🐛 Fix decoding permission nodes from db

This commit is contained in:
LittleSheep 2024-05-17 20:34:34 +08:00
parent 1e2d5e9f9d
commit ebef35a619
4 changed files with 44 additions and 38 deletions

View File

@ -838,50 +838,50 @@ false Zulu
<Replication>1</Replication> <Replication>1</Replication>
<SuperRole>1</SuperRole> <SuperRole>1</SuperRole>
</role> </role>
<role id="8" parent="1" name="pg_checkpoint"> <role id="8" parent="1" name="pg_database_owner">
<ObjectId>4544</ObjectId>
</role>
<role id="9" parent="1" name="pg_create_subscription">
<ObjectId>6304</ObjectId>
</role>
<role id="10" parent="1" name="pg_database_owner">
<ObjectId>6171</ObjectId> <ObjectId>6171</ObjectId>
</role> </role>
<role id="11" parent="1" name="pg_execute_server_program"> <role id="9" parent="1" name="pg_read_all_data">
<ObjectId>4571</ObjectId> <ObjectId>6181</ObjectId>
</role> </role>
<role id="12" parent="1" name="pg_monitor"> <role id="10" parent="1" name="pg_write_all_data">
<ObjectId>6182</ObjectId>
</role>
<role id="11" parent="1" name="pg_monitor">
<ObjectId>3373</ObjectId> <ObjectId>3373</ObjectId>
<RoleGrants>3374 <RoleGrants>3374
3375 3375
3377</RoleGrants> 3377</RoleGrants>
</role> </role>
<role id="13" parent="1" name="pg_read_all_data"> <role id="12" parent="1" name="pg_read_all_settings">
<ObjectId>6181</ObjectId>
</role>
<role id="14" parent="1" name="pg_read_all_settings">
<ObjectId>3374</ObjectId> <ObjectId>3374</ObjectId>
</role> </role>
<role id="15" parent="1" name="pg_read_all_stats"> <role id="13" parent="1" name="pg_read_all_stats">
<ObjectId>3375</ObjectId> <ObjectId>3375</ObjectId>
</role> </role>
<role id="16" parent="1" name="pg_read_server_files"> <role id="14" parent="1" name="pg_stat_scan_tables">
<ObjectId>4569</ObjectId>
</role>
<role id="17" parent="1" name="pg_signal_backend">
<ObjectId>4200</ObjectId>
</role>
<role id="18" parent="1" name="pg_stat_scan_tables">
<ObjectId>3377</ObjectId> <ObjectId>3377</ObjectId>
</role> </role>
<role id="19" parent="1" name="pg_use_reserved_connections"> <role id="15" parent="1" name="pg_read_server_files">
<ObjectId>4569</ObjectId>
</role>
<role id="16" parent="1" name="pg_write_server_files">
<ObjectId>4570</ObjectId>
</role>
<role id="17" parent="1" name="pg_execute_server_program">
<ObjectId>4571</ObjectId>
</role>
<role id="18" parent="1" name="pg_signal_backend">
<ObjectId>4200</ObjectId>
</role>
<role id="19" parent="1" name="pg_checkpoint">
<ObjectId>4544</ObjectId>
</role>
<role id="20" parent="1" name="pg_use_reserved_connections">
<ObjectId>4550</ObjectId> <ObjectId>4550</ObjectId>
</role> </role>
<role id="20" parent="1" name="pg_write_all_data"> <role id="21" parent="1" name="pg_create_subscription">
<ObjectId>6182</ObjectId> <ObjectId>6304</ObjectId>
</role>
<role id="21" parent="1" name="pg_write_server_files">
<ObjectId>4570</ObjectId>
</role> </role>
<role id="22" parent="1" name="postgres"> <role id="22" parent="1" name="postgres">
<CanLogin>1</CanLogin> <CanLogin>1</CanLogin>

