feat: add get 3th kind cert by ak api (#731)

Author: RWDai

backend/basic/src/rbum/dto/rbum_filer_dto.rs

@@ -145,6 +145,10 @@ pub struct RbumCertFilterReq {
     ///
     /// 凭证状态
     pub status: Option<RbumCertStatusKind>,
+    /// Certificate extension information
+    ///
+    /// 凭证扩展信息
+    pub ext: Option<String>,
     /// Association type
     ///
     /// 关联类型

backend/basic/src/rbum/serv/rbum_cert_serv.rs

@@ -703,6 +703,9 @@ impl RbumCrudOperation<rbum_cert::ActiveModel, RbumCertAddReq, RbumCertModifyReq
         if let Some(status) = &filter.status {
             query.and_where(Expr::col((rbum_cert::Entity, rbum_cert::Column::Status)).eq(status.to_int()));
         }
+        if let Some(ext) = &filter.ext {
+            query.and_where(Expr::col((rbum_cert::Entity, rbum_cert::Column::Ext)).eq(ext.to_string()));
+        }
         if let Some(rel_rbum_cert_conf_ids) = &filter.rel_rbum_cert_conf_ids {
             query.and_where(Expr::col((rbum_cert::Entity, rbum_cert::Column::RelRbumCertConfId)).is_in(rel_rbum_cert_conf_ids.clone()));
         }

backend/gateways/spacegate-plugins/src/lib.rs

@@ -1,6 +1,6 @@
 #![warn(clippy::unwrap_used)]
 
-use crate::plugin::{anti_replay, anti_xss, audit_log, auth, ip_time, rewrite_ns_b_ip};
+pub use crate::plugin::{anti_replay, anti_xss, audit_log, auth, ip_time, rewrite_ns_b_ip};
 
 mod consts;
 mod extension;

backend/gateways/spacegate-plugins/tests/export_schemas.rs

@@ -1,4 +1,5 @@
-use spacegate_plugin::{plugins, Plugin, PluginSchemaExt};
+use spacegate_plugin::{Plugin, PluginSchemaExt};
+use spacegate_plugins::{anti_replay::AntiReplayPlugin, anti_xss::AntiXssPlugin, audit_log::AuditLogPlugin};
 use tardis::serde_json;
 fn export_plugin<P: PluginSchemaExt + Plugin>(dir: std::path::PathBuf) {
     let schema = P::schema();
@@ -18,15 +19,12 @@ macro_rules! export_plugins {
 
 #[test]
 fn export_schema() {
-    use spacegate_lib::plugin::{
-        anti_replay::AntiReplayPlugin, anti_xss::AntiXssPlugin, audit_log::AuditLogPlugin, auth::AuthPlugin, ip_time::IpTimePlugin, rewrite_ns_b_ip::RewriteNsPlugin,
-    };
     export_plugins!("schema":
         AntiReplayPlugin
         AntiXssPlugin
         AuditLogPlugin
         // AuthPlugin
         // SgIpTimePlugin
-        RewriteNsPlugin
+        // RewriteNsPlugin
     );
 }

backend/supports/iam/src/basic/serv/iam_cert_serv.rs

@@ -670,9 +670,11 @@ impl IamCertServ {
         }
     }
 
+    /// 通过关联rbum_item id 查询三方凭证
     pub async fn get_3th_kind_cert_by_rel_rbum_id(
         rel_rbum_id: &str,
         cert_supplier: Vec<String>,
+        show_sk: bool,
         funs: &TardisFunsInst,
         ctx: &TardisContext,
     ) -> TardisResult<RbumCertSummaryWithSkResp> {
@@ -688,8 +690,12 @@ impl IamCertServ {
         )
         .await?;
         if let Some(ext_cert) = ext_cert {
-            let now_sk = RbumCertServ::show_sk(ext_cert.id.as_str(), &RbumCertFilterReq::default(), funs, ctx).await?;
-            let encoded_sk = encode_cert(&ext_cert.id, now_sk, ext_cert.sk_invisible)?;
+            let encoded_sk = if show_sk {
+                let now_sk = RbumCertServ::show_sk(ext_cert.id.as_str(), &RbumCertFilterReq::default(), funs, ctx).await?;
+                encode_cert(&ext_cert.id, now_sk, ext_cert.sk_invisible)?
+            } else {
+                "".to_string()
+            };
             Ok(RbumCertSummaryWithSkResp {
                 id: ext_cert.id,
                 ak: ext_cert.ak,
@@ -721,7 +727,8 @@ impl IamCertServ {
         }
     }
 
