Merge pull request #15 from yeqown/feature/refactor-persistence

feature/refactor persistence
yeqown · Apr 1, 2021 · 351b5e3 · 351b5e3
2 parents b16e2f5 + 27236d4
commit 351b5e3
Show file tree

Hide file tree

Showing 54 changed files with 1,379 additions and 1,070 deletions.
diff --git a/cmd/cassemctl/commands_resctl_user.go b/cmd/cassemctl/commands_resctl_user.go
@@ -5,6 +5,10 @@ import (
 
 	"github.com/yeqown/cassem/internal/authorizer"
 
+	"github.com/yeqown/cassem/pkg/hash"
+
+	"github.com/yeqown/cassem/internal/persistence"
+
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
@@ -52,7 +56,7 @@ func addUserCommand() *cli.Command {
 		Category: "user",
 		Flags:    []cli.Flag{_userMetaDataFlag},
 		Action: func(ctx *cli.Context) error {
-			auth, err := getAuthorizer(ctx)
+			repo, err := getRepository(ctx)
 			if err != nil {
 				return err
 			}
@@ -62,7 +66,11 @@ func addUserCommand() *cli.Command {
 				return err
 			}
 
-			_, err = auth.AddUser(md.Account, md.Password, md.Name)
+			err = repo.CreateUser(&persistence.User{
+				Account:          md.Account,
+				PasswordWithSalt: hash.WithSalt(md.Password, "cassem"),
+				Name:             md.Name,
+			})
 			return err
 		},
 	}
@@ -75,7 +83,7 @@ func resetUserPasswordCommand() *cli.Command {
 		Category: "user",
 		Flags:    []cli.Flag{_userMetaDataFlag},
 		Action: func(ctx *cli.Context) error {
-			auth, err := getAuthorizer(ctx)
+			repo, err := getRepository(ctx)
 			if err != nil {
 				return err
 			}
@@ -85,7 +93,7 @@ func resetUserPasswordCommand() *cli.Command {
 				return err
 			}
 
-			return auth.ResetPassword(md.Account, md.Password)
+			return repo.ResetPassword(md.Account, hash.WithSalt(md.Password, "cassem"))
 		},
 	}
 }

diff --git a/internal/authorizer/authorizer_casbin_acl.go → internal/authorizer/enforcer.go b/internal/authorizer/authorizer_casbin_acl.go → internal/authorizer/enforcer.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
-	gormadapter "github.com/casbin/gorm-adapter/v3"
 	"github.com/pkg/errors"
 	"github.com/yeqown/log"
 )
@@ -26,20 +25,40 @@ e = some(where (p.eft == allow))
 m = r.sub == p.sub && obj_match(r.obj, p.obj) && act_match(r.act, p.act)
 `
 
+type IEnforcer interface {
+	Enforce(req *EnforceRequest) bool
+	ListSubjectPolicies(subject string) []Policy
+	UpdateSubjectPolicies(subject string, policies []Policy) error
+}
+
+type IAuthorizer interface {
+	IEnforcer
+
+	Migrate() error
+}
+
+type EnforceRequest struct {
+	Subject string
+	Object  string
+	Action  string
+
+	//Namespace string
+	//Container string
+	//Pair      string
+}
+
 // casbinAuthorities implement IAuthorizer based on casbin.ACL model.
 type casbinAuthorities struct {
 	aclEnforcer *casbin.Enforcer
-	userRepo    persistence.UserRepository
+	repo        persistence.Repository
 }
 
 func New(c *conf.MySQL) (auth IAuthorizer, err error) {
-	db, err := mysql.Connect(c)
+	repo, err := mysql.New(c)
 	if err != nil {
-		return nil, errors.Wrap(err, "authorizer.New could not connect to DB")
+		return nil, errors.Wrap(err, "authorizer.New could not load persistence")
 	}
-
-	// adapter
-	a, err := gormadapter.NewAdapterByDBUseTableName(db, "cassem", "permission_policy")
+	a, err := repo.PolicyAdapter()
 	if err != nil {
 		return nil, err
 	}
@@ -87,7 +106,7 @@ func New(c *conf.MySQL) (auth IAuthorizer, err error) {
 	})
 
 	auth = casbinAuthorities{
-		userRepo:    mysql.NewUserRepository(db),
+		repo:        repo,
 		aclEnforcer: e,
 	}
 
