diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index cdc0aa42843..75a8fc5c6fe 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -5,7 +5,7 @@ name: Frontend CI
on:
push:
- branches: [master]
+ branches: ["*"]
paths:
- "src/frontend/**"
pull_request:
diff --git a/docs/overview/db/devops_ci_artifactory.md b/docs/overview/db/devops_ci_artifactory.md
index aa233af1dff..b13839df9a4 100644
--- a/docs/overview/db/devops_ci_artifactory.md
+++ b/docs/overview/db/devops_ci_artifactory.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_artifactory
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_artifactory 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_auth.md b/docs/overview/db/devops_ci_auth.md
index a3b30e4d45c..ae8fd164cb8 100644
--- a/docs/overview/db/devops_ci_auth.md
+++ b/docs/overview/db/devops_ci_auth.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_auth
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_auth 的数据库文档
| 表名 | 说明 |
@@ -27,8 +27,12 @@
| T_AUTH_OAUTH2_SCOPE | 授权范围表 |
| T_AUTH_OAUTH2_SCOPE_OPERATION | 授权操作信息表 |
| T_AUTH_RESOURCE | 资源表 |
+| T_AUTH_RESOURCE_AUTHORIZATION | 资源授权管理表 |
| T_AUTH_RESOURCE_GROUP | 资源关联用户组表 |
+| T_AUTH_RESOURCE_GROUP_APPLY | 用户组申请记录表 |
| T_AUTH_RESOURCE_GROUP_CONFIG | 资源用户组配置表 |
+| T_AUTH_RESOURCE_GROUP_MEMBER | 资源组成员 |
+| T_AUTH_RESOURCE_SYNC | 同步 IAM 资源 |
| T_AUTH_RESOURCE_TYPE | 权限资源类型表 |
| T_AUTH_STRATEGY | 权限策略表 |
| T_AUTH_TEMPORARY_VERIFY_RECORD | 迁移-鉴权记录表 |
@@ -375,6 +379,25 @@
| 11 | CREATE_USER | varchar | 64 | 0 | N | N | | 创建者 |
| 12 | UPDATE_USER | varchar | 64 | 0 | N | N | | 修改人 |
+**表名:** T_AUTH_RESOURCE_AUTHORIZATION
+
+**说明:** 资源授权管理表
+
+**数据列:**
+
+| 序号 | 名称 | 数据类型 | 长度 | 小数位 | 允许空值 | 主键 | 默认值 | 说明 |
+| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
+| 1 | ID | bigint | 20 | 0 | N | Y | | 主键 ID |
+| 2 | PROJECT_CODE | varchar | 32 | 0 | N | N | | 项目 ID |
+| 3 | RESOURCE_TYPE | varchar | 32 | 0 | N | N | | 资源类型 |
+| 4 | RESOURCE_CODE | varchar | 255 | 0 | N | N | | 资源 ID |
+| 5 | RESOURCE_NAME | varchar | 255 | 0 | N | N | | 资源名 |
+| 6 | HANDOVER_FROM | varchar | 64 | 0 | N | N | | 授予人 |
+| 7 | HANDOVER_FROM_CN_NAME | varchar | 64 | 0 | N | N | | 授予人中文名称 |
+| 8 | HANDOVER_TIME | timestamp | 19 | 0 | N | N | CURRENT_TIMESTAMP | 授予时间 |
+| 9 | CREATE_TIME | timestamp | 19 | 0 | Y | N | CURRENT_TIMESTAMP | 创建时间 |
+| 10 | UPDATE_TIME | timestamp | 19 | 0 | Y | N | CURRENT_TIMESTAMP | 更新时间 |
+
**表名:** T_AUTH_RESOURCE_GROUP
**说明:** 资源关联用户组表
@@ -395,6 +418,25 @@
| 10 | RELATION_ID | varchar | 32 | 0 | N | N | | 关联的 IAM 组 ID |
| 11 | CREATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 创建时间 |
| 12 | UPDATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
+| 13 | DESCRIPTION | varchar | 512 | 0 | Y | N | | 用户组描述 |
+| 14 | IAM_TEMPLATE_ID | int | 10 | 0 | Y | N | | 人员模板 ID |
+
+**表名:** T_AUTH_RESOURCE_GROUP_APPLY
+
+**说明:** 用户组申请记录表
+
+**数据列:**
+
+| 序号 | 名称 | 数据类型 | 长度 | 小数位 | 允许空值 | 主键 | 默认值 | 说明 |
+| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
+| 1 | ID | bigint | 20 | 0 | N | Y | | 主键 ID |
+| 2 | PROJECT_CODE | varchar | 64 | 0 | N | N | | 项目 ID |
+| 3 | MEMBER_ID | varchar | 64 | 0 | N | N | | 成员 ID |
+| 4 | IAM_GROUP_ID | int | 10 | 0 | N | N | | IAM 组 ID |
+| 5 | STATUS | int | 10 | 0 | Y | N | 0 | 状态,0-审批中,1-审批成功,2-审批超时 |
+| 6 | NUMBER_OF_CHECKS | int | 10 | 0 | Y | N | 0 | 检查次数,用于同步组数据 |
+| 7 | CREATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 创建时间 |
+| 8 | UPDATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
**表名:** T_AUTH_RESOURCE_GROUP_CONFIG
@@ -416,6 +458,42 @@
| 10 | CREATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 创建时间 |
| 11 | UPDATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
+**表名:** T_AUTH_RESOURCE_GROUP_MEMBER
+
+**说明:** 资源组成员
+
+**数据列:**
+
+| 序号 | 名称 | 数据类型 | 长度 | 小数位 | 允许空值 | 主键 | 默认值 | 说明 |
+| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
+| 1 | ID | bigint | 20 | 0 | N | Y | | 主键 ID |
+| 2 | PROJECT_CODE | varchar | 64 | 0 | N | N | | 项目 ID |
+| 3 | RESOURCE_TYPE | varchar | 32 | 0 | N | N | | 资源类型 |
+| 4 | RESOURCE_CODE | varchar | 255 | 0 | N | N | | 资源 ID |
+| 5 | GROUP_CODE | varchar | 32 | 0 | N | N | | 用户组标识 |
+| 6 | IAM_GROUP_ID | int | 10 | 0 | N | N | | IAM 组 ID |
+| 7 | MEMBER_ID | varchar | 64 | 0 | N | N | | 成员 ID |
+| 8 | MEMBER_NAME | varchar | 512 | 0 | N | N | | 成员名 |
+| 9 | MEMBER_TYPE | varchar | 32 | 0 | N | N | | 成员类型,用户/组织/模板 |
+| 10 | EXPIRED_TIME | datetime | 19 | 0 | N | N | | 过期时间 |
+| 11 | CREATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 创建时间 |
+| 12 | UPDATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
+
+**表名:** T_AUTH_RESOURCE_SYNC
+
+**说明:** 同步 IAM 资源
+
+**数据列:**
+
+| 序号 | 名称 | 数据类型 | 长度 | 小数位 | 允许空值 | 主键 | 默认值 | 说明 |
+| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
+| 1 | PROJECT_CODE | varchar | 64 | 0 | N | Y | | 项目 ID |
+| 2 | STATUS | int | 10 | 0 | Y | N | 0 | 迁移状态,0-同步中,1-同步成功,2-同步失败 |
+| 3 | ERROR_MESSAGE | text | 65535 | 0 | Y | N | | 错误信息 |
+| 4 | TOTAL_TIME | bigint | 20 | 0 | Y | N | | 总耗时 |
+| 5 | CREATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 创建时间 |
+| 6 | UPDATE_TIME | datetime | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
+
**表名:** T_AUTH_RESOURCE_TYPE
**说明:** 权限资源类型表
diff --git a/docs/overview/db/devops_ci_dispatch.md b/docs/overview/db/devops_ci_dispatch.md
index 1f54524f78c..6d2b38941b0 100644
--- a/docs/overview/db/devops_ci_dispatch.md
+++ b/docs/overview/db/devops_ci_dispatch.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_dispatch
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_dispatch 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_environment.md b/docs/overview/db/devops_ci_environment.md
index f6f82037fee..ccd99671861 100644
--- a/docs/overview/db/devops_ci_environment.md
+++ b/docs/overview/db/devops_ci_environment.md
@@ -2,11 +2,12 @@
**数据库名:** devops_ci_environment
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_environment 的数据库文档
| 表名 | 说明 |
| :---: | :---: |
+| T_AGENT_BATCH_INSTALL_TOKEN | |
| T_AGENT_FAILURE_NOTIFY_USER | |
| T_AGENT_PIPELINE_REF | |
| T_AGENT_SHARE_PROJECT | |
@@ -21,6 +22,20 @@
| T_NODE | 节点信息表 |
| T_PROJECT_CONFIG | |
+**表名:** T_AGENT_BATCH_INSTALL_TOKEN
+
+**说明:**
+
+**数据列:**
+
+| 序号 | 名称 | 数据类型 | 长度 | 小数位 | 允许空值 | 主键 | 默认值 | 说明 |
+| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
+| 1 | PROJECT_ID | varchar | 64 | 0 | N | Y | | 项目 ID |
+| 2 | USER_ID | varchar | 64 | 0 | N | Y | | token 用户 |
+| 3 | TOKEN | varchar | 64 | 0 | N | N | | Base64 编码后 TOKEN |
+| 4 | CREATED_TIME | datetime | 19 | 0 | N | N | | 创建时间 |
+| 5 | EXPIRED_TIME | datetime | 19 | 0 | N | N | | 过期时间 |
+
**表名:** T_AGENT_FAILURE_NOTIFY_USER
**说明:**
diff --git a/docs/overview/db/devops_ci_image.md b/docs/overview/db/devops_ci_image.md
index 88dcb3cf826..026cda3dba6 100644
--- a/docs/overview/db/devops_ci_image.md
+++ b/docs/overview/db/devops_ci_image.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_image
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_image 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_log.md b/docs/overview/db/devops_ci_log.md
index 2cde1010584..3a8c4f23dfe 100644
--- a/docs/overview/db/devops_ci_log.md
+++ b/docs/overview/db/devops_ci_log.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_log
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_log 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_notify.md b/docs/overview/db/devops_ci_notify.md
index 23faa1c80be..342c4c6aaa8 100644
--- a/docs/overview/db/devops_ci_notify.md
+++ b/docs/overview/db/devops_ci_notify.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_notify
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_notify 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_op.md b/docs/overview/db/devops_ci_op.md
index 061645ae86c..a303de8b68d 100644
--- a/docs/overview/db/devops_ci_op.md
+++ b/docs/overview/db/devops_ci_op.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_op
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_op 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_openapi.md b/docs/overview/db/devops_ci_openapi.md
index ac602f24397..169895172c6 100644
--- a/docs/overview/db/devops_ci_openapi.md
+++ b/docs/overview/db/devops_ci_openapi.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_openapi
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_openapi 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_plugin.md b/docs/overview/db/devops_ci_plugin.md
index ecaacc564ae..ac496d2a91b 100644
--- a/docs/overview/db/devops_ci_plugin.md
+++ b/docs/overview/db/devops_ci_plugin.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_plugin
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_plugin 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_process.md b/docs/overview/db/devops_ci_process.md
index 82aba3c8d41..6a304b0b10d 100644
--- a/docs/overview/db/devops_ci_process.md
+++ b/docs/overview/db/devops_ci_process.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_process
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_process 的数据库文档
| 表名 | 说明 |
@@ -177,6 +177,7 @@
| 14 | CONTAINER_HASH_ID | varchar | 64 | 0 | Y | N | | 容器全局唯一 ID |
| 15 | MATRIX_GROUP_FLAG | bit | 1 | 0 | Y | N | | 是否为构建矩阵 |
| 16 | MATRIX_GROUP_ID | varchar | 64 | 0 | Y | N | | 所属的矩阵组 ID |
+| 17 | JOB_ID | varchar | 128 | 0 | Y | N | | jobid |
**表名:** T_PIPELINE_BUILD_DETAIL
@@ -403,6 +404,7 @@
| 16 | START_TIME | datetime | 23 | 0 | Y | N | | 开始时间 |
| 17 | END_TIME | datetime | 23 | 0 | Y | N | | 结束时间 |
| 18 | TIMESTAMPS | text | 65535 | 0 | Y | N | | 运行中产生的时间戳集合 |
+| 19 | ASYNC_STATUS | varchar | 32 | 0 | Y | N | | 插件异步执行状态 |
**表名:** T_PIPELINE_BUILD_STAGE
@@ -491,6 +493,7 @@
| 28 | PLATFORM_ERROR_CODE | int | 10 | 0 | Y | N | | 对接平台错误码 |
| 29 | CONTAINER_HASH_ID | varchar | 64 | 0 | Y | N | | 构建 Job 唯一标识 |
| 30 | STEP_ID | varchar | 64 | 0 | Y | N | | 标识上下文的自定义 ID |
+| 31 | JOB_ID | varchar | 128 | 0 | Y | N | | jobid |
**表名:** T_PIPELINE_BUILD_TEMPLATE_ACROSS_INFO
@@ -595,6 +598,7 @@
| 16 | PIPELINE_NAME_PINYIN | varchar | 1300 | 0 | Y | N | | 流水线名称拼音 |
| 17 | LATEST_START_TIME | datetime | 23 | 0 | Y | N | | 最近启动时间 |
| 18 | LATEST_VERSION_STATUS | varchar | 64 | 0 | Y | N | | 最新分布版本状态 |
+| 19 | LOCKED | bit | 1 | 0 | Y | N | b'0' | 是否锁定,PACv3.0 新增锁定,取代原来 setting 表中的 LOCK |
**表名:** T_PIPELINE_JOB_MUTEX_GROUP
@@ -775,7 +779,8 @@
| 18 | STATUS | varchar | 16 | 0 | Y | N | | 版本状态 |
| 19 | BRANCH_ACTION | varchar | 32 | 0 | Y | N | | 分支状态 |
| 20 | DESCRIPTION | text | 65535 | 0 | Y | N | | 版本变更说明 |
-| 21 | UPDATE_TIME | timestamp | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
+| 21 | UPDATER | varchar | 64 | 0 | Y | N | | 最近更新人 |
+| 22 | UPDATE_TIME | timestamp | 19 | 0 | N | N | CURRENT_TIMESTAMP | 更新时间 |
**表名:** T_PIPELINE_RULE
diff --git a/docs/overview/db/devops_ci_project.md b/docs/overview/db/devops_ci_project.md
index 69eaef1ea59..a8be36ea8d3 100644
--- a/docs/overview/db/devops_ci_project.md
+++ b/docs/overview/db/devops_ci_project.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_project
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_project 的数据库文档
| 表名 | 说明 |
@@ -392,6 +392,7 @@
| 26 | new_window | bit | 1 | 0 | Y | N | b'0' | 是否打开新标签页 |
| 27 | new_windowUrl | varchar | 200 | 0 | Y | N | | 新标签页地址 |
| 28 | cluster_type | varchar | 32 | 0 | N | N | | 集群类型 |
+| 29 | DOC_URL | varchar | 255 | 0 | N | N | | 文档链接 |
**表名:** T_SERVICE_TYPE
diff --git a/docs/overview/db/devops_ci_quality.md b/docs/overview/db/devops_ci_quality.md
index 1d302f1919b..dc2183cf289 100644
--- a/docs/overview/db/devops_ci_quality.md
+++ b/docs/overview/db/devops_ci_quality.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_quality
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_quality 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_repository.md b/docs/overview/db/devops_ci_repository.md
index c567433a243..0779c6f3556 100644
--- a/docs/overview/db/devops_ci_repository.md
+++ b/docs/overview/db/devops_ci_repository.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_repository
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_repository 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_sign.md b/docs/overview/db/devops_ci_sign.md
index 681561a0748..590d3b62ee5 100644
--- a/docs/overview/db/devops_ci_sign.md
+++ b/docs/overview/db/devops_ci_sign.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_sign
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_sign 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_store.md b/docs/overview/db/devops_ci_store.md
index d4065da48ff..8b7ba6c3d78 100644
--- a/docs/overview/db/devops_ci_store.md
+++ b/docs/overview/db/devops_ci_store.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_store
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_store 的数据库文档
| 表名 | 说明 |
diff --git a/docs/overview/db/devops_ci_ticket.md b/docs/overview/db/devops_ci_ticket.md
index be91dbe7aa7..14c3936daaf 100644
--- a/docs/overview/db/devops_ci_ticket.md
+++ b/docs/overview/db/devops_ci_ticket.md
@@ -2,7 +2,7 @@
**数据库名:** devops_ci_ticket
-**文档版本:** 1.0.2
+**文档版本:** 1.0.4
**文档描述:** devops_ci_ticket 的数据库文档
| 表名 | 说明 |
diff --git a/helm-charts/core/ci/Chart.lock b/helm-charts/core/ci/Chart.lock
index 16713a585e1..a1070e53a50 100644
--- a/helm-charts/core/ci/Chart.lock
+++ b/helm-charts/core/ci/Chart.lock
@@ -27,4 +27,4 @@ dependencies:
repository: file://./local_chart/kubernetes-management
version: 0.0.45
digest: sha256:bb11b7ac0e3487504f5563cd2b170d04038fc8971aaecbaca3dc5ecdcb792a43
-generated: "2024-06-21T18:05:57.191350067+08:00"
+generated: "2024-08-15T12:18:41.358254786+08:00"
diff --git a/helm-charts/core/ci/base/values.yaml b/helm-charts/core/ci/base/values.yaml
index 0094c6c3794..900c9f1e4d8 100644
--- a/helm-charts/core/ci/base/values.yaml
+++ b/helm-charts/core/ci/base/values.yaml
@@ -393,7 +393,7 @@ kubernetes-manager:
targetCPU: 80
targetMemory: 80
# 使用的镜像
- image: bkci/bkci-kubernetes-manager:0.0.31
+ image: bkci/bkci-kubernetes-manager:0.0.33
# 决定每次helm部署时的构建机所在的命名空间,同时dockerInitSh也在那里,为空时默认为 {{ .Release.Namespace }}
builderNamespace:
redis:
@@ -412,11 +412,13 @@ kubernetes-manager:
apiToken:
key: Devops-Token
value: landun
- rsaPrivateKey: |
+ rsaPrivateKey: ""
volumeMount:
# 流水线构建工作空间和agent日志在容器内的挂载点
dataPath: /data/devops/workspace
logPath: /data/devops/logs
+ docker:
+ enable: true
dockerInit:
# 是否使用当前chart的 dockerinit.sh
useDockerInit: true
diff --git a/helm-charts/core/ci/charts/kubernetes-manager-0.0.45.tgz b/helm-charts/core/ci/charts/kubernetes-manager-0.0.45.tgz
index bf049c9fea9..510864f540d 100644
Binary files a/helm-charts/core/ci/charts/kubernetes-manager-0.0.45.tgz and b/helm-charts/core/ci/charts/kubernetes-manager-0.0.45.tgz differ
diff --git a/helm-charts/core/ci/local_chart/kubernetes-management/templates/deployment.yaml b/helm-charts/core/ci/local_chart/kubernetes-management/templates/deployment.yaml
index 3038bb8ebd8..26c681cde45 100644
--- a/helm-charts/core/ci/local_chart/kubernetes-management/templates/deployment.yaml
+++ b/helm-charts/core/ci/local_chart/kubernetes-management/templates/deployment.yaml
@@ -76,6 +76,14 @@ spec:
value: {{ .Values.multiCluster.enabled | quote }}
- name: DEFAULT_NAMESPACE
value: {{ .Values.multiCluster.defaultNamespace }}
+ {{- if .Values.kubernetesManager.docker.enable }}
+ - name: DOCKER_HOST
+ value: tcp://localhost:2375
+ {{- end}}
+ {{- if .Values.kubernetesManager.debug }}
+ - name: KUBERNETES_MANAGER_DEBUG_ENABLE
+ value: "true"
+ {{- end}}
workingDir: /data/workspace/kubernetes-manager
livenessProbe:
tcpSocket:
@@ -99,8 +107,22 @@ spec:
mountPath: /data/workspace/kubernetes-manager/config
readOnly: true
{{- end}}
- {{- if .Values.configmap.enabled}}
+ {{- if .Values.kubernetesManager.docker.enable }}
+ - name: kuberentes-manager-docker
+ image: {{ .Values.kubernetesManager.docker.image }}
+ command: ["dockerd", "--host", "tcp://localhost:2375"]
+ {{- if .Values.kubernetesManager.docker.resources }}
+ resources: {{- toYaml .Values.kubernetesManager.docker.resources | nindent 12 }}
+ {{- end }}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: docker-graph-storage
+ mountPath: /var/lib/docker
+ {{- end }}
+
volumes:
+ {{- if .Values.configmap.enabled}}
- name: kubernetes-manager-config
configMap:
name: kubernetes-manager
@@ -110,6 +132,10 @@ spec:
{{- if .Values.kubeConfig.useKubeConfig}}
- key: kubeConfig.yaml
path: kubeConfig.yaml
- {{- end}}
+ {{- end}}
+ {{- if .Values.kubernetesManager.docker.enable }}
+ - name: docker-graph-storage
+ emptyDir: {}
+ {{- end}}
{{- end}}
{{- end -}}
diff --git a/helm-charts/core/ci/local_chart/kubernetes-management/templates/kubernetes-manager-configmap.yaml b/helm-charts/core/ci/local_chart/kubernetes-management/templates/kubernetes-manager-configmap.yaml
index a8dd052b646..c2a930b027a 100644
--- a/helm-charts/core/ci/local_chart/kubernetes-management/templates/kubernetes-manager-configmap.yaml
+++ b/helm-charts/core/ci/local_chart/kubernetes-management/templates/kubernetes-manager-configmap.yaml
@@ -135,6 +135,9 @@ data:
rsaPrivateKey: |
{{- .Values.kubernetesManager.apiserver.auth.rsaPrivateKey | nindent 10 }}
+ docker:
+ enable: {{ .Values.kubernetesManager.docker.enable }}
+
{{ if .Values.kubeConfig.useKubeConfig -}}
kubeConfig.yaml: |
{{- .Values.kubeConfig.content | nindent 4 }}
diff --git a/helm-charts/core/ci/local_chart/kubernetes-management/values.yaml b/helm-charts/core/ci/local_chart/kubernetes-management/values.yaml
index c11f424f3c2..93aef6e5a23 100644
--- a/helm-charts/core/ci/local_chart/kubernetes-management/values.yaml
+++ b/helm-charts/core/ci/local_chart/kubernetes-management/values.yaml
@@ -94,6 +94,7 @@ service:
# kubernetesManager Deployment
kubernetesManager:
enabled: true
+ debug: false
replicas: 1
resources:
requests:
@@ -147,11 +148,23 @@ kubernetesManager:
apiToken:
key: Devops-Token
value: landun
- rsaPrivateKey: |
+ rsaPrivateKey: ""
volumeMount:
# 流水线构建工作空间和agent日志在容器内的挂载点
dataPath: /data/devops/workspace
logPath: /data/devops/logs
+ # manager使用docker相关配置,会启用特权模式容器
+ docker:
+ enable: false
+ image: docker:24.0.1-dind
+ resources:
+ requests:
+ cpu: 50m
+ memory: 512Mi
+ limits:
+ cpu: 100m
+ memory: 1024Mi
+
dockerInit:
# 是否使用当前chart的 dockerinit.sh
useDockerInit: true
diff --git a/helm-charts/core/ci/templates/bklog.yaml b/helm-charts/core/ci/templates/bklog.yaml
index 1754ea65616..e26e31b1e44 100644
--- a/helm-charts/core/ci/templates/bklog.yaml
+++ b/helm-charts/core/ci/templates/bklog.yaml
@@ -17,7 +17,7 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: Helm
path:
- - /data/logs/*-.log
+ - /data/workspace/*/logs/service.log
encoding: 'utf-8'
multiline:
pattern: '^[0-2][0-9][0-9][0-9].[0-1][0-9].[0-3][0-9]'
diff --git a/helm-charts/core/ci/templates/gateway/deployment.yaml b/helm-charts/core/ci/templates/gateway/deployment.yaml
index f1617fa095b..b5329e0cf51 100644
--- a/helm-charts/core/ci/templates/gateway/deployment.yaml
+++ b/helm-charts/core/ci/templates/gateway/deployment.yaml
@@ -63,8 +63,6 @@ spec:
- "-c"
- |
cp -r /data/workspace/frontend/* /tmp/frontend/
- sysctl -w net.ipv4.tcp_tw_reuse=0
- sysctl -w net.ipv4.tcp_max_tw_buckets=16384
containers:
- name: gateway
image: {{ include "bkci-gateway.image" . }}
diff --git a/helm-charts/core/ci/templates/init/init.bkrepo.yaml b/helm-charts/core/ci/templates/init/init.bkrepo.yaml
index ef3035e3f68..9d16cb9dd4e 100644
--- a/helm-charts/core/ci/templates/init/init.bkrepo.yaml
+++ b/helm-charts/core/ci/templates/init/init.bkrepo.yaml
@@ -33,7 +33,7 @@ spec:
REPO_CREATE_GENERIC_PATH="{{ .Values.config.bkRepoApiUrl }}/repository/api/repo/create"
REPO_INIT_GENERIC_METADATA_PATH="{{ .Values.config.bkRepoApiUrl }}/generic/"
create_repo_project_name_init_plugintransfer_project_generic (){
- for i in bk-store
+ for i in bk-store bkcdn
do
ret=0
echo "CI project is $i -------------------------------------------------->"
diff --git a/helm-charts/core/ci/templates/init/init.iam-rbac.yaml b/helm-charts/core/ci/templates/init/init.iam-rbac.yaml
index b802482e8a2..052741d1e3d 100644
--- a/helm-charts/core/ci/templates/init/init.iam-rbac.yaml
+++ b/helm-charts/core/ci/templates/init/init.iam-rbac.yaml
@@ -21,13 +21,13 @@ spec:
- name: init-iam
image: {{ include "bkci-backend.image" . }}
imagePullPolicy: {{ .Values.backendImage.pullPolicy }}
- workingDir: /data/workspace/support-files/
+ workingDir: /data/workspace/support-files/bkiam-rbac
command:
- "/bin/bash"
- "-c"
- |
# 修改auth链接
- sed -i 's/ci-auth.service.consul:21936/{{- .Values.config.bkCiHost -}}\/auth/g' bkiam-rbac/*.json
+ sed -i 's/ci-auth.service.consul:21936/{{- .Values.config.bkCiHost -}}\/auth/g' *.json
# 导入模型
for i in $(find . -name '*.json'|sort)
do
@@ -47,9 +47,22 @@ spec:
# 注册auth回调
echo "{{ include "bkci.names.fullname" . }}-auth is available";
- sed -i 's/bk-ci.service.consul/{{ include "bkci.names.fullname" . }}-gateway.{{ .Release.Namespace }}/g' ms-init/auth/iam-callback-resource-registere.conf
- iam_json_file="ms-init/auth/iam-callback-resource-registere.conf"
+ sed -i 's/bk-ci.service.consul/{{ include "bkci.names.fullname" . }}-gateway.{{ .Release.Namespace }}/g' ../ms-init/auth/iam-callback-resource-registere.conf
+ iam_json_file="../ms-init/auth/iam-callback-resource-registere.conf"
curl -X POST -H "Content-Type:application/json" -d "@$iam_json_file" "http://{{ include "bkci.names.fullname" . }}-auth.{{ .Release.Namespace }}.svc.cluster.local/api/op/auth/iam/callback/"
+
+ # 迁移所有项目的特定资源类型资源
+ curl -X 'POST' \
+ 'http://{{ include "bkci.names.fullname" . }}-auth.{{ .Release.Namespace }}.svc.cluster.local/api/op/auth/migrate/migrateSpecificResourceOfAllProject' \
+ -H 'accept: application/json' \
+ -H 'Content-Type: application/json' \
+ -d '{
+ "resourceType": "pipeline",
+ "includeNullRouterTag": true,
+ "migrateProjectResource": true,
+ "migrateProjectDefaultGroup": true,
+ "migrateOtherResource": true
+ }'
restartPolicy: OnFailure
{{- end -}}
{{- end -}}
diff --git a/helm-charts/core/ci/templates/init/init.iam.yaml b/helm-charts/core/ci/templates/init/init.iam.yaml
deleted file mode 100644
index 984171b3307..00000000000
--- a/helm-charts/core/ci/templates/init/init.iam.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-# 初始化iam
-{{ if .Values.init.iam }}
-{{- if eq .Values.config.bkCiAuthProvider "bk_login_v3" -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "bkci.names.fullname" . }}-init-iam
- labels: {{- include "bkci.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: init-iam
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "-4"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- template:
- metadata:
- labels: {{- include "bkci.labels.standard" . | nindent 8 }}
- app.kubernetes.io/component: init-iam
- spec:
- containers:
- - name: init-iam
- image: {{ include "bkci-backend.image" . }}
- imagePullPolicy: {{ .Values.backendImage.pullPolicy }}
- workingDir: /data/workspace/support-files/
- {{ $mysqlData := split ":" (include "bkci.mysqlAddr" .) }}
- command:
- - "/bin/bash"
- - "-c"
- - |
- # 修改auth链接
- sed -i 's/ci-auth.service.consul:21936/{{- .Values.config.bkCiHost -}}\/auth/g' bkiam/*.json
- # 导入模型
- for i in $(find . -name '*.json'|sort)
- do
- python3 bkiam_do_migrate.py -t {{ .Values.config.bkIamPrivateUrl }} -a "{{ .Values.config.bkCiAppCode }}" -s "{{ .Values.config.bkCiAppToken }}" -f $i
- done
-
- services="auth"
- for service in $services
- do
- until curl --connect-timeout 3 -m 1 -s "http://{{ include "bkci.names.fullname" . }}-$service.{{ .Release.Namespace }}.svc.cluster.local" > nohup
- do
- echo "waiting for {{ include "bkci.names.fullname" . }}-$service";
- sleep 2;
- done
- echo "{{ include "bkci.names.fullname" . }}-$service is available";
- done
-
- # 注册auth回调
- echo "{{ include "bkci.names.fullname" . }}-auth is available";
- sed -i 's/bk-ci.service.consul/{{ include "bkci.names.fullname" . }}-gateway.{{ .Release.Namespace }}/g' ms-init/auth/iam-callback-resource-registere.conf
- iam_json_file="ms-init/auth/iam-callback-resource-registere.conf"
- curl -X POST -H "Content-Type:application/json" -d "@$iam_json_file" "http://{{ include "bkci.names.fullname" . }}-auth.{{ .Release.Namespace }}.svc.cluster.local/api/op/auth/iam/callback/"
- restartPolicy: OnFailure
-{{- end -}}
-{{- end -}}
diff --git a/src/agent/agent/src/pkg/agent/agent.go b/src/agent/agent/src/pkg/agent/agent.go
index 3441a61318e..b980f4d4aa7 100644
--- a/src/agent/agent/src/pkg/agent/agent.go
+++ b/src/agent/agent/src/pkg/agent/agent.go
@@ -51,9 +51,19 @@ func Run(isDebug bool) {
// 初始化国际化
i18n.InitAgentI18n()
+ // 启动 agent,需要等到上报启动成功才能继续
_, err := job.AgentStartup()
if err != nil {
- logs.Warn("agent startup failed: ", err.Error())
+ logs.WithError(err).Error("agent startup failed")
+ for {
+ _, err = job.AgentStartup()
+ if err == nil {
+ break
+ } else {
+ logs.WithError(err).Error("agent startup failed")
+ time.Sleep(5 * time.Second)
+ }
+ }
}
// 数据采集
diff --git a/src/backend/ci/build.gradle.kts b/src/backend/ci/build.gradle.kts
index 1ab5dc054c1..56d29d82890 100644
--- a/src/backend/ci/build.gradle.kts
+++ b/src/backend/ci/build.gradle.kts
@@ -1,3 +1,5 @@
+import java.net.URI
+
plugins {
id("com.tencent.devops.boot") version "0.0.7"
detektCheck
@@ -24,6 +26,11 @@ allprojects {
}
}
+ // 新增maven 仓库
+ repositories {
+ add(maven { url = URI("https://repo.jenkins-ci.org/releases") })
+ }
+
// 版本管理
dependencyManagement {
setApplyMavenExclusions(false)
@@ -167,4 +174,8 @@ allprojects {
}
}
}
+ configurations.all {
+ resolutionStrategy.cacheChangingModulesFor(0,"seconds")
+ resolutionStrategy.cacheDynamicVersionsFor(0,"seconds")
+ }
}
diff --git a/src/backend/ci/buildSrc/src/main/kotlin/constants/Versions.kt b/src/backend/ci/buildSrc/src/main/kotlin/constants/Versions.kt
index 7f53a5dc377..ff146df41fc 100644
--- a/src/backend/ci/buildSrc/src/main/kotlin/constants/Versions.kt
+++ b/src/backend/ci/buildSrc/src/main/kotlin/constants/Versions.kt
@@ -46,7 +46,7 @@ object Versions {
const val jjwt = "0.11.5"
const val Okhttp = "4.9.0"
const val jgit = "5.13.1.202206130422-r"
- const val iam = "1.0.6"
+ const val iam = "1.0.7"
const val disklrucache = "2.0.2"
const val BkCrypto = "1.1.3"
const val audit = "1.0.8"
diff --git a/src/backend/ci/core/artifactory/biz-artifactory/src/main/kotlin/com/tencent/devops/artifactory/service/impl/BkRepoArchiveFileServiceImpl.kt b/src/backend/ci/core/artifactory/biz-artifactory/src/main/kotlin/com/tencent/devops/artifactory/service/impl/BkRepoArchiveFileServiceImpl.kt
index b088d6229d8..a44a6b2057c 100644
--- a/src/backend/ci/core/artifactory/biz-artifactory/src/main/kotlin/com/tencent/devops/artifactory/service/impl/BkRepoArchiveFileServiceImpl.kt
+++ b/src/backend/ci/core/artifactory/biz-artifactory/src/main/kotlin/com/tencent/devops/artifactory/service/impl/BkRepoArchiveFileServiceImpl.kt
@@ -65,6 +65,7 @@ import com.tencent.devops.common.archive.util.MimeUtil
import com.tencent.devops.common.auth.api.AuthPermission
import com.tencent.devops.common.auth.api.AuthResourceType
import com.tencent.devops.common.service.utils.HomeHostUtil
+import com.tencent.devops.process.api.service.ServicePipelineResource
import org.slf4j.LoggerFactory
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.beans.factory.annotation.Value
@@ -94,11 +95,12 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
private val dockerRegistry: String? = null
override fun show(userId: String, projectId: String, artifactoryType: ArtifactoryType, path: String): FileDetail {
- val nodeDetail = bkRepoClient.getFileDetail(userId = userId,
+ val nodeDetail = bkRepoClient.getFileDetail(
+ userId = userId,
projectId = projectId,
repoName = BkRepoUtils.getRepoName(artifactoryType),
- path = path)
- ?: throw NotFoundException("file[$projectId|$artifactoryType|$path] not found")
+ path = path
+ ) ?: throw NotFoundException("file[$projectId|$artifactoryType|$path] not found")
return nodeDetail.toFileDetail()
}
@@ -267,11 +269,15 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
page = page ?: 1,
pageSize = pageSize ?: DEFAULT_PAGE_SIZE,
totalPages = 1,
- records = nodeList.map { buildFileInfo(it) }
+ records = nodeList.map { buildFileInfo(it, getPipelineNames(nodeList), getBuildNums(nodeList)) }
)
}
- private fun buildFileInfo(it: QueryNodeInfo): FileInfo {
+ private fun buildFileInfo(
+ it: QueryNodeInfo,
+ pipelineNameMap: Map,
+ buildNumMap: Map
+ ): FileInfo {
return if (parseArtifactoryType(it.repoName) == ArtifactoryType.IMAGE) {
val (imageName, version) = DefaultPathUtils.getImageNameAndVersion(it.fullPath)
val packageVersion = bkRepoClient.getPackageVersionInfo(
@@ -297,18 +303,22 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
)
}
} else {
- buildGenericFileInfo(it)
+ buildGenericFileInfo(it, pipelineNameMap, buildNumMap)
}
}
- private fun buildGenericFileInfo(nodeInfo: QueryNodeInfo): FileInfo {
+ private fun buildGenericFileInfo(
+ nodeInfo: QueryNodeInfo,
+ pipelineNameMap: Map,
+ buildNumMap: Map
+ ): FileInfo {
// 归档插件归档目录时,在目录多归档一个.bkci_pipeline文件, 记录归档目录的信息
return if (nodeInfo.name == ".bkci_pipeline") {
FileInfo(
name = nodeInfo.path.split("/").lastOrNull { it.isNotBlank() } ?: StringPool.ROOT,
- fullName = nodeInfo.name,
- path = nodeInfo.fullPath,
- fullPath = nodeInfo.fullPath,
+ fullName = nodeInfo.path,
+ path = nodeInfo.path,
+ fullPath = nodeInfo.path,
size = nodeInfo.size,
folder = nodeInfo.folder,
properties = nodeInfo.metadata?.map { m -> Property(m.key, m.value.toString()) },
@@ -319,7 +329,7 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
} else {
FileInfo(
name = nodeInfo.name,
- fullName = nodeInfo.name,
+ fullName = getFullName(nodeInfo, pipelineNameMap, buildNumMap),
path = nodeInfo.fullPath,
fullPath = nodeInfo.fullPath,
size = nodeInfo.size,
@@ -332,6 +342,64 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
}
}
+ private fun getPipelineNames(nodeList: List): Map {
+ val pipelineIds = mutableSetOf()
+ nodeList.filter { it.repoName == REPO_NAME_PIPELINE }.forEach {
+ val paths = it.fullPath.split("/")
+ if (paths.size < 3) {
+ logger.warn("illegal pipeline repo node fullPath: ${it.fullPath}")
+ return@forEach
+ }
+ pipelineIds.add(paths[1])
+ }
+ if (pipelineIds.size == 0) {
+ return emptyMap()
+ }
+ return client.get(ServicePipelineResource::class)
+ .getPipelineNameByIds(nodeList.first().projectId, pipelineIds).data.orEmpty()
+ }
+
+ private fun getBuildNums(nodeList: List): Map {
+ val buildIds = mutableSetOf()
+ nodeList.filter { it.repoName == REPO_NAME_PIPELINE }.forEach {
+ val paths = it.fullPath.split("/")
+ if (paths.size < 3) {
+ logger.warn("illegal pipeline repo node fullPath: ${it.fullPath}")
+ return@forEach
+ }
+ buildIds.add(paths[2])
+ }
+ if (buildIds.size == 0) {
+ return emptyMap()
+ }
+ return client.get(ServicePipelineResource::class)
+ .getBuildNoByBuildIds(buildIds, nodeList.first().projectId).data.orEmpty()
+ }
+
+ private fun getFullName(
+ nodeInfo: QueryNodeInfo,
+ pipelineNameMap: Map,
+ buildNumMap: Map
+ ): String {
+ if (nodeInfo.repoName != REPO_NAME_PIPELINE) {
+ return nodeInfo.fullPath
+ }
+ val paths = nodeInfo.fullPath.split("/")
+ if (paths.size < 3) {
+ logger.warn("illegal pipeline repo node fullPath: ${nodeInfo.fullPath}")
