gin casbin xorm vue-admin权限认证。

1、因为用到是gin所以直接指定rbac吧。

一般都是使用:角色,操作路径,操作类型来做权限。如果还要弄更多,这里就不涉及更多了

首先配置文件

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")

2、从数据库加载角色配置

package main

import (
	"github.com/casbin/casbin/v2"
	_ "github.com/lib/pq"

	"github.com/casbin/xorm-adapter"
)

func main() {
	// Initialize a Xorm adapter and use it in a Casbin enforcer:
	// The adapter will use the Postgres database named "casbin".
	// If it doesn't exist, the adapter will create it automatically.
	a, _ := xormadapter.NewAdapter("postgres", "user=postgres_username password=postgres_password host=127.0.0.1 port=5432 sslmode=disable") // Your driver and data source.

	// Or you can use an existing DB "abc" like this:
	// The adapter will use the table named "casbin_rule".
	// If it doesn't exist, the adapter will create it automatically.
	// a := xormadapter.NewAdapter("postgres", "dbname=abc user=postgres_username password=postgres_password host=127.0.0.1 port=5432 sslmode=disable", true)

	e, _ := casbin.NewEnforcer("../examples/rbac_model.conf", a)

	// Load the policy from DB.
	e.LoadPolicy()
}

 上面这个是官方提供的从数据加载权限配置的案例。里面会给自动生成数据库,自动生成表。

    那么作为一个要集成到自己项目里面的功能,有一个表跟自己的表。。。nb_开头太格格不入了。所以可以拿它出来进行改写。

// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package utils

import (
	"errors"
	model2 "notebooks/model"
	"runtime"
	"strings"

	"github.com/casbin/casbin/v2/model"
	"github.com/casbin/casbin/v2/persist"
	"github.com/lib/pq"
	"github.com/xormplus/xorm"
)

// Adapter represents the Xorm adapter for policy storage.
type Adapter struct {
	driverName     string
	dataSourceName string
	dbSpecified    bool
	engine         *xorm.Engine
}

// finalizer is the destructor for Adapter.
func finalizer(a *Adapter) {
	err := a.engine.Close()
	if err != nil {
		panic(err)
	}
}

// NewAdapter is the constructor for Adapter.
// dbSpecified is an optional bool parameter. The default value is false.
// It's up to whether you have specified an existing DB in dataSourceName.
// If dbSpecified == true, you need to make sure the DB in dataSourceName exists.
// If dbSpecified == false, the adapter will automatically create a DB named "casbin".
func NewAdapter() (*Adapter, error) {
	a := &Adapter{}
	// Open the DB, create it if not existed.
	err := a.open()
	if err != nil {
		return nil, err
	}

	// Call the destructor when the object is released.
	runtime.SetFinalizer(a, finalizer)

	return a, nil
}
//通过已有的engine生成
func NewAdapterByEngine(engine *xorm.Engine) (*Adapter, error) {
	a := &Adapter{
		engine: engine,
	}

	err := a.createTable()
	if err != nil {
		return nil, err
	}

	return a, nil
}
//生成数据库
func (a *Adapter) createDatabase() (err error) {

	if a.driverName == "postgres" {
		if _, err = AppEngine.Exec("CREATE DATABASE casbin"); err != nil {
			// 42P04 is	duplicate_database
			if pqerr, ok := err.(*pq.Error); ok && pqerr.Code == "42P04" {
				AppEngine.Close()
				return nil
			}
		}
	} else if a.driverName != "sqlite3" {
		_, err = AppEngine.Exec("CREATE DATABASE IF NOT EXISTS casbin")
	}
	if err != nil {
		AppEngine.Close()
		return err
	}

	return AppEngine.Close()
}

func (a *Adapter) open() error {
	a.engine = AppEngine

	return a.createTable()
}

func (a *Adapter) close() error {
	err := a.engine.Close()
	if err != nil {
		return err
	}

	a.engine = nil
	return nil
}

func (a *Adapter) createTable() error {
	return a.engine.Sync2(new(model2.NbCasbinRule))
}

func (a *Adapter) dropTable() error {
	return a.engine.DropTables(new(model2.NbCasbinRule))
}

