pkg/bufman/services/authz_service.go - dubbo-kubernetes - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one or more
 // contributor license agreements.  See the NOTICE file distributed with
 // this work for additional information regarding copyright ownership.
 // The ASF licenses this file to You under the Apache License, Version 2.0
 // (the "License"); you may not use this file except in compliance with
 // the License.  You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package services

 import (
 	"errors"
 	"fmt"
 )

 import (
 	"gorm.io/gorm"
 )

 import (
 	"github.com/apache/dubbo-kubernetes/pkg/bufman/e"
 	registryv1alpha1 "github.com/apache/dubbo-kubernetes/pkg/bufman/gen/proto/go/registry/v1alpha1"
 	"github.com/apache/dubbo-kubernetes/pkg/bufman/mapper"
 	"github.com/apache/dubbo-kubernetes/pkg/bufman/model"
 )

 // AuthorizationService 用户权限验证
 type AuthorizationService interface {
 	CheckRepositoryCanAccess(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) // 检查user id用户是否可以访问repo
 	CheckRepositoryCanAccessByID(userID, repositoryID string) (*model.Repository, e.ResponseError)
 	CheckRepositoryCanEdit(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) // 检查user是否可以修改repo
 	CheckRepositoryCanEditByID(userID, repositoryID string) (*model.Repository, e.ResponseError)
 	CheckRepositoryCanDelete(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) // 检查用户是否可以删除repo
 	CheckRepositoryCanDeleteByID(userID, repositoryID string) (*model.Repository, e.ResponseError)
 }

 func NewAuthorizationService() AuthorizationService {
 	return &AuthorizationServiceImpl{
 		repositoryMapper: &mapper.RepositoryMapperImpl{},
 	}
 }

 type AuthorizationServiceImpl struct {
 	repositoryMapper mapper.RepositoryMapper
 }

 func (authorizationService *AuthorizationServiceImpl) CheckRepositoryCanAccess(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) {
 	repository, err := authorizationService.repositoryMapper.FindByUserNameAndRepositoryName(ownerName, repositoryName)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, e.NewNotFoundError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
 		}

 		return nil, e.NewInternalError(err)
 	}

 	if registryv1alpha1.Visibility(repository.Visibility) != registryv1alpha1.Visibility_VISIBILITY_PUBLIC && repository.UserID != userID {
 		return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
 	}

 	return repository, nil
 }

 func (authorizationService *AuthorizationServiceImpl) CheckRepositoryCanAccessByID(userID, repositoryID string) (*model.Repository, e.ResponseError) {
 	repository, err := authorizationService.repositoryMapper.FindByRepositoryID(repositoryID)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, e.NewNotFoundError(fmt.Errorf("repository [id=%s]", repositoryID))
 		}

 		return nil, e.NewInternalError(err)
 	}

 	if registryv1alpha1.Visibility(repository.Visibility) != registryv1alpha1.Visibility_VISIBILITY_PUBLIC && repository.UserID != userID {
 		return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [id=%s]", repositoryID))
 	}

 	return repository, nil
 }

 func (authorizationService *AuthorizationServiceImpl) CheckRepositoryCanEdit(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) {
 	repository, err := authorizationService.repositoryMapper.FindByUserNameAndRepositoryName(ownerName, repositoryName)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, e.NewNotFoundError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
 		}

 		return nil, e.NewInternalError(err)
 	}

 	// 只有所属用户才能修改
 	if repository.UserID != userID {
 		return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
 	}

 	return repository, nil
 }

 func (authorizationService *AuthorizationServiceImpl) CheckRepositoryCanEditByID(userID, repositoryID string) (*model.Repository, e.ResponseError) {
 	repository, err := authorizationService.repositoryMapper.FindByRepositoryID(repositoryID)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, e.NewNotFoundError(fmt.Errorf("repository [id=%s]", repositoryID))
 		}

 		return nil, e.NewInternalError(err)
 	}

 	// 只有所属用户才能修改
 	if repository.UserID != userID {
 		return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [id=%s]", repositoryID))
 	}

 	return repository, nil
 }

 func (authorizationService *AuthorizationServiceImpl) CheckRepositoryCanDelete(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) {
 	repository, err := authorizationService.repositoryMapper.FindByUserNameAndRepositoryName(ownerName, repositoryName)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, e.NewNotFoundError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
 		}

 		return nil, e.NewInternalError(err)
 	}

 	// 只有所属用户才能修改
 	if repository.UserID != userID {
 		return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
 	}

 	return repository, nil
 }

 func (authorizationService *AuthorizationServiceImpl) CheckRepositoryCanDeleteByID(userID, repositoryID string) (*model.Repository, e.ResponseError) {
 	repository, err := authorizationService.repositoryMapper.FindByRepositoryID(repositoryID)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, e.NewNotFoundError(fmt.Errorf("repository [id=%s]", repositoryID))
 		}

 		return nil, e.NewInternalError(err)
 	}

 	// 只有所属用户才能修改
 	if repository.UserID != userID {
 		return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [id=%s]", repositoryID))
 	}

 	return repository, nil
 }
	// Licensed to the Apache Software Foundation (ASF) under one or more
	// contributor license agreements. See the NOTICE file distributed with
	// this work for additional information regarding copyright ownership.
	// The ASF licenses this file to You under the Apache License, Version 2.0
	// (the "License"); you may not use this file except in compliance with
	// the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package services

	import (
	"errors"
	"fmt"
	)

	import (
	"gorm.io/gorm"
	)

	import (
	"github.com/apache/dubbo-kubernetes/pkg/bufman/e"
	registryv1alpha1 "github.com/apache/dubbo-kubernetes/pkg/bufman/gen/proto/go/registry/v1alpha1"
	"github.com/apache/dubbo-kubernetes/pkg/bufman/mapper"
	"github.com/apache/dubbo-kubernetes/pkg/bufman/model"
	)

