ControlProxy/access-control-template/actemplate/IODAC.yjs

//访问控制规则：
//针对如果是DOIP请求的调用
//仅包括Repo.doipRetrive
//Registry的publish/subscribe不做访问控制
//如果是HTTP请求的调用
//管理员具有所有权限
//一些”写入接口“添加权限检查
module DOAuth {
    function initDOAuth(req, createParam, doipFunctions) {
        Global.owner = req;
        Global.doipFunctions = doipFunctions;
        Global.accessInfo = RocksDBUtil.loadDB("accessControl", "false");
        Global.userInfo = RocksDBUtil.loadDB("authedUserInfo", "false");
        Global.nodeInfo = RocksDBUtil.loadDB("authedNodeInfo", "false");
    }
    function isOwner(req) {
        return req == Global.owner;
    }
    function doipAccessCheck(argPack) {
        print("in doipAcceccCheck, requester:" + argPack.requester);
        return hasDBSetItem(Global.accessInfo, argPack.arg.header.identifier, argPack.requester);
    }
    function checkByManager(action) {
        return Global.doipFunctions.indexOf(action) == - 1;
    }

    @Description("针对某一DO，添加用户的访问权限")
    @ArgSchema({
        "doId" : "string", "publicKey" : "string", "info": "string"
    })
    export function addAuthedUser(arg) {
    //把requester和 arg.doId放到accessInfo里即可。
        addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
        if(arg.info != null) {
            Global.userInfo.put(arg.publicKey, arg.info);
        }
        return {
            "code" : 0
        };
    }

    function acceptJudgementInternal(argPack) {
        if (checkByManager(argPack.action)){
            return isOwner(argPack.requester);
        } else {
            return doipAccessCheck(argPack);
        }
    }
    function acceptJudgement(argPack) {
        if (! acceptJudgementInternal(argPack)){
            print("acceptJudgement, requester:" + argPack.requester + "false!!");
            YancloudUtil.exceptionReturn({
                "code" : 401, "msg" : "no permission: " + argPack.action
            });
        } else print("acceptJudgement, requester:" + argPack.requester + "true!!");
    }

    @Description("针对某一DO，删除用户的访问权限")
    @ArgSchema({
        "doId" : "string", "publicKey" : "string"
    })
    export function deleteAuthedUser(arg) {
        deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
        return {
            "code" : 0
        };
    }

    @Description("针对某一DO，添加节点的访问权限，所有调用进带该节点授权的用户均可访问")
    @ArgSchema({
        "doId" : "string", "publicKey" : "string", "info" : "string"
    })
    export function addAuthedNode(arg) {
        addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
        if(arg.info != null) {
            Global.nodeInfo.put(arg.publicKey, arg.info);
        }
        return {
            "code" : 0
        };
    }


    @Description("针对某一DO，删除节点的访问权限")
    @ArgSchema({
        "doId" : "string", "publicKey" : "string"
    })
    export function deleteAuthedNode(arg) {
        deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
        return {
            "code" : 0
        };
    }

    function getDBSet(db, key) {
        var saved = db.get(key);
        if (saved == null) {
            saved = "[]";
        }
        return JSON.parse(saved);
    }

    function addDBSetItem(db, key, value) {
        var savedSet = getDBSet(db, key);
        if (savedSet.indexOf(value) === -1) {
            savedSet.push(value);
            var saved = JSON.stringify(savedSet);
            db.put(key, saved);
        }
    }

    function deleteDBSetItem(db, key, value) {
        var savedSet = getDBSet(db, key);
        var index = savedSet.indexOf(value);
        if (index !== -1) {
            savedSet.splice(index, 1);
            var saved = JSON.stringify(savedSet);
            db.put(key, saved);
        }
    }

    function hasDBSetItem(db, key, value) {
        var savedSet = getDBSet(db, key);
        return savedSet.indexOf(value) !== -1;
    }
}