From 66705e30c106bab1b46b52e944a56d3a5a66bd4e Mon Sep 17 00:00:00 2001
From: zhouchunhai <111631755+zhouchunhai@users.noreply.github.com>
Date: Thu, 5 Dec 2024 17:28:12 +0800
Subject: [PATCH] =?UTF-8?q?The=20error=20message=20is=20not=20user-friendl?= =?UTF-8?q?y=20when=20adding=20duplicate=20permissi=E2=80=A6=20(#12805)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* The error message is not user-friendly when adding duplicate permissions. (#12273)
* The error message is not user-friendly when adding duplicate permissions. (#12773)
* add some unit test.
* fix ci fail.
---
 .../impl/controller/PermissionController.java | 15 ++++++++++++
 .../auth/impl/roles/NacosRoleServiceImpl.java | 24 +++++++++++++++++++
 .../controller/PermissionControllerTest.java | 9 +++++++
 .../impl/roles/NacosRoleServiceImplTest.java | 15 ++++++++++++
 4 files changed, 63 insertions(+)

diff --git a/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionController.java b/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionController.java
index 1392f7d2129..fdd57ccee29 100644
--- a/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionController.java
+++ b/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionController.java
@@ -16,6 +16,7 @@
 package com.alibaba.nacos.plugin.auth.impl.controller;
+import com.alibaba.nacos.api.model.v2.Result;
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.common.model.RestResultUtils;
 import com.alibaba.nacos.common.utils.StringUtils;
@@ -105,4 +106,18 @@ public Object deletePermission(@RequestParam String role, @RequestParam String r
 nacosRoleService.deletePermission(role, resource, action);
 return RestResultUtils.success("delete permission ok!");
 }
+
+ /**
+ * Judge whether a permission is duplicate.
+ *
+ * @param role the role
+ * @param resource the related resource
+ * @param action the related action
+ * @return true if duplicate, false otherwise
+ */
+ @GetMapping
+ @Secured(resource = AuthConstants.CONSOLE_RESOURCE_NAME_PREFIX + "permissions", action = ActionTypes.READ)
+ public Result isDuplicatePermission(@RequestParam String role, @RequestParam String resource, @RequestParam String action) {
+ return nacosRoleService.isDuplicatePermission(role, resource, action);
+ }
 }
diff --git a/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImpl.java b/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImpl.java
index 7e6803d4b5d..e2907d1a37c 100644
--- a/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImpl.java
+++ b/plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImpl.java
@@ -16,6 +16,7 @@
 package com.alibaba.nacos.plugin.auth.impl.roles;
+import com.alibaba.nacos.api.model.v2.Result;
 import com.alibaba.nacos.auth.config.AuthConfigs;
 import com.alibaba.nacos.common.utils.CollectionUtils;
 import com.alibaba.nacos.common.utils.ConcurrentHashSet;
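Review bot: The new `isDuplicatePermission` handler in PermissionController is only an advisory pre-check, and nothing in this hunk prevents two concurrent requests from both seeing "not duplicate" and then adding the same permission. The authoritative rejection belongs in the add-permission path, which is outside this hunk; a comment on the handler would make that explicit, e.g. `// Advisory pre-check only; the add-permission path must still reject duplicates.`. The handler also returns the v2 `Result` envelope while `deletePermission` directly above returns `RestResultUtils.success(...)`, and the tests in this commit expect code 0 for one and 200 for the other, so callers of this controller now see two success conventions. The bare `@GetMapping` has no path or `params` qualifier, so confirm it stays unambiguous against any other GET handler on the controller's base path.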
@@ -370,5 +371,28 @@ public boolean hasGlobalAdminRole() {
 authConfigs.setHasGlobalAdminRole(hasGlobalAdminRole);
 return hasGlobalAdminRole;
 }
+
+ /**
+ * judge whether the permission is duplicate.
+ *
+ * @param role role name
+ * @param resource resource
+ * @param action action
+ * @return true if duplicate, false otherwise
+ */
+ public Result isDuplicatePermission(String role, String resource, String action) {
+ List permissionInfos = getPermissions(role);
+ if (CollectionUtils.isEmpty(permissionInfos)) {
+ return Result.success(Boolean.FALSE);
+ }
+ for (PermissionInfo permissionInfo : permissionInfos) {
+ boolean resourceMatch = StringUtils.equals(resource, permissionInfo.getResource());
+ boolean actionMatch = StringUtils.equals(action, permissionInfo.getAction()) || "rw".equals(permissionInfo.getAction());
+ if (resourceMatch && actionMatch) {
+ return Result.success(Boolean.TRUE);
+ }
+ }
+ return Result.success(Boolean.FALSE);
+ }
 }
diff --git a/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionControllerTest.java b/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionControllerTest.java
index 6f73ec63859..60eba753336 100644
--- a/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionControllerTest.java
+++ b/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/controller/PermissionControllerTest.java
@@ -16,6 +16,7 @@
 package com.alibaba.nacos.plugin.auth.impl.controller;
+import com.alibaba.nacos.api.model.v2.Result;
 import com.alibaba.nacos.common.model.RestResult;
 import com.alibaba.nacos.persistence.model.Page;
 import com.alibaba.nacos.plugin.auth.impl.persistence.PermissionInfo;
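Review bot: In `NacosRoleServiceImpl.isDuplicatePermission`, the `"rw".equals(permissionInfo.getAction())` branch ignores the requested `action`, so a null, empty or unknown action is reported as a duplicate whenever the role already holds `rw` on the resource. Restrict that branch to the actions `rw` actually covers, e.g. `boolean actionMatch = StringUtils.equals(action, permissionInfo.getAction()) || ("rw".equals(permissionInfo.getAction()) && ("r".equals(action) || "w".equals(action)));`. The resource comparison is an exact string match, so if stored resources can contain wildcard patterns (not visible in this hunk) an overlapping grant would not be reported. The Javadoc says the method returns true or false, but it returns a `Result` wrapper; either document that, or return `boolean` here and let the controller build the response envelope.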
@@ -86,4 +87,12 @@ void testDeletePermission() {
 assertEquals(200, result.getCode());
 }
+ @Test
+ void testDuplicatePermission() {
+ when(nacosRoleService.isDuplicatePermission(anyString(), anyString(), anyString())).thenReturn(
+ Result.success(Boolean.TRUE));
+ Result result = permissionController.isDuplicatePermission("admin", "test", "test");
+ assertEquals(0, result.getCode());
+ }
+
 }
diff --git a/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImplTest.java b/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImplTest.java
index 315b3b3cac2..5405b9ce523 100644
--- a/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImplTest.java
+++ b/plugin-default-impl/nacos-default-auth-plugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/roles/NacosRoleServiceImplTest.java
@@ -36,6 +36,7 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
@@ -45,6 +46,8 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
 /**
 * NacosRoleServiceImpl Test.
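Review bot: `testDuplicatePermission` asserts only `result.getCode()`, so it would still pass if the controller swapped or dropped the `role`, `resource` and `action` arguments or returned the wrong payload. Because the service is stubbed with `anyString()`, pin the forwarding and the payload with `verify(nacosRoleService).isDuplicatePermission("admin", "test", "test");` and `assertEquals(Boolean.TRUE, result.getData());`. `verify` may need a static import if the test class does not already have one.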
@@ -203,4 +206,16 @@ void joinResource() throws Exception {
 Object invoke = method.invoke(nacosRoleService, new Resource[] {resource});
 assertNotNull(invoke);
 }
+
+ @Test
+ void duplicatePermission() {
+ List permissionInfos = new ArrayList<>();
+ PermissionInfo permissionInfo = new PermissionInfo();
+ permissionInfo.setAction("rw");
+ permissionInfo.setResource("test");
+ permissionInfos.add(permissionInfo);
+ NacosRoleServiceImpl spy = spy(nacosRoleService);
+ when(spy.getPermissions("admin")).thenReturn(permissionInfos);
+ spy.isDuplicatePermission("admin", "test", "r");
+ }
 }
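Review bot: `duplicatePermission` discards the return value of `spy.isDuplicatePermission("admin", "test", "r")`, so the test passes whatever the method returns and the permission-matching logic is effectively uncovered. Assert the result, e.g. `assertEquals(Boolean.TRUE, spy.isDuplicatePermission("admin", "test", "r").getData());`, and add a negative case (a different resource, or a role with no permissions) so both return paths are pinned; `assertEquals` may need a static import if the file does not already have one. `when(spy.getPermissions("admin"))` also runs the real `getPermissions` once while stubbing; `doReturn(permissionInfos).when(spy).getPermissions("admin");` avoids that call.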