lywsvip/cloudpods
1
0
Fork 0
mirror of https://github.com/yunionio/cloudpods.git synced 2026-06-01 05:22:24 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
7cf461e8b771ac8e8fef7bf052d5bf68a64e4e26
cloudpods/pkg/keystone/models/assignments.go
Jian Qiu a3aa26b8e2 fix: options of the maximal number of roles of a user in project (#17033) 
Co-authored-by: QIU Jian <qiujian@yunionyun.com>
2023-05-14 08:35:04 +08:00

979 lines
35 KiB
Go
Raw Blame History

// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package models
import (
"context"
"database/sql"
"fmt"
"net/http"
"time"
"yunion.io/x/jsonutils"
"yunion.io/x/log"
"yunion.io/x/pkg/errors"
"yunion.io/x/pkg/tristate"
"yunion.io/x/pkg/util/rbacscope"
"yunion.io/x/pkg/utils"
"yunion.io/x/sqlchemy"
api "yunion.io/x/onecloud/pkg/apis/identity"
"yunion.io/x/onecloud/pkg/appsrv"
"yunion.io/x/onecloud/pkg/cloudcommon/db"
"yunion.io/x/onecloud/pkg/httperrors"
"yunion.io/x/onecloud/pkg/keystone/options"
"yunion.io/x/onecloud/pkg/mcclient"
"yunion.io/x/onecloud/pkg/mcclient/auth"
"yunion.io/x/onecloud/pkg/util/stringutils2"
)
// +onecloud:swagger-gen-ignore
type SAssignmentManager struct {
db.SResourceBaseManager
}
var AssignmentManager *SAssignmentManager
func init() {
AssignmentManager = &SAssignmentManager{
SResourceBaseManager: db.NewResourceBaseManager(
SAssignment{},
"assignment",
"assignment",
"assignments",
),
}
AssignmentManager.SetVirtualObject(AssignmentManager)
}
/*
+-----------+---------------------------------------------------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+---------------------------------------------------------------+------+-----+---------+-------+
| type | enum('UserProject','GroupProject','UserDomain','GroupDomain') | NO | PRI | NULL | |
| actor_id | varchar(64) | NO | PRI | NULL | |
| target_id | varchar(64) | NO | PRI | NULL | |
| role_id | varchar(64) | NO | PRI | NULL | |
| inherited | tinyint(1) | NO | PRI | NULL | |
+-----------+---------------------------------------------------------------+------+-----+---------+-------+
*/
type SAssignment struct {
db.SResourceBase
// 关联类型,分为四类:'UserProject','GroupProject','UserDomain','GroupDomain'
Type string `width:"16" charset:"ascii" nullable:"false" primary:"true" list:"admin"`
// 用户或者用户组ID
ActorId string `width:"64" charset:"ascii" nullable:"false" primary:"true" list:"admin"`
// 项目或者域ID
TargetId string `width:"64" charset:"ascii" nullable:"false" primary:"true" list:"admin"`
// 角色ID
RoleId string `width:"64" charset:"ascii" nullable:"false" primary:"true" list:"admin"`
Inherited tristate.TriState `primary:"true" list:"admin"`
}
func (manager *SAssignmentManager) InitializeData() error {
return manager.initSysAssignment(context.TODO())
}
func (manager *SAssignmentManager) initSysAssignment(ctx context.Context) error {
adminUser, err := UserManager.FetchUserExtended("", api.SystemAdminUser, api.DEFAULT_DOMAIN_ID, "")
if err != nil {
return errors.Wrap(err, "FetchUserExtended")
}
adminProject, err := ProjectManager.FetchProjectByName(api.SystemAdminProject, api.DEFAULT_DOMAIN_ID, "")
if err != nil {
return errors.Wrap(err, "FetchProjectByName")
}
adminRole, err := RoleManager.FetchRoleByName(api.SystemAdminRole, api.DEFAULT_DOMAIN_ID, "")
if err != nil {
return errors.Wrap(err, "FetchRoleByName")
}
q := manager.Query().Equals("type", api.AssignmentUserProject)
q = q.Equals("actor_id", adminUser.Id)
q = q.Equals("target_id", adminProject.Id)
q = q.Equals("role_id", adminRole.Id)
q = q.IsFalse("inherited")
assign := SAssignment{}
assign.SetModelManager(manager, &assign)
err = q.First(&assign)
if err != nil && err != sql.ErrNoRows {
return errors.Wrap(err, "query")
}
if err == nil {
return nil
}
// no data
assign.Type = api.AssignmentUserProject
assign.ActorId = adminUser.Id
assign.TargetId = adminProject.Id
assign.RoleId = adminRole.Id
assign.Inherited = tristate.False
err = manager.TableSpec().Insert(ctx, &assign)
if err != nil {
return errors.Wrap(err, "insert")
}
return nil
}
func (manager *SAssignmentManager) fetchUserProjectRoleCount(userId, projId string) (int, error) {
q := manager.fetchUserProjectRoleIdsQuery(userId, projId)
return q.CountWithError()
}
func (manager *SAssignmentManager) fetchGroupProjectRoleCount(grpId, projId string) (int, error) {
