From 68809bcc387124ba99cb46d7a43692b3cd11b363 Mon Sep 17 00:00:00 2001 From: runzexia Date: Wed, 24 Apr 2019 11:04:06 +0800 Subject: [PATCH] mv get roles Signed-off-by: runzexia --- pkg/apiserver/tenant/tenant.go | 5 +- pkg/models/iam/am.go | 12 -- pkg/models/tenant/devops.go | 67 +++++++ pkg/models/types.go | 15 -- pkg/simple/client/kubesphere/devops.go | 186 ------------------ .../client/kubesphere/kubesphereclient.go | 6 - 6 files changed, 70 insertions(+), 221 deletions(-) delete mode 100644 pkg/simple/client/kubesphere/devops.go diff --git a/pkg/apiserver/tenant/tenant.go b/pkg/apiserver/tenant/tenant.go index 837b5eebc..af58bcff0 100644 --- a/pkg/apiserver/tenant/tenant.go +++ b/pkg/apiserver/tenant/tenant.go @@ -292,13 +292,14 @@ func ListNamespaceRules(req *restful.Request, resp *restful.Response) { } func ListDevopsRules(req *restful.Request, resp *restful.Response) { + devops := req.PathParameter("devops") username := req.HeaderParameter(constants.UserNameHeader) - rules, err := iam.GetUserDevopsSimpleRules(username, devops) + rules, err, code := tenant.GetUserDevopsSimpleRules(username, devops) if err != nil { - resp.WriteError(http.StatusInternalServerError, err) + resp.WriteError(code, err) return } diff --git a/pkg/models/iam/am.go b/pkg/models/iam/am.go index ab2a895b4..a6d047869 100644 --- a/pkg/models/iam/am.go +++ b/pkg/models/iam/am.go @@ -35,7 +35,6 @@ import ( "kubesphere.io/kubesphere/pkg/models/resources" "kubesphere.io/kubesphere/pkg/params" "kubesphere.io/kubesphere/pkg/simple/client/k8s" - "kubesphere.io/kubesphere/pkg/simple/client/kubesphere" "kubesphere.io/kubesphere/pkg/utils/k8sutil" "kubesphere.io/kubesphere/pkg/utils/sliceutil" "sort" 
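Review bot: `resp.WriteError(code, err)` now forwards the raw error text for every code, so on the `http.StatusInternalServerError` path the caller receives whatever the database `LoadOne` call inside `tenant.GetUserDevopsSimpleRules` returned, which discloses driver and table details to any member who has already passed the role check. Keep the detail in the log (the callee already does) and write a fixed message on the 5xx path, e.g. `if code >= http.StatusInternalServerError { err = fmt.Errorf("internal error") }` placed before the `WriteError` call, leaving the 403 text from `CheckProjectUserInRole` as it is. Whether `fmt` or `errors` is already imported by this file is not visible in the hunk. `ListDevopsRules` continues past the end of the hunk.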
@@ -48,17 +47,6 @@ const ( NamespaceViewerRoleBindName = "viewer" ) -func GetUserDevopsSimpleRules(username, projectId string) ([]models.SimpleRule, error) { - role, err := kubesphere.Client().GetUserDevopsRole(username, projectId) - - if err != nil { - glog.Errorln("get user devops role", username, projectId, err) - return nil, err - } - - return GetDevopsRoleSimpleRules(role), nil -} - func GetDevopsRoleSimpleRules(role string) []models.SimpleRule { var rules []models.SimpleRule diff --git a/pkg/models/tenant/devops.go b/pkg/models/tenant/devops.go index 4c5100337..683361bde 100644 --- a/pkg/models/tenant/devops.go +++ b/pkg/models/tenant/devops.go 
@@ -484,3 +484,70 @@ func CreateDevopsProject(username string, workspace string, req *devops.DevOpsPr } return project, nil, http.StatusOK } + +func GetUserDevopsSimpleRules(username, projectId string) ([]models.SimpleRule, error, int) { + err := CheckProjectUserInRole(username, projectId, AllRoleSlice) + if err != nil { + glog.Errorf("%+v", err) + return nil, err, http.StatusForbidden + } + dbconn := devops_mysql.OpenDatabase() + memberships := &devops.DevOpsProjectMembership{} + err = dbconn.Select(devops.DevOpsProjectMembershipColumns...). + From(devops.DevOpsProjectMembershipTableName). + Where(db.And( + db.Eq(devops.DevOpsProjectMembershipProjectIdColumn, projectId), + db.Eq(devops.DevOpsProjectMembershipUsernameColumn, username))). + LoadOne(&memberships) + if err != nil { + glog.Errorf("%+v", err) + + return nil, err, http.StatusInternalServerError + } + + return GetDevopsRoleSimpleRules(memberships.Role), nil, http.StatusOK +} + +func GetDevopsRoleSimpleRules(role string) []models.SimpleRule { + var rules []models.SimpleRule + + switch role { + case "developer": + rules = []models.SimpleRule{ + {Name: "pipelines", Actions: []string{"view", "trigger"}}, + {Name: "roles", Actions: []string{"view"}}, + {Name: "members", Actions: []string{"view"}}, + {Name: "devops", Actions: []string{"view"}}, + } + break + case "owner": + rules = []models.SimpleRule{ + {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}}, + {Name: "roles", Actions: []string{"view"}}, + {Name: "members", Actions: []string{"create", "edit", "view", "delete"}}, + {Name: "credentials", Actions: []string{"create", "edit", "view", "delete"}}, + {Name: "devops", Actions: []string{"edit", "view", "delete"}}, + } + break + case "maintainer": + rules = []models.SimpleRule{ + {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}}, + {Name: "roles", Actions: []string{"view"}}, + {Name: "members", Actions: []string{"view"}}, + {Name: 
"credentials", Actions: []string{"create", "edit", "view", "delete"}}, + {Name: "devops", Actions: []string{"view"}}, + } + break + case "reporter": + fallthrough + default: + rules = []models.SimpleRule{ + {Name: "pipelines", Actions: []string{"view"}}, + {Name: "roles", Actions: []string{"view"}}, + {Name: "members", Actions: []string{"view"}}, + {Name: "devops", Actions: []string{"view"}}, + } + break + } + return rules +} diff --git a/pkg/models/types.go b/pkg/models/types.go index a717462a4..bc91ad533 100644 --- a/pkg/models/types.go +++ b/pkg/models/types.go @@ -36,21 +36,6 @@ type Workspace struct { DevopsProjects []string `json:"devops_projects"` } -type WorkspaceDPBinding struct { - Workspace string `gorm:"primary_key"` - DevOpsProject string `gorm:"primary_key"` -} - -type DevopsProject struct { - ProjectId string `json:"project_id,omitempty"` - Name string `json:"name"` - Description string `json:"description"` - Creator string `json:"creator"` - CreateTime *time.Time `json:"create_time,omitempty"` - Status *string `json:"status"` - Visibility *string `json:"visibility,omitempty"` -} - type Action struct { Name string `json:"name"` Rules []v1.PolicyRule `json:"rules"` diff --git a/pkg/simple/client/kubesphere/devops.go b/pkg/simple/client/kubesphere/devops.go deleted file mode 100644 index c67cb3aeb..000000000 --- a/pkg/simple/client/kubesphere/devops.go +++ /dev/null 
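Review bot: `GetDevopsRoleSimpleRules` in this hunk is a verbatim copy of the function of the same name that the am.go hunk leaves in place in `pkg/models/iam` (it is visible in that hunk's context lines), so the role-to-action table behind `ListDevopsRules` authorization now exists in two packages and a later change to one copy leaves the other stale. Keep a single definition — have this one delegate with `return iam.GetDevopsRoleSimpleRules(role)` if `tenant` can import `iam` without a cycle, otherwise drop the `iam` copy in this same commit. In `GetUserDevopsSimpleRules`, `memberships` is already a `*devops.DevOpsProjectMembership`, so `LoadOne(&memberships)` hands the loader a `**DevOpsProjectMembership`; this only works if the loader dereferences the extra level (dbr-style loaders do), and `LoadOne(memberships)` states the intent plainly. The `break` at the end of each `case` is redundant in Go and can be removed.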
@@ -1,186 +0,0 @@ -/* - - Copyright 2019 The KubeSphere Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/ -package kubesphere - -import ( - "bytes" - "encoding/json" - "fmt" - "github.com/golang/glog" - "io/ioutil" - "kubesphere.io/kubesphere/pkg/constants" - "kubesphere.io/kubesphere/pkg/models" - "net/http" -) - -func (c client) DeleteDevopsProject(username string, projectId string) error { - request, _ := http.NewRequest(http.MethodDelete, fmt.Sprintf("%s/api/v1alpha/projects/%s", devopsAPIServer, projectId), nil) - if username == "" { - username = constants.AdminUserName - } - request.Header.Add("X-Token-Username", username) - - resp, err := c.client.Do(request) - - if err != nil { - return err - } - defer resp.Body.Close() - data, err := ioutil.ReadAll(resp.Body) - if err != nil { - return err - } - if resp.StatusCode > http.StatusOK { - return Error{resp.StatusCode, string(data)} - } - return nil -} - -func (c client) GetUserDevopsRole(username string, projectId string) (string, error) { - - if username == "admin" { - return "owner", nil - } - - req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/v1alpha/projects/%s/members", devopsAPIServer, projectId), nil) - - if err != nil { - return "", err - } - req.Header.Set(constants.UserNameHeader, username) - resp, err := c.client.Do(req) - - if err != nil { - return "", err - } - - defer resp.Body.Close() - data, err := ioutil.ReadAll(resp.Body) - - if err != nil { - return "", err - } - - if 
resp.StatusCode > http.StatusOK { - return "", Error{resp.StatusCode, string(data)} - } - - var result []map[string]string - - err = json.Unmarshal(data, &result) - - if err != nil { - return "", err - } - - for _, item := range result { - if item["username"] == username { - return item["role"], nil - } - } - - return "", nil -} - -func (c client) CreateDevopsProject(username string, project *models.DevopsProject) (*models.DevopsProject, error) { - data, err := json.Marshal(project) - - if err != nil { - return nil, err - } - - request, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/api/v1alpha/projects", devopsAPIServer), bytes.NewReader(data)) - request.Header.Add("X-Token-Username", username) - request.Header.Add("Content-Type", "application/json") - resp, err := c.client.Do(request) - - if err != nil { - return nil, err - } - - defer resp.Body.Close() - data, err = ioutil.ReadAll(resp.Body) - - if err != nil { - return nil, err - } - - if resp.StatusCode > http.StatusOK { - return nil, Error{resp.StatusCode, string(data)} - } - - var created models.DevopsProject - - err = json.Unmarshal(data, &created) - - if err != nil { - return nil, err - } - - return &created, nil -} - -func (c client) CreateDevopsRoleBinding(projectId string, user string, role string) { - - projects := make([]string, 0) - projects = append(projects, projectId) - - for _, project := range projects { - data := []byte(fmt.Sprintf(`{"username":"%s","role":"%s"}`, user, role)) - request, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/api/v1alpha/projects/%s/members", devopsAPIServer, project), bytes.NewReader(data)) - request.Header.Add("Content-Type", "application/json") - request.Header.Add("X-Token-Username", "admin") - resp, err := c.client.Do(request) - if err != nil || resp.StatusCode > 200 { - glog.Warning(fmt.Sprintf("create devops role binding failed %s,%s,%s", project, user, role)) - } - if resp != nil { - resp.Body.Close() - } - } -} - -func (c client) 
ListDevopsProjects(username string) ([]models.DevopsProject, error) { - projects := make([]models.DevopsProject, 0) - - request, _ := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/v1alpha/projects", devopsAPIServer), nil) - request.Header.Add(constants.UserNameHeader, username) - - resp, err := c.client.Do(request) - if err != nil { - return nil, err - } - defer resp.Body.Close() - data, err := ioutil.ReadAll(resp.Body) - - if err != nil { - return nil, err - } - - if resp.StatusCode > http.StatusOK { - return nil, Error{resp.StatusCode, string(data)} - } - - err = json.Unmarshal(data, &projects) - - if err != nil { - return nil, err - } - - return projects, nil -} diff --git a/pkg/simple/client/kubesphere/kubesphereclient.go b/pkg/simple/client/kubesphere/kubesphereclient.go index 6c72e976e..d287bf096 100644 --- a/pkg/simple/client/kubesphere/kubesphereclient.go +++ b/pkg/simple/client/kubesphere/kubesphereclient.go @@ -42,11 +42,6 @@ type Interface interface { UpdateGroup(group *models.Group) (*models.Group, error) DescribeGroup(name string) (*models.Group, error) DeleteGroup(name string) error - DeleteDevopsProject(username string, projectId string) error - GetUserDevopsRole(username string, projectId string) (string, error) - CreateDevopsProject(username string, project *models.DevopsProject) (*models.DevopsProject, error) - CreateDevopsRoleBinding(projectId string, user string, role string) - ListDevopsProjects(username string) ([]models.DevopsProject, error) } type client struct { @@ -55,7 +50,6 @@ type client struct { func init() { flag.StringVar(&accountAPIServer, "ks-account-api-server", "http://ks-account.kubesphere-system.svc", "kubesphere account api server") - flag.StringVar(&devopsAPIServer, "ks-devops-api-server", "http://ks-devops.kubesphere-devops-system.svc", "kubesphere devops api server") } func Client() Interface {