fix hs-web#164

zhou-hao · zhou-hao · commit c0c4829ca825 · 2020-06-20T18:21:19.000+08:00
diff --git a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
@@ -160,8 +160,7 @@ protected void handleRBAC(Authentication authentication, AuthorizeDefinition def
         // 控制权限
         if (!definition.getPermissions().isEmpty()) {
             if (logger.isInfoEnabled()) {
-                logger.info("执行权限控制:权限{}({}),操作{}.",
-                        definition.getPermissionDescription(),
+                logger.info("执行权限控制:权限{},操作{}.",
                         permissionsDef,
                         actionsDef);
             }
@@ -192,35 +191,39 @@ protected void handleRBAC(Authentication authentication, AuthorizeDefinition def
                     CollectionUtils.isNotEmpty(permissions) :
                     //权限数量和配置的数量相同
                     permissions.size() == permissionsDef.size();
+        } else {
+            access = false;
         }
         //控制角色
         if (!rolesDef.isEmpty()) {
-            if (logger.isInfoEnabled()) {
-                logger.info("do role access handle : roles{} , definition:{}", rolesDef, definition.getRoles());
-            }
-            Function<Predicate<Role>, Boolean> func = logicalIsOr
-                    ? authentication.getRoles().stream()::anyMatch
-                    : authentication.getRoles().stream()::allMatch;
+            Set<String> roleIds = authentication.getRoles().stream().map(Role::getId).collect(Collectors.toSet());
+
+            Function<Predicate<String>, Boolean> func = logicalIsOr
+                    ? roleIds.stream()::anyMatch
+                    : roleIds.stream()::allMatch;
 
             access = logicalIsOr
-                    ? access || func.apply(role -> rolesDef.contains(role.getId()))
-                    : access && func.apply(role -> rolesDef.contains(role.getId()));
+                    ? access || func.apply(rolesDef::contains)
+                    : access && func.apply(rolesDef::contains);
+            if (logger.isInfoEnabled()) {
+                logger.info("执行角色权限控制{},当前角色:{},限制角色:{}.", access ? "通过" : "拒绝", roleIds, rolesDef);
+            }
         }
         //控制用户
         if (!usersDef.isEmpty()) {
-            if (logger.isInfoEnabled()) {
-                logger.info("do user access handle : users{} , definition:{} ", usersDef, definition.getUser());
-            }
+            String username = authentication.getUser().getUsername();
             Function<Predicate<String>, Boolean> func = logicalIsOr
                     ? usersDef.stream()::anyMatch
                     : usersDef.stream()::allMatch;
             access = logicalIsOr
-                    ? access || func.apply(authentication.getUser().getUsername()::equals)
-                    : access && func.apply(authentication.getUser().getUsername()::equals);
-
-        }
-        if (!access) {
-            throw new AccessDenyException(definition.getMessage());
+                    ? access || func.apply(username::equals)
+                    : access && func.apply(username::equals);
+            if (logger.isInfoEnabled()) {
+                logger.info("执行用户权限控制{},当前用户:{},限制用户:{}.", access ? "通过" : "拒绝", username, usersDef);
+            }
+            if (!access) {
+                throw new AccessDenyException(definition.getMessage());
+            }
         }
     }
 }
diff --git a/hsweb-authorization/hsweb-authorization-basic/src/test/groovy/org/hswebframework/web/authorization/AuthorizeTests.java b/hsweb-authorization/hsweb-authorization-basic/src/test/groovy/org/hswebframework/web/authorization/AuthorizeTests.java
@@ -12,6 +12,7 @@
 import org.hswebframework.web.authorization.define.AuthorizeDefinition;
 import org.hswebframework.web.authorization.define.AuthorizingContext;
 import org.hswebframework.web.authorization.define.Phased;
+import org.hswebframework.web.authorization.exception.AccessDenyException;
 import org.hswebframework.web.authorization.simple.*;
 import org.hswebframework.web.boost.aop.context.MethodInterceptorContext;
 import org.hswebframework.web.commons.entity.param.QueryParamEntity;
@@ -37,6 +38,9 @@ public class AuthorizeTests {
     @Mock
     private MethodInterceptorContext dynamicQuery;
 
+    @Mock
+    private MethodInterceptorContext handleRole;
+
     @Mock
     private Authentication authentication;
 
@@ -67,6 +71,12 @@ public void init() throws NoSuchMethodException {
         when(dynamicQuery.getParams()).thenReturn(Collections.singletonMap("paramEntity", entity));
         when(dynamicQuery.getParameter("paramEntity")).thenReturn(Optional.of(entity));
 
+        //mock MethodInterceptorContext
+        when(handleRole.getMethod()).thenReturn(TestClass.class.getMethod("handleRoleDeny", QueryParamEntity.class));
+        when(handleRole.getTarget()).thenReturn(testClass);
+        when(handleRole.getParams()).thenReturn(Collections.singletonMap("paramEntity", entity));
+        when(handleRole.getParameter("paramEntity")).thenReturn(Optional.of(entity));
+
 
         //过滤字段
         AbstractDataAccessConfig fieldFilter = new SimpleFieldFilterDataAccessConfig("password", "salt");
@@ -110,9 +120,26 @@ public void testAuthorizingHandler() {
         authorizingContext.setDefinition(definition);
         authorizingContext.setParamContext(queryById);
 
-        handler.handRBAC(authorizingContext);
+        try {
+            handler.handRBAC(authorizingContext);
+            Assert.fail("role access handle fail");
+        } catch (AccessDenyException ignore) {
+
+        }
+    }
+
+    @Test
+    public void testIssue164() {
+        DefaultAuthorizingHandler handler = new DefaultAuthorizingHandler();
+
+        AuthorizeDefinition definition = parser.parse(handleRole.getTarget().getClass(), handleRole.getMethod());
 
+        AuthorizingContext authorizingContext = new AuthorizingContext();
+        authorizingContext.setAuthentication(authentication);
+        authorizingContext.setDefinition(definition);
+        authorizingContext.setParamContext(handleRole);
 
+        handler.handRBAC(authorizingContext);
     }
 
     /**
@@ -190,6 +217,12 @@ public void dynamicQuery(QueryParamEntity paramEntity) {
             System.out.println(JSON.toJSON(paramEntity));
         }
 
+
+        @Authorize(role = "admin")
+        public void handleRoleDeny(QueryParamEntity paramEntity) {
+            System.out.println(JSON.toJSON(paramEntity));
+        }
+
     }
 
     public interface TestClassSuper {
