casgate · C0de4you · May 7, 2024 · May 8, 2024 · May 9, 2024 · May 16, 2024
diff --git a/authz/authz.go b/authz/authz.go
@@ -21,97 +21,19 @@ import (
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
-	stringadapter "github.com/qiangmzsx/string-adapter/v2"
 )
 
-var Enforcer *casbin.Enforcer
+var casbinEnforcer *casbin.SyncedEnforcer
 
-func InitApi() {
-	e, err := object.GetInitializedEnforcer(util.GetId("built-in", "api-enforcer-built-in"))
+func InitApi(enforcer *casbin.SyncedEnforcer) error {
+	casbinEnforcer = enforcer
+
+	err := object.InitCasbinPolicy()
 	if err != nil {
-		panic(err)
+		return err
 	}
 
-	Enforcer = e.Enforcer
-	Enforcer.ClearPolicy()
-
-	// if len(Enforcer.GetPolicy()) == 0 {
-	if true {
-		ruleText := `
-p, built-in, *, *, *, *, *
-p, app, *, *, *, *, *
-p, *, *, POST, /api/signup, *, *
-p, *, *, GET, /api/get-email-and-phone, *, *
-p, *, *, POST, /api/login, *, *
-p, *, *, GET, /api/get-app-login, *, *
-p, *, *, POST, /api/logout, *, *
-p, *, *, GET, /api/logout, *, *
-p, *, *, POST, /api/callback, *, *
-p, *, *, GET, /api/get-account, *, *
-p, *, *, GET, /api/userinfo, *, *
-p, *, *, GET, /api/user, *, *
-p, *, *, GET, /api/health, *, *
-p, *, !anonymous, POST, /api/webhook, *, *
-p, *, *, GET, /api/get-webhook-event, *, *
-p, *, *, GET, /api/get-captcha-status, *, *
-p, *, *, *, /api/login/oauth, *, *
-p, *, *, GET, /api/get-application, *, *
-p, *, !anonymous, POST, /api/add-application, *, *
-p, *, *, GET, /api/get-organization-applications, *, *
-p, *, !anonymous, GET, /api/get-user, *, *
-p, *, *, GET, /api/get-user-application, *, *
-p, *, !anonymous, GET, /api/get-resources, *, *
-p, *, !anonymous, GET, /api/get-records, *, *
-p, *, !anonymous, GET, /api/get-product, *, *
-p, *, !anonymous, POST, /api/buy-product, *, *
-p, *, !anonymous, GET, /api/get-payment, *, *
-p, *, !anonymous, POST, /api/update-payment, *, *
-p, *, !anonymous, POST, /api/invoice-payment, *, *
-p, *, !anonymous, POST, /api/notify-payment, *, *
-p, *, *, POST, /api/unlink, *, *
-p, *, *, POST, /api/set-password, *, *
-p, *, *, POST, /api/send-verification-code, *, *
-p, *, *, GET, /api/get-captcha, *, *
-p, *, *, POST, /api/verify-captcha, *, *
-p, *, *, POST, /api/verify-code, *, *
-p, *, *, POST, /api/reset-email-or-phone, *, *
-p, *, !anonymous, POST, /api/upload-resource, *, *
-p, *, *, GET, /.well-known/openid-configuration, *, *
-p, *, *, *, /.well-known/jwks, *, *
-p, *, *, GET, /api/get-saml-login, *, *
-p, *, *, POST, /api/acs, *, *
-p, *, *, GET, /api/saml/metadata, *, *
-p, *, *, *, /cas, *, *
-p, *, *, *, /api/webauthn, *, *
-p, *, *, GET, /api/get-release, *, *
-p, *, *, GET, /api/get-default-application, *, *
-p, *, *, GET, /api/get-prometheus-info, *, *
-p, *, *, *, /api/metrics, *, *
-p, *, *, GET, /api/get-pricing, *, *
-p, *, *, GET, /api/get-plan, *, *
-p, *, !anonymous, GET, /api/get-subscriptions, *, *
-p, *, !anonymous, GET, /api/get-subscription, *, *
-p, *, *, GET, /api/get-provider, *, *
-p, *, *, GET, /api/get-organization-names, *, *
-p, *, *, GET, /api/get-ldap-server-names, *, *
-p, *, !anonymous, POST, /api/add-user-id-provider, *, *
-`
-
-		sa := stringadapter.NewAdapter(ruleText)
-		// load all rules from string adapter to enforcer's memory
-		err := sa.LoadPolicy(Enforcer.GetModel())
-		if err != nil {
-			panic(err)
-		}
-
-		// save all rules from enforcer's memory to Xorm adapter (DB)
-		// same as:
-		// a.SavePolicy(Enforcer.GetModel())
-		err = Enforcer.SavePolicy()
-		if err != nil {
-			panic(err)
-		}
-	}
+	return nil
 }
 
