Merge pull request #204 from LeoMalik/feature/data-auth

Feature/data auth

Author: zhoutaoo

auth/authentication-client/pom.xml

@@ -42,6 +42,11 @@
     </dependencyManagement>
 
     <dependencies>
+        <dependency>
+            <groupId>com.springboot.cloud</groupId>
+            <artifactId>facade</artifactId>
+            <version>0.0.1-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>com.springboot.cloud</groupId>
             <artifactId>core</artifactId>

auth/authentication-client/src/main/java/com/springboot/cloud/auth/client/provider/AuthProvider.java

@@ -1,10 +1,12 @@
 package com.springboot.cloud.auth.client.provider;
 
 import com.springboot.cloud.common.core.entity.vo.Result;
+import com.springboot.cloud.sysadmin.facade.dto.PermissionDTO;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.http.HttpHeaders;
 import org.springframework.stereotype.Component;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestParam;
 
@@ -29,6 +31,10 @@ public interface AuthProvider {
     @PostMapping(value = "/auth/permission")
     Result auth(@RequestHeader(HttpHeaders.AUTHORIZATION) String authentication, @RequestParam("url") String url, @RequestParam("method") String method);
 
+    @PostMapping(value = "/auth/data/permission")
+    Result dataAuth(@RequestHeader(HttpHeaders.AUTHORIZATION) String authentication, @RequestBody PermissionDTO permissionDTO);
+
+
     @Component
     class AuthProviderFallback implements AuthProvider {
         /**
@@ -49,5 +55,17 @@ class AuthProviderFallback implements AuthProvider {
         public Result auth(String authentication, String url, String method) {
             return Result.fail();
         }
+
+        /**
+         * 降级统一返回无权限
+         *
+         * @param authentication 身份验证
+         * @param permissionDTO  许可dto
+         * @return {@link Result}
+         */
+        @Override
+        public Result dataAuth(String authentication,  PermissionDTO permissionDTO) {
+            return Result.fail();
+        }
     }
 }

auth/authentication-client/src/main/java/com/springboot/cloud/auth/client/service/IAuthService.java

@@ -1,10 +1,21 @@
 package com.springboot.cloud.auth.client.service;
 
 import com.springboot.cloud.common.core.entity.vo.Result;
+import com.springboot.cloud.sysadmin.facade.dto.PermissionDTO;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
 
 public interface IAuthService {
+
+    /**
+     * 数据权限验证
+     *
+     * @param authentication 身份验证
+     * @param permissionDTO  许可dto
+     * @param groupCode      组织代码
+     * @return {@link Result}
+     */
+    Result dataAuthenticate(String authentication,String groupCode, PermissionDTO permissionDTO);
     /**
      * 调用签权服务，判断用户是否有权限
      *

auth/authentication-client/src/main/java/com/springboot/cloud/auth/client/service/impl/AuthService.java

@@ -3,6 +3,7 @@
 import com.springboot.cloud.auth.client.provider.AuthProvider;
 import com.springboot.cloud.auth.client.service.IAuthService;
 import com.springboot.cloud.common.core.entity.vo.Result;
+import com.springboot.cloud.sysadmin.facade.dto.PermissionDTO;
 import io.jsonwebtoken.*;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
@@ -36,6 +37,11 @@ public class AuthService implements IAuthService {
     @Value("${gate.ignore.authentication.startWith}")
     private String ignoreUrls = "/oauth";
 
+    @Override
+    public Result dataAuthenticate(String authentication, String groupCode, PermissionDTO permissionDTO) {
+        return authProvider.dataAuth(authentication,permissionDTO);
+    }
+
     @Override
     public Result authenticate(String authentication, String url, String method) {
         return authProvider.auth(authentication, url, method);

