Merge pull request #133 from TencentBlueKing/develop

1.11.7

VERSION

@@ -1 +1 @@
-1.11.6
+1.11.7

build/support-files/sql/0021_iam_20220425-1050_mysql.sql

@@ -0,0 +1,8 @@
+CREATE TABLE IF NOT EXISTS `bkiam`.`subject_black_list` (
+  `pk` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+  `subject_pk` INT UNSIGNED NOT NULL,
+  `created_at` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `updated_at` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  PRIMARY KEY (`pk`),
+  UNIQUE KEY `idx_uk_subject_pk` (`subject_pk`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;

cmd/iam.go

@@ -97,7 +97,7 @@ func Start() {
 	initSuperAppCode()
 	initSuperUser()
 	initSupportShieldFeatures()
-	initShareAppCode()
+	initSecurityAuditAppCode()
 	initComponents()
 	initQuota()
 	initSwitch()

cmd/init.go

@@ -151,8 +151,8 @@ func initSupportShieldFeatures() {
 	config.InitSupportShieldFeatures(globalConfig.SupportShieldFeatures)
 }
 
-func initShareAppCode() {
-	config.InitShareAppCode(globalConfig.ShareAppCode)
+func initSecurityAuditAppCode() {
+	config.InitSecurityAuditAppCode(globalConfig.SecurityAuditAppCode)
 }
 
 func initComponents() {

pkg/api/policy/handler/auth.go

@@ -12,6 +12,7 @@ package handler
 
 import (
 	"errors"
+	"fmt"
 	"time"
 
 	"github.com/TencentBlueKing/gopkg/errorx"
@@ -57,21 +58,30 @@ func Auth(c *gin.Context) {
 		return
 	}
 
+	// check blacklist
+	if cacheimpls.IsSubjectInBlackList(body.Subject.Type, body.Subject.ID) {
+		util.ForbiddenJSONResponse(
+			c,
+			fmt.Sprintf("subject(type=%s,id=%s) has been frozen", body.Subject.Type, body.Subject.ID),
+		)
+		return
+	}
+
 	hasSuperPerm, err := hasSystemSuperPermission(systemID, body.Subject.Type, body.Subject.ID)
 	if err != nil {
 		util.SystemErrorJSONResponse(c, err)
 		return
 	}
 
 	if hasSuperPerm {
-		util.SuccessJSONResponse(c, "ok", authResponse{
+		util.SuccessJSONResponse(c, "ok, as super_manager or system_manager", authResponse{
 			Allowed: true,
 		})
 		return
 	}
 
 	// 隔离结构体
-	var req = request.NewRequest()
+	req := request.NewRequest()
 	copyRequestFromAuthBody(req, &body)
 
 	// 鉴权
@@ -134,6 +144,15 @@ func BatchAuthByActions(c *gin.Context) {
 
 	result := make(authByActionsResponse, len(body.Actions))
 
+	// check blacklist
+	if cacheimpls.IsSubjectInBlackList(body.Subject.Type, body.Subject.ID) {
+		util.ForbiddenJSONResponse(
+			c,
+			fmt.Sprintf("subject(type=%s,id=%s) has been frozen", body.Subject.Type, body.Subject.ID),
+		)
+		return
+	}
+
 	// super admin and system admin
 	hasSuperPerm, err := hasSystemSuperPermission(systemID, body.Subject.Type, body.Subject.ID)
 	if err != nil {
@@ -145,7 +164,7 @@ func BatchAuthByActions(c *gin.Context) {
 		for _, action := range body.Actions {
 			result[action.ID] = true
 		}
-		util.SuccessJSONResponse(c, "ok", result)
+		util.SuccessJSONResponse(c, "ok, as super_manager or system_manager", result)
 		return
 	}
 
@@ -224,6 +243,14 @@ func BatchAuthByResources(c *gin.Context) {
 
 	data := make(authByResourcesResponse, len(body.ResourcesList))
 