-    pub async fn get_3th_kind_cert_by_id(id: &str, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<RbumCertSummaryWithSkResp> {
+    /// 通过cert id 查询三方凭证
+    pub async fn get_3th_kind_cert_by_id(id: &str, show_sk: bool, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<RbumCertSummaryWithSkResp> {
         // query rel ,get owner
         let rels = IamRelServ::find_rels(
             &RbumRelFilterReq {
@@ -760,9 +767,12 @@ impl IamCertServ {
         )
         .await?;
         if let Some(ext_cert) = ext_cert {
-            let now_sk = RbumCertServ::show_sk(ext_cert.id.as_str(), &RbumCertFilterReq::default(), funs, &mock_ctx).await?;
-            let encoded_sk = encode_cert(&ext_cert.id, now_sk, ext_cert.sk_invisible)?;
-            // let encoded_sk = now_sk;
+            let encoded_sk = if show_sk {
+                let now_sk = RbumCertServ::show_sk(ext_cert.id.as_str(), &RbumCertFilterReq::default(), funs, ctx).await?;
+                encode_cert(&ext_cert.id, now_sk, ext_cert.sk_invisible)?
+            } else {
+                "".to_string()
+            };
             Ok(RbumCertSummaryWithSkResp {
                 id: ext_cert.id,
                 ak: ext_cert.ak,
@@ -794,6 +804,62 @@ impl IamCertServ {
         }
     }
 
+    /// 通过ak supplier 查询三方凭证
+    pub async fn get_3th_kind_cert_by_ak(supplier: &str, ak: &str, show_sk: bool, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<RbumCertSummaryWithSkResp> {
+        let query_cert = RbumCertServ::find_one_detail_rbum(
+            &RbumCertFilterReq {
+                basic: RbumBasicFilterReq {
+                    own_paths: Some(ctx.own_paths.clone()),
+                    ..Default::default()
+                },
+                ak: Some(ak.to_string()),
+                status: Some(RbumCertStatusKind::Enabled),
+                kind: Some(IamCertExtKind::ThirdParty.to_string()),
+                suppliers: Some(vec![supplier.to_string()]),
+                ..Default::default()
+            },
+            funs,
+            ctx,
+        )
+        .await?;
+        if let Some(ext_cert) = query_cert {
+            let encoded_sk = if show_sk {
+                let now_sk = RbumCertServ::show_sk(ext_cert.id.as_str(), &RbumCertFilterReq::default(), funs, ctx).await?;
+                encode_cert(&ext_cert.id, now_sk, ext_cert.sk_invisible)?
+            } else {
+                "".to_string()
+            };
+            Ok(RbumCertSummaryWithSkResp {
+                id: ext_cert.id,
+                ak: ext_cert.ak,
+                sk: encoded_sk,
+                sk_invisible: ext_cert.sk_invisible,
+                ext: ext_cert.ext,
+                conn_uri: ext_cert.conn_uri,
+                start_time: ext_cert.start_time,
+                end_time: ext_cert.end_time,
+                status: ext_cert.status,
+                kind: ext_cert.kind,
+                supplier: ext_cert.supplier,
+                rel_rbum_cert_conf_id: ext_cert.rel_rbum_cert_conf_id,
+                rel_rbum_cert_conf_name: ext_cert.rel_rbum_cert_conf_name,
+                rel_rbum_kind: ext_cert.rel_rbum_kind,
+                rel_rbum_id: ext_cert.rel_rbum_id,
+                own_paths: ext_cert.own_paths,
+                owner: ext_cert.owner,
+                create_time: ext_cert.create_time,
+                update_time: ext_cert.update_time,
+            })
+        } else {
+            Err(funs.err().not_found(
+                "iam_cert",
+                "get_3th_kind_cert_by_rel_rbum_id",
+                &format!("not found credential of ak {ak}"),
+                "404-iam-cert-kind-not-exist",
+            ))
+        }
+    }
+
     pub async fn paginate_certs(
         filter: &RbumCertFilterReq,
         page_number: u32,