 func IsAllowed(subOwner string, subName string, method string, urlPath string, objOwner string, objName string, id string) bool {
@@ -126,28 +48,13 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 		panic(err)
 	}
 
-	if subOwner == "app" {
-		return true
-	}
-
-	if id != "" {
-		objIdOwner, _ := util.GetOwnerAndNameFromIdNoCheck(id)
-		if subOwner != "built-in" && objIdOwner != objOwner {
-			return false
-		}
-	}
-
 	if user != nil {
 		if user.IsDeleted {
 			return false
 		}
-
-		if user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
-			return true
-		}
 	}
 
-	res, err := Enforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)
+	res, err := casbinEnforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)
 	if err != nil {
 		panic(err)
 	}

diff --git a/conf/app.conf b/conf/app.conf
@@ -3,7 +3,7 @@ httpport = 8000
 runmode = dev
 copyrequestbody = true
 driverName = mysql
-dataSourceName = root:root@tcp(localhost:3306)/
+dataSourceName = root:123456@tcp(db:3306)/
 dbName = casdoor
 tableNamePrefix =
 showSql = false

diff --git a/controllers/session.go b/controllers/session.go
@@ -77,9 +77,16 @@ func (c *ApiController) GetSessions() {
 // @Success 200 {array} string The Response object
 // @router /get-session [get]
 func (c *ApiController) GetSingleSession() {
-	id := c.Input().Get("sessionPkId")
+	pkId := c.Input().Get("sessionPkId")
+	id := c.Input().Get("id")
+	idOwner, idName := util.GetOwnerAndNameFromId(id)
+	pkIdOwner, pkIdName, _ := util.GetOwnerAndNameAndOtherFromId(pkId)
+	if idOwner != pkIdOwner || idName != pkIdName {
+		c.ResponseUnauthorized(c.T("auth:Unauthorized operation"))
+		return
+	}
 