q := manager.fetchGroupProjectRoleIdsQuery(grpId, projId)
return q.CountWithError()
}
func (manager *SAssignmentManager) FetchUserProjectRoles(userId, projId string) ([]SRole, error) {
subq := manager.fetchUserProjectRoleIdsQuery(userId, projId)
q := RoleManager.Query().In("id", subq.SubQuery())
roles := make([]SRole, 0)
err := db.FetchModelObjects(RoleManager, q, &roles)
if err != nil && err != sql.ErrNoRows {
return nil, err
}
return roles, nil
}
func (manager *SAssignmentManager) fetchRoleUserIdsQuery(roleId string) *sqlchemy.SQuery {
q := manager.Query("actor_id").Equals("role_id", roleId).Equals("type", api.AssignmentUserProject).Distinct().SubQuery()
return q.Query()
}
func (manager *SAssignmentManager) fetchRoleGroupIdsQuery(roleId string) *sqlchemy.SQuery {
q := manager.Query("actor_id").Equals("role_id", roleId).Equals("type", api.AssignmentGroupProject).Distinct().SubQuery()
return q.Query()
}
func (manager *SAssignmentManager) fetchRoleProjectIdsQuery(roleId string) *sqlchemy.SQuery {
q := manager.Query("target_id").Equals("role_id", roleId).Distinct().SubQuery()
return q.Query()
}
func (manager *SAssignmentManager) fetchUserProjectRoleIdsQuery(userId, projId string) *sqlchemy.SQuery {
subq := AssignmentManager.Query("role_id")
subq = subq.Equals("type", api.AssignmentUserProject)
subq = subq.Equals("actor_id", userId)
subq = subq.Equals("target_id", projId)
subq = subq.IsFalse("inherited")
assigns := AssignmentManager.Query().SubQuery()
usergroups := UsergroupManager.Query().SubQuery()
subq2 := assigns.Query(assigns.Field("role_id"))
subq2 = subq2.Join(usergroups, sqlchemy.Equals(
usergroups.Field("group_id"), assigns.Field("actor_id"),
))
subq2 = subq2.Filter(sqlchemy.Equals(assigns.Field("type"), api.AssignmentGroupProject))
subq2 = subq2.Filter(sqlchemy.Equals(assigns.Field("target_id"), projId))
subq2 = subq2.Filter(sqlchemy.Equals(usergroups.Field("user_id"), userId))
subq2 = subq2.Filter(sqlchemy.IsFalse(assigns.Field("inherited")))
return sqlchemy.Union(subq, subq2).Query().Distinct()
}
func (manager *SAssignmentManager) fetchGroupProjectRoleIdsQuery(groupId, projId string) *sqlchemy.SQuery {
subq := AssignmentManager.Query("role_id")
subq = subq.Equals("type", api.AssignmentGroupProject)
subq = subq.Equals("actor_id", groupId)
subq = subq.Equals("target_id", projId)
subq = subq.IsFalse("inherited")
return subq.Distinct()
}
func (manager *SAssignmentManager) fetchGroupProjectIdsQuery(groupId string) *sqlchemy.SQuery {
q := manager.Query("target_id")
q = q.Equals("type", api.AssignmentGroupProject)
q = q.Equals("actor_id", groupId)
q = q.IsFalse("inherited")
return q.Distinct()
}
func (manager *SAssignmentManager) fetchProjectGroupIdsQuery(projId string) *sqlchemy.SQuery {
q := manager.Query("actor_id")
q = q.Equals("type", api.AssignmentGroupProject)
q = q.Equals("target_id", projId)
q = q.IsFalse("inherited")
return q.Distinct()
}
func (manager *SAssignmentManager) fetchUserProjectIdsQuery(userId string) *sqlchemy.SQuery {
q1 := manager.Query("target_id")
q1 = q1.Equals("type", api.AssignmentUserProject)
q1 = q1.Equals("actor_id", userId)
q1 = q1.IsFalse("inherited")
assigns := AssignmentManager.Query().SubQuery()
usergroups := UsergroupManager.Query().SubQuery()
q2 := assigns.Query(assigns.Field("target_id"))
q2 = q2.Join(usergroups, sqlchemy.Equals(
usergroups.Field("group_id"), assigns.Field("actor_id"),
))
q2 = q2.Filter(sqlchemy.Equals(assigns.Field("type"), api.AssignmentGroupProject))
q2 = q2.Filter(sqlchemy.Equals(usergroups.Field("user_id"), userId))
q2 = q2.Filter(sqlchemy.IsFalse(assigns.Field("inherited")))
union := sqlchemy.Union(q1, q2)
return union.Query().Distinct()
}
func (manager *SAssignmentManager) fetchProjectUserIdsQuery(projId string) *sqlchemy.SQuery {
return manager.fetchProjectRoleUserIdsQuery(projId, "")
}
func (manager *SAssignmentManager) fetchProjectRoleUserIdsQuery(projId, roleId string) *sqlchemy.SQuery {
q1 := manager.Query("actor_id")
q1 = q1.Equals("type", api.AssignmentUserProject)
q1 = q1.Equals("target_id", projId)
q1 = q1.IsFalse("inherited")
if len(roleId) > 0 {
q1 = q1.Equals("role_id", roleId)
}
assigns := AssignmentManager.Query().SubQuery()
usergroups := UsergroupManager.Query().SubQuery()
q2 := usergroups.Query(usergroups.Field("user_id", "actor_id"))
