fix(auth): check handle

2026-02-11 10:55:26 +08:00
parent e29926a62b
commit ba6e39d60a
9 changed files with 239 additions and 24 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -90,6 +90,7 @@ name = "auth-kit"
 version = "0.1.0"
 dependencies = [
 "axum",
 "axum-extra",
 "base64",
 "common-telemetry",
 "dashmap",
@@ -183,6 +184,28 @@ dependencies = [
 "tracing",
 ]
 [[package]]
 name = "axum-extra"
 version = "0.12.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fef252edff26ddba56bbcdf2ee3307b8129acb86f5749b68990c168a6fcc9c76"
 dependencies = [
 "axum",
 "axum-core",
 "bytes",
 "cookie",
 "futures-core",
 "futures-util",
 "http",
 "http-body",
 "http-body-util",
 "mime",
 "pin-project-lite",
 "tower-layer",
 "tower-service",
 "tracing",
 ]
 [[package]]
 name = "backon"
 version = "1.6.0"
@@ -390,6 +413,17 @@ dependencies = [
 "unicode-segmentation",
 ]
 [[package]]
 name = "cookie"
 version = "0.18.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
 dependencies = [
 "percent-encoding",
 "time",
 "version_check",
 ]
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
--- a/docs/TEMP.md
+++ b/docs/TEMP.md
@@ -37,8 +37,8 @@
  "code": 0,
  "message": "Success",
  "data": {
-    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImxvY2FsLWRldiJ9.eyJzdWIiOiI3YTgzYmJjMC0yZjA1LTQwMDItOGFmZC0yYWI1M2RkZDMxNWIiLCJ0ZW5hbnRfaWQiOiI0ZDc3OTQxNC1kYTA0LTQ5YzMtYjM0Mi1kYWJmOTNiNmExMTkiLCJleHAiOjE3NzAwOTc2NzYsImlhdCI6MTc3MDA5Njc3NiwiaXNzIjoiaWFtLXNlcnZpY2UiLCJyb2xlcyI6WyJBZG1pbiIsIm1hbmFnZXIiXSwicGVybWlzc2lvbnMiOlsiY21zOmFydGljbGU6Y3JlYXRlIiwiY21zOmFydGljbGU6ZWRpdCIsImNtczphcnRpY2xlOnB1Ymxpc2giLCJjbXM6Y2F0ZWdvcnk6bWFuYWdlIiwiY21zOm1lZGlhOm1hbmFnZSIsImNtczpzZXR0aW5nczptYW5hZ2UiLCJpYW06Y2xpZW50OnJlYWQiLCJpYW06Y2xpZW50OndyaXRlIiwicm9sZTpyZWFkIiwicm9sZTp3cml0ZSIsInRlbmFudDpyZWFkIiwidGVuYW50OndyaXRlIiwidXNlcjpwYXNzd29yZDpyZXNldDphbnkiLCJ1c2VyOnJlYWQiLCJ1c2VyOndyaXRlIl0sImFwcHMiOlsiY21zIl0sImFwcHNfdmVyc2lvbiI6MX0.Tt7fEQj8wtS5XzJ-GuwRF5yiOrtGaRr9P_V5RqNZagLXj0eRikf9U4oNkFS2uy8Pp75Ks4jL816DzeLXQsXZJfWEtvlTp0QmwyOhYIN1p-yyGS9Pitl0gb7wobjStGDyMSD-ctbHgEsU41qLrQd6ZQkpFl2IpaCSfCN0JZCpc7_3BeI6YLwAw_K4-TFF_1OTNRPm4sT3RnEZYOHXm6EcOUk-MsDBy1itADCdEEUdCSoslK6FGHIpbhkgA56Z7Qy5909BxXW34I21c2rZX-R_iB9q_eKzWd0GqBMIZi33ITbRy4F7_CtCQSwFNUt6-lvVvzXYLHsVQchcpOdYtj3h6w",
+    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImRlZmF1bHQifQ.eyJzdWIiOiI3YTgzYmJjMC0yZjA1LTQwMDItOGFmZC0yYWI1M2RkZDMxNWIiLCJ0ZW5hbnRfaWQiOiI0ZDc3OTQxNC1kYTA0LTQ5YzMtYjM0Mi1kYWJmOTNiNmExMTkiLCJleHAiOjE3NzA3NzU0NDYsImlhdCI6MTc3MDc3NDU0NiwiaXNzIjoiaWFtLXNlcnZpY2UiLCJyb2xlcyI6WyJBZG1pbiIsIm1hbmFnZXIiXSwicGVybWlzc2lvbnMiOlsiY21zOmFydGljbGU6Y3JlYXRlIiwiY21zOmFydGljbGU6ZWRpdCIsImNtczphcnRpY2xlOnB1Ymxpc2giLCJjbXM6Y2F0ZWdvcnk6bWFuYWdlIiwiY21zOm1lZGlhOm1hbmFnZSIsImNtczpzZXR0aW5nczptYW5hZ2UiLCJpYW06Y2xpZW50OnJlYWQiLCJpYW06Y2xpZW50OndyaXRlIiwicm9sZTpyZWFkIiwicm9sZTp3cml0ZSIsInRlbmFudDpyZWFkIiwidGVuYW50OndyaXRlIiwidXNlcjpwYXNzd29yZDpyZXNldDphbnkiLCJ1c2VyOnJlYWQiLCJ1c2VyOndyaXRlIl0sImFwcHMiOlsiY21zIl0sImFwcHNfdmVyc2lvbiI6MX0.yPCz0CgX4qc1AqFM_yi-IIthVRBzYykFAIdJQmB0O6EEWSMutG3WtW2L9lvvBEajmJuje-PIxj-UwpS6tInzUR0H7BKdqOwmao9CKJkaOjp6aSfOZUxQ90kaR1PnJtjmkI8r6rorvWtTyoLIMzwbHisXjMoYxZ5-JTrOmXdYs_MT50cn-tzb7eV_eM7g77J82-vxTVQq0olKA7rLpOFw2B4hHOoNjniL8Tas8zupHakVZzW7G1Q25tveqJtck9rDfEm2KpswKC_Kh4-kk1E5M1rESbpzM0h9VENTd2EPgxvOcIjPtczkMp89qlrovQqZteCCyDDSWnfGPWGsVrm7tQ",
-    "refresh_token": "7483624e8942aee112e62b2b58ec902fb01731dd7b098b4af6001e350b2303f0",
+    "refresh_token": "56923a401cf9bbf08f988dfff05b28aabbff0814a02f7760b5fbf34f56df8ed8",
    "token_type": "Bearer",
    "expires_in": 900
  }
