From 84d5e3800e1557d7b315e3de2f94904d02a129f9 Mon Sep 17 00:00:00 2001
From: shylinux <shylinux@icloud.com>
Date: Wed, 17 Jun 2020 16:36:18 +0800
Subject: [PATCH] opt aaa

---
 base/aaa/role.go | 116 +++++++++++++++++++++++++++++++++++++++++++++++
 base/aaa/sess.go |  73 +++++++++++++++++++++++++++++
 base/aaa/user.go | 109 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 298 insertions(+)
 create mode 100644 base/aaa/role.go
 create mode 100644 base/aaa/sess.go
 create mode 100644 base/aaa/user.go

diff --git a/base/aaa/role.go b/base/aaa/role.go
new file mode 100644
index 00000000..540adb00
--- /dev/null
+++ b/base/aaa/role.go
@@ -0,0 +1,116 @@
+package aaa
+
+import (
+	"github.com/shylinux/icebergs"
+	"github.com/shylinux/toolkits"
+)
+
+const ( // 用户角色
+	ROOT = "root"
+	TECH = "tech"
+	VOID = "void"
+)
+const ( // 角色操作
+	White = "white"
+	Black = "black"
+	Right = "right"
+	Prune = "prune"
+	Clear = "clear"
+)
+const ( // 返回结果
+	OK = "ok"
+)
+
+func _role_list(m *ice.Message, userrole string) {
+	m.Richs(ROLE, nil, kit.Select(kit.MDB_FOREACH, userrole), func(key string, value map[string]interface{}) {
+		for k := range value[White].(map[string]interface{}) {
+			m.Push(ROLE, kit.Value(value, kit.MDB_NAME))
+			m.Push(kit.MDB_ZONE, White)
+			m.Push(kit.MDB_KEY, k)
+		}
+		for k := range value[Black].(map[string]interface{}) {
+			m.Push(ROLE, kit.Value(value, kit.MDB_NAME))
+			m.Push(kit.MDB_ZONE, Black)
+			m.Push(kit.MDB_KEY, k)
+		}
+	})
+}
+func _role_right(m *ice.Message, userrole string, keys ...string) (ok bool) {
+	if userrole == ROOT {
+		// 超级用户
+		return true
+	}
+
+	m.Richs(ROLE, nil, kit.Select(VOID, userrole), func(key string, value map[string]interface{}) {
+		ok = true
+		list := value[Black].(map[string]interface{})
+		for i := 0; i < len(keys); i++ {
+			if v, o := list[kit.Join(keys[:i+1], ".")]; o && v == true {
+				ok = false
+			}
+		}
+
+		if m.Warn(!ok, "%s black right %s", userrole, keys) {
+			return
+		}
+		if userrole == TECH {
+			// 管理用户
+			return
+		}
+
+		ok = false
+		list = value[White].(map[string]interface{})
+		for i := 0; i < len(keys); i++ {
+			if v, o := list[kit.Join(keys[:i+1], ".")]; o && v == true {
+				ok = true
+			}
+		}
+		if m.Warn(!ok, "%s no right %s", userrole, keys) {
+			return
+		}
+		// 普通用户
+	})
+	return ok
+}
+func _role_black(m *ice.Message, userrole, chain string, status bool) {
+	m.Richs(ROLE, nil, userrole, func(key string, value map[string]interface{}) {
+		m.Log_MODIFY(ROLE, userrole, Black, chain)
+		list := value[Black].(map[string]interface{})
+		list[chain] = status
+	})
+}
+func _role_white(m *ice.Message, userrole, chain string, status bool) {
+	m.Richs(ROLE, nil, userrole, func(key string, value map[string]interface{}) {
+		m.Log_MODIFY(ROLE, userrole, White, chain)
+		list := value[White].(map[string]interface{})
+		list[chain] = status
+	})
+}
+
+func RoleRight(m *ice.Message, userrole string, keys ...string) bool {
+	return _role_right(m, userrole, kit.Split(kit.Keys(keys), ".")...)