q2 = q2.Join(assigns, sqlchemy.Equals(
usergroups.Field("group_id"), assigns.Field("actor_id"),
))
q2 = q2.Filter(sqlchemy.Equals(assigns.Field("type"), api.AssignmentGroupProject))
q2 = q2.Filter(sqlchemy.Equals(assigns.Field("target_id"), projId))
q2 = q2.Filter(sqlchemy.IsFalse(assigns.Field("inherited")))
if len(roleId) > 0 {
q2 = q2.Equals("role_id", roleId)
}
union := sqlchemy.Union(q1, q2)
return union.Query().Distinct()
}
func (manager *SAssignmentManager) fetchUserAndGroups(projIds []string) (map[string][]string, map[string][]string, error) {
q1 := manager.Query().In("type", []string{api.AssignmentGroupProject, api.AssignmentUserProject}).IsFalse("inherited").In("target_id", projIds)
groupCnt, userCnt := map[string][]string{}, map[string][]string{}
assignments := []SAssignment{}
err := q1.All(&assignments)
if err != nil {
return groupCnt, userCnt, errors.Wrapf(err, "q1.All")
}
for i := range assignments {
switch assignments[i].Type {
case api.AssignmentGroupProject:
_, ok := groupCnt[assignments[i].TargetId]
if !ok {
groupCnt[assignments[i].TargetId] = []string{}
}
if !utils.IsInStringArray(assignments[i].ActorId, groupCnt[assignments[i].TargetId]) {
groupCnt[assignments[i].TargetId] = append(groupCnt[assignments[i].TargetId], assignments[i].ActorId)
}
case api.AssignmentUserProject:
_, ok := userCnt[assignments[i].TargetId]
if !ok {
userCnt[assignments[i].TargetId] = []string{}
}
if !utils.IsInStringArray(assignments[i].ActorId, userCnt[assignments[i].TargetId]) {
userCnt[assignments[i].TargetId] = append(userCnt[assignments[i].TargetId], assignments[i].ActorId)
}
}
}
assigns := AssignmentManager.Query().SubQuery()
usergroups := UsergroupManager.Query().SubQuery()
q2 := usergroups.Query(usergroups.Field("user_id", "actor_id"))
q2 = q2.Join(assigns, sqlchemy.Equals(
usergroups.Field("group_id"), assigns.Field("actor_id"),
))
q2 = q2.Filter(sqlchemy.Equals(assigns.Field("type"), api.AssignmentGroupProject))
q2 = q2.Filter(sqlchemy.In(assigns.Field("target_id"), projIds))
q2 = q2.Filter(sqlchemy.IsFalse(assigns.Field("inherited")))
err = q2.All(&assignments)
if err != nil {
return groupCnt, userCnt, errors.Wrapf(err, "q2.All")
}
for i := range assignments {
_, ok := userCnt[assignments[i].TargetId]
if !ok {
userCnt[assignments[i].TargetId] = []string{}
}
if !utils.IsInStringArray(assignments[i].ActorId, userCnt[assignments[i].TargetId]) {
userCnt[assignments[i].TargetId] = append(userCnt[assignments[i].TargetId], assignments[i].ActorId)
}
}
return groupCnt, userCnt, nil
}
func (manager *SAssignmentManager) ProjectAddUser(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, user *SUser, role *SRole) error {
err := db.ValidateCreateDomainId(project.DomainId)
if err != nil {
return err
}
if project.DomainId != user.DomainId {
// if project.DomainId != api.DEFAULT_DOMAIN_ID && !options.Options.AllowJoinProjectsAcrossDomains {
// return httperrors.NewInputParameterError("join user into project of default domain or identical domain")
// } else
if !db.IsAllowPerform(ctx, rbacscope.ScopeSystem, userCred, user, "join-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
} else {
if !db.IsAllowPerform(ctx, rbacscope.ScopeDomain, userCred, user, "join-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
}
roleCnt, err := manager.fetchUserProjectRoleCount(user.Id, project.Id)
if err != nil {
return errors.Wrap(err, "FetchUserProjectRoleCount")
}
if roleCnt >= options.Options.MaxUserRolesInProject {
return errors.Wrapf(httperrors.ErrTooLarge, "user %s has joined project %s %d roles more than %d", user.Name, project.Name, roleCnt, options.Options.MaxUserRolesInProject)
}
err = manager.add(ctx, api.AssignmentUserProject, user.Id, project.Id, role.Id)
if err != nil {
return errors.Wrap(err, "manager.add")
}
db.OpsLog.LogEvent(user, db.ACT_ATTACH, project.GetShortDesc(ctx), userCred)
db.OpsLog.LogEvent(project, db.ACT_ATTACH, user.GetShortDesc(ctx), userCred)
if len(project.AdminId) == 0 && role.Name == options.Options.ProjectAdminRole {
err := project.resetAdminUser(ctx, userCred)
if err != nil {
log.Errorf("rsetAdminUser fail: %s", err)
}
}
return nil
}
func (assign *SAssignment) getRole() (*SRole, error) {
return RoleManager.FetchRoleById(assign.RoleId)
}
