From 4b8c442cebcb2d551a3b2fd804d7a68d3fd3d131 Mon Sep 17 00:00:00 2001
From: xiwa
Date: Sun, 22 May 2022 13:30:42 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=A2=E6=88=B7=E7=AB=AF=E8=A7=92=E8=89=B2?=
 =?UTF-8?q?=E8=B7=AF=E7=94=B1=E8=AE=A4=E8=AF=81=E8=A7=84=E5=88=99=E4=BF=AE?=
 =?UTF-8?q?=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../manager/config/SaTokenConfigure.java | 54 +++---
 .../service/KeycloakAdminService.java1 | 154 ------------------
 2 files changed, 28 insertions(+), 180 deletions(-)
 delete mode 100755 manager/src/main/java/cc/iotkit/manager/service/KeycloakAdminService.java1
diff --git a/manager/src/main/java/cc/iotkit/manager/config/SaTokenConfigure.java b/manager/src/main/java/cc/iotkit/manager/config/SaTokenConfigure.java
index 51ef6d7d..2970de92 100755
--- a/manager/src/main/java/cc/iotkit/manager/config/SaTokenConfigure.java
+++ b/manager/src/main/java/cc/iotkit/manager/config/SaTokenConfigure.java
@@ -3,6 +3,7 @@ package cc.iotkit.manager.config;
 import cn.dev33.satoken.interceptor.SaAnnotationInterceptor;
 import cn.dev33.satoken.interceptor.SaRouteInterceptor;
 import cn.dev33.satoken.router.SaRouter;
+import cn.dev33.satoken.router.SaRouterStaff;
 import cn.dev33.satoken.stp.StpUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.context.annotation.Configuration;
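Review bot: The added `import cn.dev33.satoken.router.SaRouterStaff;` is not referenced by name in any changed line of this commit — the new interceptor code only chains `SaRouter.match(...).isHit()` and never declares a `SaRouterStaff` variable — so it appears to be an unused import. It is harmless at runtime but will trip Checkstyle/IDE unused-import warnings; drop it unless some unchanged part of the file names the type.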
@@ -20,28 +21,35 @@ public class SaTokenConfigure implements WebMvcConfigurer {
 // 注册路由拦截器,自定义认证规则
 registry.addInterceptor(new SaRouteInterceptor((req, res, handler) -> {
 log.info("resource role check,path:{}", req.getRequestPath());
- SaRouter
- //管理员、系统、客户端用户角色能使用的功能
- .match("/space/addSpace/**",
- "/space/saveSpace/**",
- "/space/delSpace/**",
- "/space/saveHome/**",
- "/space/currentHome/**",
- "/space/myRecentDevices/**",
- "/space/spaces/**",
- "/space/myDevices/**",
- "/space/findDevice/**",
- "/space/addDevice/**",
- "/space/saveDevice",
- "/space/removeDevice",
- "/space/device/*",
- "/device/*/consumer/*",
- "/device/*/service/property/set",
- "/device/*/service/*/invoke"
- )
- .check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system", "iot_client"));
+
+ //客户端角色能使用的功能
+ if (StpUtil.hasRole("iot_client")) {
+ if (SaRouter
+ .match("/space/addSpace/**",
+ "/space/saveSpace/**",
+ "/space/delSpace/**",
+ "/space/saveHome/**",
+ "/space/currentHome/**",
+ "/space/myRecentDevices/**",
+ "/space/spaces/**",
+ "/space/myDevices/**",
+ "/space/findDevice/**",
+ "/space/addDevice/**",
+ "/space/saveDevice",
+ "/space/removeDevice",
+ "/space/device/*",
+ "/device/*/consumer/*",
+ "/device/*/service/property/set",
+ "/device/*/service/*/invoke"
+ ).isHit()) {
+ return;
+ }
+ }
 SaRouter
+ //除了以上所有功能都需要 管理员或系统用户角色
+ .match("/**")
+ .check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system"))
 //需要有可写权限的功能
 .match(
 "/**/save*/**",
@@ -54,12 +62,6 @@ public class SaTokenConfigure implements WebMvcConfigurer {
 "/**/invoke"
 ).check(c -> StpUtil.checkPermission("write"));
- SaRouter
- //管理员、系统用户角色能使用的功能
- .match("/**")
- .check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system", "iot_client"))
-
- ;
 })).addPathPatterns("/**")
 .excludePathPatterns(
 "/*.png",
diff --git a/manager/src/main/java/cc/iotkit/manager/service/KeycloakAdminService.java1 b/manager/src/main/java/cc/iotkit/manager/service/KeycloakAdminService.java1
deleted file mode 100755
index 9e12f639..00000000
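Review bot: The `return;` inside the nested `if (SaRouter.match(...).isHit())` short-circuits the whole interceptor for an `iot_client` hit, so a client request to `/space/saveSpace/**`, `/space/saveDevice` or `/device/*/service/*/invoke` — paths that also match the `/**/save*/**` and `/**/invoke` write patterns further down — no longer goes through `StpUtil.checkPermission("write")`, whereas the removed block applied the role check and then let the write check run for every role. That is a silent widening of what a client account can do; if exempting clients from the `write` permission is the intent of this commit, say so in the comment above the `if`, otherwise keep the whitelist as a flag that only skips the admin/system role check and let the write check fall through for every role, as sketched below. The `.match(` list of write patterns continues past the end of this hunk and the `SaRouteInterceptor` lambda is closed in the next hunk, so the fence shows only the rewritten lines.
```java
// … unchanged: log.info("resource role check,path:{}", ...) …
boolean clientRoute = StpUtil.hasRole("iot_client")
        && SaRouter.match("/space/addSpace/**",
                // … unchanged: remaining client whitelist paths …
                "/device/*/service/*/invoke").isHit();
if (!clientRoute) {
    // everything outside the client whitelist needs the admin or system role
    SaRouter.match("/**").check(c -> StpUtil.checkRoleOr("iot_admin", "iot_system"));
}
// write permission is required for every role, client included
SaRouter.match(
        "/**/save*/**",
        // … unchanged: remaining write patterns through "/**/invoke" and the .check(...) …
```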
--- a/manager/src/main/java/cc/iotkit/manager/service/KeycloakAdminService.java1
+++ /dev/null
@@ -1,154 +0,0 @@
-package cc.iotkit.manager.service;
-
-import cc.iotkit.common.exception.BizException;
-import cc.iotkit.common.utils.JsonUtil;
-import cc.iotkit.model.UserInfo;
-import lombok.extern.slf4j.Slf4j;
-import org.keycloak.admin.client.Keycloak;
-import org.keycloak.admin.client.KeycloakBuilder;
-import org.keycloak.admin.client.resource.UserResource;
-import org.keycloak.admin.client.resource.UsersResource;
-import org.keycloak.representations.idm.CredentialRepresentation;
-import org.keycloak.representations.idm.UserRepresentation;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.stereotype.Service;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-@Slf4j
-@Service
-public class KeycloakAdminService {
-
- @Value("${keycloak.realm}")
- private String realm;
-
- @Value("${keycloak.auth-server-url}")
- private String authServerUrl;
-
- @Value("${keycloak-admin-user}")
- private String adminUser;
-
- @Value("${keycloak-admin-password}")
- private String adminPassword;
-
- @Value("${keycloak-admin-clientid}")
- private String adminClientId;
-
- private Keycloak keycloak;
-
- private Keycloak getKeycloak() {
- if (keycloak == null) {
- keycloak = KeycloakBuilder.builder()
- .serverUrl(authServerUrl)
- .username(adminUser)
- .password(adminPassword)
- .clientId(adminClientId)
- .realm(realm)
- .build();
- }
- return keycloak;
- }
-
- public String createUser(UserInfo user, String pwd) {
- Keycloak keycloak = getKeycloak();
- UsersResource usersResource = keycloak.realm(realm)
- .users();
- UserRepresentation userRepresentation = new UserRepresentation();
- userRepresentation.setUsername(user.getUid());
- userRepresentation.setGroups(Collections.singletonList(getGroup(user.getType())));
- userRepresentation.setRealmRoles(user.getRoles());
- if (user.getEmail() != null) {
- userRepresentation.setEmail(user.getEmail());
- }
- userRepresentation.setEnabled(true);
- userRepresentation.setFirstName(user.getNickName());
-
- CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
- credentialRepresentation.setType(CredentialRepresentation.PASSWORD);
- credentialRepresentation.setValue(pwd);
- credentialRepresentation.setTemporary(false);
- userRepresentation.setCredentials(Collections.singletonList(credentialRepresentation));
- javax.ws.rs.core.Response response = usersResource.create(userRepresentation);
- String url = response.getLocation().getPath();
- String newUid = url.substring(url.lastIndexOf("/") + 1);
-
- if (response.getStatus() >= 300) {
- log.error("create userRepresentation response:{}", JsonUtil.toJsonString(response));
- throw new BizException("create keycloak user failed");
- }
-
- return newUid;
- }
-
- public void updateUser(UserInfo user) {
- Keycloak keycloak = getKeycloak();
- UserResource userResource = keycloak.realm(realm)
- .users().get(user.getId());
- UserRepresentation userRepresentation = userResource.toRepresentation();
- if (user.getUid() != null) {
- userRepresentation.setUsername(user.getUid());
- }
- if (user.getEmail() != null) {
- userRepresentation.setEmail(user.getEmail());
- }
- if (user.getType() != null) {
- userRepresentation.setGroups(Arrays.asList(getGroup(user.getType())));
- }
- if (user.getRoles() != null) {
- userRepresentation.setRealmRoles(user.getRoles());
- }
- userResource.update(userRepresentation);
- }
-
- public UserInfo getUser(String uid) {
- Keycloak keycloak = getKeycloak();
- List users = keycloak.realm(realm)
- .users().search(uid);
- if (users.size() == 0) {
- return null;
- }
- UserRepresentation user = users.get(0);
-
- return UserInfo.builder()
- .id(user.getId())
- .uid(uid)
- .build();
- }
-
- public void resetUserPwd(String id, String pwd) {
- Keycloak keycloak = getKeycloak();
- UserResource userResource = keycloak.realm(realm)
- .users().get(id);
- UserRepresentation userRepresentation = userResource.toRepresentation();
-
- CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
- credentialRepresentation.setType(CredentialRepresentation.PASSWORD);
- credentialRepresentation.setValue(pwd);
- credentialRepresentation.setTemporary(false);
- userRepresentation.setCredentials(Arrays.asList(credentialRepresentation));
-
- userResource.update(userRepresentation);
- }
-
- public void deleteUser(String id) {
- Keycloak keycloak = getKeycloak();
- UserResource userResource = keycloak.realm(realm)
- .users().get(id);
- try {
- userResource.remove();
- } catch (javax.ws.rs.NotFoundException e) {
- log.warn("user does not exist");
- }
- }
-
- private String getGroup(Integer type) {
- if (type == null) {
- return "";
- }
- return type == UserInfo.USER_TYPE_PLATFORM
- ? "platform" : "client";
- }
-
-}