[系统用户]实现基础的权限校验

internal/configloaders/admin_module.go

@@ -1,6 +1,11 @@
 package configloaders
 
-import "github.com/iwind/TeaGo/maps"
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
+	"github.com/iwind/TeaGo/maps"
+)
 
 type AdminModuleCode = string
 
@@ -13,60 +18,115 @@ const (
 	AdminModuleCodeSetting AdminModuleCode = "setting"
 )
 
-var adminModuleMapping = map[int64]*AdminModuleList{} // adminId => AdminModuleList
+var sharedAdminModuleMapping = map[int64]*AdminModuleList{} // adminId => AdminModuleList
 
-func LoadAdminModuleMapping() (map[int64]*AdminModuleList, error) {
+func loadAdminModuleMapping() (map[int64]*AdminModuleList, error) {
-	locker.Lock()
+	if len(sharedAdminModuleMapping) > 0 {
-	defer locker.Unlock()
+		return sharedAdminModuleMapping, nil
-
-	if len(adminModuleMapping) > 0 {
-		return adminModuleMapping, nil
 	}
 
-	// TODO
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		return nil, err
+	}
+	modulesResp, err := rpcClient.AdminRPC().FindAllAdminModules(rpcClient.Context(0), &pb.FindAllAdminModulesRequest{})
+	if err != nil {
+		return nil, err
+	}
+	mapping := map[int64]*AdminModuleList{}
+	for _, m := range modulesResp.AdminModules {
+		list := &AdminModuleList{
+			IsSuper: m.IsSuper,
+		}
 
-	return nil, nil
+		for _, pbModule := range m.Modules {
+			list.Modules = append(list.Modules, &systemconfigs.AdminModule{
+				Code:     pbModule.Code,
+				AllowAll: pbModule.AllowAll,
+				Actions:  pbModule.Actions,
+			})
+		}
+
+		mapping[m.AdminId] = list
+	}
+
+	sharedAdminModuleMapping = mapping
+
+	return sharedAdminModuleMapping, nil
 }
 
 func NotifyAdminModuleMappingChange() error {
 	locker.Lock()
-	adminModuleMapping = map[int64]*AdminModuleList{}
+	defer locker.Unlock()
-	locker.Unlock() // 这里结束是为了避免和LoadAdminModuleMapping()造成死锁
+	sharedAdminModuleMapping = map[int64]*AdminModuleList{}
-	_, err := LoadAdminModuleMapping()
+	_, err := loadAdminModuleMapping()
 	return err
 }
 
-func IsAllowModule(adminId int64, module string) bool {
+// 检查模块是否允许访问
-	// TODO
+func AllowModule(adminId int64, module string) bool {
+	locker.Lock()
+	defer locker.Unlock()
+
+	if len(sharedAdminModuleMapping) == 0 {
+		_, _ = loadAdminModuleMapping()
+	}
+
+	list, ok := sharedAdminModuleMapping[adminId]
+	if ok {
+		return list.Allow(module)
+	}
+
 	return false
 }
 
+// 获取管理员第一个可访问模块
+func FindFirstAdminModule(adminId int64) (module AdminModuleCode, ok bool) {
+	locker.Lock()
+	defer locker.Unlock()
+	list, ok2 := sharedAdminModuleMapping[adminId]
+	if ok2 {
+		if list.IsSuper {
+			return AdminModuleCodeServer, true
+		} else if len(list.Modules) > 0 {
+			return list.Modules[0].Code, true
+		}
+	}
+	return
+}
+
 // 所有权限列表
 func AllModuleMaps() []maps.Map {
 	return []maps.Map{
 		{
 			"name": "网站服务",
 			"code": AdminModuleCodeServer,
+			"url":  "/servers",
 		},
 		{
 			"name": "边缘节点",
 			"code": AdminModuleCodeNode,
+			"url":  "/clusters",
 		},
 		{
 			"name": "域名解析",
 			"code": AdminModuleCodeDNS,
+			"url":  "/dns",
 		},
 		{
 			"name": "系统用户",
 			"code": AdminModuleCodeAdmin,
+			"url":  "/admins",
 		},
 		{
 			"name": "日志审计",
 			"code": AdminModuleCodeLog,
+			"url":  "/log",
 		},
 		{
 			"name": "系统设置",
 			"code": AdminModuleCodeSetting,
+			"url":  "/settings",
 		},
 	}
 }

internal/configloaders/admin_module_list.go

@@ -6,3 +6,15 @@ type AdminModuleList struct {
 	IsSuper bool
 	Modules []*systemconfigs.AdminModule
 }
+
+func (this *AdminModuleList) Allow(module string) bool {
+	if this.IsSuper {
+		return true
+	}
+	for _, m := range this.Modules {
+		if m.Code == module {
+			return true
+		}
+	}
+	return false
+}

internal/configloaders/admin_module_test.go

@@ -0,0 +1,14 @@
+package configloaders
+
+import (
+	"github.com/iwind/TeaGo/logs"
+	"testing"
+)
+
+func TestLoadAdminModuleMapping(t *testing.T) {
+	m, err := LoadAdminModuleMapping()
+	if err != nil {
+		t.Fatal(err)
+	}
+	logs.PrintAsJSON(m, t)
+}

internal/web/actions/default/admins/createPopup.go

@@ -88,7 +88,16 @@ func (this *CreatePopupAction) RunPost(params struct {
 		return
 	}
 
