datasource/etcd/role.go - servicecomb-service-center - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package etcd

 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"strconv"
 	"time"

 	crbac "github.com/go-chassis/cari/rbac"
 	"github.com/little-cui/etcdadpt"

 	"github.com/apache/servicecomb-service-center/datasource"
 	"github.com/apache/servicecomb-service-center/datasource/etcd/path"
 	esync "github.com/apache/servicecomb-service-center/datasource/etcd/sync"
 	"github.com/apache/servicecomb-service-center/datasource/rbac"
 	"github.com/apache/servicecomb-service-center/pkg/log"
 	"github.com/apache/servicecomb-service-center/pkg/util"
 	rbacsvc "github.com/apache/servicecomb-service-center/server/service/rbac"
 )

 const isMigrated = "/cse-sr/role-migrated"

 var (
 	resources   = crbac.BuildResourceList(rbacsvc.ResourceConfig)
 	configPerms = &crbac.Permission{
 		Resources: resources,
 		Verbs:     []string{"*"},
 	}
 )

 func (rm *RbacDAO) CreateRole(ctx context.Context, r *crbac.Role) error {
 	key := path.GenerateRBACRoleKey(r.Name)
 	exist, err := rm.RoleExist(ctx, r.Name)
 	if err != nil {
 		log.Error("can not save role info", err)
 		return err
 	}
 	if exist {
 		return rbac.ErrRoleDuplicated
 	}
 	r.ID = util.GenerateUUID()
 	r.CreateTime = strconv.FormatInt(time.Now().Unix(), 10)
 	r.UpdateTime = r.CreateTime
 	value, err := json.Marshal(r)
 	if err != nil {
 		log.Error("role info is invalid", err)
 		return err
 	}
 	opts := []etcdadpt.OpOptions{
 		etcdadpt.OpPut(etcdadpt.WithStrKey(key), etcdadpt.WithValue(value)),
 	}
 	syncOpts, err := esync.GenCreateOpts(ctx, datasource.ResourceRole, r)
 	if err != nil {
 		log.Error("fail to create sync opts", err)
 		return err
 	}
 	opts = append(opts, syncOpts...)
 	err = etcdadpt.Txn(ctx, opts)
 	if err != nil {
 		log.Error("can not save account info", err)
 		return err
 	}
 	log.Info("create new role: " + r.ID)
 	return nil
 }

 func (rm *RbacDAO) RoleExist(ctx context.Context, name string) (bool, error) {
 	return etcdadpt.Exist(ctx, path.GenerateRBACRoleKey(name))
 }

 func (rm *RbacDAO) GetRole(ctx context.Context, name string) (*crbac.Role, error) {
 	kv, err := etcdadpt.Get(ctx, path.GenerateRBACRoleKey(name))
 	if err != nil {
 		return nil, err
 	}
 	if kv == nil {
 		return nil, rbac.ErrRoleNotExist
 	}
 	role := &crbac.Role{}
 	err = json.Unmarshal(kv.Value, role)
 	if err != nil {
 		log.Error("role info format invalid", err)
 		return nil, err
 	}
 	return role, nil
 }
 func (rm *RbacDAO) ListRole(ctx context.Context) ([]*crbac.Role, int64, error) {
 	kvs, n, err := etcdadpt.List(ctx, path.GenerateRBACRoleKey(""))
 	if err != nil {
 		return nil, 0, err
 	}
 	roles := make([]*crbac.Role, 0, n)
 	for _, v := range kvs {
 		r := &crbac.Role{}
 		err = json.Unmarshal(v.Value, r)
 		if err != nil {
 			log.Error("role info format invalid:", err)
 			continue //do not fail if some role is invalid
 		}

