iam: fix bug (#593)

ideal-world · Jan 16, 2024 · 1132b8b · 1132b8b
1 parent f126ce8
commit 1132b8b
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 4 deletions.
diff --git a/basic/src/rbum/serv/rbum_cert_serv.rs b/basic/src/rbum/serv/rbum_cert_serv.rs
@@ -737,7 +737,7 @@ impl RbumCertServ {
             .and_where(Expr::col(rbum_cert::Column::StartTime).lte(Utc::now().naive_utc()));
         let rbum_cert = funs.db().get_dto::<IdAndSkResp>(&query).await?;
         if let Some(rbum_cert) = rbum_cert {
-            if funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rbum_cert.rel_rbum_id)).await? {
+            if Self::cert_is_locked(&rbum_cert.rel_rbum_id, funs).await {
                 return Err(funs.err().unauthorized(&Self::get_obj_name(), "valid", "cert is locked", "400-rbum-cert-lock"));
             }
             if !ignore_end_time && rbum_cert.end_time < Utc::now() {
@@ -860,7 +860,7 @@ impl RbumCertServ {
         }
         let rbum_cert = funs.db().get_dto::<IdAndSkResp>(&query).await?;
         if let Some(rbum_cert) = rbum_cert {
-            if funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rbum_cert.rel_rbum_id)).await? {
+            if Self::cert_is_locked(&rbum_cert.rel_rbum_id, funs).await {
                 return Err(funs.err().unauthorized(&Self::get_obj_name(), "valid_lock", "cert is locked", "401-rbum-cert-lock"));
             }
             if let Some(rbum_cert_conf_id) = Some(rbum_cert.rel_rbum_cert_conf_id) {
@@ -1281,4 +1281,8 @@ impl RbumCertServ {
     fn encrypt_sk(sk: &str, ak: &str, rbum_cert_conf_id: &str) -> TardisResult<String> {
         TardisFuns::crypto.digest.sha512(format!("{sk}-{ak}-{rbum_cert_conf_id}").as_str())
     }
+
+    pub async fn cert_is_locked(rel_rbum_id: &str, funs: &TardisFunsInst) -> bool {
+        funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rel_rbum_id)).await.is_ok()
+    }
 }
diff --git a/middleware/flow/src/serv/flow_external_serv.rs b/middleware/flow/src/serv/flow_external_serv.rs
@@ -177,7 +177,7 @@ impl FlowExternalServ {
             .body
             .ok_or_else(|| funs.err().internal_error("flow_external", "do_notify_changes", "illegal response", "500-external-illegal-response"))?;
         if resp.code != *"200" {
-            return Err(funs.err().internal_error("flow_external", "do_find_embed_subrole_id", "illegal response", "500-external-illegal-response"));
+            return Err(funs.err().internal_error("flow_external", "do_notify_changes", "illegal response", "500-external-illegal-response"));
         }
         if let Some(data) = resp.body {
             Ok(data)

diff --git a/support/iam/Cargo.toml b/support/iam/Cargo.toml
@@ -36,7 +36,7 @@ tardis = { workspace = true, features = [
     "mail",
 ] }
 bios-basic = { path = "../../basic", features = ["default", "with-mq"] }
-bios-sdk-invoke = { path = "../../sdk/invoke", features = ["default"] }
+bios-sdk-invoke = { path = "../../sdk/invoke", features = ["default", "event"] }
 
 # ldap
 ldap3_proto = { version = "0.3", optional = true }

diff --git a/support/iam/src/console_passport/api/iam_cp_cert_api.rs b/support/iam/src/console_passport/api/iam_cp_cert_api.rs
@@ -9,6 +9,7 @@ use tardis::web::poem_openapi::param::Query;
 use tardis::web::poem_openapi::{param::Path, payload::Json};
 use tardis::web::web_resp::{TardisApiResult, TardisResp, Void};
 use tardis::TardisFuns;
+use tardis::log;
 
 use crate::basic::dto::iam_account_dto::{IamAccountInfoResp, IamAccountInfoWithUserPwdAkResp, IamCpUserPwdBindResp};
 use crate::basic::dto::iam_cert_dto::{
@@ -81,6 +82,7 @@ impl IamCpCertApi {
     #[oai(path = "/logout/:token", method = "delete")]
     async fn logout(&self, token: Path<String>, request: &Request) -> TardisApiResult<Void> {
         let funs = iam_constants::get_tardis_inst();
+        log::debug!("logout headers: {:?}", request.headers());
         IamCertTokenServ::delete_cert(&token.0, get_ip(request).await?, &funs).await?;
         TardisResp::ok(Void {})
     }

diff --git a/support/iam/src/console_passport/serv/iam_cp_cert_ldap_serv.rs b/support/iam/src/console_passport/serv/iam_cp_cert_ldap_serv.rs
@@ -4,6 +4,7 @@ use crate::basic::serv::iam_cert_serv::IamCertServ;
 use crate::console_passport::dto::iam_cp_cert_dto::{IamCpLdapLoginReq, IamCpUserPwdBindWithLdapReq, IamCpUserPwdCheckReq};
 use crate::iam_enumeration::{IamCertKernelKind, IamCertTokenKind};
 use std::collections::HashMap;
+use bios_basic::rbum::serv::rbum_cert_serv::RbumCertServ;
 use tardis::basic::dto::TardisContext;
 use tardis::basic::result::TardisResult;
 use tardis::TardisFunsInst;
@@ -22,6 +23,9 @@ impl IamCpCertLdapServ {
         .await?;
         let mock_ctx = IamCertLdapServ::generate_default_mock_ctx(login_req.code.as_ref(), login_req.tenant_id.clone(), funs).await;
         let resp = if let Some((account_id, access_token)) = ldap_info {
+            if RbumCertServ::cert_is_locked(&account_id, funs).await {
+                return Err(funs.err().unauthorized("iam_cp_cert_ldap", "login_or_register", "cert is locked", "400-rbum-cert-lock"));
+            }
             let (ak, status) = Self::get_pwd_cert_name(&account_id, funs, &mock_ctx).await?;
             let iam_account_info_resp = IamCertServ::package_tardis_context_and_resp(
                 login_req.tenant_id.clone(),

diff --git a/support/iam/tests/test_iam_scenes_system.rs b/support/iam/tests/test_iam_scenes_system.rs
@@ -685,6 +685,7 @@ pub async fn sys_console_res_mgr_page(client: &mut BIOSWebTestClient) -> TardisR
             &format!("/cs/res/{}", res_api_id),
             &IamResModifyReq {
                 name: None,
+                code: None,
                 icon: Some("/static/img/icon/api.png".to_string()),
                 sort: None,
                 hide: None,