func (assign *SAssignment) getProject() (*SProject, error) {
if assign.Type == api.AssignmentUserProject || assign.Type == api.AssignmentGroupProject {
return ProjectManager.FetchProjectById(assign.TargetId)
}
return nil, nil
}
func (assign *SAssignment) getDomain() (*SDomain, error) {
if assign.Type == api.AssignmentUserDomain || assign.Type == api.AssignmentGroupDomain {
return DomainManager.FetchDomainById(assign.TargetId)
}
return nil, nil
}
func (manager *SAssignmentManager) batchRemove(ctx context.Context, userCred mcclient.TokenCredential, actorId string, typeStrs []string) error {
q := manager.Query()
q = q.In("type", typeStrs)
q = q.Equals("actor_id", actorId)
q = q.IsFalse("inherited")
assigns := make([]SAssignment, 0)
err := db.FetchModelObjects(manager, q, &assigns)
if err != nil && err != sql.ErrNoRows {
return errors.Wrap(err, "db.FetchModelObjects")
}
for i := range assigns {
_, err := db.Update(&assigns[i], func() error {
assigns[i].MarkDelete()
return nil
})
if err != nil {
return errors.Wrap(err, "db.Update")
}
// clear project admin Id
role, _ := assigns[i].getRole()
if role.Name == options.Options.ProjectAdminRole {
project, _ := assigns[i].getProject()
if project != nil && project.AdminId == actorId {
err := project.resetAdminUser(ctx, userCred)
if err != nil {
log.Errorf("batchRemove project resetAdminUser fail %s", err)
}
}
}
}
return nil
}
func (manager *SAssignmentManager) projectRemoveAllUser(ctx context.Context, userCred mcclient.TokenCredential, user *SUser) error {
if user.IsAdminUser() {
return httperrors.NewForbiddenError("sysadmin is protected")
}
// allow remove current user from current project. user takes the consequence
// if user.Id == userCred.GetUserId() {
// return httperrors.NewForbiddenError("cannot remove current user from current project")
// }
err := manager.batchRemove(ctx, userCred, user.Id, []string{api.AssignmentUserProject, api.AssignmentUserDomain})
if err != nil {
return errors.Wrap(err, "manager.batchRemove")
}
db.OpsLog.LogEvent(user, "leave_all_projects", user.GetShortDesc(ctx), userCred)
return nil
}
func (manager *SAssignmentManager) projectRemoveAllGroup(ctx context.Context, userCred mcclient.TokenCredential, group *SGroup) error {
err := manager.batchRemove(ctx, userCred, group.Id, []string{api.AssignmentGroupProject, api.AssignmentGroupDomain})
if err != nil {
return errors.Wrap(err, "manager.batchRemove")
}
db.OpsLog.LogEvent(group, "leave_all_projects", group.GetShortDesc(ctx), userCred)
return nil
}
func (manager *SAssignmentManager) projectRemoveUser(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, user *SUser, role *SRole) error {
if project.IsAdminProject() && user.IsAdminUser() && role.IsSystemRole() {
return httperrors.NewForbiddenError("sysadmin is protected")
}
// allow remove current user from current project, user takes the consequence
// prevent remove current user from current project
// if project.Id == userCred.GetProjectId() && user.Id == userCred.GetUserId() {
// return httperrors.NewForbiddenError("cannot remove current user from current project")
// }
if project.DomainId != user.DomainId {
// if project.DomainId != api.DEFAULT_DOMAIN_ID {
// return httperrors.NewInputParameterError("join user into project of default domain or identical domain")
// } else
if !db.IsAllowPerform(ctx, rbacscope.ScopeSystem, userCred, user, "leave-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
} else {
if !db.IsAllowPerform(ctx, rbacscope.ScopeDomain, userCred, user, "leave-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
}
err := manager.remove(api.AssignmentUserProject, user.Id, project.Id, role.Id)
if err != nil {
return errors.Wrap(err, "manager.remove")
}
db.OpsLog.LogEvent(user, db.ACT_DETACH, project.GetShortDesc(ctx), userCred)
db.OpsLog.LogEvent(project, db.ACT_DETACH, user.GetShortDesc(ctx), userCred)
if project.AdminId == user.Id && role.Name == options.Options.ProjectAdminRole {
err := project.resetAdminUser(ctx, userCred)
if err != nil {
log.Errorf("resetAdminUser fail %s", err)
}
}
return nil
}
func (manager *SAssignmentManager) projectAddGroup(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, group *SGroup, role *SRole) error {
err := db.ValidateCreateDomainId(project.DomainId)
if err != nil {
return err
}
