fix api can be accessed by any role when accessRole not config (#83)

core/src/main/java/com/usthe/sureness/processor/BaseProcessor.java

@@ -55,9 +55,8 @@ public SubjectSum process(Subject var) throws SurenessAuthenticationException, S
     public void authorized(Subject var) throws SurenessAuthorizationException {
         List<String> ownRoles = (List<String>)var.getOwnRoles();
         List<String> supportRoles = (List<String>)var.getSupportRoles();
-        if (supportRoles == null || supportRoles.isEmpty()) {
-            return;
-        } else if (ownRoles != null && supportRoles.stream().anyMatch(ownRoles::contains)) {
+        if (supportRoles != null && !supportRoles.isEmpty() && ownRoles != null
+                && supportRoles.stream().anyMatch(ownRoles::contains)) {
             return;
         }
         throw new UnauthorizedException("do not have the role to access resource");

core/src/main/java/com/usthe/sureness/processor/support/NoneProcessor.java

@@ -2,15 +2,12 @@
 
 import com.usthe.sureness.processor.BaseProcessor;
 import com.usthe.sureness.processor.exception.SurenessAuthenticationException;
-import com.usthe.sureness.processor.exception.SurenessAuthorizationException;
-import com.usthe.sureness.processor.exception.UnauthorizedException;
 import com.usthe.sureness.processor.exception.UnknownAccountException;
 import com.usthe.sureness.subject.Subject;
 import com.usthe.sureness.subject.support.NoneSubject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.List;
 
 /**
  * the processor support nonToken
@@ -36,16 +33,4 @@ public Class<?> getSupportSubjectClass() {
     public Subject authenticated(Subject var) throws SurenessAuthenticationException {
         throw new UnknownAccountException("the request do not have the auth detail, please input your auth");
     }
-
-    @SuppressWarnings("unchecked")
-    @Override
-    public void authorized(Subject var) throws SurenessAuthorizationException {
-        List<String> supportRoles = (List<String>)var.getSupportRoles();
-        if (supportRoles != null && !supportRoles.isEmpty()) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("NoneProcessor authorized fail, due {} need role access", var.getTargetResource());
-            }
-            throw new UnauthorizedException("authorized forbidden, the request do not have the role access");
-        }
-    }
 }

core/src/main/resources/sureness-sample.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]

core/src/test/java/com/usthe/sureness/mgt/SurenessSecurityManagerTest.java

@@ -47,7 +47,7 @@ void checkInBasicAuth() {
 
         expect(request.getHeader(AUTHORIZATION)).andStubReturn(BASIC + " "
                 + new String(Base64.getEncoder().encode("admin:admin".getBytes(StandardCharsets.UTF_8))));
-        expect(request.getRequestURI()).andStubReturn("/api/v1/book");
+        expect(request.getRequestURI()).andStubReturn("/api/v2/host");
         expect(request.getMethod()).andStubReturn("put");
         expect(request.getRemoteHost()).andStubReturn("192.167.2.1");
         replay(request);
@@ -56,7 +56,7 @@ void checkInBasicAuth() {
         assertNotNull(subjectSum.get());
         assertEquals("admin", subjectSum.get().getPrincipal());
         assertTrue(subjectSum.get().hasAllRoles(Arrays.asList("role1","role2")));
-        assertEquals("/api/v1/book===put", subjectSum.get().getTargetResource());
+        assertEquals("/api/v2/host===put", subjectSum.get().getTargetResource());
         verify(request);
 
         reset(request);
@@ -77,7 +77,7 @@ void checkInJwtAuth() {
                 null, Boolean.FALSE);
         HttpServletRequest request = createNiceMock(HttpServletRequest.class);
         expect(request.getHeader(AUTHORIZATION)).andStubReturn(BEARER + " " + jwt);
-        expect(request.getRequestURI()).andStubReturn("/api/v2/book");
+        expect(request.getRequestURI()).andStubReturn("/api/v1/source1");
         expect(request.getMethod()).andStubReturn("get");
         expect(request.getRemoteHost()).andStubReturn("192.167.2.1");
         replay(request);
@@ -86,7 +86,7 @@ void checkInJwtAuth() {
         assertNotNull(subjectSum.get());
         assertEquals("tom", subjectSum.get().getPrincipal());
         assertTrue(subjectSum.get().hasAllRoles(Arrays.asList("role2","role3")));
-        assertEquals("/api/v2/book===get", subjectSum.get().getTargetResource());
+        assertEquals("/api/v1/source1===get", subjectSum.get().getTargetResource());
         verify(request);
     }
 }

docs/cn/default-datasource.md

@@ -12,8 +12,8 @@
 
 # 加载到匹配字典的资源,也就是需要被保护的,设置了所支持角色访问的资源
 # 没有配置的资源也默认被认证保护,但不鉴权
-# eg: /api/v1/source1===get===[role2] 表示 /api/v2/host===post 这条资源支持 role2这一种角色访问
-# eg: /api/v1/source2===get===[] 表示 /api/v1/source2===get 这条资源支持所有角色或无角色访问 前提是认证成功
+# eg: /api/v1/source1===get===[role2] 表示 /api/v2/host===post 这条资源支持 role2 这一种角色访问
+# eg: /api/v1/source2===get===[] 表示 /api/v1/source2===get 这条资源不支持任何角色访问
 resourceRole:
   - /api/v1/source1===get===[role2]
   - /api/v1/source1===delete===[role3]

docs/default-datasource.md

@@ -10,8 +10,8 @@ eg:
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]

sample-bootstrap/src/main/resources/sureness.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]

sample-tom/src/main/java/com/usthe/sureness/sample/tom/sureness/processor/CustomTokenProcessor.java

@@ -83,9 +83,8 @@ public Subject authenticated(Subject var) throws SurenessAuthenticationException
     public void authorized(Subject var) throws SurenessAuthorizationException {
         List<String> ownRoles = (List<String>)var.getOwnRoles();
         List<String> supportRoles = (List<String>)var.getSupportRoles();
-        if (supportRoles == null || supportRoles.isEmpty()) {
-            return;
-        } else if (ownRoles != null && supportRoles.stream().anyMatch(ownRoles::contains)) {
+        if (supportRoles != null && !supportRoles.isEmpty() && ownRoles != null
+                && supportRoles.stream().anyMatch(ownRoles::contains)) {
             return;
         }
         throw new UnauthorizedException("custom authorized: do not have the role to access resource");

sample-tom/src/main/resources/sureness.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v1/getSource3===get===[]

samples/javalin-sureness/src/main/resources/sureness.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]

samples/ktor-sureness/resources/sureness.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]

samples/quarkus-sureness/src/main/resources/sureness.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]

samples/spring-webflux-sureness/src/main/resources/sureness.yml

@@ -2,8 +2,8 @@
 
 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
   - /api/v2/host===post===[role2,role3,role4]
   - /api/v2/host===get===[role2,role3,role4]