+	if cacheimpls.IsSubjectInBlackList(body.Subject.Type, body.Subject.ID) {
+		util.ForbiddenJSONResponse(
+			c,
+			fmt.Sprintf("subject(type=%s,id=%s) has been frozen", body.Subject.Type, body.Subject.ID),
+		)
+		return
+	}
+
 	// super admin and system admin
 	hasSuperPerm, err := hasSystemSuperPermission(systemID, body.Subject.Type, body.Subject.ID)
 	if err != nil {
@@ -236,12 +263,12 @@ func BatchAuthByResources(c *gin.Context) {
 			data[buildResourceID(r)] = true
 		}
 
-		util.SuccessJSONResponse(c, "ok", data)
+		util.SuccessJSONResponse(c, "ok, as super_manager or system_manager", data)
 		return
 	}
 
 	// 隔离结构体
-	var req = request.NewRequest()
+	req := request.NewRequest()
 	copyRequestFromAuthByResourcesBody(req, &body)
 
 	// 鉴权

pkg/api/policy/handler/query.go

@@ -12,13 +12,15 @@ package handler
 
 import (
 	"errors"
+	"fmt"
 
 	"github.com/TencentBlueKing/gopkg/errorx"
 	"github.com/gin-gonic/gin"
 
 	"iam/pkg/abac/pdp"
 	"iam/pkg/abac/types"
 	"iam/pkg/abac/types/request"
+	"iam/pkg/cacheimpls"
 	"iam/pkg/logging/debug"
 	"iam/pkg/util"
 )
@@ -55,19 +57,27 @@ func Query(c *gin.Context) {
 		return
 	}
 
+	if cacheimpls.IsSubjectInBlackList(body.Subject.Type, body.Subject.ID) {
+		util.ForbiddenJSONResponse(
+			c,
+			fmt.Sprintf("subject(type=%s,id=%s) has been frozen", body.Subject.Type, body.Subject.ID),
+		)
+		return
+	}
+
 	hasSuperPerm, err := hasSystemSuperPermission(systemID, body.Subject.Type, body.Subject.ID)
 	if err != nil {
 		util.SystemErrorJSONResponse(c, err)
 		return
 	}
 
 	if hasSuperPerm {
-		util.SuccessJSONResponse(c, "ok", AnyExpression)
+		util.SuccessJSONResponse(c, "ok, as super_manager or system_manager", AnyExpression)
 		return
 	}
 
 	// 隔离结构体
-	var req = request.NewRequest()
+	req := request.NewRequest()
 	copyRequestFromQueryBody(req, &body)
 
 	var entry *debug.Entry
@@ -133,6 +143,14 @@ func BatchQueryByActions(c *gin.Context) {
 
 	policies := make([]actionPoliciesResponse, 0, len(body.Actions))
 
+	if cacheimpls.IsSubjectInBlackList(body.Subject.Type, body.Subject.ID) {
+		util.ForbiddenJSONResponse(
+			c,
+			fmt.Sprintf("subject(type=%s,id=%s) has been frozen", body.Subject.Type, body.Subject.ID),
+		)
+		return
+	}
+
 	hasSuperPerm, err := hasSystemSuperPermission(systemID, body.Subject.Type, body.Subject.ID)
 	if err != nil {
 		util.SystemErrorJSONResponse(c, err)
@@ -146,7 +164,7 @@ func BatchQueryByActions(c *gin.Context) {
 				Condition: AnyExpression,
 			})
 		}
-		util.SuccessJSONResponse(c, "ok", policies)
+		util.SuccessJSONResponse(c, "ok, as super_manager or system_manager", policies)
 		return
 	}
 