 		roles = append(roles, r)
 	}
 	return roles, n, nil
 }
 func (rm *RbacDAO) DeleteRole(ctx context.Context, name string) (bool, error) {
 	exists, err := RoleBindingExists(ctx, name)
 	if err != nil {
 		log.Error("check role binding existence failed", err)
 		return false, err
 	}
 	if exists {
 		return false, rbac.ErrRoleBindingExist
 	}
 	opts := []etcdadpt.OpOptions{etcdadpt.OpDel(etcdadpt.WithStrKey(path.GenerateRBACRoleKey(name)))}
 	syncOpts, err := esync.GenDeleteOpts(ctx, datasource.ResourceRole, name, name)
 	if err != nil {
 		log.Error("fail to create sync opts", err)
 		return false, err
 	}
 	opts = append(opts, syncOpts...)
 	err = etcdadpt.Txn(ctx, opts)
 	if err != nil {
 		return false, err
 	}
 	return true, nil
 }
 func RoleBindingExists(ctx context.Context, role string) (bool, error) {
 	_, total, err := etcdadpt.List(ctx, path.GenRoleAccountPrefixIdxKey(role))
 	if err != nil {
 		log.Error("list role account failed", err)
 		return false, err
 	}
 	return total > 0, nil
 }
 func (rm *RbacDAO) UpdateRole(ctx context.Context, name string, role *crbac.Role) error {
 	role.UpdateTime = strconv.FormatInt(time.Now().Unix(), 10)
 	value, err := json.Marshal(role)
 	if err != nil {
 		log.Error("role info is invalid", err)
 		return err
 	}
 	opts := []etcdadpt.OpOptions{
 		etcdadpt.OpPut(etcdadpt.WithStrKey(path.GenerateRBACRoleKey(name)), etcdadpt.WithValue(value)),
 	}
 	syncOpts, err := esync.GenUpdateOpts(ctx, datasource.ResourceRole, role)
 	if err != nil {
 		log.Error("fail to create sync opts", err)
 		return err
 	}
 	opts = append(opts, syncOpts...)
 	return etcdadpt.Txn(ctx, opts)
 }
 func (rm *RbacDAO) MigrateOldRoles(ctx context.Context) error {
 	exist, err := etcdadpt.Exist(ctx, isMigrated)
 	if err != nil {
 		return err
 	}
 	if exist {
 		return nil
 	}
 	rs, _, err := rbac.Instance().ListRole(ctx)
 	if err != nil {
 		return err
 	}
 	for _, role := range rs {
 		role.Perms = append(role.Perms, configPerms)
 		err = rbac.Instance().UpdateRole(ctx, role.Name, role)
 		if err != nil {
 			log.Error(fmt.Sprintf("edit role [%s] info faied", role.Name), err)
 			return err
 		}
 	}
 	err = etcdadpt.Put(ctx, isMigrated, "true")
 	if err != nil {
 		log.Error("can not save migrated flag", err)
 		return err
 	}
 	return nil
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package etcd

	import (
	"context"
	"encoding/json"
	"fmt"
	"strconv"
	"time"

	crbac "github.com/go-chassis/cari/rbac"
	"github.com/little-cui/etcdadpt"

	"github.com/apache/servicecomb-service-center/datasource"
	"github.com/apache/servicecomb-service-center/datasource/etcd/path"
	esync "github.com/apache/servicecomb-service-center/datasource/etcd/sync"
	"github.com/apache/servicecomb-service-center/datasource/rbac"
	"github.com/apache/servicecomb-service-center/pkg/log"
	"github.com/apache/servicecomb-service-center/pkg/util"
	rbacsvc "github.com/apache/servicecomb-service-center/server/service/rbac"
	)

	const isMigrated = "/cse-sr/role-migrated"

	var (
	resources = crbac.BuildResourceList(rbacsvc.ResourceConfig)
	configPerms = &crbac.Permission{
	Resources: resources,
	Verbs: []string{"*"},
	}
	)

	func (rm RbacDAO) CreateRole(ctx context.Context, r crbac.Role) error {
	key := path.GenerateRBACRoleKey(r.Name)
	exist, err := rm.RoleExist(ctx, r.Name)
	if err != nil {
	log.Error("can not save role info", err)
	return err
	}
	if exist {
	return rbac.ErrRoleDuplicated
	}
	r.ID = util.GenerateUUID()
	r.CreateTime = strconv.FormatInt(time.Now().Unix(), 10)
	r.UpdateTime = r.CreateTime
	value, err := json.Marshal(r)
	if err != nil {
	log.Error("role info is invalid", err)
	return err
	}
	opts := []etcdadpt.OpOptions{
	etcdadpt.OpPut(etcdadpt.WithStrKey(key), etcdadpt.WithValue(value)),
	}
	syncOpts, err := esync.GenCreateOpts(ctx, datasource.ResourceRole, r)
	if err != nil {
	log.Error("fail to create sync opts", err)
	return err
	}
	opts = append(opts, syncOpts...)
	err = etcdadpt.Txn(ctx, opts)
	if err != nil {
	log.Error("can not save account info", err)
	return err
	}
	log.Info("create new role: " + r.ID)
	return nil
	}