+}
+func init() {
+	Index.Merge(&ice.Context{
+		Configs: map[string]*ice.Config{
+			ROLE: {Name: "role", Help: "角色", Value: kit.Data(kit.MDB_SHORT, kit.MDB_NAME)},
+		},
+		Commands: map[string]*ice.Command{
+			ROLE: {Name: "role [role]", Help: "角色", Action: map[string]*ice.Action{
+				White: {Name: "white role chain...", Help: "白名单", Hand: func(m *ice.Message, arg ...string) {
+					_role_white(m, arg[0], kit.Keys(arg[1:]), true)
+				}},
+				Black: {Name: "black role chain...", Help: "黑名单", Hand: func(m *ice.Message, arg ...string) {
+					_role_black(m, arg[0], kit.Keys(arg[1:]), true)
+				}},
+				Right: {Name: "right role chain...", Help: "查看权限", Hand: func(m *ice.Message, arg ...string) {
+					if _role_right(m, arg[0], kit.Split(kit.Keys(arg[1:]), ".")...) {
+						m.Echo(OK)
+					}
+				}},
+			}, Hand: func(m *ice.Message, c *ice.Context, cmd string, arg ...string) {
+				_role_list(m, kit.Select("", arg, 0))
+			}},
+		},
+	}, nil)
+}
diff --git a/base/aaa/sess.go b/base/aaa/sess.go
new file mode 100644
index 00000000..c9a9cd7c
--- /dev/null
+++ b/base/aaa/sess.go
@@ -0,0 +1,73 @@
+package aaa
+
+import (
+	"github.com/shylinux/icebergs"
+	"github.com/shylinux/toolkits"
+)
+
+func _sess_list(m *ice.Message) {
+	m.Richs(SESS, nil, kit.MDB_FOREACH, func(key string, value map[string]interface{}) {
+		m.Push(key, value, []string{kit.MDB_TIME, kit.MDB_KEY, USERNAME, USERROLE})
+	})
+}
+func _sess_auth(m *ice.Message, sessid string, username string, userrole string) {
+	m.Richs(SESS, nil, sessid, func(value map[string]interface{}) {
+		if m.Option(ice.MSG_USERROLE) == ROOT {
+			value[USERROLE] = userrole
+		} else if m.Option(ice.MSG_USERROLE) == TECH && userrole != ROOT {
+			value[USERROLE] = userrole
+		} else {
+			return
+		}
+		value["username"] = username
+		m.Log_AUTH(SESSID, sessid, USERNAME, username, USERROLE, userrole)
+		m.Echo("%v", value[USERROLE])
+	})
+}
+func _sess_check(m *ice.Message, sessid string) {
+	m.Richs(SESS, nil, sessid, func(value map[string]interface{}) {
+		m.Push(sessid, value, []string{USERNAME, USERROLE})
+		m.Echo("%s", value[USERROLE])
+	})
+}
+func _sess_create(m *ice.Message, username string) string {
+	h := m.Rich(SESS, nil, kit.Dict(
+		USERNAME, username, "from", m.Option(ice.MSG_SESSID),
+	))
+	m.Log_CREATE(SESSID, h, USERNAME, username)
+	m.Echo(h)
+	return h
+}
+
+func SessCheck(m *ice.Message, sessid string) *ice.Message {
+	_sess_check(m, sessid)
+	return m
+}
+func SessCreate(m *ice.Message, username, userrole string) string {
+	_sess_auth(m, _sess_create(m, username), username, userrole)
+	return m.Result()
+}
+func init() {
+	Index.Merge(&ice.Context{
+		Configs: map[string]*ice.Config{
+			SESS: {Name: "sess", Help: "会话", Value: kit.Data(
+				kit.MDB_SHORT, "uniq", "expire", "720h",
+			)},
+		},
+		Commands: map[string]*ice.Command{
+			SESS: {Name: "sess check|login", Help: "会话", Action: map[string]*ice.Action{
+				kit.MDB_CREATE: {Name: "create [username]", Help: "创建", Hand: func(m *ice.Message, arg ...string) {
+					_sess_create(m, arg[0])
+				}},
+				"check": {Name: "check sessid", Help: "校验", Hand: func(m *ice.Message, arg ...string) {
+					_sess_check(m, arg[0])
+				}},
+				"auth": {Name: "auth sessid username [userrole]", Help: "授权", Hand: func(m *ice.Message, arg ...string) {
+					_sess_auth(m, arg[0], arg[1], kit.Select("", arg, 2))
