apollo-portal to support displaying configs only to team members, users could...

apollo-portal to support displaying configs only to team members, users could control this behavior by configuring configView.memberOnly.envs in ApolloPortalDB.ServerConfig.

apollo-portal to support displaying configs only to team members, users could...
apollo-portal to support displaying configs only to team members, users could control this behavior by configuring configView.memberOnly.envs in ApolloPortalDB.ServerConfig.
1794d3d2 · nobodyiam · b3fb3fac · 1794d3d2 · 1794d3d2 · 1794d3d2
Commit 1794d3d2 authored Oct 03, 2018 by nobodyiam
15 changed files
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
@@ -3,6 +3,7 @@ package com.ctrip.framework.apollo.portal.component;
 import com.ctrip.framework.apollo.common.entity.AppNamespace;
 import com.ctrip.framework.apollo.portal.component.config.PortalConfig;
 import com.ctrip.framework.apollo.portal.constant.PermissionType;
+import com.ctrip.framework.apollo.portal.service.AppNamespaceService;
 import com.ctrip.framework.apollo.portal.service.RolePermissionService;
 import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
 import com.ctrip.framework.apollo.portal.util.RoleUtils;
@@ -18,6 +19,8 @@ public class PermissionValidator {
  private RolePermissionService rolePermissionService;
  @Autowired
  private PortalConfig portalConfig;
+  @Autowired
+  private AppNamespaceService appNamespaceService;
  public boolean hasModifyNamespacePermission(String appId, String namespaceName) {
    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
@@ -94,4 +97,20 @@ public class PermissionValidator {
  public boolean isSuperAdmin() {
    return rolePermissionService.isSuperAdmin(userInfoHolder.getUser().getUserId());
  }
+  public boolean shouldHideConfigToCurrentUser(String appId, String env, String namespaceName) {
+    // 1. check whether the current environment enables member only function
+    if (!portalConfig.isConfigViewMemberOnly(env)) {
+      return false;
+    }
+    // 2. public namespace is open to every one
+    AppNamespace appNamespace = appNamespaceService.findByAppIdAndName(appId, namespaceName);
+    if (appNamespace != null && appNamespace.isPublic()) {
+      return false;
+    }
+    // 3. check app admin and operate permissions
+    return !isAppAdmin(appId) && !hasOperateNamespacePermission(appId, namespaceName, env);
+  }
 }
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/config/PortalConfig.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/config/PortalConfig.java
@@ -74,6 +74,18 @@ public class PortalConfig extends RefreshableConfig {
    return result;
  }
+  public boolean isConfigViewMemberOnly(String env) {
+    String[] configViewMemberOnlyEnvs = getArrayProperty("configView.memberOnly.envs", new String[0]);
+    for (String memberOnlyEnv : configViewMemberOnlyEnvs) {
+      if (memberOnlyEnv.equalsIgnoreCase(env)) {
+        return true;
+      }
+    }
+    return false;
+  }
  /***
   * Level: normal
   **/

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java
@@ -3,8 +3,10 @@ package com.ctrip.framework.apollo.portal.controller;
 import com.ctrip.framework.apollo.common.dto.CommitDTO;
 import com.ctrip.framework.apollo.common.utils.RequestPrecondition;
 import com.ctrip.framework.apollo.core.enums.Env;
+import com.ctrip.framework.apollo.portal.component.PermissionValidator;
 import com.ctrip.framework.apollo.portal.service.CommitService;
+import java.util.Collections;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -21,10 +23,16 @@ public class CommitController {
  @Autowired
  private CommitService commitService;
+  @Autowired
+  private PermissionValidator permissionValidator;
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/commits", method = RequestMethod.GET)
  public List<CommitDTO> find(@PathVariable String appId, @PathVariable String env,
                              @PathVariable String clusterName, @PathVariable String namespaceName,
                              @RequestParam(defaultValue = "0") int page, @RequestParam(defaultValue = "10") int size) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      return Collections.emptyList();
+    }
    RequestPrecondition.checkNumberPositive(size);
    RequestPrecondition.checkNumberNotNegative(page);

