Merge branch 'main' of https://github.com/ideal-world/bios

Author: ljl

basic/src/helper.rs

@@ -1,3 +1,4 @@
+pub mod bios_ctx_helper;
 pub mod db_helper;
 pub mod request_helper;
 pub mod url_helper;

basic/src/helper/bios_ctx_helper.rs

@@ -0,0 +1,134 @@
+use crate::rbum::rbum_config::RbumConfigApi;
+use tardis::{
+    basic::{dto::TardisContext, error::TardisError, result::TardisResult},
+    web::poem::Request,
+    TardisFuns, TardisFunsInst,
+};
+
+fn unsafe_check_ctx<F>(request: &Request, f: F, check: bool, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()>
+where
+    F: FnOnce(TardisContext, &mut TardisContext),
+{
+    if check && !ctx.owner.is_empty() {
+        return Ok(());
+    }
+    let bios_ctx = if let Some(bios_ctx) = request.header(&funs.rbum_head_key_bios_ctx()).or_else(|| request.header(&funs.rbum_head_key_bios_ctx().to_lowercase())) {
+        TardisFuns::json.str_to_obj::<TardisContext>(&TardisFuns::crypto.base64.decode_to_string(bios_ctx)?)?
+    } else {
+        return Err(TardisError::unauthorized(
+            &format!("[Basic] Request is not legal, missing header [{}]", funs.rbum_head_key_bios_ctx()),
+            "401-auth-req-ak-not-exist",
+        ));
+    };
+
+    if bios_ctx.own_paths.contains(&ctx.own_paths) {
+        f(bios_ctx, ctx);
+
+        Ok(())
+    } else {
+        Err(TardisError::forbidden(
+            &format!("[Basic] Request is not legal from head [{}]", funs.rbum_head_key_bios_ctx()),
+            "403-auth-req-permission-denied",
+        ))
+    }
+}
+
+// xxx_check_own function will check the owner is empty or not.
+pub fn check_own_fill_ctx(request: &Request, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()> {
+    unsafe_check_ctx(
+        request,
+        |bios_ctx, ctx| {
+            let mut roles = bios_ctx.roles.clone();
+            for role in bios_ctx.roles.clone() {
+                if role.contains(':') {
+                    let extend_role = role.split(':').collect::<Vec<_>>()[0];
+                    roles.push(extend_role.to_string());
+                }
+            }
+            ctx.owner = bios_ctx.owner.clone();
+            ctx.roles = roles;
+            ctx.groups = bios_ctx.groups;
+            ctx.own_paths = bios_ctx.own_paths;
+        },
+        true,
+        funs,
+        ctx,
+    )
+}
+
+pub fn unsafe_fill_ctx(request: &Request, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()> {
+    unsafe_check_ctx(
+        request,
+        |bios_ctx, ctx| {
+            let mut roles = bios_ctx.roles.clone();
+            for role in bios_ctx.roles.clone() {
+                if role.contains(':') {
+                    let extend_role = role.split(':').collect::<Vec<_>>()[0];
+                    roles.push(extend_role.to_string());
+                }
+            }
+            ctx.owner = bios_ctx.owner.clone();
+            ctx.roles = roles;
+            ctx.groups = bios_ctx.groups;
+            ctx.own_paths = bios_ctx.own_paths;
+        },
+        false,
+        funs,
+        ctx,
+    )
+}
+
+pub fn unsfae_fill_owner_only(request: &Request, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()> {
+    unsafe_check_ctx(
+        request,
+        |bios_ctx, ctx| {
+            ctx.owner = bios_ctx.owner.clone();
+        },
+        false,
+        funs,
+        ctx,
+    )
+}
+
+pub fn unsfae_fill_own_paths_only(request: &Request, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()> {
+    unsafe_check_ctx(
+        request,
+        |bios_ctx, ctx| {
+            ctx.own_paths = bios_ctx.own_paths;
+        },
+        false,
+        funs,
+        ctx,
+    )
+}
+
+pub fn unsfae_fill_roles_only(request: &Request, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()> {
+    unsafe_check_ctx(
+        request,
+        |bios_ctx, ctx| {
+            let mut roles = bios_ctx.roles.clone();
+            for role in bios_ctx.roles.clone() {
+                if role.contains(':') {
+                    let extend_role = role.split(':').collect::<Vec<_>>()[0];
+                    roles.push(extend_role.to_string());
+                }
+            }
+            ctx.roles = roles;
+        },
+        false,
+        funs,
+        ctx,
+    )
+}
+
+pub fn unsfae_fill_groups_only(request: &Request, funs: &TardisFunsInst, ctx: &mut TardisContext) -> TardisResult<()> {
+    unsafe_check_ctx(
+        request,
+        |bios_ctx, ctx| {
+            ctx.groups = bios_ctx.groups;
+        },
+        false,
+        funs,
+        ctx,
+    )
+}