-	session, err := object.GetSingleSession(id)
+	session, err := object.GetSingleSession(pkId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,11 +10,13 @@ services:
     ports:
       - "8000:8000"
     depends_on:
-      - db
+      db:
+        condition: service_healthy
     environment:
       RUNNING_IN_DOCKER: "true"
     volumes:
       - ./conf:/conf/
+
   db:
     restart: always
     image: mysql:8.0.25
@@ -25,3 +27,8 @@ services:
       MYSQL_ROOT_PASSWORD: 123456
     volumes:
       - /usr/local/docker/mysql:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      timeout: 10s
+      retries: 10
+      interval: 5s
diff --git a/go.mod b/go.mod
@@ -37,7 +37,6 @@ require (
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.11.1
 	github.com/prometheus/client_model v0.3.0
-	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
@@ -90,6 +89,7 @@ require (
 	github.com/blinkbean/dingtalk v0.0.0-20210905093040-7d935c0f7e19 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bwmarrin/discordgo v0.27.1 // indirect
+	github.com/casbin/xorm-adapter/v2 v2.5.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb // indirect
@@ -210,4 +210,6 @@ require (
 	modernc.org/opt v0.1.1 // indirect
 	modernc.org/strutil v1.1.3 // indirect
 	modernc.org/token v1.0.1 // indirect
+	xorm.io/builder v0.3.7 // indirect
+	xorm.io/xorm v1.0.3 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -75,6 +75,7 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go
 github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc=
 github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
 github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b h1:EgJ6N2S0h1WfFIjU5/VVHWbMSVYXAluop97Qxpr/lfQ=
 github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b/go.mod h1:3SAoF0F5EbcOuBD5WT9nYkbIJieBS84cUQXADbXeBsU=
 github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20221121042443-a3fd332d56d9 h1:vuu1KBsr6l7XU3CHsWESP/4B1SNd+VZkrgeFZsUXrsY=
@@ -101,6 +102,7 @@ github.com/aliyun/alibaba-cloud-sdk-go v1.62.545 h1:0LfzeUr4quwrrrTHn1kfLA0FBdsC
 github.com/aliyun/alibaba-cloud-sdk-go v1.62.545/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs=
 github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible h1:9gWa46nstkJ9miBReJcN8Gq34cBFbzSpQZVVT9N09TM=
 github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
+github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
@@ -147,6 +149,8 @@ github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRt
 github.com/casbin/casbin/v2 v2.37.0/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
+github.com/casbin/xorm-adapter/v2 v2.5.1 h1:BkpIxRHKa0s3bSMx173PpuU7oTs+Zw7XmD0BIta0HGM=
+github.com/casbin/xorm-adapter/v2 v2.5.1/go.mod h1:AeH4dBKHC9/zYxzdPVHhPDzF8LYLqjDdb767CWJoV54=
 github.com/casdoor/go-sms-sender v0.14.0 h1:yqrzWIHUg64OYPynzF5Fr0XDuCWIWxtXIjOQAAkRKuw=
 github.com/casdoor/go-sms-sender v0.14.0/go.mod h1:cQs7qqohMJBgIVZebOCB8ko09naG1vzFJEH59VNIscs=
 github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR/w=
@@ -213,6 +217,7 @@ github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14y
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d h1:1iy2qD6JEhHKKhUOA9IWs7mjco7lnw2qx8FsRI2wirE=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
+github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/denisenkom/go-mssqldb v0.9.0 h1:RSohk2RsiZqLZ0zCjtfn3S4Gp4exhpBWHyQ7D0yGjAk=
 github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/dghubble/oauth1 v0.7.2 h1:pwcinOZy8z6XkNxvPmUDY52M7RDPxt0Xw1zgZ6Cl5JA=
@@ -594,6 +599,7 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
@@ -1012,6 +1018,7 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
 golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20171115151908-9dfe39835686/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1493,3 +1500,7 @@ rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+xorm.io/builder v0.3.7 h1:2pETdKRK+2QG4mLX4oODHEhn5Z8j1m8sXa7jfu+/SZI=
+xorm.io/builder v0.3.7/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
+xorm.io/xorm v1.0.3 h1:3dALAohvINu2mfEix5a5x5ZmSVGSljinoSGgvGbaZp0=
+xorm.io/xorm v1.0.3/go.mod h1:uF9EtbhODq5kNWxMbnBEj8hRRZnlcNSz2t2N7HW/+A4=
diff --git a/main.go b/main.go
@@ -16,6 +16,7 @@ package main
 
 import (
 	"fmt"
+	"log"
 	"net/http"
 
 	"github.com/beego/beego"
@@ -42,12 +43,20 @@ func main() {
 	object.CreateTables()
 	object.DoMigration()
 
+	myEnforcer, err := object.InitCasbinEnforcer()
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	object.InitDb()
 	object.InitFromFile()
 	object.InitDefaultStorageProvider()
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()
-	authz.InitApi()
+	err = authz.InitApi(myEnforcer)
+	if err != nil {
+		log.Fatal(err)
+	}
 	object.InitUserManager()
 
 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })
@@ -79,7 +88,7 @@ func main() {
 	beego.BConfig.WebConfig.Session.SessionCookieLifeTime = 3600 * 24 * 30
 	beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteLaxMode
 
-	err := logs.SetLogger(logs.AdapterFile, conf.GetConfigString("logConfig"))
+	err = logs.SetLogger(logs.AdapterFile, conf.GetConfigString("logConfig"))
 	if err != nil {
 		panic(err)
 	}