+				}},
+			}, Hand: func(m *ice.Message, c *ice.Context, cmd string, arg ...string) {
+				_sess_list(m)
+			}},
+		},
+	}, nil)
+}
diff --git a/base/aaa/user.go b/base/aaa/user.go
new file mode 100644
index 00000000..679c1b87
--- /dev/null
+++ b/base/aaa/user.go
@@ -0,0 +1,109 @@
+package aaa
+
+import (
+	"github.com/shylinux/icebergs"
+	"github.com/shylinux/icebergs/base/cli"
+	"github.com/shylinux/toolkits"
+)
+
+func _user_list(m *ice.Message) {
+	m.Richs(USER, nil, kit.MDB_FOREACH, func(key string, value map[string]interface{}) {
+		m.Push(key, value, []string{kit.MDB_TIME, USERNAME, USERNODE})
+	})
+}
+func _user_login(m *ice.Message, name, word string) (ok bool) {
+	m.Richs(USER, nil, name, func(key string, value map[string]interface{}) {
+		if value[PASSWORD] == "" {
+			ok, value[PASSWORD] = true, word
+		} else if value[PASSWORD] == word {
+			ok = true
+		}
+	})
+	return ok
+}
+func _user_create(m *ice.Message, name, word string) {
+	// 创建用户
+	m.Rich(USER, nil, kit.Dict(
+		USERNAME, name, PASSWORD, word,
+		USERNICK, name, USERNODE, m.Conf(ice.CLI_RUNTIME, "boot.hostname"),
+	))
+	m.Log_CREATE(USERNAME, name)
+	m.Event(ice.USER_CREATE, name)
+}
+
+func UserRole(m *ice.Message, username string) string {
+	if username == cli.UserName {
+		return ROOT
+	}
+	return VOID
+}
+func UserLogin(m *ice.Message, username, password string) bool {
+	if _user_login(m, username, password) {
+		m.Option(ice.MSG_USERNAME, username)
+		m.Option(ice.MSG_USERROLE, UserRole(m, username))
+		m.Option(ice.MSG_SESSID, SessCreate(m, m.Option(ice.MSG_USERNAME), m.Option(ice.MSG_USERROLE)))
+
+		m.Log_AUTH(
+			USERROLE, m.Option(ice.MSG_USERROLE),
+			USERNAME, m.Option(ice.MSG_USERNAME),
+			SESSID, m.Option(ice.MSG_SESSID),
+		)
+		return true
+	}
+	return false
+}
+func init() {
+	Index.Merge(&ice.Context{
+		Configs: map[string]*ice.Config{
+			USER: {Name: "user", Help: "用户", Value: kit.Data(kit.MDB_SHORT, USERNAME)},
+		},
+		Commands: map[string]*ice.Command{
+			USER: {Name: "user first|login", Help: "用户", Action: map[string]*ice.Action{
+				kit.MDB_CREATE: {Name: "create username [password]", Help: "创建", Hand: func(m *ice.Message, arg ...string) {
+					_user_create(m, arg[0], kit.Select("", arg, 1))
+				}},
+				"login": {Name: "login username password", Help: "login", Hand: func(m *ice.Message, arg ...string) {
+					_user_login(m, arg[0], arg[1])
+				}},
+			}, Hand: func(m *ice.Message, c *ice.Context, cmd string, arg ...string) {
+				if len(arg) == 0 {
+					_user_list(m)
+					return
+				}
+
+				switch arg[0] {
+				case "first":
+					// 超级用户
+					if m.Richs(ice.AAA_USER, nil, "%", nil) == nil {
+					}
+
+				case "login":
+					// 用户认证
+					user := m.Richs(USER, nil, arg[1], nil)
+					if word := kit.Select("", arg, 2); user == nil {
+						nick := arg[1]
+						if len(nick) > 8 {
+							nick = nick[:8]
+						}
+						_user_create(m, arg[1], word)
+
+					} else if word != "" {
+						if !_user_login(m, arg[1], word) {
+							m.Info("login fail user: %s", arg[1])
+							break
+						}
+					}
+
+					if m.Options(ice.MSG_SESSID) && m.Cmdx(ice.AAA_SESS, "check", m.Option(ice.MSG_SESSID)) == arg[1] {
+						// 复用会话
+						m.Echo(m.Option(ice.MSG_SESSID))
+						break
+					}
+
+					// 创建会话
+					m.Echo(m.Cmdx(ice.AAA_SESS, "create", arg[1]))
+				}
+			}},
+		},
+	}, nil)
+}