	// AuthorizationService 用户权限验证
	type AuthorizationService interface {
	CheckRepositoryCanAccess(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) // 检查user id用户是否可以访问repo
	CheckRepositoryCanAccessByID(userID, repositoryID string) (*model.Repository, e.ResponseError)
	CheckRepositoryCanEdit(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) // 检查user是否可以修改repo
	CheckRepositoryCanEditByID(userID, repositoryID string) (*model.Repository, e.ResponseError)
	CheckRepositoryCanDelete(userID, ownerName, repositoryName string) (*model.Repository, e.ResponseError) // 检查用户是否可以删除repo
	CheckRepositoryCanDeleteByID(userID, repositoryID string) (*model.Repository, e.ResponseError)
	}

	func NewAuthorizationService() AuthorizationService {
	return &AuthorizationServiceImpl{
	repositoryMapper: &mapper.RepositoryMapperImpl{},
	}
	}

	type AuthorizationServiceImpl struct {
	repositoryMapper mapper.RepositoryMapper
	}

	func (authorizationService AuthorizationServiceImpl) CheckRepositoryCanAccess(userID, ownerName, repositoryName string) (model.Repository, e.ResponseError) {
	repository, err := authorizationService.repositoryMapper.FindByUserNameAndRepositoryName(ownerName, repositoryName)
	if err != nil {
	if errors.Is(err, gorm.ErrRecordNotFound) {
	return nil, e.NewNotFoundError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
	}

	return nil, e.NewInternalError(err)
	}

	if registryv1alpha1.Visibility(repository.Visibility) != registryv1alpha1.Visibility_VISIBILITY_PUBLIC && repository.UserID != userID {
	return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
	}

	return repository, nil
	}

	func (authorizationService AuthorizationServiceImpl) CheckRepositoryCanAccessByID(userID, repositoryID string) (model.Repository, e.ResponseError) {
	repository, err := authorizationService.repositoryMapper.FindByRepositoryID(repositoryID)
	if err != nil {
	if errors.Is(err, gorm.ErrRecordNotFound) {
	return nil, e.NewNotFoundError(fmt.Errorf("repository [id=%s]", repositoryID))
	}

	return nil, e.NewInternalError(err)
	}

	if registryv1alpha1.Visibility(repository.Visibility) != registryv1alpha1.Visibility_VISIBILITY_PUBLIC && repository.UserID != userID {
	return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [id=%s]", repositoryID))
	}

	return repository, nil
	}

	func (authorizationService AuthorizationServiceImpl) CheckRepositoryCanEdit(userID, ownerName, repositoryName string) (model.Repository, e.ResponseError) {
	repository, err := authorizationService.repositoryMapper.FindByUserNameAndRepositoryName(ownerName, repositoryName)
	if err != nil {
	if errors.Is(err, gorm.ErrRecordNotFound) {
	return nil, e.NewNotFoundError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
	}

	return nil, e.NewInternalError(err)
	}

	// 只有所属用户才能修改
	if repository.UserID != userID {
	return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
	}

	return repository, nil
	}

	func (authorizationService AuthorizationServiceImpl) CheckRepositoryCanEditByID(userID, repositoryID string) (model.Repository, e.ResponseError) {
	repository, err := authorizationService.repositoryMapper.FindByRepositoryID(repositoryID)
	if err != nil {
	if errors.Is(err, gorm.ErrRecordNotFound) {
	return nil, e.NewNotFoundError(fmt.Errorf("repository [id=%s]", repositoryID))
	}

	return nil, e.NewInternalError(err)
	}

	// 只有所属用户才能修改
	if repository.UserID != userID {
	return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [id=%s]", repositoryID))
	}

	return repository, nil
	}

	func (authorizationService AuthorizationServiceImpl) CheckRepositoryCanDelete(userID, ownerName, repositoryName string) (model.Repository, e.ResponseError) {
	repository, err := authorizationService.repositoryMapper.FindByUserNameAndRepositoryName(ownerName, repositoryName)
	if err != nil {
	if errors.Is(err, gorm.ErrRecordNotFound) {
	return nil, e.NewNotFoundError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
	}

	return nil, e.NewInternalError(err)
	}

	// 只有所属用户才能修改
	if repository.UserID != userID {
	return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [name=%s/%s]", ownerName, repositoryName))
	}

	return repository, nil
	}

	func (authorizationService AuthorizationServiceImpl) CheckRepositoryCanDeleteByID(userID, repositoryID string) (model.Repository, e.ResponseError) {
	repository, err := authorizationService.repositoryMapper.FindByRepositoryID(repositoryID)
	if err != nil {
	if errors.Is(err, gorm.ErrRecordNotFound) {
	return nil, e.NewNotFoundError(fmt.Errorf("repository [id=%s]", repositoryID))
	}

	return nil, e.NewInternalError(err)
	}

	// 只有所属用户才能修改
	if repository.UserID != userID {
	return nil, e.NewPermissionDeniedError(fmt.Errorf("repository [id=%s]", repositoryID))
	}

	return repository, nil
	}