	func (rm *RbacDAO) RoleExist(ctx context.Context, name string) (bool, error) {
	return etcdadpt.Exist(ctx, path.GenerateRBACRoleKey(name))
	}

	func (rm RbacDAO) GetRole(ctx context.Context, name string) (crbac.Role, error) {
	kv, err := etcdadpt.Get(ctx, path.GenerateRBACRoleKey(name))
	if err != nil {
	return nil, err
	}
	if kv == nil {
	return nil, rbac.ErrRoleNotExist
	}
	role := &crbac.Role{}
	err = json.Unmarshal(kv.Value, role)
	if err != nil {
	log.Error("role info format invalid", err)
	return nil, err
	}
	return role, nil
	}
	func (rm RbacDAO) ListRole(ctx context.Context) ([]crbac.Role, int64, error) {
	kvs, n, err := etcdadpt.List(ctx, path.GenerateRBACRoleKey(""))
	if err != nil {
	return nil, 0, err
	}
	roles := make([]*crbac.Role, 0, n)
	for _, v := range kvs {
	r := &crbac.Role{}
	err = json.Unmarshal(v.Value, r)
	if err != nil {
	log.Error("role info format invalid:", err)
	continue //do not fail if some role is invalid
	}

	roles = append(roles, r)
	}
	return roles, n, nil
	}
	func (rm *RbacDAO) DeleteRole(ctx context.Context, name string) (bool, error) {
	exists, err := RoleBindingExists(ctx, name)
	if err != nil {
	log.Error("check role binding existence failed", err)
	return false, err
	}
	if exists {
	return false, rbac.ErrRoleBindingExist
	}
	opts := []etcdadpt.OpOptions{etcdadpt.OpDel(etcdadpt.WithStrKey(path.GenerateRBACRoleKey(name)))}
	syncOpts, err := esync.GenDeleteOpts(ctx, datasource.ResourceRole, name, name)
	if err != nil {
	log.Error("fail to create sync opts", err)
	return false, err
	}
	opts = append(opts, syncOpts...)
	err = etcdadpt.Txn(ctx, opts)
	if err != nil {
	return false, err
	}
	return true, nil
	}
	func RoleBindingExists(ctx context.Context, role string) (bool, error) {
	_, total, err := etcdadpt.List(ctx, path.GenRoleAccountPrefixIdxKey(role))
	if err != nil {
	log.Error("list role account failed", err)
	return false, err
	}
	return total > 0, nil
	}
	func (rm RbacDAO) UpdateRole(ctx context.Context, name string, role crbac.Role) error {
	role.UpdateTime = strconv.FormatInt(time.Now().Unix(), 10)
	value, err := json.Marshal(role)
	if err != nil {
	log.Error("role info is invalid", err)
	return err
	}
	opts := []etcdadpt.OpOptions{
	etcdadpt.OpPut(etcdadpt.WithStrKey(path.GenerateRBACRoleKey(name)), etcdadpt.WithValue(value)),
	}
	syncOpts, err := esync.GenUpdateOpts(ctx, datasource.ResourceRole, role)
	if err != nil {
	log.Error("fail to create sync opts", err)
	return err
	}
	opts = append(opts, syncOpts...)
	return etcdadpt.Txn(ctx, opts)
	}
	func (rm *RbacDAO) MigrateOldRoles(ctx context.Context) error {
	exist, err := etcdadpt.Exist(ctx, isMigrated)
	if err != nil {
	return err
	}
	if exist {
	return nil
	}
	rs, _, err := rbac.Instance().ListRole(ctx)
	if err != nil {
	return err
	}
	for _, role := range rs {
	role.Perms = append(role.Perms, configPerms)
	err = rbac.Instance().UpdateRole(ctx, role.Name, role)
	if err != nil {
	log.Error(fmt.Sprintf("edit role [%s] info faied", role.Name), err)
	return err
	}
	}
	err = etcdadpt.Put(ctx, isMigrated, "true")
	if err != nil {
	log.Error("can not save migrated flag", err)
	return err
	}
	return nil
	}