@@ -97,18 +116,14 @@ func New(c *conf.MySQL) (auth IAuthorizer, err error) {
 // Migrate ...
 // DONE(@yeqown): migrate to init data, only be called cassemctl.
 func (c casbinAuthorities) Migrate() error {
-	if err := c.userRepo.Migrate(); err != nil {
-		return errors.Wrap(err, "failed to migrate user table")
-	}
-
 	// DONE(@yeqown) add root account automatically, and add all permissions to root account.
-	u, err := c.AddUser("admin", "cassem", "admin")
-	if err != nil {
+	u := &persistence.User{Account: "admin", PasswordWithSalt: "cassem", Name: "admin"}
+	if err := c.repo.CreateUser(u); err != nil {
 		return errors.Wrap(err, "failed to create root account")
 	}
 
 	token := NewToken(int(u.ID))
-	if err = c.UpdateSubjectPolicies(token.Subject(), allPolicies); err != nil {
+	if err := c.UpdateSubjectPolicies(token.Subject(), AllPolicies); err != nil {
 		return errors.Wrap(err, "failed to assign all policy to root account")
 	}
 
@@ -140,31 +155,6 @@ func (c casbinAuthorities) Enforce(req *EnforceRequest) bool {
 	return allow
 }
 
-func (c casbinAuthorities) UpdateSubjectPolicies(subject string, policies []Policy) error {
-	_, err := c.aclEnforcer.RemoveFilteredPolicy(0, subject)
-	if err != nil {
-		return err
-	}
-
-	in := make([][]string, 0, len(policies))
-	for _, policy := range policies {
-		if err = validPolicy(subject, policy); err != nil {
-			log.WithFields(log.Fields{
-				"subject": subject,
-				"policy":  policy,
-			}).Warnf("policy invalid, skip")
-		}
-		in = append(in, []string{policy.Subject, policy.Object, policy.Action})
-	}
-
-	_, err = c.aclEnforcer.AddPolicies(in)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (c casbinAuthorities) ListSubjectPolicies(subject string) []Policy {
 	out := c.aclEnforcer.GetFilteredPolicy(0, subject)
 
@@ -188,3 +178,28 @@ func (c casbinAuthorities) ListSubjectPolicies(subject string) []Policy {
 
 	return policies
 }
+
+func (c casbinAuthorities) UpdateSubjectPolicies(subject string, policies []Policy) error {
+	_, err := c.aclEnforcer.RemoveFilteredPolicy(0, subject)
+	if err != nil {
+		return err
+	}
+
+	in := make([][]string, 0, len(policies))
+	for _, policy := range policies {
+		if err = ValidPolicy(subject, policy); err != nil {
+			log.WithFields(log.Fields{
+				"subject": subject,
+				"policy":  policy,
+			}).Warnf("policy invalid, skip")
+		}
+		in = append(in, []string{policy.Subject, policy.Object, policy.Action})
+	}
+
+	_, err = c.aclEnforcer.AddPolicies(in)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/internal/authorizer/authorizer_test.go → internal/authorizer/enforcer_test.go b/internal/authorizer/authorizer_test.go → internal/authorizer/enforcer_test.go
@@ -86,19 +86,20 @@ func Test_IAuthorizer_AddPolicy(t *testing.T) {
 	assert.Equal(t, false, allow)
 }
 
-func Test_IAuthorizer_LoginAndSession(t *testing.T) {
-	a, err := authorizer.New(_conf)
-	require.Nil(t, err)
-
-	tokenString, err := a.Login("root", "123456")
-	require.Nil(t, err)
-	t.Log(tokenString)
-
-	token, err := a.Session(tokenString)
-	require.Nil(t, err)
-
-	assert.NotEmpty(t, token.UserId)
-}
+//
+//func Test_IAuthorizer_LoginAndSession(t *testing.T) {
+//	a, err := authorizer.New(_conf)
+//	require.Nil(t, err)
+//
+//	_, tokenString, err := a.Login("root", "123456")
+//	require.Nil(t, err)
+//	t.Log(tokenString)
+//
+//	token, err := authorizer.Session(tokenString)
+//	require.Nil(t, err)
+//
+//	assert.NotEmpty(t, token.UserId)
+//}
 
 func Test_IAuthorizer_ListPolicy(t *testing.T) {
 	a, err := authorizer.New(_conf)

diff --git a/internal/authorizer/authorizer_manager.go → internal/authorizer/token.go b/internal/authorizer/authorizer_manager.go → internal/authorizer/token.go
@@ -2,9 +2,9 @@ package authorizer
 
 import (
 	"fmt"
+	"strconv"
 
 	"github.com/yeqown/cassem/internal/persistence"
-	"github.com/yeqown/cassem/pkg/hash"
 
 	"github.com/dgrijalva/jwt-go"
 	"github.com/pkg/errors"
@@ -15,32 +15,20 @@ var (
 	_SECRET_ = []byte("cassem")
 )
 
