Merge pull request #611 from actiontech/feature/sqle-ee-2265

[feature](base/Oauth2): update OAuth2 configuration and refresh token mechanism

Author: anny1021

packages/base/src/locale/zh-CN/dmsSystem.ts

@@ -144,11 +144,15 @@ export default {
     skipStateCheckTips:
       '跳过对请求发送来源的验证，可能会使您的账户面临安全风险，建议仅在可信环境下启用此选项。启用后，SQLE将不再验证回调中的state参数。',
     layoutUrl: '注销跳转地址',
+    backChannelLogoutUri: 'OIDC后端通道注销接口',
     layoutUrlTips:
       '用户登出时，系统自动将浏览器重定向至此地址进行注销操作，以关闭第三方平台的会话信息。格式示例：http://localhost:8080/logout?id_token_hint=${id_token}&post_logout_redirect_uri=${sqle_url}',
     userPassword: '默认登录密码',
     userPasswordTips:
-      '系统自动创建的新用户将使用此密码作为初始登录密码，请妥善保存。此外，为保证账户安全，建议用户首次登录后及时修改密码。如果之前配置过该项，更新时不填写该项代表不更新密钥。'
+      '系统自动创建的新用户将使用此密码作为初始登录密码，请妥善保存。此外，为保证账户安全，建议用户首次登录后及时修改密码。如果之前配置过该项，更新时不填写该项代表不更新密钥。',
+    loginPermissionQueryGJsonExpression: '登录权限查询GJSON表达式',
+    loginPermissionQueryGJsonExpressionTips:
+      '通过该表达式查询AccessToken载荷json，存在查询结果即有登录权限，不填默认有登录权限'
   },
 
   loginBasic: {

packages/base/src/page/System/LoginConnection/Oauth/__snapshots__/index.test.tsx.snap

@@ -285,6 +285,22 @@ const ConfigField = () => {
           })}
         />
       </FormItemLabel>
+      <FormItemLabel
+        className="has-label-tip"
+        label={
+          <CustomLabelContent
+            title={t('dmsSystem.oauth.loginPermissionQueryGJsonExpression')}
+            tips={t('dmsSystem.oauth.loginPermissionQueryGJsonExpressionTips')}
+          />
+        }
+        name="loginPermissionQueryGJsonExpression"
+      >
+        <BasicInput
+          placeholder={t('common.form.placeholder.input', {
+            name: t('dmsSystem.oauth.loginPermissionQueryGJsonExpression')
+          })}
+        />
+      </FormItemLabel>
       <FormItemLabel
         className="has-label-tip"
         label={

packages/base/src/page/System/LoginConnection/Oauth/components/ConfigField.tsx

@@ -650,6 +650,55 @@ exports[`base/System/LoginConnection/Oauth/ConfigField render snap 1`] = `
           </div>
         </div>
       </div>
+      <div
+        class="ant-form-item has-label-tip css-1jlm9cy css-dev-only-do-not-override-txh9fw"
+      >
+        <div
+          class="ant-row ant-form-item-row css-dev-only-do-not-override-txh9fw"
+        >
+          <div
+            class="ant-col ant-form-item-label css-dev-only-do-not-override-txh9fw"
+          >
+            <label
+              class=""
+              for="loginPermissionQueryGJsonExpression"
+              title=""
+            >
+              <div
+                class="label-cont-custom"
+              >
+                <div>
+                  登录权限查询GJSON表达式
+                </div>
+                <div
+                  class="tip-content-box"
+                >
+                  通过该表达式查询AccessToken载荷json，存在查询结果即有登录权限，不填默认有登录权限
+                </div>
+              </div>
+            </label>
+          </div>
+          <div
+            class="ant-col ant-form-item-control css-dev-only-do-not-override-txh9fw"
+          >
+            <div
+              class="ant-form-item-control-input"
+            >
+              <div
+                class="ant-form-item-control-input-content"
+              >
+                <input
+                  class="ant-input css-dev-only-do-not-override-ywkr0o basic-input-wrapper css-1pd1cd5"
+                  id="loginPermissionQueryGJsonExpression"
+                  placeholder="请输入登录权限查询GJSON表达式"
+                  type="text"
+                  value=""
+                />
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
       <div
         class="ant-form-item has-label-tip css-1jlm9cy css-dev-only-do-not-override-txh9fw"
       >

packages/base/src/page/System/LoginConnection/Oauth/components/__snapshots__/ConfigField.test.tsx.snap

@@ -118,7 +118,11 @@ describe('base/System/LoginConnection/Oauth', () => {
 
       expect(requestUpdateOauth2Configuration).toHaveBeenCalledTimes(1);
       expect(requestUpdateOauth2Configuration).toHaveBeenNthCalledWith(1, {
-        oauth2: { ...oauthConfig, enable_oauth2: true }
+        oauth2: {
+          ...oauthConfig,
+          enable_oauth2: true,
+          back_channel_logout_uri: undefined
+        }
       });
       await act(async () => jest.advanceTimersByTime(3000));
       expect(requestGetOauth2Configuration).toHaveBeenCalledTimes(2);
@@ -215,6 +219,15 @@ describe('base/System/LoginConnection/Oauth', () => {
         }
       });
 