auth/authentication-server/docs/权限校验.md

@@ -0,0 +1,58 @@
+# 权限校验
+
+## 核心理念
+
+建立用户-组-权限资源的关系，对用户进行鉴权
+
+[![o4WeAI.png](https://s1.ax1x.com/2021/12/10/o4WeAI.png)](https://imgtu.com/i/o4WeAI)
+
+
+
+## 鉴权流程
+
+### 在权限表（permission）中插入资源信息
+
+```sql
+INSERT INTO permission (id, res_type, area, res_full_path, res_full_name, operation_bit, expire_date, created_time,
+                        updated_time, created_by, updated_by)
+VALUES (101, 'hive', 'china', '/test.db/test', '/测试库/测试表', 'select', '2099-12-26 10:45:26', now(), now(),
+        'system', 'system'),
+       (102, 'hive', 'china', '/test.db/test1', '/测试库/测试表1', 'select', '2099-12-26 10:45:26', now(), now(),
+        'system', 'system'),
+       (103, 'hive', 'china', '/test.db', '/测试库', 'select', '2099-12-26 10:45:26', now(), now(),
+        'system', 'system');
+```
+
+### 在组-权限表建立连接
+
+```sql
+INSERT INTO group_permission_relation (id, group_id, permission_id, created_time, updated_time, created_by, updated_by)
+VALUES (1, 101, 101, now(), now(), 'system', 'system'),
+       (2, 101, 102, now(), now(), 'system', 'system'),
+       (3, 101, 103, now(), now(), 'system', 'system'),
+       (4, 102, 101, now(), now(), 'system', 'system'),
+       (5, 102, 102, now(), now(), 'system', 'system'),
+       (6, 103, 101, now(), now(), 'system', 'system'),
+       (7, 103, 102, now(), now(), 'system', 'system'),
+       (8, 103, 103, now(), now(), 'system', 'system');
+```
+
+### 访问接口进行鉴权
+
+```shell
+curl --location --request POST 'http://127.0.0.1:8443/authentication-server/auth/data/permission' \
+--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiXSwib3JnYW5pemF0aW9uIjoiYWRtaW4iLCJleHAiOjE2MzkwNzQ1MTMsImF1dGhvcml0aWVzIjpbIkFETUlOIl0sImp0aSI6IllsVVhlV2d1VFBRbGdmSHYyY0VGOC1seEVGRSIsImNsaWVudF9pZCI6InRlc3RfY2xpZW50In0.1JqUvfv5i9wd9F7hWYW-Xafoc5bh9tFEupIoVYW09nU' \
+--header 'User-Agent: apifox/1.0.0 (https://www.apifox.cn)' \
+--header 'Content-Type: application/json' \
+--data-raw '{
+    "resFullName": "/测试库/测试表",
+    "area": "china",
+    "resType": "hive",
+    "operationBit": "select",
+    "resFullPath": "/test.db/test",
+    "groupCode": "101"
+}'
+```
+
+[![o4WzrQ.png](https://s1.ax1x.com/2021/12/10/o4WzrQ.png)](https://imgtu.com/i/o4WzrQ)
+

auth/authentication-server/pom.xml

@@ -18,6 +18,11 @@
     </parent>
 
     <dependencies>
+        <dependency>
+            <groupId>com.springboot.cloud</groupId>
+            <artifactId>facade</artifactId>
+            <version>0.0.1-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>com.springboot.cloud</groupId>
             <artifactId>web</artifactId>

auth/authentication-server/src/main/java/com/springboot/cloud/auth/authentication/Oauth2AuthenticationApplication.java

@@ -1,6 +1,7 @@
 package com.springboot.cloud.auth.authentication;
 
 import com.alicp.jetcache.anno.config.EnableCreateCacheAnnotation;
+import com.alicp.jetcache.anno.config.EnableMethodCache;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
@@ -9,6 +10,7 @@
 @SpringBootApplication
 @EnableDiscoveryClient
 @EnableFeignClients
+@EnableMethodCache(basePackages = "com.springboot.cloud")
 @EnableCreateCacheAnnotation
 public class Oauth2AuthenticationApplication {
     public static void main(String[] args) {

auth/authentication-server/src/main/java/com/springboot/cloud/auth/authentication/config/BusConfig.java

@@ -3,7 +3,7 @@
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.springboot.cloud.auth.authentication.events.BusReceiver;
+import com.springboot.cloud.auth.authentication.events.ResourceBusReceiver;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.amqp.core.*;
 import org.springframework.amqp.rabbit.connection.ConnectionFactory;
@@ -12,6 +12,7 @@
 import org.springframework.amqp.support.converter.ContentTypeDelegatingMessageConverter;
 import org.springframework.amqp.support.converter.Jackson2JsonMessageConverter;
 import org.springframework.amqp.support.converter.MessageConverter;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -21,49 +22,74 @@
 public class BusConfig {
 
     private static final String EXCHANGE_NAME = "spring-boot-exchange";
-    private static final String ROUTING_KEY = "organization-resource";
+    private static final String RESOURCE_ROUTING_KEY = "organization-resource";
+    private static final String RESOURCE_QUEUE_SUFFIX = "resource";
 
     @Value("${spring.application.name}")
     private String appName;
 
     @Bean
-    Queue queue() {
-        String queueName = new Base64UrlNamingStrategy(appName + ".").generateName();
-        log.info("queue name:{}", queueName);
+    Queue resourceQueue() {
+        String queueName = new Base64UrlNamingStrategy(appName + ".").generateName() + RESOURCE_QUEUE_SUFFIX;
+        log.info("resource queue name:{}", queueName);
         return new Queue(queueName, false);
     }
 