+ return nodeInfo.fullPath
+ }
+ val pipelineId = paths[1]
+ val buildId = paths[2]
+ val pipelineName = pipelineNameMap[pipelineId]
+ val buildNum = buildNumMap[buildId]
+ if (pipelineName.isNullOrEmpty() || buildNum.isNullOrEmpty()) {
+ logger.warn("illegal pipelineId or buildId: $pipelineId, $buildId")
+ return nodeInfo.fullPath
+ }
+ return nodeInfo.fullPath.replace("/$pipelineId/$buildId", "/$pipelineName/$buildNum")
+ }
+
override fun generateDestPath(
fileType: FileTypeEnum,
projectId: String,
@@ -341,14 +409,18 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
): String {
val result = if (FileTypeEnum.BK_CUSTOM == fileType) {
if (customFilePath.isNullOrBlank() || customFilePath.contains("..")) {
- throw ErrorCodeException(errorCode = CommonMessageCode.PARAMETER_IS_NULL,
- params = arrayOf("customFilePath"))
+ throw ErrorCodeException(
+ errorCode = CommonMessageCode.PARAMETER_IS_NULL,
+ params = arrayOf("customFilePath")
+ )
}
customFilePath.removePrefix("/")
} else {
if (pipelineId.isNullOrBlank() || buildId.isNullOrBlank()) {
- throw ErrorCodeException(errorCode = CommonMessageCode.PARAMETER_IS_NULL,
- params = arrayOf("pipelineId or buildId"))
+ throw ErrorCodeException(
+ errorCode = CommonMessageCode.PARAMETER_IS_NULL,
+ params = arrayOf("pipelineId or buildId")
+ )
}
val filePath = if (customFilePath.isNullOrBlank()) {
""
@@ -383,7 +455,8 @@ class BkRepoArchiveFileServiceImpl @Autowired constructor(
projectId = projectId,
filePath = "/$filePath",
artifactoryType = artifactoryType,
- fileChannelType = fileChannelType, fullUrl = fullUrl)
+ fileChannelType = fileChannelType, fullUrl = fullUrl
+ )
}
override fun getFileDownloadUrls(
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
index 47b9b4af4a5..1d380c079d9 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
@@ -140,4 +140,25 @@ interface OpAuthMigrateResource {
@Parameter(description = "按条件迁移项目实体", required = true)
projectConditionDTO: ProjectConditionDTO
): Result
+
+ @POST
+ @Path("/migrateResourceAuthorization")
+ @Operation(summary = "迁移资源授权-按照项目")
+ fun migrateResourceAuthorization(
+ @Parameter(description = "迁移项目", required = true)
+ projectCodes: List
+ ): Result
+
+ @POST
+ @Path("/migrateAllResourceAuthorization")
+ @Operation(summary = "迁移资源授权-全量")
+ fun migrateAllResourceAuthorization(): Result
+
+ @POST
+ @Path("/fixResourceGroups")
+ @Operation(summary = "修复资源组")
+ fun fixResourceGroups(
+ @Parameter(description = "迁移项目", required = true)
+ projectCodes: List
+ ): Result
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceAuthAuthorizationResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceAuthAuthorizationResource.kt
new file mode 100644
index 00000000000..fef73e0e366
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceAuthAuthorizationResource.kt
@@ -0,0 +1,101 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.api.service
+
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationResponse
+import io.swagger.v3.oas.annotations.Operation
+import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
+import javax.ws.rs.Consumes
+import javax.ws.rs.GET
+import javax.ws.rs.POST
+import javax.ws.rs.PUT
+import javax.ws.rs.Path
+import javax.ws.rs.PathParam
+import javax.ws.rs.Produces
+import javax.ws.rs.core.MediaType
+
+@Tag(name = "SERVICE_RESOURCE_AUTHORIZATION", description = "权限-授权管理")
+@Path("/service/auth/authorization/{projectId}")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+interface ServiceAuthAuthorizationResource {
+ @POST
+ @Path("/addResourceAuthorization")
+ @Operation(summary = "新增资源授权管理")
+ fun addResourceAuthorization(
+ @Parameter(description = "项目Id", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "资源授权实体", required = true)
+ resourceAuthorizationList: List
+ ): Result
+
+ @GET
+ @Path("/{resourceType}/{resourceCode}/getResourceAuthorization")
+ @Operation(summary = "获取资源授予记录")
+ fun getResourceAuthorization(
+ @Parameter(description = "项目Id", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @PathParam("resourceType")
+ @Parameter(description = "资源类型", required = true)
+ resourceType: String,
+ @PathParam("resourceCode")
+ @Parameter(description = "资源code", required = true)
+ resourceCode: String
+ ): Result
+
+ @POST
+ @Path("/listResourceAuthorization")
+ @Operation(summary = "获取资源授权管理")
+ fun listResourceAuthorization(
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "查询条件", required = true)
+ condition: ResourceAuthorizationConditionRequest
+ ): Result>
+
+ @PUT
+ @Path("/batchModifyHandoverFrom")
+ @Operation(summary = "批量重置资源授权人")
+ fun batchModifyHandoverFrom(
+ @Parameter(description = "项目Id", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "重置资源授权请求体", required = true)
+ resourceAuthorizationHandoverList: List
+ ): Result
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt
new file mode 100644
index 00000000000..a907ba8fb87
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt
@@ -0,0 +1,108 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.api.sync
+
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
+import io.swagger.v3.oas.annotations.Operation
+import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
+import javax.ws.rs.Consumes
+import javax.ws.rs.POST
+import javax.ws.rs.Path
+import javax.ws.rs.PathParam
+import javax.ws.rs.Produces
+import javax.ws.rs.core.MediaType
+
+@Tag(name = "AUTH_SYNC", description = "权限-同步IAM")
+@Path("/op/auth/resource/group/sync/")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+interface OpAuthResourceGroupSyncResource {
+
+ @POST
+ @Path("/syncByCondition")
+ @Operation(summary = "按条件同步组和成员")
+ fun syncByCondition(
+ @Parameter(description = "按条件迁移项目实体", required = true)
+ projectConditionDTO: ProjectConditionDTO
+ ): Result
+
+ @POST
+ @Path("/batchSyncGroupAndMember")
+ @Operation(summary = "批量同步所有用户组和成员")
+ fun batchSyncGroupAndMember(
+ @Parameter(description = "项目ID列表", required = true)
+ projectIds: List
+ ): Result
+
+ @POST
+ @Path("/batchSyncProjectGroup")
+ @Operation(summary = "批量同步项目下用户组")
+ fun batchSyncProjectGroup(
+ @Parameter(description = "项目ID列表", required = true)
+ projectIds: List
+ ): Result
+
+ @POST
+ @Path("/batchSyncAllMember")
+ @Operation(summary = "同步所有成员")
+ fun batchSyncAllMember(
+ @Parameter(description = "项目ID列表", required = true)
+ projectIds: List
+ ): Result
+
+ @POST
+ @Path("/{projectId}/{resourceType}/{resourceCode}/syncResourceMember")
+ @Operation(summary = "同步资源下用户组")
+ fun syncResourceMember(
+ @Parameter(description = "项目ID", required = true)
+ @PathParam(value = "projectId")
+ projectId: String,
+ @Parameter(description = "资源类型", required = true)
+ @PathParam(value = "resourceType")
+ resourceType: String,
+ @Parameter(description = "资源ID", required = true)
+ @PathParam(value = "resourceCode")
+ resourceCode: String
+ ): Result
+
+ @POST
+ @Path("/{projectId}/fixResourceGroupMember")
+ @Operation(summary = "修复用户组成员表")
+ fun fixResourceGroupMember(
+ @Parameter(description = "项目ID", required = true)
+ @PathParam(value = "projectId")
+ projectId: String
+ ): Result
+
+ @POST
+ @Path("/syncIamGroupMembersOfApply")
+ @Operation(summary = "同步iam组成员--用户申请加入")
+ fun syncIamGroupMembersOfApply(): Result
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthAuthorizationResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthAuthorizationResource.kt
new file mode 100644
index 00000000000..0f672983e72
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthAuthorizationResource.kt
@@ -0,0 +1,141 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.api.user
+
+import com.tencent.devops.auth.pojo.vo.ResourceTypeInfoVo
+import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
+import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID_DEFAULT_VALUE
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.pojo.ResetAllResourceAuthorizationReq
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationResponse
+import com.tencent.devops.common.auth.enums.ResourceAuthorizationHandoverStatus
+import io.swagger.v3.oas.annotations.Operation
+import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
+import javax.ws.rs.Consumes
+import javax.ws.rs.GET
+import javax.ws.rs.HeaderParam
+import javax.ws.rs.POST
+import javax.ws.rs.Path
+import javax.ws.rs.PathParam
+import javax.ws.rs.Produces
+import javax.ws.rs.QueryParam
+import javax.ws.rs.core.MediaType
+
+@Tag(name = "USER_RESOURCE_AUTHORIZATION", description = "用户-权限-授权管理")
+@Path("/user/auth/authorization/")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+interface UserAuthAuthorizationResource {
+
+ @POST
+ @Path("/{projectId}/listResourceAuthorization")
+ @Operation(summary = "根据条件获取资源授权管理")
+ fun listResourceAuthorization(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "查询条件", required = true)
+ condition: ResourceAuthorizationConditionRequest
+ ): Result>
+
+ @GET
+ @Path("/{projectId}/{resourceType}/getResourceAuthorization")
+ @Operation(summary = "获取资源授权管理")
+ fun getResourceAuthorization(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "资源类型", required = true)
+ @PathParam("resourceType")
+ resourceType: String,
+ @Parameter(description = "资源code", required = true)
+ @QueryParam("resourceCode")
+ resourceCode: String
+ ): Result
+
+ @GET
+ @Path("/{projectId}/{resourceType}/checkAuthorizationWhenRemoveGroupMember")
+ @Operation(summary = "当移出用户组时做授权检查")
+ fun checkAuthorizationWhenRemoveGroupMember(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "资源类型", required = true)
+ @PathParam("resourceType")
+ resourceType: String,
+ @Parameter(description = "资源code", required = true)
+ @QueryParam("resourceCode")
+ resourceCode: String,
+ @Parameter(description = "成员ID", required = true)
+ @QueryParam("memberId")
+ memberId: String
+ ): Result
+
+ @POST
+ @Path("/{projectId}/resetResourceAuthorization")
+ @Operation(summary = "重置资源授权管理")
+ fun resetResourceAuthorization(
+ @Parameter(description = "用户ID", required = true, example = AUTH_HEADER_USER_ID_DEFAULT_VALUE)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "资源授权交接条件实体", required = true)
+ condition: ResourceAuthorizationHandoverConditionRequest
+ ): Result>>
+
+ @POST
+ @Path("/{projectId}/resetAllResourceAuthorization")
+ @Operation(summary = "重置资源授权管理")
+ fun resetAllResourceAuthorization(
+ @Parameter(description = "用户ID", required = true, example = AUTH_HEADER_USER_ID_DEFAULT_VALUE)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "资源授权交接条件实体", required = true)
+ condition: ResetAllResourceAuthorizationReq
+ ): Result>
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
index 9f3d3900624..50d7ce1996c 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
@@ -30,13 +30,15 @@ package com.tencent.devops.auth.api.user
import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
+import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo
import com.tencent.devops.common.api.annotation.BkInterfaceI18n
import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
+import com.tencent.devops.common.api.model.SQLPage
import com.tencent.devops.common.api.pojo.Result
-import io.swagger.v3.oas.annotations.tags.Tag
import io.swagger.v3.oas.annotations.Operation
import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
import javax.ws.rs.Consumes
import javax.ws.rs.DELETE
import javax.ws.rs.GET
@@ -45,12 +47,14 @@ import javax.ws.rs.PUT
import javax.ws.rs.Path
import javax.ws.rs.PathParam
import javax.ws.rs.Produces
+import javax.ws.rs.QueryParam
import javax.ws.rs.core.MediaType
@Tag(name = "AUTH_RESOURCE_GROUP", description = "用户态-iam用户组")
@Path("/user/auth/resource/group/{projectId}/{resourceType}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
+@Suppress("LongParameterList")
interface UserAuthResourceGroupResource {
@GET
@@ -72,6 +76,30 @@ interface UserAuthResourceGroupResource {
groupId: Int
): Result>
+ @GET
+ @Path("getMemberGroupsDetails")
+ @Operation(summary = "获取项目成员有权限的用户组详情")
+ fun getMemberGroupsDetails(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "资源类型")
+ @PathParam("resourceType")
+ resourceType: String,
+ @QueryParam("memberId")
+ @Parameter(description = "组织ID/成员ID")
+ memberId: String,
+ @Parameter(description = "起始位置,从0开始")
+ @QueryParam("start")
+ start: Int,
+ @Parameter(description = "每页多少条")
+ @QueryParam("limit")
+ limit: Int
+ ): Result>
+
@PUT
@Path("{groupId}/member/renewal")
@Operation(summary = "用户续期")
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserDeptResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupSyncResource.kt
similarity index 51%
rename from src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserDeptResource.kt
rename to src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupSyncResource.kt
index 1e575dd6958..92bd13e7273 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserDeptResource.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupSyncResource.kt
@@ -27,92 +27,63 @@
package com.tencent.devops.auth.api.user
-import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
-import com.tencent.devops.auth.pojo.vo.DeptInfoVo
-import com.tencent.devops.auth.pojo.vo.UserAndDeptInfoVo
-import com.tencent.devops.common.api.auth.AUTH_HEADER_DEVOPS_ACCESS_TOKEN
+import com.tencent.devops.auth.pojo.enum.AuthMigrateStatus
import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
import com.tencent.devops.common.api.pojo.Result
-import io.swagger.v3.oas.annotations.tags.Tag
import io.swagger.v3.oas.annotations.Operation
import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
import javax.ws.rs.Consumes
import javax.ws.rs.GET
import javax.ws.rs.HeaderParam
+import javax.ws.rs.PUT
import javax.ws.rs.Path
import javax.ws.rs.PathParam
import javax.ws.rs.Produces
-import javax.ws.rs.QueryParam
import javax.ws.rs.core.MediaType
-@Tag(name = "USER_DEPT", description = "组织架构")
-@Path("/user/dept")
+@Tag(name = "AUTH_RESOURCE_GROUP_SYNC", description = "用户态-iam用户组_同步")
+@Path("/user/auth/resource/group/sync/{projectId}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
-interface UserDeptResource {
+interface UserAuthResourceGroupSyncResource {
- @GET
- @Path("/levels/{level}")
- @Operation(summary = "按组织级别获取组织列表")
- fun getDeptByLevel(
+ @PUT
+ @Path("syncGroupAndMember")
+ @Operation(summary = "同步IAM组和成员")
+ fun syncGroupAndMember(
@Parameter(description = "用户名", required = true)
@HeaderParam(AUTH_HEADER_USER_ID)
userId: String,
- @Parameter(description = "access_token")
- @HeaderParam(AUTH_HEADER_DEVOPS_ACCESS_TOKEN)
- accessToken: String?,
- @PathParam("level")
- @Parameter(description = "组织级别", required = true)
- level: Int
- ): Result
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String
+ ): Result
- @GET
- @Path("/parents/{parentId}")
- @Operation(summary = "按组织级别获取组织列表")
- fun getDeptByParent(
- @Parameter(description = "用户名", required = true)
- @HeaderParam(AUTH_HEADER_USER_ID)
- userId: String,
- @Parameter(description = "access_token")
- @HeaderParam(AUTH_HEADER_DEVOPS_ACCESS_TOKEN)
- accessToken: String?,
- @PathParam("parentId")
- @Parameter(description = "父组织Id", required = true)
- parentId: Int,
- @QueryParam("pageSize")
- @Parameter(description = "父组织Id", required = false)
- pageSize: Int?
- ): Result
-
- @GET
- @Path("/names/{name}")
- @Operation(summary = "按组织级别获取组织列表")
- fun getUserAndDeptByName(
+ @PUT
+ @Path("{groupId}/syncGroupMember")
+ @Operation(summary = "同步IAM")
+ fun syncGroupMember(
@Parameter(description = "用户名", required = true)
@HeaderParam(AUTH_HEADER_USER_ID)
userId: String,
- @Parameter(description = "access_token")
- @HeaderParam(AUTH_HEADER_DEVOPS_ACCESS_TOKEN)
- accessToken: String?,
- @PathParam("name")
- @Parameter(description = "模糊搜索名称", required = true)
- name: String,
- @QueryParam("type")
- @Parameter(description = "搜索类型", required = true)
- type: ManagerScopesEnum
- ): Result>
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "用户组Id")
+ @PathParam("groupId")
+ groupId: Int
+ ): Result
@GET
- @Path("/{deptId}/users")
- fun getDeptUsers(
+ @Path("/getStatusOfSync")
+ @Operation(summary = "获取同步状态")
+ fun getStatusOfSync(
@Parameter(description = "用户名", required = true)
@HeaderParam(AUTH_HEADER_USER_ID)
userId: String,
- @Parameter(description = "access_token")
- @HeaderParam(AUTH_HEADER_DEVOPS_ACCESS_TOKEN)
- accessToken: String?,
- @PathParam("deptId")
- @Parameter(description = "组织Id", required = true)
- deptId: Int
- ): Result?>
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String
+ ): Result
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt
new file mode 100644
index 00000000000..8e0da2fd2f1
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt
@@ -0,0 +1,182 @@
+package com.tencent.devops.auth.api.user
+
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberSingleRenewalReq
+import com.tencent.devops.auth.pojo.request.RemoveMemberFromProjectReq
+import com.tencent.devops.auth.pojo.vo.BatchOperateGroupMemberCheckVo
+import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
+import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo
+import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import io.swagger.v3.oas.annotations.Operation
+import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
+import javax.ws.rs.Consumes
+import javax.ws.rs.DELETE
+import javax.ws.rs.GET
+import javax.ws.rs.HeaderParam
+import javax.ws.rs.POST
+import javax.ws.rs.PUT
+import javax.ws.rs.Path
+import javax.ws.rs.PathParam
+import javax.ws.rs.Produces
+import javax.ws.rs.QueryParam
+import javax.ws.rs.core.MediaType
+
+@Tag(name = "AUTH_RESOURCE_MEMBER", description = "用户态-iam用户")
+@Path("/user/auth/resource/member/{projectId}/")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+interface UserAuthResourceMemberResource {
+ @GET
+ @Path("/listProjectMembers")
+ @Operation(summary = "获取项目下全体成员")
+ @Suppress("LongParameterList")
+ fun listProjectMembers(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "成员类型")
+ @QueryParam("memberType")
+ memberType: String?,
+ @Parameter(description = "用户名称搜索")
+ @QueryParam("userName")
+ userName: String?,
+ @Parameter(description = "组织搜索")
+ @QueryParam("deptName")
+ deptName: String?,
+ @Parameter(description = "是否展示离职标识")
+ @QueryParam("departedFlag")
+ departedFlag: Boolean?,
+ @Parameter(description = "第几页")
+ @QueryParam("page")
+ page: Int,
+ @Parameter(description = "每页多少条")
+ @QueryParam("pageSize")
+ pageSize: Int
+ ): Result>
+
+ @PUT
+ @Path("/renewal")
+ @Operation(summary = "续期单个组成员权限--无需进行审批")
+ fun renewalGroupMember(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "续期成员请求实体")
+ renewalConditionReq: GroupMemberSingleRenewalReq
+ ): Result
+
+ @PUT
+ @Path("/batch/renewal")
+ @Operation(summary = "批量续期组成员权限--无需进行审批")
+ fun batchRenewalGroupMembers(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "批量续期成员请求实体")
+ renewalConditionReq: GroupMemberRenewalConditionReq
+ ): Result
+
+ @DELETE
+ @Path("/batch/remove")
+ @Operation(summary = "批量移除用户组成员")
+ fun batchRemoveGroupMembers(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "批量移除成员请求实体")
+ removeMemberDTO: GroupMemberCommonConditionReq
+ ): Result
+
+ @PUT
+ @Path("/batch/handover")
+ @Operation(summary = "批量交接用户组成员")
+ fun batchHandoverGroupMembers(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "批量交接成员请求实体")
+ handoverMemberDTO: GroupMemberHandoverConditionReq
+ ): Result
+
+ @POST
+ @Path("/batch/{batchOperateType}/check/")
+ @Operation(summary = "批量操作用户组检查")
+ fun batchOperateGroupMembersCheck(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "批量操作类型", required = true)
+ @PathParam("batchOperateType")
+ batchOperateType: BatchOperateType,
+ @Parameter(description = "批量操作成员检查请求体")
+ conditionReq: GroupMemberCommonConditionReq
+ ): Result
+
+ @PUT
+ @Path("/removeMemberFromProject")
+ @Operation(summary = "将用户移出项目")
+ fun removeMemberFromProject(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "一键移出用户出项目")
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): Result>
+
+ @POST
+ @Path("/removeMemberFromProjectCheck")
+ @Operation(summary = "将用户移出项目检查")
+ fun removeMemberFromProjectCheck(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @Parameter(description = "一键移出用户出项目")
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): Result
+
+ @GET
+ @Path("/getMemberGroupCount")
+ @Operation(summary = "获取项目成员有权限的用户组数量--以资源类型进行分类")
+ fun getMemberGroupCount(
+ @Parameter(description = "用户名", required = true)
+ @HeaderParam(AUTH_HEADER_USER_ID)
+ userId: String,
+ @Parameter(description = "项目ID", required = true)
+ @PathParam("projectId")
+ projectId: String,
+ @QueryParam("memberId")
+ @Parameter(description = "组织ID/成员ID")
+ memberId: String
+ ): Result>
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt
index b9ade443a7d..aa0f259134d 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt
@@ -106,6 +106,9 @@ interface UserAuthResourceResource {
@Parameter(description = "资源ID")
@PathParam("resourceCode")
resourceCode: String,
+ @Parameter(description = "获取所有成员标识")
+ @QueryParam("allProjectMembersGroupFlag")
+ allProjectMembersGroupFlag: Boolean?,
@Parameter(description = "第几页")
@QueryParam("page")
page: Int,
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthI18nConstants.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthI18nConstants.kt
index 98e60fc1eb8..4be2b229dfc 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthI18nConstants.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthI18nConstants.kt
@@ -10,6 +10,7 @@ object AuthI18nConstants {
const val BK_YOU_AGREE_RENEW = "bkYouAgreeRenew" // 你已选择同意用户续期
const val BK_REFUSE_RENEW = "bkRefuseRenew" // 拒绝续期
const val BK_YOU_REFUSE_RENEW = "bkYouRefuseRenew" // 你已选择拒绝用户续期
+ const val BK_ALL_PROJECT_MEMBERS_GROUP = "bkAllProjectMembersGroup" // 全部项目成员组
// **蓝盾超级管理员权限续期申请审批**\n申请人:{0}\n授权名称:{1}\n授权详情:{2}\n用户权限过期时间:{3}\n请选择是否同意用户续期权限\n
const val BK_WEWORK_ROBOT_NOTIFY_MESSAGE = "bkWeworkRobotNotifyMessage"
@@ -43,4 +44,7 @@ object AuthI18nConstants {
const val BK_DEVOPS_NAME = "bkDevopsName" // 蓝盾名称
const val BK_MONITOR_NAME = "bkMonitorName" // 监控平台名称
const val BK_MONITOR_SPACE = "bkMonitorSpace" // 监控空间
+ const val BK_MEMBER_EXPIRED_AT_DISPLAY_EXPIRED = "bkMemberExpiredAtDisplayExpired" // 有效期: 已过期
+ const val BK_MEMBER_EXPIRED_AT_DISPLAY_NORMAL = "bkMemberExpiredAtDisplayNormal" // 有效期: {0}天
+ const val BK_MEMBER_EXPIRED_AT_DISPLAY_PERMANENT = "bkMemberExpiredAtDisplayPermanent" // 有效期: 永久
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt
index 9e64cae5fed..4b66ce68fbb 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt
@@ -133,4 +133,13 @@ object AuthMessageCode {
const val ERROR_MOA_CREDENTIAL_KEY_VERIFY_FAIL = "2121082" // MOA票据校验失败
const val ERROR_USER_NOT_BELONG_TO_THE_PROJECT = "2121083" // 用户不属于项目
+
+ const val ERROR_RESOURCE_AUTHORIZATION_NOT_FOUND = "2121084" // 授权记录不存在
+ const val ERROR_BATCH_RENEWAL_GROUP_MEMBERS = "2121085" // 批量续期用户组成员失败
+ const val ERROR_GROUP_MEMBERS_NOT_EXIST = "2121086" // 用户组[{0}]下不存在成员[{1}]
+ const val ERROR_BATCH_OPERATE_GROUP_MEMBERS = "2121087" // 批量操作组成员失败
+ const val INVALID_HANDOVER_TO = "2121088" // 目标对象和交接人不允许相同
+ const val INVALID_EXPIRED_PERM_NOT_ALLOW_TO_HANDOVER = "2121089" // 已过期的权限不允许交接
+
+ const val ERROR_USER_INFORMATION_NOT_SYNCED = "2121090" // 请等待第二天用户信息同步后再尝试操作,因为新入职用户的信息尚未同步完成。
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/AuthResourceGroup.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/AuthResourceGroup.kt
new file mode 100644
index 00000000000..4d898e9533b
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/AuthResourceGroup.kt
@@ -0,0 +1,62 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo
+
+import io.swagger.v3.oas.annotations.media.Schema
+import java.time.LocalDateTime
+
+@Schema(title = "资源用户组信息")
+data class AuthResourceGroup(
+ val id: Long? = null,
+ @get:Schema(title = "项目ID", required = true)
+ val projectCode: String,
+ @get:Schema(title = "资源类型", required = true)
+ val resourceType: String,
+ @get:Schema(title = "资源ID", required = true)
+ val resourceCode: String,
+ @get:Schema(title = "资源名", required = true)
+ val resourceName: String,
+ @get:Schema(title = "IAM资源ID", required = true)
+ val iamResourceCode: String,
+ @get:Schema(title = "组编码, @See DefaultGroupType", required = true)
+ val groupCode: String,
+ @get:Schema(title = "用户组名, @See DefaultGroupType", required = true)
+ val groupName: String,
+ @get:Schema(title = "是否是默认组", required = true)
+ val defaultGroup: Boolean,
+ @get:Schema(title = "IAM 用户组ID, @See DefaultGroupType", required = true)
+ val relationId: Int,
+ @get:Schema(title = "创建时间", required = false)
+ val createTime: LocalDateTime? = null,
+ @get:Schema(title = "更新时间", required = false)
+ val updateTime: LocalDateTime? = null,
+ @get:Schema(title = "用户组描述", required = false)
+ val description: String? = null,
+ @get:Schema(title = "IAM人员模板ID", required = false)
+ val iamTemplateId: Int? = null
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/AuthResourceGroupMember.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/AuthResourceGroupMember.kt
new file mode 100644
index 00000000000..a70919105c4
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/AuthResourceGroupMember.kt
@@ -0,0 +1,54 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo
+
+import io.swagger.v3.oas.annotations.media.Schema
+import java.time.LocalDateTime
+
+@Schema(title = "资源用户组成员信息")
+data class AuthResourceGroupMember(
+ val id: Long? = null,
+ @get:Schema(title = "项目ID", required = true)
+ val projectCode: String,
+ @get:Schema(title = "资源类型", required = true)
+ val resourceType: String,
+ @get:Schema(title = "资源ID", required = true)
+ val resourceCode: String,
+ @get:Schema(title = "资源ID", required = true)
+ val groupCode: String,
+ @get:Schema(title = "权限中心组ID", required = true)
+ val iamGroupId: Int,
+ @get:Schema(title = "成员ID, 用户: 英文名, 组织: 组织ID, 人员模板: 模板ID", required = true)
+ val memberId: String,
+ @get:Schema(title = "成员名", required = true)
+ val memberName: String,
+ @get:Schema(title = "成员类型, 用户/组织/人员模板", required = true)
+ val memberType: String,
+ @get:Schema(title = "过期时间", required = true)
+ val expiredTime: LocalDateTime
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/BkUserInfo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/BkUserInfo.kt
index e2327421797..38ff6dbf65e 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/BkUserInfo.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/BkUserInfo.kt
@@ -1,5 +1,6 @@
package com.tencent.devops.auth.pojo
+import com.fasterxml.jackson.annotation.JsonProperty
import io.swagger.v3.oas.annotations.media.Schema
@Schema
@@ -7,9 +8,13 @@ data class BkUserInfo(
@get:Schema(title = "用户Id")
val id: Int,
@get:Schema(title = "用户名")
- val username: String,
+ @JsonProperty("username")
+ val userName: String,
+ @get:Schema(title = "别名")
+ @JsonProperty("display_name")
+ val displayName: String,
@get:Schema(title = "是否启用")
- val enabled: Boolean,
+ val enabled: Boolean?,
@get:Schema(title = "用户额外信息")
val extras: BkUserExtras?,
@get:Schema(title = "用户部门")
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/MemberInfo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/ResourceMemberInfo.kt
similarity index 52%
rename from src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/MemberInfo.kt
rename to src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/ResourceMemberInfo.kt
index 53f315d9223..892a06a845b 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/MemberInfo.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/ResourceMemberInfo.kt
@@ -3,11 +3,13 @@ package com.tencent.devops.auth.pojo
import io.swagger.v3.oas.annotations.media.Schema
@Schema(title = "成员信息")
-data class MemberInfo(
+data class ResourceMemberInfo(
@get:Schema(title = "成员id")
val id: String,
@get:Schema(title = "成员名称")
- val name: String,
- @get:Schema(title = "成员类别")
- val type: String
+ val name: String? = null,
+ @get:Schema(title = "成员类型")
+ val type: String,
+ @get:Schema(title = "是否离职")
+ val departed: Boolean? = null
)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/GroupMemberRenewalDTO.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/GroupMemberRenewalDTO.kt
index d0b85831b0a..352e41b892f 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/GroupMemberRenewalDTO.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/GroupMemberRenewalDTO.kt
@@ -31,6 +31,6 @@ import io.swagger.v3.oas.annotations.media.Schema
@Schema(title = "用户组成员续期")
data class GroupMemberRenewalDTO(
- @get:Schema(title = "过期时间戳(单位秒),即用户或部门在 expired_at 后将不具有该用户组的相关权限")
+ @get:Schema(title = "过期时间戳(单位秒)")
val expiredAt: Long
)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/ListGroupConditionDTO.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/ListGroupConditionDTO.kt
new file mode 100644
index 00000000000..02472a7e360
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/ListGroupConditionDTO.kt
@@ -0,0 +1,19 @@
+package com.tencent.devops.auth.pojo.dto
+
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "获取用户组列表条件")
+data class ListGroupConditionDTO(
+ @get:Schema(title = "项目ID")
+ val projectId: String,
+ @get:Schema(title = "资源类型")
+ val resourceType: String,
+ @get:Schema(title = "资源CODE")
+ val resourceCode: String,
+ @get:Schema(title = "是否获取项目成员组,该字段仅在resourceType为project时生效")
+ val getAllProjectMembersGroup: Boolean = false,
+ @get:Schema(title = "页数")
+ val page: Int,
+ @get:Schema(title = "页大小")
+ val pageSize: Int
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/MigrateResourceDTO.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/MigrateResourceDTO.kt
index e9b5bf3cd34..dc25af90f8a 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/MigrateResourceDTO.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/MigrateResourceDTO.kt
@@ -8,6 +8,8 @@ data class MigrateResourceDTO(
val resourceType: String? = null,
@get:Schema(title = "项目ID列表")
val projectCodes: List? = null,
+ @get:Schema(title = "是否包含router_tag为null的项目")
+ val includeNullRouterTag: Boolean? = false,
@get:Schema(title = "是否迁移项目级资源")
val migrateProjectResource: Boolean? = false,
@get:Schema(title = "是否迁移项目级默认用户组")
diff --git a/src/backend/ci/core/worker/worker-common/src/main/kotlin/com/tencent/devops/worker/common/service/RepoService.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt
similarity index 80%
rename from src/backend/ci/core/worker/worker-common/src/main/kotlin/com/tencent/devops/worker/common/service/RepoService.kt
rename to src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt
index 1e0fa873f91..e1aa282decd 100644
--- a/src/backend/ci/core/worker/worker-common/src/main/kotlin/com/tencent/devops/worker/common/service/RepoService.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt
@@ -23,23 +23,18 @@
* NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
*/
-package com.tencent.devops.worker.common.service
+package com.tencent.devops.auth.pojo.enum
-import com.tencent.bkrepo.repository.pojo.token.TokenType
+enum class ApplyToGroupStatus(val value: Int) {
+ // 审批中
+ PENDING(0),
-interface RepoService {
+ // 审批成功
+ SUCCEED(1),
- /**
- * 获取仓库token
- */
- fun getRepoToken(
- userId: String,
- projectId: String,
- repoName: String,
- path: String,
- type: TokenType,
- expireSeconds: Long?
