Merge pull request pig-mesh#13 from Hccake/dev

移植 ballcat 的数据权限到 pig

pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfig.java

@@ -16,6 +16,7 @@
 
 package com.pig4cloud.pig.auth.config;
 
+import com.pig4cloud.pig.auth.converter.CustomAccessTokenConverter;
 import com.pig4cloud.pig.common.core.constant.CacheConstants;
 import com.pig4cloud.pig.common.core.constant.SecurityConstants;
 import com.pig4cloud.pig.common.security.component.PigWebResponseExceptionTranslator;
@@ -63,10 +64,7 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap
 	@Override
 	@SneakyThrows
 	public void configure(ClientDetailsServiceConfigurer clients) {
-		PigClientDetailsService clientDetailsService = new PigClientDetailsService(dataSource);
-		clientDetailsService.setSelectClientDetailsSql(SecurityConstants.DEFAULT_SELECT_STATEMENT);
-		clientDetailsService.setFindClientDetailsSql(SecurityConstants.DEFAULT_FIND_STATEMENT);
-		clients.withClientDetails(clientDetailsService);
+		clients.withClientDetails(pigClientDetailsService());
 	}
 
 	@Override
@@ -80,7 +78,8 @@ public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
 				.tokenEnhancer(tokenEnhancer()).userDetailsService(userDetailsService)
 				.authenticationManager(authenticationManager).reuseRefreshTokens(false)
 				.pathMapping("/oauth/confirm_access", "/token/confirm_access")
-				.exceptionTranslator(new PigWebResponseExceptionTranslator());
+				.exceptionTranslator(new PigWebResponseExceptionTranslator())
+				.accessTokenConverter(new CustomAccessTokenConverter(pigClientDetailsService()));
 	}
 
 	@Bean
@@ -104,4 +103,12 @@ public TokenEnhancer tokenEnhancer() {
 		};
 	}
 
+	@Bean
+	public PigClientDetailsService pigClientDetailsService() {
+		PigClientDetailsService clientDetailsService = new PigClientDetailsService(dataSource);
+		clientDetailsService.setSelectClientDetailsSql(SecurityConstants.DEFAULT_SELECT_STATEMENT);
+		clientDetailsService.setFindClientDetailsSql(SecurityConstants.DEFAULT_FIND_STATEMENT);
+		return clientDetailsService;
+	}
+
 }

pig-auth/src/main/java/com/pig4cloud/pig/auth/converter/CustomAccessTokenConverter.java

@@ -0,0 +1,37 @@
+package com.pig4cloud.pig.auth.converter;
+
+import com.pig4cloud.pig.common.core.constant.SecurityConstants;
+import com.pig4cloud.pig.common.security.service.PigClientDetailsService;
+import com.pig4cloud.pig.common.security.service.PigUser;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
+
+import java.util.Map;
+
+/**
+ * @author hccake
+ */
+@RequiredArgsConstructor
+public class CustomAccessTokenConverter extends DefaultAccessTokenConverter {
+
+	final PigClientDetailsService pigClientDetailsService;
+
+	@Override
+	@SuppressWarnings("unchecked")
+	public Map<String, ?> convertAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
+		Map<String, Object> response = (Map<String, Object>) super.convertAccessToken(token, authentication);
+
+		ClientDetails clientDetails = pigClientDetailsService
+				.loadClientByClientId(authentication.getOAuth2Request().getClientId());
+		if (clientDetails != null && clientDetails.getScope().contains("read_data_scope")) {
+			PigUser principal = (PigUser) authentication.getPrincipal();
+			response.put(SecurityConstants.DETAILS_USER_DATA_SCOPE, principal.getUserDataScope());
+		}
+
+		return response;
+	}
+
+}