if project.DomainId != group.DomainId {
// if project.DomainId != api.DEFAULT_DOMAIN_ID && !options.Options.AllowJoinProjectsAcrossDomains {
// return httperrors.NewInputParameterError("join group into project of default domain or identical domain")
// } else
if !db.IsAllowPerform(ctx, rbacscope.ScopeSystem, userCred, group, "join-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
} else {
if !db.IsAllowPerform(ctx, rbacscope.ScopeDomain, userCred, group, "join-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
}
roleCnt, err := manager.fetchGroupProjectRoleCount(group.Id, project.Id)
if err != nil {
return errors.Wrap(err, "fetchGroupProjectRoleCount")
}
if roleCnt >= options.Options.MaxGroupRolesInProject {
return errors.Wrapf(httperrors.ErrTooLarge, "group %s has joined project %s %d roles more than %d", group.Name, project.Name, roleCnt, options.Options.MaxGroupRolesInProject)
}
err = manager.add(ctx, api.AssignmentGroupProject, group.Id, project.Id, role.Id)
if err != nil {
return errors.Wrap(err, "manager.add")
}
db.OpsLog.LogEvent(group, db.ACT_ATTACH, project.GetShortDesc(ctx), userCred)
db.OpsLog.LogEvent(project, db.ACT_ATTACH, group.GetShortDesc(ctx), userCred)
if len(project.AdminId) == 0 && role.Name == options.Options.ProjectAdminRole {
err := project.resetAdminUser(ctx, userCred)
if err != nil {
log.Errorf("rsetAdminUser fail: %s", err)
}
}
return nil
}
func (manager *SAssignmentManager) projectRemoveGroup(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, group *SGroup, role *SRole) error {
if project.DomainId != group.DomainId {
// if project.DomainId != api.DEFAULT_DOMAIN_ID {
// return httperrors.NewInputParameterError("join group into project of default domain or identical domain")
// } else
if !db.IsAllowPerform(ctx, rbacscope.ScopeSystem, userCred, group, "leave-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
} else {
if !db.IsAllowPerform(ctx, rbacscope.ScopeDomain, userCred, group, "leave-project") {
return httperrors.NewForbiddenError("not enough privilege")
}
}
err := manager.remove(api.AssignmentGroupProject, group.Id, project.Id, role.Id)
if err != nil {
return errors.Wrap(err, "manager.remove")
}
db.OpsLog.LogEvent(group, db.ACT_DETACH, project.GetShortDesc(ctx), userCred)
db.OpsLog.LogEvent(project, db.ACT_DETACH, group.GetShortDesc(ctx), userCred)
if len(project.AdminId) > 0 && role.Name == options.Options.ProjectAdminRole {
err := project.resetAdminUser(ctx, userCred)
if err != nil {
log.Errorf("rsetAdminUser fail: %s", err)
}
}
return nil
}
func (manager *SAssignmentManager) remove(typeStr, actorId, projectId, roleId string) error {
assign := SAssignment{
Type: typeStr,
ActorId: actorId,
TargetId: projectId,
RoleId: roleId,
Inherited: tristate.False,
}
assign.SetModelManager(manager, &assign)
_, err := db.Update(&assign, func() error {
return assign.MarkDelete()
})
if err != nil && err != sql.ErrNoRows {
return err
}
return nil
}
func (manager *SAssignmentManager) add(ctx context.Context, typeStr, actorId, projectId, roleId string) error {
assign := SAssignment{
Type: typeStr,
ActorId: actorId,
TargetId: projectId,
RoleId: roleId,
Inherited: tristate.False,
}
assign.SetModelManager(manager, &assign)
err := manager.TableSpec().InsertOrUpdate(ctx, &assign)
if err != nil {
return errors.Wrap(err, "InsertOrUpdate")
}
return nil
}
func AddAdhocHandlers(version string, app *appsrv.Application) {
app.AddHandler2("GET", fmt.Sprintf("%s/role_assignments", version), auth.Authenticate(roleAssignmentHandler), nil, "list_role_assignments", nil)
}
func roleAssignmentHandler(ctx context.Context, w http.ResponseWriter, r *http.Request) {
_, query, _ := appsrv.FetchEnv(ctx, w, r)
input := api.RoleAssignmentsInput{}
err := query.Unmarshal(&input)
if err != nil {
httperrors.GeneralServerError(ctx, w, err)
return
}
includeNames := (input.IncludeNames != nil)
effective := (input.Effective != nil)
includeSub := (input.IncludeSubtree != nil)
includeSystem := (input.IncludeSystem != nil)
includePolicies := (input.IncludePolicies != nil)
limit := 0
if input.Limit != nil {
limit = *input.Limit
}
offset := 0
if input.Offset != nil {
offset = *input.Offset
}
results, total, err := AssignmentManager.FetchAll(
input.User.Id,
input.Group.Id,
input.Role.Id,
input.Scope.Domain.Id,