+
+
 	defer this.CreateLogInfo("创建系统用户 %d", createResp.AdminId)
 
+	// 通知更改
+	err = configloaders.NotifyAdminModuleMappingChange()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
 	this.Success()
 }

internal/web/actions/default/admins/delete.go

@@ -1,6 +1,7 @@
 package admins
 
 import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 )
@@ -20,5 +21,12 @@ func (this *DeleteAction) RunPost(params struct {
 		return
 	}
 
+	// 通知更改
+	err = configloaders.NotifyAdminModuleMappingChange()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
 	this.Success()
 }

internal/web/actions/default/admins/init.go

@@ -10,12 +10,12 @@ func init() {
 		server.
 			Helper(helpers.NewUserMustAuth()).
 			Data("teaMenu", "admins").
+			Data("teaModule", "admin").
 			Prefix("/admins").
 			Get("", new(IndexAction)).
 			GetPost("/createPopup", new(CreatePopupAction)).
 			GetPost("/updatePopup", new(UpdatePopupAction)).
 			Post("/delete", new(DeleteAction)).
-			Post("/updateOn", new(UpdateOnAction)).
 			EndAll()
 	})
 }

internal/web/actions/default/admins/updateOn.go

@@ -1,11 +0,0 @@
-package admins
-
-import "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
-
-type UpdateOnAction struct {
-	actionutils.ParentAction
-}
-
-func (this *UpdateOnAction) RunPost(params struct{}) {
-	this.Success()
-}

internal/web/actions/default/admins/updatePopup.go

@@ -125,5 +125,12 @@ func (this *UpdatePopupAction) RunPost(params struct {
 		return
 	}
 
+	// 通知更改
+	err = configloaders.NotifyAdminModuleMappingChange()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
 	this.Success()
 }

internal/web/actions/default/clusters/init.go

@@ -11,6 +11,7 @@ func init() {
 		server.
 			Helper(helpers.NewUserMustAuth()).
 			Helper(clusterutils.NewClustersHelper()).
+			Data("teaModule", "node").
 			Prefix("/clusters").
 			Get("", new(IndexAction)).
 			GetPost("/create", new(CreateAction)).

internal/web/actions/default/dashboard/index.go

@@ -1,6 +1,9 @@
 package dashboard
 
-import "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+)
 
 type IndexAction struct {
 	actionutils.ParentAction
@@ -11,5 +14,14 @@ func (this *IndexAction) Init() {
 }
 
 func (this *IndexAction) RunGet(params struct{}) {
-	this.RedirectURL("/servers")
+	// 取得用户的权限
+	module, ok := configloaders.FindFirstAdminModule(this.AdminId())
+	if ok {
+		for _, m := range configloaders.AllModuleMaps() {
+			if m.GetString("code") == module {
+				this.RedirectURL(m.GetString("url"))
+				return
+			}
+		}
+	}
 }

internal/web/actions/default/dns/init.go

@@ -14,6 +14,7 @@ func init() {
 		server.
 			Helper(new(helpers.UserMustAuth)).
 			Helper(new(Helper)).
+			Data("teaModule", "dns").
 			Prefix("/dns").
 			Get("", new(IndexAction)).
 			GetPost("/updateClusterPopup", new(UpdateClusterPopupAction)).

internal/web/actions/default/log/init.go

@@ -10,6 +10,7 @@ func init() {
 		server.
 			Helper(new(helpers.UserMustAuth)).
 			Helper(new(Helper)).
+			Data("teaModule", "log").
 			Prefix("/log").
 			Get("", new(IndexAction)).
 			Get("/exportExcel", new(ExportExcelAction)).

internal/web/actions/default/servers/init.go

@@ -10,6 +10,7 @@ func init() {
 		server.
 			Helper(helpers.NewUserMustAuth()).
 			Helper(NewHelper()).
+			Data("teaModule", "server").
 			Prefix("/servers").
 			Get("", new(IndexAction)).
 			GetPost("/create", new(CreateAction)).

