fix api can be accessed by any role when accessRole not config (#83)

9fc23cad · sinat_25235033 · GitHub · ad3ba2b0 · 9fc23cad · 9fc23cad
13 changed file
--- a/core/src/main/java/com/usthe/sureness/processor/BaseProcessor.java
+++ b/core/src/main/java/com/usthe/sureness/processor/BaseProcessor.java
@@ -55,9 +55,8 @@ public abstract class BaseProcessor implements Processor{
    public void authorized(Subject var) throws SurenessAuthorizationException {
        List<String> ownRoles = (List<String>)var.getOwnRoles();
        List<String> supportRoles = (List<String>)var.getSupportRoles();
-        if (supportRoles == null || supportRoles.isEmpty()) {
-            return;
-        } else if (ownRoles != null && supportRoles.stream().anyMatch(ownRoles::contains)) {
+        if (supportRoles != null && !supportRoles.isEmpty() && ownRoles != null
+                && supportRoles.stream().anyMatch(ownRoles::contains)) {
            return;
        }
        throw new UnauthorizedException("do not have the role to access resource");

--- a/core/src/main/java/com/usthe/sureness/processor/support/NoneProcessor.java
+++ b/core/src/main/java/com/usthe/sureness/processor/support/NoneProcessor.java
@@ -2,15 +2,12 @@ package com.usthe.sureness.processor.support;

 import com.usthe.sureness.processor.BaseProcessor;
 import com.usthe.sureness.processor.exception.SurenessAuthenticationException;
-import com.usthe.sureness.processor.exception.SurenessAuthorizationException;
-import com.usthe.sureness.processor.exception.UnauthorizedException;
 import com.usthe.sureness.processor.exception.UnknownAccountException;
 import com.usthe.sureness.subject.Subject;
 import com.usthe.sureness.subject.support.NoneSubject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

-import java.util.List;

 /**
 * the processor support nonToken
@@ -36,16 +33,4 @@ public class NoneProcessor extends BaseProcessor {
    public Subject authenticated(Subject var) throws SurenessAuthenticationException {
        throw new UnknownAccountException("the request do not have the auth detail, please input your auth");
    }
-
-    @SuppressWarnings("unchecked")
-    @Override
-    public void authorized(Subject var) throws SurenessAuthorizationException {
-        List<String> supportRoles = (List<String>)var.getSupportRoles();
-        if (supportRoles != null && !supportRoles.isEmpty()) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("NoneProcessor authorized fail, due {} need role access", var.getTargetResource());
-            }
-            throw new UnauthorizedException("authorized forbidden, the request do not have the role access");
-        }
-    }
 }
--- a/core/src/main/resources/sureness-sample.yml
+++ b/core/src/main/resources/sureness-sample.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]

--- a/core/src/test/java/com/usthe/sureness/mgt/SurenessSecurityManagerTest.java
+++ b/core/src/test/java/com/usthe/sureness/mgt/SurenessSecurityManagerTest.java
@@ -47,7 +47,7 @@ class SurenessSecurityManagerTest {

        expect(request.getHeader(AUTHORIZATION)).andStubReturn(BASIC + " "
                + new String(Base64.getEncoder().encode("admin:admin".getBytes(StandardCharsets.UTF_8))));
-        expect(request.getRequestURI()).andStubReturn("/api/v1/book");
+        expect(request.getRequestURI()).andStubReturn("/api/v2/host");
        expect(request.getMethod()).andStubReturn("put");
        expect(request.getRemoteHost()).andStubReturn("192.167.2.1");
        replay(request);
@@ -56,7 +56,7 @@ class SurenessSecurityManagerTest {
        assertNotNull(subjectSum.get());
        assertEquals("admin", subjectSum.get().getPrincipal());
        assertTrue(subjectSum.get().hasAllRoles(Arrays.asList("role1","role2")));
-        assertEquals("/api/v1/book===put", subjectSum.get().getTargetResource());
+        assertEquals("/api/v2/host===put", subjectSum.get().getTargetResource());
        verify(request);