@@ -46,7 +46,7 @@
 ```
 `user1@example.com`
-`user1secret`
+`user5secret`
 ```json
 {
--- a/src/application/services/authorization.rs
+++ b/src/application/services/authorization.rs
@@ -4,6 +4,8 @@ use sqlx::PgPool;
 use tracing::instrument;
 use uuid::Uuid;
 use crate::models::{PermissionExpr, PermissionExprItem};
 #[derive(Clone)]
 pub struct AuthorizationService {
    pool: PgPool,
@@ -88,6 +90,17 @@ impl AuthorizationService {
        }
    }
    pub async fn check_permission_expr(
        &self,
        tenant_id: Uuid,
        user_id: Uuid,
        expr: &PermissionExpr,
    ) -> Result<bool, AppError> {
        validate_expr_depth(expr, 32)?;
        let permissions = self.list_permissions_for_user(tenant_id, user_id).await?;
        Ok(evaluate_expr(&permissions, expr))
    }
    #[instrument(skip(self))]
    pub async fn list_platform_permissions_for_user(
        &self,
@@ -122,3 +135,45 @@ impl AuthorizationService {
        }
    }
 }
 fn validate_expr_depth(expr: &PermissionExpr, max_depth: usize) -> Result<(), AppError> {
    fn walk(expr: &PermissionExpr, depth: usize, max_depth: usize) -> Result<(), AppError> {
        if depth > max_depth {
            return Err(AppError::BadRequest("permission expr too deep".into()));
        }
        let items: &[PermissionExprItem] = match expr {
            PermissionExpr::Any(x) => &x.any,
            PermissionExpr::All(x) => &x.all,
        };
        for item in items {
            if let PermissionExprItem::Expr(e) = item {
                walk(e, depth + 1, max_depth)?;
            }
        }
        Ok(())
    }
    walk(expr, 1, max_depth)
 }
 fn evaluate_expr(user_permissions: &[String], expr: &PermissionExpr) -> bool {
    let items: &[PermissionExprItem] = match expr {
        PermissionExpr::Any(x) => &x.any,
        PermissionExpr::All(x) => &x.all,
    };
    match expr {
        PermissionExpr::Any(_) => items.iter().any(|item| match item {
            PermissionExprItem::Permission(required) => user_permissions
                .iter()
                .any(|granted| matches_permission(granted.as_str(), required.as_str())),
            PermissionExprItem::Expr(e) => evaluate_expr(user_permissions, e),
        }),
        PermissionExpr::All(_) => items.iter().all(|item| match item {
            PermissionExprItem::Permission(required) => user_permissions
                .iter()
                .any(|granted| matches_permission(granted.as_str(), required.as_str())),
            PermissionExprItem::Expr(e) => evaluate_expr(user_permissions, e),
        }),
    }
 }
--- a/src/application/services/client.rs
+++ b/src/application/services/client.rs
@@ -252,6 +252,13 @@ impl ClientService {
        let requested_path = requested.path().to_string();
        let requested_scheme = requested.scheme().to_string();
        if arr.is_empty()
            && cfg!(debug_assertions)
            && (requested_host == "localhost" || requested_host == "127.0.0.1")
        {
            return Ok(normalized);
        }
        let allowed = arr.iter().filter_map(|x| x.as_str()).any(|raw_allowed| {
            let allowed_norm = match self.normalize_redirect_uri(raw_allowed) {
                Ok(v) => v,
@@ -265,7 +272,14 @@ impl ClientService {
            let host = allowed_url.host_str().unwrap_or_default();
            let port = allowed_url.port_or_known_default().unwrap_or(0);
-            if allowed_url.scheme() != requested_scheme
+            let scheme_ok = allowed_url.scheme() == requested_scheme
                || (cfg!(debug_assertions)
