diff --git a/README.md b/README.md
index 0f97731..49b33af 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,19 @@
 # 初始化配置说明
 1. clone之后使用`git submodule update --init `初始化子仓库。
+
+# 测试环境搭建说明
+测试环境中有一个bdtest/Repository(tcp://127.0.0.1:21035),和一个标识解析系统(tcp://127.0.0.1:21041)
+## Repo测试
+进行Repo测试时,需要先在`http://127.0.0.1:21030/DOIP/GlobalRouter/assets/#/Suffix/suffixManage`中登录,
+key填:` { "publicKey": "04180354fdb6507f8ab98ccfbe165ce11da74ba733f81af86ad6d32216b32cf4f797c559d50ceeefbf4c760c3483840471c67471b90acdffb388cd7d496d9a1610",
+"privateKey": "1d4196947f59532db6f8f4055e58474a48db8f30b476ae3edc66406464521b3b"}`,由于该repo需要支持从本地的客户端发起调用,
+因此Address建议填`tcp://127.0.0.1:port`。注意IP与Registry填写的IP的不同。
+添加一个`Repository2`,其中address填写的port范围建议在18034-18039之内。
+
+## Registry测试
+进行Registry测试时,需要先在`http://127.0.0.1:21030/DOIP/GlobalRouter/assets/#/Suffix/suffixManage` 之中
+创建一个`Registry2`的标识。
+key填:` { "publicKey": "04180354fdb6507f8ab98ccfbe165ce11da74ba733f81af86ad6d32216b32cf4f797c559d50ceeefbf4c760c3483840471c67471b90acdffb388cd7d496d9a1610",
+"privateKey": "1d4196947f59532db6f8f4055e58474a48db8f30b476ae3edc66406464521b3b"}`
+由于Registry2需要支持从docker的repo去调用DOIP.publish,因此address填写:`tcp://host.docker.internal:port`,port的范围
+建议18034-18039之内。
\ No newline at end of file
diff --git a/access-control-template/actemplate/IODAC.yjs b/access-control-template/actemplate/IODAC.yjs
index 54fe818..2c16ac7 100644
--- a/access-control-template/actemplate/IODAC.yjs
+++ b/access-control-template/actemplate/IODAC.yjs
@@ -1,19 +1,80 @@ +//访问控制规则: +//针对如果是DOIP请求的调用 +//仅包括Repo.doipRetrive +//Registry的publish/subscribe不做访问控制 +//如果是HTTP请求的调用 +//管理员具有所有权限 +//一些”写入接口“添加权限检查 module DOAuth { + function initDOAuth(req, createParam, doipFunctions) { + Global.owner = req; + Global.doipFunctions = doipFunctions; + Global.accessInfo = RocksDBUtil.loadDB("accessControl", "false"); + Global.userInfo = RocksDBUtil.loadDB("authedUserInfo", "false"); + Global.nodeInfo = RocksDBUtil.loadDB("authedNodeInfo", "false"); + } + function isOwner(req) { + return req == Global.owner; + } + function doipAccessCheck(argPack) { + print("in doipAcceccCheck, requester:" + argPack.requester); + return hasDBSetItem(Global.accessInfo, argPack.arg.header.identifier, argPack.requester); + } + function checkByManager(action) { + return Global.doipFunctions.indexOf(action) == - 1; + } + @Description("针对某一DO,添加用户的访问权限") @ArgSchema({ - "doId" : "string", "publicKey" : "string" + "doId" : "string", "publicKey" : "string", "info": "string" + }) + @Access({ + "ACFunction":"acceptOwner" }) export function addAuthedUser(arg) { + //把requester和 arg.doId放到accessInfo里即可。 + addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey); + if(arg.info != null) { + Global.userInfo.put(arg.publicKey, arg.info); + } return { "code" : 0 }; } + function acceptJudgementInternal(argPack) { + if (checkByManager(argPack.action)){ + return isOwner(argPack.requester); + } else { + return doipAccessCheck(argPack); + } + } + function acceptJudgement(argPack) { + if (! 
acceptJudgementInternal(argPack)){ + print("acceptJudgement, requester:" + argPack.requester + "false!!"); + YancloudUtil.exceptionReturn({ + "code" : 401, "msg" : "no permission: " + argPack.action + }); + } else print("acceptJudgement, requester:" + argPack.requester + "true!!"); + } + + function acceptOwner(argPack) { + if (argPack.requester !== Global.owner) { + YancloudUtil.exceptionReturn({ + "code" : 401, "msg" : "no permission: " + argPack.action + }); + } + } + @Description("针对某一DO,删除用户的访问权限") @ArgSchema({ "doId" : "string", "publicKey" : "string" }) + @Access({ + "ACFunction":"acceptOwner" + }) export function deleteAuthedUser(arg) { + deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey); return { "code" : 0 }; @@ -21,9 +82,16 @@ module DOAuth { @Description("针对某一DO,添加节点的访问权限,所有调用进带该节点授权的用户均可访问") @ArgSchema({ - "doId" : "string", "publicKey" : "string" + "doId" : "string", "publicKey" : "string", "info" : "string" + }) + @Access({ + "ACFunction":"acceptOwner" }) export function addAuthedNode(arg) { + addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey); + if(arg.info != null) { + Global.nodeInfo.put(arg.publicKey, arg.info); + } return { "code" : 0 }; 
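Review bot: `doipAccessCheck` reads `argPack.arg.header.identifier` without checking that `arg` and `header` exist, so a DOIP call that omits the header throws out of `acceptJudgement` instead of being denied by the `hasDBSetItem` lookup; whether the surrounding runtime turns that exception into a rejection is not visible here, so a guard `if (argPack.arg == null || argPack.arg.header == null) return false;` ahead of the lookup would make the deny explicit. `isOwner` compares with `==` while `acceptOwner` in the same hunk uses `!==`; `return req === Global.owner;` keeps the two owner checks equivalent. In the second hunk `addAuthedNode` writes the node's public key into the same per-doId set in `Global.accessInfo` that `addAuthedUser` uses, and `doipAccessCheck` only tests `argPack.requester` against that set, so a node grant is enforced exactly like a user grant — the "users calling through an authorized node" behaviour described in its `@Description` does not appear in the check as written. `checkByManager` also deserves a comment stating its fail-closed direction: `// actions not listed in doipFunctions are HTTP/admin calls and fall back to the owner-only check`.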
@@ -34,10 +102,45 @@ module DOAuth { @ArgSchema({ "doId" : "string", "publicKey" : "string" }) + @Access({ + "ACFunction":"acceptOwner" + }) export function deleteAuthedNode(arg) { + deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey); return { "code" : 0 }; } + function getDBSet(db, key) { + var saved = db.get(key); + if (saved == null) { + saved = "[]"; + } + return JSON.parse(saved); + } + + function addDBSetItem(db, key, value) { + var savedSet = getDBSet(db, key); + if (savedSet.indexOf(value) === -1) { + savedSet.push(value); + var saved = JSON.stringify(savedSet); + db.put(key, saved); + } + } + + function deleteDBSetItem(db, key, value) { + var savedSet = getDBSet(db, key); + var index = savedSet.indexOf(value); + if (index !== -1) { + savedSet.splice(index, 1); + var saved = JSON.stringify(savedSet); + db.put(key, saved); + } + } + + function hasDBSetItem(db, key, value) { + var savedSet = getDBSet(db, key); + return savedSet.indexOf(value) !== -1; + } } \ No newline at end of file diff --git a/gradle.properties b/gradle.properties index 93e1bc6..610533b 100644 --- a/gradle.properties +++ b/gradle.properties @@ -3,6 +3,6 @@ REPO_PASSWORD=527e259ef952a450d157fdb51ac4915154cea317 REPO_HOST=https://gitea.internetapi.cn/ YPKPackerVersion=0.6.5 DeployToolVersion=0.7.4 -CPVersion=1.9.9 +CPVersion=1.9.95 AuditToolVersion=1.4.0 DOIPVersion=1.5.0 \ No newline at end of file
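Review bot: The four `*DBSet*` helpers at the end of the hunk document neither the storage layout nor the failure mode of `getDBSet`, which `JSON.parse`s whatever `db.get(key)` returns and will throw on a stored value that is not valid JSON; `deleteAuthedNode` in this hunk and the add/delete endpoints in the earlier hunks all route through it. A header comment above `getDBSet` such as `// accessInfo: doId -> JSON-encoded array of authorized public keys; a missing key reads as []` would make the contract explicit for the next maintainer. `deleteDBSetItem` leaves an empty `[]` under the key after the last entry is removed rather than deleting the key; that is harmless for `hasDBSetItem` but is worth stating in the same comment so nobody later reads an empty array as a corrupted record.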