Merge remote-tracking branch 'upstream/main'

ruibaby · Sep 25, 2023 · 1196dba · 1196dba
2 parents 28ba181 + 5fa0056
commit 1196dba
Show file tree

Hide file tree

Showing 75 changed files with 4,002 additions and 781 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.en.yml b/.github/ISSUE_TEMPLATE/bug_report.en.yml
@@ -30,15 +30,16 @@ body:
         - MariaDB
         - Other
   - type: dropdown
-    id: deployment-method
+    id: operation-method
     validations:
       required: true
     attributes:
-      label: "What is your deployment method?"
+      label: "What is the project operation method?"
       options:
         - Docker
         - Docker Compose
         - Fat Jar
+        - Source Code
   - type: input
     id: site-url
     attributes:
@@ -55,7 +56,7 @@ body:
     id: what-happened
     attributes:
       label: "What happened?"
-      description: "Also tell us, what did you expect to happen?"
+      description: "For ease of management, please do not report multiple unrelated issues under the same issue."
     validations:
       required: true
   - type: textarea

diff --git a/.github/ISSUE_TEMPLATE/bug_report.zh.yml b/.github/ISSUE_TEMPLATE/bug_report.zh.yml
@@ -31,15 +31,16 @@ body:
         - MariaDB
         - Other
   - type: dropdown
-    id: deployment-method
+    id: operation-method
     validations:
       required: true
     attributes:
-      label: "使用的哪种方式部署？"
+      label: "使用的哪种方式运行？"
       options:
         - Docker
         - Docker Compose
         - Fat Jar
+        - Source Code
   - type: input
     id: site-url
     attributes:
@@ -56,7 +57,7 @@ body:
     id: what-happened
     attributes:
       label: "发生了什么？"
-      description: "最好还告诉我们，你预计会发生什么。"
+      description: "为了方便我们管理，请不要在同一个 issue 下报告多个不相关的问题。"
     validations:
       required: true
   - type: textarea

diff --git a/.github/ISSUE_TEMPLATE/feature_request.en.yml b/.github/ISSUE_TEMPLATE/feature_request.en.yml
@@ -21,6 +21,7 @@ body:
     id: description
     attributes:
       label: "Describe this feature"
+      description: "For ease of management, please do not submit multiple unrelated features under the same issue."
     validations:
       required: true
   - type: textarea

diff --git a/.github/ISSUE_TEMPLATE/feature_request.zh.yml b/.github/ISSUE_TEMPLATE/feature_request.zh.yml
@@ -21,6 +21,7 @@ body:
     id: description
     attributes:
       label: "描述一下此特性"
+      description: "为了方便我们管理，请不要在同一个 issue 下提交多个没有相关性的特性。"
     validations:
       required: true
   - type: textarea

diff --git a/.github/workflows/halo.yaml b/.github/workflows/halo.yaml
@@ -60,5 +60,5 @@ jobs:
           ghcr-token: ${{ secrets.GHCR_TOKEN }}
           dockerhub-user: ${{ secrets.DOCKER_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_TOKEN }}
-          push: ${{ github.event_name == 'push' || github.event_name == 'release' }} # we only push to GHCR if the push is to the next branch
+          push: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || github.event_name == 'release' }}
           console-ref: ${{ github.event_name == 'release' &&  github.ref || 'main' }}
diff --git a/api/src/main/java/run/halo/app/core/extension/Role.java b/api/src/main/java/run/halo/app/core/extension/Role.java
@@ -38,6 +38,8 @@ public class Role extends AbstractExtension {
 
     public static final String SYSTEM_RESERVED_LABELS =
         "rbac.authorization.halo.run/system-reserved";
+    public static final String HIDDEN_LABEL_NAME = "halo.run/hidden";
+    public static final String TEMPLATE_LABEL_NAME = "halo.run/role-template";
     public static final String UI_PERMISSIONS_AGGREGATED_ANNO =
         "rbac.authorization.halo.run/ui-permissions-aggregated";
 