                    && (requested_host == "localhost" || requested_host == "127.0.0.1")
                    && host == requested_host
                    && ((allowed_url.scheme() == "https" && requested_scheme == "http")
                        || (allowed_url.scheme() == "http" && requested_scheme == "https")));
            if !scheme_ok
                || host != requested_host
                || port != requested_port
                || allowed_url.path() != requested_path
@@ -376,4 +390,3 @@ impl ClientService {
            .collect())
    }
 }
--- a/src/models.rs
+++ b/src/models.rs
@@ -361,7 +361,6 @@ pub struct RefreshTokenRequest {
 }
 #[derive(Debug, Deserialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginCodeRequest {
    #[schema(default = "", example = "user@example.com")]
    #[serde(default)]
@@ -371,17 +370,18 @@ pub struct LoginCodeRequest {
    pub password: String,
    #[schema(default = "", example = "cms")]
    #[serde(default)]
    #[serde(alias = "clientId")]
    pub client_id: String,
    #[schema(
        default = "",
        example = "https://cms-api.example.com/auth/callback?next=https%3A%2F%2Fcms.example.com%2F"
    )]
    #[serde(default)]
    #[serde(alias = "redirectUri")]
    pub redirect_uri: String,
 }
 #[derive(Debug, Serialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginCodeResponse {
    #[schema(
        default = "",
@@ -395,21 +395,21 @@ pub struct LoginCodeResponse {
 }
 #[derive(Debug, Deserialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct Code2TokenRequest {
    #[schema(default = "", example = "one_time_code_jwt")]
    #[serde(default)]
    pub code: String,
    #[schema(default = "", example = "cms")]
    #[serde(default)]
    #[serde(alias = "clientId")]
    pub client_id: String,
    #[schema(default = "", example = "client_secret")]
    #[serde(default)]
    #[serde(alias = "clientSecret")]
    pub client_secret: String,
 }
 #[derive(Debug, Serialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct Code2TokenResponse {
    #[schema(default = "", example = "access_token")]
    #[serde(default)]
@@ -432,20 +432,20 @@ pub struct Code2TokenResponse {
 }
 #[derive(Debug, Deserialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct CreateClientRequest {
    #[schema(default = "", example = "cms")]
    #[serde(default)]
    #[serde(alias = "clientId")]
    pub client_id: String,
    #[serde(default)]
    pub name: Option<String>,
    #[schema(example = "[\"https://cms.example.com/auth/callback\"]")]
    #[serde(default)]
    #[serde(alias = "redirectUris")]
    pub redirect_uris: Option<Vec<String>>,
 }
 #[derive(Debug, Serialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct CreateClientResponse {
    #[schema(default = "", example = "cms")]
    #[serde(default)]
@@ -456,7 +456,6 @@ pub struct CreateClientResponse {
 }
 #[derive(Debug, Serialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct RotateClientSecretResponse {
    #[schema(default = "", example = "cms")]
    #[serde(default)]
@@ -467,7 +466,6 @@ pub struct RotateClientSecretResponse {
 }
 #[derive(Debug, Serialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct ClientSummary {
    #[schema(default = "", example = "cms")]
    #[serde(default)]
@@ -476,6 +474,7 @@ pub struct ClientSummary {
    pub name: Option<String>,
    #[schema(example = "[\"https://cms.example.com/auth/callback\"]")]
    #[serde(default)]
    #[serde(alias = "redirectUris")]
    pub redirect_uris: Vec<String>,
    #[schema(default = "", example = "2026-02-02T12:00:00Z")]
    #[serde(default)]
@@ -486,10 +485,10 @@ pub struct ClientSummary {
 }