input.Scope.Project.Id,
input.ProjectDomainId,
input.Users,
input.Groups,
input.Roles,
input.Domains,
input.Projects,
input.ProjectDomains,
includeNames, effective, includeSub, includeSystem, includePolicies,
limit, offset)
if err != nil {
httperrors.GeneralServerError(ctx, w, err)
return
}
output := api.RoleAssignmentsOutput{}
output.RoleAssignments = results
output.Total = total
output.Limit = limit
output.Offset = offset
appsrv.SendJSON(w, jsonutils.Marshal(output))
}
func (manager *SAssignmentManager) queryAll(
userId, groupId, roleId, domainId, projectId string, projectDomainId string,
users, groups, roles, domains, projects, projectDomains []string,
) *sqlchemy.SQuery {
assigments := manager.Query().SubQuery()
q := assigments.Query(
assigments.Field("type"),
sqlchemy.NewFunction(
sqlchemy.NewCase().When(sqlchemy.OR(
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentUserProject)),
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentUserDomain)),
), assigments.Field("actor_id")).Else(sqlchemy.NewStringField("")),
"user_id",
),
sqlchemy.NewFunction(
sqlchemy.NewCase().When(sqlchemy.OR(
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentGroupProject)),
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentGroupDomain)),
), assigments.Field("actor_id")).Else(sqlchemy.NewStringField("")),
"group_id",
),
sqlchemy.NewFunction(
sqlchemy.NewCase().When(sqlchemy.OR(
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentUserDomain)),
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentGroupDomain)),
), assigments.Field("target_id")).Else(sqlchemy.NewStringField("")),
"domain_id",
),
sqlchemy.NewFunction(
sqlchemy.NewCase().When(sqlchemy.OR(
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentUserProject)),
sqlchemy.Equals(assigments.Field("type"), sqlchemy.NewStringField(api.AssignmentGroupProject)),
), assigments.Field("target_id")).Else(sqlchemy.NewStringField("")),
"project_id",
),
assigments.Field("role_id"),
)
// here use subquery.query to produce a effective reference to case function fields
q = q.SubQuery().Query()
if len(userId) > 0 {
q = q.In("type", []string{api.AssignmentUserProject, api.AssignmentUserDomain}).Equals("user_id", userId)
}
if len(users) > 0 {
subq := UserManager.Query("id")
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(subq.Field("id"), stringutils2.RemoveUtf8Strings(users)),
sqlchemy.ContainsAny(subq.Field("name"), users),
))
q = q.In("type", []string{api.AssignmentUserProject, api.AssignmentUserDomain}).In("user_id", subq.SubQuery())
}
if len(groupId) > 0 {
q = q.In("type", []string{api.AssignmentGroupProject, api.AssignmentGroupDomain}).Equals("group_id", groupId)
}
if len(groups) > 0 {
subq := GroupManager.Query("id")
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(subq.Field("id"), stringutils2.RemoveUtf8Strings(groups)),
sqlchemy.ContainsAny(subq.Field("name"), groups),
))
q = q.In("type", []string{api.AssignmentGroupProject, api.AssignmentGroupDomain}).In("group_id", subq.SubQuery())
}
if len(roleId) > 0 {
q = q.Equals("role_id", roleId)
}
if len(roles) > 0 {
subq := RoleManager.Query("id")
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(subq.Field("id"), stringutils2.RemoveUtf8Strings(roles)),
sqlchemy.ContainsAny(subq.Field("name"), roles),
))
q = q.In("role_id", subq.SubQuery())
}
if len(projectId) > 0 {
q = q.Equals("project_id", projectId).In("type", []string{api.AssignmentUserProject, api.AssignmentGroupProject})
}
if len(projects) > 0 {
subq := ProjectManager.Query("id")
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(subq.Field("id"), stringutils2.RemoveUtf8Strings(projects)),
sqlchemy.ContainsAny(subq.Field("name"), projects),
))
q = q.In("project_id", subq.SubQuery()).In("type", []string{api.AssignmentUserProject, api.AssignmentGroupProject})
}
if len(projectDomainId) > 0 {
subq := ProjectManager.Query("id").Equals("domain_id", projectDomainId)
q = q.In("project_id", subq.SubQuery()).In("type", []string{api.AssignmentUserProject, api.AssignmentGroupProject})
}
if len(projectDomains) > 0 {
subq := ProjectManager.Query("id")
domainQ := DomainManager.Query("id", "name").SubQuery()
subq = subq.Join(domainQ, sqlchemy.Equals(subq.Field("domain_id"), domainQ.Field("id")))