diff --git a/api/src/main/java/run/halo/app/security/PersonalAccessToken.java b/api/src/main/java/run/halo/app/security/PersonalAccessToken.java
@@ -0,0 +1,53 @@
+package run.halo.app.security;
+
+import static io.swagger.v3.oas.annotations.media.Schema.RequiredMode.REQUIRED;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+import java.time.Instant;
+import java.util.List;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+import run.halo.app.extension.AbstractExtension;
+import run.halo.app.extension.GVK;
+
+@Data
+@ToString(callSuper = true)
+@EqualsAndHashCode(callSuper = true)
+@GVK(group = "security.halo.run", version = "v1alpha1", kind = PersonalAccessToken.KIND,
+    plural = "personalaccesstokens", singular = "personalaccesstoken")
+public class PersonalAccessToken extends AbstractExtension {
+
+    public static final String KIND = "PersonalAccessToken";
+
+    private Spec spec = new Spec();
+
+    @Data
+    @Schema(name = "PatSpec")
+    public static class Spec {
+
+        @Schema(requiredMode = REQUIRED)
+        private String name;
+
+        private String description;
+
+        private Instant expiresAt;
+
+        private List<String> roles;
+
+        private List<String> scopes;
+
+        @Schema(requiredMode = REQUIRED)
+        private String username;
+
+        private boolean revoked;
+
+        private Instant revokesAt;
+
+        private Instant lastUsed;
+
+        @Schema(requiredMode = REQUIRED)
+        private String tokenId;
+
+    }
+}
diff --git a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@@ -1,6 +1,7 @@
 package run.halo.app.config;
 
 import static org.springframework.security.config.Customizer.withDefaults;
+import static org.springframework.security.web.server.authentication.ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.builder;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
 
 import java.util.Set;
@@ -26,6 +27,7 @@
 import org.springframework.web.reactive.function.server.ServerResponse;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.core.extension.service.UserService;
+import run.halo.app.extension.ReactiveExtensionClient;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.plugin.extensionpoint.ExtensionGetter;
@@ -37,6 +39,9 @@
 import run.halo.app.security.authentication.login.PublicKeyRouteBuilder;
 import run.halo.app.security.authentication.login.RsaKeyScheduledGenerator;
 import run.halo.app.security.authentication.login.impl.RsaKeyService;
+import run.halo.app.security.authentication.pat.PatAuthenticationManager;
+import run.halo.app.security.authentication.pat.PatJwkSupplier;
+import run.halo.app.security.authentication.pat.PatServerWebExchangeMatcher;
 import run.halo.app.security.authorization.RequestInfoAuthorizationManager;
 
 /**
@@ -55,7 +60,9 @@ SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http,
         RoleService roleService,
         ObjectProvider<SecurityConfigurer> securityConfigurers,
         ServerSecurityContextRepository securityContextRepository,
-        ExtensionGetter extensionGetter) {
+        ExtensionGetter extensionGetter,
+        ReactiveExtensionClient client,
+        PatJwkSupplier patJwkSupplier) {
 
         http.securityMatcher(pathMatchers("/api/**", "/apis/**", "/oauth2/**",
                 "/login/**", "/logout", "/actuator/**"))
@@ -68,6 +75,14 @@ SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http,
             })
             .securityContextRepository(securityContextRepository)
             .httpBasic(withDefaults())
+            .oauth2ResourceServer(oauth2 -> {
+                var authManagerResolver = builder().add(
+                        new PatServerWebExchangeMatcher(),
+                        new PatAuthenticationManager(client, patJwkSupplier))
+                    // TODO Add other authentication mangers here. e.g.: JwtAuthentiationManager.
+                    .build();
+                oauth2.authenticationManagerResolver(authManagerResolver);
+            })
             .exceptionHandling(
                 spec -> spec.authenticationEntryPoint(new DefaultServerAuthenticationEntryPoint()));
 

diff --git a/application/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java b/application/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
@@ -13,6 +13,7 @@
 import static run.halo.app.extension.ListResult.generateGenericClass;
 import static run.halo.app.extension.router.QueryParamBuildUtil.buildParametersFromType;
 import static run.halo.app.extension.router.selector.SelectorUtil.labelAndFieldSelectorToPredicate;
+import static run.halo.app.security.authorization.AuthorityUtils.authoritiesToRoles;
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.google.common.io.Files;
@@ -21,6 +22,7 @@
 import io.swagger.v3.oas.annotations.media.Schema;
 import java.time.Duration;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -31,8 +33,9 @@
 import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicInteger;
-import java.util.function.Function;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.apache.commons.lang3.StringUtils;
 import org.springdoc.core.fn.builders.requestbody.Builder;
@@ -483,45 +486,86 @@ record GrantRequest(Set<String> roles) {
 
