forked from iod/ControlProxy
146 lines
4.4 KiB
Plaintext
146 lines
4.4 KiB
Plaintext
//访问控制规则:
|
||
//针对如果是DOIP请求的调用
|
||
//仅包括Repo.doipRetrive
|
||
//Registry的publish/subscribe不做访问控制
|
||
//如果是HTTP请求的调用
|
||
//管理员具有所有权限
|
||
//一些”写入接口“添加权限检查
|
||
module DOAuth {
|
||
function initDOAuth(req, createParam, doipFunctions) {
|
||
Global.owner = req;
|
||
Global.doipFunctions = doipFunctions;
|
||
Global.accessInfo = RocksDBUtil.loadDB("accessControl", "false");
|
||
Global.userInfo = RocksDBUtil.loadDB("authedUserInfo", "false");
|
||
Global.nodeInfo = RocksDBUtil.loadDB("authedNodeInfo", "false");
|
||
}
|
||
function isOwner(req) {
|
||
return req == Global.owner;
|
||
}
|
||
function doipAccessCheck(argPack) {
|
||
print("in doipAcceccCheck, requester:" + argPack.requester);
|
||
return hasDBSetItem(Global.accessInfo, argPack.arg.header.identifier, argPack.requester);
|
||
}
|
||
function checkByManager(action) {
|
||
return Global.doipFunctions.indexOf(action) == - 1;
|
||
}
|
||
|
||
@Description("针对某一DO,添加用户的访问权限")
|
||
@ArgSchema({
|
||
"doId" : "string", "publicKey" : "string", "info": "string"
|
||
})
|
||
@Access({
|
||
"ACFunction":"acceptOwner"
|
||
})
|
||
export function addAuthedUser(arg) {
|
||
//把requester和 arg.doId放到accessInfo里即可。
|
||
addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
|
||
if(arg.info != null) {
|
||
Global.userInfo.put(arg.publicKey, arg.info);
|
||
}
|
||
return {
|
||
"code" : 0
|
||
};
|
||
}
|
||
|
||
function acceptJudgementInternal(argPack) {
|
||
if (checkByManager(argPack.action)){
|
||
return isOwner(argPack.requester);
|
||
} else {
|
||
return doipAccessCheck(argPack);
|
||
}
|
||
}
|
||
function acceptJudgement(argPack) {
|
||
if (! acceptJudgementInternal(argPack)){
|
||
print("acceptJudgement, requester:" + argPack.requester + "false!!");
|
||
YancloudUtil.exceptionReturn({
|
||
"code" : 401, "msg" : "no permission: " + argPack.action
|
||
});
|
||
} else print("acceptJudgement, requester:" + argPack.requester + "true!!");
|
||
}
|
||
|
||
function acceptOwner(argPack) {
|
||
if (argPack.requester !== Global.owner) {
|
||
YancloudUtil.exceptionReturn({
|
||
"code" : 401, "msg" : "no permission: " + argPack.action
|
||
});
|
||
}
|
||
}
|
||
|
||
@Description("针对某一DO,删除用户的访问权限")
|
||
@ArgSchema({
|
||
"doId" : "string", "publicKey" : "string"
|
||
})
|
||
@Access({
|
||
"ACFunction":"acceptOwner"
|
||
})
|
||
export function deleteAuthedUser(arg) {
|
||
deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
|
||
return {
|
||
"code" : 0
|
||
};
|
||
}
|
||
|
||
@Description("针对某一DO,添加节点的访问权限,所有调用进带该节点授权的用户均可访问")
|
||
@ArgSchema({
|
||
"doId" : "string", "publicKey" : "string", "info" : "string"
|
||
})
|
||
@Access({
|
||
"ACFunction":"acceptOwner"
|
||
})
|
||
export function addAuthedNode(arg) {
|
||
addDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
|
||
if(arg.info != null) {
|
||
Global.nodeInfo.put(arg.publicKey, arg.info);
|
||
}
|
||
return {
|
||
"code" : 0
|
||
};
|
||
}
|
||
|
||
|
||
@Description("针对某一DO,删除节点的访问权限")
|
||
@ArgSchema({
|
||
"doId" : "string", "publicKey" : "string"
|
||
})
|
||
@Access({
|
||
"ACFunction":"acceptOwner"
|
||
})
|
||
export function deleteAuthedNode(arg) {
|
||
deleteDBSetItem(Global.accessInfo, arg.doId, arg.publicKey);
|
||
return {
|
||
"code" : 0
|
||
};
|
||
}
|
||
|
||
function getDBSet(db, key) {
|
||
var saved = db.get(key);
|
||
if (saved == null) {
|
||
saved = "[]";
|
||
}
|
||
return JSON.parse(saved);
|
||
}
|
||
|
||
function addDBSetItem(db, key, value) {
|
||
var savedSet = getDBSet(db, key);
|
||
if (savedSet.indexOf(value) === -1) {
|
||
savedSet.push(value);
|
||
var saved = JSON.stringify(savedSet);
|
||
db.put(key, saved);
|
||
}
|
||
}
|
||
|
||
function deleteDBSetItem(db, key, value) {
|
||
var savedSet = getDBSet(db, key);
|
||
var index = savedSet.indexOf(value);
|
||
if (index !== -1) {
|
||
savedSet.splice(index, 1);
|
||
var saved = JSON.stringify(savedSet);
|
||
db.put(key, saved);
|
||
}
|
||
}
|
||
|
||
function hasDBSetItem(db, key, value) {
|
||
var savedSet = getDBSet(db, key);
|
||
return savedSet.indexOf(value) !== -1;
|
||
}
|
||
} |