 #[derive(Debug, Deserialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct UpdateClientRedirectUrisRequest {
    #[schema(example = "[\"https://cms.example.com/auth/callback\"]")]
    #[serde(default)]
    #[serde(alias = "redirectUris")]
    pub redirect_uris: Vec<String>,
 }
@@ -552,3 +551,39 @@ pub struct AuthorizationCheckResponse {
    #[serde(default)]
    pub allowed: bool,
 }
 #[derive(Debug, Deserialize, Serialize, ToSchema, IntoParams)]
 pub struct AuthorizationExprCheckRequest {
    pub expr: PermissionExpr,
 }
 #[derive(Debug, Serialize, ToSchema, IntoParams)]
 pub struct AuthorizationExprCheckResponse {
    pub allowed: bool,
 }
 #[derive(Debug, Deserialize, Serialize, ToSchema)]
 #[serde(deny_unknown_fields)]
 pub struct AnyExpr {
    pub any: Vec<PermissionExprItem>,
 }
 #[derive(Debug, Deserialize, Serialize, ToSchema)]
 #[serde(deny_unknown_fields)]
 pub struct AllExpr {
    pub all: Vec<PermissionExprItem>,
 }
 #[derive(Debug, Deserialize, Serialize, ToSchema)]
 #[serde(untagged)]
 pub enum PermissionExpr {
    Any(AnyExpr),
    All(AllExpr),
 }
 #[derive(Debug, Deserialize, Serialize, ToSchema)]
 #[serde(untagged)]
 pub enum PermissionExprItem {
    Permission(String),
    Expr(Box<PermissionExpr>),
 }
--- a/src/presentation/http/api.rs
+++ b/src/presentation/http/api.rs
@@ -26,6 +26,7 @@ pub fn routes() -> Vec<(&'static str, &'static str)> {
        ("POST", "/internal/auth/code2token"),
        ("GET", "/me/permissions"),
        ("POST", "/authorize/check"),
        ("POST", "/authorize/check-expr"),
        ("GET", "/users"),
        ("GET", "/users/{id}"),
        ("PATCH", "/users/{id}"),
@@ -144,6 +145,10 @@ pub fn build_app(state: AppState) -> Router {
            "/authorize/check",
            post(authorization::authorization_check_handler),
        )
        .route(
            "/authorize/check-expr",
            post(authorization::authorization_check_expr_handler),
        )
        .route("/users", get(user::list_users_handler))
        .route(
            "/users/me/password/reset",
--- a/src/presentation/http/handlers/authorization.rs
+++ b/src/presentation/http/handlers/authorization.rs
@@ -1,6 +1,9 @@
 use crate::middleware::TenantId;
 use crate::middleware::auth::AuthContext;
-use crate::models::{AuthorizationCheckRequest, AuthorizationCheckResponse};
+use crate::models::{
    AuthorizationCheckRequest, AuthorizationCheckResponse, AuthorizationExprCheckRequest,
    AuthorizationExprCheckResponse,
 };
 use crate::presentation::http::state::AppState;
 use axum::{Json, extract::State};
 use common_telemetry::{AppError, AppResponse};
@@ -89,3 +92,45 @@ pub async fn authorization_check_handler(
    Ok(AppResponse::ok(AuthorizationCheckResponse { allowed }))
 }
 #[utoipa::path(
    post,
    path = "/authorize/check-expr",
    tag = "Policy",
    security(
        ("bearer_auth" = [])
    ),
    request_body = AuthorizationExprCheckRequest,
    responses(
        (status = 200, description = "鉴权校验结果", body = AuthorizationExprCheckResponse),
        (status = 400, description = "表达式不合法"),
        (status = 401, description = "未认证"),
        (status = 403, description = "租户不匹配")
    ),
    params(
        ("Authorization" = String, Header, description = "Bearer <access_token>（访问令牌）"),
        ("X-Tenant-ID" = String, Header, description = "租户 UUID（可选，若提供需与 Token 中 tenant_id 一致）")
    )
 )]
 #[instrument(skip(state, body))]
 pub async fn authorization_check_expr_handler(
    TenantId(tenant_id): TenantId,
    State(state): State<AppState>,
    AuthContext {
        tenant_id: auth_tenant_id,
        user_id,
        ..
