songchunqiao/ControlProxy
1
0
Fork 0
forked from iod/ControlProxy
Code Pull Requests Activity

Merge remote-tracking branch 'origin/master'

Browse Source
This commit is contained in:
zhaozihao 2023-12-04 12:12:22 +08:00
commit 9d90d4b17f
3 changed files with 123 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
README.md
View File

@ -1,2 +1,19 @@
# 初始化配置说明 # 初始化配置说明
1. clone之后使用`git submodule update --init `初始化子仓库。 1. clone之后使用`git submodule update --init `初始化子仓库。
# 测试环境搭建说明
测试环境中有一个bdtest/Repositorytcp://127.0.0.1:21035),和一个标识解析系统(tcp://127.0.0.1:21041)
## Repo测试
进行Repo测试时需要先在`http://127.0.0.1:21030/DOIP/GlobalRouter/assets/#/Suffix/suffixManage`中登录,
key填` { "publicKey": "04180354fdb6507f8ab98ccfbe165ce11da74ba733f81af86ad6d32216b32cf4f797c559d50ceeefbf4c760c3483840471c67471b90acdffb388cd7d496d9a1610",
"privateKey": "1d4196947f59532db6f8f4055e58474a48db8f30b476ae3edc66406464521b3b"}`由于该repo需要支持从本地的客户端发起调用
因此Address建议填`tcp://127.0.0.1:port`。注意IP与Registry填写的IP的不同。
添加一个`Repository2`其中address填写的port范围建议在18034-18039之内。
## Registry测试
进行Registry测试时需要先在`http://127.0.0.1:21030/DOIP/GlobalRouter/assets/#/Suffix/suffixManage` 之中
创建一个`Registry2`的标识。
key填` { "publicKey": "04180354fdb6507f8ab98ccfbe165ce11da74ba733f81af86ad6d32216b32cf4f797c559d50ceeefbf4c760c3483840471c67471b90acdffb388cd7d496d9a1610",
"privateKey": "1d4196947f59532db6f8f4055e58474a48db8f30b476ae3edc66406464521b3b"}`
由于Registry2需要支持从docker的repo去调用DOIP.publish因此address填写`tcp://host.docker.internal:port`port的范围
建议18034-18039之内。