+
+    /**
+     * 交换机
+     *
+     * @return {@link TopicExchange}
+     */
     @Bean
     TopicExchange exchange() {
         log.info("exchange:{}", EXCHANGE_NAME);
         return new TopicExchange(EXCHANGE_NAME);
     }
 
+
+    /**
+     * 绑定资源更新的队列
+     *
+     * @param queue    队列
+     * @param exchange 交换机
+     * @return {@link Binding}
+     */
     @Bean
-    Binding binding(Queue queue, TopicExchange exchange) {
-        log.info("binding {} to {} with {}", queue, exchange, ROUTING_KEY);
-        return BindingBuilder.bind(queue).to(exchange).with(ROUTING_KEY);
+    Binding resourceBinding(@Qualifier("resourceQueue") Queue queue, TopicExchange exchange) {
+        log.info("binding {} to {} with {}", queue, exchange, RESOURCE_ROUTING_KEY);
+        return BindingBuilder.bind(queue).to(exchange).with(RESOURCE_ROUTING_KEY);
     }
 
+
+
+
+    ////////////////////
+    ////////////////////  资源更新相关配置
+    ////////////////////
     @Bean
-    SimpleMessageListenerContainer simpleMessageListenerContainer(ConnectionFactory connectionFactory, MessageListenerAdapter messageListenerAdapter, Queue queue) {
-        log.info("init simpleMessageListenerContainer {}", queue.getName());
+    SimpleMessageListenerContainer resourceMessageListenerContainer(ConnectionFactory connectionFactory, @Qualifier("resourceMessageListenerAdapter") MessageListenerAdapter messageListenerAdapter, @Qualifier("resourceQueue") Queue queue) {
+        log.info("init resourceMessageListenerContainer {}", queue.getName());
         SimpleMessageListenerContainer container = new SimpleMessageListenerContainer(connectionFactory);
         container.setQueueNames(queue.getName());
         container.setMessageListener(messageListenerAdapter);
         return container;
     }
 
+
     @Bean
-    MessageListenerAdapter messageListenerAdapter(BusReceiver busReceiver, MessageConverter messageConverter) {
+    MessageListenerAdapter resourceMessageListenerAdapter(ResourceBusReceiver resourceBusReceiver, @Qualifier("resourceMessageConverter") MessageConverter messageConverter) {
         log.info("new listener");
-        return new MessageListenerAdapter(busReceiver, messageConverter);
+        return new MessageListenerAdapter(resourceBusReceiver, messageConverter);
     }
 
     @Bean
-    public MessageConverter messageConverter() {
+    public MessageConverter resourceMessageConverter() {
         ObjectMapper objectMapper = new ObjectMapper();
         objectMapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
         return new ContentTypeDelegatingMessageConverter(new Jackson2JsonMessageConverter(objectMapper));
     }
+
+
+
 }

auth/authentication-server/src/main/java/com/springboot/cloud/auth/authentication/events/BusReceiver.java renamed to auth/authentication-server/src/main/java/com/springboot/cloud/auth/authentication/events/ResourceBusReceiver.java

@@ -8,7 +8,7 @@
 
 @Component
 @Slf4j
-public class BusReceiver {
+public class ResourceBusReceiver {
 
     @Autowired
     private ResourceService resourceService;

auth/authentication-server/src/main/java/com/springboot/cloud/auth/authentication/provider/ResourceProvider.java

@@ -1,11 +1,13 @@
 package com.springboot.cloud.auth.authentication.provider;
 
-import com.springboot.cloud.sysadmin.organization.entity.po.Resource;
 import com.springboot.cloud.common.core.entity.vo.Result;
+import com.springboot.cloud.sysadmin.facade.dto.GroupDTO;
+import com.springboot.cloud.sysadmin.facade.dto.PermissionDTO;
+import com.springboot.cloud.sysadmin.organization.entity.po.Resource;
 import org.springframework.cloud.openfeign.FeignClient;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.*;
 
+import java.util.List;
 import java.util.Set;
 
 @FeignClient(name = "organization", fallback = ResourceProviderFallback.class)
@@ -16,4 +18,10 @@ public interface ResourceProvider {
 
     @GetMapping(value = "/resource/user/{username}")
     Result<Set<Resource>> resources(@PathVariable("username") String username);
+
+    @PostMapping(value = "/permission/group")
+    Result<List<PermissionDTO>> permissions(@RequestBody PermissionDTO permissionDTO);
+
+    @GetMapping(value = "/group/user/{username}")
+    Result<List<GroupDTO>> groups(@PathVariable("username") String username);
 }