Update casbin rbac verify to plugin (#513)

* Update casbin rbac verify to plugin

* Update requirements

* move sys api to casbin plugin

* Update plugin toml and parse

* Fix plugin router inject

* Update api prefix to apis

Author: wu-clan

backend/app/admin/api/v1/sys/__init__.py

@@ -2,8 +2,6 @@
 # -*- coding: utf-8 -*-
 from fastapi import APIRouter
 
-from backend.app.admin.api.v1.sys.api import router as api_router
-from backend.app.admin.api.v1.sys.casbin import router as casbin_router
 from backend.app.admin.api.v1.sys.config import router as config_router
 from backend.app.admin.api.v1.sys.data_rule import router as data_rule_router
 from backend.app.admin.api.v1.sys.dept import router as dept_router
@@ -16,8 +14,6 @@
 
 router = APIRouter(prefix='/sys')
 
-router.include_router(api_router, prefix='/apis', tags=['系统API'])
-router.include_router(casbin_router, prefix='/casbin', tags=['系统Casbin权限'])
 router.include_router(config_router, prefix='/configs', tags=['系统配置'])
 router.include_router(dept_router, prefix='/depts', tags=['系统部门'])
 router.include_router(dict_data_router, prefix='/dict-datas', tags=['系统字典数据'])

backend/app/admin/model/__init__.py

@@ -1,7 +1,5 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-from backend.app.admin.model.api import Api
-from backend.app.admin.model.casbin_rule import CasbinRule
 from backend.app.admin.model.config import Config
 from backend.app.admin.model.data_rule import DataRule
 from backend.app.admin.model.dept import Dept

backend/common/security/permission.py

@@ -28,7 +28,7 @@ def __init__(self, value: str):
         self.value = value
 
     async def __call__(self, request: Request):
-        if settings.PERMISSION_MODE == 'role-menu':
+        if settings.RBAC_ROLE_MENU_MODE:
             if not isinstance(self.value, str):
                 raise ServerError
             # 附加权限标识

backend/common/security/rbac.py

@@ -1,119 +1,74 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-import casbin
-import casbin_async_sqlalchemy_adapter
-
 from fastapi import Depends, Request
 
-from backend.app.admin.model import CasbinRule
 from backend.common.enums import MethodType, StatusType
 from backend.common.exception.errors import AuthorizationError, TokenError
 from backend.common.security.jwt import DependsJwtAuth
 from backend.core.conf import settings
-from backend.database.db import async_engine
-
-
-class RBAC:
-    @staticmethod
-    async def enforcer() -> casbin.AsyncEnforcer:
-        """
-        获取 casbin 执行器
-
-        :return:
-        """
-        # 模型定义：https://casbin.org/zh/docs/category/model
-        _CASBIN_RBAC_MODEL_CONF_TEXT = """
-        [request_definition]
-        r = sub, obj, act
-
-        [policy_definition]
-        p = sub, obj, act
-
-        [role_definition]
-        g = _, _
-
-        [policy_effect]
-        e = some(where (p.eft == allow))
-
-        [matchers]
-        m = g(r.sub, p.sub) && (keyMatch(r.obj, p.obj) || keyMatch3(r.obj, p.obj)) && (r.act == p.act || p.act == "*")
-        """
-        adapter = casbin_async_sqlalchemy_adapter.Adapter(async_engine, db_class=CasbinRule)
-        model = casbin.AsyncEnforcer.new_model(text=_CASBIN_RBAC_MODEL_CONF_TEXT)
-        enforcer = casbin.AsyncEnforcer(model, adapter)
-        await enforcer.load_policy()
-        return enforcer
-
-    async def rbac_verify(self, request: Request, _token: str = DependsJwtAuth) -> None:
-        """
-        RBAC 权限校验（鉴权顺序很重要，谨慎修改）
-
-        :param request:
-        :param _token:
-        :return:
-        """
-        path = request.url.path
-
-        # API 鉴权白名单
-        if path in settings.TOKEN_REQUEST_PATH_EXCLUDE:
-            return
+from backend.plugin.casbin.utils.rbac import casbin_verify
+
+
+async def rbac_verify(request: Request, _token: str = DependsJwtAuth) -> None:
+    """
+    RBAC 权限校验（鉴权顺序很重要，谨慎修改）
+
+    :param request:
+    :param _token:
+    :return:
+    """
+    path = request.url.path
+
+    # API 鉴权白名单
+    if path in settings.TOKEN_REQUEST_PATH_EXCLUDE:
+        return
+
+    # JWT 授权状态强制校验
+    if not request.auth.scopes:
+        raise TokenError
+
+    # 超级管理员免校验
+    if request.user.is_superuser:
+        return
 
-        # JWT 授权状态强制校验
-        if not request.auth.scopes:
-            raise TokenError
+    # 检测用户角色
+    user_roles = request.user.roles
+    if not user_roles or all(status == 0 for status in user_roles):
+        raise AuthorizationError(msg='用户未分配角色，请联系系统管理员')
 