//原生加载一条权限
func loadPolicyLine(line *model2.NbCasbinRule, model model.Model) {
	const prefixLine = ", "
	var sb strings.Builder

	sb.WriteString(line.PType)
	if len(line.V0) > 0 {
		sb.WriteString(prefixLine)
		sb.WriteString(line.V0)
	}
	if len(line.V1) > 0 {
		sb.WriteString(prefixLine)
		sb.WriteString(line.V1)
	}
	if len(line.V2) > 0 {
		sb.WriteString(prefixLine)
		sb.WriteString(line.V2)
	}
	if len(line.V3) > 0 {
		sb.WriteString(prefixLine)
		sb.WriteString(line.V3)
	}
	if len(line.V4) > 0 {
		sb.WriteString(prefixLine)
		sb.WriteString(line.V4)
	}
	if len(line.V5) > 0 {
		sb.WriteString(prefixLine)
		sb.WriteString(line.V5)
	}

	persist.LoadPolicyLine(sb.String(), model)
}

// 从数据库查询权限
func (a *Adapter) LoadPolicy(model model.Model) error {
	var lines []*model2.NbCasbinRule
	if err := a.engine.Find(&lines); err != nil {
		return err
	}
   //一条一条地加载
	for _, line := range lines {
		loadPolicyLine(line, model)
	}

	return nil
}

//这个是配置一条权限,返回一条数据
func savePolicyLine(ptype string, rule []string, colId int) *model2.NbCasbinRule {
	line := &model2.NbCasbinRule{PType: ptype}

	l := len(rule)
	if l > 0 {
		line.V0 = rule[0]
	}
	if l > 1 {
		line.V1 = rule[1]
	}
	if l > 2 {
		line.V2 = rule[2]
	}
	if l > 3 {
		line.V3 = rule[3]
	}
	if l > 4 {
		line.V4 = rule[4]
	}
	if l > 5 {
		line.V5 = rule[5]
	}
    line.ColId=colId
	return line
}

// 这个是将文件里写好的配置文件,写入数据库不能使用
func (a *Adapter) SavePolicy(model model.Model) error {
	if 1==1{
		return errors.New("不能使用本方法")
	}
	return nil
	/*
	err := a.dropTable()
	if err != nil {
		return err
	}
	err = a.createTable()
	if err != nil {
		return err
	}

	var lines []*model2.NbCasbinRule

	for ptype, ast := range model["p"] {
		for _, rule := range ast.Policy {
			line := savePolicyLine(ptype, rule)
			lines = append(lines, line)
		}
	}

	for ptype, ast := range model["g"] {
		for _, rule := range ast.Policy {
			line := savePolicyLine(ptype, rule)
			lines = append(lines, line)
		}
	}

	_, err = a.engine.Insert(&lines)
	return err
	*/
}

// 添加一条权限,但是只是添加,没有入配置的,要重新使用loadPolicy(看情况处理,后期可能要做一下性能处理,再加载)
func (a *Adapter) AddPolicyNew(sec string, ptype string, rule []string,colId int) error {
	line := savePolicyLine(ptype, rule,colId)
	_, err := a.engine.Insert(line)
	return err
}
// 添加一条权限,但是只是添加,没有入配置的,要重新使用loadPolicy(看情况处理,后期可能要做一下性能处理,再加载)
func (a *Adapter) AddPolicy(sec string, ptype string, rule []string) error {
	line := savePolicyLine(ptype, rule,0)
	_, err := a.engine.Insert(line)
	return err
}
// 删除一条权限,同样没有入配置(看情况处理,后期可能要做一下性能处理,再加载)
func (a *Adapter) RemovePolicyNew(sec string, ptype string, rule []string,colId int) error {
	line := savePolicyLine(ptype, rule,colId)
	_, err := a.engine.Delete(line)
	return err
}
// 删除一条权限,同样没有入配置(看情况处理,后期可能要做一下性能处理,再加载)
func (a *Adapter) RemovePolicy(sec string, ptype string, rule []string) error {
	line := savePolicyLine(ptype, rule,0)
	_, err := a.engine.Delete(line)
	return err
}

