diff --git a/basic/src/rbum/serv/rbum_cert_serv.rs b/basic/src/rbum/serv/rbum_cert_serv.rs
index 6512725fd..95a6ec781 100644
--- a/basic/src/rbum/serv/rbum_cert_serv.rs
+++ b/basic/src/rbum/serv/rbum_cert_serv.rs
@@ -737,7 +737,7 @@ impl RbumCertServ {
 .and_where(Expr::col(rbum_cert::Column::StartTime).lte(Utc::now().naive_utc()));
 let rbum_cert = funs.db().get_dto::(&query).await?;
 if let Some(rbum_cert) = rbum_cert {
- if funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rbum_cert.rel_rbum_id)).await? {
+ if Self::cert_is_locked(&rbum_cert.rel_rbum_id, funs).await {
 return Err(funs.err().unauthorized(&Self::get_obj_name(), "valid", "cert is locked", "400-rbum-cert-lock"));
 }
 if !ignore_end_time && rbum_cert.end_time < Utc::now() {
@@ -860,7 +860,7 @@ impl RbumCertServ {
 }
 let rbum_cert = funs.db().get_dto::(&query).await?;
 if let Some(rbum_cert) = rbum_cert {
- if funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rbum_cert.rel_rbum_id)).await? {
+ if Self::cert_is_locked(&rbum_cert.rel_rbum_id, funs).await {
 return Err(funs.err().unauthorized(&Self::get_obj_name(), "valid_lock", "cert is locked", "401-rbum-cert-lock"));
 }
 if let Some(rbum_cert_conf_id) = Some(rbum_cert.rel_rbum_cert_conf_id) {
@@ -1281,4 +1281,8 @@ impl RbumCertServ {
 fn encrypt_sk(sk: &str, ak: &str, rbum_cert_conf_id: &str) -> TardisResult {
 TardisFuns::crypto.digest.sha512(format!("{sk}-{ak}-{rbum_cert_conf_id}").as_str())
 }
+
+ pub async fn cert_is_locked(rel_rbum_id: &str, funs: &TardisFunsInst) -> bool {
+ funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rel_rbum_id)).await.is_ok()
+ }
 }
diff --git a/middleware/flow/src/serv/flow_external_serv.rs b/middleware/flow/src/serv/flow_external_serv.rs
index 19fd4ec60..e9f16a2e1 100644
--- a/middleware/flow/src/serv/flow_external_serv.rs
+++ b/middleware/flow/src/serv/flow_external_serv.rs
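Review bot: `cert_is_locked` in the `@@ -1281` hunk ends in `.await.is_ok()`, which is true whenever the cache call succeeds and says nothing about whether the lock key exists — so every cert reads as locked while the cache is reachable, and as unlocked when the cache errors, the opposite of the `?`-then-bool check it replaces in the `@@ -737` and `@@ -860` hunks (and of what the new LDAP login check in iam_cp_cert_ldap_serv.rs expects). Keep the cache error visible and return the boolean itself: `pub async fn cert_is_locked(rel_rbum_id: &str, funs: &TardisFunsInst) -> TardisResult<bool> {` with body `funs.cache().exists(&format!("{}{}", funs.rbum_conf_cache_key_cert_locked_(), rel_rbum_id)).await`, and the three call sites become `if Self::cert_is_locked(&rbum_cert.rel_rbum_id, funs).await? {`. If a plain `bool` is really wanted, `matches!(…, Ok(true))` is the minimum, but that turns a cache outage into "not locked", which the old code never did. A doc comment on the helper should say that the lock is the presence of the cache key and that cache failures are propagated rather than treated as unlocked.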
@@ -177,7 +177,7 @@ impl FlowExternalServ {
 .body
 .ok_or_else(|| funs.err().internal_error("flow_external", "do_notify_changes", "illegal response", "500-external-illegal-response"))?;
 if resp.code != *"200" {
- return Err(funs.err().internal_error("flow_external", "do_find_embed_subrole_id", "illegal response", "500-external-illegal-response"));
+ return Err(funs.err().internal_error("flow_external", "do_notify_changes", "illegal response", "500-external-illegal-response"));
 }
 if let Some(data) = resp.body {
 Ok(data)
diff --git a/support/iam/Cargo.toml b/support/iam/Cargo.toml
index c02738e62..67500b1ca 100644
--- a/support/iam/Cargo.toml
+++ b/support/iam/Cargo.toml
@@ -36,7 +36,7 @@ tardis = { workspace = true, features = [
 "mail",
 ] }
 bios-basic = { path = "../../basic", features = ["default", "with-mq"] }
-bios-sdk-invoke = { path = "../../sdk/invoke", features = ["default"] }
+bios-sdk-invoke = { path = "../../sdk/invoke", features = ["default", "event"] }
 # ldap
 ldap3_proto = { version = "0.3", optional = true }
diff --git a/support/iam/src/console_passport/api/iam_cp_cert_api.rs b/support/iam/src/console_passport/api/iam_cp_cert_api.rs
index d74cbf2a0..0c270e662 100644
--- a/support/iam/src/console_passport/api/iam_cp_cert_api.rs
+++ b/support/iam/src/console_passport/api/iam_cp_cert_api.rs
@@ -9,6 +9,7 @@ use tardis::web::poem_openapi::param::Query;
 use tardis::web::poem_openapi::{param::Path, payload::Json};
 use tardis::web::web_resp::{TardisApiResult, TardisResp, Void};
 use tardis::TardisFuns;
+use tardis::log;
 use crate::basic::dto::iam_account_dto::{IamAccountInfoResp, IamAccountInfoWithUserPwdAkResp, IamCpUserPwdBindResp};
 use crate::basic::dto::iam_cert_dto::{
@@ -81,6 +82,7 @@ impl IamCpCertApi {
 #[oai(path = "/logout/:token", method = "delete")]
 async fn logout(&self, token: Path, request: &Request) -> TardisApiResult {
 let funs = iam_constants::get_tardis_inst();
+ log::debug!("logout headers: {:?}", request.headers());
 IamCertTokenServ::delete_cert(&token.0, get_ip(request).await?, &funs).await?;
 TardisResp::ok(Void {})
 }
diff --git a/support/iam/src/console_passport/serv/iam_cp_cert_ldap_serv.rs b/support/iam/src/console_passport/serv/iam_cp_cert_ldap_serv.rs
index 2d2c56287..af89af758 100644
--- a/support/iam/src/console_passport/serv/iam_cp_cert_ldap_serv.rs
+++ b/support/iam/src/console_passport/serv/iam_cp_cert_ldap_serv.rs
@@ -4,6 +4,7 @@ use crate::basic::serv::iam_cert_serv::IamCertServ;
 use crate::console_passport::dto::iam_cp_cert_dto::{IamCpLdapLoginReq, IamCpUserPwdBindWithLdapReq, IamCpUserPwdCheckReq};
 use crate::iam_enumeration::{IamCertKernelKind, IamCertTokenKind};
 use std::collections::HashMap;
+use bios_basic::rbum::serv::rbum_cert_serv::RbumCertServ;
 use tardis::basic::dto::TardisContext;
 use tardis::basic::result::TardisResult;
 use tardis::TardisFunsInst;
@@ -22,6 +23,9 @@ impl IamCpCertLdapServ {
 .await?;
 let mock_ctx = IamCertLdapServ::generate_default_mock_ctx(login_req.code.as_ref(), login_req.tenant_id.clone(), funs).await;
 let resp = if let Some((account_id, access_token)) = ldap_info {
+ if RbumCertServ::cert_is_locked(&account_id, funs).await {
+ return Err(funs.err().unauthorized("iam_cp_cert_ldap", "login_or_register", "cert is locked", "400-rbum-cert-lock"));
+ }
 let (ak, status) = Self::get_pwd_cert_name(&account_id, funs, &mock_ctx).await?;
 let iam_account_info_resp = IamCertServ::package_tardis_context_and_resp(
 login_req.tenant_id.clone(),
diff --git a/support/iam/tests/test_iam_scenes_system.rs b/support/iam/tests/test_iam_scenes_system.rs
index 6ce2c897d..ac8117bb9 100644
--- a/support/iam/tests/test_iam_scenes_system.rs
+++ b/support/iam/tests/test_iam_scenes_system.rs
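Review bot: The added `log::debug!("logout headers: {:?}", request.headers());` in the `logout` hunk dumps the complete header map of an authenticated request, which on this endpoint carries the caller's session token and any cookies, so credentials end up in log storage whenever debug logging is enabled. Log only what the investigation needs, for example the header names, `log::debug!("logout header names: {:?}", request.headers().keys().collect::<Vec<_>>());`, or a single named header with its value redacted. If this is temporary debugging it should not be merged at all.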
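Review bot: The new lock check in the `@@ -22,6 +23,9` hunk of iam_cp_cert_ldap_serv.rs answers with `unauthorized` and code "400-rbum-cert-lock", while the `valid_lock` path in RbumCertServ reports the same condition as "401-rbum-cert-lock"; settle on one code so clients can match the locked case uniformly. The check also keys the lookup on `account_id`, whereas RbumCertServ builds the lock key from `rbum_cert.rel_rbum_id` — presumably the same value for a password cert, but worth confirming, since a mismatch would make this check a silent no-op. `login_or_register`'s body starts and ends outside the hunk.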
@@ -685,6 +685,7 @@ pub async fn sys_console_res_mgr_page(client: &mut BIOSWebTestClient) -> TardisR
 &format!("/cs/res/{}", res_api_id),
 &IamResModifyReq {
 name: None,
+ code: None,
 icon: Some("/static/img/icon/api.png".to_string()),
 sort: None,
 hide: None,