    }: AuthContext,
    Json(body): Json<AuthorizationExprCheckRequest>,
 ) -> Result<AppResponse<AuthorizationExprCheckResponse>, AppError> {
    if auth_tenant_id != tenant_id {
        return Err(AppError::PermissionDenied("tenant:mismatch".into()));
    }
    let allowed = state
        .authorization_service
        .check_permission_expr(tenant_id, user_id, &body.expr)
        .await?;
    Ok(AppResponse::ok(AuthorizationExprCheckResponse { allowed }))
 }
--- a/tests/authorization_expr.rs
+++ b/tests/authorization_expr.rs
@@ -0,0 +1,27 @@
 use iam_service::models::{AuthorizationExprCheckRequest, PermissionExpr};
 #[test]
 fn deserialize_any_expr() {
    let json = r#"{ "expr": { "any": ["cms:article:edit", "cms:article:create"] } }"#;
    let parsed: AuthorizationExprCheckRequest = serde_json::from_str(json).unwrap();
    match parsed.expr {
        PermissionExpr::Any(x) => {
            assert_eq!(x.any.len(), 2);
        }
        _ => panic!("expected any"),
    }
 }
 #[test]
 fn deserialize_nested_expr() {
    let json =
        r#"{ "expr": { "all": ["cms:article:edit", { "any": ["cms:article:create", "cms:article:publish"] }] } }"#;
    let parsed: AuthorizationExprCheckRequest = serde_json::from_str(json).unwrap();
    match parsed.expr {
        PermissionExpr::All(x) => {
            assert_eq!(x.all.len(), 2);
        }
        _ => panic!("expected all"),
    }
 }
--- a/tests/code2token_modes.rs
+++ b/tests/code2token_modes.rs
@@ -1,14 +1,15 @@
 use axum::body::Body;
 use axum::http::{Request, StatusCode};
 use iam_service::presentation::http::api;
 use iam_service::presentation::http::state::AppState;
 use iam_service::infrastructure::repositories::tenant_config_repo::TenantConfigRepoPg;
 use iam_service::models::CreateTenantRequest;
 use iam_service::models::CreateUserRequest;
 use iam_service::application::services::{
    AppService, AuthService, AuthorizationService, ClientService, PermissionService, RoleService,
    TenantService, UserService,
 };
 use iam_service::constants::CANONICAL_BASE;
 use iam_service::infrastructure::repositories::tenant_config_repo::TenantConfigRepoPg;
 use iam_service::models::CreateTenantRequest;
 use iam_service::models::CreateUserRequest;
 use iam_service::presentation::http::api;
 use iam_service::presentation::http::state::AppState;
 use redis::aio::ConnectionManager;
 use sqlx::PgPool;
 use tower::ServiceExt;
@@ -106,7 +107,7 @@ async fn code2token_modes_requirements() -> Result<(), Box<dyn std::error::Error
        .oneshot(
            Request::builder()
                .method("POST")
-                .uri("/api/v1/auth/login-code")
+                .uri(format!("{}/auth/login-code", CANONICAL_BASE))
                .header("Content-Type", "application/json")
                .header("X-Tenant-ID", tenant.id.to_string())
                .body(Body::from(login_code_req.to_string()))?,
@@ -134,7 +135,7 @@ async fn code2token_modes_requirements() -> Result<(), Box<dyn std::error::Error
        .oneshot(
            Request::builder()
                .method("POST")
-                .uri("/api/v1/auth/code2token")
+                .uri(format!("{}/auth/code2token", CANONICAL_BASE))
                .header("Content-Type", "application/json")
                .header("X-Tenant-ID", tenant.id.to_string())
                .body(Body::from(code2token_req.to_string()))?,
@@ -152,7 +153,7 @@ async fn code2token_modes_requirements() -> Result<(), Box<dyn std::error::Error
        .oneshot(
            Request::builder()
                .method("POST")
-                .uri("/api/v1/auth/code2token")
+                .uri(format!("{}/auth/code2token", CANONICAL_BASE))
                .header("Content-Type", "application/json")
                .body(Body::from(code2token_req_missing_tenant.to_string()))?,
        )
@@ -168,7 +169,7 @@ async fn code2token_modes_requirements() -> Result<(), Box<dyn std::error::Error
        .oneshot(
            Request::builder()
                .method("POST")
-                .uri("/api/v1/internal/auth/code2token")
+                .uri(format!("{}/internal/auth/code2token", CANONICAL_BASE))
                .header("Content-Type", "application/json")
                .header("X-Internal-Token", internal_psk)
                .body(Body::from(code2token_req_internal.to_string()))?,