) > 0 { if len(c.Query("rollback")) > 0 {
isRollBack, err = strconv.ParseBool(c.Query("rollback")) isRollBack, err = strconv.ParseBool(c.Query("rollback"))
...@@ -121,12 +349,76 @@ func UpdateCommonEnvCfg(c *gin.Context) { ...@@ -121,12 +349,76 @@ func UpdateCommonEnvCfg(c *gin.Context) {
} }
func ListCommonEnvCfgHistory(c *gin.Context) { func ListCommonEnvCfgHistory(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
args := new(service.ListCommonEnvCfgHistoryArgs)
args.EnvName = envName
args.ProjectName = projectKey
args.CommonEnvCfgType = config.CommonEnvCfgType(c.Query("commonEnvCfgType"))
args.Name = c.Param("objectName")
ctx.Resp, ctx.Err = service.ListEnvResourceHistory(args, ctx.Logger)
}
func ListProductionCommonEnvCfgHistory(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
args := new(service.ListCommonEnvCfgHistoryArgs) args := new(service.ListCommonEnvCfgHistoryArgs)
args.EnvName = c.Param("name") args.EnvName = envName
args.ProjectName = c.Query("projectName") args.ProjectName = projectKey
args.CommonEnvCfgType = config.CommonEnvCfgType(c.Query("commonEnvCfgType")) args.CommonEnvCfgType = config.CommonEnvCfgType(c.Query("commonEnvCfgType"))
args.Name = c.Param("objectName") args.Name = c.Param("objectName")
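Review bot: The authorization block in ListCommonEnvCfgHistory and ListProductionCommonEnvCfgHistory is the same fifteen or so lines pasted into every handler, each with three separate lookups of `ctx.Resources.ProjectAuthInfo[projectKey]`. Suggest extracting one helper that takes the context, project key, environment name and required action and returns a boolean, with a production variant that skips the collaboration-mode fallback. With one copy, the permission field and the `types.EnvAction...` constant cannot drift apart between handlers, and the map is read once.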
...@@ -134,24 +426,76 @@ func ListCommonEnvCfgHistory(c *gin.Context) { ...@@ -134,24 +426,76 @@ func ListCommonEnvCfgHistory(c *gin.Context) {
} }
func ListLatestEnvCfg(c *gin.Context) { func ListLatestEnvCfg(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(service.ListCommonEnvCfgHistoryArgs) args := new(service.ListCommonEnvCfgHistoryArgs)
if err := c.ShouldBindQuery(args); err != nil { if err := c.ShouldBindQuery(args); err != nil {
ctx.Err = e.ErrInvalidParam.AddErr(err) ctx.Err = e.ErrInvalidParam.AddErr(err)
return return
} }
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProjectName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProjectName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProjectName].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProjectName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.ListLatestEnvResources(args, ctx.Logger) ctx.Resp, ctx.Err = service.ListLatestEnvResources(args, ctx.Logger)
} }
func SyncEnvResource(c *gin.Context) { func SyncEnvResource(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
args := &service.SyncEnvResourceArg{ args := &service.SyncEnvResourceArg{
EnvName: c.Param("name"), EnvName: envName,
ProductName: c.Query("projectName"), ProductName: projectKey,
Name: c.Param("objectName"), Name: c.Param("objectName"),
Type: c.Param("type"), Type: c.Param("type"),
} }
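Review bot: ListLatestEnvCfg tests `Env.View` but its collaboration-mode fallback asks for `types.EnvActionEditConfig`, so a collaborator who holds only view rights on the environment is denied a read-only listing. ListCommonEnvCfgHistory pairs `Env.View` with `types.EnvActionView`; this handler should do the same. SyncEnvResource in the same hunk pairs `Env.EditConfig` with `types.EnvActionEditConfig`, which is consistent.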
......
...@@ -23,6 +23,7 @@ import ( ...@@ -23,6 +23,7 @@ import (
"io" "io"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/types"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
"github.com/koderover/zadig/pkg/setting" "github.com/koderover/zadig/pkg/setting"
...@@ -32,12 +33,74 @@ import ( ...@@ -32,12 +33,74 @@ import (
) )
func ListConfigMaps(c *gin.Context) { func ListConfigMaps(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
args := &service.ListConfigMapArgs{
EnvName: envName,
ProductName: projectKey,
ServiceName: c.Query("serviceName"),
}
ctx.Resp, ctx.Err = service.ListConfigMaps(args, ctx.Logger)
}
func ListProductionConfigMaps(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
projectKey := c.Query("projectName")
envName := c.Param("name")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
args := &service.ListConfigMapArgs{ args := &service.ListConfigMapArgs{
EnvName: c.Param("name"), EnvName: envName,
ProductName: c.Query("projectName"), ProductName: projectKey,
ServiceName: c.Query("serviceName"), ServiceName: c.Query("serviceName"),
} }
...@@ -45,9 +108,16 @@ func ListConfigMaps(c *gin.Context) { ...@@ -45,9 +108,16 @@ func ListConfigMaps(c *gin.Context) {
} }
func RollBackConfigMap(c *gin.Context) { func RollBackConfigMap(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(service.RollBackConfigMapArgs) args := new(service.RollBackConfigMapArgs)
data, err := c.GetRawData() data, err := c.GetRawData()
if err != nil { if err != nil {
...@@ -64,6 +134,22 @@ func RollBackConfigMap(c *gin.Context) { ...@@ -64,6 +134,22 @@ func RollBackConfigMap(c *gin.Context) {
return return
} }
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProductName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProductName].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
if args.SrcConfigName == args.DestinConfigName { if args.SrcConfigName == args.DestinConfigName {
ctx.Err = e.ErrRollBackConfigMap.AddDesc("same source and destination configmap name.") ctx.Err = e.ErrRollBackConfigMap.AddDesc("same source and destination configmap name.")
return return
...@@ -73,11 +159,34 @@ func RollBackConfigMap(c *gin.Context) { ...@@ -73,11 +159,34 @@ func RollBackConfigMap(c *gin.Context) {
} }
func MigrateHistoryConfigMaps(c *gin.Context) { func MigrateHistoryConfigMaps(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Query("envName") envName := c.Query("envName")
productName := c.Query("projectName") projectKey := c.Query("projectName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.MigrateHistoryConfigMaps(envName, productName, ctx.Logger) ctx.Resp, ctx.Err = service.MigrateHistoryConfigMaps(envName, projectKey, ctx.Logger)
} }
...@@ -17,6 +17,8 @@ limitations under the License. ...@@ -17,6 +17,8 @@ limitations under the License.
package handler package handler
import ( import (
"fmt"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
...@@ -26,18 +28,41 @@ import ( ...@@ -26,18 +28,41 @@ import (
) )
func PatchDebugContainer(c *gin.Context) { func PatchDebugContainer(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("env") envName := c.Param("env")
podName := c.Param("podName") podName := c.Param("podName")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
debugImage := c.Query("debugImage") debugImage := c.Query("debugImage")
if debugImage == "" { if debugImage == "" {
debugImage = types.DebugImage debugImage = types.DebugImage
} }
internalhandler.InsertDetailedOperationLog(c, ctx.UserName, projectName, setting.OperationSceneEnv, "启动调试容器", "环境", envName, "", ctx.Logger, envName) internalhandler.InsertDetailedOperationLog(c, ctx.UserName, projectKey, setting.OperationSceneEnv, "启动调试容器", "环境", envName, "", ctx.Logger, envName)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Err = service.PatchDebugContainer(c, projectName, envName, podName, debugImage) ctx.Err = service.PatchDebugContainer(c, projectKey, envName, podName, debugImage)
} }
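Review bot: PatchDebugContainer is gated on `Env.EditConfig` and `types.EnvActionEditConfig`, yet it starts a debug container in a pod using a `debugImage` taken from the query string, which is a broader capability than editing configuration. If reusing the config-edit permission is deliberate, please say so in a comment; otherwise consider a dedicated action for debugging. The `InsertDetailedOperationLog(...)` call also still precedes the authorization block, so denied attempts are recorded as "启动调试容器" operations.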
...@@ -17,16 +17,73 @@ limitations under the License. ...@@ -17,16 +17,73 @@ limitations under the License.
package handler package handler
import ( import (
"github.com/gin-gonic/gin" "fmt"
"github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
internalhandler "github.com/koderover/zadig/pkg/shared/handler" internalhandler "github.com/koderover/zadig/pkg/shared/handler"
"github.com/koderover/zadig/pkg/types"
) )
func ServiceDiff(c *gin.Context) { func ServiceDiff(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Query("envName") envName := c.Query("envName")
projectKey := c.Param("productName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.GetServiceDiff(envName, projectKey, c.Param("serviceName"), ctx.Logger)
}
func ProductionServiceDiff(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Query("envName")
projectKey := c.Param("productName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
ctx.Resp, ctx.Err = service.GetServiceDiff(envName, c.Param("productName"), c.Param("serviceName"), ctx.Logger) ctx.Resp, ctx.Err = service.GetServiceDiff(envName, projectKey, c.Param("serviceName"), ctx.Logger)
} }
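Review bot: ServiceDiff and ProductionServiceDiff both end in `service.GetServiceDiff(envName, projectKey, c.Param("serviceName"), ctx.Logger)` with identical arguments and differ only in whether `Env.View` or `ProductionEnv.View` is tested; nothing in either handler confirms that `envName` actually belongs to the class the route is for. Unless the service or router enforces that, a caller holding only `Env.View` could pass a production environment name to the non-production route. Suggest resolving the environment and checking its production flag against the route before calling the service, or documenting where that check lives.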
...@@ -17,31 +17,76 @@ limitations under the License. ...@@ -17,31 +17,76 @@ limitations under the License.
package handler package handler
import ( import (
"github.com/gin-gonic/gin" "fmt"
"github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
internalhandler "github.com/koderover/zadig/pkg/shared/handler" internalhandler "github.com/koderover/zadig/pkg/shared/handler"
"github.com/koderover/zadig/pkg/types"
) )
func ExportYaml(c *gin.Context) { func ExportYaml(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
serviceName := c.Query("serviceName") serviceName := c.Query("serviceName")
envName := c.Query("envName") envName := c.Query("envName")
productName := c.Query("projectName") projectKey := c.Query("projectName")
source := c.Query("source") source := c.Query("source")
ctx.Resp = service.ExportYaml(envName, productName, serviceName, source, ctx.Logger) // authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp = service.ExportYaml(envName, projectKey, serviceName, source, ctx.Logger)
} }
func ExportProductionServiceYaml(c *gin.Context) { func ExportProductionServiceYaml(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
serviceName := c.Param("serviceName") serviceName := c.Param("serviceName")
envName := c.Param("name") envName := c.Param("name")
productName := c.Query("projectName") projectKey := c.Query("projectName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
ctx.Resp, ctx.Err = service.ExportProductionYaml(envName, productName, serviceName, ctx.Logger) ctx.Resp, ctx.Err = service.ExportProductionYaml(envName, projectKey, serviceName, ctx.Logger)
} }
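Review bot: The `if err != nil` branch at the top of `ExportYaml` and `ExportProductionServiceYaml` reads `ctx.Logger` and `ctx.UserID` from the context returned together with the error, and the deferred `JSONResponse(c, ctx)` uses that context too. This is only safe if `NewContextWithAuthorization` always returns a non-nil context on failure; please state that in its doc comment or guard for nil here. The same branch copies the internal error text into `ctx.Err`, which the deferred response presumably serializes to the caller; a fixed message, with the detail kept in the log line, would avoid exposing internals. The admin / project / collaboration-mode block is repeated almost verbatim in every handler, so a shared helper taking the project key, environment name and action would make a missed or divergent check harder to introduce.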
...@@ -17,7 +17,10 @@ limitations under the License. ...@@ -17,7 +17,10 @@ limitations under the License.
package handler package handler
import ( import (
"fmt"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/types"
commonservice "github.com/koderover/zadig/pkg/microservice/aslan/core/common/service" commonservice "github.com/koderover/zadig/pkg/microservice/aslan/core/common/service"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
...@@ -25,8 +28,16 @@ import ( ...@@ -25,8 +28,16 @@ import (
) )
func ListReleases(c *gin.Context) { func ListReleases(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
args := &service.HelmReleaseQueryArgs{} args := &service.HelmReleaseQueryArgs{}
...@@ -35,12 +46,38 @@ func ListReleases(c *gin.Context) { ...@@ -35,12 +46,38 @@ func ListReleases(c *gin.Context) {
return return
} }
// TODO: Authorization leak
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProjectName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProjectName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProjectName].Env.View &&
!ctx.Resources.ProjectAuthInfo[args.ProjectName].Version.Create {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProjectName, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.ListReleases(args, envName, false, ctx.Logger) ctx.Resp, ctx.Err = service.ListReleases(args, envName, false, ctx.Logger)
} }
func ListProductionReleases(c *gin.Context) { func ListProductionReleases(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
args := &service.HelmReleaseQueryArgs{} args := &service.HelmReleaseQueryArgs{}
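Review bot: `// TODO: Authorization leak` in `ListReleases` flags a known problem without saying what it is or linking an issue; please describe the leak in the comment or resolve it before merge. The condition below it also lets `Version.Create` stand in for `Env.View`, so a user who can create versions skips the collaboration-mode check on `envName` entirely. If that is intended, a one-line comment explaining why would help; if not, drop that term from the condition.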
...@@ -49,17 +86,54 @@ func ListProductionReleases(c *gin.Context) { ...@@ -49,17 +86,54 @@ func ListProductionReleases(c *gin.Context) {
return return
} }
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProjectName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProjectName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProjectName].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
ctx.Resp, ctx.Err = service.ListReleases(args, envName, true, ctx.Logger) ctx.Resp, ctx.Err = service.ListReleases(args, envName, true, ctx.Logger)
} }
func GetChartValues(c *gin.Context) { func GetChartValues(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
serviceName := c.Query("serviceName") serviceName := c.Query("serviceName")
ctx.Resp, ctx.Err = commonservice.GetChartValues(projectName, envName, serviceName, false, false) // authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = commonservice.GetChartValues(projectKey, envName, serviceName, false, false)
} }
// @Summary Get Production Chart Values // @Summary Get Production Chart Values
...@@ -76,35 +150,106 @@ func GetChartValues(c *gin.Context) { ...@@ -76,35 +150,106 @@ func GetChartValues(c *gin.Context) {
// @Success 200 {object} commonservice.ValuesResp // @Success 200 {object} commonservice.ValuesResp
// @Router /api/aslan/environment/production/environments/{name}/helm/values [get] // @Router /api/aslan/environment/production/environments/{name}/helm/values [get]
func GetProductionChartValues(c *gin.Context) { func GetProductionChartValues(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
serviceName := c.Query("serviceName") serviceName := c.Query("serviceName")
isHelmChartDeploy := c.Query("isHelmChartDeploy") isHelmChartDeploy := c.Query("isHelmChartDeploy")
releaseName := c.Query("releaseName") releaseName := c.Query("releaseName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
if isHelmChartDeploy == "false" { if isHelmChartDeploy == "false" {
ctx.Resp, ctx.Err = commonservice.GetChartValues(projectName, envName, serviceName, false, true) ctx.Resp, ctx.Err = commonservice.GetChartValues(projectKey, envName, serviceName, false, true)
} else { } else {
ctx.Resp, ctx.Err = commonservice.GetChartValues(projectName, envName, releaseName, true, true) ctx.Resp, ctx.Err = commonservice.GetChartValues(projectKey, envName, releaseName, true, true)
} }
} }
func GetChartInfos(c *gin.Context) { func GetChartInfos(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
servicesName := c.Query("serviceName") servicesName := c.Query("serviceName")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
ctx.Resp, ctx.Err = service.GetChartInfos(projectName, envName, servicesName, ctx.Logger)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.GetChartInfos(projectKey, envName, servicesName, ctx.Logger)
} }
func GetImageInfos(c *gin.Context) { func GetImageInfos(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
servicesName := c.Query("serviceName") servicesName := c.Query("serviceName")
ctx.Resp, ctx.Err = service.GetImageInfos(projectName, envName, servicesName, ctx.Logger)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.GetImageInfos(projectKey, envName, servicesName, ctx.Logger)
} }
...@@ -18,6 +18,7 @@ package handler ...@@ -18,6 +18,7 @@ package handler
import ( import (
"errors" "errors"
"fmt"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
...@@ -27,12 +28,35 @@ import ( ...@@ -27,12 +28,35 @@ import (
) )
func PatchWorkload(c *gin.Context) { func PatchWorkload(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
serviceName := c.Param("serviceName") serviceName := c.Param("serviceName")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
var staretInfo types.StartDevmodeInfo var staretInfo types.StartDevmodeInfo
if err := c.BindJSON(&staretInfo); err != nil { if err := c.BindJSON(&staretInfo); err != nil {
...@@ -40,16 +64,39 @@ func PatchWorkload(c *gin.Context) { ...@@ -40,16 +64,39 @@ func PatchWorkload(c *gin.Context) {
return return
} }
ctx.Resp, ctx.Err = service.PatchWorkload(c, projectName, envName, serviceName, staretInfo.DevImage) ctx.Resp, ctx.Err = service.PatchWorkload(c, projectKey, envName, serviceName, staretInfo.DevImage)
} }
func RecoverWorkload(c *gin.Context) { func RecoverWorkload(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
serviceName := c.Param("serviceName") serviceName := c.Param("serviceName")
projectName := c.Query("projectName") projectKey := c.Query("projectName")
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Err = service.RecoverWorkload(c, projectName, envName, serviceName) ctx.Err = service.RecoverWorkload(c, projectKey, envName, serviceName)
} }
...@@ -23,6 +23,7 @@ import ( ...@@ -23,6 +23,7 @@ import (
"io" "io"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/types"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
"github.com/koderover/zadig/pkg/setting" "github.com/koderover/zadig/pkg/setting"
...@@ -32,9 +33,16 @@ import ( ...@@ -32,9 +33,16 @@ import (
) )
func UpdateStatefulSetContainerImage(c *gin.Context) { func UpdateStatefulSetContainerImage(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(service.UpdateContainerImageArgs) args := new(service.UpdateContainerImageArgs)
args.Type = setting.StatefulSet args.Type = setting.StatefulSet
...@@ -54,6 +62,22 @@ func UpdateStatefulSetContainerImage(c *gin.Context) { ...@@ -54,6 +62,22 @@ func UpdateStatefulSetContainerImage(c *gin.Context) {
fmt.Sprintf("环境名称:%s,服务名称:%s,StatefulSet:%s", args.EnvName, args.ServiceName, args.Name), fmt.Sprintf("环境名称:%s,服务名称:%s,StatefulSet:%s", args.EnvName, args.ServiceName, args.Name),
string(data), ctx.Logger, args.EnvName) string(data), ctx.Logger, args.EnvName)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProductName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProductName].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
c.Request.Body = io.NopCloser(bytes.NewBuffer(data)) c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
if err := c.BindJSON(args); err != nil { if err := c.BindJSON(args); err != nil {
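Review bot: The authorization block in `UpdateStatefulSetContainerImage` runs after the `InsertDetailedOperationLog(...)` call whose last arguments are visible just above it, so a request that is then rejected has already written an operation-log entry built from caller-supplied `args`. Move the check ahead of the log call, or record the attempt explicitly as denied. The check also keys on `args.ProductName` and `args.EnvName` before `c.BindJSON(args)` has validated the body, so an empty or malformed body should be rejected before the permission lookup rather than after it. The same ordering appears in the `UpdateCronJobContainerImage` hunk.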
...@@ -65,9 +89,16 @@ func UpdateStatefulSetContainerImage(c *gin.Context) { ...@@ -65,9 +89,16 @@ func UpdateStatefulSetContainerImage(c *gin.Context) {
} }
func UpdateDeploymentContainerImage(c *gin.Context) { func UpdateDeploymentContainerImage(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(service.UpdateContainerImageArgs) args := new(service.UpdateContainerImageArgs)
args.Type = setting.Deployment args.Type = setting.Deployment
...@@ -85,6 +116,106 @@ func UpdateDeploymentContainerImage(c *gin.Context) { ...@@ -85,6 +116,106 @@ func UpdateDeploymentContainerImage(c *gin.Context) {
fmt.Sprintf("环境名称:%s,服务名称:%s,Deployment:%s", args.EnvName, args.ServiceName, args.Name), fmt.Sprintf("环境名称:%s,服务名称:%s,Deployment:%s", args.EnvName, args.ServiceName, args.Name),
string(data), ctx.Logger, args.EnvName) string(data), ctx.Logger, args.EnvName)
// authorization checks
permitted := false
if ctx.Resources.IsSystemAdmin {
permitted = true
}
if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
if projectAuthInfo.IsProjectAdmin {
permitted = true
}
if projectAuthInfo.Env.EditConfig || projectAuthInfo.Env.ManagePods {
permitted = true
}
collabPermittedConfig, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionEditConfig)
if err == nil {
permitted = collabPermittedConfig
}
collabPermittedManagePod, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionManagePod)
if err == nil {
permitted = collabPermittedManagePod
}
}
if !permitted {
ctx.UnAuthorized = true
return
}
c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
if err := c.BindJSON(args); err != nil {
ctx.Err = e.ErrInvalidParam.AddDesc(err.Error())
return
}
ctx.Err = service.UpdateContainerImage(ctx.RequestID, args, ctx.Logger)
}
func UpdateProductionDeploymentContainerImage(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(service.UpdateContainerImageArgs)
args.Type = setting.Deployment
data, err := c.GetRawData()
if err != nil {
log.Errorf("UpdateDeploymentContainerImage c.GetRawData() err : %v", err)
}
if err = json.Unmarshal(data, args); err != nil {
log.Errorf("UpdateDeploymentContainerImage json.Unmarshal err : %v", err)
}
internalhandler.InsertDetailedOperationLog(
c, ctx.UserName, args.ProductName, setting.OperationSceneEnv,
"更新", "环境-服务镜像",
fmt.Sprintf("环境名称:%s,服务名称:%s,Deployment:%s", args.EnvName, args.ServiceName, args.Name),
string(data), ctx.Logger, args.EnvName)
// authorization checks
permitted := false
if ctx.Resources.IsSystemAdmin {
permitted = true
}
if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
if projectAuthInfo.IsProjectAdmin {
permitted = true
}
if projectAuthInfo.ProductionEnv.EditConfig || projectAuthInfo.ProductionEnv.ManagePods {
permitted = true
}
collabPermittedConfig, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionEditConfig)
if err == nil {
permitted = collabPermittedConfig
}
collabPermittedManagePod, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionManagePod)
if err == nil {
permitted = collabPermittedManagePod
}
}
if !permitted {
ctx.UnAuthorized = true
return
}
c.Request.Body = io.NopCloser(bytes.NewBuffer(data)) c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
if err := c.BindJSON(args); err != nil { if err := c.BindJSON(args); err != nil {
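Review bot: In `UpdateDeploymentContainerImage` and `UpdateProductionDeploymentContainerImage`, `permitted = collabPermittedConfig` and `permitted = collabPermittedManagePod` overwrite the value set by the earlier checks instead of adding to it. A project admin, or a user with `Env.EditConfig`, for whom the collaboration-mode lookup returns `false` with a nil error ends up denied, as does a system admin who has a `ProjectAuthInfo` entry, and the second lookup discards the result of the first. Use `permitted = permitted || collabPermittedConfig` (likewise for manage-pod), or consult collaboration mode only while `permitted` is still false, as the other handlers in this change do. The production variant also consults collaboration mode although the other production handlers here do not, its two `log.Errorf` messages still name `UpdateDeploymentContainerImage`, and errors from `c.GetRawData()` and `json.Unmarshal` are logged but execution continues with whatever `args` holds.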
...@@ -96,9 +227,16 @@ func UpdateDeploymentContainerImage(c *gin.Context) { ...@@ -96,9 +227,16 @@ func UpdateDeploymentContainerImage(c *gin.Context) {
} }
func UpdateCronJobContainerImage(c *gin.Context) { func UpdateCronJobContainerImage(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
args := new(service.UpdateContainerImageArgs) args := new(service.UpdateContainerImageArgs)
args.Type = setting.CronJob args.Type = setting.CronJob
...@@ -116,6 +254,22 @@ func UpdateCronJobContainerImage(c *gin.Context) { ...@@ -116,6 +254,22 @@ func UpdateCronJobContainerImage(c *gin.Context) {
fmt.Sprintf("环境名称:%s,服务名称:%s,CronJob:%s", args.EnvName, args.ServiceName, args.Name), fmt.Sprintf("环境名称:%s,服务名称:%s,CronJob:%s", args.EnvName, args.ServiceName, args.Name),
string(data), ctx.Logger, args.EnvName) string(data), ctx.Logger, args.EnvName)
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[args.ProductName].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[args.ProductName].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, args.ProductName, types.ResourceTypeEnvironment, args.EnvName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
c.Request.Body = io.NopCloser(bytes.NewBuffer(data)) c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
if err := c.BindJSON(args); err != nil { if err := c.BindJSON(args); err != nil {
......
...@@ -17,22 +17,82 @@ limitations under the License. ...@@ -17,22 +17,82 @@ limitations under the License.
package handler package handler
import ( import (
"fmt"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/environment/service"
internalhandler "github.com/koderover/zadig/pkg/shared/handler" internalhandler "github.com/koderover/zadig/pkg/shared/handler"
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
"github.com/koderover/zadig/pkg/types"
) )
func ListIngresses(c *gin.Context) { func ListIngresses(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name")
projectKey := c.Query("projectName")
if envName == "" || projectKey == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("param envName or projectName is invalid")
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
ctx.Resp, ctx.Err = service.ListIngresses(envName, projectKey, ctx.Logger)
}
func ListProductionIngresses(c *gin.Context) {
ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Param("name") envName := c.Param("name")
productName := c.Query("projectName") projectKey := c.Query("projectName")
if envName == "" || productName == "" { if envName == "" || projectKey == "" {
ctx.Err = e.ErrInvalidParam.AddDesc("param envName or projectName is invalid") ctx.Err = e.ErrInvalidParam.AddDesc("param envName or projectName is invalid")
return return
} }
ctx.Resp, ctx.Err = service.ListIngresses(envName, productName, ctx.Logger) // authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
ctx.UnAuthorized = true
return
}
}
ctx.Resp, ctx.Err = service.ListIngresses(envName, projectKey, ctx.Logger)
} }
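Review bot: `ListIngresses` and `ListProductionIngresses` check different permissions (`Env.View` with the collaboration-mode fallback versus `ProductionEnv.View`), but both then call `service.ListIngresses(envName, projectKey, ctx.Logger)` with no production flag, so nothing visible here ties `envName` to the kind of environment the route was authorized for. Unless the service layer rejects the mismatch, the non-production check could be applied to a production environment name. Please verify in the handler that `envName` is (or is not) a production environment before calling the service, or pass a production boolean the way `service.ListReleases` does.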
...@@ -29,6 +29,8 @@ import ( ...@@ -29,6 +29,8 @@ import (
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
) )
// kubernetes resources apis will not have authorization for now
type ListServicePodsArgs struct { type ListServicePodsArgs struct {
serviceName string `json:"service_name"` serviceName string `json:"service_name"`
ProductName string `json:"product_name"` ProductName string `json:"product_name"`
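Review bot: The added comment `kubernetes resources apis will not have authorization for now` records that the handlers in this file stay reachable without a project-level check. Please reference a tracking issue in the comment and note what is expected to protect these routes in the meantime, so the gap does not outlive this PR unnoticed.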
......
...@@ -35,6 +35,7 @@ import ( ...@@ -35,6 +35,7 @@ import (
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
) )
// TODO: deal with openapi later
func generalOpenAPIRequestValidate(c *gin.Context) (string, string, error) { func generalOpenAPIRequestValidate(c *gin.Context) (string, string, error) {
projectName := c.Query("projectKey") projectName := c.Query("projectKey")
if projectName == "" { if projectName == "" {
......
...@@ -17,15 +17,16 @@ limitations under the License. ...@@ -17,15 +17,16 @@ limitations under the License.
package handler package handler
import ( import (
"fmt"
"strconv" "strconv"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/koderover/zadig/pkg/microservice/aslan/core/system/repository/models" "github.com/koderover/zadig/pkg/microservice/aslan/core/system/repository/models"
"github.com/koderover/zadig/pkg/microservice/aslan/core/system/service" "github.com/koderover/zadig/pkg/microservice/aslan/core/system/service"
"github.com/koderover/zadig/pkg/setting" "github.com/koderover/zadig/pkg/setting"
internalhandler "github.com/koderover/zadig/pkg/shared/handler" internalhandler "github.com/koderover/zadig/pkg/shared/handler"
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
"github.com/koderover/zadig/pkg/types"
) )
type OperationLog struct { type OperationLog struct {
...@@ -34,9 +35,39 @@ type OperationLog struct { ...@@ -34,9 +35,39 @@ type OperationLog struct {
} }
func GetOperationLogs(c *gin.Context) { func GetOperationLogs(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx, err := internalhandler.NewContextWithAuthorization(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
if err != nil {
ctx.Logger.Errorf("failed to generate authorization info for user: %s, error: %s", ctx.UserID, err)
ctx.Err = fmt.Errorf("authorization Info Generation failed: err %s", err)
ctx.UnAuthorized = true
return
}
envName := c.Query("envName")
projectKey := c.Query("projectName")
if len(projectKey) == 0 {
ctx.Err = e.ErrFindOperationLog.AddDesc("projectName can't be nil")
return
}
// authorization checks
if !ctx.Resources.IsSystemAdmin {
if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
ctx.UnAuthorized = true
return
}
if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
if err != nil || !permitted {
ctx.UnAuthorized = true
return
}
}
}
page, err := strconv.Atoi(c.DefaultQuery("page", "1")) page, err := strconv.Atoi(c.DefaultQuery("page", "1"))
if err != nil { if err != nil {
ctx.Err = e.ErrFindOperationLog.AddErr(err) ctx.Err = e.ErrFindOperationLog.AddErr(err)
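Review bot: `GetOperationLogs` is a read endpoint but is gated on `Env.EditConfig` and `types.EnvActionEditConfig`, so users who can only view an environment cannot read its operation logs; confirm that is intended or switch to the view permission. `envName` comes from a query parameter that, unlike `projectKey`, is not checked for emptiness before it is passed to `GetCollaborationModePermission`. Decide explicitly what an empty value means (reject the request, or require a project-level permission) rather than leaving it to the lookup.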
...@@ -55,18 +86,12 @@ func GetOperationLogs(c *gin.Context) { ...@@ -55,18 +86,12 @@ func GetOperationLogs(c *gin.Context) {
return return
} }
projectName := c.Query("projectName")
if len(projectName) == 0 {
ctx.Err = e.ErrFindOperationLog.AddDesc("projectName can't be nil")
return
}
args := &service.OperationLogArgs{ args := &service.OperationLogArgs{
ExactProduct: projectName, ExactProduct: projectKey,
Username: c.Query("username"), Username: c.Query("username"),
Function: c.Query("function"), Function: c.Query("function"),
Scene: setting.OperationSceneEnv, Scene: setting.OperationSceneEnv,
TargetID: c.Query("envName"), TargetID: envName,
Status: status, Status: status,
PerPage: pageSize, PerPage: pageSize,
Page: page, Page: page,
......
...@@ -26,6 +26,9 @@ import ( ...@@ -26,6 +26,9 @@ import (
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
) )
// Deprecated apis
// TODO: remove this file
func GetRenderSetInfo(c *gin.Context) { func GetRenderSetInfo(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx := internalhandler.NewContext(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
......
...@@ -24,6 +24,7 @@ import ( ...@@ -24,6 +24,7 @@ import (
e "github.com/koderover/zadig/pkg/tool/errors" e "github.com/koderover/zadig/pkg/tool/errors"
) )
// TODO: no authorization, fix this
func ListVariableSets(c *gin.Context) { func ListVariableSets(c *gin.Context) {
ctx := internalhandler.NewContext(c) ctx := internalhandler.NewContext(c)
defer func() { internalhandler.JSONResponse(c, ctx) }() defer func() { internalhandler.JSONResponse(c, ctx) }()
......
...@@ -74,7 +74,7 @@ func (*Router) Inject(router *gin.RouterGroup) { ...@@ -74,7 +74,7 @@ func (*Router) Inject(router *gin.RouterGroup) {
k8s.GET("/:name", GetServiceTemplateOption) k8s.GET("/:name", GetServiceTemplateOption)
k8s.POST("", GetServiceTemplateProductName, CreateServiceTemplate) k8s.POST("", GetServiceTemplateProductName, CreateServiceTemplate)
k8s.PUT("/:name/variable", UpdateServiceVariable) k8s.PUT("/:name/variable", UpdateServiceVariable)
k8s.PUT("", UpdateServiceTemplate) //k8s.PUT("", UpdateServiceTemplate)
k8s.PUT("/yaml/validator", YamlValidator) k8s.PUT("/yaml/validator", YamlValidator)
k8s.DELETE("/:name/:type", DeleteServiceTemplate) k8s.DELETE("/:name/:type", DeleteServiceTemplate)
k8s.GET("/:name/:type/ports", ListServicePort) k8s.GET("/:name/:type/ports", ListServicePort)
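Review bot: `//k8s.PUT("", UpdateServiceTemplate)` disables the route by commenting it out, with no reason given. If the handler is retired, delete the line and the handler; if it is disabled because it has no authorization check yet, say so in a comment next to it so the route is not re-enabled unprotected.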
......
This diff is collapsed.