@@ -226,6 +244,14 @@ func QueryByExtResources(c *gin.Context) {
 		return
 	}
 
+	if cacheimpls.IsSubjectInBlackList(body.Subject.Type, body.Subject.ID) {
+		util.ForbiddenJSONResponse(
+			c,
+			fmt.Sprintf("subject(type=%s,id=%s) has been frozen", body.Subject.Type, body.Subject.ID),
+		)
+		return
+	}
+
 	hasSuperPerm, err := hasSystemSuperPermission(systemID, body.Subject.Type, body.Subject.ID)
 	if err != nil {
 		util.SystemErrorJSONResponse(c, err)
@@ -250,15 +276,15 @@ func QueryByExtResources(c *gin.Context) {
 			extResourcesWithAttr = append(extResourcesWithAttr, extResourceWithAttr)
 		}
 
-		util.SuccessJSONResponse(c, "ok", map[string]interface{}{
+		util.SuccessJSONResponse(c, "ok, as super_manager or system_manager", map[string]interface{}{
 			"expression":    AnyExpression,
 			"ext_resources": extResourcesWithAttr,
 		})
 		return
 	}
 
 	// 隔离结构体
-	var req = request.NewRequest()
+	req := request.NewRequest()
 	copyRequestFromQueryBody(req, &body.queryRequest)
 
 	var entry *debug.Entry

pkg/api/policy/handler/util.go

@@ -153,7 +153,9 @@ func buildResourceID(rs []resource) string {
 	return strings.Join(nodes, "/")
 }
 
-// ValidateSystemMatchClient ...
+// ValidateSystemMatchClient will check if the client can call the system's policy/[query/auth]
+// note that, the audit app_code can access all system's policy/[query/auth]
+// so, this function should be only called in this module: policy/handler
 func ValidateSystemMatchClient(systemID, clientID string) error {
 	if systemID == "" || clientID == "" {
 		return fmt.Errorf("system_id or client_id do not allow empty")
@@ -164,6 +166,11 @@ func ValidateSystemMatchClient(systemID, clientID string) error {
 		return fmt.Errorf("get system(%s) valid clients fail, err=%w", systemID, err)
 	}
 
+	// security audit app can be the valid client of all systems
+	if config.SecurityAuditAppCode.Has(clientID) {
+		return nil
+	}
+
 	for _, c := range validClients {
 		if clientID == c {
 			return nil

pkg/api/policy/handler/util_test.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/TencentBlueKing/gopkg/cache"
 	"github.com/TencentBlueKing/gopkg/cache/memory"
+	"github.com/TencentBlueKing/gopkg/collection/set"
 	"github.com/agiledragon/gomonkey/v2"
 	. "github.com/onsi/ginkgo/v2"
 	"github.com/stretchr/testify/assert"
@@ -217,7 +218,6 @@ func TestAnyExpression(t *testing.T) {
 }
 
 var _ = Describe("util", func() {
-
 	Describe("validateSystemSuperUser", func() {
 		var patches *gomonkey.Patches
 		BeforeEach(func() {
@@ -279,7 +279,6 @@ var _ = Describe("util", func() {
 	})
 
 	Describe("buildResourceID", func() {
-
 		It("empty", func() {
 			uid := buildResourceID([]resource{})
 			assert.Equal(GinkgoT(), uid, "")
@@ -315,16 +314,16 @@ var _ = Describe("util", func() {
 })
 
 func Test_validateSystemMatchClient(t *testing.T) {
-	var (
-		expiration = 5 * time.Minute
-	)
+	expiration := 5 * time.Minute
 	retrieveFunc := func(key cache.Key) (interface{}, error) {
 		return []string{"test"}, nil
 	}
 	mockCache := memory.NewCache(
 		"mockCache", false, retrieveFunc, expiration, nil)
 	cacheimpls.LocalSystemClientsCache = mockCache
 
+	config.SecurityAuditAppCode = set.NewStringSetWithValues([]string{"audit_app"})
+
 	type args struct {
 		systemID string
 		clientID string
@@ -342,6 +341,14 @@ func Test_validateSystemMatchClient(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "right, secure audit app",
+			args: args{
+				systemID: "test",
+				clientID: "audit_app",
+			},
+			want: true,
+		},
 		{
 			name: "empty_system",
 			args: args{