diff --git a/gcloud/iam_auth/api.py b/gcloud/iam_auth/api.py
index c49567556f..6f511d9fe3 100644
--- a/gcloud/iam_auth/api.py
+++ b/gcloud/iam_auth/api.py
@@ -18,6 +18,7 @@ from django.views.decorators.http import require_POST
 from django.views.decorators.csrf import csrf_exempt
+from iam.shortcuts import allow_or_raise_auth_failed
 from rest_framework.decorators import api_view
 from iam import Subject, Action, Resource, Request, MultiActionRequest
@@ -26,6 +27,12 @@ from gcloud.iam_auth import conf
 from gcloud.iam_auth import IAMMeta
 from gcloud.iam_auth import get_iam_client, get_iam_api_client
+from gcloud.iam_auth.res_factory import (
+ resources_for_flow,
+ resources_for_task,
+ resources_for_common_flow,
+ resources_list_for_mini_app,
+)
 from gcloud.shortcuts.http import standard_response
 from gcloud.openapi.schema import AnnotationAutoSchema
@@ -59,7 +66,6 @@ def apply_perms_url(request):
 @csrf_exempt
 @require_POST
 def is_allow(request):
-
 data = json.loads(request.body)
 action_id = data["action"]
@@ -79,6 +85,51 @@ def is_allow(request):
 return standard_response(True, "success", {"is_allow": is_allow})
+@csrf_exempt
+@require_POST
+def is_view_action_allow(request):
+ """
+ @param request:
+ @return:
+ """
+ action_map = {
+ IAMMeta.FLOW_RESOURCE: IAMMeta.FLOW_VIEW_ACTION,
+ IAMMeta.TASK_RESOURCE: IAMMeta.TASK_VIEW_ACTION,
+ IAMMeta.COMMON_FLOW_RESOURCE: IAMMeta.COMMON_FLOW_VIEW_ACTION,
+ IAMMeta.MINI_APP_RESOURCE: IAMMeta.MINI_APP_VIEW_ACTION,
+ }
+
+ resource_map = {
+ IAMMeta.FLOW_RESOURCE: resources_for_flow,
+ IAMMeta.TASK_RESOURCE: resources_for_task,
+ IAMMeta.COMMON_FLOW_RESOURCE: resources_for_common_flow,
+ IAMMeta.MINI_APP_RESOURCE: resources_list_for_mini_app,
+ }
+
+ data = json.loads(request.body)
+ resource_id = data["resource_id"]
+ resource_type = data["resource_type"]
+ subject = Subject("user", request.user.username)
+
+ try:
+ action = Action(action_map[resource_type])
+ resources = resource_map[resource_type](resource_id)
+ except Exception as e:
+ return standard_response(False, str(e))
+
+ iam = get_iam_client()
+
+ allow_or_raise_auth_failed(
+ iam=iam,
+ system=IAMMeta.SYSTEM_ID,
+ subject=subject,
+ action=action,
+ resources=resources,
+ )
+
+ return standard_response(True, "success", {"is_allow": is_allow})
+
+
 @swagger_auto_schema(methods=["GET"], auto_schema=AnnotationAutoSchema)
 @api_view(["GET"])
 def is_allow_common_flow_management(request):
diff --git a/gcloud/iam_auth/res_factory.py b/gcloud/iam_auth/res_factory.py
index 3a6e8f0108..e7a05f7880 100644
--- a/gcloud/iam_auth/res_factory.py
+++ b/gcloud/iam_auth/res_factory.py
@@ -22,6 +22,7 @@ from gcloud.contrib.appmaker.models import AppMaker
 from gcloud.iam_auth import IAMMeta
+
 # flow
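Review bot: The final `return standard_response(True, "success", {"is_allow": is_allow})` in is_view_action_allow references the view function `is_allow` defined earlier in the module, not a boolean, so the success payload carries a function object (the line appears to be copied from is_allow, where `is_allow` is a local result). Because `allow_or_raise_auth_failed` raises on denial, the only reachable success value here is `{"is_allow": True}`; if the endpoint is meant to report denial as data the way is_allow does, it should run the client's allow query and return its result instead — how the raised auth-failed exception is handled for this view is not visible in the hunk, so that is the author's call. The `except Exception as e` around the two map lookups turns an unsupported `resource_type` into a response whose message is the bare KeyError text and also relays whatever message a failing model lookup inside the resource factory produces; catching `KeyError` explicitly, e.g. `return standard_response(False, "unsupported resource_type: {}".format(resource_type))`, keeps the client-facing message fixed. The docstring is an empty template; state the expected JSON body (`resource_id`, and `resource_type` as one of the IAMMeta resource keys of action_map) and that `is_allow` in the response is always true on success.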
@@ -312,6 +313,22 @@ def resources_for_mini_app_obj(mini_app_obj):
 ]
+def resources_list_for_mini_app(mini_app_id):
+ min_app_obj = AppMaker.objects.get(id=mini_app_id).values("id", "creator", "name", "project_id")
+ return [
+ Resource(
+ IAMMeta.SYSTEM_ID,
+ IAMMeta.MINI_APP_RESOURCE,
+ str(min_app_obj.id),
+ {
+ "iam_resource_owner": min_app_obj.creator,
+ "_bk_iam_path_": "/project,{}/".format(min_app_obj.project_id),
+ "name": min_app_obj.name,
+ },
+ )
+ ]
+
+
 def resources_list_for_mini_apps(mini_app_id_list):
 qs = AppMaker.objects.filter(id__in=mini_app_id_list).values("id", "creator", "project_id")
diff --git a/gcloud/iam_auth/urls.py b/gcloud/iam_auth/urls.py
index 4b444b8c9f..289526de4d 100644
--- a/gcloud/iam_auth/urls.py
+++ b/gcloud/iam_auth/urls.py
@@ -19,5 +19,6 @@ url(r"^meta/$", api.meta_info),
 url(r"^apply_perms_url/$", api.apply_perms_url),
 url(r"^is_allow/$", api.is_allow),
+ url(r"^is_view_action_allow/$", api.is_view_action_allow),
 url(r"^is_allow/common_flow_management/$", api.is_allow_common_flow_management),
 ]
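Review bot: `AppMaker.objects.get(id=mini_app_id).values("id", "creator", "name", "project_id")` in resources_list_for_mini_app cannot work: `get()` returns a model instance, which has no `values()` method, so every call raises AttributeError before a Resource is built, and even on a queryset `values()` yields dicts, so the following `min_app_obj.id` attribute reads would fail too. Dropping the `.values(...)` call and reading the four fields from the instance is sufficient: `min_app_obj = AppMaker.objects.get(id=mini_app_id)`. If resources_for_mini_app_obj, whose body lies above this hunk and is not visible here, already builds the same Resource from an instance, delegating with `return resources_for_mini_app_obj(AppMaker.objects.get(id=mini_app_id))` avoids duplicating the attribute layout. An unknown id still propagates AppMaker.DoesNotExist to the caller, which is worth stating in a docstring since the only caller added in this change catches it as a generic Exception and echoes its message.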