+      fireEvent.change(
+        getBySelector('#loginPermissionQueryGJsonExpression', baseElement),
+        {
+          target: {
+            value: 'resource_access.sqle.roles.#(=="logout")'
+          }
+        }
+      );
+
       fireEvent.click(getBySelector('#autoCreateUser', baseElement));
       await act(async () => jest.advanceTimersByTime(0));
 
@@ -251,7 +264,8 @@ describe('base/System/LoginConnection/Oauth', () => {
           auto_create_user: true,
           skip_check_state: true,
           server_logout_url: 'server layout url',
-          auto_create_user_pwd: '123'
+          auto_create_user_pwd: '123',
+          login_perm_expr: 'resource_access.sqle.roles.#(=="logout")'
         }
       });
       await act(async () => jest.advanceTimersByTime(3000));

packages/base/src/page/System/LoginConnection/Oauth/index.test.tsx

@@ -109,7 +109,8 @@ const Oauth = () => {
       user_wechat_tag: value.userWechatTag,
       auto_create_user: value.autoCreateUser,
       auto_create_user_pwd: value.userPassword,
-      skip_check_state: value.skipCheckState
+      skip_check_state: value.skipCheckState,
+      login_perm_expr: value.loginPermissionQueryGJsonExpression
     };
 
     if (!!value.scopes) {
@@ -149,7 +150,8 @@ const Oauth = () => {
       userWechatTag: oauthConfig?.user_wechat_tag,
       autoCreateUser: oauthConfig?.auto_create_user,
       // userPassword: oauthConfig?.auto_create_user_pwd,
-      skipCheckState: oauthConfig?.skip_check_state
+      skipCheckState: oauthConfig?.skip_check_state,
+      loginPermissionQueryGJsonExpression: oauthConfig?.login_perm_expr
     });
   }, [form, oauthConfig]);
 
@@ -250,6 +252,12 @@ const Oauth = () => {
           dataIndex: 'server_logout_url',
           hidden: !oauthConfig?.enable_oauth2
         },
+        {
+          label: t('dmsSystem.oauth.backChannelLogoutUri'),
+          span: 3,
+          dataIndex: 'back_channel_logout_uri',
+          hidden: !oauthConfig?.enable_oauth2
+        },
         {
           label: t('dmsSystem.oauth.scopes'),
           span: 3,
@@ -343,6 +351,27 @@ const Oauth = () => {
           dataIndex: 'user_wechat_tag',
           hidden: !oauthConfig?.enable_oauth2
         },
+        {
+          label: (
+            <BasicToolTip
+              title={t(
+                'dmsSystem.oauth.loginPermissionQueryGJsonExpressionTips'
+              )}
+              suffixIcon={
+                <InfoCircleOutlined
+                  width={14}
+                  height={14}
+                  color={baseTheme.icon.system.basicTitleTips}
+                />
+              }
+            >
+              {t('dmsSystem.oauth.loginPermissionQueryGJsonExpression')}
+            </BasicToolTip>
+          ),
+          span: 3,
+          dataIndex: 'login_perm_expr',
+          hidden: !oauthConfig?.enable_oauth2
+        },
         {
           label: (
             <BasicToolTip

packages/base/src/page/System/LoginConnection/Oauth/index.tsx

@@ -16,4 +16,5 @@ export type OauthFormField = {
   userPassword?: string;
   skipCheckState: boolean;
   oauth2ButtonText: string;
+  loginPermissionQueryGJsonExpression: string;
 };