-func (c casbinAuthorities) AddUser(account, password, name string) (*persistence.UserDO, error) {
-	u := &persistence.UserDO{
-		Account:          account,
-		PasswordWithSalt: hash.WithSalt(password, "cassem"),
-		Name:             name,
-	}
-
-	return u, c.userRepo.Create(u)
+// Token is the bridge between authorizer and HTTP API.
+type Token struct {
+	UserId int
 }
 
-func (c casbinAuthorities) Login(account, password string) (*persistence.UserDO, string, error) {
-	u, err := c.userRepo.QueryUser(account)
-	if err != nil {
-		return nil, "", err
-	}
-
-	if u.PasswordWithSalt != hash.WithSalt(password, "cassem") {
-		return nil, "", errors.New("account and password could not match")
-	}
+func NewToken(uid int) *Token {
+	return &Token{UserId: uid}
+}
 
-	// DONE(@yeqown): generate jwt token
-	token, err := genToken(u)
-	return u, token, err
+func (t Token) Subject() string {
+	return "uid:" + strconv.Itoa(t.UserId)
 }
 
-func (c casbinAuthorities) Session(tokenString string) (*Token, error) {
+func Session(tokenString string) (*Token, error) {
 	uid, err := parseToken(tokenString)
 	if err != nil {
 		return nil, err
@@ -50,7 +38,7 @@ func (c casbinAuthorities) Session(tokenString string) (*Token, error) {
 }
 
 // DONE(@yeqown): extract secret from code to global.
-func genToken(u *persistence.UserDO) (string, error) {
+func GenToken(u *persistence.User) (string, error) {
 	atClaims := jwt.MapClaims{}
 	atClaims["authorized"] = true
 	atClaims["user_id"] = u.ID
@@ -90,15 +78,3 @@ func parseToken(tokenString string) (int, error) {
 
 	return int(uid), nil
 }
-
-func (c casbinAuthorities) ResetPassword(account, password string) error {
-	return c.userRepo.ResetPassword(account, hash.WithSalt(password, "cassem"))
-}
-
-func (c casbinAuthorities) PagingUsers(limit, offset int, accountPattern string) ([]*persistence.UserDO, int, error) {
-	return c.userRepo.PagingUsers(&persistence.PagingUsersFilter{
-		Limit:          limit,
-		Offset:         offset,
-		AccountPattern: accountPattern,
-	})
-}
diff --git a/internal/authorizer/authorizer.go → internal/authorizer/types.go b/internal/authorizer/authorizer.go → internal/authorizer/types.go
@@ -1,10 +1,6 @@
 package authorizer
 
 import (
-	"strconv"
-
-	"github.com/yeqown/cassem/internal/persistence"
-
 	"github.com/pkg/errors"
 )
 
@@ -24,7 +20,7 @@ const (
 )
 
 var (
-	allPolicies = []Policy{
+	AllPolicies = []Policy{
 		{Subject: "", Object: OBJ_NAMESPACE, Action: ACTION_ANY},
 		{Subject: "", Object: OBJ_CONTAINER, Action: ACTION_ANY},
 		{Subject: "", Object: OBJ_PAIR, Action: ACTION_ANY},
@@ -39,31 +35,14 @@ var (
 	}
 )
 
-type EnforceRequest struct {
-	Subject string
-	Object  string
-	Action  string
-
-	//Namespace string
-	//Container string
-	//Pair      string
-}
-
-// IAuthorizer
-type IAuthorizer interface {
-	IAuthorizeManager
-
-	Enforce(req *EnforceRequest) bool
-}
-
 // Policy contains whole data what describes a ACL rule.
 type Policy struct {
 	Subject string
 	Object  string
 	Action  string
 }
 
-func validPolicy(subject string, p Policy) (err error) {
+func ValidPolicy(subject string, p Policy) (err error) {
 	var errmsg string
 	defer func() {
 		if errmsg != "" {
@@ -84,32 +63,3 @@ func validPolicy(subject string, p Policy) (err error) {
 
 	return
 }
-
-// Token is the bridge between authorizer and HTTP API.
-type Token struct {
-	UserId int
-}
-
-func NewToken(uid int) *Token {
-	return &Token{UserId: uid}
-}
-
-func (t Token) Subject() string {
-	return "uid:" + strconv.Itoa(t.UserId)
-}
-
-// IAuthorizeManager manages user, roles.
-type IAuthorizeManager interface {
-	Migrate() error
-
-	// user permissions manage API
-	ListSubjectPolicies(subject string) []Policy
-	UpdateSubjectPolicies(subject string, policies []Policy) error
-
-	// user and session manage API
-	AddUser(account, password, name string) (*persistence.UserDO, error)
-	Login(account, password string) (*persistence.UserDO, string, error)
-	Session(tokenString string) (*Token, error)
-	ResetPassword(account, password string) error
-	PagingUsers(limit, offset int, accountPattern string) ([]*persistence.UserDO, int, error)
-}