- ): String?
+ // 审批超时
+ TIME_OUT(2);
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/AuthMigrateStatus.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/AuthMigrateStatus.kt
index c5baa506a9c..4c639452046 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/AuthMigrateStatus.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/AuthMigrateStatus.kt
@@ -31,8 +31,10 @@ package com.tencent.devops.auth.pojo.enum
enum class AuthMigrateStatus(val value: Int) {
// 迁移中
PENDING(0),
+
// 迁移成功
SUCCEED(1),
+
// 迁移失败
FAILED(2);
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/BatchOperateType.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/BatchOperateType.kt
new file mode 100644
index 00000000000..ad8504dc6e0
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/BatchOperateType.kt
@@ -0,0 +1,34 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo.enum
+
+enum class BatchOperateType {
+ RENEWAL,
+ REMOVE,
+ HANDOVER
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/JoinedType.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/JoinedType.kt
new file mode 100644
index 00000000000..06b700c88bd
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/JoinedType.kt
@@ -0,0 +1,36 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo.enum
+
+enum class JoinedType {
+ // 直接加入
+ DIRECT,
+
+ // 通过模板加入
+ TEMPLATE
+}
diff --git a/src/backend/ci/core/common/common-webhook/biz-common-webhook/src/main/kotlin/com/tencent/devops/common/webhook/service/code/filter/SkipCiFilter.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/RemoveMemberButtonControl.kt
similarity index 79%
rename from src/backend/ci/core/common/common-webhook/biz-common-webhook/src/main/kotlin/com/tencent/devops/common/webhook/service/code/filter/SkipCiFilter.kt
rename to src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/RemoveMemberButtonControl.kt
index dfbe1421ee3..fc06012edd1 100644
--- a/src/backend/ci/core/common/common-webhook/biz-common-webhook/src/main/kotlin/com/tencent/devops/common/webhook/service/code/filter/SkipCiFilter.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/RemoveMemberButtonControl.kt
@@ -25,18 +25,18 @@
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
-package com.tencent.devops.common.webhook.service.code.filter
+package com.tencent.devops.auth.pojo.enum
-class SkipCiFilter(
- private val pipelineId: String,
- private val triggerOnMessage: String?
-) : WebhookFilter {
+enum class RemoveMemberButtonControl {
+ // 唯一管理员,不允许移出组
+ UNIQUE_MANAGER,
- companion object {
- private const val SKIP_CI = "[skip ci]"
- }
+ // 唯一的拥有者,不允许移除组
+ UNIQUE_OWNER,
- override fun doFilter(response: WebhookFilterResponse): Boolean {
- return triggerOnMessage?.contains(SKIP_CI) != true
- }
+ // 通过模板加入,不允许移出组
+ TEMPLATE,
+
+ // 其他,允许移出组
+ OTHER
}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberCommonConditionReq.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberCommonConditionReq.kt
new file mode 100644
index 00000000000..db943b94c74
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberCommonConditionReq.kt
@@ -0,0 +1,24 @@
+package com.tencent.devops.auth.pojo.request
+
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "用户组成员处理公共请求体")
+open class GroupMemberCommonConditionReq(
+ @get:Schema(title = "组IDs")
+ open val groupIds: List = emptyList(),
+ @get:Schema(title = "全选的资源类型")
+ open val resourceTypes: List = emptyList(),
+ @get:Schema(title = "全量选择")
+ open val allSelection: Boolean = false,
+ @get:Schema(title = "是否排除唯一管理员组")
+ open var excludedUniqueManagerGroup: Boolean = false,
+ @get:Schema(title = "目标对象")
+ open val targetMember: ResourceMemberInfo
+) {
+ override fun toString(): String {
+ return "GroupMemberCommonConditionReq(groupIds=$groupIds,resourceTypes=$resourceTypes," +
+ "allSelection=$allSelection,excludedUniqueManagerGroup=$excludedUniqueManagerGroup," +
+ "targetMember=$targetMember)"
+ }
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberHandoverConditionReq.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberHandoverConditionReq.kt
new file mode 100644
index 00000000000..dc0f85b0daa
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberHandoverConditionReq.kt
@@ -0,0 +1,63 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo.request
+
+import com.tencent.devops.auth.constant.AuthMessageCode.INVALID_HANDOVER_TO
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.common.api.exception.ErrorCodeException
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "用户组成员交接条件请求体")
+data class GroupMemberHandoverConditionReq(
+ @get:Schema(title = "组IDs")
+ override val groupIds: List = emptyList(),
+ @get:Schema(title = "全选的资源类型")
+ override val resourceTypes: List = emptyList(),
+ @get:Schema(title = "全量选择")
+ override val allSelection: Boolean = false,
+ @get:Schema(title = "是否排除唯一管理员组")
+ override var excludedUniqueManagerGroup: Boolean = false,
+ @get:Schema(title = "目标对象")
+ override val targetMember: ResourceMemberInfo,
+ @get:Schema(title = "授予人")
+ val handoverTo: ResourceMemberInfo
+) : GroupMemberCommonConditionReq(
+ groupIds = groupIds,
+ resourceTypes = resourceTypes,
+ allSelection = allSelection,
+ excludedUniqueManagerGroup = excludedUniqueManagerGroup,
+ targetMember = targetMember
+) {
+ fun checkHandoverTo() {
+ if (handoverTo.id == targetMember.id) {
+ throw ErrorCodeException(
+ errorCode = INVALID_HANDOVER_TO
+ )
+ }
+ }
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRenewalConditionReq.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRenewalConditionReq.kt
new file mode 100644
index 00000000000..b8b6ce8598c
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRenewalConditionReq.kt
@@ -0,0 +1,53 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo.request
+
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "用户组成员续期")
+data class GroupMemberRenewalConditionReq(
+ @get:Schema(title = "组IDs")
+ override val groupIds: List,
+ @get:Schema(title = "全选某种资源类型下的用户组")
+ override val resourceTypes: List = emptyList(),
+ @get:Schema(title = "全量选择")
+ override val allSelection: Boolean = false,
+ @get:Schema(title = "是否排除唯一管理员组")
+ override var excludedUniqueManagerGroup: Boolean = false,
+ @get:Schema(title = "目标对象")
+ override val targetMember: ResourceMemberInfo,
+ @get:Schema(title = "续期时长(天)")
+ val renewalDuration: Int
+) : GroupMemberCommonConditionReq(
+ groupIds = groupIds,
+ resourceTypes = resourceTypes,
+ allSelection = allSelection,
+ excludedUniqueManagerGroup = excludedUniqueManagerGroup,
+ targetMember = targetMember
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberSingleRenewalReq.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberSingleRenewalReq.kt
new file mode 100644
index 00000000000..f765549d7ab
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberSingleRenewalReq.kt
@@ -0,0 +1,41 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.pojo.request
+
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "用户组成员单条续期")
+data class GroupMemberSingleRenewalReq(
+ @get:Schema(title = "组ID")
+ val groupId: Int,
+ @get:Schema(title = "目标对象")
+ val targetMember: ResourceMemberInfo,
+ @get:Schema(title = "续期时长(天)")
+ val renewalDuration: Int
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/RemoveMemberFromProjectReq.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/RemoveMemberFromProjectReq.kt
new file mode 100644
index 00000000000..b2a211530ab
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/request/RemoveMemberFromProjectReq.kt
@@ -0,0 +1,22 @@
+package com.tencent.devops.auth.pojo.request
+
+import com.tencent.devops.auth.constant.AuthMessageCode.INVALID_HANDOVER_TO
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.common.api.exception.ErrorCodeException
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "一键移出用户出项目")
+data class RemoveMemberFromProjectReq(
+ @get:Schema(title = "目标对象")
+ val targetMember: ResourceMemberInfo,
+ @get:Schema(title = "授予人")
+ val handoverTo: ResourceMemberInfo?
+) {
+ fun checkHandoverTo() {
+ if (handoverTo != null && handoverTo.id == targetMember.id) {
+ throw ErrorCodeException(
+ errorCode = INVALID_HANDOVER_TO
+ )
+ }
+ }
+}
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/BatchOperateGroupMemberCheckVo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/BatchOperateGroupMemberCheckVo.kt
new file mode 100644
index 00000000000..501eb12299c
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/BatchOperateGroupMemberCheckVo.kt
@@ -0,0 +1,11 @@
+package com.tencent.devops.auth.pojo.vo
+
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "批量续期/删除/交接/组成员检查")
+data class BatchOperateGroupMemberCheckVo(
+ @get:Schema(title = "总数")
+ val totalCount: Int,
+ @get:Schema(title = "无法操作的数量")
+ val inoperableCount: Int? = null
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/GroupDetailsInfoVo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/GroupDetailsInfoVo.kt
new file mode 100644
index 00000000000..26bd35b3aff
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/GroupDetailsInfoVo.kt
@@ -0,0 +1,33 @@
+package com.tencent.devops.auth.pojo.vo
+
+import com.tencent.devops.auth.pojo.enum.JoinedType
+import com.tencent.devops.auth.pojo.enum.RemoveMemberButtonControl
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "用户组详细信息")
+data class GroupDetailsInfoVo(
+ @get:Schema(title = "资源实例code")
+ val resourceCode: String,
+ @get:Schema(title = "资源实例名称")
+ val resourceName: String,
+ @get:Schema(title = "资源类型")
+ val resourceType: String,
+ @get:Schema(title = "用户组ID")
+ val groupId: Int,
+ @get:Schema(title = "用户组名称")
+ val groupName: String,
+ @get:Schema(title = "用户组描述")
+ val groupDesc: String? = null,
+ @get:Schema(title = "有效期,天")
+ val expiredAtDisplay: String,
+ @get:Schema(title = "过期时间戳,秒")
+ val expiredAt: Long,
+ @get:Schema(title = "加入时间")
+ val joinedTime: Long,
+ @get:Schema(title = "移除成员按钮控制")
+ val removeMemberButtonControl: RemoveMemberButtonControl,
+ @get:Schema(title = "加入方式")
+ val joinedType: JoinedType,
+ @get:Schema(title = "操作人")
+ val operator: String
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/IamGroupInfoVo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/IamGroupInfoVo.kt
index 0bb72a20556..96ad44c2f53 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/IamGroupInfoVo.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/IamGroupInfoVo.kt
@@ -17,5 +17,9 @@ data class IamGroupInfoVo(
@get:Schema(title = "用户组人数")
val userCount: Int,
@get:Schema(title = "用户组部门数")
- val departmentCount: Int = 0
+ val departmentCount: Int = 0,
+ @get:Schema(title = "用户组模板数")
+ val templateCount: Int? = 0,
+ @get:Schema(title = "是否为项目成员组")
+ val projectMemberGroup: Boolean? = null
)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/MemberGroupCountWithPermissionsVo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/MemberGroupCountWithPermissionsVo.kt
new file mode 100644
index 00000000000..293d3646046
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/MemberGroupCountWithPermissionsVo.kt
@@ -0,0 +1,13 @@
+package com.tencent.devops.auth.pojo.vo
+
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "用户有权限的用户组数量")
+data class MemberGroupCountWithPermissionsVo(
+ @get:Schema(title = "资源类型")
+ val resourceType: String,
+ @get:Schema(title = "资源类型名")
+ val resourceTypeName: String,
+ @get:Schema(title = "数量")
+ val count: Long
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ProjectMembersVO.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ProjectMembersVO.kt
index ef84c49a360..a8c65055f27 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ProjectMembersVO.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ProjectMembersVO.kt
@@ -1,6 +1,6 @@
package com.tencent.devops.auth.pojo.vo
-import com.tencent.devops.auth.pojo.MemberInfo
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
import io.swagger.v3.oas.annotations.media.Schema
@Schema(title = "项目成员列表返回")
@@ -8,5 +8,5 @@ data class ProjectMembersVO(
@get:Schema(title = "数量")
val count: Int,
@get:Schema(title = "成员信息列表")
- val results: Set
+ val results: Set
)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceMemberCountVO.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceMemberCountVO.kt
new file mode 100644
index 00000000000..b533a9310d9
--- /dev/null
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceMemberCountVO.kt
@@ -0,0 +1,11 @@
+package com.tencent.devops.auth.pojo.vo
+
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "资源成员数量")
+data class ResourceMemberCountVO(
+ @get:Schema(title = "用户组人数")
+ val userCount: Int,
+ @get:Schema(title = "用户组部门数")
+ val departmentCount: Int
+)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceTypeInfoVo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceTypeInfoVo.kt
index da485f5b3fa..a04974367e6 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceTypeInfoVo.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/ResourceTypeInfoVo.kt
@@ -6,14 +6,14 @@ import io.swagger.v3.oas.annotations.media.Schema
@Schema(title = "资源类型")
data class ResourceTypeInfoVo(
@get:Schema(title = "ID")
- val id: Int,
+ val id: Int = 0,
@get:Schema(title = "资源类型")
val resourceType: String,
@get:Schema(title = "资源类型名")
@BkFieldI18n(keyPrefixName = "resourceType")
val name: String,
@get:Schema(title = "父类资源")
- val parent: String,
+ val parent: String = "",
@get:Schema(title = "所属系统")
- val system: String
+ val system: String = ""
)
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/UserAndDeptInfoVo.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/UserAndDeptInfoVo.kt
index 4bfea2cb17b..c03a529358d 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/UserAndDeptInfoVo.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/UserAndDeptInfoVo.kt
@@ -11,6 +11,8 @@ data class UserAndDeptInfoVo(
val id: Int,
@get:Schema(title = "名称")
val name: String,
+ @get:Schema(title = "别名")
+ val displayName: String,
@get:Schema(title = "信息类型")
val type: ManagerScopesEnum,
@get:Schema(title = "是否拥有子级")
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/aspect/BkManagerCheckAspect.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/aspect/BkManagerCheckAspect.kt
new file mode 100644
index 00000000000..f751e972faa
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/aspect/BkManagerCheckAspect.kt
@@ -0,0 +1,99 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.aspect
+
+import com.tencent.devops.auth.constant.AuthMessageCode
+import com.tencent.devops.auth.service.iam.PermissionProjectService
+import com.tencent.devops.common.api.constant.CommonMessageCode.PARAMETER_IS_INVALID
+import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.exception.PermissionForbiddenException
+import com.tencent.devops.common.web.utils.I18nUtil
+import org.aspectj.lang.JoinPoint
+import org.aspectj.lang.annotation.Aspect
+import org.aspectj.lang.annotation.Before
+import org.aspectj.lang.annotation.Pointcut
+import org.aspectj.lang.reflect.MethodSignature
+import org.slf4j.LoggerFactory
+import org.springframework.stereotype.Component
+
+@Aspect
+@Component
+class BkManagerCheckAspect constructor(
+ private val permissionProjectService: PermissionProjectService
+) {
+ @Pointcut("@annotation(com.tencent.devops.common.auth.api.BkManagerCheck)")
+ fun pointCut() = Unit
+
+ /**
+ * Before advice: Executed before the target method
+ *
+ * @param jp ProceedingJoinPoint
+ */
+ @Before("pointCut()")
+ fun checkManager(jp: JoinPoint) {
+ val parameterValue = jp.args
+ val parameterNames = (jp.signature as MethodSignature).parameterNames
+ if (PROJECT_ID !in parameterNames || USER_ID !in parameterNames) {
+ logger.warn("The request parameters for this method are incorrect: $parameterValue|$parameterNames")
+ throw ErrorCodeException(
+ errorCode = PARAMETER_IS_INVALID,
+ defaultMessage = "The request parameters for this method are incorrect." +
+ "projectId and userId are required."
+ )
+ }
+ var projectId: String? = null
+ var userId: String? = null
+ parameterNames.forEachIndexed { index, name ->
+ when (name) {
+ PROJECT_ID -> projectId = parameterValue[index].toString()
+ USER_ID -> userId = parameterValue[index].toString()
+ }
+ }
+ if (userId.isNullOrEmpty() || projectId.isNullOrEmpty()) {
+ throw ErrorCodeException(
+ errorCode = PARAMETER_IS_INVALID,
+ defaultMessage = "projectId or userId cannot be empty or null!"
+ )
+ }
+ val hasProjectManagePermission = permissionProjectService.checkProjectManager(
+ userId = userId!!,
+ projectCode = projectId!!
+ )
+ if (!hasProjectManagePermission) {
+ throw PermissionForbiddenException(
+ message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
+ )
+ }
+ }
+
+ companion object {
+ private val logger = LoggerFactory.getLogger(BkManagerCheckAspect::class.java)
+ private const val PROJECT_ID = "projectId"
+ private const val USER_ID = "userId"
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/common/Constants.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/common/Constants.kt
index 9140e08e58b..dd56d40fc8e 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/common/Constants.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/common/Constants.kt
@@ -30,9 +30,11 @@ package com.tencent.devops.auth.common
object Constants {
const val SUPER_MANAGER = -1
const val DEPT_LABEL = "id,name,parent,enabled,has_children"
- const val USER_LABLE = "id,username,enabled,departments,extras"
+ const val USER_LABEL = "id,username,display_name,enabled,departments,extras"
+ const val USER_NAME_AND_DISPLAY_NAME_LABEL = "id,username,display_name"
const val LEVEL = "level"
const val PARENT = "parent"
+ const val ID = "id"
const val NAME = "name"
const val USERNAME = "username"
const val ALL_ACTION = "all_action"
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt
new file mode 100644
index 00000000000..774607c5e2b
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt
@@ -0,0 +1,66 @@
+package com.tencent.devops.auth.cron
+
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
+import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
+import com.tencent.devops.common.redis.RedisLock
+import com.tencent.devops.common.redis.RedisOperation
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.scheduling.annotation.Scheduled
+import org.springframework.stereotype.Component
+
+@Component
+class AuthCronSyncGroupAndMember(
+ private val redisOperation: RedisOperation,
+ private val permissionResourceGroupSyncService: PermissionResourceGroupSyncService
+) {
+ @Value("\${sync.cron.enabled:#{false}}")
+ private var enable: Boolean = false
+
+ private val redisLock = RedisLock(redisOperation, SYNC_CRON_KEY, 10)
+
+ companion object {
+ private const val SYNC_CRON_KEY = "sync_cron_key"
+ private val logger = LoggerFactory.getLogger(AuthCronSyncGroupAndMember::class.java)
+ }
+
+ @Scheduled(cron = "0 0 0 ? * SAT")
+ fun syncGroupAndMemberRegularly() {
+ if (!enable) {
+ return
+ }
+ try {
+ logger.info("sync group and member regularly |start")
+ val lockSuccess = redisLock.tryLock()
+ if (lockSuccess) {
+ permissionResourceGroupSyncService.syncByCondition(
+ ProjectConditionDTO(enabled = true)
+ )
+ logger.info("sync group and member regularly |finish")
+ } else {
+ logger.info("sync group and member regularly |running")
+ }
+ } catch (e: Exception) {
+ logger.warn("sync group and member regularly |error", e)
+ }
+ }
+
+ @Scheduled(cron = "0 0 8,16 * * ?")
+ fun syncIamGroupMembersOfApplyRegularly() {
+ if (!enable) {
+ return
+ }
+ try {
+ logger.info("sync members of apply regularly | start")
+ val lockSuccess = redisLock.tryLock()
+ if (lockSuccess) {
+ permissionResourceGroupSyncService.syncIamGroupMembersOfApply()
+ logger.info("sync members of apply regularly | finish")
+ } else {
+ logger.info("sync members of apply regularly | running")
+ }
+ } catch (e: Exception) {
+ logger.warn("sync members of apply regularly | error", e)
+ }
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthAuthorizationDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthAuthorizationDao.kt
new file mode 100644
index 00000000000..ef94562a6fc
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthAuthorizationDao.kt
@@ -0,0 +1,219 @@
+package com.tencent.devops.auth.dao
+
+import com.tencent.devops.common.api.util.timestampmilli
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationResponse
+import com.tencent.devops.model.auth.tables.TAuthResourceAuthorization
+import com.tencent.devops.model.auth.tables.records.TAuthResourceAuthorizationRecord
+import org.jooq.Condition
+import org.jooq.DSLContext
+import org.springframework.stereotype.Repository
+import java.sql.Timestamp
+import java.time.LocalDateTime
+
+@Repository
+class AuthAuthorizationDao {
+ fun batchAdd(
+ dslContext: DSLContext,
+ resourceAuthorizationList: List
+ ) {
+ with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.batch(
+ resourceAuthorizationList.map { resourceAuthorizationDto ->
+ val handoverDateTime = Timestamp(resourceAuthorizationDto.handoverTime!!).toLocalDateTime()
+ dslContext.insertInto(
+ this,
+ PROJECT_CODE,
+ RESOURCE_TYPE,
+ RESOURCE_CODE,
+ RESOURCE_NAME,
+ HANDOVER_FROM,
+ HANDOVER_FROM_CN_NAME,
+ HANDOVER_TIME
+ ).values(
+ resourceAuthorizationDto.projectCode,
+ resourceAuthorizationDto.resourceType,
+ resourceAuthorizationDto.resourceCode,
+ resourceAuthorizationDto.resourceName,
+ resourceAuthorizationDto.handoverFrom,
+ resourceAuthorizationDto.handoverFromCnName,
+ handoverDateTime
+ )
+ }
+ ).execute()
+ }
+ }
+
+ fun migrate(
+ dslContext: DSLContext,
+ resourceAuthorizationList: List
+ ) {
+ with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.batch(
+ resourceAuthorizationList.map { resourceAuthorizationDto ->
+ val handoverDateTime = Timestamp(resourceAuthorizationDto.handoverTime!!).toLocalDateTime()
+ dslContext.insertInto(
+ this,
+ PROJECT_CODE,
+ RESOURCE_TYPE,
+ RESOURCE_CODE,
+ RESOURCE_NAME,
+ HANDOVER_FROM,
+ HANDOVER_FROM_CN_NAME,
+ HANDOVER_TIME
+ ).values(
+ resourceAuthorizationDto.projectCode,
+ resourceAuthorizationDto.resourceType,
+ resourceAuthorizationDto.resourceCode,
+ resourceAuthorizationDto.resourceName,
+ resourceAuthorizationDto.handoverFrom,
+ resourceAuthorizationDto.handoverFromCnName,
+ handoverDateTime
+ ).onDuplicateKeyUpdate()
+ .set(HANDOVER_FROM, resourceAuthorizationDto.handoverFrom)
+ .set(HANDOVER_FROM_CN_NAME, resourceAuthorizationDto.handoverFromCnName)
+ .set(RESOURCE_NAME, resourceAuthorizationDto.resourceName)
+ .set(HANDOVER_TIME, handoverDateTime)
+ .where(CREATE_TIME.eq(UPDATE_TIME))
+ }
+ ).execute()
+ }
+ }
+
+ fun batchUpdate(
+ dslContext: DSLContext,
+ resourceAuthorizationHandoverList: List
+ ) {
+ with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.batch(
+ resourceAuthorizationHandoverList.map { resourceAuthorizationDto ->
+ dslContext.update(this)
+ .let {
+ if (resourceAuthorizationDto is ResourceAuthorizationHandoverDTO) {
+ it.set(HANDOVER_FROM, resourceAuthorizationDto.handoverTo)
+ .set(HANDOVER_FROM_CN_NAME, resourceAuthorizationDto.handoverToCnName)
+ .set(HANDOVER_TIME, LocalDateTime.now())
+ } else {
+ it
+ }
+ }
+ .set(RESOURCE_NAME, resourceAuthorizationDto.resourceName)
+ .set(UPDATE_TIME, LocalDateTime.now())
+ .where(PROJECT_CODE.eq(resourceAuthorizationDto.projectCode))
+ .and(RESOURCE_TYPE.eq(resourceAuthorizationDto.resourceType))
+ .and(RESOURCE_CODE.eq(resourceAuthorizationDto.resourceCode))
+ }
+ ).execute()
+ }
+ }
+
+ fun delete(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String
+ ) {
+ with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.deleteFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(RESOURCE_TYPE.eq(resourceType))
+ .and(RESOURCE_CODE.eq(resourceCode))
+ .execute()
+ }
+ }
+
+ fun delete(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String,
+ resourceCodes: List
+ ) {
+ with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.deleteFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(RESOURCE_TYPE.eq(resourceType))
+ .and(RESOURCE_CODE.notIn(resourceCodes))
+ .execute()
+ }
+ }
+
+ fun get(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String
+ ): ResourceAuthorizationResponse? {
+ return with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.selectFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(RESOURCE_TYPE.eq(resourceType))
+ .and(RESOURCE_CODE.eq(resourceCode))
+ .fetchAny()?.convert()
+ }
+ }
+
+ fun list(
+ dslContext: DSLContext,
+ condition: ResourceAuthorizationConditionRequest
+ ): List {
+ return with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.selectFrom(this)
+ .where(buildQueryCondition(condition))
+ .let {
+ if (condition.page != null && condition.pageSize != null) {
+ it.limit((condition.page!! - 1) * condition.pageSize!!, condition.pageSize)
+ } else it
+ }
+ .fetch().map { it.convert() }
+ }
+ }
+
+ fun count(
+ dslContext: DSLContext,
+ condition: ResourceAuthorizationConditionRequest
+ ): Int {
+ return with(TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION) {
+ dslContext.selectCount()
+ .from(this)
+ .where(buildQueryCondition(condition))
+ .fetchOne(0, Int::class.java)!!
+ }
+ }
+
+ fun TAuthResourceAuthorization.buildQueryCondition(
+ conditionReq: ResourceAuthorizationConditionRequest
+ ): MutableList {
+ val conditions = mutableListOf()
+ with(conditionReq) {
+ conditions.add(PROJECT_CODE.eq(projectCode))
+ if (resourceType != null) {
+ conditions.add(RESOURCE_TYPE.eq(resourceType))
+ }
+ if (resourceName != null) {
+ conditions.add(RESOURCE_NAME.like("%$resourceName%"))
+ }
+ if (handoverFrom != null) {
+ conditions.add(HANDOVER_FROM.eq(handoverFrom))
+ }
+ if (greaterThanHandoverTime != null && lessThanHandoverTime != null) {
+ conditions.add(HANDOVER_TIME.ge(Timestamp(greaterThanHandoverTime!!).toLocalDateTime()))
+ conditions.add(HANDOVER_TIME.le(Timestamp(lessThanHandoverTime!!).toLocalDateTime()))
+ }
+ }
+ return conditions
+ }
+
+ fun TAuthResourceAuthorizationRecord.convert(): ResourceAuthorizationResponse {
+ return ResourceAuthorizationResponse(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceName = resourceName,
+ resourceCode = resourceCode,
+ handoverTime = handoverTime.timestampmilli(),
+ handoverFrom = handoverFrom,
+ handoverFromCnName = handoverFromCnName
+ )
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt
new file mode 100644
index 00000000000..82fd8c51918
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt
@@ -0,0 +1,64 @@
+package com.tencent.devops.auth.dao
+
+import com.tencent.devops.auth.pojo.ApplyJoinGroupInfo
+import com.tencent.devops.auth.pojo.enum.ApplyToGroupStatus
+import com.tencent.devops.model.auth.tables.TAuthResourceGroupApply
+import com.tencent.devops.model.auth.tables.records.TAuthResourceGroupApplyRecord
+import org.jooq.DSLContext
+import org.jooq.Result
+import org.springframework.stereotype.Repository
+import java.time.LocalDateTime
+
+@Repository
+class AuthResourceGroupApplyDao {
+ fun list(
+ dslContext: DSLContext,
+ limit: Int,
+ offset: Int
+ ): Result {
+ return with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) {
+ dslContext.selectFrom(this)
+ .where(STATUS.eq(ApplyToGroupStatus.PENDING.value))
+ .orderBy(CREATE_TIME.asc())
+ .offset(offset)
+ .limit(limit)
+ .fetch()
+ }
+ }
+
+ fun batchUpdate(
+ dslContext: DSLContext,
+ ids: List,
+ applyToGroupStatus: ApplyToGroupStatus
+ ) {
+ with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) {
+ dslContext.batch(
+ ids.map { id ->
+ dslContext.update(this)
+ .set(STATUS, applyToGroupStatus.value)
+ .set(NUMBER_OF_CHECKS, NUMBER_OF_CHECKS + 1)
+ .set(UPDATE_TIME, LocalDateTime.now())
+ .where(ID.eq(id))
+ }
+ ).execute()
+ }
+ }
+
+ fun batchCreate(
+ dslContext: DSLContext,
+ applyJoinGroupInfo: ApplyJoinGroupInfo
+ ) {
+ with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) {
+ dslContext.batch(
+ applyJoinGroupInfo.groupIds.map { groupId ->
+ dslContext.insertInto(this)
+ .set(PROJECT_CODE, applyJoinGroupInfo.projectCode)
+ .set(MEMBER_ID, applyJoinGroupInfo.applicant)
+ .set(IAM_GROUP_ID, groupId)
+ .set(STATUS, ApplyToGroupStatus.PENDING.value)
+ .set(NUMBER_OF_CHECKS, 0)
+ }
+ ).execute()
+ }
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupDao.kt
index 415fa087084..49efc0066bd 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupDao.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupDao.kt
@@ -28,10 +28,12 @@
package com.tencent.devops.auth.dao
+import com.tencent.devops.auth.pojo.AuthResourceGroup
import com.tencent.devops.model.auth.tables.TAuthResourceGroup
import com.tencent.devops.model.auth.tables.records.TAuthResourceGroupRecord
import org.jooq.DSLContext
import org.jooq.Result
+import org.slf4j.LoggerFactory
import org.springframework.stereotype.Repository
import java.time.LocalDateTime
@@ -83,6 +85,49 @@ class AuthResourceGroupDao {
}
}
+ fun batchCreate(
+ dslContext: DSLContext,
+ authResourceGroups: List
+ ) {
+ val now = LocalDateTime.now()
+ with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+ dslContext.batch(authResourceGroups.map {
+ dslContext.insertInto(
+ this,
+ PROJECT_CODE,
+ RESOURCE_TYPE,
+ RESOURCE_CODE,
+ RESOURCE_NAME,
+ IAM_RESOURCE_CODE,
+ GROUP_CODE,
+ GROUP_NAME,
+ DEFAULT_GROUP,
+ RELATION_ID,
+ CREATE_TIME,
+ UPDATE_TIME,
+ DESCRIPTION,
+ IAM_TEMPLATE_ID
+ ).values(
+ it.projectCode,
+ it.resourceType,
+ it.resourceCode,
+ it.resourceName,
+ it.iamResourceCode,
+ it.groupCode,
+ it.groupName,
+ it.defaultGroup,
+ it.relationId.toString(),
+ now,
+ now,
+ it.description,
+ it.iamTemplateId
+ ).onDuplicateKeyUpdate()
+ .set(GROUP_NAME, it.groupName)
+ .set(UPDATE_TIME, now)
+ }).execute()
+ }
+ }
+
fun update(
dslContext: DSLContext,
projectCode: String,
@@ -90,13 +135,15 @@ class AuthResourceGroupDao {
resourceCode: String,
resourceName: String,
groupCode: String,
- groupName: String
+ groupName: String,
+ relationId: String? = null
): Int {
val now = LocalDateTime.now()
return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
dslContext.update(this)
.set(GROUP_NAME, groupName)
.set(RESOURCE_NAME, resourceName)
+ .let { if (relationId != null) it.set(RELATION_ID, relationId) else it }
.set(UPDATE_TIME, now)
.where(PROJECT_CODE.eq(projectCode))
.and(RESOURCE_CODE.eq(resourceCode))
@@ -106,6 +153,24 @@ class AuthResourceGroupDao {
}
}
+ fun batchUpdate(
+ dslContext: DSLContext,
+ authResourceGroups: List
+ ) {
+ val now = LocalDateTime.now()
+ with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+ dslContext.batch(authResourceGroups.map {
+ dslContext.update(this)
+ .set(GROUP_NAME, it.groupName)
+ .set(DESCRIPTION, it.description)
+ .set(IAM_TEMPLATE_ID, it.iamTemplateId)
+ .set(UPDATE_TIME, now)
+ .where(PROJECT_CODE.eq(it.projectCode))
+ .and(ID.eq(it.id!!))
