Merge pull request #19 from TencentBlueKing/develop

update to 1.8.4
TencentBlueKing · Aug 17, 2021 · d1885d0 · d1885d0
2 parents 3f4d8f4 + 611e587
commit d1885d0
Show file tree

Hide file tree

Showing 18 changed files with 349 additions and 439 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.8.3
+1.8.4
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
@@ -14,7 +14,10 @@
 
 新建issues 时请提供详细的描述、截屏或者短视频来辅助我们定位问题
 
-### [分支管理](./VERSION.md)
+### 分支管理
+
+- develop: 开发分支, 所有PR 统一推到develop
+- master: 稳定分支, 验证通过的develop合并
 
 ###  Pull Requests
 

diff --git a/pkg/abac/pdp/condition/base_condition_test.go b/pkg/abac/pdp/condition/base_condition_test.go
@@ -23,51 +23,31 @@ func (c ctx) GetAttr(key string) (interface{}, error) {
 	return int(c), nil
 }
 
-func (c ctx) GetFullNameAttr(key string) (interface{}, error) {
-	return "test", nil
-}
-
 type strCtx string
 
 func (c strCtx) GetAttr(key string) (interface{}, error) {
 	return string(c), nil
 }
 
-func (c strCtx) GetFullNameAttr(key string) (interface{}, error) {
-	return "test", nil
-}
-
 type boolCtx bool
 
 func (c boolCtx) GetAttr(key string) (interface{}, error) {
 	return bool(c), nil
 }
 
-func (c boolCtx) GetFullNameAttr(key string) (interface{}, error) {
-	return "test", nil
-}
-
 type listCtx []interface{}
 
 func (c listCtx) GetAttr(key string) (interface{}, error) {
 	x := []interface{}(c)
 	return x, nil
 }
 
-func (c listCtx) GetFullNameAttr(key string) (interface{}, error) {
-	return "test", nil
-}
-
 type errCtx int
 
 func (c errCtx) GetAttr(key string) (interface{}, error) {
 	return nil, errors.New("missing key")
 }
 
-func (c errCtx) GetFullNameAttr(key string) (interface{}, error) {
-	return nil, errors.New("missing key")
-}
-
 var _ = Describe("BaseCondition", func() {
 
 	Describe("GetValues", func() {

diff --git a/pkg/abac/pdp/condition/condition_test.go b/pkg/abac/pdp/condition/condition_test.go
@@ -521,205 +521,3 @@ var _ = Describe("Condition", func() {
 	})
 