internal/web/actions/default/settings/init.go

@@ -10,6 +10,7 @@ func init() {
 		server.
 			Helper(helpers.NewUserMustAuth()).
 			Helper(NewHelper()).
+			Data("teaModule", "setting").
 			Prefix("/settings").
 			Get("", new(IndexAction)).
 			EndAll()

internal/web/helpers/user_must_auth.go

@@ -15,7 +15,7 @@ import (
 
 // 认证拦截
 type UserMustAuth struct {
-	AdminId int
+	AdminId int64
 	Grant   string
 }
 
@@ -48,12 +48,19 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 	}
 
 	var session = action.Session()
-	var adminId = session.GetInt("adminId")
+	var adminId = session.GetInt64("adminId")
 	if adminId <= 0 {
 		this.login(action)
 		return false
 	}
 
+	// 检查用户权限
+	teaModule := action.Data.GetString("teaModule")
+	if len(teaModule) > 0 && !configloaders.AllowModule(adminId, teaModule) {
+		action.WriteString("Permission Denied.")
+		return false
+	}
+
 	// 检查用户是否存在
 	rpc, err := nodes.SharedRPC()
 	if err != nil {
@@ -111,7 +118,7 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 	if !action.Data.Has("teaMenu") {
 		action.Data["teaMenu"] = ""
 	}
-	action.Data["teaModules"] = this.modules()
+	action.Data["teaModules"] = this.modules(adminId)
 	action.Data["teaSubMenus"] = []map[string]interface{}{}
 	action.Data["teaTabbar"] = []map[string]interface{}{}
 	if len(config.Version) == 0 {
@@ -142,12 +149,13 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 }
 
 // 菜单配置
-func (this *UserMustAuth) modules() []maps.Map {
+func (this *UserMustAuth) modules(adminId int64) []maps.Map {
-	return []maps.Map{
+	allMaps := []maps.Map{
 		{
-			"code": "servers",
+			"code":   "servers",
-			"name": "网站服务",
+			"module": configloaders.AdminModuleCodeServer,
-			"icon": "clone outsize",
+			"name":   "网站服务",
+			"icon":   "clone outsize",
 			"subItems": []maps.Map{
 				{
 					"name": "通用设置",
@@ -177,9 +185,10 @@ func (this *UserMustAuth) modules() []maps.Map {
 			},
 		},
 		{
-			"code": "clusters",
+			"code":   "clusters",
-			"name": "边缘节点",
+			"module": configloaders.AdminModuleCodeNode,
-			"icon": "cloud",
+			"name":   "边缘节点",
+			"icon":   "cloud",
 			"subItems": []maps.Map{
 				{
 					"name": "SSH认证",
@@ -189,9 +198,10 @@ func (this *UserMustAuth) modules() []maps.Map {
 			},
 		},
 		{
-			"code": "dns",
+			"code":   "dns",
-			"name": "域名解析",
+			"module": configloaders.AdminModuleCodeDNS,
-			"icon": "globe",
+			"name":   "域名解析",
+			"icon":   "globe",
 			"subItems": []maps.Map{
 				{
 					"name": "问题修复",
@@ -206,21 +216,33 @@ func (this *UserMustAuth) modules() []maps.Map {
 			},
 		},
 		{
-			"code": "admins",
+			"code":   "admins",
-			"name": "系统用户",
+			"module": configloaders.AdminModuleCodeAdmin,
-			"icon": "users",
+			"name":   "系统用户",
+			"icon":   "users",
 		},
 		{
-			"code": "log",
+			"code":   "log",
-			"name": "日志审计",
+			"module": configloaders.AdminModuleCodeLog,
-			"icon": "history",
+			"name":   "日志审计",
+			"icon":   "history",
 		},
 		{
-			"code": "settings",
+			"code":   "settings",
-			"name": "系统设置",
+			"module": configloaders.AdminModuleCodeSetting,
-			"icon": "setting",
+			"name":   "系统设置",
+			"icon":   "setting",
 		},
 	}
+
+	result := []maps.Map{}
+	for _, m := range allMaps {
+		module := m.GetString("module")
+		if configloaders.AllowModule(adminId, module) {
+			result = append(result, m)
+		}
+	}
+	return result
 }
 
 // 跳转到登录页

web/views/@default/admins/index.html

@@ -23,7 +23,7 @@
 			<label-on :v-is-on="admin.isOn"></label-on>
 		</td>
 		<td>
-			<a href="" @click.prevent="updateAdmin(admin.id)">修改</a> &nbsp; <a href="" v-if="!admin.isSuper" @click.prevent="deleteAdmin(admin.id)">删除</a>
+			<a href="" @click.prevent="updateAdmin(admin.id)" v-if="!admin.isSuper">修改</a> &nbsp; <a href="" v-if="!admin.isSuper" @click.prevent="deleteAdmin(admin.id)">删除</a>
 		</td>
 	</tr>
 </table>