+ }).execute()
+ }
+ }
+
fun get(
dslContext: DSLContext,
projectCode: String,
@@ -184,6 +249,19 @@ class AuthResourceGroupDao {
}
}
+ fun listIamGroupIdsByConditions(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupIds: List
+ ): List {
+ return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+ dslContext.select(RELATION_ID).from(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(RELATION_ID.`in`(iamGroupIds))
+ .fetch().map { it.value1().toInt() }
+ }
+ }
+
fun getByGroupName(
dslContext: DSLContext,
projectCode: String,
@@ -205,11 +283,29 @@ class AuthResourceGroupDao {
projectCode: String,
resourceType: String,
resourceCode: String
- ): List {
+ ): List {
return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+ val result = mutableListOf()
dslContext.selectFrom(this).where(PROJECT_CODE.eq(projectCode))
.and(RESOURCE_CODE.eq(resourceCode))
.and(RESOURCE_TYPE.eq(resourceType))
+ .fetch().forEach {
+ val authResourceGroup = convert(it)
+ if (authResourceGroup != null) {
+ result.add(authResourceGroup)
+ }
+ }
+ result
+ }
+ }
+
+ fun listRecordsOfNeedToFix(
+ dslContext: DSLContext,
+ projectCode: String
+ ): Result {
+ return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+ dslContext.selectFrom(this).where(PROJECT_CODE.eq(projectCode))
+ .and(RELATION_ID.eq("null"))
.fetch()
}
}
@@ -241,4 +337,60 @@ class AuthResourceGroupDao {
.fetchOne(0, Int::class.java)!!
}
}
+
+ fun listGroupByResourceType(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String,
+ offset: Int,
+ limit: Int
+ ): List {
+ return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+ val records = dslContext.selectFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(RESOURCE_TYPE.eq(resourceType))
+ .offset(offset)
+ .limit(limit)
+ .fetch()
+ val result = mutableListOf()
+ records.forEach {
+ val authResourceGroup = convert(it)
+ if (authResourceGroup != null) {
+ result.add(authResourceGroup)
+ }
+ }
+ result
+ }
+ }
+
+ fun convert(record: TAuthResourceGroupRecord): AuthResourceGroup? {
+ // 同步iam数据时,可能会出现relationId为null的情况,此时转Int类型,会有异常
+ with(record) {
+ return try {
+ AuthResourceGroup(
+ id = id,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ resourceName = resourceName,
+ iamResourceCode = iamResourceCode,
+ groupCode = groupCode,
+ groupName = groupName,
+ defaultGroup = defaultGroup,
+ relationId = relationId.toInt(),
+ createTime = createTime,
+ updateTime = updateTime
+ )
+ } catch (ignore: Exception) {
+ logger.warn(
+ "convert Group Record failed!|$projectCode|$resourceType|$resourceCode", ignore
+ )
+ null
+ }
+ }
+ }
+
+ companion object {
+ private val logger = LoggerFactory.getLogger(AuthResourceGroupDao::class.java)
+ }
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupMemberDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupMemberDao.kt
new file mode 100644
index 00000000000..1d95eb1b2f8
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupMemberDao.kt
@@ -0,0 +1,600 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.dao
+
+import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
+import com.tencent.devops.auth.pojo.AuthResourceGroupMember
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
+import com.tencent.devops.model.auth.tables.TAuthResourceAuthorization
+import com.tencent.devops.model.auth.tables.TAuthResourceGroupMember
+import com.tencent.devops.model.auth.tables.records.TAuthResourceGroupMemberRecord
+import org.jooq.Condition
+import org.jooq.DSLContext
+import org.jooq.Table
+import org.jooq.impl.DSL.count
+import org.jooq.impl.DSL.countDistinct
+import org.jooq.impl.DSL.field
+import org.jooq.impl.DSL.inline
+import org.springframework.stereotype.Repository
+import java.time.LocalDateTime
+
+@Repository
+@Suppress("LongParameterList")
+class AuthResourceGroupMemberDao {
+ fun create(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String,
+ groupCode: String,
+ iamGroupId: Int,
+ memberId: String,
+ memberName: String,
+ memberType: String,
+ expiredTime: LocalDateTime
+ ) {
+ val now = LocalDateTime.now()
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.insertInto(
+ this,
+ PROJECT_CODE,
+ RESOURCE_TYPE,
+ RESOURCE_CODE,
+ GROUP_CODE,
+ IAM_GROUP_ID,
+ MEMBER_ID,
+ MEMBER_NAME,
+ MEMBER_TYPE,
+ EXPIRED_TIME,
+ CREATE_TIME,
+ UPDATE_TIME
+ ).values(
+ projectCode,
+ resourceType,
+ resourceCode,
+ groupCode,
+ iamGroupId,
+ memberId,
+ memberName,
+ memberType,
+ expiredTime,
+ now,
+ now
+ ).onDuplicateKeyUpdate()
+ .set(MEMBER_NAME, memberName)
+ .set(EXPIRED_TIME, expiredTime)
+ .execute()
+ }
+ }
+
+ fun update(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupId: Int,
+ memberId: String,
+ memberName: String? = null,
+ expiredTime: LocalDateTime
+ ) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.update(this)
+ .let { if (memberName != null) it.set(MEMBER_NAME, memberName) else it }
+ .set(EXPIRED_TIME, expiredTime)
+ .set(UPDATE_TIME, LocalDateTime.now())
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.eq(iamGroupId))
+ .and(MEMBER_ID.eq(memberId))
+ .execute()
+ }
+ }
+
+ fun batchCreate(dslContext: DSLContext, groupMembers: List) {
+ val now = LocalDateTime.now()
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.batch(groupMembers.map {
+ dslContext.insertInto(
+ this,
+ PROJECT_CODE,
+ RESOURCE_TYPE,
+ RESOURCE_CODE,
+ GROUP_CODE,
+ IAM_GROUP_ID,
+ MEMBER_ID,
+ MEMBER_NAME,
+ MEMBER_TYPE,
+ EXPIRED_TIME,
+ CREATE_TIME,
+ UPDATE_TIME
+ ).values(
+ it.projectCode,
+ it.resourceType,
+ it.resourceCode,
+ it.groupCode,
+ it.iamGroupId,
+ it.memberId,
+ it.memberName,
+ it.memberType,
+ it.expiredTime,
+ now,
+ now
+ ).onDuplicateKeyUpdate()
+ .set(MEMBER_NAME, it.memberName)
+ .set(EXPIRED_TIME, it.expiredTime)
+ }).execute()
+ }
+ }
+
+ fun batchUpdate(dslContext: DSLContext, groupMembers: List) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.batch(groupMembers.map {
+ dslContext.update(this)
+ .set(MEMBER_NAME, it.memberName)
+ .set(EXPIRED_TIME, it.expiredTime)
+ .set(UPDATE_TIME, LocalDateTime.now())
+ .where(PROJECT_CODE.eq(it.projectCode))
+ .and(IAM_GROUP_ID.eq(it.iamGroupId))
+ .and(MEMBER_ID.eq(it.memberId))
+ }).execute()
+ }
+ }
+
+ fun batchDelete(dslContext: DSLContext, ids: Set) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.delete(this)
+ .where(ID.`in`(ids))
+ .execute()
+ }
+ }
+
+ fun batchDeleteGroupMembers(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupId: Int,
+ memberIds: List
+ ) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.delete(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.eq(iamGroupId))
+ .and(MEMBER_ID.`in`(memberIds))
+ .execute()
+ }
+ }
+
+ fun deleteByIamGroupId(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupId: Int
+ ) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.delete(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.eq(iamGroupId))
+ .execute()
+ }
+ }
+
+ fun deleteByIamGroupIds(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupIds: List
+ ) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.delete(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.`in`(iamGroupIds))
+ .execute()
+ }
+ }
+
+ fun deleteByResource(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String
+ ) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.delete(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(RESOURCE_TYPE.eq(resourceType))
+ .and(RESOURCE_CODE.eq(resourceCode))
+ .execute()
+ }
+ }
+
+ fun isMemberInGroup(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupId: Int,
+ memberId: String
+ ): Boolean {
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.selectCount()
+ .from(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.eq(iamGroupId))
+ .and(MEMBER_ID.eq(memberId))
+ .fetchOne(0, Int::class.java) != 0
+ }
+ }
+
+ fun isMembersInProject(
+ dslContext: DSLContext,
+ projectCode: String,
+ memberNames: List,
+ memberType: String
+ ): List {
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.select(MEMBER_ID, MEMBER_NAME, MEMBER_TYPE)
+ .from(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(MEMBER_NAME.`in`(memberNames))
+ .and(MEMBER_TYPE.eq(memberType))
+ .groupBy(MEMBER_NAME, MEMBER_ID, MEMBER_TYPE)
+ .fetch().map {
+ ResourceMemberInfo(
+ id = it.value1(),
+ name = it.value2(),
+ type = it.value3()
+ )
+ }
+ }
+ }
+
+ fun handoverGroupMembers(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupId: Int,
+ handoverFrom: ResourceMemberInfo,
+ handoverTo: ResourceMemberInfo,
+ expiredTime: LocalDateTime
+ ) {
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.update(this)
+ .set(MEMBER_ID, handoverTo.id)
+ .set(MEMBER_NAME, handoverTo.name)
+ .set(MEMBER_TYPE, handoverTo.type)
+ .set(EXPIRED_TIME, expiredTime)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.eq(iamGroupId))
+ .and(MEMBER_ID.eq(handoverFrom.id))
+ .execute()
+ }
+ }
+
+ fun listResourceGroupMember(
+ dslContext: DSLContext,
+ projectCode: String,
+ resourceType: String? = null,
+ memberId: String? = null,
+ memberName: String? = null,
+ memberType: String? = null,
+ iamGroupId: Int? = null
+ ): List {
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ val select = dslContext.selectFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ resourceType?.let { select.and(RESOURCE_TYPE.eq(resourceType)) }
+ memberId?.let { select.and(MEMBER_ID.eq(memberId)) }
+ memberName?.let { select.and(MEMBER_NAME.eq(memberName)) }
+ memberType?.let { select.and(MEMBER_TYPE.eq(memberType)) }
+ iamGroupId?.let { select.and(IAM_GROUP_ID.eq(iamGroupId)) }
+ select.fetch().map { convert(it) }
+ }
+ }
+
+ fun listProjectGroups(
+ dslContext: DSLContext,
+ projectCode: String,
+ offset: Int,
+ limit: Int
+ ): List {
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.select(IAM_GROUP_ID).from(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .groupBy(IAM_GROUP_ID)
+ .orderBy(CREATE_TIME.desc())
+ .offset(offset).limit(limit)
+ .fetch().map { it.value1() }
+ }
+ }
+
+ fun listProjectMember(
+ dslContext: DSLContext,
+ projectCode: String,
+ memberType: String?,
+ userName: String?,
+ deptName: String?,
+ offset: Int,
+ limit: Int
+ ): List {
+ val resourceMemberUnionAuthorizationMember = createResourceMemberUnionAuthorizationMember(
+ dslContext = dslContext,
+ projectCode = projectCode
+ )
+
+ return dslContext
+ .select(
+ field(MEMBER_ID, String::class.java),
+ field(MEMBER_NAME, String::class.java),
+ field(MEMBER_TYPE, String::class.java)
+ )
+ .from(resourceMemberUnionAuthorizationMember)
+ .where(
+ buildResourceMemberConditions(
+ memberType = memberType,
+ userName = userName,
+ deptName = deptName
+ )
+ )
+ .groupBy(
+ field(MEMBER_ID)
+ )
+ .orderBy(field(MEMBER_ID))
+ .offset(offset).limit(limit)
+ .fetch().map {
+ ResourceMemberInfo(id = it.value1(), name = it.value2(), type = it.value3())
+ }
+ }
+
+ fun countProjectMember(
+ dslContext: DSLContext,
+ projectCode: String
+ ): Map {
+ val resourceMemberUnionAuthorizationMember = createResourceMemberUnionAuthorizationMember(
+ dslContext = dslContext,
+ projectCode = projectCode
+ )
+
+ return dslContext.select(
+ field(MEMBER_TYPE, String::class.java),
+ countDistinct(field(MEMBER_ID, Long::class.java))
+ ).from(resourceMemberUnionAuthorizationMember)
+ .groupBy(field(MEMBER_TYPE, Long::class.java))
+ .fetch().map { Pair(it.value1(), it.value2()) }.toMap()
+ }
+
+ fun countProjectMember(
+ dslContext: DSLContext,
+ projectCode: String,
+ memberType: String?,
+ userName: String?,
+ deptName: String?
+ ): Long {
+ val resourceMemberUnionAuthorizationMember = createResourceMemberUnionAuthorizationMember(
+ dslContext = dslContext,
+ projectCode = projectCode
+ )
+ return dslContext
+ .select(countDistinct(field(MEMBER_ID, Long::class.java)))
+ .from(resourceMemberUnionAuthorizationMember)
+ .where(
+ buildResourceMemberConditions(
+ memberType = memberType,
+ userName = userName,
+ deptName = deptName
+ )
+ )
+ .fetchOne(0, Long::class.java) ?: 0L
+ }
+
+ fun createResourceMemberUnionAuthorizationMember(dslContext: DSLContext, projectCode: String): Table<*> {
+ val tResourceGroupMember = TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER
+ val tResourceAuthorization = TAuthResourceAuthorization.T_AUTH_RESOURCE_AUTHORIZATION
+
+ return dslContext
+ .select(
+ tResourceGroupMember.MEMBER_ID,
+ tResourceGroupMember.MEMBER_NAME,
+ tResourceGroupMember.MEMBER_TYPE
+ )
+ .from(tResourceGroupMember)
+ .where(tResourceGroupMember.PROJECT_CODE.eq(projectCode))
+ .and(tResourceGroupMember.MEMBER_TYPE.notEqual(ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE)))
+ .unionAll(
+ dslContext.select(
+ tResourceAuthorization.HANDOVER_FROM.`as`("MEMBER_ID"),
+ tResourceAuthorization.HANDOVER_FROM_CN_NAME.`as`("MEMBER_NAME"),
+ inline("user").`as`("MEMBER_TYPE")
+ )
+ .from(tResourceAuthorization)
+ .where(tResourceAuthorization.PROJECT_CODE.eq(projectCode))
+ )
+ .asTable(TABLE_NAME)
+ }
+
+ fun buildResourceMemberConditions(
+ memberType: String?,
+ userName: String?,
+ deptName: String?
+ ): MutableList {
+ val conditions = mutableListOf()
+ val memberId = field(MEMBER_ID, String::class.java)
+ val memberTypeField = field(MEMBER_TYPE, String::class.java)
+ val memberName = field(MEMBER_NAME, String::class.java)
+
+ if (memberType != null) {
+ conditions.add(memberTypeField.eq(memberType))
+ }
+ if (userName != null) {
+ conditions.add(memberTypeField.eq(ManagerScopesEnum.getType(ManagerScopesEnum.USER)))
+ conditions.add(memberId.like("%$userName%").or(memberName.like("%$userName%")))
+ }
+ if (deptName != null) {
+ conditions.add(memberTypeField.eq(ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT)))
+ conditions.add(memberName.like("%$deptName%"))
+ }
+ return conditions
+ }
+
+ /**
+ * 查询组下所有成员
+ */
+ fun listGroupMember(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupId: Int
+ ): List {
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.selectFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(IAM_GROUP_ID.eq(iamGroupId))
+ .fetch().map {
+ convert(it)
+ }
+ }
+ }
+
+ /**
+ * 获取成员按资源类型分组数量
+ */
+ fun countMemberGroup(
+ dslContext: DSLContext,
+ projectCode: String,
+ memberId: String,
+ iamTemplateIds: List,
+ resourceType: String? = null,
+ iamGroupIds: List? = null
+ ): Map {
+ val conditions = buildMemberGroupCondition(
+ projectCode = projectCode,
+ memberId = memberId,
+ iamTemplateIds = iamTemplateIds,
+ resourceType = resourceType,
+ iamGroupIds = iamGroupIds
+ )
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ val select = dslContext.select(RESOURCE_TYPE, count())
+ .from(this)
+ .where(conditions)
+ select.groupBy(RESOURCE_TYPE)
+ select.fetch().map { Pair(it.value1(), it.value2().toLong()) }.toMap()
+ }
+ }
+
+ /**
+ * 获取成员下用户组列表
+ */
+ fun listMemberGroupDetail(
+ dslContext: DSLContext,
+ projectCode: String,
+ memberId: String,
+ iamTemplateIds: List,
+ resourceType: String? = null,
+ iamGroupIds: List? = null,
+ offset: Int? = null,
+ limit: Int? = null
+ ): List {
+ val conditions = buildMemberGroupCondition(
+ projectCode = projectCode,
+ memberId = memberId,
+ iamTemplateIds = iamTemplateIds,
+ resourceType = resourceType,
+ iamGroupIds = iamGroupIds
+ )
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.selectFrom(this)
+ .where(conditions)
+ .orderBy(IAM_GROUP_ID.desc())
+ .let { if (offset != null && limit != null) it.offset(offset).limit(limit) else it }
+ .fetch()
+ .map { convert(it) }
+ }
+ }
+
+ private fun buildMemberGroupCondition(
+ projectCode: String,
+ memberId: String,
+ iamTemplateIds: List,
+ resourceType: String? = null,
+ iamGroupIds: List? = null
+ ): MutableList {
+ val conditions = mutableListOf()
+ with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ conditions.add(PROJECT_CODE.eq(projectCode))
+ conditions.add(
+ (MEMBER_ID.eq(memberId).and(
+ MEMBER_TYPE.`in`(
+ listOf(
+ ManagerScopesEnum.getType(ManagerScopesEnum.USER),
+ ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT)
+ )
+ )
+ ))
+ .or(
+ MEMBER_ID.`in`(iamTemplateIds)
+ .and(MEMBER_TYPE.eq(ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE)))
+ )
+ )
+ resourceType?.let { conditions.add(RESOURCE_TYPE.eq(resourceType)) }
+ iamGroupIds?.let { conditions.add(IAM_GROUP_ID.`in`(iamGroupIds)) }
+ }
+ return conditions
+ }
+
+ fun listProjectUniqueManagerGroups(
+ dslContext: DSLContext,
+ projectCode: String,
+ iamGroupIds: List
+ ): List {
+ return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+ dslContext.select(IAM_GROUP_ID)
+ .from(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .and(GROUP_CODE.eq(BkAuthGroup.MANAGER.value))
+ .and(IAM_GROUP_ID.`in`(iamGroupIds))
+ .groupBy(IAM_GROUP_ID)
+ .having(count(MEMBER_ID).eq(1))
+ .fetch().map { it.value1() }
+ }
+ }
+
+ fun convert(record: TAuthResourceGroupMemberRecord): AuthResourceGroupMember {
+ return with(record) {
+ AuthResourceGroupMember(
+ id = id,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = groupCode,
+ iamGroupId = iamGroupId,
+ memberId = memberId,
+ memberName = memberName,
+ memberType = memberType,
+ expiredTime = expiredTime
+ )
+ }
+ }
+
+ companion object {
+ private const val TABLE_NAME = "resourceMemberUnionAuthorizationMember"
+ private const val MEMBER_ID = "$TABLE_NAME.MEMBER_ID"
+ private const val MEMBER_NAME = "$TABLE_NAME.MEMBER_NAME"
+ private const val MEMBER_TYPE = "$TABLE_NAME.MEMBER_TYPE"
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceSyncDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceSyncDao.kt
new file mode 100644
index 00000000000..182fe21ef1f
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceSyncDao.kt
@@ -0,0 +1,97 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.dao
+
+import com.tencent.devops.model.auth.tables.TAuthResourceSync
+import com.tencent.devops.model.auth.tables.records.TAuthResourceSyncRecord
+import org.jooq.DSLContext
+import org.springframework.stereotype.Repository
+import java.time.LocalDateTime
+
+@Repository
+class AuthResourceSyncDao {
+
+ fun createOrUpdate(
+ dslContext: DSLContext,
+ projectCode: String,
+ status: Int
+ ) {
+ val now = LocalDateTime.now()
+ with(TAuthResourceSync.T_AUTH_RESOURCE_SYNC) {
+ dslContext.insertInto(
+ this,
+ PROJECT_CODE,
+ STATUS,
+ CREATE_TIME,
+ UPDATE_TIME
+ ).values(
+ projectCode,
+ status,
+ now,
+ now
+ ).onDuplicateKeyUpdate()
+ .set(STATUS, status)
+ .set(ERROR_MESSAGE, "")
+ .set(UPDATE_TIME, now)
+ .execute()
+ }
+ }
+
+ fun updateStatus(
+ dslContext: DSLContext,
+ projectCode: String,
+ status: Int,
+ errorMessage: String? = null,
+ totalTime: Long?