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
 package com.ctrip.framework.apollo.portal.controller;
+import com.ctrip.framework.apollo.common.dto.ItemChangeSets;
 import com.ctrip.framework.apollo.common.dto.ItemDTO;
 import com.ctrip.framework.apollo.common.exception.BadRequestException;
 import com.ctrip.framework.apollo.core.enums.Env;
@@ -107,6 +108,10 @@ public class ItemController {
                                 @PathVariable String clusterName, @PathVariable String namespaceName,
                                 @RequestParam(defaultValue = "lineNum") String orderBy) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      return Collections.emptyList();
+    }
    List<ItemDTO> items = configService.findItems(appId, Env.valueOf(env), clusterName, namespaceName);
    if ("lastModifiedTime".equals(orderBy)) {
      Collections.sort(items, (o1, o2) -> {
@@ -136,7 +141,22 @@ public class ItemController {
  public List<ItemDiffs> diff(@RequestBody NamespaceSyncModel model) {
    checkModel(Objects.nonNull(model) && !model.isInvalid());
-    return configService.compare(model.getSyncToNamespaces(), model.getSyncItems());
+    List<ItemDiffs> itemDiffs = configService.compare(model.getSyncToNamespaces(), model.getSyncItems());
+    for (ItemDiffs diff : itemDiffs) {
+      NamespaceIdentifier namespace = diff.getNamespace();
+      if (namespace == null) {
+        continue;
+      }
+      if (permissionValidator
+          .shouldHideConfigToCurrentUser(namespace.getAppId(), namespace.getEnv().name(), namespace.getNamespaceName())) {
+        diff.setDiffs(new ItemChangeSets());
+        diff.setExtInfo("您不是该项目的管理员，也没有该Namespace在 " + namespace.getEnv() +  " 环境的编辑或发布权限");
+      }
+    }
+    return itemDiffs;
  }
  @RequestMapping(value = "/apps/{appId}/namespaces/{namespaceName}/items", method = RequestMethod.PUT, consumes = {

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
@@ -43,7 +43,13 @@ public class NamespaceBranchController {
                                @PathVariable String env,
                                @PathVariable String clusterName,
                                @PathVariable String namespaceName) {
-    return namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName);
+    NamespaceBO namespaceBO = namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName);
+    if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      namespaceBO.hideItems();
+    }
+    return namespaceBO;
  }
  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
@@ -2,6 +2,7 @@ package com.ctrip.framework.apollo.portal.controller;
 import com.ctrip.framework.apollo.common.dto.AppNamespaceDTO;
 import com.ctrip.framework.apollo.common.utils.BeanUtils;
+import com.ctrip.framework.apollo.portal.component.PermissionValidator;
 import com.ctrip.framework.apollo.portal.listener.AppNamespaceDeletionEvent;
 import com.google.common.collect.Sets;
@@ -62,6 +63,8 @@ public class NamespaceController {
  private RolePermissionService rolePermissionService;
  @Autowired
  private PortalConfig portalConfig;
+  @Autowired
+  private PermissionValidator permissionValidator;
  @RequestMapping(value = "/appnamespaces/public", method = RequestMethod.GET)
@@ -73,14 +76,28 @@ public class NamespaceController {
  public List<NamespaceBO> findNamespaces(@PathVariable String appId, @PathVariable String env,
                                          @PathVariable String clusterName) {
-    return namespaceService.findNamespaceBOs(appId, Env.valueOf(env), clusterName);
+    List<NamespaceBO> namespaceBOs = namespaceService.findNamespaceBOs(appId, Env.valueOf(env), clusterName);
+    for (NamespaceBO namespaceBO : namespaceBOs) {
+      if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceBO.getBaseInfo().getNamespaceName())) {
+        namespaceBO.hideItems();
+      }
+    }
+    return namespaceBOs;
  }
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName:.+}", method = RequestMethod.GET)
  public NamespaceBO findNamespace(@PathVariable String appId, @PathVariable String env,
                                   @PathVariable String clusterName, @PathVariable String namespaceName) {
-    return namespaceService.loadNamespaceBO(appId, Env.valueOf(env), clusterName, namespaceName);
+    NamespaceBO namespaceBO = namespaceService.loadNamespaceBO(appId, Env.valueOf(env), clusterName, namespaceName);
+    if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      namespaceBO.hideItems();
+    }
+    return namespaceBO;
  }
  @RequestMapping(value = "/envs/{env}/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/associated-public-namespace",