 })
-
-//func TestConditions_Eval(t *testing.T) {
-//	conditions, err := NewConditionByJSON([]byte(`{
-//		"OR": {
-//			"content": [
-//				{
-//					"AND": {
-//						"content": [
-//							{
-//								"StringEquals": {
-//									"system": ["linux"]
-//								}
-//							},
-//							{
-//								"StringPrefix": {
-//									"path": ["/biz,1/"]
-//								}
-//							}
-//						]
-//					}
-//				},
-//				{
-//					"NumericEquals": {
-//						"number": [1]
-//					}
-//				},
-//				{
-//					"Bool": {
-//						"online": [true]
-//					}
-//				}
-//			]
-//		}
-//	}`))
-//
-//	assert.NoError(t, err)
-//
-//	type args struct {
-//		ctx pdptypes.AttributeGetter
-//	}
-//	tests := []struct {
-//		name string
-//		cs   Condition
-//		args args
-//		want bool
-//	}{
-//		{
-//			name: "right",
-//			cs:   conditions,
-//			args: args{
-//				ctx: &pdptypes.ExprContext{
-//					Request: &request.Request{
-//						System: "iam",
-//						Subject: types.Subject{
-//							Type: "user",
-//							ID:   "admin",
-//						},
-//						Action: types.Action{
-//							ID: "execute_job",
-//						},
-//					},
-//					Resource: &types.Resource{
-//						System: "iam",
-//						Type:   "job",
-//						ID:     "job1",
-//						Attribute: map[string]interface{}{
-//							"path":   []interface{}{"/biz,1/set,2/", "/biz,1/set,3/"},
-//							"system": "linux",
-//							"owner":  "admin",
-//						},
-//					},
-//				},
-//			},
-//			want: true,
-//		},
-//		{
-//			name: "wrong_path",
-//			cs:   conditions,
-//			args: args{
-//				ctx: &pdptypes.ExprContext{
-//					Request: &request.Request{
-//						System: "iam",
-//						Subject: types.Subject{
-//							Type: "user",
-//							ID:   "admin",
-//						},
-//						Action: types.Action{
-//							ID: "execute_job",
-//						},
-//					},
-//					Resource: &types.Resource{
-//						System: "iam",
-//						Type:   "job",
-//						ID:     "job1",
-//						Attribute: map[string]interface{}{
-//							"path":   []interface{}{"/biz,2/set,3"},
-//							"system": "linux",
-//							"owner":  "admin",
-//						},
-//					},
-//				},
-//			},
-//			want: false,
-//		},
-//		{
-//			name: "or_bool",
-//			cs:   conditions,
-//			args: args{
-//				ctx: &pdptypes.ExprContext{
-//					Request: &request.Request{
-//						System: "iam",
-//						Subject: types.Subject{
-//							Type: "user",
-//							ID:   "admin",
-//						},
-//						Action: types.Action{
-//							ID: "execute_job",
-//						},
-//					},
-//					Resource: &types.Resource{
-//						System: "iam",
-//						Type:   "job",
-//						ID:     "job1",
-//						Attribute: map[string]interface{}{
-//							"online": true,
-//						},
-//					},
-//				},
-//			},
-//			want: true,
-//		},
-//		{
-//			name: "or_number_eq",
-//			cs:   conditions,
-//			args: args{
-//				ctx: &pdptypes.ExprContext{
-//					Request: &request.Request{
-//						System: "iam",
-//						Subject: types.Subject{
-//							Type: "user",
-//							ID:   "admin",
-//						},
-//						Action: types.Action{
-//							ID: "execute_job",
-//						},
-//					},
-//					Resource: &types.Resource{
-//						System: "iam",
-//						Type:   "job",
-//						ID:     "job1",
-//						Attribute: map[string]interface{}{
-//							"number": float64(1),
-//						},
-//					},
-//				},
-//			},
-//			want: true,
-//		},
-//	}
-//	for _, tt := range tests {
-//		t.Run(tt.name, func(t *testing.T) {
-//			if got := tt.cs.Eval(tt.args.ctx); got != tt.want {
-//				t.Errorf("Conditions.Eval() = %v, want %v", got, tt.want)
-//			}
-//		})
-//	}
-//}
-//
-//func TestNewConditionByJSON(t *testing.T) {
-//	type args struct {
-//		data []byte
-//	}
-//	tests := []struct {
-//		name    string
-//		args    args
-//		want    Condition
-//		wantErr bool
-//	}{
-//		,
-//		{
-//			name: "any",
-//			args: args{
-//				data: []byte(`{
-//					"Any": {"id": []}
-//				}`),
-//			},
-//			wantErr: false,
-//			want:    &AnyCondition{baseCondition: baseCondition{Key: "id", Value: []interface{}{}}},
-//		},
-//	}
-//	for _, tt := range tests {
-//		t.Run(tt.name, func(t *testing.T) {
-//			got, err := NewConditionByJSON(tt.args.data)
-//			if (err != nil) != tt.wantErr {
-//				t.Errorf("NewConditionByJSON() error = %v, wantErr %v", err, tt.wantErr)
-//				return
-//			}
-//			assert.Equal(t, got, tt.want)
-//		})
-//	}
-//}
-//
diff --git a/pkg/abac/pdp/condition/policy.go b/pkg/abac/pdp/condition/policy.go
@@ -65,13 +65,24 @@ func ParseResourceConditionFromExpression(
 	policyExpression string,
 	policyExpressionSignature string,
 ) (Condition, error) {
+	// TODO: newExpression, 对于这里的改造,
+	//       - 需要支持兼容老的 []types.ResourceExpression
+	//       - 需要支持新的 condition(这里就是一个表达式, 或者一个 AND/OR嵌套的condition
+	// TODO 问题:  这里返回的是命中类型的condition, 一旦支持 and/or嵌套, 将无法返回指定的 condition => getKeys or EvalForPass
+	//            - 原来的逻辑Eval可以通过两阶段计算, 得到结果 -> 进而达到 filter policies的目的
+	//              => 0. 从上层解决, 而不是从这一层解决(这一层解决不了)
+	//              => 1. 变更现有的filter逻辑, 构造好, 直接执行! 去掉 filterPolicies (EVAL)
+	//              => 2. 支持 eval part, 得到的是表达式的剩余无法计算的部分 (EvalPart => For query)
+
 	expressions, err := impls.GetUnmarshalledResourceExpression(policyExpression, policyExpressionSignature)
 	if err != nil {
 		err = fmt.Errorf("pdp impls.GetUnmarshalledResourceExpression expression=`%s`,signature=`%s` fail %w",
 			policyExpression, policyExpressionSignature, err)
 		return nil, err
 	}
 