+ ) {
+ with(TAuthResourceSync.T_AUTH_RESOURCE_SYNC) {
+ val update = dslContext.update(this)
+ .set(STATUS, status)
+ .set(UPDATE_TIME, LocalDateTime.now())
+ if (totalTime != null) {
+ update.set(TOTAL_TIME, totalTime)
+ }
+ if (errorMessage != null) {
+ update.set(ERROR_MESSAGE, errorMessage)
+ }
+ update.where(PROJECT_CODE.eq(projectCode)).execute()
+ }
+ }
+
+ fun get(
+ dslContext: DSLContext,
+ projectCode: String
+ ): TAuthResourceSyncRecord? {
+ with(TAuthResourceSync.T_AUTH_RESOURCE_SYNC) {
+ return dslContext.selectFrom(this)
+ .where(PROJECT_CODE.eq(projectCode))
+ .fetchOne()
+ }
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceTypeDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceTypeDao.kt
index 756f2e3c6bd..4bb7a6de6f1 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceTypeDao.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceTypeDao.kt
@@ -1,5 +1,6 @@
package com.tencent.devops.auth.dao
+import com.tencent.devops.common.db.utils.skipCheck
import com.tencent.devops.model.auth.tables.TAuthResourceType
import com.tencent.devops.model.auth.tables.records.TAuthResourceTypeRecord
import org.jooq.DSLContext
@@ -10,7 +11,11 @@ import org.springframework.stereotype.Repository
class AuthResourceTypeDao {
fun list(dslContext: DSLContext): Result {
return with(TAuthResourceType.T_AUTH_RESOURCE_TYPE) {
- dslContext.selectFrom(this).where(DELETE.eq(false)).orderBy(ID.asc()).fetch()
+ dslContext.selectFrom(this)
+ .where(DELETE.eq(false))
+ .orderBy(ID.asc())
+ .skipCheck()
+ .fetch()
}
}
@@ -23,6 +28,7 @@ class AuthResourceTypeDao {
dslContext.selectFrom(this)
.orderBy(CREATE_TIME.desc(), RESOURCE_TYPE)
.limit(pageSize).offset((page - 1) * pageSize)
+ .skipCheck()
.fetch()
}
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt
index e7d3d85424c..f6dc9dd7779 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt
@@ -44,8 +44,11 @@ import com.tencent.bk.sdk.iam.service.v2.impl.V2ManagerServiceImpl
import com.tencent.bk.sdk.iam.service.v2.impl.V2PolicyServiceImpl
import com.tencent.devops.auth.dao.AuthMigrationDao
import com.tencent.devops.auth.dao.AuthMonitorSpaceDao
+import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao
import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
+import com.tencent.devops.auth.dao.AuthResourceSyncDao
import com.tencent.devops.auth.provider.rbac.service.AuthResourceCodeConverter
import com.tencent.devops.auth.provider.rbac.service.AuthResourceService
import com.tencent.devops.auth.provider.rbac.service.ItsmService
@@ -61,6 +64,7 @@ import com.tencent.devops.auth.provider.rbac.service.RbacPermissionItsmCallbackS
import com.tencent.devops.auth.provider.rbac.service.RbacPermissionProjectService
import com.tencent.devops.auth.provider.rbac.service.RbacPermissionResourceCallbackService
import com.tencent.devops.auth.provider.rbac.service.RbacPermissionResourceGroupService
+import com.tencent.devops.auth.provider.rbac.service.RbacPermissionResourceGroupSyncService
import com.tencent.devops.auth.provider.rbac.service.RbacPermissionResourceMemberService
import com.tencent.devops.auth.provider.rbac.service.RbacPermissionResourceService
import com.tencent.devops.auth.provider.rbac.service.RbacPermissionResourceValidateService
@@ -68,7 +72,9 @@ import com.tencent.devops.auth.provider.rbac.service.RbacPermissionService
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateCreatorFixServiceImpl
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateIamApiService
import com.tencent.devops.auth.provider.rbac.service.migrate.MigratePermissionHandoverService
+import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceAuthorizationService
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceCodeConverter
+import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceGroupService
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceService
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResultService
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateV0PolicyService
@@ -78,12 +84,14 @@ import com.tencent.devops.auth.service.AuthMonitorSpaceService
import com.tencent.devops.auth.service.AuthProjectUserMetricsService
import com.tencent.devops.auth.service.AuthVerifyRecordService
import com.tencent.devops.auth.service.DeptService
+import com.tencent.devops.auth.service.PermissionAuthorizationService
import com.tencent.devops.auth.service.ResourceService
import com.tencent.devops.auth.service.SuperManagerService
import com.tencent.devops.auth.service.iam.MigrateCreatorFixService
-import com.tencent.devops.auth.service.iam.PermissionProjectService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
import com.tencent.devops.auth.service.iam.PermissionResourceService
+import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
import com.tencent.devops.auth.service.iam.PermissionService
import com.tencent.devops.common.auth.api.AuthTokenApi
import com.tencent.devops.common.auth.code.ProjectAuthServiceCode
@@ -142,21 +150,19 @@ class RbacAuthConfiguration {
permissionGradeManagerService: PermissionGradeManagerService,
permissionSubsetManagerService: PermissionSubsetManagerService,
authResourceCodeConverter: AuthResourceCodeConverter,
- permissionService: PermissionService,
- permissionProjectService: PermissionProjectService,
traceEventDispatcher: TraceEventDispatcher,
iamV2ManagerService: V2ManagerService,
- client: Client
+ permissionAuthorizationService: PermissionAuthorizationService,
+ permissionResourceValidateService: PermissionResourceValidateService
) = RbacPermissionResourceService(
authResourceService = authResourceService,
permissionGradeManagerService = permissionGradeManagerService,
permissionSubsetManagerService = permissionSubsetManagerService,
authResourceCodeConverter = authResourceCodeConverter,
- permissionService = permissionService,
- permissionProjectService = permissionProjectService,
traceEventDispatcher = traceEventDispatcher,
iamV2ManagerService = iamV2ManagerService,
- client = client
+ permissionAuthorizationService = permissionAuthorizationService,
+ permissionResourceValidateService = permissionResourceValidateService
)
@Bean
@@ -165,26 +171,26 @@ class RbacAuthConfiguration {
iamV2ManagerService: V2ManagerService,
authResourceService: AuthResourceService,
permissionSubsetManagerService: PermissionSubsetManagerService,
- permissionProjectService: PermissionProjectService,
permissionGroupPoliciesService: PermissionGroupPoliciesService,
authResourceGroupDao: AuthResourceGroupDao,
dslContext: DSLContext,
v2ManagerService: V2ManagerService,
rbacCacheService: RbacCacheService,
monitorSpaceService: AuthMonitorSpaceService,
- authResourceGroupConfigDao: AuthResourceGroupConfigDao
+ authResourceGroupConfigDao: AuthResourceGroupConfigDao,
+ authResourceGroupMemberDao: AuthResourceGroupMemberDao
) = RbacPermissionResourceGroupService(
iamV2ManagerService = iamV2ManagerService,
authResourceService = authResourceService,
permissionSubsetManagerService = permissionSubsetManagerService,
- permissionProjectService = permissionProjectService,
permissionGroupPoliciesService = permissionGroupPoliciesService,
authResourceGroupDao = authResourceGroupDao,
dslContext = dslContext,
v2ManagerService = v2ManagerService,
rbacCacheService = rbacCacheService,
monitorSpaceService = monitorSpaceService,
- authResourceGroupConfigDao = authResourceGroupConfigDao
+ authResourceGroupConfigDao = authResourceGroupConfigDao,
+ authResourceGroupMemberDao = authResourceGroupMemberDao
)
@Bean
@@ -192,14 +198,22 @@ class RbacAuthConfiguration {
authResourceService: AuthResourceService,
iamV2ManagerService: V2ManagerService,
authResourceGroupDao: AuthResourceGroupDao,
+ authResourceGroupMemberDao: AuthResourceGroupMemberDao,
dslContext: DSLContext,
- deptService: DeptService
+ deptService: DeptService,
+ rbacCacheService: RbacCacheService,
+ permissionAuthorizationService: PermissionAuthorizationService,
+ syncIamGroupMemberService: PermissionResourceGroupSyncService
) = RbacPermissionResourceMemberService(
authResourceService = authResourceService,
iamV2ManagerService = iamV2ManagerService,
authResourceGroupDao = authResourceGroupDao,
+ authResourceGroupMemberDao = authResourceGroupMemberDao,
dslContext = dslContext,
- deptService = deptService
+ deptService = deptService,
+ rbacCacheService = rbacCacheService,
+ permissionAuthorizationService = permissionAuthorizationService,
+ syncIamGroupMemberService = syncIamGroupMemberService
)
@Bean
@@ -291,7 +305,9 @@ class RbacAuthConfiguration {
client: Client,
authResourceCodeConverter: AuthResourceCodeConverter,
permissionService: PermissionService,
- itsmService: ItsmService
+ itsmService: ItsmService,
+ deptService: DeptService,
+ authResourceGroupApplyDao: AuthResourceGroupApplyDao
) = RbacPermissionApplyService(
dslContext = dslContext,
v2ManagerService = v2ManagerService,
@@ -303,17 +319,21 @@ class RbacAuthConfiguration {
client = client,
authResourceCodeConverter = authResourceCodeConverter,
permissionService = permissionService,
- itsmService = itsmService
+ itsmService = itsmService,
+ deptService = deptService,
+ authResourceGroupApplyDao = authResourceGroupApplyDao
)
@Bean
@Primary
fun rbacPermissionResourceValidateService(
permissionService: PermissionService,
- rbacCacheService: RbacCacheService
+ rbacCacheService: RbacCacheService,
+ client: Client
) = RbacPermissionResourceValidateService(
permissionService = permissionService,
- rbacCacheService = rbacCacheService
+ rbacCacheService = rbacCacheService,
+ client = client
)
@Bean
@@ -356,6 +376,19 @@ class RbacAuthConfiguration {
authResourceGroupDao = authResourceGroupDao
)
+ @Bean
+ fun migrateResourceGroupService(
+ authResourceService: AuthResourceService,
+ dslContext: DSLContext,
+ authResourceGroupDao: AuthResourceGroupDao,
+ iamV2ManagerService: V2ManagerService
+ ) = MigrateResourceGroupService(
+ authResourceService = authResourceService,
+ dslContext = dslContext,
+ authResourceGroupDao = authResourceGroupDao,
+ iamV2ManagerService = iamV2ManagerService
+ )
+
@Bean
fun migrateIamApiService() = MigrateIamApiService()
@@ -469,7 +502,9 @@ class RbacAuthConfiguration {
authMigrationDao: AuthMigrationDao,
authMonitorSpaceDao: AuthMonitorSpaceDao,
cacheService: RbacCacheService,
- permissionResourceMemberService: RbacPermissionResourceMemberService
+ permissionResourceMemberService: RbacPermissionResourceMemberService,
+ migrateResourceAuthorizationService: MigrateResourceAuthorizationService,
+ migrateResourceGroupService: MigrateResourceGroupService
) = RbacPermissionMigrateService(
client = client,
migrateResourceService = migrateResourceService,
@@ -485,7 +520,9 @@ class RbacAuthConfiguration {
authMigrationDao = authMigrationDao,
authMonitorSpaceDao = authMonitorSpaceDao,
cacheService = cacheService,
- permissionResourceMemberService = permissionResourceMemberService
+ permissionResourceMemberService = permissionResourceMemberService,
+ migrateResourceAuthorizationService = migrateResourceAuthorizationService,
+ migrateResourceGroupService = migrateResourceGroupService
)
@Bean
@@ -533,4 +570,29 @@ class RbacAuthConfiguration {
objectMapper = objectMapper,
systemService = systemService
)
+
+ @Bean
+ fun permissionResourceGroupSyncService(
+ client: Client,
+ dslContext: DSLContext,
+ authResourceService: AuthResourceService,
+ authResourceGroupDao: AuthResourceGroupDao,
+ iamV2ManagerService: V2ManagerService,
+ authResourceGroupMemberDao: AuthResourceGroupMemberDao,
+ rbacCacheService: RbacCacheService,
+ redisOperation: RedisOperation,
+ authResourceSyncDao: AuthResourceSyncDao,
+ authResourceGroupApplyDao: AuthResourceGroupApplyDao
+ ) = RbacPermissionResourceGroupSyncService(
+ client = client,
+ dslContext = dslContext,
+ authResourceService = authResourceService,
+ authResourceGroupDao = authResourceGroupDao,
+ iamV2ManagerService = iamV2ManagerService,
+ authResourceGroupMemberDao = authResourceGroupMemberDao,
+ rbacCacheService = rbacCacheService,
+ redisOperation = redisOperation,
+ authResourceSyncDao = authResourceSyncDao,
+ authResourceGroupApplyDao = authResourceGroupApplyDao
+ )
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacMQConfiguration.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacMQConfiguration.kt
index ea3e33d5493..d4476144f65 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacMQConfiguration.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacMQConfiguration.kt
@@ -32,8 +32,10 @@ import com.tencent.devops.auth.dao.AuthItsmCallbackDao
import com.tencent.devops.auth.provider.rbac.listener.AuthItsmCallbackListener
import com.tencent.devops.auth.provider.rbac.listener.AuthResourceGroupCreateListener
import com.tencent.devops.auth.provider.rbac.listener.AuthResourceGroupModifyListener
+import com.tencent.devops.auth.provider.rbac.listener.SyncGroupAndMemberListener
import com.tencent.devops.auth.provider.rbac.service.PermissionGradeManagerService
import com.tencent.devops.auth.provider.rbac.service.PermissionSubsetManagerService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.common.client.Client
import com.tencent.devops.common.event.dispatcher.pipeline.mq.MQ
import com.tencent.devops.common.event.dispatcher.pipeline.mq.Tools
@@ -42,6 +44,7 @@ import org.jooq.DSLContext
import org.springframework.amqp.core.Binding
import org.springframework.amqp.core.BindingBuilder
import org.springframework.amqp.core.DirectExchange
+import org.springframework.amqp.core.FanoutExchange
import org.springframework.amqp.core.Queue
import org.springframework.amqp.rabbit.connection.ConnectionFactory
import org.springframework.amqp.rabbit.core.RabbitAdmin
@@ -62,6 +65,55 @@ class RbacMQConfiguration {
@Bean
fun traceEventDispatcher(rabbitTemplate: RabbitTemplate) = TraceEventDispatcher(rabbitTemplate)
+ @Bean
+ fun projectEnableExchange(): FanoutExchange {
+ val fanoutExchange = FanoutExchange(MQ.EXCHANGE_PROJECT_ENABLE_FANOUT, true, false)
+ fanoutExchange.isDelayed = true
+ return fanoutExchange
+ }
+
+ @Bean
+ fun syncWhenEnabledProjectQueue(): Queue {
+ return Queue(MQ.QUEUE_PROJECT_ENABLED_SYNC_GROUP_AND_MEMBER, true)
+ }
+
+ @Bean
+ fun syncWhenEnabledProjectBind(
+ @Autowired syncWhenEnabledProjectQueue: Queue,
+ @Autowired projectEnableExchange: FanoutExchange
+ ): Binding {
+ return BindingBuilder.bind(syncWhenEnabledProjectQueue).to(projectEnableExchange)
+ }
+
+ @Bean
+ fun syncGroupAndMemberListener(
+ permissionResourceGroupSyncService: PermissionResourceGroupSyncService
+ ) = SyncGroupAndMemberListener(
+ permissionResourceGroupSyncService = permissionResourceGroupSyncService
+ )
+
+ @Bean
+ fun syncEventListenerContainer(
+ @Autowired connectionFactory: ConnectionFactory,
+ @Autowired syncWhenEnabledProjectQueue: Queue,
+ @Autowired rabbitAdmin: RabbitAdmin,
+ @Autowired syncGroupAndMemberListener: SyncGroupAndMemberListener,
+ @Autowired messageConverter: Jackson2JsonMessageConverter
+ ): SimpleMessageListenerContainer {
+ val adapter = MessageListenerAdapter(syncGroupAndMemberListener, syncGroupAndMemberListener::execute.name)
+ adapter.setMessageConverter(messageConverter)
+ return Tools.createSimpleMessageListenerContainerByAdapter(
+ connectionFactory = connectionFactory,
+ queue = syncWhenEnabledProjectQueue,
+ rabbitAdmin = rabbitAdmin,
+ adapter = adapter,
+ startConsumerMinInterval = 5000,
+ consecutiveActiveTrigger = 5,
+ concurrency = 10,
+ maxConcurrency = 20
+ )
+ }
+
@Bean
fun authRbacExchange(): DirectExchange {
val directExchange = DirectExchange(MQ.EXCHANGE_AUTH_RBAC_LISTENER_EXCHANGE, true, false)
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacServiceConfiguration.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacServiceConfiguration.kt
index d620b8c2d0a..1869a641a90 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacServiceConfiguration.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacServiceConfiguration.kt
@@ -37,6 +37,7 @@ import com.tencent.devops.auth.dao.AuthMonitorSpaceDao
import com.tencent.devops.auth.dao.AuthResourceDao
import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
import com.tencent.devops.auth.dao.AuthResourceTypeDao
import com.tencent.devops.auth.provider.rbac.service.AuthResourceCodeConverter
import com.tencent.devops.auth.provider.rbac.service.AuthResourceNameConverter
@@ -50,6 +51,7 @@ import com.tencent.devops.auth.service.AuthAuthorizationScopesService
import com.tencent.devops.auth.service.AuthProjectUserMetricsService
import com.tencent.devops.auth.service.BkHttpRequestService
import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.common.client.Client
import com.tencent.devops.common.event.dispatcher.trace.TraceEventDispatcher
import org.jooq.DSLContext
@@ -88,7 +90,8 @@ class RbacServiceConfiguration {
dslContext: DSLContext,
authResourceGroupDao: AuthResourceGroupDao,
authResourceGroupConfigDao: AuthResourceGroupConfigDao,
- authResourceNameConverter: AuthResourceNameConverter
+ authResourceNameConverter: AuthResourceNameConverter,
+ resourceGroupSyncService: PermissionResourceGroupSyncService
) = PermissionSubsetManagerService(
permissionGroupPoliciesService = permissionGroupPoliciesService,
authAuthorizationScopesService = authAuthorizationScopesService,
@@ -96,7 +99,8 @@ class RbacServiceConfiguration {
dslContext = dslContext,
authResourceGroupDao = authResourceGroupDao,
authResourceGroupConfigDao = authResourceGroupConfigDao,
- authResourceNameConverter = authResourceNameConverter
+ authResourceNameConverter = authResourceNameConverter,
+ resourceGroupSyncService = resourceGroupSyncService
)
@Bean
@@ -113,7 +117,8 @@ class RbacServiceConfiguration {
traceEventDispatcher: TraceEventDispatcher,
itsmService: ItsmService,
authAuthorizationScopesService: AuthAuthorizationScopesService,
- permissionResourceGroupService: PermissionResourceGroupService
+ permissionResourceGroupService: PermissionResourceGroupService,
+ resourceGroupSyncService: PermissionResourceGroupSyncService
) = PermissionGradeManagerService(
client = client,
iamV2ManagerService = iamV2ManagerService,
@@ -127,7 +132,8 @@ class RbacServiceConfiguration {
traceEventDispatcher = traceEventDispatcher,
itsmService = itsmService,
authAuthorizationScopesService = authAuthorizationScopesService,
- permissionResourceGroupService = permissionResourceGroupService
+ permissionResourceGroupService = permissionResourceGroupService,
+ resourceGroupSyncService = resourceGroupSyncService
)
@Bean
@@ -156,11 +162,13 @@ class RbacServiceConfiguration {
fun authResourceService(
dslContext: DSLContext,
authResourceDao: AuthResourceDao,
- authResourceGroupDao: AuthResourceGroupDao
+ authResourceGroupDao: AuthResourceGroupDao,
+ authResourceGroupMemberDao: AuthResourceGroupMemberDao
) = AuthResourceService(
dslContext = dslContext,
authResourceDao = authResourceDao,
- authResourceGroupDao = authResourceGroupDao
+ authResourceGroupDao = authResourceGroupDao,
+ authResourceGroupMemberDao = authResourceGroupMemberDao
)
@Bean
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/listener/SyncGroupAndMemberListener.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/listener/SyncGroupAndMemberListener.kt
new file mode 100644
index 00000000000..f8f142e02e0
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/listener/SyncGroupAndMemberListener.kt
@@ -0,0 +1,51 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.provider.rbac.listener
+
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
+import com.tencent.devops.common.event.listener.Listener
+import com.tencent.devops.project.pojo.mq.ProjectEnableStatusBroadCastEvent
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+
+class SyncGroupAndMemberListener @Autowired constructor(
+ private val permissionResourceGroupSyncService: PermissionResourceGroupSyncService
+) : Listener {
+
+ override fun execute(event: ProjectEnableStatusBroadCastEvent) {
+ logger.info("sync group and member when enabled project $event")
+ if (event.enabled) {
+ permissionResourceGroupSyncService.syncGroupAndMember(projectCode = event.projectId)
+ }
+ }
+
+ companion object {
+ private val logger = LoggerFactory.getLogger(SyncGroupAndMemberListener::class.java)
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt
index 364c1edc35d..bad925ae680 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt
@@ -31,6 +31,7 @@ package com.tencent.devops.auth.provider.rbac.service
import com.tencent.devops.auth.constant.AuthMessageCode
import com.tencent.devops.auth.dao.AuthResourceDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
import com.tencent.devops.auth.pojo.AuthResourceInfo
import com.tencent.devops.common.api.exception.ErrorCodeException
import com.tencent.devops.common.auth.api.pojo.DefaultGroupType
@@ -45,7 +46,8 @@ import java.time.ZoneId
class AuthResourceService @Autowired constructor(
private val dslContext: DSLContext,
private val authResourceDao: AuthResourceDao,
- private val authResourceGroupDao: AuthResourceGroupDao
+ private val authResourceGroupDao: AuthResourceGroupDao,
+ private val authResourceGroupMemberDao: AuthResourceGroupMemberDao
) {
companion object {
@@ -111,6 +113,12 @@ class AuthResourceService @Autowired constructor(
resourceType = resourceType,
resourceCode = resourceCode
)
+ authResourceGroupMemberDao.deleteByResource(
+ dslContext = transactionContext,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ )
}
}
@@ -174,7 +182,7 @@ class AuthResourceService @Autowired constructor(
resourceCode = resourceCode
).filter {
it.groupCode != DefaultGroupType.MANAGER.value
- }.map { it.id }
+ }.map { it.id!! }
dslContext.transaction { configuration ->
val transactionContext = DSL.using(configuration)
authResourceDao.disable(
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionGradeManagerService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionGradeManagerService.kt
index 2b1bf267987..cd5ac421c25 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionGradeManagerService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionGradeManagerService.kt
@@ -50,6 +50,7 @@ import com.tencent.devops.auth.provider.rbac.pojo.event.AuthResourceGroupCreateE
import com.tencent.devops.auth.provider.rbac.pojo.event.AuthResourceGroupModifyEvent
import com.tencent.devops.auth.service.AuthAuthorizationScopesService
import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.common.api.exception.ErrorCodeException
import com.tencent.devops.common.api.util.PageUtil
import com.tencent.devops.common.api.util.UUIDUtil
@@ -87,7 +88,8 @@ class PermissionGradeManagerService @Autowired constructor(
private val traceEventDispatcher: TraceEventDispatcher,
private val itsmService: ItsmService,
private val authAuthorizationScopesService: AuthAuthorizationScopesService,
- private val permissionResourceGroupService: PermissionResourceGroupService
+ private val permissionResourceGroupService: PermissionResourceGroupService,
+ private val resourceGroupSyncService: PermissionResourceGroupSyncService
) {
companion object {
@@ -422,6 +424,8 @@ class PermissionGradeManagerService @Autowired constructor(
groupCode = groupConfig.groupCode
)
}
+ // 分级管理员创建后,需要同步下组、成员和分级管理员
+ resourceGroupSyncService.syncGroupAndMember(projectCode = projectCode)
}
fun modifyGradeDefaultGroup(
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionSubsetManagerService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionSubsetManagerService.kt
index d21766e46b8..2b26f9d4fef 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionSubsetManagerService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionSubsetManagerService.kt
@@ -39,6 +39,7 @@ import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
import com.tencent.devops.auth.provider.rbac.pojo.enums.AuthGroupCreateMode
import com.tencent.devops.auth.service.AuthAuthorizationScopesService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.common.api.exception.ErrorCodeException
import com.tencent.devops.common.api.util.PageUtil
import com.tencent.devops.common.auth.api.AuthResourceType
@@ -54,7 +55,8 @@ class PermissionSubsetManagerService @Autowired constructor(
private val dslContext: DSLContext,
private val authResourceGroupDao: AuthResourceGroupDao,
private val authResourceGroupConfigDao: AuthResourceGroupConfigDao,
- private val authResourceNameConverter: AuthResourceNameConverter
+ private val authResourceNameConverter: AuthResourceNameConverter,
+ private val resourceGroupSyncService: PermissionResourceGroupSyncService
) {
companion object {
@@ -265,6 +267,8 @@ class PermissionSubsetManagerService @Autowired constructor(
resourceName = resourceName,
iamGroupId = iamGroupId
)
+ // 这里做个兜底,刚创建的组应该是没有成员
+ resourceGroupSyncService.syncIamGroupMember(projectCode = projectCode, iamGroupId = iamGroupId)
}
}
@@ -308,6 +312,8 @@ class PermissionSubsetManagerService @Autowired constructor(
defaultGroup = true,
relationId = iamGroupInfo.id.toString()
)
+ // 同步拥有者组里面的成员
+ resourceGroupSyncService.syncIamGroupMember(projectCode = projectCode, iamGroupId = iamGroupInfo.id)
}
}
@@ -351,7 +357,7 @@ class PermissionSubsetManagerService @Autowired constructor(
it.groupCode != DefaultGroupType.MANAGER.value
}.forEach {
logger.info("delete subset manage default group|$subsetManagerId|${it.relationId}")
- iamV2ManagerService.deleteRoleGroupV2(it.relationId.toInt())
+ iamV2ManagerService.deleteRoleGroupV2(it.relationId)
}
}
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt
index a0cd0e7ea2b..7e670bf6409 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt
@@ -11,6 +11,7 @@ import com.tencent.devops.auth.constant.AuthI18nConstants
import com.tencent.devops.auth.constant.AuthI18nConstants.ACTION_NAME_SUFFIX
import com.tencent.devops.auth.constant.AuthI18nConstants.AUTH_RESOURCE_GROUP_CONFIG_GROUP_NAME_SUFFIX
import com.tencent.devops.auth.constant.AuthMessageCode
+import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao
import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
import com.tencent.devops.auth.pojo.ApplyJoinGroupFormDataInfo
@@ -25,6 +26,7 @@ import com.tencent.devops.auth.pojo.vo.AuthApplyRedirectInfoVo
import com.tencent.devops.auth.pojo.vo.AuthRedirectGroupInfoVo
import com.tencent.devops.auth.pojo.vo.ManagerRoleGroupVO
import com.tencent.devops.auth.pojo.vo.ResourceTypeInfoVo
+import com.tencent.devops.auth.service.DeptService
import com.tencent.devops.auth.service.GroupUserService
import com.tencent.devops.auth.service.iam.PermissionApplyService
import com.tencent.devops.auth.service.iam.PermissionService
@@ -62,7 +64,9 @@ class RbacPermissionApplyService @Autowired constructor(
val client: Client,
val authResourceCodeConverter: AuthResourceCodeConverter,
val permissionService: PermissionService,
- val itsmService: ItsmService
+ val itsmService: ItsmService,
+ val deptService: DeptService,
+ val authResourceGroupApplyDao: AuthResourceGroupApplyDao
) : PermissionApplyService {
@Value("\${auth.iamSystem:}")
private val systemId = ""
@@ -89,7 +93,8 @@ class RbacPermissionApplyService @Autowired constructor(
): ManagerRoleGroupVO {
logger.info("RbacPermissionApplyService|listGroups:searchGroupInfo=$searchGroupInfo")
verifyProjectRouterTag(projectId)
-
+ // 校验新用户信息是否同步完成
+ isUserExists(userId)
val projectInfo = authResourceService.get(
projectCode = projectId,
resourceType = AuthResourceType.PROJECT.value,
@@ -147,6 +152,17 @@ class RbacPermissionApplyService @Autowired constructor(
)
}
+ private fun isUserExists(userId: String) {
+ // 校验新用户信息是否同步完成
+ val userExists = deptService.getUserInfo(userId = "admin", name = userId) != null
+ if (!userExists) {
+ logger.warn("user($userId) does not exist")
+ throw ErrorCodeException(
+ errorCode = AuthMessageCode.ERROR_USER_INFORMATION_NOT_SYNCED
+ )
+ }
+ }
+
private fun buildBkIamPath(
userId: String,
resourceType: String?,
@@ -334,6 +350,11 @@ class RbacPermissionApplyService @Autowired constructor(
.reason(applyJoinGroupInfo.reason).build()
logger.info("apply to join group: iamApplicationDTO=$iamApplicationDTO")
v2ManagerService.createRoleGroupApplicationV2(iamApplicationDTO)
+ // 记录单据,用于同步用户组
+ authResourceGroupApplyDao.batchCreate(
+ dslContext = dslContext,
+ applyJoinGroupInfo = applyJoinGroupInfo
+ )
} catch (e: Exception) {
throw ErrorCodeException(
errorCode = AuthMessageCode.APPLY_TO_JOIN_GROUP_FAIL,
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt
index 3fe23381ab8..62e0309f4e4 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt
@@ -28,6 +28,7 @@
package com.tencent.devops.auth.provider.rbac.service
+import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
import com.tencent.bk.sdk.iam.dto.InstancesDTO
import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
import com.tencent.bk.sdk.iam.dto.manager.ManagerRoleGroup
@@ -44,8 +45,10 @@ import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_GROUP_NAME_TO_SHOR
import com.tencent.devops.auth.constant.AuthMessageCode.GROUP_EXIST
import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
import com.tencent.devops.auth.pojo.RelatedResourceInfo
import com.tencent.devops.auth.pojo.dto.GroupAddDTO
+import com.tencent.devops.auth.pojo.dto.ListGroupConditionDTO
import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
import com.tencent.devops.auth.pojo.enum.GroupMemberStatus
import com.tencent.devops.auth.pojo.vo.GroupPermissionDetailVo
@@ -53,33 +56,33 @@ import com.tencent.devops.auth.pojo.vo.IamGroupInfoVo
import com.tencent.devops.auth.pojo.vo.IamGroupMemberInfoVo
import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo
import com.tencent.devops.auth.service.AuthMonitorSpaceService
-import com.tencent.devops.auth.service.iam.PermissionProjectService
import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
import com.tencent.devops.common.api.exception.ErrorCodeException
-import com.tencent.devops.common.api.exception.PermissionForbiddenException
import com.tencent.devops.common.api.pojo.Pagination
import com.tencent.devops.common.api.util.DateTimeUtil
+import com.tencent.devops.common.api.util.MessageUtil
import com.tencent.devops.common.api.util.PageUtil
import com.tencent.devops.common.auth.api.AuthResourceType
import com.tencent.devops.common.web.utils.I18nUtil
import org.jooq.DSLContext
+import org.jooq.impl.DSL
import org.slf4j.LoggerFactory
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.beans.factory.annotation.Value
-@Suppress("LongParameterList")
+@Suppress("LongParameterList", "IMPLICIT_CAST_TO_ANY")
class RbacPermissionResourceGroupService @Autowired constructor(
private val iamV2ManagerService: V2ManagerService,
private val authResourceService: AuthResourceService,
private val permissionSubsetManagerService: PermissionSubsetManagerService,
- private val permissionProjectService: PermissionProjectService,
private val permissionGroupPoliciesService: PermissionGroupPoliciesService,
private val dslContext: DSLContext,
private val authResourceGroupDao: AuthResourceGroupDao,
private val v2ManagerService: V2ManagerService,
private val rbacCacheService: RbacCacheService,
private val monitorSpaceService: AuthMonitorSpaceService,
- private val authResourceGroupConfigDao: AuthResourceGroupConfigDao
+ private val authResourceGroupConfigDao: AuthResourceGroupConfigDao,
+ private val authResourceGroupMemberDao: AuthResourceGroupMemberDao
) : PermissionResourceGroupService {
@Value("\${auth.iamSystem:}")
private val systemId = ""
@@ -94,76 +97,116 @@ class RbacPermissionResourceGroupService @Autowired constructor(
private val logger = LoggerFactory.getLogger(RbacPermissionResourceGroupService::class.java)
private const val MAX_GROUP_NAME_LENGTH = 32
private const val MIN_GROUP_NAME_LENGTH = 5
-
- // 毫秒转换
- private const val MILLISECOND = 1000
+ private const val FIRST_PAGE = 1
}
override fun listGroup(
- projectId: String,
- resourceType: String,
- resourceCode: String,
- page: Int,
- pageSize: Int
+ userId: String,
+ listGroupConditionDTO: ListGroupConditionDTO
): Pagination {
- val resourceInfo = authResourceService.get(
- projectCode = projectId,
- resourceType = resourceType,
- resourceCode = resourceCode
- )
- val validPage = PageUtil.getValidPage(page)
- val validPageSize = PageUtil.getValidPageSize(pageSize)
- val iamGroupInfoList = if (resourceType == AuthResourceType.PROJECT.value) {
- val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
- val pageInfoDTO = V2PageInfoDTO()
- pageInfoDTO.page = page
- pageInfoDTO.pageSize = pageSize
- val iamGroupInfoList = iamV2ManagerService.getGradeManagerRoleGroupV2(
- resourceInfo.relationId,
- searchGroupDTO,
- pageInfoDTO
- )
- iamGroupInfoList.results
- } else {
- permissionSubsetManagerService.listGroup(
- subsetManagerId = resourceInfo.relationId,
- page = validPage,
- pageSize = validPageSize
+ with(listGroupConditionDTO) {
+ val resourceInfo = authResourceService.get(
+ projectCode = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode
)
- }
- val resourceGroupMap = authResourceGroupDao.getByResourceCode(
- dslContext = dslContext,
- projectCode = projectId,
- resourceType = resourceType,
- resourceCode = resourceCode
- ).associateBy { it.relationId.toInt() }
- val iamGroupInfoVoList = iamGroupInfoList.map {
- val resourceGroup = resourceGroupMap[it.id]
- val defaultGroup = resourceGroup?.defaultGroup ?: false
- // 默认组名需要支持国际化
- val groupName = if (defaultGroup) {
- I18nUtil.getCodeLanMessage(
- messageCode = "${resourceGroup!!.resourceType}.${resourceGroup.groupCode}" +
- AuthI18nConstants.AUTH_RESOURCE_GROUP_CONFIG_GROUP_NAME_SUFFIX,
- defaultMessage = resourceGroup.groupName
+ val validPage = PageUtil.getValidPage(page)
+ val validPageSize = PageUtil.getValidPageSize(pageSize)
+ val iamGroupInfoList = if (resourceType == AuthResourceType.PROJECT.value) {
+ val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
+ val pageInfoDTO = V2PageInfoDTO()
+ pageInfoDTO.page = page
+ pageInfoDTO.pageSize = pageSize
+ val iamGroupInfoList = iamV2ManagerService.getGradeManagerRoleGroupV2(
+ resourceInfo.relationId,
+ searchGroupDTO,
+ pageInfoDTO
)
+ iamGroupInfoList.results
} else {
- it.name
+ permissionSubsetManagerService.listGroup(
+ subsetManagerId = resourceInfo.relationId,
+ page = validPage,
+ pageSize = validPageSize
+ )
}
- IamGroupInfoVo(
+ val resourceGroupMap = authResourceGroupDao.getByResourceCode(
+ dslContext = dslContext,
+ projectCode = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ ).associateBy { it.relationId }
+ val iamGroupInfoVoList = iamGroupInfoList.map {
+ val resourceGroup = resourceGroupMap[it.id]
+ val defaultGroup = resourceGroup?.defaultGroup ?: false
+ // 默认组名需要支持国际化
+ val groupName = if (defaultGroup) {
+ I18nUtil.getCodeLanMessage(