backend/supports/iam/src/console_app/api/iam_ca_cert_manage_api.rs

@@ -25,7 +25,7 @@ impl IamCaCertManageApi {
         try_set_real_ip_from_req_to_ctx(request, &ctx.0).await?;
         let funs = iam_constants::get_tardis_inst();
         let ctx = IamCertServ::use_sys_or_tenant_ctx_unsafe(ctx.0)?;
-        let cert = IamCertServ::get_3th_kind_cert_by_id(&id.0, &funs, &ctx).await?;
+        let cert = IamCertServ::get_3th_kind_cert_by_id(&id.0, true, &funs, &ctx).await?;
         ctx.execute_task().await?;
         TardisResp::ok(cert)
     }

backend/supports/iam/src/console_interface/api/iam_ci_account_api.rs

@@ -164,8 +164,8 @@ impl IamCiAccountApi {
         TardisResp::ok(result)
     }
 
-    /// Find Account Id By Ak
-    /// 通过Ak查找帐户Id
+    /// Find Account By Ak
+    /// 通过Ak查找帐户
     ///
     /// if kind is none,query default kind(UserPwd)
     /// 如果kind为空，则查询默认kind(UserPwd)
@@ -230,6 +230,32 @@ impl IamCiAccountApi {
         TardisResp::ok(result)
     }
 
+    /// Find Account By ThirdParty Cert ak
+    /// 通过三方凭证ak查找帐户
+    ///
+    #[oai(path = "/:supplier/:ak/third-party", method = "get")]
+    async fn find_by_third_party(&self, supplier: Path<String>, ak: Path<String>, mut ctx: TardisContextExtractor, request: &Request) -> TardisApiResult<IamAccountDetailResp> {
+        let funs = iam_constants::get_tardis_inst();
+        check_without_owner_and_unsafe_fill_ctx(request, &funs, &mut ctx.0)?;
+        let cert = IamCertServ::get_3th_kind_cert_by_ak(&supplier.0, &ak.0, true, &funs, &ctx.0).await?;
+        let result = IamAccountServ::get_item(
+            &cert.rel_rbum_id,
+            &IamAccountFilterReq {
+                basic: RbumBasicFilterReq {
+                    own_paths: Some("".to_string()),
+                    with_sub_own_paths: true,
+                    ..Default::default()
+                },
+                ..Default::default()
+            },
+            &funs,
+            &ctx.0,
+        )
+        .await?;
+
+        TardisResp::ok(result)
+    }
+
     /// Find App Set Items (Account) ctx
     /// 查找应用集合项（帐户）上下文
     #[oai(path = "/apps/item/ctx", method = "get")]

backend/supports/iam/src/console_interface/api/iam_ci_cert_api.rs

@@ -162,6 +162,7 @@ impl IamCiCertApi {
     }
 
     /// Add Third-kind Cert
+    ///
     /// 添加第三方证书
     #[oai(path = "/third-kind", method = "put")]
     async fn add_third_cert(
@@ -182,6 +183,7 @@ impl IamCiCertApi {
     }
 
     /// Get Third-kind Certs By Account Id
+    ///
     /// 根据账号id获取第三方证书
     #[oai(path = "/third-kind", method = "get")]
     async fn get_third_cert(
@@ -194,7 +196,7 @@ impl IamCiCertApi {
         let funs = iam_constants::get_tardis_inst();
         check_without_owner_and_unsafe_fill_ctx(request, &funs, &mut ctx.0)?;
         try_set_real_ip_from_req_to_ctx(request, &ctx.0).await?;
-        let rbum_cert = IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_id.0, vec![supplier.0], &funs, &ctx.0).await?;
+        let rbum_cert = IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_id.0, vec![supplier.0], true, &funs, &ctx.0).await?;
         ctx.0.execute_task().await?;
         TardisResp::ok(rbum_cert)
     }
@@ -212,7 +214,8 @@ impl IamCiCertApi {
         TardisResp::ok(msg)
     }
 