     @NonNull
     private Mono<ServerResponse> getUserPermission(ServerRequest request) {
-        String name = request.pathVariable("name");
-        return ReactiveSecurityContextHolder.getContext()
-            .map(ctx -> SELF_USER.equals(name) ? ctx.getAuthentication().getName() : name)
-            .flatMapMany(userService::listRoles)
-            .reduce(new LinkedHashSet<Role>(), (list, role) -> {
-                list.add(role);
-                return list;
-            })
-            .flatMap(roles -> uiPermissions(roles)
-                .collectList()
-                .map(uiPermissions -> new UserPermission(roles, Set.copyOf(uiPermissions)))
-                .defaultIfEmpty(new UserPermission(roles, Set.of()))
-            )
-            .flatMap(result -> ServerResponse.ok()
-                .contentType(MediaType.APPLICATION_JSON)
-                .bodyValue(result)
-            );
+        var name = request.pathVariable("name");
+        Mono<UserPermission> userPermission;
+        if (SELF_USER.equals(name)) {
+            userPermission = ReactiveSecurityContextHolder.getContext()
+                .map(SecurityContext::getAuthentication)
+                .flatMap(auth -> {
+                    var roleNames = authoritiesToRoles(auth.getAuthorities());
+                    var up = new UserPermission();
+                    var roles = roleService.list(roleNames)
+                        .collect(Collectors.toSet())
+                        .doOnNext(up::setRoles)
+                        .then();
+                    var permissions = roleService.listPermissions(roleNames)
+                        .distinct()
+                        .collectList()
+                        .doOnNext(up::setPermissions)
+                        .doOnNext(perms -> {
+                            var uiPermissions = uiPermissions(new HashSet<>(perms));
+                            up.setUiPermissions(uiPermissions);
+                        })
+                        .then();
+                    return roles.and(permissions).thenReturn(up);
+                });
+        } else {
+            // get roles from username
+            userPermission = userService.listRoles(name)
+                .collect(Collectors.toSet())
+                .flatMap(roles -> {
+                    var up = new UserPermission();
+                    var setRoles = Mono.fromRunnable(() -> up.setRoles(roles)).then();
+                    var roleNames = roles.stream()
+                        .map(role -> role.getMetadata().getName())
+                        .collect(Collectors.toSet());
+                    var setPermissions = roleService.listPermissions(roleNames)
+                        .distinct()
+                        .collectList()
+                        .doOnNext(up::setPermissions)
+                        .doOnNext(perms -> {
+                            var uiPermissions = uiPermissions(new HashSet<>(perms));
+                            up.setUiPermissions(uiPermissions);
+                        })
+                        .then();
+                    return setRoles.and(setPermissions).thenReturn(up);
+                });
+        }
+
+        return ServerResponse.ok().body(userPermission, UserPermission.class);
     }
 