+ messageCode = "${resourceGroup!!.resourceType}.${resourceGroup.groupCode}" +
+ AuthI18nConstants.AUTH_RESOURCE_GROUP_CONFIG_GROUP_NAME_SUFFIX,
+ defaultMessage = resourceGroup.groupName
+ )
+ } else {
+ it.name
+ }
+ IamGroupInfoVo(
+ managerId = resourceInfo.relationId.toInt(),
+ defaultGroup = defaultGroup,
+ groupId = it.id,
+ name = groupName,
+ displayName = it.name,
+ userCount = it.userCount,
+ departmentCount = it.departmentCount,
+ templateCount = it.templateCount
+ )
+ }.toMutableList().plusAllProjectMemberGroup(
+ userId = userId,
managerId = resourceInfo.relationId.toInt(),
- defaultGroup = defaultGroup,
- groupId = it.id,
- name = groupName,
- displayName = it.name,
- userCount = it.userCount,
- departmentCount = it.departmentCount
+ condition = listGroupConditionDTO
+ ).sortedBy { it.groupId }
+ return Pagination(
+ hasNext = iamGroupInfoVoList.size == pageSize,
+ records = iamGroupInfoVoList
)
- }.sortedBy { it.groupId }
- return Pagination(
- hasNext = iamGroupInfoVoList.size == pageSize,
- records = iamGroupInfoVoList
- )
+ }
+ }
+
+ private fun MutableList.plusAllProjectMemberGroup(
+ userId: String,
+ managerId: Int,
+ condition: ListGroupConditionDTO
+ ): List {
+ val shouldPlusAllProjectMemberGroup =
+ condition.page == FIRST_PAGE &&
+ condition.resourceType == AuthResourceType.PROJECT.value &&
+ condition.getAllProjectMembersGroup
+
+ if (shouldPlusAllProjectMemberGroup) {
+ val projectMemberCount = authResourceGroupMemberDao.countProjectMember(
+ dslContext = dslContext,
+ projectCode = condition.projectId
+ )
+ val userCount = projectMemberCount[ManagerScopesEnum.getType(ManagerScopesEnum.USER)] ?: 0
+ val departmentCount = projectMemberCount[ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT)] ?: 0
+ val allProjectMemberGroup = IamGroupInfoVo(
+ managerId = managerId,
+ defaultGroup = true,
+ groupId = 0,
+ name = MessageUtil.getMessageByLocale(
+ AuthI18nConstants.BK_ALL_PROJECT_MEMBERS_GROUP,
+ I18nUtil.getLanguage(userId)
+ ),
+ displayName = MessageUtil.getMessageByLocale(
+ AuthI18nConstants.BK_ALL_PROJECT_MEMBERS_GROUP,
+ I18nUtil.getLanguage(userId)
+ ),
+ userCount = userCount,
+ departmentCount = departmentCount,
+ projectMemberGroup = true
+ )
+ this.add(0, allProjectMemberGroup)
+ }
+ return this
}
override fun listUserBelongGroup(
@@ -199,8 +242,7 @@ class RbacPermissionResourceGroupService @Autowired constructor(
Pair(
GroupMemberStatus.EXPIRED.name,
I18nUtil.getCodeLanMessage(
- AUTH_GROUP_MEMBER_EXPIRED_DESC,
- "expired"
+ AUTH_GROUP_MEMBER_EXPIRED_DESC
)
)
} else {
@@ -253,12 +295,6 @@ class RbacPermissionResourceGroupService @Autowired constructor(
groupId: Int
): Boolean {
logger.info("delete group|$userId|$projectId|$resourceType|$groupId")
- if (userId != null) {
- checkProjectManager(
- userId = userId,
- projectId = projectId
- )
- }
val authResourceGroup = authResourceGroupDao.getByRelationId(
dslContext = dslContext,
projectCode = projectId,
@@ -273,29 +309,22 @@ class RbacPermissionResourceGroupService @Autowired constructor(
iamV2ManagerService.deleteRoleGroupV2(groupId)
// 迁移的用户组,非默认的也会保存,删除时也应该删除
if (authResourceGroup != null) {
- authResourceGroupDao.deleteByIds(
- dslContext = dslContext,
- ids = listOf(authResourceGroup.id)
- )
+ dslContext.transaction { configuration ->
+ val context = DSL.using(configuration)
+ authResourceGroupDao.deleteByIds(
+ dslContext = context,
+ ids = listOf(authResourceGroup.id)
+ )
+ authResourceGroupMemberDao.deleteByIamGroupId(
+ dslContext = context,
+ projectCode = projectId,
+ iamGroupId = groupId
+ )
+ }
}
return true
}
- private fun checkProjectManager(
- userId: String,
- projectId: String
- ) {
- val hasProjectManagePermission = permissionProjectService.checkProjectManager(
- userId = userId,
- projectCode = projectId
- )
- if (!hasProjectManagePermission) {
- throw PermissionForbiddenException(
- message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
- )
- }
- }
-
override fun createGroup(
projectId: String,
groupAddDTO: GroupAddDTO
@@ -367,10 +396,6 @@ class RbacPermissionResourceGroupService @Autowired constructor(
defaultMessage = "group name cannot be less than 5 characters"
)
}
- checkProjectManager(
- userId = userId,
- projectId = projectId
- )
val authResourceGroup = authResourceGroupDao.getByRelationId(
dslContext = dslContext,
projectCode = projectId,
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
new file mode 100644
index 00000000000..6a2a651e8ee
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
@@ -0,0 +1,678 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.provider.rbac.service
+
+import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
+import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
+import com.tencent.bk.sdk.iam.exception.IamException
+import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
+import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao
+import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
+import com.tencent.devops.auth.dao.AuthResourceSyncDao
+import com.tencent.devops.auth.pojo.AuthResourceGroup
+import com.tencent.devops.auth.pojo.AuthResourceGroupMember
+import com.tencent.devops.auth.pojo.enum.ApplyToGroupStatus
+import com.tencent.devops.auth.pojo.enum.AuthMigrateStatus
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
+import com.tencent.devops.auth.service.lock.SyncGroupAndMemberLock
+import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.util.DateTimeUtil
+import com.tencent.devops.common.api.util.PageUtil
+import com.tencent.devops.common.auth.api.AuthResourceType
+import com.tencent.devops.common.auth.api.pojo.DefaultGroupType
+import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
+import com.tencent.devops.common.client.Client
+import com.tencent.devops.common.redis.RedisOperation
+import com.tencent.devops.common.service.trace.TraceTag
+import com.tencent.devops.model.auth.tables.records.TAuthResourceGroupApplyRecord
+import com.tencent.devops.project.api.service.ServiceProjectResource
+import org.jooq.DSLContext
+import org.jooq.impl.DSL
+import org.slf4j.LoggerFactory
+import org.slf4j.MDC
+import org.springframework.beans.factory.annotation.Autowired
+import java.util.concurrent.CompletableFuture
+import java.util.concurrent.CompletionException
+import java.util.concurrent.Executors
+
+@Suppress("LongParameterList")
+class RbacPermissionResourceGroupSyncService @Autowired constructor(
+ private val client: Client,
+ private val dslContext: DSLContext,
+ private val authResourceService: AuthResourceService,
+ private val authResourceGroupDao: AuthResourceGroupDao,
+ private val iamV2ManagerService: V2ManagerService,
+ private val authResourceGroupMemberDao: AuthResourceGroupMemberDao,
+ private val rbacCacheService: RbacCacheService,
+ private val redisOperation: RedisOperation,
+ private val authResourceSyncDao: AuthResourceSyncDao,
+ private val authResourceGroupApplyDao: AuthResourceGroupApplyDao
+) : PermissionResourceGroupSyncService {
+ companion object {
+ private val logger = LoggerFactory.getLogger(RbacPermissionResourceGroupSyncService::class.java)
+ private val syncExecutorService = Executors.newFixedThreadPool(5)
+ private val syncProjectsExecutorService = Executors.newFixedThreadPool(10)
+ private val syncResourceMemberExecutorService = Executors.newFixedThreadPool(50)
+ private const val MAX_NUMBER_OF_CHECKS = 120
+ }
+
+ override fun syncByCondition(projectConditionDTO: ProjectConditionDTO) {
+ logger.info("start to migrate project by condition|$projectConditionDTO")
+ val traceId = MDC.get(TraceTag.BIZID)
+ syncExecutorService.submit {
+ MDC.put(TraceTag.BIZID, traceId)
+ var offset = 0
+ val limit = PageUtil.MAX_PAGE_SIZE / 2
+ do {
+ val projectCodes = client.get(ServiceProjectResource::class).listProjectsByCondition(
+ projectConditionDTO = projectConditionDTO,
+ limit = limit,
+ offset = offset
+ ).data ?: break
+ batchSyncGroupAndMember(projectCodes = projectCodes.map { it.englishName })
+ offset += limit
+ } while (projectCodes.size == limit)
+ }
+ }
+
+ override fun batchSyncGroupAndMember(projectCodes: List) {
+ logger.info("sync all group and member|$projectCodes")
+ if (projectCodes.isEmpty()) return
+ projectCodes.forEach { projectCode ->
+ syncGroupAndMember(projectCode = projectCode)
+ }
+ }
+
+ override fun batchSyncProjectGroup(projectCodes: List) {
+ logger.info("sync all group|$projectCodes")
+ if (projectCodes.isEmpty()) return
+ val traceId = MDC.get(TraceTag.BIZID)
+ projectCodes.forEach { projectCode ->
+ syncProjectsExecutorService.submit {
+ MDC.put(TraceTag.BIZID, traceId)
+ syncProjectGroup(projectCode = projectCode)
+ }
+ }
+ }
+
+ override fun batchSyncAllMember(projectCodes: List) {
+ logger.info("sync all member|$projectCodes")
+ if (projectCodes.isEmpty()) return
+ val traceId = MDC.get(TraceTag.BIZID)
+ projectCodes.forEach { projectCode ->
+ syncProjectsExecutorService.submit {
+ MDC.put(TraceTag.BIZID, traceId)
+ syncResourceGroupMember(projectCode = projectCode)
+ }
+ }
+ }
+
+ override fun syncResourceMember(projectCode: String, resourceType: String, resourceCode: String) {
+ logger.info("sync resource member|$projectCode|$resourceType|$resourceCode")
+ val resourceGroups = authResourceGroupDao.getByResourceCode(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ )
+ resourceGroups.forEach { resourceGroup ->
+ syncResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = resourceGroup.groupCode,
+ iamGroupId = resourceGroup.relationId
+ )
+ }
+ }
+
+ override fun syncIamGroupMember(projectCode: String, iamGroupId: Int) {
+ logger.info("sync resource member|$projectCode|$iamGroupId")
+ val resourceGroup = authResourceGroupDao.getByRelationId(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupId = iamGroupId.toString()
+ ) ?: return
+ syncResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceGroup.resourceType,
+ resourceCode = resourceGroup.resourceCode,
+ groupCode = resourceGroup.groupCode,
+ iamGroupId = iamGroupId
+ )
+ }
+
+ override fun syncIamGroupMembersOfApply() {
+ val traceId = MDC.get(TraceTag.BIZID)
+ syncExecutorService.submit {
+ MDC.put(TraceTag.BIZID, traceId)
+ val limit = 100
+ var offset = 0
+ val startEpoch = System.currentTimeMillis()
+ val finalRecordIdsOfTimeOut = mutableListOf()
+ val finalRecordsOfPending = mutableListOf()
+ val finalRecordsOfSuccess = mutableListOf()
+ do {
+ logger.info("sync members of apply | start")
+ val records = authResourceGroupApplyDao.list(
+ dslContext = dslContext,
+ limit = limit,
+ offset = offset
+ )
+ val recordIdsOfTimeOut = records.filter { it.numberOfChecks >= MAX_NUMBER_OF_CHECKS }.map { it.id }
+ val (recordsOfSuccess, recordsOfPending) = records.filterNot {
+ recordIdsOfTimeOut.contains(it.id)
+ }.partition {
+ try {
+ val isMemberJoinedToGroup = iamV2ManagerService.verifyGroupValidMember(
+ it.memberId,
+ it.iamGroupId.toString()
+ )[it.iamGroupId]?.belong == true
+ isMemberJoinedToGroup
+ } catch (ignore: Exception) {
+ logger.warn("verify group valid member failed,${it.memberId}|${it.iamGroupId}", ignore)
+ false
+ }
+ }
+ finalRecordIdsOfTimeOut.addAll(recordIdsOfTimeOut)
+ finalRecordsOfPending.addAll(recordsOfPending)
+ finalRecordsOfSuccess.addAll(recordsOfSuccess)
+ offset += limit
+ } while (records.size == limit)
+ if (finalRecordIdsOfTimeOut.isNotEmpty()) {
+ authResourceGroupApplyDao.batchUpdate(
+ dslContext = dslContext,
+ ids = finalRecordIdsOfTimeOut,
+ applyToGroupStatus = ApplyToGroupStatus.TIME_OUT
+ )
+ }
+ if (finalRecordsOfPending.isNotEmpty()) {
+ authResourceGroupApplyDao.batchUpdate(
+ dslContext = dslContext,
+ ids = finalRecordsOfPending.map { it.id },
+ applyToGroupStatus = ApplyToGroupStatus.PENDING
+ )
+ }
+ if (finalRecordsOfSuccess.isNotEmpty()) {
+ finalRecordsOfSuccess.forEach {
+ syncIamGroupMember(
+ projectCode = it.projectCode,
+ iamGroupId = it.iamGroupId
+ )
+ }
+ authResourceGroupApplyDao.batchUpdate(
+ dslContext = dslContext,
+ ids = finalRecordsOfSuccess.map { it.id },
+ applyToGroupStatus = ApplyToGroupStatus.SUCCEED
+ )
+ }
+ logger.info("It take(${System.currentTimeMillis() - startEpoch})ms to sync members of apply")
+ }
+ }
+
+ override fun syncGroupAndMember(projectCode: String) {
+ val traceId = MDC.get(TraceTag.BIZID)
+ syncProjectsExecutorService.submit {
+ MDC.put(TraceTag.BIZID, traceId)
+ SyncGroupAndMemberLock(redisOperation, projectCode).use { lock ->
+ if (!lock.tryLock()) {
+ logger.info("sync group and member|running:$projectCode")
+ return@use
+ }
+ val startEpoch = System.currentTimeMillis()
+ try {
+ logger.info("sync group and member|start:$projectCode")
+ authResourceSyncDao.createOrUpdate(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ status = AuthMigrateStatus.PENDING.value
+ )
+ // 同步项目下的组信息
+ syncProjectGroup(projectCode = projectCode)
+ // 同步组成员
+ syncResourceGroupMember(projectCode = projectCode)
+ // 防止出现用户组表的数据已经删了,但是用户组成员表的数据未删除,导致出现不同步,调用iam接口报错问题。
+ fixResourceGroupMember(projectCode = projectCode)
+ // 记录完成状态
+ authResourceSyncDao.updateStatus(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ status = AuthMigrateStatus.SUCCEED.value,
+ totalTime = System.currentTimeMillis() - startEpoch
+ )
+ logger.info(
+ "It take(${System.currentTimeMillis() - startEpoch})ms to sync " +
+ "project group and members $projectCode"
+ )
+ } catch (ex: Exception) {
+ handleException(
+ exception = ex,
+ projectCode = projectCode,
+ totalTime = System.currentTimeMillis() - startEpoch
+ )
+ }
+ }
+ }
+ }
+
+ override fun getStatusOfSync(projectCode: String): AuthMigrateStatus {
+ val syncRecord = authResourceSyncDao.get(
+ dslContext = dslContext,
+ projectCode = projectCode
+ ) ?: return AuthMigrateStatus.SUCCEED
+ return AuthMigrateStatus.values().first { it.value == syncRecord.status }
+ }
+
+ private fun handleException(
+ totalTime: Long,
+ exception: Exception,
+ projectCode: String
+ ) {
+ val errorMessage = when (exception) {
+ is IamException -> {
+ exception.errorMsg
+ }
+ is ErrorCodeException -> {
+ exception.defaultMessage
+ }
+ is CompletionException -> {
+ exception.cause?.message ?: exception.message
+ }
+ else -> {
+ exception.toString()
+ }
+ }
+ logger.warn("sync group and member error! $projectCode", errorMessage)
+ authResourceSyncDao.updateStatus(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ status = AuthMigrateStatus.FAILED.value,
+ errorMessage = errorMessage,
+ totalTime = totalTime
+ )
+ }
+
+ @Suppress("NestedBlockDepth")
+ private fun syncProjectGroup(projectCode: String) {
+ val startEpoch = System.currentTimeMillis()
+ logger.info("start to sync project group :$projectCode")
+ try {
+ val projectInfo = authResourceService.get(
+ projectCode = projectCode,
+ resourceType = AuthResourceType.PROJECT.value,
+ resourceCode = projectCode
+ )
+
+ val projectGroupMap = authResourceGroupDao.getByResourceCode(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = AuthResourceType.PROJECT.value,
+ resourceCode = projectCode
+ ).associateBy { it.relationId }
+
+ // 查询项目下用户组列表
+ val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
+ val pageInfoDTO = V2PageInfoDTO().apply {
+ page = 1
+ pageSize = 1000
+ }
+ val iamGroupList = iamV2ManagerService.getGradeManagerRoleGroupV2(
+ projectInfo.relationId,
+ searchGroupDTO,
+ pageInfoDTO
+ ).results
+
+ // 查询人员模板列表
+ val templatePageInfoDTO = V2PageInfoDTO().apply {
+ page = 1
+ pageSize = 500
+ }
+ val templateMap = iamV2ManagerService.getGradeManagerRoleTemplate(
+ projectInfo.relationId,
+ null,
+ templatePageInfoDTO
+ ).results.associateBy { it.sourceGroupId }
+
+ val iamGroupMap = iamGroupList.associateBy { it.id }
+ val toDeleteGroups = projectGroupMap.filterKeys { !iamGroupMap.contains(it) }.values
+ val toUpdateGroups = mutableListOf()
+ val toAddGroups = mutableListOf()
+ if (toDeleteGroups.isNotEmpty()) {
+ logger.info("sync project group|delete group|${toDeleteGroups.map { it.groupName }}")
+ }
+
+ iamGroupList.forEach { iamGroupInfo ->
+ val templateId = templateMap[iamGroupInfo.id]?.id
+ if (projectGroupMap.contains(iamGroupInfo.id)) {
+ val projectGroup = projectGroupMap[iamGroupInfo.id]!!
+ // 用户组只有名称和描述可能会修改
+ if (projectGroup.groupName != iamGroupInfo.name ||
+ projectGroup.description != iamGroupInfo.description ||
+ projectGroup.iamTemplateId != templateId
+ ) {
+ toUpdateGroups.add(
+ projectGroup.copy(
+ groupName = iamGroupInfo.name,
+ description = iamGroupInfo.description,
+ iamTemplateId = templateId
+ )
+ )
+ }
+ } else {
+ toAddGroups.add(
+ AuthResourceGroup(
+ projectCode = projectCode,
+ resourceType = AuthResourceType.PROJECT.value,
+ resourceCode = projectCode,
+ resourceName = projectInfo.resourceName,
+ iamResourceCode = projectCode,
+ groupCode = DefaultGroupType.CUSTOM.value,
+ groupName = iamGroupInfo.name,
+ defaultGroup = false,
+ relationId = iamGroupInfo.id,
+ description = iamGroupInfo.description,
+ iamTemplateId = templateId
+ )
+ )
+ }
+ }
+ dslContext.transaction { configuration ->
+ val transactionContext = DSL.using(configuration)
+ authResourceGroupDao.deleteByIds(transactionContext, toDeleteGroups.map { it.id!! })
+ authResourceGroupDao.batchCreate(transactionContext, toAddGroups)
+ authResourceGroupDao.batchUpdate(transactionContext, toUpdateGroups)
+ }
+ } finally {
+ logger.info(
+ "It take(${System.currentTimeMillis() - startEpoch})ms to sync project group $projectCode"
+ )
+ }
+ }
+
+ @Suppress("SpreadOperator")
+ private fun syncResourceGroupMember(projectCode: String) {
+ val startEpoch = System.currentTimeMillis()
+ logger.info("start to sync resource group member:$projectCode")
+ try {
+ val resourceTypes = rbacCacheService.listResourceTypes().map { it.resourceType }
+ val traceId = MDC.get(TraceTag.BIZID)
+ val resourceTypeFuture = resourceTypes.map { resourceType ->
+ CompletableFuture.supplyAsync(
+ {
+ MDC.put(TraceTag.BIZID, traceId)
+ syncResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceType
+ )
+ },
+ syncResourceMemberExecutorService
+ )
+ }
+ CompletableFuture.allOf(*resourceTypeFuture.toTypedArray()).join()
+ } finally {
+ logger.info(
+ "It take(${System.currentTimeMillis() - startEpoch})ms to sync resource group member $projectCode"
+ )
+ }
+ }
+
+ override fun fixResourceGroupMember(projectCode: String) {
+ val limit = 100
+ var offset = 0
+ val startEpoch = System.currentTimeMillis()
+ logger.info("start to fix resource group member|$projectCode")
+ try {
+ do {
+ val resourceMemberGroupIds = authResourceGroupMemberDao.listProjectGroups(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ offset = offset,
+ limit = limit
+ )
+ val resourceGroupIds = authResourceGroupDao.listIamGroupIdsByConditions(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = resourceMemberGroupIds.map { it.toString() }
+ )
+ val unsyncGroupIds = resourceMemberGroupIds.filterNot { resourceGroupIds.contains(it) }
+ if (unsyncGroupIds.isNotEmpty()) {
+ authResourceGroupMemberDao.deleteByIamGroupIds(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = unsyncGroupIds
+ )
+ }
+ offset += limit
+ } while (resourceMemberGroupIds.size == limit)
+ } catch (ignored: Exception) {
+ logger.error("Failed to fix resource group member|$projectCode", ignored)
+ throw ignored
+ } finally {
+ logger.info(
+ "It take(${System.currentTimeMillis() - startEpoch})ms to fix resource group member|$projectCode"
+ )
+ }
+ }
+
+ private fun syncResourceGroupMember(projectCode: String, resourceType: String) {
+ val limit = 100
+ var offset = 0
+ val startEpoch = System.currentTimeMillis()
+ logger.info("start to sync resource group member|$projectCode|$resourceType")
+ try {
+ do {
+ val authResourceGroups = authResourceGroupDao.listGroupByResourceType(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ offset = offset,
+ limit = limit
+ )
+ authResourceGroups.forEach { authResourceGroup ->
+ try {
+ syncResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = authResourceGroup.resourceCode,
+ groupCode = authResourceGroup.groupCode,
+ iamGroupId = authResourceGroup.relationId
+ )
+ } catch (ignore: Exception) {
+ logger.warn(
+ "sync resource group member failed!" +
+ "|$projectCode|${authResourceGroup.relationId}|$ignore"
+ )
+ }
+ }
+ offset += limit
+ } while (authResourceGroups.size == limit)
+ } catch (ignored: Exception) {
+ logger.error("Failed to sync resource group member|$projectCode|$resourceType", ignored)
+ throw ignored
+ } finally {
+ logger.info(
+ "It take(${System.currentTimeMillis() - startEpoch})ms to migrate resource|$projectCode|$resourceType"
+ )
+ }
+ }
+
+ private fun syncResourceGroupMember(
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String,
+ groupCode: String,
+ iamGroupId: Int
+ ) {
+ val resourceGroupMembers = authResourceGroupMemberDao.listResourceGroupMember(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ iamGroupId = iamGroupId
+ )
+ val toDeleteMembers = mutableListOf()
+ val toUpdateMembers = mutableListOf()
+ val toAddMembers = mutableListOf()
+ syncIamGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = groupCode,
+ iamGroupId = iamGroupId,
+ resourceGroupMembers = resourceGroupMembers,
+ toDeleteMembers = toDeleteMembers,
+ toUpdateMembers = toUpdateMembers,
+ toAddMembers = toAddMembers
+ )
+ syncIamGroupTemplate(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = groupCode,
+ iamGroupId = iamGroupId,
+ resourceGroupMembers = resourceGroupMembers,
+ toDeleteMembers = toDeleteMembers,
+ toUpdateMembers = toUpdateMembers,
+ toAddMembers = toAddMembers
+ )
+ if (toDeleteMembers.isNotEmpty()) {
+ logger.info("sync resource group member|delete group|${toDeleteMembers.map { it.memberId }}")
+ }
+
+ dslContext.transaction { configuration ->
+ val transactionContext = DSL.using(configuration)
+ authResourceGroupMemberDao.batchDelete(transactionContext, toDeleteMembers.map { it.id!! }.toSet())
+ authResourceGroupMemberDao.batchCreate(transactionContext, toAddMembers)
+ authResourceGroupMemberDao.batchUpdate(transactionContext, toUpdateMembers)
+ }
+ }
+
+ /**
+ * 同步IAM用户组成员/组织
+ */
+ private fun syncIamGroupMember(
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String,
+ groupCode: String,
+ iamGroupId: Int,
+ resourceGroupMembers: List,
+ toDeleteMembers: MutableList,
+ toUpdateMembers: MutableList,
+ toAddMembers: MutableList
+ ) {
+ val resourceGroupMemberMap = resourceGroupMembers.filter {
+ it.memberType != ManagerScopesEnum.TEMPLATE.name
+ }.associateBy { it.memberId }
+
+ val pageInfoDTO = V2PageInfoDTO().apply {
+ pageSize = 1000
+ page = 1
+ }
+ val iamGroupMemberList = iamV2ManagerService.getRoleGroupMemberV2(iamGroupId, pageInfoDTO).results
+ val iamGroupMemberMap = iamGroupMemberList.associateBy { it.id }
+
+ toDeleteMembers.addAll(resourceGroupMemberMap.filterKeys { !iamGroupMemberMap.contains(it) }.values)
+ iamGroupMemberList.forEach { iamGroupMember ->
+ val expiredTime = DateTimeUtil.convertTimestampToLocalDateTime(iamGroupMember.expiredAt)
+ if (resourceGroupMemberMap.contains(iamGroupMember.id)) {
+ val resourceGroupMember = resourceGroupMemberMap[iamGroupMember.id]!!
+ if (expiredTime != resourceGroupMember.expiredTime) {
+ toUpdateMembers.add(resourceGroupMember.copy(expiredTime = expiredTime))
+ }
+ } else {
+ toAddMembers.add(
+ AuthResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = groupCode,
+ iamGroupId = iamGroupId,
+ memberId = iamGroupMember.id,
+ memberName = iamGroupMember.name,
+ memberType = iamGroupMember.type,
+ expiredTime = expiredTime
+ )
+ )
+ }
+ }
+ }
+
+ /**
+ * 同步IAM用户组人员模板
+ */
+ private fun syncIamGroupTemplate(
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String,
+ groupCode: String,
+ iamGroupId: Int,
+ resourceGroupMembers: List,
+ toDeleteMembers: MutableList,
+ toUpdateMembers: MutableList,
+ toAddMembers: MutableList
+ ) {
+ val resourceGroupMemberMap = resourceGroupMembers.filter {
+ it.memberType == ManagerScopesEnum.TEMPLATE.name
+ }.associateBy { it.memberId }
+
+ val pageInfoDTO = V2PageInfoDTO().apply {
+ pageSize = 1000
+ page = 1
+ }
+ // 查询人员模板列表
+ val iamGroupTemplateList = iamV2ManagerService.listRoleGroupTemplates(iamGroupId, pageInfoDTO).results
+ val iamGroupTemplateMap = iamGroupTemplateList.associateBy { it.id }
+
+ toDeleteMembers.addAll(resourceGroupMemberMap.filterKeys { !iamGroupTemplateMap.contains(it) }.values)
+ iamGroupTemplateList.forEach { iamGroupTemplate ->
+ val expiredTime = DateTimeUtil.convertTimestampToLocalDateTime(iamGroupTemplate.expiredAt)
+ if (resourceGroupMemberMap.contains(iamGroupTemplate.id)) {
+ val resourceGroupMember = resourceGroupMemberMap[iamGroupTemplate.id]!!
+ if (expiredTime != resourceGroupMember.expiredTime) {
+ toUpdateMembers.add(resourceGroupMember.copy(expiredTime = expiredTime))
+ }
+ } else {
+ toAddMembers.add(
+ AuthResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = groupCode,
+ iamGroupId = iamGroupId,
+ memberId = iamGroupTemplate.id,
+ memberName = iamGroupTemplate.name,
+ memberType = ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE),
+ expiredTime = expiredTime
+ )
+ )
+ }
+ }
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
index 07d713b7c55..ee46893139b 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
@@ -8,29 +8,64 @@ import com.tencent.bk.sdk.iam.dto.manager.V2ManagerRoleGroupInfo
import com.tencent.bk.sdk.iam.dto.manager.dto.GroupMemberRenewApplicationDTO
import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerMemberGroupDTO
import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
+import com.tencent.bk.sdk.iam.dto.response.MemberGroupDetailsResponse
import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
+import com.tencent.devops.auth.constant.AuthI18nConstants
import com.tencent.devops.auth.constant.AuthMessageCode
import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
+import com.tencent.devops.auth.pojo.AuthResourceGroupMember
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
+import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.enum.JoinedType
+import com.tencent.devops.auth.pojo.enum.RemoveMemberButtonControl
+import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberSingleRenewalReq
+import com.tencent.devops.auth.pojo.request.RemoveMemberFromProjectReq
+import com.tencent.devops.auth.pojo.vo.BatchOperateGroupMemberCheckVo
+import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
+import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo
+import com.tencent.devops.auth.pojo.vo.ResourceMemberCountVO
import com.tencent.devops.auth.service.DeptService
+import com.tencent.devops.auth.service.PermissionAuthorizationService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.util.DateTimeUtil
+import com.tencent.devops.common.api.util.PageUtil
+import com.tencent.devops.common.api.util.timestamp
+import com.tencent.devops.common.api.util.timestampmilli
import com.tencent.devops.common.auth.api.AuthResourceType
import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
import com.tencent.devops.common.auth.api.pojo.BkAuthGroupAndUserList
+import com.tencent.devops.common.auth.api.pojo.ResetAllResourceAuthorizationReq
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionRequest
+import com.tencent.devops.common.service.utils.RetryUtils
+import com.tencent.devops.common.web.utils.I18nUtil
+import com.tencent.devops.model.auth.tables.records.TAuthResourceGroupRecord
import com.tencent.devops.project.constant.ProjectMessageCode
import org.apache.commons.lang3.RandomUtils
import org.jooq.DSLContext
import org.slf4j.LoggerFactory
+import java.util.concurrent.CompletableFuture
import java.util.concurrent.Executors
import java.util.concurrent.TimeUnit
+@Suppress("SpreadOperator", "LongParameterList")
class RbacPermissionResourceMemberService constructor(
private val authResourceService: AuthResourceService,
private val iamV2ManagerService: V2ManagerService,
private val authResourceGroupDao: AuthResourceGroupDao,
+ private val authResourceGroupMemberDao: AuthResourceGroupMemberDao,
private val dslContext: DSLContext,
- private val deptService: DeptService
+ private val deptService: DeptService,
+ private val rbacCacheService: RbacCacheService,
+ private val permissionAuthorizationService: PermissionAuthorizationService,
+ private val syncIamGroupMemberService: PermissionResourceGroupSyncService
) : PermissionResourceMemberService {
override fun getResourceGroupMembers(
projectCode: String,
@@ -97,6 +132,196 @@ class RbacPermissionResourceMemberService constructor(
}.map { it.get() }
}
+ override fun getProjectMemberCount(projectCode: String): ResourceMemberCountVO {
+ val projectMemberCount = authResourceGroupMemberDao.countProjectMember(
+ dslContext = dslContext,
+ projectCode = projectCode
+ )
+ return ResourceMemberCountVO(
+ userCount = projectMemberCount[ManagerScopesEnum.getType(ManagerScopesEnum.USER)] ?: 0,
+ departmentCount = projectMemberCount[ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT)] ?: 0
+ )
+ }
+
+ override fun listProjectMembers(
+ projectCode: String,
+ memberType: String?,
+ userName: String?,
+ deptName: String?,
+ departedFlag: Boolean?,
+ page: Int,
+ pageSize: Int
+ ): SQLPage {
+ logger.info("list project members:$projectCode|$departedFlag|$memberType|$userName|$deptName")
+ if (!userName.isNullOrEmpty() && !deptName.isNullOrEmpty()) {
+ return SQLPage(count = 0, records = emptyList())
+ }
+
+ val limit = PageUtil.convertPageSizeToSQLLimit(page, pageSize)
+ val count = authResourceGroupMemberDao.countProjectMember(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberType = memberType,
+ userName = userName,
+ deptName = deptName
+ )
+ val records = authResourceGroupMemberDao.listProjectMember(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberType = memberType,
+ userName = userName,
+ deptName = deptName,
+ offset = limit.offset,
+ limit = limit.limit
+ )
+
+ // 不查询离职相关信息,防止调用用户管理接口,响应慢
+ if (departedFlag == false) {
+ return SQLPage(count = count, records = records)
+ }
+
+ val userMembers = records.filter {
+ it.type == ManagerScopesEnum.getType(ManagerScopesEnum.USER)
+ }.map { it.id }
+
+ val departedMembers = if (userMembers.isNotEmpty()) {
+ deptService.listDepartedMembers(
+ memberIds = userMembers
+ )
+ } else {
+ return SQLPage(count = count, records = records)
+ }
+
+ val recordsWithDepartedFlag = records.map {
+ if (it.type != ManagerScopesEnum.getType(ManagerScopesEnum.USER)) {
+ it.copy(departed = false)
+ } else {
+ it.copy(departed = departedMembers.contains(it.id))
+ }
+ }
+ return SQLPage(count = count, records = recordsWithDepartedFlag)
+ }
+
+ override fun getMemberGroupsCount(
+ projectCode: String,
+ memberId: String
+ ): List {
+ // 1. 查询项目下包含该成员的组列表
+ val projectGroupIds = authResourceGroupMemberDao.listResourceGroupMember(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = AuthResourceType.PROJECT.value,
+ memberId = memberId
+ ).map { it.iamGroupId.toString() }
+ // 2. 通过项目组ID获取人员模板ID
+ val iamTemplateId = authResourceGroupDao.listByRelationId(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = projectGroupIds
+ ).filter { it.iamTemplateId != null }
+ .map { it.iamTemplateId.toString() }
+ // 3. 获取成员直接加入的组和通过模板加入的组
+ val memberGroupCountMap = authResourceGroupMemberDao.countMemberGroup(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberId = memberId,
+ iamTemplateIds = iamTemplateId
+ )
+ val memberGroupCountList = mutableListOf()
+ // 项目排在第一位
+ memberGroupCountMap[AuthResourceType.PROJECT.value]?.let { projectCount ->
+ memberGroupCountList.add(
+ MemberGroupCountWithPermissionsVo(
+ resourceType = AuthResourceType.PROJECT.value,
+ resourceTypeName = I18nUtil.getCodeLanMessage(
+ messageCode = AuthResourceType.PROJECT.value + AuthI18nConstants.RESOURCE_TYPE_NAME_SUFFIX
+ ),
+ count = projectCount
+ )
+ )
+ }
+
+ rbacCacheService.listResourceTypes()
+ .filter { it.resourceType != AuthResourceType.PROJECT.value }
+ .forEach { resourceTypeInfoVo ->
+ memberGroupCountMap[resourceTypeInfoVo.resourceType]?.let { count ->
+ val memberGroupCount = MemberGroupCountWithPermissionsVo(
+ resourceType = resourceTypeInfoVo.resourceType,
+ resourceTypeName = I18nUtil.getCodeLanMessage(
+ messageCode = resourceTypeInfoVo.resourceType + AuthI18nConstants.RESOURCE_TYPE_NAME_SUFFIX,
+ defaultMessage = resourceTypeInfoVo.name
+ ),
+ count = count
+ )
+ memberGroupCountList.add(memberGroupCount)
+ }
+ }
+
+ return memberGroupCountList
+ }
+
+ override fun addGroupMember(
+ projectCode: String,
+ memberId: String,
+ /*user 或 department*/
+ memberType: String,
+ expiredAt: Long,
+ iamGroupId: Int
+ ): Boolean {
+ if (memberType == ManagerScopesEnum.getType(ManagerScopesEnum.USER) &&
+ deptService.isUserDeparted(memberId)) {
+ return true
+ }
+ // 获取对应的资源组
+ val authResourceGroup = authResourceGroupDao.get(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ relationId = iamGroupId.toString()
+ ) ?: throw ErrorCodeException(
+ errorCode = AuthMessageCode.GROUP_NOT_EXIST
+ )
+ val managerMember = ManagerMember(memberType, memberId)
+ addIamGroupMember(
+ groupId = iamGroupId,
+ members = listOf(managerMember),
+ expiredAt = expiredAt
+ )
+
+ val memberDetails = deptService.getMemberInfo(
+ memberId = memberId,
+ memberType = ManagerScopesEnum.valueOf(memberType.uppercase())
+ )
+ with(authResourceGroup) {
+ authResourceGroupMemberDao.create(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ groupCode = groupCode,
+ iamGroupId = relationId.toInt(),
+ memberId = memberId,
+ memberName = memberDetails.displayName,
+ memberType = memberType,
+ expiredTime = DateTimeUtil.convertTimestampToLocalDateTime(expiredAt)
+ )
+ }
+ return true
+ }
+
+ override fun addIamGroupMember(
+ groupId: Int,
+ members: List,
+ expiredAt: Long
+ ): Boolean {
+ val membersOfNeedToAdd = members.toMutableList().removeDepartedMembers()
+ if (membersOfNeedToAdd.isNotEmpty()) {
+ val managerMemberGroup =
+ ManagerMemberGroupDTO.builder().members(membersOfNeedToAdd).expiredAt(expiredAt).build()
+ iamV2ManagerService.createRoleGroupMemberV2(groupId, managerMemberGroup)
+ }
+ return true
+ }
+
override fun batchAddResourceGroupMembers(
projectCode: String,
iamGroupId: Int,
@@ -121,27 +346,68 @@ class RbacPermissionResourceMemberService constructor(
val groupDepartmentSet = groupMembers.filter { it.type == deptType }.map { it.id }.toSet()
// 校验用户是否应该加入用户组
val iamMemberInfos = mutableListOf()
- members?.forEach {
- val shouldAddUserToGroup = shouldAddUserToGroup(
- groupUserMap = groupUserMap,
- groupDepartmentSet = groupDepartmentSet,
- member = it
+ if (!members.isNullOrEmpty()) {
+ val departedMembers = deptService.listDepartedMembers(
+ memberIds = members
)
- if (shouldAddUserToGroup) {
- iamMemberInfos.add(ManagerMember(userType, it))