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
@@ -13,6 +13,7 @@ import com.ctrip.framework.apollo.portal.entity.bo.ReleaseBO;
 import com.ctrip.framework.apollo.portal.listener.ConfigPublishEvent;
 import com.ctrip.framework.apollo.portal.service.ReleaseService;
+import java.util.Collections;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.access.AccessDeniedException;
@@ -113,6 +114,9 @@ public class ReleaseController {
                                         @PathVariable String namespaceName,
                                         @RequestParam(defaultValue = "0") int page,
                                         @RequestParam(defaultValue = "5") int size) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      return Collections.emptyList();
+    }
    RequestPrecondition.checkNumberPositive(size);
    RequestPrecondition.checkNumberNotNegative(page);
@@ -128,6 +132,10 @@ public class ReleaseController {
                                             @RequestParam(defaultValue = "0") int page,
                                             @RequestParam(defaultValue = "5") int size) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      return Collections.emptyList();
+    }
    RequestPrecondition.checkNumberPositive(size);
    RequestPrecondition.checkNumberNotNegative(page);

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java
@@ -2,9 +2,11 @@ package com.ctrip.framework.apollo.portal.controller;
 import com.ctrip.framework.apollo.core.enums.Env;
+import com.ctrip.framework.apollo.portal.component.PermissionValidator;
 import com.ctrip.framework.apollo.portal.entity.bo.ReleaseHistoryBO;
 import com.ctrip.framework.apollo.portal.service.ReleaseHistoryService;
+import java.util.Collections;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -19,6 +21,8 @@ public class ReleaseHistoryController {
  @Autowired
  private ReleaseHistoryService releaseHistoryService;
+  @Autowired
+  private PermissionValidator permissionValidator;
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/releases/histories",
      method = RequestMethod.GET)
@@ -29,6 +33,10 @@ public class ReleaseHistoryController {
                                                                @RequestParam(value = "page", defaultValue = "0") int page,
                                                                @RequestParam(value = "size", defaultValue = "10") int size) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+      return Collections.emptyList();
+    }
   return releaseHistoryService.findNamespaceReleaseHistory(appId, Env.valueOf(env), clusterName ,namespaceName, page, size);
  }

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/bo/NamespaceBO.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/bo/NamespaceBO.java
@@ -12,7 +12,8 @@ public class NamespaceBO {
  private boolean isPublic;
  private String parentAppId;
  private String comment;
+  // is the configs hidden to current user?
+  private boolean isConfigHidden;
  public NamespaceDTO getBaseInfo() {
    return baseInfo;
@@ -70,4 +71,17 @@ public class NamespaceBO {
    this.comment = comment;
  }
+  public boolean isConfigHidden() {
+    return isConfigHidden;
+  }
+  public void setConfigHidden(boolean hidden) {
+    isConfigHidden = hidden;
+  }
+  public void hideItems() {
+    setConfigHidden(true);
+    items.clear();
+    setItemModifiedCnt(0);
+  }
 }
--- a/apollo-portal/src/main/resources/static/config/history.html
+++ b/apollo-portal/src/main/resources/static/config/history.html
@@ -48,7 +48,7 @@
        </div>
-        <div class="release-history-container panel-body row" ng-show="releaseHistories && releaseHistories.length > 0">
+        <div class="release-history-container panel-body row" ng-show="!isConfigHidden && releaseHistories && releaseHistories.length > 0">
            <div class="release-history-list col-md-3">
                <div class="media hover" ng-class="{'active': releaseHistory.id == selectedReleaseHistory}"
@@ -232,8 +232,9 @@
        </div>
-        <div class="panel-body" ng-show="!releaseHistories || releaseHistories.length == 0">
+        <div class="panel-body" ng-show="isConfigHidden || !releaseHistories || releaseHistories.length == 0">
-            <h4 class="text-center empty-container">无发布历史信息</h4>
+            <h4 class="text-center empty-container" ng-show="isConfigHidden">您不是该项目的管理员，也没有该Namespace的编辑或发布权限，无法查看发布历史</h4>
+            <h4 class="text-center empty-container" ng-show="!isConfigHidden">无发布历史信息</h4>
        </div>
    </section>

--- a/apollo-portal/src/main/resources/static/scripts/controller/config/ReleaseHistoryController.js
+++ b/apollo-portal/src/main/resources/static/scripts/controller/config/ReleaseHistoryController.js
@@ -26,6 +26,8 @@ function releaseHistoryController($scope, $location, AppUtil,
    $scope.hasLoadAll = false;
    $scope.selectedReleaseHistory = 0;
    $scope.isTextNamespace = false;
+    // whether current user can view config
+    $scope.isConfigHidden = false;
    $scope.showReleaseHistoryDetail = showReleaseHistoryDetail;
    $scope.switchConfigViewType = switchConfigViewType;
@@ -99,6 +101,7 @@ function releaseHistoryController($scope, $location, AppUtil,
                if ($scope.isTextNamespace) {
                  fixTextNamespaceViewType();
                }
+                $scope.isConfigHidden = result.isConfigHidden;
            })
    }