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(domainQ.Field("id"), stringutils2.RemoveUtf8Strings(projectDomains)),
sqlchemy.ContainsAny(domainQ.Field("name"), projectDomains),
))
q = q.In("project_id", subq.SubQuery()).In("type", []string{api.AssignmentUserProject, api.AssignmentGroupProject})
}
if len(domainId) > 0 {
q = q.Equals("domain_id", domainId).In("type", []string{api.AssignmentUserDomain, api.AssignmentGroupDomain})
}
if len(domains) > 0 {
subq := DomainManager.Query("id")
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(subq.Field("id"), stringutils2.RemoveUtf8Strings(domains)),
sqlchemy.ContainsAny(subq.Field("name"), domains),
))
q = q.In("domain_id", subq.SubQuery()).In("type", []string{api.AssignmentUserDomain, api.AssignmentGroupDomain})
}
return q
}
func fetchRoleAssignmentPolicies(ra *api.SRoleAssignment) {
policyNames, _, _ := RolePolicyManager.GetMatchPolicyGroup(ra, time.Time{}, true)
ra.Policies.Project, _ = policyNames[rbacscope.ScopeProject]
ra.Policies.Domain, _ = policyNames[rbacscope.ScopeDomain]
ra.Policies.System, _ = policyNames[rbacscope.ScopeSystem]
}
type sAssignmentInternal struct {
Type string `json:"type"`
UserId string `json:"user_id"`
GroupId string `json:"group_id"`
DomainId string `json:"domain_id"`
ProjectId string `json:"project_id"`
RoleId string `json:"role_id"`
}
func (assign *sAssignmentInternal) getRoleAssignment(domains, projects, groups, users, roles map[string]api.SFetchDomainObject, fetchPolicies bool, projectMetadata map[string]map[string]string) api.SRoleAssignment {
ra := api.SRoleAssignment{}
ra.Role.Id = assign.RoleId
ra.Role.Name = roles[assign.RoleId].Name
ra.Role.Domain.Id = roles[assign.RoleId].DomainId
ra.Role.Domain.Name = roles[assign.RoleId].Domain
if len(assign.UserId) > 0 {
ra.User.Id = assign.UserId
ra.User.Name = users[assign.UserId].Name
ra.User.Domain.Id = users[assign.UserId].DomainId
ra.User.Domain.Name = users[assign.UserId].Domain
}
if len(assign.GroupId) > 0 {
ra.Group.Id = assign.GroupId
ra.Group.Name = groups[assign.GroupId].Name
ra.Group.Domain.Id = groups[assign.GroupId].DomainId
ra.Group.Domain.Name = groups[assign.GroupId].Domain
}
if len(assign.ProjectId) > 0 {
ra.Scope.Project.Id = assign.ProjectId
ra.Scope.Project.Name = projects[assign.ProjectId].Name
ra.Scope.Project.Metadata, _ = projectMetadata[assign.ProjectId]
ra.Scope.Project.Domain.Id = projects[assign.ProjectId].DomainId
ra.Scope.Project.Domain.Name = projects[assign.ProjectId].Domain
if fetchPolicies {
fetchRoleAssignmentPolicies(&ra)
}
} else if len(assign.DomainId) > 0 {
ra.Scope.Domain.Id = assign.DomainId
ra.Scope.Domain.Name = domains[assign.DomainId].Name
}
return ra
}
func (manager *SAssignmentManager) FetchAll(
userId, groupId, roleId, domainId, projectId string, projectDomainId string,
userStrs, groupStrs, roleStrs, domainStrs, projectStrs, projectDomainStrs []string,
includeNames, effective, includeSub, includeSystem, includePolicies bool,
limit, offset int) ([]api.SRoleAssignment, int64, error) {
var q *sqlchemy.SQuery
if effective {
usrq := manager.queryAll(userId, "", roleId, domainId, projectId, projectDomainId, userStrs, nil, roleStrs, domainStrs, projectStrs, projectDomainStrs).In("type", []string{api.AssignmentUserProject, api.AssignmentUserDomain})
memberships := UsergroupManager.Query("user_id", "group_id").SubQuery()
grpproj := manager.queryAll("", groupId, roleId, domainId, projectId, projectDomainId, nil, groupStrs, roleStrs, domainStrs, projectStrs, projectDomainStrs).In("type", []string{api.AssignmentGroupProject, api.AssignmentGroupDomain}).SubQuery()
q2 := grpproj.Query(
grpproj.Field("type"),
memberships.Field("user_id"),
grpproj.Field("group_id"),
grpproj.Field("domain_id"),
grpproj.Field("project_id"),
grpproj.Field("role_id"),
)
q2 = q2.LeftJoin(memberships, sqlchemy.Equals(grpproj.Field("group_id"), memberships.Field("group_id")))
if len(userId) > 0 {
q2 = q2.Filter(sqlchemy.Equals(memberships.Field("user_id"), userId))
}
if len(userStrs) > 0 {
subq := UserManager.Query("id")
subq = subq.Filter(sqlchemy.OR(
sqlchemy.In(subq.Field("id"), stringutils2.RemoveUtf8Strings(userStrs)),
sqlchemy.ContainsAny(subq.Field("name"), userStrs),
))
q2 = q2.Filter(sqlchemy.In(memberships.Field("user_id"), subq.SubQuery()))
}