pig-common/pig-common-bom/pom.xml

@@ -25,6 +25,9 @@
 		<fastjson.version>1.2.75</fastjson.version>
 		<swagger.core.version>1.5.24</swagger.core.version>
 		<mybatis-plus.version>3.4.3.3</mybatis-plus.version>
+		<mybatis.version>3.5.7</mybatis.version>
+		<jsqlparser.version>4.1</jsqlparser.version>
+		<rocksdbjni.version>5.18.3</rocksdbjni.version>
 		<nacos.version>2.0.3</nacos.version>
 		<excel.version>1.0.0</excel.version>
 		<oss.version>1.0.1</oss.version>
@@ -38,6 +41,11 @@
 				<artifactId>pig-common-core</artifactId>
 				<version>${pig.common.version}</version>
 			</dependency>
+			<dependency>
+				<groupId>com.pig4cloud</groupId>
+				<artifactId>pig-common-datascope</artifactId>
+				<version>${pig.common.version}</version>
+			</dependency>
 			<dependency>
 				<groupId>com.pig4cloud</groupId>
 				<artifactId>pig-common-datasource</artifactId>
@@ -123,12 +131,22 @@
 				<artifactId>oss-spring-boot-starter</artifactId>
 				<version>${oss.version}</version>
 			</dependency>
-			<!--mybatis-plus-->
+			<!--orm 相关-->
 			<dependency>
 				<groupId>com.baomidou</groupId>
 				<artifactId>mybatis-plus-boot-starter</artifactId>
 				<version>${mybatis-plus.version}</version>
 			</dependency>
+			<dependency>
+				<groupId>org.mybatis</groupId>
+				<artifactId>mybatis</artifactId>
+				<version>${mybatis.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>com.github.jsqlparser</groupId>
+				<artifactId>jsqlparser</artifactId>
+				<version>${jsqlparser.version}</version>
+			</dependency>
 			<!--web 模块-->
 			<dependency>
 				<groupId>org.springframework.boot</groupId>

pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/SecurityConstants.java

@@ -109,6 +109,11 @@ public interface SecurityConstants {
 	 */
 	String DETAILS_LICENSE = "license";
 
+	/**
+	 * 用户数据权限信息
+	 */
+	String DETAILS_USER_DATA_SCOPE = "user_data_scope";
+
 	/**
 	 * 验证码有效期,默认 60秒
 	 */

pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/enums/DataScopeTypeEnum.java

@@ -0,0 +1,49 @@
+package com.pig4cloud.pig.common.core.constant.enums;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+/**
+ * 数据权限范围类型
+ * @author hccake
+ */
+@Getter
+@AllArgsConstructor
+public enum DataScopeTypeEnum {
+
+	/**
+	 * 查询全部数据
+	 */
+	ALL(0),
+
+	/**
+	 * 本人
+	 */
+	SELF(1),
+
+	/**
+	 * 本人及子级
+	 */
+	SELF_CHILD_LEVEL(2),
+
+	/**
+	 * 本级
+	 */
+	LEVEL(3),
+
+	/**
+	 * 本级及子级
+	 */
+	LEVEL_CHILD_LEVEL(4),
+
+	/**
+	 * 自定义
+	 */
+	CUSTOM(5);
+
+	/**
+	 * 类型
+	 */
+	private final Integer type;
+
+}

pig-common/pig-common-datascope/pom.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<parent>
+		<artifactId>pig-common</artifactId>
+		<groupId>com.pig4cloud</groupId>
+		<version>3.3.4</version>
+	</parent>
+	<modelVersion>4.0.0</modelVersion>
+
+	<artifactId>pig-common-datascope</artifactId>
+
+	<dependencies>
+		<!-- slf4j日志 -->
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.github.jsqlparser</groupId>
+			<artifactId>jsqlparser</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.mybatis</groupId>
+			<artifactId>mybatis</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-context</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-autoconfigure</artifactId>
+		</dependency>
+	</dependencies>
+
+</project>

pig-common/pig-common-datascope/src/main/java/com/pigcloud/pig/common/datascope/DataScope.java

@@ -0,0 +1,36 @@
+package com.pigcloud.pig.common.datascope;
+
+import net.sf.jsqlparser.expression.Alias;
+import net.sf.jsqlparser.expression.Expression;
+
+import java.util.Collection;
+
+/**
+ * @author Hccake 2020/9/28
+ * @version 1.0
+ */
+public interface DataScope {
+
+	/**
+	 * 数据所对应的资源
+	 * @return 资源标识
+	 */
+	String getResource();
+
+	/**
+	 * 该资源相关的所有表，推荐使用 Set 类型。 <br/>
+	 * 如需忽略表名大小写判断，则可以使用 TreeSet，并设置忽略大小写的自定义Comparator。 <br/>
+	 * eg. new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+	 * @return tableNames
+	 */
+	Collection<String> getTableNames();
+
+	/**
+	 * 根据表名和表别名，动态生成的 where/or 筛选条件
+	 * @param tableName 表名
+	 * @param tableAlias 表别名，可能为空
+	 * @return 数据规则表达式
+	 */
+	Expression getExpression(String tableName, Alias tableAlias);
+
+}

pig-common/pig-common-datascope/src/main/java/com/pigcloud/pig/common/datascope/DataScopeAutoConfiguration.java