+ members.filterNot { departedMembers.contains(it) }.forEach {
+ val shouldAddUserToGroup = shouldAddUserToGroup(
+ groupUserMap = groupUserMap,
+ groupDepartmentSet = groupDepartmentSet,
+ member = it
+ )
+ if (shouldAddUserToGroup) {
+ iamMemberInfos.add(ManagerMember(userType, it))
+ }
}
}
-
- departments?.forEach {
- if (!groupDepartmentSet.contains(it)) {
- iamMemberInfos.add(ManagerMember(deptType, it))
+ if (!departments.isNullOrEmpty()) {
+ departments.forEach {
+ if (!groupDepartmentSet.contains(it)) {
+ iamMemberInfos.add(ManagerMember(deptType, it))
+ }
}
}
+
logger.info("batch add project user:|$projectCode|$iamGroupId|$expiredTime|$iamMemberInfos")
if (iamMemberInfos.isNotEmpty()) {
- val managerMemberGroup =
- ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build()
- iamV2ManagerService.createRoleGroupMemberV2(iamGroupId, managerMemberGroup)
+ addIamGroupMember(
+ groupId = iamGroupId,
+ members = iamMemberInfos,
+ expiredAt = expiredTime
+ )
+ // 获取对应的资源组
+ val authResourceGroup = authResourceGroupDao.get(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ relationId = iamGroupId.toString()
+ ) ?: throw ErrorCodeException(
+ errorCode = AuthMessageCode.GROUP_NOT_EXIST
+ )
+ val groupMembersList = mutableListOf()
+ iamMemberInfos.forEach {
+ val memberDetails = deptService.getMemberInfo(
+ memberId = it.id,
+ memberType = ManagerScopesEnum.valueOf(it.type.uppercase())
+ )
+ groupMembersList.add(
+ AuthResourceGroupMember(
+ projectCode = projectCode,
+ resourceType = authResourceGroup.resourceType,
+ resourceCode = authResourceGroup.resourceCode,
+ groupCode = authResourceGroup.groupCode,
+ iamGroupId = authResourceGroup.relationId.toInt(),
+ memberId = it.id,
+ memberName = memberDetails.displayName,
+ memberType = it.type,
+ expiredTime = DateTimeUtil.convertTimestampToLocalDateTime(expiredTime)
+ )
+ )
+ }
+ authResourceGroupMemberDao.batchCreate(
+ dslContext = dslContext,
+ groupMembers = groupMembersList
+ )
}
return true
}
@@ -207,12 +473,29 @@ class RbacPermissionResourceMemberService constructor(
)
val userType = ManagerScopesEnum.getType(ManagerScopesEnum.USER)
val deptType = ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT)
+ val allMemberIds = mutableListOf()
if (!members.isNullOrEmpty()) {
- iamV2ManagerService.deleteRoleGroupMemberV2(iamGroupId, userType, members.joinToString(","))
+ deleteIamGroupMembers(
+ groupId = iamGroupId,
+ type = userType,
+ memberIds = members
+ )
+ allMemberIds.addAll(members)
}
if (!departments.isNullOrEmpty()) {
- iamV2ManagerService.deleteRoleGroupMemberV2(iamGroupId, deptType, departments.joinToString(","))
+ deleteIamGroupMembers(
+ groupId = iamGroupId,
+ type = deptType,
+ memberIds = departments
+ )
+ allMemberIds.addAll(departments)
}
+ authResourceGroupMemberDao.batchDeleteGroupMembers(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupId = iamGroupId,
+ memberIds = allMemberIds
+ )
return true
}
@@ -335,12 +618,15 @@ class RbacPermissionResourceMemberService constructor(
// 自动续期时间由半年+随机天数,防止同一时间同时过期
val expiredTime = currentTime + AUTO_RENEWAL_EXPIRED_AT +
TimeUnit.DAYS.toSeconds(RandomUtils.nextLong(0, 180))
- val managerMemberGroup =
- ManagerMemberGroupDTO.builder().members(listOf(ManagerMember(member.type, member.id)))
- .expiredAt(expiredTime).build()
autoRenewalMembers.add(member.id)
try {
- iamV2ManagerService.createRoleGroupMemberV2(iamGroupId, managerMemberGroup)
+ addGroupMember(
+ projectCode = projectCode,
+ memberId = member.id,
+ memberType = member.type,
+ expiredAt = expiredTime,
+ iamGroupId = iamGroupId
+ )
} catch (ignored: Exception) {
// 用户不存在时,iam会抛异常
logger.error(
@@ -372,37 +658,868 @@ class RbacPermissionResourceMemberService constructor(
return true
}
- override fun deleteGroupMember(
+ override fun renewalGroupMember(
userId: String,
projectCode: String,
- resourceType: String,
- groupId: Int
+ renewalConditionReq: GroupMemberSingleRenewalReq
+ ): GroupDetailsInfoVo {
+ logger.info("renewal group member $userId|$projectCode|$renewalConditionReq")
+ val groupId = renewalConditionReq.groupId
+ batchOperateGroupMembers(
+ projectCode = projectCode,
+ conditionReq = GroupMemberRenewalConditionReq(
+ groupIds = listOf(groupId),
+ targetMember = renewalConditionReq.targetMember,
+ renewalDuration = renewalConditionReq.renewalDuration
+ ),
+ operateGroupMemberTask = ::renewalTask
+ )
+ return getMemberGroupsDetails(
+ projectId = projectCode,
+ memberId = renewalConditionReq.targetMember.id,
+ iamGroupIds = listOf(groupId),
+ resourceType = null,
+ start = null,
+ limit = null
+ ).records.first { it.groupId == groupId }
+ }
+
+ override fun renewalIamGroupMembers(
+ groupId: Int,
+ members: List,
+ expiredAt: Long
+ ): Boolean {
+ val membersOfNeedToRenewal = members.toMutableList().removeDepartedMembers()
+ if (membersOfNeedToRenewal.isNotEmpty()) {
+ iamV2ManagerService.renewalRoleGroupMemberV2(
+ groupId,
+ ManagerMemberGroupDTO.builder()
+ .members(membersOfNeedToRenewal)
+ .expiredAt(expiredAt)
+ .build()
+ )
+ }
+ return true
+ }
+
+ override fun batchRenewalGroupMembers(
+ userId: String,
+ projectCode: String,
+ renewalConditionReq: GroupMemberRenewalConditionReq
): Boolean {
- logger.info("delete group member|$userId|$projectCode|$resourceType|$groupId")
- iamV2ManagerService.deleteRoleGroupMemberV2(
- groupId,
- ManagerScopesEnum.getType(ManagerScopesEnum.USER),
- userId
+ logger.info("batch renewal group member $userId|$projectCode|$renewalConditionReq")
+ batchOperateGroupMembers(
+ projectCode = projectCode,
+ conditionReq = renewalConditionReq,
+ operateGroupMemberTask = ::renewalTask
)
return true
}
- override fun addGroupMember(
+ private fun renewalTask(
+ projectCode: String,
+ groupId: Int,
+ renewalConditionReq: GroupMemberRenewalConditionReq,
+ expiredAt: Long
+ ) {
+ logger.info("renewal group member ${renewalConditionReq.targetMember}|$projectCode|$groupId|$expiredAt")
+ val targetMember = renewalConditionReq.targetMember
+ if (targetMember.type == ManagerScopesEnum.getType(ManagerScopesEnum.USER) &&
+ deptService.isUserDeparted(targetMember.id)) {
+ return
+ }
+ val secondsOfRenewalDuration = TimeUnit.DAYS.toSeconds(renewalConditionReq.renewalDuration.toLong())
+ val secondsOfCurrentTime = System.currentTimeMillis() / 1000
+ // 若权限已过期,则为当前时间+续期天数,若未过期,则为有效期+续期天数
+ val finalExpiredAt = if (expiredAt < secondsOfCurrentTime) {
+ secondsOfCurrentTime
+ } else {
+ expiredAt
+ } + secondsOfRenewalDuration
+ if (!isNeedToRenewal(finalExpiredAt)) {
+ return
+ }
+ renewalIamGroupMembers(
+ groupId = groupId,
+ members = listOf(ManagerMember(targetMember.type, targetMember.id)),
+ expiredAt = finalExpiredAt
+ )
+ authResourceGroupMemberDao.update(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupId = groupId,
+ expiredTime = DateTimeUtil.convertTimestampToLocalDateTime(expiredAt),
+ memberId = targetMember.id
+ )
+ }
+
+ private fun isNeedToRenewal(expiredAt: Long): Boolean {
+ return expiredAt < PERMANENT_EXPIRED_TIME
+ }
+
+ override fun batchDeleteResourceGroupMembers(
userId: String,
- /*user 或 department*/
- memberType: String,
- expiredAt: Long,
- groupId: Int
+ projectCode: String,
+ removeMemberDTO: GroupMemberCommonConditionReq
+ ): Boolean {
+ logger.info("batch delete group members $userId|$projectCode|$removeMemberDTO")
+ removeMemberDTO.excludedUniqueManagerGroup = true
+ batchOperateGroupMembers(
+ projectCode = projectCode,
+ conditionReq = removeMemberDTO,
+ operateGroupMemberTask = ::deleteTask
+ )
+ return true
+ }
+
+ override fun deleteIamGroupMembers(
+ groupId: Int,
+ type: String,
+ memberIds: List
+ ): Boolean {
+ val membersOfNeedToDelete = if (type == ManagerScopesEnum.getType(ManagerScopesEnum.USER)) {
+ memberIds.filterNot { deptService.isUserDeparted(it) }
+ } else {
+ memberIds
+ }
+ if (membersOfNeedToDelete.isNotEmpty()) {
+ iamV2ManagerService.deleteRoleGroupMemberV2(
+ groupId,
+ type,
+ membersOfNeedToDelete.joinToString(",")
+ )
+ }
+ return true
+ }
+
+ private fun deleteTask(
+ projectCode: String,
+ groupId: Int,
+ removeMemberDTO: GroupMemberCommonConditionReq,
+ expiredAt: Long
+ ) {
+ val targetMember = removeMemberDTO.targetMember
+ logger.info("delete group member $projectCode|$groupId|$targetMember")
+ deleteIamGroupMembers(
+ groupId = groupId,
+ type = targetMember.type,
+ memberIds = listOf(targetMember.id)
+ )
+ authResourceGroupMemberDao.batchDeleteGroupMembers(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupId = groupId,
+ memberIds = listOf(removeMemberDTO.targetMember.id)
+ )
+ }
+
+ override fun batchHandoverGroupMembers(
+ userId: String,
+ projectCode: String,
+ handoverMemberDTO: GroupMemberHandoverConditionReq
): Boolean {
- val managerMember = ManagerMember(memberType, userId)
- val managerMemberGroupDTO = ManagerMemberGroupDTO.builder()
- .members(listOf(managerMember))
- .expiredAt(expiredAt)
- .build()
- iamV2ManagerService.createRoleGroupMemberV2(groupId, managerMemberGroupDTO)
+ logger.info("batch handover group members $userId|$projectCode|$handoverMemberDTO")
+ handoverMemberDTO.checkHandoverTo()
+ batchOperateGroupMembers(
+ projectCode = projectCode,
+ conditionReq = handoverMemberDTO,
+ operateGroupMemberTask = ::handoverTask
+ )
return true
}
+ override fun batchOperateGroupMembersCheck(
+ userId: String,
+ projectCode: String,
+ batchOperateType: BatchOperateType,
+ conditionReq: GroupMemberCommonConditionReq
+ ): BatchOperateGroupMemberCheckVo {
+ logger.info("batch operate group member check|$userId|$projectCode|$batchOperateType|$conditionReq")
+ // 获取用户加入的用户组
+ val (groupIdsOfDirectJoined, groupInfoIdsOfTemplateJoined) = getGroupIdsByCondition(
+ projectCode = projectCode,
+ commonCondition = conditionReq
+ )
+ val totalCount = groupIdsOfDirectJoined.size + groupInfoIdsOfTemplateJoined.size
+ val groupCountOfTemplateJoined = groupInfoIdsOfTemplateJoined.size
+
+ return when (batchOperateType) {
+ BatchOperateType.REMOVE -> {
+ val groupCountOfUniqueManager = authResourceGroupMemberDao.listProjectUniqueManagerGroups(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = groupIdsOfDirectJoined
+ ).size
+ BatchOperateGroupMemberCheckVo(
+ totalCount = totalCount,
+ inoperableCount = groupCountOfUniqueManager + groupCountOfTemplateJoined
+ )
+ }
+ BatchOperateType.RENEWAL -> {
+ with(conditionReq) {
+ val isUserDeparted = targetMember.type == ManagerScopesEnum.getType(ManagerScopesEnum.USER) &&
+ deptService.isUserDeparted(targetMember.id)
+ // 离职用户不允许续期
+ if (isUserDeparted) {
+ BatchOperateGroupMemberCheckVo(
+ totalCount = totalCount,
+ inoperableCount = totalCount
+ )
+ } else {
+ // 永久期限 不允许再续期
+ val groupCountOfPermanentExpiredTime = listMemberGroupsDetails(
+ projectCode = projectCode,
+ memberId = targetMember.id,
+ memberType = targetMember.type,
+ groupIds = groupIdsOfDirectJoined
+ ).filter {
+ // iam用的是秒级时间戳
+ it.expiredAt == PERMANENT_EXPIRED_TIME / 1000
+ }.size
+ BatchOperateGroupMemberCheckVo(
+ totalCount = totalCount,
+ inoperableCount = groupCountOfPermanentExpiredTime + groupCountOfTemplateJoined
+ )
+ }
+ }
+ }
+ BatchOperateType.HANDOVER -> {
+ // 已过期(除唯一管理员组)或通过模板加入的不允许移交
+ with(conditionReq) {
+ val finalGroupIds = groupIdsOfDirectJoined.toMutableList()
+ val uniqueManagerGroupIds = authResourceGroupMemberDao.listProjectUniqueManagerGroups(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = groupIdsOfDirectJoined
+ )
+ // 去除唯一管理员组
+ if (uniqueManagerGroupIds.isNotEmpty()) {
+ finalGroupIds.removeAll(uniqueManagerGroupIds)
+ }
+ val groupCountOfExpired = listMemberGroupsDetails(
+ projectCode = projectCode,
+ memberId = targetMember.id,
+ memberType = targetMember.type,
+ groupIds = finalGroupIds
+ ).filter {
+ // iam用的是秒级时间戳
+ it.expiredAt < System.currentTimeMillis() / 1000
+ }.size
+ BatchOperateGroupMemberCheckVo(
+ totalCount = totalCount,
+ inoperableCount = groupCountOfTemplateJoined + groupCountOfExpired
+ )
+ }
+ }
+ else -> {
+ BatchOperateGroupMemberCheckVo(
+ totalCount = totalCount,
+ inoperableCount = groupCountOfTemplateJoined
+ )
+ }
+ }
+ }
+
+ override fun removeMemberFromProject(
+ userId: String,
+ projectCode: String,
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): List {
+ logger.info("remove member from project $userId|$projectCode|$removeMemberFromProjectReq")
+ return with(removeMemberFromProjectReq) {
+ val memberType = targetMember.type
+ val isNeedToHandover = handoverTo != null
+ if (memberType == ManagerScopesEnum.getType(ManagerScopesEnum.USER) && isNeedToHandover) {
+ removeMemberFromProjectReq.checkHandoverTo()
+ val handoverMemberDTO = GroupMemberHandoverConditionReq(
+ allSelection = true,
+ targetMember = targetMember,
+ handoverTo = handoverTo!!
+ )
+ batchOperateGroupMembers(
+ projectCode = projectCode,
+ conditionReq = handoverMemberDTO,
+ operateGroupMemberTask = ::handoverTask
+ )
+ permissionAuthorizationService.resetAllResourceAuthorization(
+ operator = userId,
+ projectCode = projectCode,
+ condition = ResetAllResourceAuthorizationReq(
+ projectCode = projectCode,
+ handoverFrom = removeMemberFromProjectReq.targetMember.id,
+ handoverTo = removeMemberFromProjectReq.handoverTo!!.id,
+ preCheck = false,
+ checkPermission = false
+ )
+ )
+ } else {
+ val removeMemberDTO = GroupMemberCommonConditionReq(
+ allSelection = true,
+ targetMember = targetMember
+ )
+ batchOperateGroupMembers(
+ projectCode = projectCode,
+ conditionReq = removeMemberDTO,
+ operateGroupMemberTask = ::deleteTask
+ )
+ }
+
+ if (memberType == ManagerScopesEnum.getType(ManagerScopesEnum.USER)) {
+ // 查询用户还存在那些组织中
+ val userDeptInfos = deptService.getUserInfo(
+ userId = "admin",
+ name = targetMember.id
+ )?.deptInfo?.map { it.name!! }
+ if (userDeptInfos != null) {
+ return authResourceGroupMemberDao.isMembersInProject(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberNames = userDeptInfos,
+ memberType = ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT)
+ )
+ }
+ }
+ return emptyList()
+ }
+ }
+
+ override fun removeMemberFromProjectCheck(
+ userId: String,
+ projectCode: String,
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): Boolean {
+ val targetMember = removeMemberFromProjectReq.targetMember
+ val isMemberHasNoPermission = batchOperateGroupMembersCheck(
+ userId = userId,
+ projectCode = projectCode,
+ batchOperateType = BatchOperateType.HANDOVER,
+ conditionReq = GroupMemberCommonConditionReq(
+ allSelection = true,
+ targetMember = removeMemberFromProjectReq.targetMember
+ )
+ ).let { it.totalCount == it.inoperableCount }
+
+ val isMemberHasNoAuthorizations =
+ if (targetMember.type == ManagerScopesEnum.getType(ManagerScopesEnum.USER)) {
+ permissionAuthorizationService.listResourceAuthorizations(
+ condition = ResourceAuthorizationConditionRequest(
+ projectCode = projectCode,
+ handoverFrom = targetMember.id
+ )
+ ).count == 0L
+ } else {
+ true
+ }
+ return isMemberHasNoPermission && isMemberHasNoAuthorizations
+ }
+
+ private fun handoverTask(
+ projectCode: String,
+ groupId: Int,
+ handoverMemberDTO: GroupMemberHandoverConditionReq,
+ expiredAt: Long
+ ) {
+ logger.info(
+ "handover group member $projectCode|$groupId|" +
+ "${handoverMemberDTO.targetMember}|${handoverMemberDTO.handoverTo}"
+ )
+ val currentTimeSeconds = System.currentTimeMillis() / 1000
+ var finalExpiredAt = expiredAt
+ when {
+ // 若权限已过期,如果是唯一管理员组,允许交接,交接人将获得半年权限;其他的直接删除。
+ expiredAt < currentTimeSeconds -> {
+ val isUniqueManagerGroup = authResourceGroupMemberDao.listProjectUniqueManagerGroups(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = listOf(groupId)
+ ).isNotEmpty()
+ if (isUniqueManagerGroup) {
+ finalExpiredAt = currentTimeSeconds + TimeUnit.DAYS.toSeconds(180)
+ } else {
+ deleteTask(
+ projectCode = projectCode,
+ groupId = groupId,
+ removeMemberDTO = GroupMemberCommonConditionReq(
+ targetMember = handoverMemberDTO.targetMember
+ ),
+ expiredAt = finalExpiredAt
+ )
+ return
+ }
+ }
+ // 若交接人已经在用户组内,无需交接。
+ authResourceGroupMemberDao.isMemberInGroup(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupId = groupId,
+ memberId = handoverMemberDTO.handoverTo.id
+ ) -> {
+ deleteTask(
+ projectCode = projectCode,
+ groupId = groupId,
+ removeMemberDTO = GroupMemberCommonConditionReq(
+ targetMember = handoverMemberDTO.targetMember
+ ),
+ expiredAt = finalExpiredAt
+ )
+ return
+ }
+ }
+
+ val members = listOf(
+ ManagerMember(
+ handoverMemberDTO.handoverTo.type,
+ handoverMemberDTO.handoverTo.id
+ )
+ )
+ if (finalExpiredAt < currentTimeSeconds) {
+ throw ErrorCodeException(
+ errorCode = AuthMessageCode.INVALID_EXPIRED_PERM_NOT_ALLOW_TO_HANDOVER
+ )
+ }
+
+ addIamGroupMember(
+ groupId = groupId,
+ members = members,
+ expiredAt = finalExpiredAt
+ )
+ deleteIamGroupMembers(
+ groupId = groupId,
+ type = handoverMemberDTO.targetMember.type,
+ memberIds = listOf(handoverMemberDTO.targetMember.id)
+ )
+ authResourceGroupMemberDao.handoverGroupMembers(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupId = groupId,
+ handoverFrom = handoverMemberDTO.targetMember,
+ handoverTo = handoverMemberDTO.handoverTo,
+ expiredTime = DateTimeUtil.convertTimestampToLocalDateTime(finalExpiredAt)
+ )
+ }
+
+ private fun batchOperateGroupMembers(
+ projectCode: String,
+ conditionReq: T,
+ operateGroupMemberTask: (
+ projectCode: String,
+ groupId: Int,
+ conditionReq: T,
+ expiredAt: Long
+ ) -> Unit
+ ): Boolean {
+ val groupIds = getGroupIdsByCondition(
+ projectCode = projectCode,
+ commonCondition = conditionReq
+ ).first
+ val targetMember = conditionReq.targetMember
+ val memberGroupsDetailsList = listMemberGroupsDetails(
+ projectCode = projectCode,
+ memberId = targetMember.id,
+ memberType = targetMember.type,
+ groupIds = groupIds
+ )
+ val outOfSyncGroupIds = mutableListOf()
+ val futures = groupIds.map { groupId ->
+ CompletableFuture.supplyAsync(
+ {
+ val memberGroupsDetails = memberGroupsDetailsList.firstOrNull { it.id == groupId }
+ if (memberGroupsDetails == null) {
+ logger.warn(
+ "The data is out of sync, and the record no longer exists in the iam.$groupId"
+ )
+ outOfSyncGroupIds.add(groupId)
+ return@supplyAsync
+ }
+ val expiredAt = memberGroupsDetails.expiredAt
+ RetryUtils.retry(3) {
+ operateGroupMemberTask.invoke(
+ projectCode,
+ groupId,
+ conditionReq,
+ expiredAt
+ )
+ }
+ }, executorService
+ )
+ }
+ handleFutures(
+ projectCode = projectCode,
+ outOfSyncGroupIds = outOfSyncGroupIds,
+ futures = futures
+ )
+ return true
+ }
+
+ private fun handleFutures(
+ projectCode: String,
+ outOfSyncGroupIds: List,
+ futures: List>
+ ) {
+ try {
+ CompletableFuture.allOf(*futures.toTypedArray()).join()
+ // 存在iam那边已经把用户组下成员删除,但蓝盾数据库未同步问题
+ outOfSyncGroupIds.forEach {
+ syncIamGroupMemberService.syncIamGroupMember(
+ projectCode = projectCode,
+ iamGroupId = it
+ )
+ }
+ } catch (ignore: Exception) {
+ logger.warn("batch operate group members failed", ignore)
+ throw ErrorCodeException(
+ errorCode = AuthMessageCode.ERROR_BATCH_OPERATE_GROUP_MEMBERS
+ )
+ }
+ }
+
+ private fun getGroupIdsByCondition(
+ projectCode: String,
+ commonCondition: GroupMemberCommonConditionReq
+ ): Pair, List> /*直接加入,模板加入*/ {
+ val finalResourceGroupMembers = mutableListOf()
+ with(commonCondition) {
+ val resourceGroupMembersByCondition = when {
+ // 全选
+ allSelection -> {
+ listResourceGroupMembers(
+ projectCode = projectCode,
+ memberId = commonCondition.targetMember.id
+ ).second
+ }
+ // 全选某些资源类型用户组
+ resourceTypes.isNotEmpty() -> {
+ resourceTypes.flatMap { resourceType ->
+ listResourceGroupMembers(
+ projectCode = projectCode,
+ memberId = commonCondition.targetMember.id,
+ resourceType = resourceType
+ ).second
+ }
+ }
+ else -> {
+ emptyList()
+ }
+ }
+
+ if (resourceGroupMembersByCondition.isNotEmpty()) {
+ finalResourceGroupMembers.addAll(resourceGroupMembersByCondition)
+ }
+
+ // Select specific groups individually
+ if (groupIds.isNotEmpty()) {
+ val resourceGroupMembersOfSelect = listResourceGroupMembers(
+ projectCode = projectCode,
+ memberId = commonCondition.targetMember.id,
+ iamGroupIds = groupIds
+ ).second
+ finalResourceGroupMembers.addAll(resourceGroupMembersOfSelect)
+ }
+
+ val (groupIdsOfDirectJoined, groupInfoIdsOfTemplateJoined) = finalResourceGroupMembers.partition {
+ it.memberType != ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE)
+ }.run {
+ first.map { it.iamGroupId }.toMutableList() to second.map { it.iamGroupId }.toMutableList()
+ }
+
+ // When batch removing, if the user is the only manager of the group, ignore and do not transfer
+ if (excludedUniqueManagerGroup) {
+ val excludedUniqueManagerGroupIds = authResourceGroupMemberDao.listProjectUniqueManagerGroups(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = groupIdsOfDirectJoined
+ )
+ groupIdsOfDirectJoined.removeAll {
+ excludedUniqueManagerGroupIds.contains(it)
+ }
+ }
+ return Pair(groupIdsOfDirectJoined, groupInfoIdsOfTemplateJoined)
+ }
+ }
+
+ private fun listMemberGroupsDetails(
+ projectCode: String,
+ memberId: String,
+ memberType: String,
+ groupIds: List
+ ): List {
+ val memberGroupsDetailsList = mutableListOf()
+ val groupIdsChunk = groupIds.chunked(100)
+ val futures = groupIdsChunk.map {
+ CompletableFuture.supplyAsync(
+ {
+ memberGroupsDetailsList.addAll(
+ // 若离职,则从数据库获取用户加入组的过期时间,调用iam接口会报错。
+ // 虽然数据库的过期时间可能不是最新的。
+ if (memberType == ManagerScopesEnum.getType(ManagerScopesEnum.USER) &&
+ deptService.isUserDeparted(userId = memberId)) {
+ val records = authResourceGroupMemberDao.listMemberGroupDetail(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberId = memberId,
+ iamTemplateIds = emptyList(),
+ iamGroupIds = it
+ )
+ records.map { record ->
+ MemberGroupDetailsResponse().apply {
+ id = record.iamGroupId
+ expiredAt = record.expiredTime.timestamp()
+ }
+ }
+ } else {
+ iamV2ManagerService.listMemberGroupsDetails(
+ memberType,
+ memberId,
+ it.joinToString(",")
+ )
+ }
+ )
+ }, executorService
+ )
+ }
+ try {
+ CompletableFuture.allOf(*futures.toTypedArray()).join()
+ } catch (ignore: Exception) {
+ logger.warn("list member groups details failed!$ignore")
+ throw ignore
+ }
+ return memberGroupsDetailsList
+ }
+
+ @Suppress("CyclomaticComplexMethod")
+ override fun getMemberGroupsDetails(
+ projectId: String,
+ memberId: String,
+ resourceType: String?,
+ iamGroupIds: List?,
+ start: Int?,
+ limit: Int?
+ ): SQLPage {
+ // 查询成员所在资源用户组列表,直接加入+通过用户组(模板)加入
+ val (count, resourceGroupMembers) = listResourceGroupMembers(
+ projectCode = projectId,
+ memberId = memberId,
+ resourceType = resourceType,
+ iamGroupIds = iamGroupIds,
+ start = start,
+ limit = limit
+ )
+ // 用户组对应的资源信息
+ val resourceGroupMap = authResourceGroupDao.listByRelationId(
+ dslContext = dslContext,
+ projectCode = projectId,
+ iamGroupIds = resourceGroupMembers.map { it.iamGroupId.toString() }
+ ).associateBy { it.relationId }
+ // 只有一个成员的管理员组
+ val uniqueManagerGroups = authResourceGroupMemberDao.listProjectUniqueManagerGroups(
+ dslContext = dslContext,
+ projectCode = projectId,
+ iamGroupIds = resourceGroupMembers.map { it.iamGroupId }
+ )
+ // 用户组成员详情
+ val groupMemberDetailMap = getGroupMemberDetailMap(
+ memberId = memberId,
+ resourceGroupMembers = resourceGroupMembers
+ )
+ val records = mutableListOf()
+ resourceGroupMembers.forEach {
+ val resourceGroup = resourceGroupMap[it.iamGroupId.toString()]!!
+ val groupMemberDetail = groupMemberDetailMap["${it.iamGroupId}_${it.memberId}"]
+ records.add(
+ convertGroupDetailsInfoVo(
+ resourceGroup = resourceGroup,
+ groupMemberDetail = groupMemberDetail,
+ uniqueManagerGroups = uniqueManagerGroups,
+ authResourceGroupMember = it
+ )
+ )
+ }
+ return SQLPage(count = count, records = records)
+ }
+
+ // 查询成员所在资源用户组列表,直接加入+通过用户组(模板)加入
+ @Suppress("LongParameterList")
+ private fun listResourceGroupMembers(
+ projectCode: String,
+ memberId: String,
+ resourceType: String? = null,
+ iamGroupIds: List? = null,
+ start: Int? = null,
+ limit: Int? = null
+ ): Pair> {
+ // 获取用户加入的项目级用户组模板ID
+ val iamTemplateIds = listProjectMemberGroupTemplateIds(
+ projectCode = projectCode,
+ memberId = memberId
+ )
+ val count = authResourceGroupMemberDao.countMemberGroup(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberId = memberId,
+ iamTemplateIds = iamTemplateIds,
+ resourceType = resourceType,
+ iamGroupIds = iamGroupIds
+ )[resourceType] ?: 0L
+ val resourceGroupMembers = authResourceGroupMemberDao.listMemberGroupDetail(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ memberId = memberId,
+ iamTemplateIds = iamTemplateIds,
+ resourceType = resourceType,
+ iamGroupIds = iamGroupIds,
+ offset = start,
+ limit = limit
+ )
+ return Pair(count, resourceGroupMembers)
+ }
+
+ // 获取用户加入的项目级用户组模板ID
+ private fun listProjectMemberGroupTemplateIds(
+ projectCode: String,
+ memberId: String
+ ): List {
+ // 查询项目下包含该成员的组列表
+ val projectGroupIds = authResourceGroupMemberDao.listResourceGroupMember(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = AuthResourceType.PROJECT.value,
+ memberId = memberId
+ ).map { it.iamGroupId.toString() }
+ // 通过项目组ID获取人员模板ID
+ return authResourceGroupDao.listByRelationId(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ iamGroupIds = projectGroupIds
+ ).filter { it.iamTemplateId != null }
+ .map { it.iamTemplateId.toString() }
+ }
+
+ private fun getGroupMemberDetailMap(
+ memberId: String,
+ resourceGroupMembers: List
+ ): Map {
+ // 如果用户离职,查询权限中心接口会报错
+ if (deptService.isUserDeparted(memberId)) {
+ return emptyMap()
+ }
+ // 用户组成员详情
+ val groupMemberDetailMap = mutableMapOf()
+ // 直接加入的用户
+ val userGroupIds = resourceGroupMembers
+ .filter { it.memberType == ManagerScopesEnum.getType(ManagerScopesEnum.USER) }
+ .map { it.iamGroupId }
+ if (userGroupIds.isNotEmpty()) {
+ iamV2ManagerService.listMemberGroupsDetails(
+ ManagerScopesEnum.getType(ManagerScopesEnum.USER),
+ memberId,
+ userGroupIds.joinToString(",")
+ ).forEach {
+ groupMemberDetailMap["${it.id}_$memberId"] = it
+ }
+ }
+ // 直接加入的组织
+ val deptGroupIds = resourceGroupMembers
+ .filter { it.memberType == ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT) }
+ .map { it.iamGroupId }
+ if (deptGroupIds.isNotEmpty()) {
+ iamV2ManagerService.listMemberGroupsDetails(
+ ManagerScopesEnum.getType(ManagerScopesEnum.DEPARTMENT),
+ memberId,
+ deptGroupIds.joinToString(",")
+ ).forEach {
+ groupMemberDetailMap["${it.id}_$memberId"] = it
+ }
+ }
+ // 人员模板加入的组
+ resourceGroupMembers.filter { it.memberType == ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE) }
+ .groupBy({ it.memberId }, { it.iamGroupId.toString() })
+ .forEach { (iamTemplateId, iamGroupIds) ->
+ if (iamGroupIds.isEmpty()) return@forEach
+ iamV2ManagerService.listMemberGroupsDetails(
+ ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE),
+ iamTemplateId,
+ iamGroupIds.joinToString(",")
+ ).forEach {
+ groupMemberDetailMap["${it.id}_$iamTemplateId"] = it
+ }
+ }
+ return groupMemberDetailMap
+ }
+
+ private fun convertGroupDetailsInfoVo(
+ resourceGroup: TAuthResourceGroupRecord,
+ groupMemberDetail: MemberGroupDetailsResponse?,
+ uniqueManagerGroups: List,
+ authResourceGroupMember: AuthResourceGroupMember
+ ): GroupDetailsInfoVo {
+ // 如果用户离职,查询权限中心接口会报错,因此从数据库直接取数据,而不去调用权限中心接口。
+ val (expiredAt, joinedTime) = if (groupMemberDetail != null) {
+ Pair(
+ TimeUnit.SECONDS.toMillis(groupMemberDetail.expiredAt),
+ TimeUnit.SECONDS.toMillis(groupMemberDetail.createdAt)
+ )
+ } else {
+ Pair(
+ authResourceGroupMember.expiredTime.timestampmilli(),
+ 0L
+ )
+ }
+ val between = expiredAt - System.currentTimeMillis()
+ return GroupDetailsInfoVo(
+ resourceCode = resourceGroup.resourceCode,
+ resourceName = resourceGroup.resourceName,
+ resourceType = resourceGroup.resourceType,
+ groupId = resourceGroup.relationId.toInt(),
+ groupName = resourceGroup.groupName,
+ groupDesc = resourceGroup.description,
+ expiredAtDisplay = when {
+ expiredAt == PERMANENT_EXPIRED_TIME ->
+ I18nUtil.getCodeLanMessage(messageCode = AuthI18nConstants.BK_MEMBER_EXPIRED_AT_DISPLAY_PERMANENT)
+
+ between >= 0 -> I18nUtil.getCodeLanMessage(
+ messageCode = AuthI18nConstants.BK_MEMBER_EXPIRED_AT_DISPLAY_NORMAL,
+ params = arrayOf(DateTimeUtil.formatDay(between))
+ )
+
+ else -> I18nUtil.getCodeLanMessage(
+ messageCode = AuthI18nConstants.BK_MEMBER_EXPIRED_AT_DISPLAY_EXPIRED
+ )
+ },
+ expiredAt = expiredAt,
+ joinedTime = joinedTime,
+ removeMemberButtonControl = when {
+ authResourceGroupMember.memberType == ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE) ->
+ RemoveMemberButtonControl.TEMPLATE
+ resourceGroup.resourceType == AuthResourceType.PROJECT.value &&
+ uniqueManagerGroups.contains(authResourceGroupMember.iamGroupId) ->
+ RemoveMemberButtonControl.UNIQUE_MANAGER
+ uniqueManagerGroups.contains(authResourceGroupMember.iamGroupId) ->
+ RemoveMemberButtonControl.UNIQUE_OWNER
+
+ else ->
+ RemoveMemberButtonControl.OTHER
+ },
+ joinedType = when (authResourceGroupMember.memberType) {
+ ManagerScopesEnum.getType(ManagerScopesEnum.TEMPLATE) -> JoinedType.TEMPLATE
+ else -> JoinedType.DIRECT
+ },
+ operator = ""
+ )
+ }
+
+ private fun MutableList.removeDepartedMembers(): List {
+ val userMemberIds = this.filter { it.type == ManagerScopesEnum.getType(ManagerScopesEnum.USER) }.map { it.id }
+ if (userMemberIds.isEmpty()) return this
+ // 获取离职的人员
+ val departedMembers = deptService.listDepartedMembers(
+ memberIds = userMemberIds
+ )
+ return this.filterNot {
+ it.type == ManagerScopesEnum.getType(ManagerScopesEnum.USER) &&
+ departedMembers.contains(it.id)
+ }
+ }
+
companion object {
private val logger = LoggerFactory.getLogger(RbacPermissionResourceMemberService::class.java)
@@ -416,5 +1533,8 @@ class RbacPermissionResourceMemberService constructor(
private val AUTO_RENEWAL_EXPIRED_AT = TimeUnit.DAYS.toSeconds(180)
private val executorService = Executors.newFixedThreadPool(30)
+
+ // 永久过期时间
+ private const val PERMANENT_EXPIRED_TIME = 4102444800000L
}
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceService.kt
index 80abe63e43a..67cac81018b 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceService.kt
@@ -35,24 +35,16 @@ import com.tencent.devops.auth.pojo.AuthResourceInfo
import com.tencent.devops.auth.provider.rbac.pojo.enums.AuthGroupCreateMode
import com.tencent.devops.auth.provider.rbac.pojo.event.AuthResourceGroupCreateEvent
import com.tencent.devops.auth.provider.rbac.pojo.event.AuthResourceGroupModifyEvent
-import com.tencent.devops.auth.service.iam.PermissionProjectService
+import com.tencent.devops.auth.service.PermissionAuthorizationService
import com.tencent.devops.auth.service.iam.PermissionResourceService
-import com.tencent.devops.auth.service.iam.PermissionService
+import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
import com.tencent.devops.common.api.exception.ErrorCodeException
-import com.tencent.devops.common.api.exception.PermissionForbiddenException
import com.tencent.devops.common.api.pojo.Pagination
import com.tencent.devops.common.api.util.PageUtil
-import com.tencent.devops.common.auth.api.AuthPermission
import com.tencent.devops.common.auth.api.AuthResourceType
-import com.tencent.devops.common.auth.rbac.utils.RbacAuthUtils
-import com.tencent.devops.common.client.Client
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
import com.tencent.devops.common.event.dispatcher.trace.TraceEventDispatcher
-import com.tencent.devops.common.web.utils.I18nUtil
-import com.tencent.devops.project.api.service.ServiceProjectResource
-import com.tencent.devops.project.constant.ProjectMessageCode
-import com.tencent.devops.project.pojo.enums.ProjectApproveStatus
import org.slf4j.LoggerFactory
-import javax.ws.rs.NotFoundException
@SuppressWarnings("LongParameterList", "TooManyFunctions")
class RbacPermissionResourceService(
@@ -60,11 +52,10 @@ class RbacPermissionResourceService(
private val permissionGradeManagerService: PermissionGradeManagerService,
private val permissionSubsetManagerService: PermissionSubsetManagerService,
private val authResourceCodeConverter: AuthResourceCodeConverter,
- private val permissionService: PermissionService,
- private val permissionProjectService: PermissionProjectService,
private val traceEventDispatcher: TraceEventDispatcher,
private val iamV2ManagerService: V2ManagerService,
- private val client: Client
+ private val permissionAuthorizationService: PermissionAuthorizationService,
+ private val permissionResourceValidateService: PermissionResourceValidateService
) : PermissionResourceService {
companion object {
@@ -266,6 +257,16 @@ class RbacPermissionResourceService(
resourceCode = resourceCode,
resourceName = resourceName
)
+ permissionAuthorizationService.modifyResourceAuthorization(
+ listOf(
+ ResourceAuthorizationDTO(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ resourceName = resourceName
+ )
+ )
+ )
traceEventDispatcher.dispatch(
AuthResourceGroupModifyEvent(
managerId = resourceInfo.relationId.toInt(),
@@ -301,6 +302,11 @@ class RbacPermissionResourceService(
resourceType = resourceType,
resourceCode = resourceCode
)
+ permissionAuthorizationService.deleteResourceAuthorization(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ )
return true
}
@@ -321,64 +327,6 @@ class RbacPermissionResourceService(
return true
}
- override fun hasManagerPermission(
- userId: String,
- projectId: String,
- resourceType: String,
- resourceCode: String
- ): Boolean {
- checkProjectApprovalStatus(resourceType, resourceCode)
- val checkProjectManage = permissionProjectService.checkProjectManager(
- userId = userId,
- projectCode = projectId
- )
- if (checkProjectManage) {
- return true
- }
-
- // TODO 流水线组一期先不上,流水线组权限由项目控制
- if (resourceType == AuthResourceType.PROJECT.value || resourceType == AuthResourceType.PIPELINE_GROUP.value) {
- throw PermissionForbiddenException(
- message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
- )
- } else {
- val checkResourceManage = permissionService.validateUserResourcePermissionByRelation(
- userId = userId,
- action = RbacAuthUtils.buildAction(
- authPermission = AuthPermission.MANAGE,
- authResourceType = RbacAuthUtils.getResourceTypeByStr(resourceType)
- ),
- projectCode = projectId,
- resourceType = resourceType,
- resourceCode = resourceCode,
- relationResourceType = null
- )
- if (!checkResourceManage) {
- throw PermissionForbiddenException(
- message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
- )
- }
- }
- return true
- }
-
- private fun checkProjectApprovalStatus(resourceType: String, resourceCode: String) {
- if (resourceType == AuthResourceType.PROJECT.value) {
- val projectInfo =
- client.get(ServiceProjectResource::class).get(resourceCode).data
- ?: throw NotFoundException("project - $resourceCode is not exist!")