-    private Flux<String> uiPermissions(Set<Role> roles) {
-        return Flux.fromIterable(roles)
-            .map(role -> role.getMetadata().getName())
-            .collectList()
-            .flatMapMany(roleNames -> roleService.listDependenciesFlux(Set.copyOf(roleNames)))
-            .map(role -> {
-                Map<String, String> annotations = MetadataUtil.nullSafeAnnotations(role);
-                String uiPermissionStr = annotations.get(Role.UI_PERMISSIONS_ANNO);
-                if (StringUtils.isBlank(uiPermissionStr)) {
-                    return new HashSet<String>();
+    private Set<String> uiPermissions(Set<Role> roles) {
+        if (CollectionUtils.isEmpty(roles)) {
+            return Collections.emptySet();
+        }
+        return roles.stream()
+            .<Set<String>>map(role -> {
+                var annotations = role.getMetadata().getAnnotations();
+                if (annotations == null) {
+                    return Set.of();
                 }
-                return JsonUtils.jsonToObject(uiPermissionStr,
+                var uiPermissionsJson = annotations.get(Role.UI_PERMISSIONS_ANNO);
+                if (StringUtils.isBlank(uiPermissionsJson)) {
+                    return Set.of();
+                }
+                return JsonUtils.jsonToObject(uiPermissionsJson,
                     new TypeReference<LinkedHashSet<String>>() {
                     });
             })
-            .flatMapIterable(Function.identity());
+            .flatMap(Set::stream)
+            .collect(Collectors.toSet());
     }
 
-    record UserPermission(@Schema(requiredMode = REQUIRED) Set<Role> roles,
-                          @Schema(requiredMode = REQUIRED) Set<String> uiPermissions) {
+    @Data
+    public static class UserPermission {
+        @Schema(requiredMode = REQUIRED)
+        private Set<Role> roles;
+        @Schema(requiredMode = REQUIRED)
+        private List<Role> permissions;
+        @Schema(requiredMode = REQUIRED)
+        private Set<String> uiPermissions;
+
     }
 
     public class ListRequest extends IListRequest.QueryListRequest {

diff --git a/application/src/main/java/run/halo/app/core/extension/reconciler/PluginReconciler.java b/application/src/main/java/run/halo/app/core/extension/reconciler/PluginReconciler.java
@@ -142,7 +142,7 @@ boolean readinessDetection(String name) {
                 if (waitForSettingCreation(plugin)) {
                     return true;
                 }
-                createInitialReverseProxyIfNotPresent(plugin);
+                recreateDefaultReverseProxy(plugin);
 
                 updateStatus(name, status -> {
                     String logoUrl = generateAccessibleLogoUrl(plugin);
@@ -764,7 +764,7 @@ Path determinePluginLocation(Plugin plugin) {
         return Paths.get(pluginLocation);
     }
 
-    void createInitialReverseProxyIfNotPresent(Plugin plugin) {
+    void recreateDefaultReverseProxy(Plugin plugin) {
         String pluginName = plugin.getMetadata().getName();
         String reverseProxyName = initialReverseProxyName(pluginName);
         ReverseProxy reverseProxy = new ReverseProxy();
@@ -785,11 +785,9 @@ void createInitialReverseProxyIfNotPresent(Plugin plugin) {
 
         client.fetch(ReverseProxy.class, reverseProxyName)
             .ifPresentOrElse(persisted -> {
-                if (isDevelopmentMode(pluginName)) {
-                    reverseProxy.getMetadata()
-                        .setVersion(persisted.getMetadata().getVersion());
-                    client.update(reverseProxy);
-                }
+                reverseProxy.getMetadata()
+                    .setVersion(persisted.getMetadata().getVersion());
+                client.update(reverseProxy);
             }, () -> client.create(reverseProxy));
     }
 

diff --git a/application/src/main/java/run/halo/app/core/extension/service/DefaultRoleBindingService.java b/application/src/main/java/run/halo/app/core/extension/service/DefaultRoleBindingService.java
@@ -6,6 +6,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
+import run.halo.app.security.authorization.AuthorityUtils;
 
 /**
  * <p>Obtain the authorities from the authenticated authentication and construct it as a RoleBinding
@@ -21,8 +22,8 @@
  */
 @Slf4j
 public class DefaultRoleBindingService implements RoleBindingService {
-    private static final String SCOPE_AUTHORITY_PREFIX = "SCOPE_";
-    private static final String ROLE_AUTHORITY_PREFIX = "ROLE_";
+    private static final String SCOPE_AUTHORITY_PREFIX = AuthorityUtils.SCOPE_PREFIX;
+    private static final String ROLE_AUTHORITY_PREFIX = AuthorityUtils.ROLE_PREFIX;
 
     @Override
     public Set<String> listBoundRoleNames(Collection<? extends GrantedAuthority> authorities) {