CoSec v1.16.3 released: a multi-tenant reactive security framework based on RBAC and policies
What's new in v1.16.3 🎉 🎉 🎉
- Feature: added GroupedRateLimiterConditionMatcher, which rate-limits per group. The group key is taken from a request part (here the client IP), so each value of that part gets its own limit:

```json
{ "groupedRateLimiter": { "part": "request.remoteIp", "permitsPerSecond": 10, "expireAfterAccessSecond": 1000 } }
```

- Feature: Policy and AppPermission now accept a top-level condition, so a condition shared by every statement or permission group is written once instead of being repeated. An AppPermission that requires an authenticated caller and applies a per-IP rate limit to every permission in the group now looks like:

```json
{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "groupedRateLimiter": { "part": "request.remoteIp", "permitsPerSecond": 10, "expireAfterAccessSecond": 1000 } }
      ]
    }
  },
  "groups": [
    {
      "name": "Order management",
      "permissions": [
        { "id": "manage.order.ship", "name": "Ship", "action": "/order/ship" },
        { "id": "manage.order.issueInvoice", "name": "Issue invoice", "action": "/order/issueInvoice" }
      ]
    }
  ]
}
```

- Refactor: role permission policies reworked for ease of use.
- Refactor: policy schema reworked to improve IDE auto-completion.
- Dependency: CosId updated to v1.18.5.
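To make the two groupedRateLimiter knobs concrete, here is an added example (written for this page, not CoSec's own implementation) of a per-key rate limiter with `permitsPerSecond` and `expireAfterAccessSecond`. The token-bucket refill and the eviction of idle groups are assumptions about how such a matcher behaves; the traffic in `demo()` is constructed. The point it makes is why the expiry knob matters: without it, every distinct key (every client IP, when the part is `request.remoteIp`) keeps a bucket in memory forever.

```python
# Added example, not CoSec code: a per-key ("grouped") token-bucket limiter with an idle-expiry.
import time
from typing import Optional


class GroupedRateLimiter:
    """One token bucket per group key; buckets idle for longer than expire_after_access_second are dropped."""

    def __init__(self, permits_per_second: float, expire_after_access_second: float):
        self.rate = float(permits_per_second)
        self.expire = float(expire_after_access_second)
        # key -> {"tokens": available permits, "refilled": last refill time, "seen": last access time}
        self.buckets = {}

    def _evict_idle(self, now: float) -> None:
        # O(n) sweep, acceptable for an example; a real matcher would use an access-expiring cache
        self.buckets = {k: b for k, b in self.buckets.items() if now - b["seen"] <= self.expire}

    def try_acquire(self, key: str, now: Optional[float] = None) -> bool:
        """Return True if one permit is granted to `key` at time `now` (monotonic seconds)."""
        if now is None:
            now = time.monotonic()
        self._evict_idle(now)
        bucket = self.buckets.get(key)
        if bucket is None:
            # first sight of this key: a full bucket, so an initial burst of permits_per_second is allowed
            bucket = self.buckets[key] = {"tokens": self.rate, "refilled": now, "seen": now}
        else:
            elapsed = max(0.0, now - bucket["refilled"])
            bucket["tokens"] = min(self.rate, bucket["tokens"] + elapsed * self.rate)
            bucket["refilled"] = now
        bucket["seen"] = now
        if bucket["tokens"] >= 1.0:
            bucket["tokens"] -= 1.0
            return True
        return False

    def active_groups(self) -> int:
        """Number of keys currently holding a bucket (memory footprint of the limiter)."""
        return len(self.buckets)


def simulate(limiter: GroupedRateLimiter, events):
    """events: iterable of (timestamp, key); returns a list of (timestamp, key, allowed)."""
    return [(t, key, limiter.try_acquire(key, now=t)) for t, key in events]


def demo():
    # Constructed traffic: client A bursts 12 requests at t=0, client B sends 1, A retries 6 times at t=0.5.
    limiter = GroupedRateLimiter(permits_per_second=10, expire_after_access_second=1000)
    events = [(0.0, "203.0.113.5")] * 12 + [(0.0, "198.51.100.9")] + [(0.5, "203.0.113.5")] * 6
    results = simulate(limiter, events)
    allowed_a_burst = sum(1 for _, _, ok in results[:12] if ok)  # A's own bucket: 10 of 12
    allowed_b = results[12][2]                                     # B is a separate group: allowed
    allowed_a_retry = sum(1 for _, _, ok in results[13:] if ok)   # half a second refills 5 permits
    return allowed_a_burst, allowed_b, allowed_a_retry


if __name__ == "__main__":
    print(demo())
```

Keying on `request.remoteIp` only throttles the right party if the IP the gateway sees is the client's; behind a proxy or load balancer the trusted source of the client address has to be configured, or every caller shares one bucket.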
Authentication
Authorization
OAuth
Modeling class diagram
Security gateway service
Authorization policy flow
Built-in policy matchers
ActionMatcher
How to customize an ActionMatcher (SPI)
A custom ActionMatcher is registered the same way as the ConditionMatcher template in the next section: implement ActionMatcherFactory, and list the factory's fully qualified class name in the service file so it is discovered via the JDK ServiceLoader:

```
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
```
ConditionMatcher
How to customize a ConditionMatcher (SPI)

```kotlin
class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        // The condition type name used in policy JSON, e.g. { "[CustomConditionType]": { ... } }
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}

class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: return true when the condition holds for this request
        TODO("Custom matching logic")
    }
}
```

Register the factory in the service file:

```
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
```
Policy schema
Configure the Policy Schema to get input auto-completion in the IDE (IntelliJ IDEA).
Policy demo
The demo below exercises the policy building blocks: a top-level condition that applies to every statement, statements whose effect defaults to allow or is set to deny, actions given as a single path, a list of paths, or a path object with options, placeholders such as #{principal.id} resolved from the security context, and the built-in condition types (authenticated, rateLimiter, in, regular with negate, path with a custom separator, bool with and/or, contains, startsWith, endsWith).

```json
{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "rateLimiter": { "permitsPerSecond": 10 } }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": { "caseSensitive": false, "separator": "/", "decodeAndParseSegments": false }
        }
      }
    },
    { "name": "Anonymous", "action": [ "/auth/register", "/auth/login" ] },
    { "name": "UserScope", "action": "/user/#{principal.id}/*", "condition": { "authenticated": {} } },
    {
      "name": "Developer",
      "action": "*",
      "condition": { "in": { "part": "context.principal.id", "value": [ "developerId" ] } }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": { "regular": { "negate": true, "part": "request.origin", "pattern": "^(http|https)://github.com" } }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": { "regular": { "negate": true, "part": "request.attributes.ipRegion", "pattern": "^中国\\|0\\|(上海|广东省)\\|.*" } }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [ { "authenticated": {} } ],
          "or": [
            { "in": { "part": "context.principal.id", "value": [ "developerId" ] } },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false }
              }
            }
          ]
        }
      }
    },
    { "name": "TestContains", "effect": "allow", "action": "*", "condition": { "contains": { "part": "request.attributes.ipRegion", "value": "上海" } } },
    { "name": "TestStartsWith", "effect": "allow", "action": "*", "condition": { "startsWith": { "part": "request.attributes.ipRegion", "value": "中国" } } },
    { "name": "TestEndsWith", "effect": "allow", "action": "*", "condition": { "endsWith": { "part": "request.attributes.remoteIp", "value": ".168.0.1" } } }
  ]
}
```
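Before shipping a policy like the one above it is worth dry-running it against sample requests, because allow and deny statements interact and a negated condition can deny more than intended. The following is an added example, written for this page and not CoSec's own evaluator: a small offline interpreter for policies in the demo's shape. Its evaluation order (a matching deny statement wins, otherwise a matching allow statement allows, otherwise implicit deny) follows the AWS IAM model the page credits; that order, the `*`/`**` segment rules of the path matcher, the and/or reading of `bool`, and the treatment of a missing part as "no match" are all assumptions. `DEMO_POLICY` and `make_ctx` are constructed test fixtures, not CoSec types.

```python
# Added example, not CoSec's own code: an offline evaluator for policies shaped like the demo above,
# for dry-running a policy against sample requests before deploying it. Evaluation order (matching
# deny wins, else matching allow, else implicit deny) follows the AWS IAM model the page cites; it,
# the '*'/'**' path segment rules and the and/or reading of "bool" are assumptions.
import fnmatch
import re


def get_part(name, ctx):
    """Resolve a dotted part such as "request.remoteIp" against ctx; a missing part is None."""
    cur = ctx
    for seg in name.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def resolve(template, ctx):
    """Expand "#{principal.id}"-style placeholders from the security context."""
    return re.sub(r"#\{([^}]+)\}", lambda m: str(get_part("context." + m.group(1), ctx) or ""), template)


def path_match(pattern, value, sep="/", case_sensitive=True):
    """Ant-style match per segment: '*' matches one segment, '**' any number of segments."""
    if value is None:
        return False
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()

    def rec(p, v):
        if not p:
            return not v
        if p[0] == "**":
            return any(rec(p[1:], v[i:]) for i in range(len(v) + 1))
        return bool(v) and fnmatch.fnmatchcase(v[0], p[0]) and rec(p[1:], v[1:])

    return rec(pattern.split(sep), value.split(sep))


def match_condition(cond, ctx):
    (kind, spec), = cond.items()
    part = get_part(spec["part"], ctx) if "part" in spec else None
    if kind == "authenticated":
        return get_part("context.principal.id", ctx) is not None
    if kind == "inTenant":
        return get_part("context.tenant.id", ctx) == spec["value"]
    if kind == "in":
        return part in spec["value"]
    if kind in ("contains", "startsWith", "endsWith"):
        if part is None:
            return False
        return {"contains": spec["value"] in part, "startsWith": part.startswith(spec["value"]),
                "endsWith": part.endswith(spec["value"])}[kind]
    if kind == "regular":
        # a missing part counts as "no match", so a negated pattern denies requests that lack it (assumption)
        hit = part is not None and re.search(spec["pattern"], part) is not None
        return hit != spec.get("negate", False)
    if kind == "path":
        o = spec.get("options", {})
        return path_match(spec["pattern"], part, o.get("separator", "/"), o.get("caseSensitive", True))
    if kind == "bool":
        ands = all(match_condition(c, ctx) for c in spec.get("and", []))
        ors = spec.get("or", [])
        return ands and (not ors or any(match_condition(c, ctx) for c in ors))
    if kind in ("rateLimiter", "groupedRateLimiter"):
        return True  # stateful; treated as permitting in a dry run
    raise ValueError(f"unsupported condition type: {kind}")


def match_action(action, ctx):
    path = get_part("request.path", ctx)
    if isinstance(action, list):
        return any(match_action(a, ctx) for a in action)
    if isinstance(action, dict):  # {"path": {"pattern": ..., "options": {...}}}
        o = action["path"].get("options", {})
        return path_match(resolve(action["path"]["pattern"], ctx), path,
                          o.get("separator", "/"), o.get("caseSensitive", True))
    return action == "*" or path_match(resolve(action, ctx), path)


def authorize(policy, ctx):
    """Return (decision, reason): 'allow'/'deny' plus the deciding statement name."""
    if "condition" in policy and not match_condition(policy["condition"], ctx):
        return "deny", "policy-condition"  # the top-level condition gates every statement
    matched = [(st.get("effect", "allow"), st.get("name", "<unnamed>")) for st in policy["statements"]
               if ("condition" not in st or match_condition(st["condition"], ctx)) and match_action(st["action"], ctx)]
    for effect, name in matched:
        if effect == "deny":
            return "deny", name
    return ("allow", matched[0][1]) if matched else ("deny", "implicit")


# Constructed policy: a subset of the statements in the demo above, under a top-level tenant condition.
DEMO_POLICY = {
    "id": "demo", "condition": {"inTenant": {"value": "default"}},
    "statements": [
        {"name": "Anonymous", "action": ["/auth/register", "/auth/login"]},
        {"name": "UserScope", "action": "/user/#{principal.id}/*", "condition": {"authenticated": {}}},
        {"name": "Developer", "action": "*",
         "condition": {"in": {"part": "context.principal.id", "value": ["developerId"]}}},
        {"name": "RequestOriginDeny", "effect": "deny", "action": "*",
         "condition": {"regular": {"negate": True, "part": "request.origin", "pattern": "^(http|https)://github.com"}}},
        {"name": "IpBlacklist", "effect": "deny", "action": "*",
         "condition": {"path": {"part": "request.remoteIp", "pattern": "192.168.0.*",
                                "options": {"caseSensitive": False, "separator": "."}}}},
    ],
}


def make_ctx(path, principal_id=None, remote_ip="10.0.0.7", origin="https://github.com", tenant="default"):
    """Constructed request/security context, not a real CoSec Request or SecurityContext."""
    return {"request": {"path": path, "remoteIp": remote_ip, "origin": origin},
            "context": {"principal": {"id": principal_id} if principal_id else None, "tenant": {"id": tenant}}}
```

Running `authorize(DEMO_POLICY, make_ctx("/user/42/profile", principal_id="developerId", remote_ip="192.168.0.1"))` shows the interaction that matters: the Developer statement allows `*`, but the IpBlacklist deny matches the same request and wins. Equally instructive is a request with no `Origin` value at all, which the negated RequestOriginDeny pattern rejects under this evaluator; whether that is what you want is a decision to make explicitly when writing negated conditions.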
App permission metadata schema
Configure the App Permission Schema to get input auto-completion in the IDE (IntelliJ IDEA).
App permission metadata demo

```json
{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "groupedRateLimiter": { "part": "request.remoteIp", "permitsPerSecond": 10, "expireAfterAccessSecond": 1000 } },
        { "inTenant": { "value": "default" } }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        { "id": "manage.order.ship", "name": "Ship", "description": "Ship", "action": "/order/ship" },
        { "id": "manage.order.issueInvoice", "name": "Issue an invoice", "description": "Issue an invoice", "action": "/order/issueInvoice" }
      ]
    }
  ]
}
```
OpenTelemetry
CoSec follows the OpenTelemetry general identity attributes specification.
Acknowledgements
CoSec's permission policy design references AWS IAM.