q = sqlchemy.Union(usrq, q2).Query().Distinct()
} else {
q = manager.queryAll(userId, groupId, roleId, domainId, projectId, projectDomainId, userStrs, groupStrs, roleStrs, domainStrs, projectStrs, projectDomainStrs).Distinct()
}
if !includeSystem {
users := UserManager.Query().SubQuery()
q = q.LeftJoin(users, sqlchemy.Equals(q.Field("user_id"), users.Field("id")))
q = q.Filter(sqlchemy.OR(
sqlchemy.IsFalse(users.Field("is_system_account")),
sqlchemy.IsNull(users.Field("is_system_account")),
))
}
total, err := q.CountWithError()
if err != nil {
return nil, -1, errors.Wrap(err, "q.Count")
}
if limit > 0 {
q = q.Limit(limit)
}
if offset > 0 {
q = q.Offset(offset)
}
assigns := make([]sAssignmentInternal, 0)
err = q.All(&assigns)
if err != nil && err != sql.ErrNoRows {
return nil, -1, httperrors.NewInternalServerError("query error %s", err)
}
domainIds := stringutils2.SSortedStrings{}
projectIds := stringutils2.SSortedStrings{}
groupIds := stringutils2.SSortedStrings{}
userIds := stringutils2.SSortedStrings{}
roleIds := stringutils2.SSortedStrings{}
for i := range assigns {
if len(assigns[i].UserId) > 0 {
userIds = stringutils2.Append(userIds, assigns[i].UserId)
}
if len(assigns[i].GroupId) > 0 {
groupIds = stringutils2.Append(groupIds, assigns[i].GroupId)
}
if len(assigns[i].DomainId) > 0 {
domainIds = stringutils2.Append(domainIds, assigns[i].DomainId)
}
if len(assigns[i].ProjectId) > 0 {
projectIds = stringutils2.Append(projectIds, assigns[i].ProjectId)
}
roleIds = stringutils2.Append(roleIds, assigns[i].RoleId)
}
domains, err := fetchObjects(DomainManager, domainIds)
if err != nil {
return nil, -1, errors.Wrap(err, "fetchObjects DomainManager")
}
projects, err := fetchObjects(ProjectManager, projectIds)
if err != nil {
return nil, -1, errors.Wrap(err, "fetchObjects ProjectManager")
}
projectMetadatas := fetchProjectMetadatas(projectIds)
groups, err := fetchObjects(GroupManager, groupIds)
if err != nil {
return nil, -1, errors.Wrap(err, "fetchObjects GroupManager")
}
users, err := fetchObjects(UserManager, userIds)
if err != nil {
return nil, -1, errors.Wrap(err, "fetchObjects UserManager")
}
roles, err := fetchObjects(RoleManager, roleIds)
if err != nil {
return nil, -1, errors.Wrap(err, "fetchObjects RoleManager")
}
results := make([]api.SRoleAssignment, len(assigns))
for i := range assigns {
results[i] = assigns[i].getRoleAssignment(domains, projects, groups, users, roles, includePolicies, projectMetadatas)
}
return results, int64(total), nil
}
func (manager *SAssignmentManager) isUserInProjectWithRole(userId, projectId, roleId string) (bool, error) {
q := manager.fetchUserProjectRoleIdsQuery(userId, projectId)
q = q.Equals("role_id", roleId)
cnt, err := q.CountWithError()
if err != nil {
return false, errors.Wrap(err, "CountWithError")
}
if cnt > 0 {
return true, nil
} else {
return false, nil
}
}
func fetchProjectMetadatas(idList []string) map[string]map[string]string {
ret := map[string]map[string]string{}
if len(idList) == 0 {
return ret
}
q := db.Metadata.Query().Equals("obj_type", "project").In("obj_id", idList)
result := []db.SMetadata{}
err := q.All(&result)
if err != nil {
return ret
}
for i := range result {
_, ok := ret[result[i].ObjId]
if !ok {
ret[result[i].ObjId] = map[string]string{}
}
ret[result[i].ObjId][result[i].Key] = result[i].Value
}
return ret
}
func fetchObjects(manager db.IModelManager, idList []string) (map[string]api.SFetchDomainObject, error) {
results := make(map[string]api.SFetchDomainObject)
if len(idList) == 0 {
return results, nil
}
var q *sqlchemy.SQuery
if manager == DomainManager {
q = DomainManager.Query().In("id", idList)
} else {
resq := manager.Query().SubQuery()
domains := DomainManager.Query().SubQuery()
q = resq.Query(resq.Field("id"), resq.Field("name"), resq.Field("domain_id"), domains.Field("name", "domain"))
q = q.Join(domains, sqlchemy.Equals(domains.Field("id"), resq.Field("domain_id")))
q = q.Filter(sqlchemy.IsTrue(domains.Field("is_domain")))
q = q.Filter(sqlchemy.In(resq.Field("id"), idList))
}
objs := make([]api.SFetchDomainObject, 0)
err := q.All(&objs)
if err != nil && err != sql.ErrNoRows {
return nil, errors.Wrap(err, "query")
}
for i := range objs {
results[objs[i].Id] = objs[i]
}
return results, nil
}
Reference in New Issue View Git Blame Copy Permalink