basic/src/rbum/rbum_config.rs

@@ -30,6 +30,7 @@ pub struct RbumConfig {
     pub cache_key_cert_err_times_: String,
     // table name (support prefix matching) -> <c><u><d>
     pub event_domains: HashMap<String, String>,
+    pub head_key_bios_ctx: String,
 }
 
 impl Default for RbumConfig {
@@ -49,6 +50,7 @@ impl Default for RbumConfig {
             cache_key_cert_locked_: "rbum:cert:locked:".to_string(),
             cache_key_cert_err_times_: "rbum:cert:err_times:".to_string(),
             event_domains: HashMap::from([("rbum_".to_string(), "cud".to_string())]),
+            head_key_bios_ctx: "Bios-Ctx".to_string(),
         }
     }
 }
@@ -95,6 +97,7 @@ pub trait RbumConfigApi {
     fn rbum_conf_cache_key_cert_locked_(&self) -> String;
     fn rbum_conf_cache_key_cert_err_times_(&self) -> String;
     fn rbum_conf_match_event(&self, table_name: &str, operate: &str) -> bool;
+    fn rbum_head_key_bios_ctx(&self) -> String;
 }
 
 impl RbumConfigApi for TardisFunsInst {
@@ -153,4 +156,7 @@ impl RbumConfigApi for TardisFunsInst {
     fn rbum_conf_match_event(&self, table_name: &str, operate: &str) -> bool {
         RbumConfigManager::match_event(self.module_code(), table_name, operate)
     }
+    fn rbum_head_key_bios_ctx(&self) -> String {
+        RbumConfigManager::get_config(self.module_code(), |conf| conf.head_key_bios_ctx.to_string())
+    }
 }

basic/src/rbum/serv/rbum_item_serv.rs

@@ -1100,13 +1100,13 @@ impl RbumCrudOperation<rbum_item_attr::ActiveModel, RbumItemAttrAddReq, RbumItem
                 (rbum_item_attr::Entity, rbum_item_attr::Column::CreateTime),
                 (rbum_item_attr::Entity, rbum_item_attr::Column::UpdateTime),
             ])
-            .expr_as(Expr::col((rbum_item::Entity, rbum_item::Column::Name)), Alias::new("rel_rbum_item_name"))
+            // .expr_as(Expr::col((rbum_item::Entity, rbum_item::Column::Name)), Alias::new("rel_rbum_item_name"))
             .expr_as(Expr::col((rbum_kind_attr::Entity, rbum_kind_attr::Column::Name)), Alias::new("rel_rbum_kind_attr_name"))
             .from(rbum_item_attr::Entity)
-            .inner_join(
-                rbum_item::Entity,
-                Expr::col((rbum_item::Entity, rbum_item::Column::Id)).equals((rbum_item_attr::Entity, rbum_item_attr::Column::RelRbumItemId)),
-            )
+            // .inner_join(
+            //     rbum_item::Entity,
+            //     Expr::col((rbum_item::Entity, rbum_item::Column::Id)).equals((rbum_item_attr::Entity, rbum_item_attr::Column::RelRbumItemId)),
+            // )
             .inner_join(
                 rbum_kind_attr::Entity,
                 Expr::col((rbum_kind_attr::Entity, rbum_kind_attr::Column::Id)).equals((rbum_item_attr::Entity, rbum_item_attr::Column::RelRbumKindAttrId)),

gateway/spacegate-lib/src/marker.rs

@@ -0,0 +1 @@
+

gateway/spacegate-lib/src/plugin.rs

@@ -3,4 +3,4 @@ pub mod anti_xss;
 pub mod audit_log;
 pub mod auth;
 pub mod ip_time;
-pub mod rewrite_ns_b_ip;
+pub mod rewrite_ns_b_ip;