13
.idea/workspace.xml generated
View File

@ -4,13 +4,10 @@
<option name="autoReloadType" value="ALL" /> <option name="autoReloadType" value="ALL" />
</component> </component>
<component name="ChangeListManager"> <component name="ChangeListManager">
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Bug fixes of permission check"> <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Check permissions GRPC method">
<change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" afterDir="false" />
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" /> <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
<change beforePath="$PROJECT_DIR$/pkg/grpc/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/auth.go" afterDir="false" /> <change beforePath="$PROJECT_DIR$/pkg/grpc/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/auth.go" afterDir="false" />
<change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" afterDir="false" />
<change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" afterDir="false" />
<change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" afterDir="false" />
<change beforePath="$PROJECT_DIR$/pkg/server/auth_middleware.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/server/auth_middleware.go" afterDir="false" />
<change beforePath="$PROJECT_DIR$/pkg/services/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/auth.go" afterDir="false" /> <change beforePath="$PROJECT_DIR$/pkg/services/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/auth.go" afterDir="false" />
</list> </list>
<option name="SHOW_DIALOG" value="false" /> <option name="SHOW_DIALOG" value="false" />
@ -49,7 +46,7 @@
<component name="PropertiesComponent"><![CDATA[{ <component name="PropertiesComponent"><![CDATA[{
"keyToString": { "keyToString": {
"DefaultGoTemplateProperty": "Go File", "DefaultGoTemplateProperty": "Go File",
"Go 构建.Backend.executor": "Run", "Go 构建.Backend.executor": "Debug",
"RunOnceActivity.ShowReadmeOnStart": "true", "RunOnceActivity.ShowReadmeOnStart": "true",
"RunOnceActivity.go.formatter.settings.were.checked": "true", "RunOnceActivity.go.formatter.settings.were.checked": "true",
"RunOnceActivity.go.migrated.go.modules.settings": "true", "RunOnceActivity.go.migrated.go.modules.settings": "true",
@ -144,7 +141,6 @@
</option> </option>
</component> </component>
<component name="VcsManagerConfiguration"> <component name="VcsManagerConfiguration">
<MESSAGE value=":truck: Update well known" />
<MESSAGE value=":sparkles: Others userinfo" /> <MESSAGE value=":sparkles: Others userinfo" />
<MESSAGE value=":lipstick: Fix ui design" /> <MESSAGE value=":lipstick: Fix ui design" />
<MESSAGE value=":bug: Bug fixes of design" /> <MESSAGE value=":bug: Bug fixes of design" />
@ -169,7 +165,8 @@
<MESSAGE value=":sparkles: Permission check" /> <MESSAGE value=":sparkles: Permission check" />
<MESSAGE value=":zap: In memory auth context cache" /> <MESSAGE value=":zap: In memory auth context cache" />
<MESSAGE value=":sparkles: Bug fixes of permission check" /> <MESSAGE value=":sparkles: Bug fixes of permission check" />
<option name="LAST_COMMIT_MESSAGE" value=":sparkles: Bug fixes of permission check" /> <MESSAGE value=":sparkles: Check permissions GRPC method" />
<option name="LAST_COMMIT_MESSAGE" value=":sparkles: Check permissions GRPC method" />
</component> </component>
<component name="VgoProject"> <component name="VgoProject">
<settings-migrated>true</settings-migrated> <settings-migrated>true</settings-migrated>

View File

@ -48,9 +48,13 @@ func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*prot
return nil, err return nil, err
} }
var heldPerms map[string]any
rawHeldPerms, _ := jsoniter.Marshal(ctx.Account.PermNodes)
_ = jsoniter.Unmarshal(rawHeldPerms, &heldPerms)
var value any var value any
_ = jsoniter.Unmarshal(in.GetValue(), &value) _ = jsoniter.Unmarshal(in.GetValue(), &value)
perms := services.FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims) perms := services.FilterPermNodes(heldPerms, ctx.Ticket.Claims)
valid := services.HasPermNode(perms, in.GetKey(), value) valid := services.HasPermNode(perms, in.GetKey(), value)
return &proto.CheckPermReply{ return &proto.CheckPermReply{

View File

@ -2,6 +2,7 @@ package services
import ( import (
"fmt" "fmt"
jsoniter "github.com/json-iterator/go"
"time" "time"
"git.solsynth.dev/hydrogen/passport/pkg/models" "git.solsynth.dev/hydrogen/passport/pkg/models"
@ -30,7 +31,11 @@ func Authenticate(access, refresh string, depth int) (ctx models.AuthContext, pe
newRefresh = refresh newRefresh = refresh
if ctx, err = GetAuthContext(claims.ID); err == nil { if ctx, err = GetAuthContext(claims.ID); err == nil {
perms = FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims) var heldPerms map[string]any
rawHeldPerms, _ := jsoniter.Marshal(ctx.Account.PermNodes)
_ = jsoniter.Unmarshal(rawHeldPerms, &heldPerms)
perms = FilterPermNodes(heldPerms, ctx.Ticket.Claims)
return return
} }