feat: add xpackee permission-aware settings flow

Author: ssongliu

agent/router/entry_xpackee.go

@@ -0,0 +1,19 @@
+//go:build xpackee
+
+package router
+
+import (
+	xpackRouter "github.com/1Panel-dev/1Panel/agent/xpack/router"
+)
+
+func RouterGroups() []CommonRouter {
+	baseRouter := commonGroups()
+	for _, ro := range xpackRouter.XpackGroups() {
+		if val, ok := ro.(CommonRouter); ok {
+			baseRouter = append(baseRouter, val)
+		}
+	}
+	return baseRouter
+}
+
+var RouterGroupApp = RouterGroups()

agent/server/init_xpackee.go

@@ -0,0 +1,11 @@
+//go:build xpackee
+
+package server
+
+import (
+	xpack "github.com/1Panel-dev/1Panel/agent/xpack"
+)
+
+func InitOthers() {
+	xpack.Init()
+}

agent/utils/xpack/xpackee.go

@@ -0,0 +1,74 @@
+//go:build xpackee
+
+package xpack
+
+import (
+	"net/http"
+
+	"github.com/1Panel-dev/1Panel/agent/app/dto"
+	"github.com/1Panel-dev/1Panel/agent/app/model"
+	edition "github.com/1Panel-dev/1Panel/agent/xpack/edition"
+	"github.com/gin-gonic/gin"
+)
+
+func RemoveTamper(website string) {
+	edition.RemoveTamper(website)
+}
+
+func StartClam(startClam *model.Clam, isUpdate bool) (int, error) {
+	return edition.StartClam(startClam, isUpdate)
+}
+
+func LoadNodeInfo(isBase bool) (model.NodeInfo, error) {
+	return edition.LoadNodeInfo(isBase)
+}
+
+func GetImagePrefix() string {
+	return edition.GetImagePrefix()
+}
+
+func IsUseCustomApp() bool {
+	return edition.IsUseCustomApp()
+}
+
+func IsXpack() bool {
+	return edition.IsXpack()
+}
+
+func CreateTaskScanSMSAlertLog(info dto.AlertDTO, alertType string, create dto.AlertLogCreate, pushAlert dto.PushAlert, method string) error {
+	return edition.CreateTaskScanSMSAlertLog(info, alertType, create, pushAlert, method)
+}
+
+func CreateSMSAlertLog(alertType string, info dto.AlertDTO, create dto.AlertLogCreate, project string, params []dto.Param, method string) error {
+	return edition.CreateSMSAlertLog(alertType, info, create, project, params, method)
+}
+
+func CreateTaskScanWebhookAlertLog(alert dto.AlertDTO, alertType string, create dto.AlertLogCreate, pushAlert dto.PushAlert, method string, transport *http.Transport, agentInfo *dto.AgentInfo) error {
+	return edition.CreateTaskScanWebhookAlertLog(alert, alertType, create, pushAlert, method, transport, agentInfo)
+}
+
+func CreateWebhookAlertLog(alertType string, info dto.AlertDTO, create dto.AlertLogCreate, project string, params []dto.Param, method string, transport *http.Transport, agentInfo *dto.AgentInfo) error {
+	return edition.CreateWebhookAlertLog(alertType, info, create, project, params, method, transport, agentInfo)
+}
+
+func GetLicenseErrorAlert() (uint, error) {
+	return edition.GetLicenseErrorAlert()
+}
+
+func GetNodeErrorAlert() (uint, error) {
+	return edition.GetNodeErrorAlert()
+}
+
+func LoadRequestTransport() *http.Transport { return edition.LoadRequestTransport() }
+
+func ValidateCertificate(c *gin.Context) bool {
+	return edition.ValidateCertificate(c)
+}
+
+func PushSSLToNode(websiteSSL *model.WebsiteSSL) error {
+	return edition.PushSSLToNode(websiteSSL)
+}
+
+func GetAgentInfo() (*dto.AgentInfo, error) {
+	return edition.GetAgentInfo()
+}

core/app/api/v2/helper/helper.go

@@ -22,6 +22,15 @@ func ErrorWithDetail(ctx *gin.Context, code int, msgKey string, err error) {
 		res.Code = 401
 		res.Message = msgKey
 	}
+	if msgKey == "ErrRBAC" {
+		res.Code = 412
+		if err != nil {
+			res.Message = err.Error()
+			ctx.JSON(http.StatusOK, res)
+			ctx.Abort()
+			return
+		}
+	}
 	res.Message = i18n.GetMsgWithMap(msgKey, map[string]interface{}{"detail": err})
 	ctx.JSON(http.StatusOK, res)
 	ctx.Abort()

core/app/api/v2/setting.go

@@ -109,7 +109,7 @@ func (b *BaseApi) UpdateSetting(c *gin.Context) {
 		req.Value = value
 	}
 
-	if err := settingService.Update(req.Key, req.Value); err != nil {
+	if err := settingService.Update(c, req.Key, req.Value); err != nil {
 		helper.InternalServer(c, err)
 		return
 	}
@@ -187,7 +187,7 @@ func (b *BaseApi) UpdateMenu(c *gin.Context) {
 		return
 	}
 
