提交
c788c5d7
提交
c788c5d7
编写于
5月 26, 2020
作者:
ibizdev
zhouweidong@lab.ibiz5.com 部署微服务接口
上级
4b44cda0
变更
10
正在显示
10 个修改的文件
包含
158 行增加
和
178 行删除
+158
-178
config.xml
config.xml
+5
-0
systemResource.json
ibzou-core/src/main/resources/permission/systemResource.json
+2
-1
Dockerfile
ibzou-provider/ibzou-provider-api/src/main/docker/Dockerfile
+1
-1
ibzou-provider-api.yaml
...bzou-provider-api/src/main/docker/ibzou-provider-api.yaml
+13
-1
IBZUAAFallback.java
.../src/main/java/cn/ibizlab/util/client/IBZUAAFallback.java
+2
-2
IBZUAAFeignClient.java
...c/main/java/cn/ibizlab/util/client/IBZUAAFeignClient.java
+4
-5
PermissionSyncJob.java
.../src/main/java/cn/ibizlab/util/job/PermissionSyncJob.java
+6
-2
AppController.java
...til/src/main/java/cn/ibizlab/util/rest/AppController.java
+22
-13
AuthPermissionEvaluator.java
...ava/cn/ibizlab/util/security/AuthPermissionEvaluator.java
+99
-153
IBZUSERServiceImpl.java
...main/java/cn/ibizlab/util/service/IBZUSERServiceImpl.java
+4
-0
config.xml
...
...
@@ -37,6 +37,11 @@
git clone -b master $para2 ibzou/
export NODE_OPTIONS=--max-old-space-size=4096
cd ibzou/
mvn clean package -Papi
cd ibzou-provider/ibzou-provider-api
mvn -Papi docker:build
mvn -Papi docker:push
docker -H $para1 stack deploy --compose-file=src/main/docker/ibzou-provider-api.yaml ibzlab-rt --with-registry-auth
</command>
</hudson.tasks.Shell>
</builders>
...
...
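Review bot: The new shell step passes the job parameters unquoted (`git clone -b master $para2 ibzou/`, `docker -H $para1 stack deploy ...`), so a value containing whitespace or glob characters is split by the shell before it reaches git or docker; quote them as `"$para2"` and `"$para1"`. Whether a failing `mvn clean package -Papi` stops the step before `docker:push` and `stack deploy` run depends on the shell options Jenkins applies to this builder, which are not visible here; an explicit `set -e` as the first line of the command makes the abort independent of job configuration.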
ibzou-core/src/main/resources/permission/systemResource.json
{
"systemid"
:
"ibzou"
,
"unires"
:[
],
],
"entities"
:[
{
"dename"
:
"IBZDeptMember"
,
...
...
ibzou-provider/ibzou-provider-api/src/main/docker/Dockerfile
...
...
@@ -9,6 +9,6 @@ CMD echo "The application will start in ${IBZ_SLEEP}s..." && \
sleep ${IBZ_SLEEP} && \
java ${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom -jar /ibzou-provider-api.jar
EXPOSE
808
1
EXPOSE
4000
1
ADD
ibzou-provider-api.jar /ibzou-provider-api.jar
ibzou-provider/ibzou-provider-api/src/main/docker/ibzou-provider-api.yaml
...
...
@@ -3,9 +3,21 @@ services:
ibzou-provider-api
:
image
:
registry.cn-shanghai.aliyuncs.com/ibizsys/ibzou-provider-api:latest
ports
:
-
"
8081:808
1"
-
"
40001:4000
1"
networks
:
-
agent_network
environment
:
-
SPRING_CLOUD_NACOS_DISCOVERY_IP=172.16.180.237
-
SERVER_PORT=40001
-
SPRING_CLOUD_NACOS_DISCOVERY_SERVER-ADDR=172.16.102.211:8848
-
SPRING_REDIS_HOST=172.16.100.243
-
SPRING_REDIS_PORT=6379
-
SPRING_REDIS_DATABASE=0
-
SPRING_DATASOURCE_USERNAME=a_A_5d9d78509
-
SPRING_DATASOURCE_PASSWORD=@6dEfb3@
-
SPRING_DATASOURCE_URL=jdbc:mysql://172.16.180.232:3306/a_A_5d9d78509?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8&useOldAliasMetadataBehavior=true
-
SPRING_DATASOURCE_DRIVER-CLASS-NAME=com.mysql.jdbc.Driver
-
SPRING_DATASOURCE_DEFAULTSCHEMA=a_A_5d9d78509
deploy
:
mode
:
replicated
replicas
:
1
...
...
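Review bot: The added `environment` block commits live datasource credentials (`SPRING_DATASOURCE_USERNAME`, `SPRING_DATASOURCE_PASSWORD`) together with internal Nacos, Redis and MySQL addresses to version control, where they remain readable in history even after a later edit. Move the secret values out of the tracked stack file — a Docker Swarm secret or an untracked `env_file` referenced from the service — and treat the committed password as exposed and rotate it. The non-secret settings can stay, but a short comment above the block noting that credentials are supplied out of band would stop the next contributor from adding them back here.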
ibzou-util/src/main/java/cn/ibizlab/util/client/IBZUAAFallback.java
...
...
@@ -9,8 +9,8 @@ import com.alibaba.fastjson.JSONObject;
public
class
IBZUAAFallback
implements
IBZUAAFeignClient
{
@Override
public
boolean
pushSystemPermissionData
(
String
systemid
,
JSONObject
systemPermissionData
)
{
return
false
;
public
Boolean
syncSysAuthority
(
JSONObject
system
)
{
return
null
;
}
@Override
...
...
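Review bot: The new `syncSysAuthority` fallback returns `null` for a `Boolean`, and its caller in PermissionSyncJob evaluates `if(client.syncSysAuthority(system))`, so the moment the circuit breaker routes to this fallback the condition unboxes null and throws a NullPointerException instead of taking the failure branch. Return a definite failure value as the previous fallback did: `return false;`. The same hazard comes from the boxed `Boolean` return declared on this method in IBZUAAFeignClient; declaring it as primitive `boolean` there would make a null result impossible across every implementation.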
ibzou-util/src/main/java/cn/ibizlab/util/client/IBZUAAFeignClient.java
...
...
@@ -10,13 +10,12 @@ import com.alibaba.fastjson.JSONObject;
public
interface
IBZUAAFeignClient
{
/**
* 推送系统权限数据到uaa
* @param systemid
* @param systemPermissionData
* 同步系统资源到uaa
* @param system 系统资源信息
* @return
*/
@PostMapping
(
"/syspssystems/
{systemid}/permissiondata
"
)
boolean
pushSystemPermissionData
(
@PathVariable
(
"systemid"
)
String
systemid
,
@RequestBody
JSONObject
systemPermissionData
);
@PostMapping
(
"/syspssystems/
save
"
)
Boolean
syncSysAuthority
(
@RequestBody
JSONObject
system
);
/**
* 用户登录
...
...
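Review bot: The new Javadoc on `syncSysAuthority` leaves `@return` empty, and what the `/syspssystems/save` endpoint answers is not visible here, so the meaning of the `Boolean` cannot be read from the interface. Fill it in from the UAA contract, e.g. `@return true when UAA accepted and stored the system resource, false otherwise — confirm against the UAA implementation`, and document in the same place how a fallback (no UAA reachable) is reported to the caller.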
ibzou-util/src/main/java/cn/ibizlab/util/job/PermissionSyncJob.java
...
...
@@ -36,10 +36,14 @@ public class PermissionSyncJob implements ApplicationRunner {
Thread
.
sleep
(
10000
);
InputStream
permission
=
this
.
getClass
().
getResourceAsStream
(
"/permission/systemResource.json"
);
//获取当前系统所有实体资源能力
String
permissionResult
=
IOUtils
.
toString
(
permission
,
"UTF-8"
);
if
(
client
.
pushSystemPermissionData
(
systemId
,
JSONObject
.
parseObject
(
permissionResult
))){
JSONObject
system
=
new
JSONObject
();
system
.
put
(
"pssystemid"
,
systemId
);
system
.
put
(
"pssystemname"
,
systemId
);
system
.
put
(
"sysstructure"
,
JSONObject
.
parseObject
(
permissionResult
));
if
(
client
.
syncSysAuthority
(
system
)){
log
.
info
(
"向[UAA]同步系统资源成功"
);
}
else
{
log
.
info
(
String
.
format
(
"向[UAA]同步系统资源失败"
)
);
log
.
error
(
"向[UAA]同步系统资源失败"
);
}
}
catch
(
Exception
ex
)
{
...
...
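Review bot: The `InputStream permission` opened two lines above the new `system` block is never closed, so the resource the new code now reads from leaks on every start; wrap it in try-with-resources, `try (InputStream permission = this.getClass().getResourceAsStream("/permission/systemResource.json")) {`, with the rest of the body unchanged. The new payload sets both `pssystemid` and `pssystemname` to `systemId`; if that is deliberate, a comment such as `// no separate display name is configured; reuse the system id` would keep a reader from treating it as a copy-paste slip. The enclosing try/catch opens above this hunk and its handler body continues below it.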
ibzou-util/src/main/java/cn/ibizlab/util/rest/AppController.java
package
cn
.
ibizlab
.
util
.
rest
;
import
com.alibaba.fastjson.JSONArray
;
import
com.alibaba.fastjson.JSONObject
;
import
cn.ibizlab.util.security.AuthenticationUser
;
import
cn.ibizlab.util.service.AuthenticationUserService
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.beans.factory.annotation.Value
;
import
org.springframework.http.HttpStatus
;
import
org.springframework.http.ResponseEntity
;
import
org.springframework.
util.ObjectUtils
;
import
org.springframework.
security.core.GrantedAuthority
;
import
org.springframework.web.bind.annotation.RequestMapping
;
import
org.springframework.web.bind.annotation.RequestMethod
;
import
org.springframework.web.bind.annotation.RestController
;
import
org.springframework.beans.factory.annotation.Value
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
cn.ibizlab.util.security.AuthenticationUse
r
;
import
cn.ibizlab.util.service.AuthenticationUserService
;
import
java.util.Collection
;
import
java.util.HashSet
;
import
java.util.Iterato
r
;
import
java.util.Set
;
@RestController
@RequestMapping
(
value
=
""
)
...
...
@@ -27,14 +30,20 @@ public class AppController {
public
ResponseEntity
<
JSONObject
>
getAppData
()
{
JSONObject
appData
=
new
JSONObject
()
;
JSONArray
uniRes
=
new
JSONArray
();
JSONArray
appMenu
=
new
JSONArray
();
Set
<
String
>
appMenu
=
new
HashSet
();
Set
<
String
>
uniRes
=
new
HashSet
();
if
(
enablePermissionValid
){
JSONObject
userPermission
=
AuthenticationUser
.
getAuthenticationUser
().
getPermissionList
();
if
(!
ObjectUtils
.
isEmpty
(
userPermission
)){
uniRes
=
userPermission
.
getJSONArray
(
"unires"
);
appMenu
=
userPermission
.
getJSONArray
(
"appmenu"
);
}
Collection
<
GrantedAuthority
>
authorities
=
AuthenticationUser
.
getAuthenticationUser
().
getAuthorities
();
Iterator
it
=
authorities
.
iterator
();
while
(
it
.
hasNext
())
{
GrantedAuthority
authority
=
(
GrantedAuthority
)
it
.
next
();
String
strAuthority
=
authority
.
getAuthority
();
if
(
strAuthority
.
startsWith
(
"UNIRES"
))
uniRes
.
add
(
strAuthority
);
else
if
(
strAuthority
.
startsWith
(
"APPMENU"
))
appMenu
.
add
(
strAuthority
);
}
}
appData
.
put
(
"unires"
,
uniRes
);
appData
.
put
(
"appmenu"
,
appMenu
);
...
...
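Review bot: The new `getAppData` body declares `Set<String> appMenu = new HashSet();` and `Set<String> uniRes = new HashSet();` with raw constructors and then walks the authorities through a raw `Iterator` plus an explicit cast; use the diamond and an enhanced for instead: `Set<String> uniRes = new HashSet<>();`, `Set<String> appMenu = new HashSet<>();`, `for (GrantedAuthority authority : authorities) {`. That also makes the `java.util.Iterator` import, apparently added in the first hunk, unnecessary. The `startsWith("UNIRES")` / `startsWith("APPMENU")` branches are unbraced single statements; bracing them matches the surrounding code. `getAppData` continues below the hunk.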
ibzou-util/src/main/java/cn/ibizlab/util/security/AuthPermissionEvaluator.java
package
cn
.
ibizlab
.
util
.
security
;
import
com.alibaba.fastjson.JSONArray
;
import
com.alibaba.fastjson.JSONObject
;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.service.impl.ServiceImpl
;
import
com.mongodb.QueryBuilder
;
...
...
@@ -18,6 +16,7 @@ import org.springframework.data.mongodb.core.query.BasicQuery;
import
org.springframework.data.mongodb.core.query.Query
;
import
org.springframework.security.access.PermissionEvaluator
;
import
org.springframework.security.core.Authentication
;
import
org.springframework.security.core.GrantedAuthority
;
import
org.springframework.stereotype.Component
;
import
org.springframework.util.ObjectUtils
;
import
org.springframework.util.StringUtils
;
...
...
@@ -35,10 +34,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value
(
"${ibiz.enablePermissionValid:false}"
)
boolean
enablePermissionValid
;
//是否开启权限校验
/**
* 实体行为操作标识
*/
private
String
DEActionType
=
"DEACTION"
;
/**
*实体主键标识
*/
...
...
@@ -67,9 +62,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
List
<
String
>
ids
=
null
;
EntityBase
entity
;
List
<
EntityBase
>
entityList
=
null
;
JSONObject
userPermission
=
AuthenticationUser
.
getAuthenticationUser
().
getPermissionList
();
if
(
userPermission
==
null
)
return
false
;
MappingBase
mappingBase
=
(
MappingBase
)
paramList
.
get
(
1
);
//参数准备
if
(
action
.
equalsIgnoreCase
(
"remove"
)){
...
...
@@ -86,26 +78,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if
(
entity
==
null
)
return
false
;
JSONObject
permissionList
=
userPermission
.
getJSONObject
(
"entities"
);
String
entityName
=
entity
.
getClass
().
getSimpleName
();
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
entity
.
getClass
().
getSimpleName
(),
action
);
if
(
entityDataRange
.
size
()==
0
)
return
false
;
//拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
entityName
,
action
,
permissionList
)){
if
(
isAllData
(
action
,
entityDataRange
)){
return
true
;
}
//检查是否有操作权限[create.update.delete.read]
if
(!
validDEActionHasPermission
(
entityName
,
action
,
permissionList
)){
return
false
;
}
JSONArray
dataRangeList
=
getDataRange
(
entityName
,
action
,
permissionList
);
if
(
dataRangeList
.
size
()==
0
)
return
false
;
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createBatchActionPermissionValid
(
entityList
,
dataRangeList
);
return
createBatchActionPermissionValid
(
entityList
,
entityDataRange
);
}
else
if
(
action
.
equalsIgnoreCase
(
"save"
)){
return
saveBatchActionPermissionValid
(
deStorageMode
,
entityList
,
dataRangeList
);
return
saveBatchActionPermissionValid
(
deStorageMode
,
entityList
,
entityDataRange
);
}
else
{
if
(!
action
.
equalsIgnoreCase
(
"remove"
)){
...
...
@@ -113,7 +98,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
if
(
ids
.
size
()==
0
)
return
false
;
return
otherBatchActionPermissionValidRouter
(
deStorageMode
,
entity
,
ids
,
dataRangeList
);
return
otherBatchActionPermissionValidRouter
(
deStorageMode
,
entity
,
ids
,
entityDataRange
);
}
}
...
...
@@ -142,23 +127,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if
(
StringUtils
.
isEmpty
(
entity
))
return
false
;
JSONObject
userPermission
=
AuthenticationUser
.
getAuthenticationUser
().
getPermissionList
();
if
(
userPermission
==
null
)
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
entity
.
getClass
().
getSimpleName
(),
action
);
if
(
entityDataRange
.
size
()==
0
)
return
false
;
JSONObject
permissionList
=
userPermission
.
getJSONObject
(
"entities"
);
String
entityName
=
entity
.
getClass
().
getSimpleName
();
//拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
entityName
,
action
,
permissionList
)){
if
(
isAllData
(
action
,
entityDataRange
)){
return
true
;
}
//检查是否有操作权限[create.update.delete.read]
if
(!
validDEActionHasPermission
(
entityName
,
action
,
permissionList
)){
return
false
;
}
JSONArray
dataRangeList
=
getDataRange
(
entityName
,
action
,
permissionList
);
if
(
dataRangeList
.
size
()==
0
)
return
false
;
if
(
action
.
equalsIgnoreCase
(
"save"
)){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
...
...
@@ -170,21 +147,41 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
action
=
"update"
;
}
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createActionPermissionValid
(
entity
,
dataRangeList
);
return
createActionPermissionValid
(
entity
,
entityDataRange
);
}
else
{
return
otherActionPermissionValidRouter
(
deStorageMode
,
entity
,
id
,
dataRangeList
);
return
otherActionPermissionValidRouter
(
deStorageMode
,
entity
,
id
,
entityDataRange
);
}
}
/**
* 获取用户权限资源
* @param authentication
* @param entityName
* @param action
* @return
*/
private
Set
<
String
>
getAuthorities
(
Authentication
authentication
,
String
entityName
,
String
action
){
Collection
authorities
=
authentication
.
getAuthorities
();
Set
<
String
>
entityDataRange
=
new
HashSet
();
Iterator
var2
=
authorities
.
iterator
();
while
(
var2
.
hasNext
())
{
GrantedAuthority
authority
=
(
GrantedAuthority
)
var2
.
next
();
if
(
authority
.
getAuthority
().
contains
(
String
.
format
(
"%s-%s-"
,
entityName
,
action
)))
entityDataRange
.
add
(
authority
.
getAuthority
());
}
return
entityDataRange
;
}
/**
* 批save校验
* @param deStorageMode
* @param entityList
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
saveBatchActionPermissionValid
(
String
deStorageMode
,
List
<
EntityBase
>
entityList
,
JSONArray
dataRangeList
)
{
private
boolean
saveBatchActionPermissionValid
(
String
deStorageMode
,
List
<
EntityBase
>
entityList
,
Set
<
String
>
entityDataRange
)
{
if
(
entityList
==
null
||
entityList
.
size
()==
0
)
return
false
;
...
...
@@ -202,12 +199,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
updateList
.
add
(
String
.
valueOf
(
id
));
}
if
(
updateList
.
size
()>
0
){
boolean
isUpdate
=
otherBatchActionPermissionValidRouter
(
deStorageMode
,
tempEntity
,
updateList
,
dataRangeList
);
boolean
isUpdate
=
otherBatchActionPermissionValidRouter
(
deStorageMode
,
tempEntity
,
updateList
,
entityDataRange
);
if
(!
isUpdate
)
return
false
;
}
if
(
createList
.
size
()>
0
){
boolean
isCreate
=
createBatchActionPermissionValid
(
entityList
,
dataRangeList
);
boolean
isCreate
=
createBatchActionPermissionValid
(
entityList
,
entityDataRange
);
if
(!
isCreate
)
return
false
;
}
...
...
@@ -217,12 +214,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 批处理新建权限校验
* @param entityList
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
createBatchActionPermissionValid
(
List
<
EntityBase
>
entityList
,
JSONArray
dataRangeList
){
private
boolean
createBatchActionPermissionValid
(
List
<
EntityBase
>
entityList
,
Set
<
String
>
entityDataRange
){
for
(
EntityBase
entity
:
entityList
){
boolean
isCreate
=
createActionPermissionValid
(
entity
,
dataRangeList
);
boolean
isCreate
=
createActionPermissionValid
(
entity
,
entityDataRange
);
if
(!
isCreate
){
return
false
;
}
...
...
@@ -235,16 +232,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode
* @param entity
* @param ids
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
otherBatchActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
List
<
String
>
ids
,
JSONArray
dataRangeList
){
private
boolean
otherBatchActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlBatchPermissionValid
(
entity
,
ids
,
dataRangeList
);
return
sqlBatchPermissionValid
(
entity
,
ids
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){
return
noSqlBatchPermissionValid
(
entity
,
ids
,
dataRangeList
);
return
noSqlBatchPermissionValid
(
entity
,
ids
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){
return
true
;
...
...
@@ -258,16 +255,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* SQL批处理权限校验
* @param entity
* @param ids
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
sqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
JSONArray
dataRangeList
){
private
boolean
sqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
ServiceImpl
service
=
SpringContextHolder
.
getBean
(
String
.
format
(
"%s%s"
,
entity
.
getClass
().
getSimpleName
(),
"ServiceImpl"
));
//获取实体service对象
//通过权限表达式来获取sql
String
permissionSQL
=
String
.
format
(
" (%s) AND ( %s in (%s) ) "
,
getPermissionSQL
(
entity
,
dataRangeList
),
keyFieldName
,
getEntityKeyCond
(
ids
));
//拼接权限条件-编辑
String
permissionSQL
=
String
.
format
(
" (%s) AND ( %s in (%s) ) "
,
getPermissionSQL
(
entity
,
entityDataRange
),
keyFieldName
,
getEntityKeyCond
(
ids
));
//拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper
permissionWrapper
=
getPermissionWrapper
(
permissionSQL
);
//构造权限条件
List
list
=
service
.
list
(
permissionWrapper
);
...
...
@@ -282,15 +279,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL批处理权限校验
* @param entity
* @param ids
* @param
d
ataRange
* @param
entityD
ataRange
* @return
*/
private
boolean
noSqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
JSONArray
d
ataRange
)
{
private
boolean
noSqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityD
ataRange
)
{
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
//根据权限表达式填充权限条件
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
d
ataRange
);
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
entityD
ataRange
);
//权限条件拼接主键
permissionCond
.
and
(
keyFieldName
).
in
(
ids
);
//执行权限检查
...
...
@@ -306,59 +303,26 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 是否为全部数据
* @param permissionList
* @param entityName
* @param action
* @return
*/
private
boolean
isAllData
(
String
entityName
,
String
action
,
JSONObject
permissionList
)
{
if
(
permissionList
==
null
)
return
false
;
if
(!
permissionList
.
containsKey
(
entityName
))
return
false
;
JSONObject
entity
=
permissionList
.
getJSONObject
(
entityName
);
if
(!
entity
.
containsKey
(
DEActionType
))
return
false
;
JSONObject
dataRange
=
entity
.
getJSONObject
(
DEActionType
);
//获取实体行为对应的数据范围
if
(
dataRange
.
containsKey
(
action
)
&&
dataRange
.
getJSONArray
(
action
).
contains
(
"all"
))
return
true
;
return
false
;
}
/**
* 实体行为权限校验
* @param userPermission
* @param entityName
* @param action
*
userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}
*
@param entityDataRange
* @return
*/
private
boolean
validDEActionHasPermission
(
String
entityName
,
String
action
,
JSONObject
userPermission
){
boolean
hasPermission
=
false
;
if
(
userPermission
==
null
)
return
false
;
if
(!
userPermission
.
containsKey
(
entityName
))
return
false
;
JSONObject
entity
=
userPermission
.
getJSONObject
(
entityName
);
//获取实体
if
(!
entity
.
containsKey
(
DEActionType
))
return
false
;
JSONObject
dataRange
=
entity
.
getJSONObject
(
DEActionType
);
//获取实体行为对应的数据范围
if
(
dataRange
.
containsKey
(
action
)){
hasPermission
=
true
;
private
boolean
isAllData
(
String
action
,
Set
<
String
>
entityDataRange
)
{
for
(
String
dataRange
:
entityDataRange
){
if
(
dataRange
.
endsWith
(
String
.
format
(
"%s-all"
,
action
))){
return
true
;
}
}
return
hasPermission
;
return
false
;
}
/**
* 新建行为校验
* @param entity
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
createActionPermissionValid
(
EntityBase
entity
,
JSONArray
dataRangeList
){
private
boolean
createActionPermissionValid
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
boolean
isCreate
=
true
;
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
...
...
@@ -379,24 +343,23 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set
<
String
>
userOrg
=
new
HashSet
<>();
Set
<
String
>
userOrgDept
=
new
HashSet
<>();
for
(
int
a
=
0
;
a
<
dataRangeList
.
size
();
a
++){
String
permissionCond
=
dataRangeList
.
getString
(
a
);
//权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//本单位
for
(
String
permissionCond:
entityDataRange
){
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//本单位
userOrg
.
add
(
authenticationUser
.
getOrgid
());
}
else
if
(
permissionCond
.
e
quals
(
"porg"
)){
//上级单位
else
if
(
permissionCond
.
e
ndsWith
(
"porg"
)){
//上级单位
userOrg
.
addAll
(
orgParent
);
}
else
if
(
permissionCond
.
e
quals
(
"sorg"
)){
//下级单位
else
if
(
permissionCond
.
e
ndsWith
(
"sorg"
)){
//下级单位
userOrg
.
addAll
(
orgChild
);
}
else
if
(
permissionCond
.
e
quals
(
"curorgdept"
)){
//本部门
else
if
(
permissionCond
.
e
ndsWith
(
"curorgdept"
)){
//本部门
userOrgDept
.
add
(
authenticationUser
.
getMdeptid
());
}
else
if
(
permissionCond
.
e
quals
(
"porgdept"
)){
//上级部门
else
if
(
permissionCond
.
e
ndsWith
(
"porgdept"
)){
//上级部门
userOrgDept
.
addAll
(
orgDeptParent
);
}
else
if
(
permissionCond
.
e
quals
(
"sorgdept"
)){
//下级部门
else
if
(
permissionCond
.
e
ndsWith
(
"sorgdept"
)){
//下级部门
userOrgDept
.
addAll
(
orgDeptChild
);
}
}
...
...
@@ -419,16 +382,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode
* @param entity
* @param id
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
otherActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
Object
id
,
JSONArray
dataRangeList
){
private
boolean
otherActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlPermissionValid
(
entity
,
id
,
dataRangeList
);
return
sqlPermissionValid
(
entity
,
id
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){
return
noSqlPermissionValid
(
entity
,
id
,
dataRangeList
);
return
noSqlPermissionValid
(
entity
,
id
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){
return
true
;
...
...
@@ -442,15 +405,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* sql存储模式实体行为鉴权
* @param entity
* @param id
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
sqlPermissionValid
(
EntityBase
entity
,
Object
id
,
JSONArray
dataRangeList
){
private
boolean
sqlPermissionValid
(
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
){
ServiceImpl
service
=
SpringContextHolder
.
getBean
(
String
.
format
(
"%s%s"
,
entity
.
getClass
().
getSimpleName
(),
"ServiceImpl"
));
//获取实体service对象
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
//通过权限表达式来获取sql
String
permissionSQL
=
String
.
format
(
" (%s) AND (%s='%s')"
,
getPermissionSQL
(
entity
,
dataRangeList
),
permissionField
.
get
(
keyFieldTag
),
id
);
//拼接权限条件-编辑
String
permissionSQL
=
String
.
format
(
" (%s) AND (%s='%s')"
,
getPermissionSQL
(
entity
,
entityDataRange
),
permissionField
.
get
(
keyFieldTag
),
id
);
//拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper
permissionWrapper
=
getPermissionWrapper
(
permissionSQL
);
//构造权限条件
List
list
=
service
.
list
(
permissionWrapper
);
...
...
@@ -466,15 +429,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL实体行为鉴权
* @param entity
* @param id
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
noSqlPermissionValid
(
EntityBase
entity
,
Object
id
,
JSONArray
dataRangeList
)
{
private
boolean
noSqlPermissionValid
(
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
)
{
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
keyField
=
permissionField
.
get
(
keyFieldTag
);
//根据权限表达式填充权限条件
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
dataRangeList
);
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
entityDataRange
);
//权限条件拼接主键
permissionCond
.
and
(
keyField
).
is
(
id
);
//执行权限检查
...
...
@@ -492,10 +455,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 为NoSQL存储模式的表格查询填充权限条件
* @param entity
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
QueryBuilder
getNoSqlPermissionCond
(
EntityBase
entity
,
JSONArray
dataRangeList
){
private
QueryBuilder
getNoSqlPermissionCond
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
QueryBuilder
permissionSQL
=
new
QueryBuilder
();
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
...
...
@@ -509,30 +472,29 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
for
(
int
i
=
0
;
i
<
dataRangeList
.
size
();
i
++){
String
permissionCond
=
dataRangeList
.
getString
(
i
);
//权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//本单位
for
(
String
permissionCond:
entityDataRange
){
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//本单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getOrgid
()).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"porg"
)){
//上级单位
else
if
(
permissionCond
.
e
ndsWith
(
"porg"
)){
//上级单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
in
(
formatStringArr
(
orgParent
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"sorg"
)){
//下级单位
else
if
(
permissionCond
.
e
ndsWith
(
"sorg"
)){
//下级单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
in
(
formatStringArr
(
orgChild
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"createman"
)){
//建立人
else
if
(
permissionCond
.
e
ndsWith
(
"createman"
)){
//建立人
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
createManField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getUserid
()).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"curorgdept"
)){
//本部门
else
if
(
permissionCond
.
e
ndsWith
(
"curorgdept"
)){
//本部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getMdeptid
()).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"porgdept"
)){
//上级部门
else
if
(
permissionCond
.
e
ndsWith
(
"porgdept"
)){
//上级部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
in
(
formatStringArr
(
orgDeptParent
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"sorgdept"
)){
//下级部门
else
if
(
permissionCond
.
e
ndsWith
(
"sorgdept"
)){
//下级部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
in
(
formatStringArr
(
orgDeptChild
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"all"
)){
else
if
(
permissionCond
.
e
ndsWith
(
"all"
)){
permissionSQL
.
or
(
new
QueryBuilder
().
get
());
}
}
...
...
@@ -543,10 +505,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* SQL获取权限条件
* @param entity
* @param
oppriList
* @param
entityDataRange
* @return
*/
private
String
getPermissionSQL
(
EntityBase
entity
,
JSONArray
oppriList
){
private
String
getPermissionSQL
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
nPermissionSQL
=
"1<>1"
;
...
...
@@ -561,31 +523,30 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
for
(
int
i
=
0
;
i
<
oppriList
.
size
();
i
++
){
for
(
String
permissionCond:
entityDataRange
){
permissionSQL
.
append
(
"OR"
);
String
permissionCond
=
oppriList
.
getString
(
i
);
//权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//本单位
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//本单位
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
orgField
,
AuthenticationUser
.
getAuthenticationUser
().
getOrgid
()));
}
else
if
(
permissionCond
.
e
quals
(
"porg"
)){
//上级单位
else
if
(
permissionCond
.
e
ndsWith
(
"porg"
)){
//上级单位
permissionSQL
.
append
(
String
.
format
(
" %s in(%s) "
,
orgField
,
formatStringArr
(
orgParent
)));
}
else
if
(
permissionCond
.
e
quals
(
"sorg"
)){
//下级单位
else
if
(
permissionCond
.
e
ndsWith
(
"sorg"
)){
//下级单位
permissionSQL
.
append
(
String
.
format
(
" %s in(%s) "
,
orgField
,
formatStringArr
(
orgChild
)));
}
else
if
(
permissionCond
.
e
quals
(
"createman"
)){
//建立人
else
if
(
permissionCond
.
e
ndsWith
(
"createman"
)){
//建立人
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
createManField
,
AuthenticationUser
.
getAuthenticationUser
().
getUserid
()));
}
else
if
(
permissionCond
.
e
quals
(
"curorgdept"
)){
//本部门
else
if
(
permissionCond
.
e
ndsWith
(
"curorgdept"
)){
//本部门
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
orgDeptField
,
AuthenticationUser
.
getAuthenticationUser
().
getMdeptid
()));
}
else
if
(
permissionCond
.
e
quals
(
"porgdept"
)){
//上级部门
else
if
(
permissionCond
.
e
ndsWith
(
"porgdept"
)){
//上级部门
permissionSQL
.
append
(
String
.
format
(
" %s in (%s) "
,
orgDeptField
,
formatStringArr
(
orgDeptParent
)));
}
else
if
(
permissionCond
.
e
quals
(
"sorgdept"
)){
//下级部门
else
if
(
permissionCond
.
e
ndsWith
(
"sorgdept"
)){
//下级部门
permissionSQL
.
append
(
String
.
format
(
" %s in (%s) "
,
orgDeptField
,
formatStringArr
(
orgDeptChild
)));
}
else
if
(
permissionCond
.
e
quals
(
"all"
)){
//全部数据
else
if
(
permissionCond
.
e
ndsWith
(
"all"
)){
//全部数据
permissionSQL
.
append
(
"(1=1)"
);
}
else
{
...
...
@@ -701,21 +662,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return
"'"
+
String
.
join
(
"','"
,
arr
)
+
"'"
;
}
/**
* 获取数据范围
* @param entityName
* @param action
* @param permissionList
* @return
*/
private
JSONArray
getDataRange
(
String
entityName
,
String
action
,
JSONObject
permissionList
){
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject
entityObj
=
permissionList
.
getJSONObject
(
entityName
);
//获取实体
JSONObject
permissionType
=
entityObj
.
getJSONObject
(
DEActionType
);
JSONArray
dataRangeList
=
permissionType
.
getJSONArray
(
action
);
//行为:read;insert...
return
dataRangeList
;
}
/**
* 获取实体主键集合
* @param entityBase
...
...
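Review bot: In `sqlPermissionValid` the rewritten `permissionSQL` line still interpolates the request-supplied `id` straight into the predicate (`" (%s) AND (%s='%s')"`), and `sqlBatchPermissionValid` does the same with `getEntityKeyCond(ids)`, so the permission check itself is exposed to SQL injection if `getPermissionWrapper` (outside the hunk) applies the string as raw SQL. Since the commit already touches these lines, bind the key through the wrapper's parameterized methods: `QueryWrapper permissionWrapper = getPermissionWrapper(String.format("(%s)", getPermissionSQL(entity, entityDataRange)));` followed by `permissionWrapper.eq(permissionField.get(keyFieldTag), id);` (and `.in(keyFieldName, ids)` in the batch variant). Separately, the new `getAuthorities` selects authorities with `contains(String.format("%s-%s-", entityName, action))`, which also matches any entity whose simple name ends with `entityName` and would hand one entity's data range to another; anchor the match to the authority's start, or split on `-` and compare segments exactly, and apply the same exact-segment comparison where the range loops use `endsWith("curorg")` and friends. The new `entityDataRange.size()==0` guards read better as `entityDataRange.isEmpty()`.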
ibzou-util/src/main/java/cn/ibizlab/util/service/IBZUSERServiceImpl.java
浏览文件 @
c788c5d7
...
...
@@ -14,6 +14,7 @@ import cn.ibizlab.util.domain.IBZUSER;
import
org.springframework.util.DigestUtils
;
import
org.springframework.util.StringUtils
;
import
org.springframework.boot.autoconfigure.condition.ConditionalOnExpression
;
import
org.springframework.security.core.authority.AuthorityUtils
;
/**
* 实体[IBZUSER] 服务对象接口实现
...
...
@@ -72,6 +73,9 @@ public class IBZUSERServiceImpl extends ServiceImpl<IBZUSERMapper, IBZUSER> impl
public
AuthenticationUser
createUserDetails
(
IBZUSER
user
)
{
AuthenticationUser
userdatail
=
new
AuthenticationUser
();
CachedBeanCopier
.
copy
(
user
,
userdatail
);
if
(
userdatail
.
getSuperuser
()==
1
){
userdatail
.
setAuthorities
(
AuthorityUtils
.
createAuthorityList
(
"ROLE_SUPERADMIN"
));
}
return
userdatail
;
}
}
\ No newline at end of file
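Review bot: The new `userdatail.getSuperuser()==1` test throws a NullPointerException on unboxing if `getSuperuser()` returns a boxed `Integer` and the column is null for a user; its declared type is not visible here, so if it is boxed compare as `Integer.valueOf(1).equals(userdatail.getSuperuser())`. `setAuthorities(AuthorityUtils.createAuthorityList("ROLE_SUPERADMIN"))` also replaces rather than extends any authorities already present on the copied object, which is only correct if nothing populates them before this point; a comment such as `// superuser flag: replace any copied authorities with the single ROLE_SUPERADMIN grant` would record that intent next to the check.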