packages/base/src/page/System/LoginConnection/Oauth/index.type.ts

@@ -1452,6 +1452,55 @@ exports[`base/System/LoginConnection render snap 1`] = `
                     </div>
                   </div>
                 </div>
+                <div
+                  class="ant-form-item has-label-tip css-1jlm9cy css-dev-only-do-not-override-txh9fw"
+                >
+                  <div
+                    class="ant-row ant-form-item-row css-dev-only-do-not-override-txh9fw"
+                  >
+                    <div
+                      class="ant-col ant-col-11 ant-form-item-label ant-form-item-label-left css-dev-only-do-not-override-txh9fw"
+                    >
+                      <label
+                        class="ant-form-item-no-colon"
+                        for="loginPermissionQueryGJsonExpression"
+                        title=""
+                      >
+                        <div
+                          class="label-cont-custom"
+                        >
+                          <div>
+                            登录权限查询GJSON表达式
+                          </div>
+                          <div
+                            class="tip-content-box"
+                          >
+                            通过该表达式查询AccessToken载荷json，存在查询结果即有登录权限，不填默认有登录权限
+                          </div>
+                        </div>
+                      </label>
+                    </div>
+                    <div
+                      class="ant-col ant-col-11 ant-col-push-2 ant-form-item-control css-dev-only-do-not-override-txh9fw"
+                    >
+                      <div
+                        class="ant-form-item-control-input"
+                      >
+                        <div
+                          class="ant-form-item-control-input-content"
+                        >
+                          <input
+                            class="ant-input css-dev-only-do-not-override-ywkr0o basic-input-wrapper css-1pd1cd5"
+                            id="loginPermissionQueryGJsonExpression"
+                            placeholder="请输入登录权限查询GJSON表达式"
+                            type="text"
+                            value=""
+                          />
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                </div>
                 <div
                   class="ant-form-item has-label-tip css-1jlm9cy css-dev-only-do-not-override-txh9fw"
                 >
@@ -3201,6 +3250,55 @@ exports[`base/System/LoginConnection render snap 2`] = `
                     </div>
                   </div>
                 </div>
+                <div
+                  class="ant-form-item has-label-tip css-1jlm9cy css-dev-only-do-not-override-txh9fw"
+                >
+                  <div
+                    class="ant-row ant-form-item-row css-dev-only-do-not-override-txh9fw"
+                  >
+                    <div
+                      class="ant-col ant-col-11 ant-form-item-label ant-form-item-label-left css-dev-only-do-not-override-txh9fw"
+                    >
+                      <label
+                        class="ant-form-item-no-colon"
+                        for="loginPermissionQueryGJsonExpression"
+                        title=""
+                      >
+                        <div
+                          class="label-cont-custom"
+                        >
+                          <div>
+                            登录权限查询GJSON表达式
+                          </div>
+                          <div
+                            class="tip-content-box"
+                          >
+                            通过该表达式查询AccessToken载荷json，存在查询结果即有登录权限，不填默认有登录权限
+                          </div>
+                        </div>
+                      </label>
+                    </div>
+                    <div
+                      class="ant-col ant-col-11 ant-col-push-2 ant-form-item-control css-dev-only-do-not-override-txh9fw"
+                    >
+                      <div
+                        class="ant-form-item-control-input"
+                      >
+                        <div
+                          class="ant-form-item-control-input-content"
+                        >
+                          <input
+                            class="ant-input css-dev-only-do-not-override-ywkr0o basic-input-wrapper css-1pd1cd5"
+                            id="loginPermissionQueryGJsonExpression"
+                            placeholder="请输入登录权限查询GJSON表达式"
+                            type="text"
+                            value=""
+                          />
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                </div>
                 <div
                   class="ant-form-item has-label-tip css-1jlm9cy css-dev-only-do-not-override-txh9fw"
                 >

packages/base/src/page/System/LoginConnection/__snapshots__/index.test.tsx.snap

@@ -33,7 +33,9 @@ export const oauthConfig = {
   server_logout_url: 'http://10.186.59.87:8080/realms/test/',
   user_id_tag: 'NFkVxY[4Xv^UFU&x&t5y',
   auto_create_user: false,
-  skip_check_state: false
+  skip_check_state: false,
+  login_perm_expr: 'resource_access.sqle.roles.#(=="login")',
+  back_channel_logout_uri: '/v1/dms/oauth2/backchannel_logout'
 };
 
 export const SMTPConfig: ISMTPConfigurationResData = {

packages/base/src/testUtils/mockApi/system/data.ts

@@ -11,6 +11,8 @@ export interface IAddSessionReturn extends IAddSessionReply {}
 
 export interface IDelSessionReturn extends IDelSessionReply {}
 
+export interface IRefreshSessionReturn extends IAddSessionReply {}
+
 export interface IGetUserBySessionParams {
   user_uid?: string;
 }

packages/shared/lib/api/base/service/Session/index.d.ts

@@ -10,6 +10,7 @@ import {
   IAddSessionParams,
   IAddSessionReturn,
   IDelSessionReturn,
+  IRefreshSessionReturn,
   IGetUserBySessionParams,
   IGetUserBySessionReturn
 } from './index.d';
@@ -32,6 +33,14 @@ class SessionService extends ServiceBase {
     );
   }
 
+  public RefreshSession(options?: AxiosRequestConfig) {
+    return this.post<IRefreshSessionReturn>(
+      '/v1/dms/sessions/refresh',
+      undefined,
+      options
+    );
+  }
+
   public GetUserBySession(
     params: IGetUserBySessionParams,
     options?: AxiosRequestConfig

packages/shared/lib/api/base/service/Session/index.ts

@@ -767,12 +767,16 @@ export interface IGetOauth2ConfigurationResData {
 
   auto_create_user?: boolean;
 
+  back_channel_logout_uri?: string;
+
   client_host?: string;
 
   client_id?: string;
 
   enable_oauth2?: boolean;
 
+  login_perm_expr?: string;
+
   login_tip?: string;
 
   scopes?: string[];
@@ -1645,6 +1649,8 @@ export interface IOauth2Configuration {
 
   enable_oauth2?: boolean;
 
+  login_perm_expr?: string;
+
   login_tip?: string;
 
   scopes?: string[];