-	if err := settingService.Update(req.Key, req.Value); err != nil {
+	if err := settingService.Update(c, req.Key, req.Value); err != nil {
 		helper.InternalServer(c, err)
 		return
 	}
@@ -411,17 +411,17 @@ func (b *BaseApi) MFABind(c *gin.Context) {
 		return
 	}
 
-	if err := settingService.Update("MFAInterval", req.Interval); err != nil {
+	if err := settingService.Update(c, "MFAInterval", req.Interval); err != nil {
 		helper.InternalServer(c, err)
 		return
 	}
 
-	if err := settingService.Update("MFAStatus", constant.StatusEnable); err != nil {
+	if err := settingService.Update(c, "MFAStatus", constant.StatusEnable); err != nil {
 		helper.InternalServer(c, err)
 		return
 	}
 
-	if err := settingService.Update("MFASecret", req.Secret); err != nil {
+	if err := settingService.Update(c, "MFASecret", req.Secret); err != nil {
 		helper.InternalServer(c, err)
 		return
 	}

core/app/service/auth.go

@@ -142,7 +142,7 @@ func (u *AuthService) generateSession(c *gin.Context, name string) (*dto.UserLog
 		return nil, err
 	}
 
-	sessionUser := psession.SessionUser{Name: name, Role: "ADMIN"}
+	sessionUser := psession.SessionUser{ID: psession.SuperAdminSessionUserID, Name: name, Role: "ADMIN"}
 	lifeTime = xpack.LoadSessionTimeout(sessionUser, lifeTime)
 	if err := global.SESSION.SetFresh(c, sessionUser, httpsSetting.Value == constant.StatusEnable, lifeTime); err != nil {
 		return nil, err

core/app/service/setting.go

@@ -44,7 +44,7 @@ type SettingService struct{}
 type ISettingService interface {
 	GetSettingInfo() (*dto.SettingInfo, error)
 	LoadInterfaceAddr() ([]string, error)
-	Update(key, value string) error
+	Update(c *gin.Context, key, value string) error
 	UpdatePassword(c *gin.Context, old, new string) error
 	UpdatePort(port uint) error
 	UpdateBindInfo(req dto.BindInfo) error
@@ -127,7 +127,7 @@ func sortShowMenus(menus []dto.ShowMenu) {
 	})
 }
 
-func (u *SettingService) Update(key, value string) error {
+func (u *SettingService) Update(c *gin.Context, key, value string) error {
 	oldVal, err := settingRepo.Get(repo.WithByKey(key))
 	if err != nil {
 		return err
@@ -180,7 +180,7 @@ func (u *SettingService) Update(key, value string) error {
 			return err
 		}
 	case "UserName", "Password":
-		_ = global.SESSION.DeleteByID("")
+		u.deleteCurrentSession(c)
 	case "Language":
 		i18n.SetCachedDBLanguage(value)
 		if err := xpack.Sync(constant.SyncLanguage); err != nil {
@@ -566,10 +566,21 @@ func (u *SettingService) UpdatePassword(c *gin.Context, old, new string) error {
 	if err := u.HandlePasswordExpired(c, old, new); err != nil {
 		return err
 	}
-	_ = global.SESSION.DeleteByID("")
+	u.deleteCurrentSession(c)
 	return nil
 }
 
+func (u *SettingService) deleteCurrentSession(c *gin.Context) {
+	if c == nil {
+		return
+	}
+	sessionUser, err := global.SESSION.Get(c)
+	if err != nil || sessionUser.ID == "" {
+		return
+	}
+	_ = global.SESSION.DeleteByID(sessionUser.ID)
+}
+
 func (u *SettingService) clearPasskeySettings() error {
 	if err := settingRepo.Update(passkey.PasskeyUserIDSettingKey, ""); err != nil {
 		return err

core/cmd/server/validator_linux_amd64

@@ -55,6 +55,8 @@ AppInstallCheck: 'Check application installation environment'
 
 # backup
 ErrBackupInUsed: "This backup account is used in scheduled tasks and cannot be deleted"
+ErrRolePresetCannotDelete: "System preset roles cannot be deleted"
+ErrRoleBoundToUser: "This role is already bound to users and cannot be deleted"
 ErrBackupCheck: "Backup account connection test failed {{ .err }}"
 ErrBackupLocal: "Local server backup account does not support this operation!"
 ErrBackupPublic: "Detected that this backup account is not public, check and try again!"

core/i18n/lang/en.yaml

@@ -54,6 +54,8 @@ AppInstallCheck: 'Verificar entorno de instalación de aplicación'
 
 # backup
 ErrBackupInUsed: 'Cuenta de respaldo en uso por tarea programada'
+ErrRolePresetCannotDelete: "System preset roles cannot be deleted"
+ErrRoleBoundToUser: "This role is already bound to users and cannot be deleted"
 ErrBackupCheck: 'Conexión de respaldo falló: {{ .err }}'
 ErrBackupLocal: "La cuenta de respaldo del servidor local no admite esta operación"
 ErrBackupPublic: "Se detectó que esta cuenta de respaldo no es pública, verifique e intente de nuevo"