@@ -0,0 +1,54 @@
+package com.pigcloud.pig.common.datascope;
+
+import com.pigcloud.pig.common.datascope.handler.DataPermissionHandler;
+import com.pigcloud.pig.common.datascope.handler.DefaultDataPermissionHandler;
+import com.pigcloud.pig.common.datascope.interceptor.DataPermissionAnnotationAdvisor;
+import com.pigcloud.pig.common.datascope.interceptor.DataPermissionInterceptor;
+import com.pigcloud.pig.common.datascope.processor.DataScopeSqlProcessor;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.context.annotation.Bean;
+
+import java.util.List;
+
+/**
+ * @author hccake
+ */
+@RequiredArgsConstructor
+@ConditionalOnBean(DataScope.class)
+public class DataScopeAutoConfiguration {
+
+	/**
+	 * 数据权限处理器
+	 * @param dataScopeList 需要控制的数据范围集合
+	 * @return DataPermissionHandler
+	 */
+	@Bean
+	@ConditionalOnMissingBean
+	public DataPermissionHandler dataPermissionHandler(List<DataScope> dataScopeList) {
+		return new DefaultDataPermissionHandler(dataScopeList);
+	}
+
+	/**
+	 * 数据权限注解 Advisor，用于处理数据权限的链式调用关系
+	 * @return DataPermissionAnnotationAdvisor
+	 */
+	@Bean
+	@ConditionalOnMissingBean(DataPermissionAnnotationAdvisor.class)
+	public DataPermissionAnnotationAdvisor dataPermissionAnnotationAdvisor() {
+		return new DataPermissionAnnotationAdvisor();
+	}
+
+	/**
+	 * mybatis 拦截器，用于拦截处理 sql
+	 * @param dataPermissionHandler 数据权限处理器
+	 * @return DataPermissionInterceptor
+	 */
+	@Bean
+	@ConditionalOnMissingBean
+	public DataPermissionInterceptor dataPermissionInterceptor(DataPermissionHandler dataPermissionHandler) {
+		return new DataPermissionInterceptor(new DataScopeSqlProcessor(), dataPermissionHandler);
+	}
+
+}

pig-common/pig-common-datascope/src/main/java/com/pigcloud/pig/common/datascope/annotation/DataPermission.java

@@ -0,0 +1,35 @@
+package com.pigcloud.pig.common.datascope.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 数据权限注解，注解在 Mapper类 或者 对应方法上 用于提供该 mapper 对应表，所需控制的实体信息
+ * @author Hccake 2020/9/27
+ * @version 1.0
+ */
+@Target({ ElementType.TYPE, ElementType.METHOD })
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface DataPermission {
+
+	/**
+	 * 当前类或方法是否忽略数据权限
+	 * @return boolean 默认返回 false
+	 */
+	boolean ignore() default false;
+
+	/**
+	 * 仅对指定资源类型进行数据权限控制，只在开启情况下有效，当该数组有值时，exclude不生效
+	 * @see DataPermission#excludeResources
+	 * @return 资源类型数组
+	 */
+	String[] includeResources() default {};
+
+	/**
+	 * 对指定资源类型跳过数据权限控制，只在开启情况下有效，当该includeResources有值时，exclude不生效
+	 * @see DataPermission#includeResources
+	 * @return 资源类型数组
+	 */
+	String[] excludeResources() default {};
+
+}

pig-common/pig-common-datascope/src/main/java/com/pigcloud/pig/common/datascope/handler/DataPermissionHandler.java

@@ -0,0 +1,35 @@
+package com.pigcloud.pig.common.datascope.handler;
+
+import com.pigcloud.pig.common.datascope.DataScope;
+
+import java.util.List;
+
+/**
+ * 数据权限处理器
+ *
+ * @author Hccake 2020/9/28
+ * @version 1.0
+ */
+public interface DataPermissionHandler {
+
+	/**
+	 * 系统配置的所有的数据范围
+	 * @return 数据范围集合
+	 */
+	List<DataScope> dataScopes();
+
+	/**
+	 * 根据权限注解过滤后的数据范围集合
+	 * @param mappedStatementId Mapper方法ID
+	 * @return 数据范围集合
+	 */
+	List<DataScope> filterDataScopes(String mappedStatementId);
+
+	/**
+	 * 是否忽略权限控制，用于及早的忽略控制，例如管理员直接放行，而不必等到DataScope中再进行过滤处理，提升效率
+	 * @return boolean true: 忽略，false: 进行权限控制
+	 * @param mappedStatementId Mapper方法ID
+	 */
+	boolean ignorePermissionControl(String mappedStatementId);
+
+}