fix: cloudid 权限修复

yunionio · Jul 9, 2020 · dc32fe4 · dc32fe4
1 parent d54d839
commit dc32fe4
Show file tree

Hide file tree

Showing 8 changed files with 164 additions and 1 deletion.
diff --git a/pkg/apis/cloudid/cloudid.go b/pkg/apis/cloudid/cloudid.go
@@ -0,0 +1,22 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cloudid
+
+import "yunion.io/x/onecloud/pkg/apis"
+
+const (
+	SERVICE_TYPE    = apis.SERVICE_TYPE_CLOUDID
+	SERVICE_VERSION = ""
+)
diff --git a/pkg/cloudid/models/cloudgroup.go b/pkg/cloudid/models/cloudgroup.go
@@ -61,7 +61,7 @@ type SCloudgroup struct {
 }
 
 func (manager *SCloudgroupManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
-	return db.IsDomainAllowList(userCred, manager)
+	return true
 }
 
 // 权限组列表

diff --git a/pkg/cloudid/models/clouduser.go b/pkg/cloudid/models/clouduser.go
@@ -1193,6 +1193,13 @@ func (self *SClouduser) AllowPerformChangeOwner(ctx context.Context, userCred mc
 
 // 变更子账号所属本地用户
 func (self *SClouduser) PerformChangeOwner(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.ClouduserChangeOwnerInput) (jsonutils.JSONObject, error) {
+	if len(self.OwnerId) > 0 {
+		user, err := db.UserCacheManager.FetchUserById(ctx, self.OwnerId)
+		if err != nil || user.DomainId != self.DomainId && !userCred.HasSystemAdminPrivilege() {
+			return nil, httperrors.NewForbiddenError("Not allow to change owner")
+		}
+	}
+
 	user, err := db.UserCacheManager.FetchUserById(ctx, input.UserId)
 	if err != nil {
 		return nil, httperrors.NewGeneralError(errors.Wrapf(err, "Not found user %s", input.UserId))

diff --git a/pkg/cloudid/policy/defaults.go b/pkg/cloudid/policy/defaults.go
@@ -0,0 +1,93 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	api "yunion.io/x/onecloud/pkg/apis/cloudid"
+	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
+	"yunion.io/x/onecloud/pkg/util/rbacutils"
+)
+
+const (
+	PolicyActionPerform = common_policy.PolicyActionPerform
+	PolicyActionList    = common_policy.PolicyActionList
+	PolicyActionGet     = common_policy.PolicyActionGet
+	PolicyActionCreate  = common_policy.PolicyActionCreate
+	PolicyActionUpdate  = common_policy.PolicyActionUpdate
+	PolicyActionDelete  = common_policy.PolicyActionDelete
+)
+
+var (
+	predefinedDefaultPolicies = []rbacutils.SRbacPolicy{
+		{
+			Auth:  true,
+			Scope: rbacutils.ScopeSystem,
+			Rules: []rbacutils.SRbacRule{
+				{
+					Service:  api.SERVICE_TYPE,
+					Resource: "cloudpolicies",
+					Action:   PolicyActionList,
+					Result:   rbacutils.Allow,
+				},
+				{
+					Service:  api.SERVICE_TYPE,
+					Resource: "cloudpolicies",
+					Action:   PolicyActionGet,
+					Result:   rbacutils.Allow,
+				},
+			},
+		},
+		{
+			Auth:  true,
+			Scope: rbacutils.ScopeDomain,
+			Rules: []rbacutils.SRbacRule{
+				{
+					Service:  api.SERVICE_TYPE,
+					Resource: "cloudgroups",
+					Action:   PolicyActionList,
+					Result:   rbacutils.Allow,
+				},
+				{
+					Service:  api.SERVICE_TYPE,
+					Resource: "cloudgroups",
+					Action:   PolicyActionGet,
+					Result:   rbacutils.Allow,
+				},
+			},
+		},
+		{
+			Auth:  true,
+			Scope: rbacutils.ScopeUser,
+			Rules: []rbacutils.SRbacRule{
+				{
+					Service:  api.SERVICE_TYPE,
+					Resource: "cloudusers",
+					Action:   PolicyActionList,
+					Result:   rbacutils.Allow,
+				},
+				{
+					Service:  api.SERVICE_TYPE,
+					Resource: "cloudusers",
+					Action:   PolicyActionGet,
+					Result:   rbacutils.Allow,
+				},
+			},
+		},
+	}
+)
+
+func init() {
+	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+}
diff --git a/pkg/cloudid/policy/doc.go b/pkg/cloudid/policy/doc.go
@@ -0,0 +1 @@
+package policy // import "yunion.io/x/onecloud/pkg/cloudid/policy"
diff --git a/pkg/cloudid/policy/resources.go b/pkg/cloudid/policy/resources.go
@@ -0,0 +1,38 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	api "yunion.io/x/onecloud/pkg/apis/cloudid"
+	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
+)
+
+var (
+	cloudidSystemResources = []string{
+		"cloudpolicies",
+	}
+	cloudidDomainResources = []string{
+		"cloudgroups",
+	}
+	cloudidUserResources = []string{
+		"cloudusers",
+	}
+)
+
+func init() {
+	common_policy.RegisterSystemResources(api.SERVICE_TYPE, cloudidSystemResources)
+	common_policy.RegisterDomainResources(api.SERVICE_TYPE, cloudidDomainResources)
+	common_policy.RegisterUserResources(api.SERVICE_TYPE, cloudidUserResources)
+}
diff --git a/pkg/cloudid/service/service.go b/pkg/cloudid/service/service.go
@@ -27,6 +27,7 @@ import (
 	common_options "yunion.io/x/onecloud/pkg/cloudcommon/options"
 	"yunion.io/x/onecloud/pkg/cloudid/models"
 	"yunion.io/x/onecloud/pkg/cloudid/options"
+	_ "yunion.io/x/onecloud/pkg/cloudid/policy"
 	_ "yunion.io/x/onecloud/pkg/cloudid/tasks"
 	_ "yunion.io/x/onecloud/pkg/multicloud/loader"
 )

diff --git a/pkg/cloudid/tasks/clouduser_reset_password_task.go b/pkg/cloudid/tasks/clouduser_reset_password_task.go
@@ -75,6 +75,7 @@ func (self *ClouduserResetPasswordTask) OnInit(ctx context.Context, obj db.IStan
 	}
 
 	clouduser.SavePassword(password)
+	clouduser.SetStatus(self.GetUserCred(), api.CLOUD_USER_STATUS_AVAILABLE, "")
 	logclient.AddActionLogWithStartable(self, clouduser, logclient.ACT_RESET_PASSWORD, "", self.UserCred, true)
 	self.SetStageComplete(ctx, nil)
 }