提交 65de4483 编写于 作者: ibizdev

zhouweidong@lab.ibiz5.com 发布系统代码

上级 a918086d
...@@ -25,7 +25,7 @@ ...@@ -25,7 +25,7 @@
"file-saver": "^2.0.2", "file-saver": "^2.0.2",
"font-awesome": "^4.7.0", "font-awesome": "^4.7.0",
"ibiz-gantt-elastic": "^1.0.12", "ibiz-gantt-elastic": "^1.0.12",
"ibiz-vue-lib": "^0.1.6", "ibiz-vue-lib": "^0.1.7",
"interactjs": "^1.9.4", "interactjs": "^1.9.4",
"moment": "^2.24.0", "moment": "^2.24.0",
"path-to-regexp": "^6.1.0", "path-to-regexp": "^6.1.0",
......
...@@ -159,7 +159,7 @@ export default class IBizGroupPicker extends Vue { ...@@ -159,7 +159,7 @@ export default class IBizGroupPicker extends Vue {
* @memberof IBizGroupPicker * @memberof IBizGroupPicker
*/ */
public loadTree() { public loadTree() {
let orgid = this.viewParam.hasfilter ? this.viewParam.filtervalue : '450000'; let orgid = this.viewParam.filtervalue?this.viewParam.filtervalue:"alls";
let get = Http.getInstance().get(`/ibzorganizations/${orgid}/suborg/ibzdepartments/picker`, true); let get = Http.getInstance().get(`/ibzorganizations/${orgid}/suborg/ibzdepartments/picker`, true);
get.then((response: any) => { get.then((response: any) => {
if(response.status === 200) { if(response.status === 200) {
......
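Review bot: The new default `"alls"` and any non-empty `filtervalue` go straight into the request path on the following line without URL encoding, so a value containing `/`, `?` or `..` would change which endpoint is called; replace `${orgid}` with `${encodeURIComponent(orgid)}` in the path template where the `get` is built. The rewritten condition also stops reading `viewParam.hasfilter`, which IBizGroupSelect in this same commit still sends, so that flag now appears to be dead on this side — worth confirming or dropping. Spaces around `?` and `:` would match the style of the surrounding lines. loadTree's body continues outside the hunk.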
...@@ -166,10 +166,20 @@ export default class IBizGroupSelect extends Vue { ...@@ -166,10 +166,20 @@ export default class IBizGroupSelect extends Vue {
title: '分组选择' title: '分组选择'
}; };
const context: any = JSON.parse(JSON.stringify(this.context)); const context: any = JSON.parse(JSON.stringify(this.context));
let filtervalue:string = "";
if(this.filter){
if(this.data[this.filter]){
filtervalue = this.data[this.filter];
}else if(context[this.filter]){
filtervalue = context[this.filter];
}else{
filtervalue = context.srforgid;
}
}
const param: any = {}; const param: any = {};
Object.assign(param, { Object.assign(param, {
hasfilter: this.filter ? true : false, hasfilter: this.filter ? true : false,
filtervalue: this.filter ? this.data[this.filter] : '', filtervalue: filtervalue,
multiple: this.multiple, multiple: this.multiple,
selects: this.selects selects: this.selects
}); });
......
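Review bot: The new fallback `filtervalue = context.srforgid;` can assign `undefined` to a variable declared `string` (the `any` typing of `context` hides it), and `hasfilter: this.filter ? true : false` still reports a filter as present even when none of the three lookups produced a value. Default the fallback, `filtervalue = context.srforgid || '';`, and consider deriving `hasfilter` from `filtervalue !== ''` so the two fields the picker receives agree. The truthiness tests on `this.data[this.filter]` and `context[this.filter]` also skip legitimate falsy values such as `0`; `!= null` is the safer check if such values can occur here. The enclosing method starts before the hunk.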
...@@ -37,11 +37,6 @@ ...@@ -37,11 +37,6 @@
git clone -b master $para2 ibzuaa/ git clone -b master $para2 ibzuaa/
export NODE_OPTIONS=--max-old-space-size=4096 export NODE_OPTIONS=--max-old-space-size=4096
cd ibzuaa/ cd ibzuaa/
mvn clean package -Pweb
cd ibzuaa-app/ibzuaa-app-web
mvn -Pweb docker:build
mvn -Pweb docker:push
docker -H $para1 stack deploy --compose-file=src/main/docker/ibzuaa-app-web.yaml ibzlab-rt --with-registry-auth
</command> </command>
</hudson.tasks.Shell> </hudson.tasks.Shell>
</builders> </builders>
......
...@@ -9,6 +9,6 @@ CMD echo "The application will start in ${IBZ_SLEEP}s..." && \ ...@@ -9,6 +9,6 @@ CMD echo "The application will start in ${IBZ_SLEEP}s..." && \
sleep ${IBZ_SLEEP} && \ sleep ${IBZ_SLEEP} && \
java ${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom -jar /ibzuaa-app-web.jar java ${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom -jar /ibzuaa-app-web.jar
EXPOSE 30002 EXPOSE 8080
ADD ibzuaa-app-web.jar /ibzuaa-app-web.jar ADD ibzuaa-app-web.jar /ibzuaa-app-web.jar
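Review bot: `EXPOSE 8080` only documents the port; nothing in this Dockerfile sets the port the application listens on, and the compose change in this commit drops the `SERVER_PORT` variable, so the image now silently depends on the Spring Boot default. Pinning it in the image, `ENV SERVER_PORT=8080` next to `EXPOSE 8080`, keeps the two in step if the default or the external configuration changes later. The `CMD` line that starts the JVM begins before the hunk.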
...@@ -3,23 +3,9 @@ services: ...@@ -3,23 +3,9 @@ services:
ibzuaa-app-web: ibzuaa-app-web:
image: registry.cn-shanghai.aliyuncs.com/ibizsys/ibzuaa-app-web:latest image: registry.cn-shanghai.aliyuncs.com/ibizsys/ibzuaa-app-web:latest
ports: ports:
- "30002:30002" - "8080:8080"
networks: networks:
- agent_network - agent_network
environment:
- SPRING_CLOUD_NACOS_DISCOVERY_IP=172.16.180.237
- SERVER_PORT=30002
- SPRING_CLOUD_NACOS_DISCOVERY_SERVER-ADDR=172.16.102.211:8848
- SPRING_REDIS_HOST=172.16.100.243
- SPRING_REDIS_PORT=6379
- SPRING_REDIS_DATABASE=0
- SPRING_DATASOURCE_USERNAME=a_A_5d9d78509
- SPRING_DATASOURCE_PASSWORD=@6dEfb3@
- SPRING_DATASOURCE_URL=jdbc:mysql://172.16.180.232:3306/a_A_5d9d78509?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8&useOldAliasMetadataBehavior=true
- SPRING_DATASOURCE_DRIVER-CLASS-NAME=com.mysql.jdbc.Driver
- SPRING_DATASOURCE_DEFAULTSCHEMA=a_A_5d9d78509
- ABC=1
- DEC=2
deploy: deploy:
mode: replicated mode: replicated
replicas: 1 replicas: 1
......
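Review bot: The `environment:` block removed here carried a live database password together with the datasource username/schema and internal service addresses, and all of it remains retrievable from repository history after this commit. The credential should be rotated and treated as disclosed; going forward, inject such values through Docker secrets or an env file referenced with `env_file:` rather than committing them into the compose file. On the new side the service is left with no datasource, Redis or Nacos settings at all, so it presumably relies on an external configuration source now — a one-line comment naming where that configuration comes from would stop the next reader from re-adding the block.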
{ {
"systemid":"ibzuaa",
"unires":[ "unires":[
], ],
"entities":[ "entities":[
......
...@@ -9,8 +9,8 @@ import com.alibaba.fastjson.JSONObject; ...@@ -9,8 +9,8 @@ import com.alibaba.fastjson.JSONObject;
public class IBZUAAFallback implements IBZUAAFeignClient { public class IBZUAAFallback implements IBZUAAFeignClient {
@Override @Override
public boolean pushSystemPermissionData(String systemid,JSONObject systemPermissionData) { public Boolean syncSysAuthority(JSONObject system) {
return false; return null;
} }
@Override @Override
......
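Review bot: `return null;` in the new `syncSysAuthority` fallback is unboxed by the caller in PermissionSyncJob (`if(client.syncSysAuthority(system))`), so when the Feign call fails over to this fallback the outcome is a NullPointerException instead of the logged failure branch. Keep the previous contract: `return false;`. The same null-admitting `Boolean` return type is declared on IBZUAAFeignClient in this commit; unless a third state is intended, primitive `boolean` on both would make the contract explicit. The class body continues outside the hunk.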
...@@ -10,13 +10,12 @@ import com.alibaba.fastjson.JSONObject; ...@@ -10,13 +10,12 @@ import com.alibaba.fastjson.JSONObject;
public interface IBZUAAFeignClient public interface IBZUAAFeignClient
{ {
/** /**
* 推送系统权限数据到uaa * 同步系统资源到uaa
* @param systemid * @param system 系统资源信息
* @param systemPermissionData
* @return * @return
*/ */
@PostMapping("/syspssystems/{systemid}/permissiondata") @PostMapping("/syspssystems/save")
boolean pushSystemPermissionData(@PathVariable("systemid") String systemid,@RequestBody JSONObject systemPermissionData); Boolean syncSysAuthority(@RequestBody JSONObject system);
/** /**
* 用户登录 * 用户登录
......
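Review bot: The rewritten javadoc leaves `@return` empty while the return type changed from `boolean` to `Boolean`, so a reader cannot tell whether `null` is a meaningful result or an error. Fill it in, e.g. `@return true if UAA accepted the system resource, false otherwise`, and note that fallback implementations are expected to honour it. The `system` parameter description could also list the keys the endpoint expects (`pssystemid`, `pssystemname`, `sysstructure`), which are currently only discoverable by reading PermissionSyncJob.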
...@@ -36,10 +36,14 @@ public class PermissionSyncJob implements ApplicationRunner { ...@@ -36,10 +36,14 @@ public class PermissionSyncJob implements ApplicationRunner {
Thread.sleep(10000); Thread.sleep(10000);
InputStream permission= this.getClass().getResourceAsStream("/permission/systemResource.json"); //获取当前系统所有实体资源能力 InputStream permission= this.getClass().getResourceAsStream("/permission/systemResource.json"); //获取当前系统所有实体资源能力
String permissionResult = IOUtils.toString(permission,"UTF-8"); String permissionResult = IOUtils.toString(permission,"UTF-8");
if(client.pushSystemPermissionData(systemId,JSONObject.parseObject(permissionResult))){ JSONObject system= new JSONObject();
system.put("pssystemid",systemId);
system.put("pssystemname",systemId);
system.put("sysstructure",JSONObject.parseObject(permissionResult));
if(client.syncSysAuthority(system)){
log.info("向[UAA]同步系统资源成功"); log.info("向[UAA]同步系统资源成功");
}else{ }else{
log.info(String.format("向[UAA]同步系统资源失败")); log.error("向[UAA]同步系统资源失败");
} }
} }
catch (Exception ex) { catch (Exception ex) {
......
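Review bot: `system.put("pssystemname",systemId)` sends the system id as the display name as well; if that is deliberate rather than a placeholder, a short comment such as `// name intentionally mirrors the id until a configured name exists` would keep it from being "fixed" later. The `InputStream permission` opened on the line above is never closed (pre-existing, but the block is being touched); `try (InputStream permission = this.getClass().getResourceAsStream("/permission/systemResource.json")) {` would close it, and a null check before `IOUtils.toString` would turn a missing resource into a clear log message instead of a caught NullPointerException. The enclosing try starts before the hunk.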
package cn.ibizlab.util.rest; package cn.ibizlab.util.rest;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject; import com.alibaba.fastjson.JSONObject;
import cn.ibizlab.util.security.AuthenticationUser;
import cn.ibizlab.util.service.AuthenticationUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.util.ObjectUtils; import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import org.springframework.beans.factory.annotation.Value; import java.util.Collection;
import org.springframework.beans.factory.annotation.Autowired; import java.util.HashSet;
import cn.ibizlab.util.security.AuthenticationUser; import java.util.Iterator;
import cn.ibizlab.util.service.AuthenticationUserService; import java.util.Set;
@RestController @RestController
@RequestMapping(value = "") @RequestMapping(value = "")
...@@ -27,13 +30,19 @@ public class AppController { ...@@ -27,13 +30,19 @@ public class AppController {
public ResponseEntity<JSONObject> getAppData() { public ResponseEntity<JSONObject> getAppData() {
JSONObject appData = new JSONObject() ; JSONObject appData = new JSONObject() ;
JSONArray uniRes=new JSONArray(); Set<String> appMenu = new HashSet();
JSONArray appMenu=new JSONArray(); Set<String> uniRes = new HashSet();
if(enablePermissionValid){ if(enablePermissionValid){
JSONObject userPermission=AuthenticationUser.getAuthenticationUser().getPermissionList(); Collection<GrantedAuthority> authorities=AuthenticationUser.getAuthenticationUser().getAuthorities();
if(!ObjectUtils.isEmpty(userPermission)){ Iterator it = authorities.iterator();
uniRes = userPermission.getJSONArray("unires"); while(it.hasNext()) {
appMenu = userPermission.getJSONArray("appmenu"); GrantedAuthority authority = (GrantedAuthority)it.next();
String strAuthority=authority.getAuthority();
if(strAuthority.startsWith("UNIRES"))
uniRes.add(strAuthority);
else if(strAuthority.startsWith("APPMENU"))
appMenu.add(strAuthority);
} }
} }
appData.put("unires",uniRes); appData.put("unires",uniRes);
......
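Review bot: `new HashSet()` and `Iterator it` in the rewritten getAppData are raw types, so the `Set<String>` declarations compile only with unchecked warnings and the cast `(GrantedAuthority)it.next()` is doing by hand what the generic type would do. The diamond operator and an enhanced for loop express the same filtering with the compiler checking it (rewrite below). The `startsWith("UNIRES")` / `startsWith("APPMENU")` prefix tests are the only thing separating the two resource families, so the authority naming convention they rely on deserves a comment here, since any authority that merely begins with one of those words lands in that bucket. The method's tail is outside the hunk.
```java
Set<String> appMenu = new HashSet<>();
Set<String> uniRes = new HashSet<>();
if (enablePermissionValid) {
    // authority names carry a UNIRES / APPMENU prefix that selects the bucket
    for (GrantedAuthority authority : AuthenticationUser.getAuthenticationUser().getAuthorities()) {
        String strAuthority = authority.getAuthority();
        if (strAuthority.startsWith("UNIRES")) {
            uniRes.add(strAuthority);
        } else if (strAuthority.startsWith("APPMENU")) {
            appMenu.add(strAuthority);
        }
    }
}
// … unchanged: appData.put("unires", uniRes) and the rest of the method …
```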
package cn.ibizlab.util.security; package cn.ibizlab.util.security;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl; import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mongodb.QueryBuilder; import com.mongodb.QueryBuilder;
...@@ -18,6 +16,7 @@ import org.springframework.data.mongodb.core.query.BasicQuery; ...@@ -18,6 +16,7 @@ import org.springframework.data.mongodb.core.query.BasicQuery;
import org.springframework.data.mongodb.core.query.Query; import org.springframework.data.mongodb.core.query.Query;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils; import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
...@@ -35,10 +34,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -35,10 +34,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value("${ibiz.enablePermissionValid:false}") @Value("${ibiz.enablePermissionValid:false}")
boolean enablePermissionValid; //是否开启权限校验 boolean enablePermissionValid; //是否开启权限校验
/**
* 实体行为操作标识
*/
private String DEActionType="DEACTION";
/** /**
*实体主键标识 *实体主键标识
*/ */
...@@ -67,9 +62,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -67,9 +62,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
List<String> ids=null; List<String> ids=null;
EntityBase entity; EntityBase entity;
List<EntityBase> entityList = null; List<EntityBase> entityList = null;
JSONObject userPermission= AuthenticationUser.getAuthenticationUser().getPermissionList();
if(userPermission==null)
return false;
MappingBase mappingBase= (MappingBase) paramList.get(1); MappingBase mappingBase= (MappingBase) paramList.get(1);
//参数准备 //参数准备
if(action.equalsIgnoreCase("remove")){ if(action.equalsIgnoreCase("remove")){
...@@ -86,26 +78,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -86,26 +78,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if (entity==null) if (entity==null)
return false; return false;
JSONObject permissionList=userPermission.getJSONObject("entities"); Set<String> entityDataRange = getAuthorities(authentication,entity.getClass().getSimpleName(),action);
String entityName = entity.getClass().getSimpleName(); if(entityDataRange.size()==0)
return false;
//拥有全部数据访问权限时,则跳过权限检查 //拥有全部数据访问权限时,则跳过权限检查
if(isAllData(entityName,action,permissionList)){ if(isAllData(action,entityDataRange)){
return true; return true;
} }
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(entityName,action,permissionList)){
return false;
}
JSONArray dataRangeList=getDataRange(entityName,action,permissionList);
if(dataRangeList.size()==0)
return false;
if(action.equalsIgnoreCase("create")){ if(action.equalsIgnoreCase("create")){
return createBatchActionPermissionValid(entityList,dataRangeList); return createBatchActionPermissionValid(entityList,entityDataRange);
} }
else if(action.equalsIgnoreCase("save")){ else if(action.equalsIgnoreCase("save")){
return saveBatchActionPermissionValid(deStorageMode, entityList, dataRangeList); return saveBatchActionPermissionValid(deStorageMode, entityList, entityDataRange);
} }
else{ else{
if(!action.equalsIgnoreCase("remove")){ if(!action.equalsIgnoreCase("remove")){
...@@ -113,7 +98,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -113,7 +98,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
} }
if(ids.size()==0) if(ids.size()==0)
return false; return false;
return otherBatchActionPermissionValidRouter(deStorageMode, entity ,ids, dataRangeList); return otherBatchActionPermissionValidRouter(deStorageMode, entity ,ids, entityDataRange);
} }
} }
...@@ -142,23 +127,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -142,23 +127,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if (StringUtils.isEmpty(entity)) if (StringUtils.isEmpty(entity))
return false; return false;
JSONObject userPermission= AuthenticationUser.getAuthenticationUser().getPermissionList(); Set<String> entityDataRange = getAuthorities(authentication,entity.getClass().getSimpleName(),action);
if(userPermission==null)
if(entityDataRange.size()==0)
return false; return false;
JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName();
//拥有全部数据访问权限时,则跳过权限检查 //拥有全部数据访问权限时,则跳过权限检查
if(isAllData(entityName,action,permissionList)){ if(isAllData(action,entityDataRange)){
return true; return true;
} }
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(entityName,action,permissionList)){
return false;
}
JSONArray dataRangeList=getDataRange(entityName,action,permissionList);
if(dataRangeList.size()==0)
return false;
if(action.equalsIgnoreCase("save")){ if(action.equalsIgnoreCase("save")){
Map<String,String> permissionField=getPermissionField(entity); Map<String,String> permissionField=getPermissionField(entity);
...@@ -170,21 +147,41 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -170,21 +147,41 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
action="update"; action="update";
} }
if(action.equalsIgnoreCase("create")){ if(action.equalsIgnoreCase("create")){
return createActionPermissionValid(entity,dataRangeList); return createActionPermissionValid(entity,entityDataRange);
} }
else{ else{
return otherActionPermissionValidRouter(deStorageMode, entity, id, dataRangeList); return otherActionPermissionValidRouter(deStorageMode, entity, id, entityDataRange);
} }
} }
/**
* 获取用户权限资源
* @param authentication
* @param entityName
* @param action
* @return
*/
private Set<String> getAuthorities(Authentication authentication,String entityName,String action){
Collection authorities=authentication.getAuthorities();
Set<String> entityDataRange = new HashSet();
Iterator var2 = authorities.iterator();
while(var2.hasNext()) {
GrantedAuthority authority = (GrantedAuthority)var2.next();
if(authority.getAuthority().contains(String.format("%s-%s-",entityName,action)))
entityDataRange.add(authority.getAuthority());
}
return entityDataRange;
}
/** /**
* 批save校验 * 批save校验
* @param deStorageMode * @param deStorageMode
* @param entityList * @param entityList
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean saveBatchActionPermissionValid(String deStorageMode, List<EntityBase> entityList, JSONArray dataRangeList) { private boolean saveBatchActionPermissionValid(String deStorageMode, List<EntityBase> entityList, Set<String> entityDataRange) {
if(entityList==null || entityList.size()==0) if(entityList==null || entityList.size()==0)
return false; return false;
...@@ -202,12 +199,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -202,12 +199,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
updateList.add(String.valueOf(id)); updateList.add(String.valueOf(id));
} }
if(updateList.size()>0){ if(updateList.size()>0){
boolean isUpdate = otherBatchActionPermissionValidRouter(deStorageMode, tempEntity ,updateList, dataRangeList); boolean isUpdate = otherBatchActionPermissionValidRouter(deStorageMode, tempEntity ,updateList, entityDataRange);
if(!isUpdate) if(!isUpdate)
return false; return false;
} }
if(createList.size()>0){ if(createList.size()>0){
boolean isCreate=createBatchActionPermissionValid(entityList,dataRangeList); boolean isCreate=createBatchActionPermissionValid(entityList,entityDataRange);
if(!isCreate) if(!isCreate)
return false; return false;
} }
...@@ -217,12 +214,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -217,12 +214,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/** /**
* 批处理新建权限校验 * 批处理新建权限校验
* @param entityList * @param entityList
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean createBatchActionPermissionValid(List<EntityBase> entityList,JSONArray dataRangeList){ private boolean createBatchActionPermissionValid(List<EntityBase> entityList,Set<String> entityDataRange){
for(EntityBase entity : entityList){ for(EntityBase entity : entityList){
boolean isCreate = createActionPermissionValid(entity ,dataRangeList); boolean isCreate = createActionPermissionValid(entity ,entityDataRange);
if(!isCreate){ if(!isCreate){
return false; return false;
} }
...@@ -235,16 +232,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -235,16 +232,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode * @param deStorageMode
* @param entity * @param entity
* @param ids * @param ids
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean otherBatchActionPermissionValidRouter(String deStorageMode , EntityBase entity , List<String> ids , JSONArray dataRangeList){ private boolean otherBatchActionPermissionValidRouter(String deStorageMode , EntityBase entity , List<String> ids , Set<String> entityDataRange){
if(deStorageMode.equalsIgnoreCase("sql")){ if(deStorageMode.equalsIgnoreCase("sql")){
return sqlBatchPermissionValid(entity ,ids, dataRangeList); return sqlBatchPermissionValid(entity ,ids, entityDataRange);
} }
else if(deStorageMode.equalsIgnoreCase("nosql")){ else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlBatchPermissionValid(entity, ids , dataRangeList); return noSqlBatchPermissionValid(entity, ids , entityDataRange);
} }
else if(deStorageMode.equalsIgnoreCase("serviceapi")){ else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true; return true;
...@@ -258,16 +255,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -258,16 +255,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* SQL批处理权限校验 * SQL批处理权限校验
* @param entity * @param entity
* @param ids * @param ids
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean sqlBatchPermissionValid(EntityBase entity , List<String> ids, JSONArray dataRangeList){ private boolean sqlBatchPermissionValid(EntityBase entity , List<String> ids, Set<String> entityDataRange){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag); String keyFieldName=permissionField.get(keyFieldTag);
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象 ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
//通过权限表达式来获取sql //通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND ( %s in (%s) ) ",getPermissionSQL(entity,dataRangeList),keyFieldName,getEntityKeyCond(ids)); //拼接权限条件-编辑 String permissionSQL= String.format(" (%s) AND ( %s in (%s) ) ",getPermissionSQL(entity,entityDataRange),keyFieldName,getEntityKeyCond(ids)); //拼接权限条件-编辑
//执行sql进行权限检查 //执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件 QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper); List list=service.list(permissionWrapper);
...@@ -282,15 +279,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -282,15 +279,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL批处理权限校验 * NoSQL批处理权限校验
* @param entity * @param entity
* @param ids * @param ids
* @param dataRange * @param entityDataRange
* @return * @return
*/ */
private boolean noSqlBatchPermissionValid(EntityBase entity, List<String> ids, JSONArray dataRange) { private boolean noSqlBatchPermissionValid(EntityBase entity, List<String> ids, Set<String> entityDataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag); String keyFieldName=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件 //根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,dataRange); QueryBuilder permissionCond=getNoSqlPermissionCond(entity,entityDataRange);
//权限条件拼接主键 //权限条件拼接主键
permissionCond.and(keyFieldName).in(ids); permissionCond.and(keyFieldName).in(ids);
//执行权限检查 //执行权限检查
...@@ -306,59 +303,26 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -306,59 +303,26 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/** /**
* 是否为全部数据 * 是否为全部数据
* @param permissionList
* @param entityName
* @param action * @param action
* @param entityDataRange
* @return * @return
*/ */
private boolean isAllData( String entityName, String action ,JSONObject permissionList) { private boolean isAllData(String action , Set<String> entityDataRange) {
for(String dataRange : entityDataRange ){
if(permissionList==null) if(dataRange.endsWith(String.format("%s-all",action))){
return false;
if(!permissionList.containsKey(entityName))
return false;
JSONObject entity=permissionList.getJSONObject(entityName);
if(!entity.containsKey(DEActionType))
return false;
JSONObject dataRange=entity.getJSONObject(DEActionType);//获取实体行为对应的数据范围
if(dataRange.containsKey(action) && dataRange.getJSONArray(action).contains("all"))
return true; return true;
return false;
} }
/**
* 实体行为权限校验
* @param userPermission
* @param entityName
* @param action
* userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}
* @return
*/
private boolean validDEActionHasPermission(String entityName , String action ,JSONObject userPermission){
boolean hasPermission=false;
if(userPermission==null)
return false;
if(!userPermission.containsKey(entityName))
return false;
JSONObject entity=userPermission.getJSONObject(entityName);//获取实体
if(!entity.containsKey(DEActionType))
return false;
JSONObject dataRange=entity.getJSONObject(DEActionType);//获取实体行为对应的数据范围
if(dataRange.containsKey(action)){
hasPermission=true;
} }
return hasPermission; return false;
} }
/** /**
* 新建行为校验 * 新建行为校验
* @param entity * @param entity
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean createActionPermissionValid(EntityBase entity, JSONArray dataRangeList){ private boolean createActionPermissionValid(EntityBase entity, Set<String> entityDataRange){
boolean isCreate=true; boolean isCreate=true;
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
...@@ -379,24 +343,23 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -379,24 +343,23 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> userOrg = new HashSet<>(); Set<String> userOrg = new HashSet<>();
Set<String> userOrgDept = new HashSet<>(); Set<String> userOrgDept = new HashSet<>();
for(int a=0;a<dataRangeList.size();a++){ for(String permissionCond:entityDataRange){
String permissionCond=dataRangeList.getString(a);//权限配置条件 if(permissionCond.endsWith("curorg")){ //本单位
if(permissionCond.equals("curorg")){ //本单位
userOrg.add(authenticationUser.getOrgid()); userOrg.add(authenticationUser.getOrgid());
} }
else if(permissionCond.equals("porg")){//上级单位 else if(permissionCond.endsWith("porg")){//上级单位
userOrg.addAll(orgParent); userOrg.addAll(orgParent);
} }
else if(permissionCond.equals("sorg")){//下级单位 else if(permissionCond.endsWith("sorg")){//下级单位
userOrg.addAll(orgChild); userOrg.addAll(orgChild);
} }
else if(permissionCond.equals("curorgdept")){//本部门 else if(permissionCond.endsWith("curorgdept")){//本部门
userOrgDept.add(authenticationUser.getMdeptid()); userOrgDept.add(authenticationUser.getMdeptid());
} }
else if(permissionCond.equals("porgdept")){//上级部门 else if(permissionCond.endsWith("porgdept")){//上级部门
userOrgDept.addAll(orgDeptParent); userOrgDept.addAll(orgDeptParent);
} }
else if(permissionCond.equals("sorgdept")){//下级部门 else if(permissionCond.endsWith("sorgdept")){//下级部门
userOrgDept.addAll(orgDeptChild); userOrgDept.addAll(orgDeptChild);
} }
} }
...@@ -419,16 +382,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -419,16 +382,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode * @param deStorageMode
* @param entity * @param entity
* @param id * @param id
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , Object id , JSONArray dataRangeList){ private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , Object id , Set<String> entityDataRange){
if(deStorageMode.equalsIgnoreCase("sql")){ if(deStorageMode.equalsIgnoreCase("sql")){
return sqlPermissionValid(entity , id, dataRangeList); return sqlPermissionValid(entity , id, entityDataRange);
} }
else if(deStorageMode.equalsIgnoreCase("nosql")){ else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlPermissionValid(entity , id, dataRangeList); return noSqlPermissionValid(entity , id, entityDataRange);
} }
else if(deStorageMode.equalsIgnoreCase("serviceapi")){ else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true; return true;
...@@ -442,15 +405,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -442,15 +405,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* sql存储模式实体行为鉴权 * sql存储模式实体行为鉴权
* @param entity * @param entity
* @param id * @param id
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean sqlPermissionValid(EntityBase entity , Object id, JSONArray dataRangeList){ private boolean sqlPermissionValid(EntityBase entity , Object id, Set<String> entityDataRange){
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象 ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
//通过权限表达式来获取sql //通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND (%s='%s')",getPermissionSQL(entity,dataRangeList),permissionField.get(keyFieldTag),id); //拼接权限条件-编辑 String permissionSQL= String.format(" (%s) AND (%s='%s')",getPermissionSQL(entity,entityDataRange),permissionField.get(keyFieldTag),id); //拼接权限条件-编辑
//执行sql进行权限检查 //执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件 QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper); List list=service.list(permissionWrapper);
...@@ -466,15 +429,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -466,15 +429,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL实体行为鉴权 * NoSQL实体行为鉴权
* @param entity * @param entity
* @param id * @param id
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private boolean noSqlPermissionValid(EntityBase entity, Object id, JSONArray dataRangeList) { private boolean noSqlPermissionValid(EntityBase entity, Object id, Set<String> entityDataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag); String keyField=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件 //根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,dataRangeList); QueryBuilder permissionCond=getNoSqlPermissionCond(entity,entityDataRange);
//权限条件拼接主键 //权限条件拼接主键
permissionCond.and(keyField).is(id); permissionCond.and(keyField).is(id);
//执行权限检查 //执行权限检查
...@@ -492,10 +455,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -492,10 +455,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/** /**
* 为NoSQL存储模式的表格查询填充权限条件 * 为NoSQL存储模式的表格查询填充权限条件
* @param entity * @param entity
* @param dataRangeList * @param entityDataRange
* @return * @return
*/ */
private QueryBuilder getNoSqlPermissionCond( EntityBase entity ,JSONArray dataRangeList ){ private QueryBuilder getNoSqlPermissionCond( EntityBase entity ,Set<String> entityDataRange){
QueryBuilder permissionSQL=new QueryBuilder(); QueryBuilder permissionSQL=new QueryBuilder();
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
...@@ -509,30 +472,29 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -509,30 +472,29 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> orgDeptParent = userInfo.get("parentdept"); Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept"); Set<String> orgDeptChild = userInfo.get("subdept");
for(int i=0;i<dataRangeList.size();i++){ for(String permissionCond:entityDataRange){
String permissionCond=dataRangeList.getString(i);//权限配置条件 if(permissionCond.endsWith("curorg")){ //本单位
if(permissionCond.equals("curorg")){ //本单位
permissionSQL.or(new QueryBuilder().and(orgField).is(AuthenticationUser.getAuthenticationUser().getOrgid()).get()); permissionSQL.or(new QueryBuilder().and(orgField).is(AuthenticationUser.getAuthenticationUser().getOrgid()).get());
} }
else if(permissionCond.equals("porg")){//上级单位 else if(permissionCond.endsWith("porg")){//上级单位
permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgParent)).get()); permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgParent)).get());
} }
else if(permissionCond.equals("sorg")){//下级单位 else if(permissionCond.endsWith("sorg")){//下级单位
permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgChild)).get()); permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgChild)).get());
} }
else if(permissionCond.equals("createman")){//建立人 else if(permissionCond.endsWith("createman")){//建立人
permissionSQL.or(new QueryBuilder().and(createManField).is(AuthenticationUser.getAuthenticationUser().getUserid()).get()); permissionSQL.or(new QueryBuilder().and(createManField).is(AuthenticationUser.getAuthenticationUser().getUserid()).get());
} }
else if(permissionCond.equals("curorgdept")){//本部门 else if(permissionCond.endsWith("curorgdept")){//本部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).is(AuthenticationUser.getAuthenticationUser().getMdeptid()).get()); permissionSQL.or(new QueryBuilder().and(orgDeptField).is(AuthenticationUser.getAuthenticationUser().getMdeptid()).get());
} }
else if(permissionCond.equals("porgdept")){//上级部门 else if(permissionCond.endsWith("porgdept")){//上级部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptParent)).get()); permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptParent)).get());
} }
else if(permissionCond.equals("sorgdept")){//下级部门 else if(permissionCond.endsWith("sorgdept")){//下级部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptChild)).get()); permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptChild)).get());
} }
else if(permissionCond.equals("all")){ else if(permissionCond.endsWith("all")){
permissionSQL.or(new QueryBuilder().get()); permissionSQL.or(new QueryBuilder().get());
} }
} }
...@@ -543,10 +505,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -543,10 +505,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/** /**
* SQL获取权限条件 * SQL获取权限条件
* @param entity * @param entity
* @param oppriList * @param entityDataRange
* @return * @return
*/ */
private String getPermissionSQL(EntityBase entity, JSONArray oppriList){ private String getPermissionSQL(EntityBase entity, Set<String> entityDataRange){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String nPermissionSQL = "1<>1"; String nPermissionSQL = "1<>1";
...@@ -561,31 +523,30 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -561,31 +523,30 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> orgDeptParent = userInfo.get("parentdept"); Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept"); Set<String> orgDeptChild = userInfo.get("subdept");
for(int i=0;i<oppriList.size();i++){ for(String permissionCond: entityDataRange){
permissionSQL.append("OR"); permissionSQL.append("OR");
String permissionCond=oppriList.getString(i);//权限配置条件 if(permissionCond.endsWith("curorg")){ //本单位
if(permissionCond.equals("curorg")){ //本单位
permissionSQL.append(String.format("(%s='%s')",orgField,AuthenticationUser.getAuthenticationUser().getOrgid())); permissionSQL.append(String.format("(%s='%s')",orgField,AuthenticationUser.getAuthenticationUser().getOrgid()));
} }
else if(permissionCond.equals("porg")){//上级单位 else if(permissionCond.endsWith("porg")){//上级单位
permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgParent))); permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgParent)));
} }
else if(permissionCond.equals("sorg")){//下级单位 else if(permissionCond.endsWith("sorg")){//下级单位
permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgChild))); permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgChild)));
} }
else if(permissionCond.equals("createman")){//建立人 else if(permissionCond.endsWith("createman")){//建立人
permissionSQL.append(String.format("(%s='%s')",createManField,AuthenticationUser.getAuthenticationUser().getUserid())); permissionSQL.append(String.format("(%s='%s')",createManField,AuthenticationUser.getAuthenticationUser().getUserid()));
} }
else if(permissionCond.equals("curorgdept")){//本部门 else if(permissionCond.endsWith("curorgdept")){//本部门
permissionSQL.append(String.format("(%s='%s')",orgDeptField,AuthenticationUser.getAuthenticationUser().getMdeptid())); permissionSQL.append(String.format("(%s='%s')",orgDeptField,AuthenticationUser.getAuthenticationUser().getMdeptid()));
} }
else if(permissionCond.equals("porgdept")){//上级部门 else if(permissionCond.endsWith("porgdept")){//上级部门
permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptParent))); permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptParent)));
} }
else if(permissionCond.equals("sorgdept")){//下级部门 else if(permissionCond.endsWith("sorgdept")){//下级部门
permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptChild))); permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptChild)));
} }
else if(permissionCond.equals("all")){//全部数据 else if(permissionCond.endsWith("all")){//全部数据
permissionSQL.append("(1=1)"); permissionSQL.append("(1=1)");
} }
else{ else{
...@@ -701,21 +662,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -701,21 +662,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return "'" + String.join("','", arr) + "'"; return "'" + String.join("','", arr) + "'";
} }
/**
* 获取数据范围
* @param entityName
* @param action
* @param permissionList
* @return
*/
private JSONArray getDataRange(String entityName, String action , JSONObject permissionList){
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entityName);//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray dataRangeList=permissionType.getJSONArray(action);//行为:read;insert...
return dataRangeList;
}
/** /**
* 获取实体主键集合 * 获取实体主键集合
* @param entityBase * @param entityBase
......
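Review bot: Replacing `equals` with `endsWith` in getNoSqlPermissionCond and getPermissionSQL widens which data-range strings are honoured: any entry whose suffix happens to be `all` now reaches the unrestricted branch (`permissionSQL.or(new QueryBuilder().get())` / `(1=1)`), and the same loosening applies to every other scope, so a mistyped or unexpectedly composed entry can grant more data than intended. If the new `Set<String>` entries carry a qualifier prefix, extract the trailing scope token once with the producer's delimiter and compare it exactly, e.g. `String scope = permissionCond.substring(permissionCond.lastIndexOf(DELIM) + 1);` followed by `if ("curorg".equals(scope))`, where DELIM is a placeholder for whatever separator builds entityDataRange. Entries matching no branch should be logged or rejected rather than silently skipped, since in the NoSQL loop they add no condition and in the SQL loop an `OR` is appended before the `else` branch is reached. The enclosing class, the `else` branch of getPermissionSQL and the file header lie outside this view.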