--- a/apollo-portal/src/main/resources/static/views/component/namespace-panel-branch-tab.html
+++ b/apollo-portal/src/main/resources/static/views/component/namespace-panel-branch-tab.html
@@ -53,8 +53,13 @@
    </header>
    <div id="BODY{{namespace.branch.id}}" class="collapse in">
+        <div class="J_namespace-release-tip well well-sm no-radius text-center"
+             ng-show="namespace.isConfigHidden">
+            <span style="color: red">您不是该项目的管理员，也没有该Namespace的编辑或发布权限，无法查看配置信息。</span>
+        </div>
        <!--second header-->
-        <header class="panel-heading second-panel-heading">
+        <header class="panel-heading second-panel-heading" ng-show="!namespace.isConfigHidden">
            <div class="row">
                <div class="col-md-12 pull-left">
                    <ul class="nav nav-tabs">
@@ -92,7 +97,7 @@
            </div>
        </header>
        <!--namespace body-->
-        <section>
+        <section ng-show="!namespace.isConfigHidden">
            <!--items-->
            <div class="namespace-view-table" ng-show="namespace.branch.viewType == 'table'">

--- a/apollo-portal/src/main/resources/static/views/component/namespace-panel-master-tab.html
+++ b/apollo-portal/src/main/resources/static/views/component/namespace-panel-master-tab.html
@@ -92,9 +92,16 @@
        </div>
    </header>
    <div id="BODY{{namespace.id}}" class="collapse in">
+        <div class="J_namespace-release-tip well well-sm no-radius text-center"
+             ng-show="namespace.isConfigHidden">
+            <span style="color: red">您不是该项目的管理员，也没有该Namespace的编辑或发布权限，无法查看配置信息。</span>
+        </div>
        <!--second header-->
-        <header class="panel-heading second-panel-heading">
+        <header class="panel-heading second-panel-heading" ng-show="!namespace.isConfigHidden">
            <div class="row">
                <div class="col-md-6 col-sm-6 pull-left">
                    <!--master branch nav tabs-->
@@ -182,7 +189,7 @@
        </header>
        <!--namespace body-->
-        <section>
+        <section ng-show="!namespace.isConfigHidden">
            <!--table view-->
            <div class="namespace-view-table" ng-show="namespace.viewType == 'table'">

--- a/scripts/apollo-on-kubernetes/db/portal-db/apolloportaldb.sql
+++ b/scripts/apollo-on-kubernetes/db/portal-db/apolloportaldb.sql
@@ -312,7 +312,8 @@ VALUES
    ('superAdmin', 'apollo', 'Portal超级管理员'),
    ('api.readTimeout', '10000', 'http接口read timeout'),
    ('consumer.token.salt', 'someSalt', 'consumer token salt'),
-    ('admin.createPrivateNamespace.switch', 'true', '是否允许项目管理员创建私有namespace');
+    ('admin.createPrivateNamespace.switch', 'true', '是否允许项目管理员创建私有namespace'),
+    ('configView.memberOnly.envs', 'pro', '只对项目成员显示配置信息的环境列表，多个env以英文逗号分隔');
 INSERT INTO `Users` (`Username`, `Password`, `Email`, `Enabled`)
 VALUES

--- a/scripts/sql/apolloportaldb.sql
+++ b/scripts/sql/apolloportaldb.sql
@@ -312,7 +312,9 @@ VALUES
    ('superAdmin', 'apollo', 'Portal超级管理员'),
    ('api.readTimeout', '10000', 'http接口read timeout'),
    ('consumer.token.salt', 'someSalt', 'consumer token salt'),
-    ('admin.createPrivateNamespace.switch', 'true', '是否允许项目管理员创建私有namespace');
+    ('admin.createPrivateNamespace.switch', 'true', '是否允许项目管理员创建私有namespace'),
+    ('configView.memberOnly.envs', 'pro', '只对项目成员显示配置信息的环境列表，多个env以英文逗号分隔');
 INSERT INTO `Users` (`Username`, `Password`, `Email`, `Enabled`)
 VALUES