// 根据配置删除相应的一条权限(少用吧),同样要重新加载
func (a *Adapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error {
	if 1==1{
		return errors.New("不能使用本方法")
	}
	line := &model2.NbCasbinRule{PType: ptype}

	idx := fieldIndex + len(fieldValues)
	if fieldIndex <= 0 && idx > 0 {
		line.V0 = fieldValues[0-fieldIndex]
	}
	if fieldIndex <= 1 && idx > 1 {
		line.V1 = fieldValues[1-fieldIndex]
	}
	if fieldIndex <= 2 && idx > 2 {
		line.V2 = fieldValues[2-fieldIndex]
	}
	if fieldIndex <= 3 && idx > 3 {
		line.V3 = fieldValues[3-fieldIndex]
	}
	if fieldIndex <= 4 && idx > 4 {
		line.V4 = fieldValues[4-fieldIndex]
	}
	if fieldIndex <= 5 && idx > 5 {
		line.V5 = fieldValues[5-fieldIndex]
	}

	_, err := a.engine.Delete(line)
	return err
}

 

在这里,直接把里面的生成结构写成与自己风格一致的struct,并放在model里,这样,它就不会生成原版的表,而是生成model里的表了,在里面使用到的engine可以使用自己全局的定义的db engine。保证配置数据库连接只有一个地方。

里面的方法基本上根据自己的业务写在自己的service里,并不一定要用它原来的写法。

3、到这里,已经可以从数据库里加载自己想要的权限了。那么,要怎么放入权限呢

casbinrule原表有,ptype,v0,v1,v2,v3,v4,v5.目前只使用到ptype,v0,v1,v2

ptype写死为p,v0为角色,v1为操作路径v2为方式,如:ptype:p,v0:supperAdmin,v1:/money/all_in_my_card,v2:POST

说明supperAdmin有路径/money/all_in_my_card操作post的权限

根据自己的业务要求,把对应的数据生成放到表后。下面使用中间件来进行验证

func CheckPermission() gin.HandlerFunc {
	return func(c *gin.Context) {
		//根据上下文获取载荷claims 从claims获得role
		strClaims, has := c.Get("claims")
		if has {
			claims := strClaims.(*CustomClaims)
			role := claims.Role
			if len(role) < 3 {
				c.JSON(http.StatusOK, gin.H{
					"errno":  403,
					"errmsg": "验证权限出错",
				})
				c.Abort()
				return
			}
			rolsString := role[1 : len(role)-1]
			roleArr := strings.Split(rolsString, ",")
			var fitErr error
			var has bool
			var err error
			for _, oneRole := range roleArr {
				has, err = utils.CasbinEn.Enforce( oneRole, c.Request.URL.Path, c.Request.Method)
				if err != nil {
					fitErr = err
					break
				}
				if has {
					break
				}
			}
			if fitErr != nil {
				c.JSON(http.StatusOK, gin.H{
					"errno":  403,
					"errmsg": "验证权限出错",
				})
				c.Abort()
				return
			}
			if has {
				c.Next()
			} else {
				c.JSON(http.StatusOK, gin.H{
					"errno": 403,
					"msg":   "很抱歉您没有此权限",
				})
				c.Abort()
				return
			}
		} else {
			c.Next()
		}
	}
}

  

4、上面是处理好的后台权限的控制。(需搭配jwt验证一起使用)。那么vue-admin里怎么控制呢.

vue-admin有一个perms的权限处理。在后台生成"perms":["GET /sys/admin","GET /sys/log","GET /sys/os","GET /sys/role"]给到前台就行。

其实就是根据用户的角色,查询casbinrule里的v1,v2,组成json list返回就可以。

 

上面是这段时间改写casbin权限用到的一点看法,以及实际的步骤。  

posted @ 2020-05-15 17:19  你好啊,再见了  阅读(1047)  评论(0编辑  收藏  举报