107
access-control-template/actemplate/IODAC.yjs
View File

@ -1,19 +1,80 @@
//访问控制规则:
//针对如果是DOIP请求的调用
//仅包括Repo.doipRetrive
//Registry的publish/subscribe不做访问控制
//如果是HTTP请求的调用
//管理员具有所有权限
//一些”写入接口“添加权限检查
module DOAuth { module DOAuth {
function initDOAuth(req, createParam, doipFunctions) {
Global.owner = req;
Global.doipFunctions = doipFunctions;
Global.accessInfo = RocksDBUtil.loadDB("accessControl", "false");
Global.userInfo = RocksDBUtil.loadDB("authedUserInfo", "false");
Global.nodeInfo = RocksDBUtil.loadDB("authedNodeInfo", "false");
}
function isOwner(req) {
return req == Global.owner;
}
function doipAccessCheck(argPack) {
print("in doipAcceccCheck, requester:" + argPack.requester);
return hasDBSetItem(Global.accessInfo, argPack.arg.header.identifier, argPack.requester);
}
function checkByManager(action) {
return Global.doipFunctions.indexOf(action) == - 1;
}
@Description("针对某一DO添加用户的访问权限") @Description("针对某一DO添加用户的访问权限")
@ArgSchema({ @ArgSchema({
"doId" : "string", "publicKey" : "string" "doId" : "string", "publicKey" : "string", "info": "string"
})
@Access({
"ACFunction":"acceptOwner"
}) })
export function addAuthedUser(arg) { export function addAuthedUser(arg) {
//把requester和 arg.doId放到accessInfo里即可。
addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
if(arg.info != null) {
Global.userInfo.put(arg.publicKey, arg.info);
}
return { return {
"code" : 0 "code" : 0
}; };
} }
function acceptJudgementInternal(argPack) {
if (checkByManager(argPack.action)){
return isOwner(argPack.requester);
} else {
return doipAccessCheck(argPack);
}
}
function acceptJudgement(argPack) {
if (! acceptJudgementInternal(argPack)){
print("acceptJudgement, requester:" + argPack.requester + "false!!");
YancloudUtil.exceptionReturn({
"code" : 401, "msg" : "no permission: " + argPack.action
});
} else print("acceptJudgement, requester:" + argPack.requester + "true!!");
}
function acceptOwner(argPack) {
if (argPack.requester !== Global.owner) {
YancloudUtil.exceptionReturn({
"code" : 401, "msg" : "no permission: " + argPack.action
});
}
}
@Description("针对某一DO删除用户的访问权限") @Description("针对某一DO删除用户的访问权限")
@ArgSchema({ @ArgSchema({
"doId" : "string", "publicKey" : "string" "doId" : "string", "publicKey" : "string"
}) })
@Access({
"ACFunction":"acceptOwner"
})
export function deleteAuthedUser(arg) { export function deleteAuthedUser(arg) {
deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
return { return {
"code" : 0 "code" : 0
}; };
@ -21,9 +82,16 @@ module DOAuth {
@Description("针对某一DO添加节点的访问权限所有调用进带该节点授权的用户均可访问") @Description("针对某一DO添加节点的访问权限所有调用进带该节点授权的用户均可访问")
@ArgSchema({ @ArgSchema({
"doId" : "string", "publicKey" : "string" "doId" : "string", "publicKey" : "string", "info" : "string"
})
@Access({
"ACFunction":"acceptOwner"
}) })
export function addAuthedNode(arg) { export function addAuthedNode(arg) {
addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
if(arg.info != null) {
Global.nodeInfo.put(arg.publicKey, arg.info);
}
return { return {
"code" : 0 "code" : 0
}; };
@ -34,10 +102,45 @@ module DOAuth {
@ArgSchema({ @ArgSchema({
"doId" : "string", "publicKey" : "string" "doId" : "string", "publicKey" : "string"
}) })
@Access({
"ACFunction":"acceptOwner"
})
export function deleteAuthedNode(arg) { export function deleteAuthedNode(arg) {
deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
return { return {
"code" : 0 "code" : 0
}; };
} }
function getDBSet(db, key) {
var saved = db.get(key);
if (saved == null) {
saved = "[]";
}
return JSON.parse(saved);
}
function addDBSetItem(db, key, value) {
var savedSet = getDBSet(db, key);
if (savedSet.indexOf(value) === -1) {
savedSet.push(value);
var saved = JSON.stringify(savedSet);
db.put(key, saved);
}
}
function deleteDBSetItem(db, key, value) {
var savedSet = getDBSet(db, key);
var index = savedSet.indexOf(value);
if (index !== -1) {
savedSet.splice(index, 1);
var saved = JSON.stringify(savedSet);
db.put(key, saved);
}
}
function hasDBSetItem(db, key, value) {
var savedSet = getDBSet(db, key);
return savedSet.indexOf(value) !== -1;
}
} }

2
gradle.properties
View File

@ -3,6 +3,6 @@ REPO_PASSWORD=527e259ef952a450d157fdb51ac4915154cea317
REPO_HOST=https://gitea.internetapi.cn/ REPO_HOST=https://gitea.internetapi.cn/
YPKPackerVersion=0.6.5 YPKPackerVersion=0.6.5
DeployToolVersion=0.7.4 DeployToolVersion=0.7.4
CPVersion=1.9.9 CPVersion=1.9.95
AuditToolVersion=1.4.0 AuditToolVersion=1.4.0
DOIPVersion=1.5.0 DOIPVersion=1.5.0