-    /// decode cert
+    /// Decode cert
+    ///
     /// 解码证书
     #[oai(path = "/decode", method = "post")]
     async fn decode_certs(&self, body: Json<IamCertDecodeRequest>, mut ctx: TardisContextExtractor, request: &Request) -> TardisApiResult<HashMap<String, String>> {

backend/supports/iam/src/console_passport/api/iam_cp_cert_api.rs

@@ -137,8 +137,7 @@ impl IamCpCertApi {
     async fn get_third_cert(&self, supplier: Query<String>, ctx: TardisContextExtractor, request: &Request) -> TardisApiResult<RbumCertSummaryWithSkResp> {
         try_set_real_ip_from_req_to_ctx(request, &ctx.0).await?;
         let funs = iam_constants::get_tardis_inst();
-        // let ctx = IamCertServ::try_use_tenant_ctx(ctx.0, tenant_id.0)?;
-        let rbum_cert = IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&ctx.0.owner, vec![supplier.0], &funs, &ctx.0).await?;
+        let rbum_cert = IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&ctx.0.owner, vec![supplier.0], true, &funs, &ctx.0).await?;
         ctx.0.execute_task().await?;
         TardisResp::ok(rbum_cert)
     }

backend/supports/iam/src/console_tenant/api/iam_ct_cert_api.rs

@@ -85,7 +85,7 @@ impl IamCtCertApi {
         let ctx = IamCertServ::try_use_tenant_ctx(ctx.0, tenant_id.0)?;
         try_set_real_ip_from_req_to_ctx(request, &ctx).await?;
         let funs = iam_constants::get_tardis_inst();
-        let rbum_cert = IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_id.0, vec![cert_supplier.0], &funs, &ctx).await?;
+        let rbum_cert = IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_id.0, vec![cert_supplier.0], true, &funs, &ctx).await?;
         ctx.execute_task().await?;
         TardisResp::ok(rbum_cert)
     }

backend/supports/iam/src/console_tenant/api/iam_ct_cert_manage_api.rs

@@ -100,7 +100,7 @@ impl IamCtCertManageApi {
         let funs = iam_constants::get_tardis_inst();
         let ctx = IamCertServ::use_sys_or_tenant_ctx_unsafe(ctx.0)?;
         try_set_real_ip_from_req_to_ctx(request, &ctx).await?;
-        let cert = IamCertServ::get_3th_kind_cert_by_id(&id.0, &funs, &ctx).await?;
+        let cert = IamCertServ::get_3th_kind_cert_by_id(&id.0, true, &funs, &ctx).await?;
         ctx.execute_task().await?;
         TardisResp::ok(cert)
     }
@@ -112,7 +112,7 @@ impl IamCtCertManageApi {
         try_set_real_ip_from_req_to_ctx(request, &ctx.0).await?;
         let mut funs = iam_constants::get_tardis_inst();
         funs.begin().await?;
-        let cert = IamCertServ::get_3th_kind_cert_by_id(&id.0, &funs, &ctx.0).await?;
+        let cert = IamCertServ::get_3th_kind_cert_by_id(&id.0, false, &funs, &ctx.0).await?;
         IamCertServ::delete_manage_cert(&id.0, &funs, &ctx.0).await?;
         let _ = SpiLogClient::add_dynamic_log(
             &LogDynamicContentReq {

backend/supports/iam/tests/test_cc_cert.rs

@@ -167,7 +167,7 @@ async fn test_single_level(context: &TardisContext, ak: &str, another_context: &
     .await?;
 
     info!("【test_cc_cert】 : test_single_level : Add Ext Cert - Gitlab");
-    assert!(IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_info.account_id, vec!["gitlab".to_string()], &funs, context).await.is_err());
+    assert!(IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_info.account_id, vec!["gitlab".to_string()], false, &funs, context).await.is_err());
     IamCertServ::add_3th_kind_cert(
         &mut IamThirdPartyCertExtAddReq {
             ak: "GitlabUserId".to_string(),
@@ -181,7 +181,7 @@ async fn test_single_level(context: &TardisContext, ak: &str, another_context: &
     )
     .await?;
     assert_eq!(
-        IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_info.account_id, vec!["gitlab".to_string()], &funs, context).await?.ak,
+        IamCertServ::get_3th_kind_cert_by_rel_rbum_id(&account_info.account_id, vec!["gitlab".to_string()], false, &funs, context).await?.ak,
         "GitlabUserId"
     );