        reset(request);
@@ -77,7 +77,7 @@ class SurenessSecurityManagerTest {
                null, Boolean.FALSE);
        HttpServletRequest request = createNiceMock(HttpServletRequest.class);
        expect(request.getHeader(AUTHORIZATION)).andStubReturn(BEARER + " " + jwt);
-        expect(request.getRequestURI()).andStubReturn("/api/v2/book");
+        expect(request.getRequestURI()).andStubReturn("/api/v1/source1");
        expect(request.getMethod()).andStubReturn("get");
        expect(request.getRemoteHost()).andStubReturn("192.167.2.1");
        replay(request);
@@ -86,7 +86,7 @@ class SurenessSecurityManagerTest {
        assertNotNull(subjectSum.get());
        assertEquals("tom", subjectSum.get().getPrincipal());
        assertTrue(subjectSum.get().hasAllRoles(Arrays.asList("role2","role3")));
-        assertEquals("/api/v2/book===get", subjectSum.get().getTargetResource());
+        assertEquals("/api/v1/source1===get", subjectSum.get().getTargetResource());
        verify(request);
    }
 }
\ No newline at end of file
--- a/docs/cn/default-datasource.md
+++ b/docs/cn/default-datasource.md
@@ -12,8 +12,8 @@

 # 加载到匹配字典的资源,也就是需要被保护的,设置了所支持角色访问的资源
 # 没有配置的资源也默认被认证保护,但不鉴权
-# eg: /api/v1/source1===get===[role2] 表示 /api/v2/host===post 这条资源支持 role2这一种角色访问
-# eg: /api/v1/source2===get===[] 表示 /api/v1/source2===get 这条资源支持所有角色或无角色访问 前提是认证成功
+# eg: /api/v1/source1===get===[role2] 表示 /api/v2/host===post 这条资源支持 role2 这一种角色访问
+# eg: /api/v1/source2===get===[] 表示 /api/v1/source2===get 这条资源不支持任何角色访问
 resourceRole:
  - /api/v1/source1===get===[role2]
  - /api/v1/source1===delete===[role3]

--- a/docs/default-datasource.md
+++ b/docs/default-datasource.md
@@ -10,8 +10,8 @@ eg:

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]

--- a/sample-bootstrap/src/main/resources/sureness.yml
+++ b/sample-bootstrap/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]

--- a/sample-tom/src/main/java/com/usthe/sureness/sample/tom/sureness/processor/CustomTokenProcessor.java
+++ b/sample-tom/src/main/java/com/usthe/sureness/sample/tom/sureness/processor/CustomTokenProcessor.java
@@ -83,9 +83,8 @@ public class CustomTokenProcessor extends BaseProcessor {
    public void authorized(Subject var) throws SurenessAuthorizationException {
        List<String> ownRoles = (List<String>)var.getOwnRoles();
        List<String> supportRoles = (List<String>)var.getSupportRoles();
-        if (supportRoles == null || supportRoles.isEmpty()) {
-            return;
-        } else if (ownRoles != null && supportRoles.stream().anyMatch(ownRoles::contains)) {
+        if (supportRoles != null && !supportRoles.isEmpty() && ownRoles != null
+                && supportRoles.stream().anyMatch(ownRoles::contains)) {
            return;
        }
        throw new UnauthorizedException("custom authorized: do not have the role to access resource");

--- a/sample-tom/src/main/resources/sureness.yml
+++ b/sample-tom/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v1/getSource3===get===[]

--- a/samples/javalin-sureness/src/main/resources/sureness.yml
+++ b/samples/javalin-sureness/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]

--- a/samples/ktor-sureness/resources/sureness.yml
+++ b/samples/ktor-sureness/resources/sureness.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]

--- a/samples/quarkus-sureness/src/main/resources/sureness.yml
+++ b/samples/quarkus-sureness/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]

--- a/samples/spring-webflux-sureness/src/main/resources/sureness.yml
+++ b/samples/spring-webflux-sureness/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@

 # load api resource which need be protected, config role who can access these resource.
 # resources that are not configured are also authenticated and protected by default, but not authorized
-# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
-# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
 resourceRole:
  - /api/v2/host===post===[role2,role3,role4]
  - /api/v2/host===get===[role2,role3,role4]