客户端角色路由认证规则修改

V0.5.x
xiwa 2022-05-22 13:30:42 +08:00
parent 4768358395
commit 4b8c442ceb
2 changed files with 28 additions and 180 deletions


@ -3,6 +3,7 @@ package cc.iotkit.manager.config;
import cn.dev33.satoken.interceptor.SaAnnotationInterceptor;
import cn.dev33.satoken.interceptor.SaRouteInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.router.SaRouterStaff;
import cn.dev33.satoken.stp.StpUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Configuration;
@ -20,28 +21,35 @@ public class SaTokenConfigure implements WebMvcConfigurer {
// 注册路由拦截器,自定义认证规则
registry.addInterceptor(new SaRouteInterceptor((req, res, handler) -> {
log.info("resource role check,path:{}", req.getRequestPath());
SaRouter
//管理员、系统、客户端用户角色能使用的功能
.match("/space/addSpace/**",
"/space/saveSpace/**",
"/space/delSpace/**",
"/space/saveHome/**",
"/space/currentHome/**",
"/space/myRecentDevices/**",
"/space/spaces/**",
"/space/myDevices/**",
"/space/findDevice/**",
"/space/addDevice/**",
"/space/saveDevice",
"/space/removeDevice",
"/space/device/*",
"/device/*/consumer/*",
"/device/*/service/property/set",
"/device/*/service/*/invoke"
)
.check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system", "iot_client"));
//客户端角色能使用的功能
if (StpUtil.hasRole("iot_client")) {
if (SaRouter
.match("/space/addSpace/**",
"/space/saveSpace/**",
"/space/delSpace/**",
"/space/saveHome/**",
"/space/currentHome/**",
"/space/myRecentDevices/**",
"/space/spaces/**",
"/space/myDevices/**",
"/space/findDevice/**",
"/space/addDevice/**",
"/space/saveDevice",
"/space/removeDevice",
"/space/device/*",
"/device/*/consumer/*",
"/device/*/service/property/set",
"/device/*/service/*/invoke"
).isHit()) {
return;
}
}
SaRouter
//除了以上所有功能都需要 管理员或系统用户角色
.match("/**")
.check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system"))
//需要有可写权限的功能
.match(
"/**/save*/**",
@ -54,12 +62,6 @@ public class SaTokenConfigure implements WebMvcConfigurer {
"/**/invoke"
).check(c -> StpUtil.checkPermission("write"));
SaRouter
//管理员、系统用户角色能使用的功能
.match("/**")
.check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system", "iot_client"))
;
})).addPathPatterns("/**")
.excludePathPatterns(
"/*.png",
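Review bot: The early `return;` inside the `iot_client` branch exits the interceptor before the `write` permission rule lower in the lambda runs, so a user holding only the `iot_client` role reaches `/space/saveSpace/**`, `/space/saveDevice`, `/space/removeDevice`, `/device/*/service/property/set` and `/device/*/service/*/invoke` without ever being asked for the `write` permission that the `/**/save*/**` and `/**/invoke` patterns enforce for admin and system users. If clients are meant to be exempt from the write gate, the comment above the branch should say so explicitly, e.g. `// 客户端角色命中白名单后直接放行，不再做 write 权限校验 / client role bypasses the write-permission check on these paths`; if not, apply the same gate before returning, e.g. `SaRouter.match("/**/save*/**", "/**/invoke").check(c -> StpUtil.checkPermission("write"));` with the full pattern list used below (that list is cut off by the hunk boundary, so mirror it from the source rather than this excerpt). Separately, the newly imported `SaRouterStaff` is not referenced in the visible lines; drop it if it is unused elsewhere in the file. The interceptor lambda and the `excludePathPatterns(...)` call continue past the end of this section.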


@ -1,154 +0,0 @@
package cc.iotkit.manager.service;
import cc.iotkit.common.exception.BizException;
import cc.iotkit.common.utils.JsonUtil;
import cc.iotkit.model.UserInfo;
import lombok.extern.slf4j.Slf4j;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
@Slf4j
@Service
public class KeycloakAdminService {
@Value("${keycloak.realm}")
private String realm;
@Value("${keycloak.auth-server-url}")
private String authServerUrl;
@Value("${keycloak-admin-user}")
private String adminUser;
@Value("${keycloak-admin-password}")
private String adminPassword;
@Value("${keycloak-admin-clientid}")
private String adminClientId;
private Keycloak keycloak;
private Keycloak getKeycloak() {
if (keycloak == null) {
keycloak = KeycloakBuilder.builder()
.serverUrl(authServerUrl)
.username(adminUser)
.password(adminPassword)
.clientId(adminClientId)
.realm(realm)
.build();
}
return keycloak;
}
public String createUser(UserInfo user, String pwd) {
Keycloak keycloak = getKeycloak();
UsersResource usersResource = keycloak.realm(realm)
.users();
UserRepresentation userRepresentation = new UserRepresentation();
userRepresentation.setUsername(user.getUid());
userRepresentation.setGroups(Collections.singletonList(getGroup(user.getType())));
userRepresentation.setRealmRoles(user.getRoles());
if (user.getEmail() != null) {
userRepresentation.setEmail(user.getEmail());
}
userRepresentation.setEnabled(true);
userRepresentation.setFirstName(user.getNickName());
CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
credentialRepresentation.setType(CredentialRepresentation.PASSWORD);
credentialRepresentation.setValue(pwd);
credentialRepresentation.setTemporary(false);
userRepresentation.setCredentials(Collections.singletonList(credentialRepresentation));
javax.ws.rs.core.Response response = usersResource.create(userRepresentation);
String url = response.getLocation().getPath();
String newUid = url.substring(url.lastIndexOf("/") + 1);
if (response.getStatus() >= 300) {
log.error("create userRepresentation response:{}", JsonUtil.toJsonString(response));
throw new BizException("create keycloak user failed");
}
return newUid;
}
public void updateUser(UserInfo user) {
Keycloak keycloak = getKeycloak();
UserResource userResource = keycloak.realm(realm)
.users().get(user.getId());
UserRepresentation userRepresentation = userResource.toRepresentation();
if (user.getUid() != null) {
userRepresentation.setUsername(user.getUid());
}
if (user.getEmail() != null) {
userRepresentation.setEmail(user.getEmail());
}
if (user.getType() != null) {
userRepresentation.setGroups(Arrays.asList(getGroup(user.getType())));
}
if (user.getRoles() != null) {
userRepresentation.setRealmRoles(user.getRoles());
}
userResource.update(userRepresentation);
}
public UserInfo getUser(String uid) {
Keycloak keycloak = getKeycloak();
List<UserRepresentation> users = keycloak.realm(realm)
.users().search(uid);
if (users.size() == 0) {
return null;
}
UserRepresentation user = users.get(0);
return UserInfo.builder()
.id(user.getId())
.uid(uid)
.build();
}
public void resetUserPwd(String id, String pwd) {
Keycloak keycloak = getKeycloak();
UserResource userResource = keycloak.realm(realm)
.users().get(id);
UserRepresentation userRepresentation = userResource.toRepresentation();
CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
credentialRepresentation.setType(CredentialRepresentation.PASSWORD);
credentialRepresentation.setValue(pwd);
credentialRepresentation.setTemporary(false);
userRepresentation.setCredentials(Arrays.asList(credentialRepresentation));
userResource.update(userRepresentation);
}
public void deleteUser(String id) {
Keycloak keycloak = getKeycloak();
UserResource userResource = keycloak.realm(realm)
.users().get(id);
try {
userResource.remove();
} catch (javax.ws.rs.NotFoundException e) {
log.warn("user does not exist");
}
}
private String getGroup(Integer type) {
if (type == null) {
return "";
}
return type == UserInfo.USER_TYPE_PLATFORM
? "platform" : "client";
}
}