+	// TODO: newExpression, got an expression, only get part of them(specific resource_type)
+
 	// NOTE: 这里只会返回第一个condition
 	for _, expression := range expressions {
 		if resource.System == expression.System && resource.Type == expression.Type {

diff --git a/pkg/abac/pdp/evaluation/evaluation.go b/pkg/abac/pdp/evaluation/evaluation.go
@@ -76,6 +76,8 @@ func EvalPolicy(ctx *pdptypes.ExprContext, policy types.AuthPolicy) (bool, error
 		return false, fmt.Errorf("evalPolicy action: %s get resource nil", ctx.Action.ID)
 	}
 
+	// TODO: newExpression, 两阶段计算
+
 	cond, err := condition.ParseResourceConditionFromExpression(ctx.Resource,
 		policy.Expression,
 		policy.ExpressionSignature)

diff --git a/pkg/abac/pdp/translate/expression.go b/pkg/abac/pdp/translate/expression.go
@@ -46,27 +46,34 @@ func PoliciesTranslate(
 				policy.ID, policy.Expression, resourceTypeSet)
 			return nil, err
 		}
+		// NOTE: if got an `any`, return `any`!
+		if condition.Op() == "any" {
+			return ExprCell{
+				"op":    "any",
+				"field": "",
+				"value": []string{},
+			}, nil
+		}
+
 		content = append(content, condition)
+
 	}
 
+	// merge same field `eq` and `in`; to `in`
 	if len(content) > 1 {
 		// 合并条件中field相同, op为eq, in的条件
 		content = mergeContentField(content)
 	}
 
-	var policiesCondition ExprCell
-
 	switch len(content) {
 	case 1:
-		policiesCondition = content[0]
+		return content[0], nil
 	default:
-		policiesCondition = ExprCell{
+		return ExprCell{
 			"op":      "OR",
 			"content": content,
-		}
+		}, nil
 	}
-
-	return policiesCondition, nil
 }
 
 // PolicyTranslate ...
@@ -76,6 +83,7 @@ func PolicyTranslate(
 ) (ExprCell, error) {
 	errorWrapf := errorx.NewLayerFunctionErrorWrapf(Translate, "PolicyTranslate")
 
+	// TODO: newExpression, do translate here
 	expressions := []pdptypes.ResourceExpression{}
 
 	// NOTE: if expression == "" or expression == "[]", all return any
@@ -88,7 +96,7 @@ func PolicyTranslate(
 		}
 	}
 
-	// 注意, 如果resourceType不匹配, 那么最终会返回any
+	// 注意, 如果resourceType不匹配, 那么最终会返回any => 这里有没有问题? 两阶段计算?
 	content := make([]ExprCell, 0, len(expressions))
 	for _, expression := range expressions {
 		key := expression.System + ":" + expression.Type
@@ -113,6 +121,7 @@ func PolicyTranslate(
 	case 1:
 		return content[0], nil
 	default:
+		// NOTE: 这里是满足 一个操作依赖两个资源的场景, 所以是 AND => 两阶段计算
 		return ExprCell{
 			"op":      "AND",
 			"content": content,