-        # 超级管理员免校验
-        if request.user.is_superuser:
+    # 检测用户所属角色菜单
+    if not any(len(role.menus) > 0 for role in user_roles):
+        raise AuthorizationError(msg='用户未分配菜单，请联系系统管理员')
+
+    # 检测后台管理操作权限
+    method = request.method
+    if method != MethodType.GET or method != MethodType.OPTIONS:
+        if not request.user.is_staff:
+            raise AuthorizationError(msg='用户已被禁止后台管理操作，请联系系统管理员')
+
+    # RBAC 鉴权
+    if settings.RBAC_ROLE_MENU_MODE:
+        path_auth_perm = getattr(request.state, 'permission', None)
+
+        # 没有菜单操作权限标识不校验
+        if not path_auth_perm:
             return
 
-        # 检测用户角色
-        user_roles = request.user.roles
-        if not user_roles or all(status == 0 for status in user_roles):
-            raise AuthorizationError(msg='用户未分配角色，请联系系统管理员')
-
-        # 检测用户所属角色菜单
-        if not any(len(role.menus) > 0 for role in user_roles):
-            raise AuthorizationError(msg='用户未分配菜单，请联系系统管理员')
-
-        # 检测后台管理操作权限
-        method = request.method
-        if method != MethodType.GET or method != MethodType.OPTIONS:
-            if not request.user.is_staff:
-                raise AuthorizationError(msg='用户已被禁止后台管理操作，请联系系统管理员')
-
-        # RBAC 鉴权
-        if settings.PERMISSION_MODE == 'role-menu':
-            path_auth_perm = getattr(request.state, 'permission', None)
-
-            # 没有菜单操作权限标识不校验
-            if not path_auth_perm:
-                return
-
-            # 菜单鉴权白名单
-            if path_auth_perm in settings.RBAC_ROLE_MENU_EXCLUDE:
-                return
-
-            # 已分配菜单权限校验
-            allow_perms = []
-            for role in user_roles:
-                for menu in role.menus:
-                    if menu.perms and menu.status == StatusType.enable:
-                        allow_perms.extend(menu.perms.split(','))
-            if path_auth_perm not in allow_perms:
-                raise AuthorizationError
-        else:
-            # casbin 鉴权白名单
-            if (method, path) in settings.RBAC_CASBIN_EXCLUDE:
-                return
-
-            # casbin 权限校验
-            # 实现机制：backend/app/admin/api/v1/sys/casbin.py
-            user_uuid = request.user.uuid
-            enforcer = await self.enforcer()
-            if not enforcer.enforce(user_uuid, path, method):
-                raise AuthorizationError
-
-
-rbac: RBAC = RBAC()
+        # 菜单鉴权白名单
+        if path_auth_perm in settings.RBAC_ROLE_MENU_EXCLUDE:
+            return
+
+        # 已分配菜单权限校验
+        allow_perms = []
+        for role in user_roles:
+            for menu in role.menus:
+                if menu.perms and menu.status == StatusType.enable:
+                    allow_perms.extend(menu.perms.split(','))
+        if path_auth_perm not in allow_perms:
+            raise AuthorizationError
+    else:
+        await casbin_verify(request)
+
+
 # RBAC 授权依赖注入
-DependsRBAC = Depends(rbac.rbac_verify)
+DependsRBAC = Depends(rbac_verify)

backend/core/conf.py

@@ -75,18 +75,8 @@ class Settings(BaseSettings):
     JWT_USER_REDIS_PREFIX: str = 'fba:user'
     JWT_USER_REDIS_EXPIRE_SECONDS: int = 60 * 60 * 24 * 7
 
-    # Permission (RBAC)
-    PERMISSION_MODE: Literal['casbin', 'role-menu'] = 'casbin'
-    PERMISSION_REDIS_PREFIX: str = 'fba:permission'
-
     # RBAC
-    # Casbin
-    RBAC_CASBIN_EXCLUDE: set[tuple[str, str]] = {
-        ('POST', f'{FASTAPI_API_V1_PATH}/auth/logout'),
-        ('POST', f'{FASTAPI_API_V1_PATH}/auth/token/new'),
-    }
-
-    # Role-Menu
+    RBAC_ROLE_MENU_MODE: bool = False
     RBAC_ROLE_MENU_EXCLUDE: list[str] = [
         'sys:monitor:redis',
         'sys:monitor:server',

backend/plugin/casbin/__init__.py

@@ -0,0 +1,2 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-

backend/plugin/casbin/api/__init__.py

@@ -0,0 +1,2 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-

backend/plugin/casbin/api/v1/__init__.py

@@ -0,0 +1,2 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-

backend/plugin/casbin/api/v1/sys/__init__.py

@@ -0,0 +1,2 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-

backend/app/admin/api/v1/sys/api.py renamed to backend/plugin/casbin/api/v1/sys/api.py

@@ -4,14 +4,14 @@
 
 from fastapi import APIRouter, Depends, Path, Query, Request
 
-from backend.app.admin.schema.api import CreateApiParam, GetApiDetail, UpdateApiParam
-from backend.app.admin.service.api_service import api_service
 from backend.common.pagination import DependsPagination, PageData, paging_data
 from backend.common.response.response_schema import ResponseModel, ResponseSchemaModel, response_base
 from backend.common.security.jwt import DependsJwtAuth
 from backend.common.security.permission import RequestPermission
 from backend.common.security.rbac import DependsRBAC
 from backend.database.db import CurrentSession
+from backend.plugin.casbin.schema.api import CreateApiParam, GetApiDetail, UpdateApiParam
+from backend.plugin.casbin.service.api_service import api_service
 
 router = APIRouter()