- val approvalStatus = ProjectApproveStatus.parse(projectInfo.approvalStatus)
- if (approvalStatus.isCreatePending()) {
- throw ErrorCodeException(
- errorCode = ProjectMessageCode.UNDER_APPROVAL_PROJECT,
- params = arrayOf(resourceCode),
- defaultMessage = "project $resourceCode is being approved, " +
- "please wait patiently, or contact the approver"
- )
- }
- }
- }
-
override fun isEnablePermission(
userId: String,
projectId: String,
@@ -387,7 +335,7 @@ class RbacPermissionResourceService(
): Boolean {
// 项目不能进入[成员管理]页面,其他资源不需要校验权限,有普通成员视角查看权限页面
if (resourceType == AuthResourceType.PROJECT.value) {
- hasManagerPermission(
+ permissionResourceValidateService.hasManagerPermission(
userId = userId,
projectId = projectId,
resourceType = resourceType,
@@ -408,7 +356,7 @@ class RbacPermissionResourceService(
resourceCode: String
): Boolean {
logger.info("enable resource permission|$userId|$projectId|$resourceType|$resourceCode")
- hasManagerPermission(
+ permissionResourceValidateService.hasManagerPermission(
userId = userId,
projectId = projectId,
resourceType = resourceType,
@@ -455,11 +403,11 @@ class RbacPermissionResourceService(
resourceCode: String
): Boolean {
logger.info("disable resource permission|$userId|$projectId|$resourceType|$resourceCode")
- hasManagerPermission(
+ permissionResourceValidateService.hasManagerPermission(
userId = userId,
projectId = projectId,
resourceType = resourceType,
- resourceCode
+ resourceCode = resourceCode
)
if (resourceType == AuthResourceType.PROJECT.value) {
throw ErrorCodeException(
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt
index d371901d2f5..c0baf8abee1 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt
@@ -28,17 +28,29 @@
package com.tencent.devops.auth.provider.rbac.service
+import com.tencent.devops.auth.constant.AuthMessageCode
import com.tencent.devops.auth.pojo.dto.PermissionBatchValidateDTO
import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
import com.tencent.devops.auth.service.iam.PermissionService
+import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.exception.PermissionForbiddenException
import com.tencent.devops.common.api.util.Watcher
+import com.tencent.devops.common.auth.api.AuthPermission
import com.tencent.devops.common.auth.api.AuthResourceType
+import com.tencent.devops.common.auth.rbac.utils.RbacAuthUtils
+import com.tencent.devops.common.client.Client
import com.tencent.devops.common.service.utils.LogUtils
+import com.tencent.devops.common.web.utils.I18nUtil
+import com.tencent.devops.project.api.service.ServiceProjectResource
+import com.tencent.devops.project.constant.ProjectMessageCode
+import com.tencent.devops.project.pojo.enums.ProjectApproveStatus
import org.slf4j.LoggerFactory
+import javax.ws.rs.NotFoundException
class RbacPermissionResourceValidateService(
private val permissionService: PermissionService,
- private val rbacCacheService: RbacCacheService
+ private val rbacCacheService: RbacCacheService,
+ private val client: Client
) : PermissionResourceValidateService {
companion object {
@@ -98,6 +110,65 @@ class RbacPermissionResourceValidateService(
}
}
+ override fun hasManagerPermission(
+ userId: String,
+ projectId: String,
+ resourceType: String,
+ resourceCode: String
+ ): Boolean {
+ checkProjectApprovalStatus(resourceType, resourceCode)
+ val checkProjectManage = rbacCacheService.checkProjectManager(
+ userId = userId,
+ projectCode = projectId
+ )
+
+ if (checkProjectManage) {
+ return true
+ }
+
+ // TODO 流水线组一期先不上,流水线组权限由项目控制
+ if (resourceType == AuthResourceType.PROJECT.value || resourceType == AuthResourceType.PIPELINE_GROUP.value) {
+ throw PermissionForbiddenException(
+ message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
+ )
+ } else {
+ val checkResourceManage = permissionService.validateUserResourcePermissionByRelation(
+ userId = userId,
+ action = RbacAuthUtils.buildAction(
+ authPermission = AuthPermission.MANAGE,
+ authResourceType = RbacAuthUtils.getResourceTypeByStr(resourceType)
+ ),
+ projectCode = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ relationResourceType = null
+ )
+ if (!checkResourceManage) {
+ throw PermissionForbiddenException(
+ message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
+ )
+ }
+ }
+ return true
+ }
+
+ private fun checkProjectApprovalStatus(resourceType: String, resourceCode: String) {
+ if (resourceType == AuthResourceType.PROJECT.value) {
+ val projectInfo =
+ client.get(ServiceProjectResource::class).get(resourceCode).data
+ ?: throw NotFoundException("project - $resourceCode is not exist!")
+ val approvalStatus = ProjectApproveStatus.parse(projectInfo.approvalStatus)
+ if (approvalStatus.isCreatePending()) {
+ throw ErrorCodeException(
+ errorCode = ProjectMessageCode.UNDER_APPROVAL_PROJECT,
+ params = arrayOf(resourceCode),
+ defaultMessage = "project $resourceCode is being approved, " +
+ "please wait patiently, or contact the approver"
+ )
+ }
+ }
+ }
+
private fun validateProjectPermission(
userId: String,
actions: List,
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/AbMigratePolicyService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/AbMigratePolicyService.kt
index bc4cd211bac..4fae9d617a7 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/AbMigratePolicyService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/AbMigratePolicyService.kt
@@ -31,12 +31,10 @@ package com.tencent.devops.auth.provider.rbac.service.migrate
import com.tencent.bk.sdk.iam.config.IamConfiguration
import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
import com.tencent.bk.sdk.iam.dto.manager.AuthorizationScopes
-import com.tencent.bk.sdk.iam.dto.manager.ManagerMember
import com.tencent.bk.sdk.iam.dto.manager.ManagerPath
import com.tencent.bk.sdk.iam.dto.manager.ManagerResources
import com.tencent.bk.sdk.iam.dto.manager.ManagerRoleGroup
import com.tencent.bk.sdk.iam.dto.manager.RoleGroupMemberInfo
-import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerMemberGroupDTO
import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerRoleGroupDTO
import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
import com.tencent.devops.auth.constant.AuthMessageCode
@@ -50,6 +48,7 @@ import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateIamApiServic
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateIamApiService.Companion.GROUP_WEB_POLICY
import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateIamApiService.Companion.USER_CUSTOM_POLICY
import com.tencent.devops.auth.service.DeptService
+import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
import com.tencent.devops.auth.service.iam.PermissionService
import com.tencent.devops.common.api.exception.ErrorCodeException
import com.tencent.devops.common.api.util.DateTimeUtil
@@ -78,7 +77,8 @@ abstract class AbMigratePolicyService(
private val permissionService: PermissionService,
private val rbacCacheService: RbacCacheService,
private val deptService: DeptService,
- private val permissionGroupPoliciesService: PermissionGroupPoliciesService
+ private val permissionGroupPoliciesService: PermissionGroupPoliciesService,
+ private val permissionResourceMemberService: PermissionResourceMemberService
) {
companion object {
@@ -157,7 +157,7 @@ abstract class AbMigratePolicyService(
projectName = groupInfo.resourceName
)
authorizationScopeList.forEach { authorizationScope ->
- v2ManagerService.grantRoleGroupV2(groupInfo.relationId.toInt(), authorizationScope)
+ v2ManagerService.grantRoleGroupV2(groupInfo.relationId, authorizationScope)
}
}
}
@@ -258,6 +258,7 @@ abstract class AbMigratePolicyService(
}
// 往用户组添加成员
batchAddGroupMember(
+ projectCode = projectCode,
groupId = groupId,
defaultGroup = defaultGroup,
members = result.members,
@@ -276,6 +277,7 @@ abstract class AbMigratePolicyService(
): Pair/*组授权范围*/, List/*流水线用户组ID(关联流水线动作组)*/>
abstract fun batchAddGroupMember(
+ projectCode: String,
groupId: Int,
defaultGroup: Boolean,
members: List?,
@@ -377,13 +379,14 @@ abstract class AbMigratePolicyService(
permission = permission
)
groupIds.forEach { groupId ->
- val managerMember = ManagerMember(ManagerScopesEnum.getType(ManagerScopesEnum.USER), userId)
- val managerMemberGroupDTO = ManagerMemberGroupDTO.builder()
- .members(listOf(managerMember))
- .expiredAt(
- System.currentTimeMillis() / MILLISECOND + TimeUnit.DAYS.toSeconds(DEFAULT_EXPIRED_DAY)
- ).build()
- v2ManagerService.createRoleGroupMemberV2(groupId, managerMemberGroupDTO)
+ permissionResourceMemberService.addGroupMember(
+ projectCode = projectCode,
+ memberId = userId,
+ memberType = ManagerScopesEnum.getType(ManagerScopesEnum.USER),
+ expiredAt = System.currentTimeMillis() / MILLISECOND +
+ TimeUnit.DAYS.toSeconds(DEFAULT_EXPIRED_DAY),
+ iamGroupId = groupId
+ )
}
}
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigratePermissionHandoverService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigratePermissionHandoverService.kt
index 7bffe471d60..0c26c1ebac0 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigratePermissionHandoverService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigratePermissionHandoverService.kt
@@ -60,10 +60,11 @@ class MigratePermissionHandoverService constructor(
)
handoverToList.forEach { handoverTo ->
permissionResourceMemberService.addGroupMember(
- userId = handoverTo,
+ projectCode = projectCode,
+ memberId = handoverTo,
memberType = USER_TYPE,
expiredAt = GROUP_EXPIRED_TIME,
- groupId = projectManagerGroupId!!.relationId.toInt()
+ iamGroupId = projectManagerGroupId!!.relationId.toInt()
)
}
}
@@ -91,15 +92,16 @@ class MigratePermissionHandoverService constructor(
)
try {
permissionResourceMemberService.addGroupMember(
- userId = handoverTo,
+ projectCode = projectCode,
+ memberId = handoverTo,
memberType = USER_TYPE,
expiredAt = GROUP_EXPIRED_TIME,
- groupId = resourceManagerGroup!!.relationId.toInt()
+ iamGroupId = resourceManagerGroup!!.relationId.toInt()
)
- v2ManagerService.deleteRoleGroupMemberV2(
- resourceManagerGroup.relationId.toInt(),
- USER_TYPE,
- handoverFrom
+ permissionResourceMemberService.batchDeleteResourceGroupMembers(
+ projectCode = projectCode,
+ iamGroupId = resourceManagerGroup.relationId.toInt(),
+ members = listOf(handoverFrom)
)
} catch (ignore: Exception) {
logger.warn(
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceAuthorizationService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceAuthorizationService.kt
new file mode 100644
index 00000000000..188249cb23d
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceAuthorizationService.kt
@@ -0,0 +1,226 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.provider.rbac.service.migrate
+
+import com.tencent.bk.sdk.iam.constants.CallbackMethodEnum
+import com.tencent.bk.sdk.iam.dto.PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.PathInfoDTO
+import com.tencent.bk.sdk.iam.dto.callback.request.CallbackRequestDTO
+import com.tencent.bk.sdk.iam.dto.callback.request.FilterDTO
+import com.tencent.devops.auth.service.PermissionAuthorizationService
+import com.tencent.devops.auth.service.ResourceService
+import com.tencent.devops.common.api.util.PageUtil
+import com.tencent.devops.common.auth.api.AuthResourceType
+import com.tencent.devops.common.auth.api.AuthTokenApi
+import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
+import com.tencent.devops.common.auth.callback.ListResourcesAuthorizationDTO
+import com.tencent.devops.common.auth.code.ProjectAuthServiceCode
+import com.tencent.devops.common.client.Client
+import com.tencent.devops.common.service.trace.TraceTag
+import com.tencent.devops.project.api.service.ServiceProjectResource
+import org.slf4j.LoggerFactory
+import org.slf4j.MDC
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.stereotype.Service
+import java.util.concurrent.CompletableFuture
+import java.util.concurrent.Executors
+
+/**
+ * 迁移资源授权
+ */
+@Service
+class MigrateResourceAuthorizationService @Autowired constructor(
+ private val resourceService: ResourceService,
+ private val tokenApi: AuthTokenApi,
+ private val projectAuthServiceCode: ProjectAuthServiceCode,
+ private val permissionAuthorizationService: PermissionAuthorizationService,
+ private val client: Client
+) {
+ fun migrateResourceAuthorization(projectCodes: List): Boolean {
+ logger.info("start to migrate resource authorization by project list:$projectCodes")
+ executorService.submit {
+ projectCodes.forEach {
+ migrateResourceAuthorization(
+ projectCode = it
+ )
+ }
+ }
+ return true
+ }
+
+ fun migrateAllResourceAuthorization(): Boolean {
+ logger.info("start to migrate all project resource authorization")
+ executorService.submit {
+ var offset = 0
+ val limit = PageUtil.MAX_PAGE_SIZE / 2
+ do {
+ val migrateProjects = client.get(ServiceProjectResource::class).listProjectsByCondition(
+ projectConditionDTO = ProjectConditionDTO(),
+ limit = limit,
+ offset = offset
+ ).data ?: break
+ migrateProjects.forEach {
+ migrateResourceAuthorization(it.englishName)
+ }
+ offset += limit
+ } while (migrateProjects.size == limit)
+ }
+ return true
+ }
+
+ private fun migrateResourceAuthorization(projectCode: String) {
+ val startEpoch = System.currentTimeMillis()
+ logger.info("start to migrate resource authorization:$projectCode")
+ try {
+ val resourceTypes = listOf(
+ AuthResourceType.PIPELINE_DEFAULT.value,
+ AuthResourceType.ENVIRONMENT_ENV_NODE.value,
+ AuthResourceType.CODE_REPERTORY.value
+ )
+
+ logger.info("MigrateResourceAuthorization|resourceTypes:$resourceTypes")
+ // 迁移各个资源类型下的资源授权
+ val traceId = MDC.get(TraceTag.BIZID)
+ resourceTypes.forEach { resourceType ->
+ CompletableFuture.supplyAsync(
+ {
+ MDC.put(TraceTag.BIZID, traceId)
+ migrateResourceAuthorization(
+ projectCode = projectCode,
+ resourceType = resourceType
+ )
+ },
+ executorService
+ )
+ }
+ } finally {
+ logger.info("It take(${System.currentTimeMillis() - startEpoch})ms to migrate resource $projectCode")
+ }
+ }
+
+ private fun migrateResourceAuthorization(
+ projectCode: String,
+ resourceType: String
+ ) {
+ val startEpoch = System.currentTimeMillis()
+ logger.info("start to migrate resource authorization|$projectCode|$resourceType")
+ try {
+ createResourceAuthorization(
+ resourceType = resourceType,
+ projectCode = projectCode
+ )
+ } catch (ignore: Exception) {
+ logger.error("Failed to migrate resource authorization|$projectCode|$resourceType", ignore)
+ throw ignore
+ } finally {
+ logger.info(
+ "It take(${System.currentTimeMillis() - startEpoch})ms to migrate " +
+ "resource authorization|$projectCode|$resourceType"
+ )
+ }
+ }
+
+ private fun createResourceAuthorization(
+ resourceType: String,
+ projectCode: String
+ ) {
+ var offset = 0L
+ val limit = 100L
+ val resourceAuthorizationIds = mutableListOf()
+ do {
+ val resourceAuthorizationData = listResourceAuthorization(
+ offset = offset,
+ limit = limit,
+ resourceType = resourceType,
+ projectCode = projectCode
+ )?.data
+
+ logger.info(
+ "MigrateResourceAuthorizationService|projectCode:$projectCode|resourceType:$resourceType" +
+ "|resourceAuthorizationData:$resourceAuthorizationData"
+ )
+ if (resourceAuthorizationData == null || resourceAuthorizationData.result.isNullOrEmpty()) {
+ return
+ }
+ permissionAuthorizationService.migrateResourceAuthorization(
+ resourceAuthorizationList = resourceAuthorizationData.result.map {
+ ResourceAuthorizationDTO(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceName = it.resourceName,
+ resourceCode = it.resourceCode,
+ handoverTime = it.handoverTime,
+ handoverFrom = it.handoverFrom
+ )
+ }
+ )
+ resourceAuthorizationIds.addAll(resourceAuthorizationData.result.map { it.resourceCode })
+ offset += limit
+ } while (resourceAuthorizationData!!.result.size.toLong() == limit)
+ // 由于生产和灰度不是同时发布,可能会出现生产删除资源,但是授权记录未删除,而导致出现的脏数据,需要进行删除。
+ permissionAuthorizationService.fixResourceAuthorization(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceAuthorizationIds = resourceAuthorizationIds
+ )
+ }
+
+ private fun listResourceAuthorization(
+ offset: Long,
+ limit: Long,
+ resourceType: String,
+ projectCode: String
+ ): ListResourcesAuthorizationDTO? {
+ val pathInfoDTO = PathInfoDTO().apply {
+ type = AuthResourceType.PROJECT.value
+ id = projectCode
+ }
+ val filterDTO = FilterDTO().apply {
+ parent = pathInfoDTO
+ }
+ return resourceService.getInstanceByResource(
+ callBackInfo = CallbackRequestDTO().apply {
+ type = resourceType
+ method = CallbackMethodEnum.LIST_RESOURCE_AUTHORIZATION
+ filter = filterDTO
+ page = PageInfoDTO().apply {
+ this.offset = offset
+ this.limit = limit
+ }
+ },
+ token = tokenApi.getAccessToken(projectAuthServiceCode)
+ ) as ListResourcesAuthorizationDTO?
+ }
+
+ companion object {
+ private val logger = LoggerFactory.getLogger(MigrateResourceAuthorizationService::class.java)
+ private val executorService = Executors.newFixedThreadPool(10)
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceGroupService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceGroupService.kt
new file mode 100644
index 00000000000..74402c2bd59
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceGroupService.kt
@@ -0,0 +1,103 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.provider.rbac.service.migrate
+
+import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
+import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
+import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.provider.rbac.service.AuthResourceService
+import com.tencent.devops.common.api.util.PageUtil
+import com.tencent.devops.common.auth.api.AuthResourceType
+import org.jooq.DSLContext
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+
+/**
+ * 将资源组迁移到权限中心
+ */
+@Suppress("LongParameterList", "MagicNumber")
+class MigrateResourceGroupService @Autowired constructor(
+ private val authResourceService: AuthResourceService,
+ private val dslContext: DSLContext,
+ private val authResourceGroupDao: AuthResourceGroupDao,
+ private val iamV2ManagerService: V2ManagerService
+) {
+ fun fixResourceGroups(projectCode: String) {
+ logger.info("start to fix resource groups,$projectCode ")
+ val recordsOfNeedToFix = authResourceGroupDao.listRecordsOfNeedToFix(
+ dslContext = dslContext,
+ projectCode = projectCode
+ )
+ logger.info("resource groups need to fix ,$projectCode|$recordsOfNeedToFix")
+ recordsOfNeedToFix.forEach { resourceGroupInfo ->
+ val resourceInfo = authResourceService.get(
+ projectCode = projectCode,
+ resourceType = resourceGroupInfo.resourceType,
+ resourceCode = resourceGroupInfo.resourceCode
+ )
+ val pageInfoDTO = V2PageInfoDTO()
+ pageInfoDTO.page = PageUtil.DEFAULT_PAGE
+ pageInfoDTO.pageSize = PageUtil.DEFAULT_PAGE_SIZE
+ val iamGroupInfo = if (resourceInfo.resourceType == AuthResourceType.PROJECT.value) {
+ val searchGroupDTO = SearchGroupDTO.builder()
+ .inherit(false)
+ .name(resourceGroupInfo.groupName)
+ .build()
+ iamV2ManagerService.getGradeManagerRoleGroupV2(
+ resourceInfo.relationId,
+ searchGroupDTO,
+ pageInfoDTO
+ )
+ } else {
+ iamV2ManagerService.getSubsetManagerRoleGroup(
+ resourceInfo.relationId.toInt(),
+ pageInfoDTO
+ )
+ }.results.firstOrNull { it.name == resourceGroupInfo.groupName }
+ logger.info("resource groups need to fix,iam group info $projectCode|$iamGroupInfo")
+ if (iamGroupInfo != null) {
+ authResourceGroupDao.update(
+ dslContext = dslContext,
+ projectCode = projectCode,
+ resourceType = resourceGroupInfo.resourceType,
+ resourceCode = resourceGroupInfo.resourceCode,
+ resourceName = resourceInfo.resourceName,
+ groupCode = resourceGroupInfo.groupCode,
+ groupName = resourceGroupInfo.groupName,
+ relationId = iamGroupInfo.id.toString()
+ )
+ }
+ }
+ }
+
+ companion object {
+ private val logger = LoggerFactory.getLogger(MigrateResourceGroupService::class.java)
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV0PolicyService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV0PolicyService.kt
index ef9401ee8da..c5ce1b2976b 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV0PolicyService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV0PolicyService.kt
@@ -84,7 +84,8 @@ class MigrateV0PolicyService constructor(
permissionService = permissionService,
rbacCacheService = rbacCacheService,
deptService = deptService,
- permissionGroupPoliciesService = permissionGroupPoliciesService
+ permissionGroupPoliciesService = permissionGroupPoliciesService,
+ permissionResourceMemberService = permissionResourceMemberService
) {
companion object {
@@ -459,6 +460,7 @@ class MigrateV0PolicyService constructor(
}
override fun batchAddGroupMember(
+ projectCode: String,
groupId: Int,
defaultGroup: Boolean,
members: List?,
@@ -480,6 +482,7 @@ class MigrateV0PolicyService constructor(
groupIdOfPipelineActionGroupList.forEach {
logger.info("add subject template to group of pipeline:$it|$subjectTemplateId")
addGroupMember(
+ projectCode = projectCode,
groupId = it.toInt(),
defaultGroup = true,
member = RoleGroupMemberInfo().apply {
@@ -503,6 +506,7 @@ class MigrateV0PolicyService constructor(
}
members.forEach member@{ member ->
addGroupMember(
+ projectCode = projectCode,
defaultGroup = defaultGroup,
member = member,
groupId = groupId
@@ -511,6 +515,7 @@ class MigrateV0PolicyService constructor(
}
private fun addGroupMember(
+ projectCode: String,
defaultGroup: Boolean,
member: RoleGroupMemberInfo,
groupId: Int
@@ -523,11 +528,12 @@ class MigrateV0PolicyService constructor(
V0_GROUP_EXPIRED_DAY[RandomUtils.nextInt(0, 2)]
}
permissionResourceMemberService.addGroupMember(
- userId = member.id,
+ projectCode = projectCode,
+ memberId = member.id,
memberType = member.type,
expiredAt = System.currentTimeMillis() / MILLISECOND + TimeUnit.DAYS.toSeconds(expiredDay) +
TimeUnit.DAYS.toSeconds(RandomUtils.nextLong(0, 180)),
- groupId = groupId
+ iamGroupId = groupId
)
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV3PolicyService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV3PolicyService.kt
index c2e42c529b6..3b218db28e3 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV3PolicyService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateV3PolicyService.kt
@@ -88,7 +88,8 @@ class MigrateV3PolicyService constructor(
permissionService = permissionService,
rbacCacheService = rbacCacheService,
deptService = deptService,
- permissionGroupPoliciesService = permissionGroupPoliciesService
+ permissionGroupPoliciesService = permissionGroupPoliciesService,
+ permissionResourceMemberService = permissionResourceMemberService
) {
companion object {
@@ -156,6 +157,7 @@ class MigrateV3PolicyService constructor(
val rbacAuthorizationScopes = mutableListOf()
result.permissions.forEach permission@{ permission ->
val (isManager, rbacActions) = buildRbacActions(
+ projectCode = projectCode,
managerGroupId = managerGroupId,
permission = permission,
members = result.members
@@ -181,6 +183,7 @@ class MigrateV3PolicyService constructor(
}
private fun buildRbacActions(
+ projectCode: String,
managerGroupId: Int,
permission: AuthorizationScopes,
members: List?
@@ -191,7 +194,12 @@ class MigrateV3PolicyService constructor(
// 如果包含all_action,则直接添加到管理员组
Constants.ALL_ACTION -> {
logger.info("match all_action,member add to manager group $managerGroupId")
- batchAddGroupMember(groupId = managerGroupId, defaultGroup = true, members = members)
+ batchAddGroupMember(
+ projectCode = projectCode,
+ groupId = managerGroupId,
+ defaultGroup = true,
+ members = members
+ )
return Pair(true, emptyList())
}
PROJECT_VIEWS_MANAGER, PROJECT_DELETE, QUALITY_GROUP_ENABLE -> {
@@ -376,6 +384,7 @@ class MigrateV3PolicyService constructor(
}
override fun batchAddGroupMember(
+ projectCode: String,
groupId: Int,
defaultGroup: Boolean,
members: List?,
@@ -391,10 +400,11 @@ class MigrateV3PolicyService constructor(
member.expiredAt
}
permissionResourceMemberService.addGroupMember(
- userId = member.id,
+ projectCode = projectCode,
+ memberId = member.id,
memberType = member.type,
expiredAt = expiredAt,
- groupId = groupId
+ iamGroupId = groupId
)
}
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt
index 4a0e5807bbd..7523c4fff65 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt
@@ -83,7 +83,9 @@ class RbacPermissionMigrateService constructor(
private val authMigrationDao: AuthMigrationDao,
private val authMonitorSpaceDao: AuthMonitorSpaceDao,
private val cacheService: RbacCacheService,
- private val permissionResourceMemberService: PermissionResourceMemberService
+ private val permissionResourceMemberService: PermissionResourceMemberService,
+ private val migrateResourceAuthorizationService: MigrateResourceAuthorizationService,
+ private val migrateResourceGroupService: MigrateResourceGroupService
) : PermissionMigrateService {
companion object {
@@ -209,8 +211,12 @@ class RbacPermissionMigrateService constructor(
resourceType != null
val projectInfoList = client.get(ServiceProjectResource::class).listByProjectCode(projectCodes.toSet())
.data!!.filter {
- it.routerTag != null && (
- it.routerTag!!.contains(AuthSystemType.RBAC_AUTH_TYPE.value) || it.routerTag!!.contains("devx"))
+ val r = it.routerTag
+ if (migrateResourceDTO.includeNullRouterTag == true) {
+ r == null || r.contains(AuthSystemType.RBAC_AUTH_TYPE.value) || r.contains("devx")
+ } else {
+ r != null && (r.contains(AuthSystemType.RBAC_AUTH_TYPE.value) || r.contains("devx"))
+ }
}
val traceId = MDC.get(TraceTag.BIZID)
projectInfoList.forEach {
@@ -273,7 +279,8 @@ class RbacPermissionMigrateService constructor(
val migrateProjects = client.get(ServiceProjectResource::class).listProjectsByCondition(
projectConditionDTO = ProjectConditionDTO(
routerTag = AuthSystemType.RBAC_AUTH_TYPE,
- enabled = true
+ enabled = true,
+ includeNullRouterTag = migrateResourceDTO.includeNullRouterTag
),
limit = limit,
offset = offset
@@ -449,6 +456,7 @@ class RbacPermissionMigrateService constructor(
watcher = watcher
)
}
+
AuthSystemType.V3_AUTH_TYPE -> {
migrateV3Auth(
projectCode = projectCode,
@@ -585,12 +593,15 @@ class RbacPermissionMigrateService constructor(
is IamException -> {
exception.errorMsg
}
+
is ErrorCodeException -> {
exception.defaultMessage
}
+
is CompletionException -> {
exception.cause?.message ?: exception.message
}
+
else -> {
exception.toString()
}
@@ -665,4 +676,23 @@ class RbacPermissionMigrateService constructor(
} while (resourceSize == limit)
logger.info("Finish to auto renewal|$projectCode|${System.currentTimeMillis() - startTime}")
}
+
+ override fun migrateResourceAuthorization(projectCodes: List): Boolean {
+ return migrateResourceAuthorizationService.migrateResourceAuthorization(
+ projectCodes = projectCodes
+ )
+ }
+
+ override fun migrateAllResourceAuthorization(): Boolean {
+ return migrateResourceAuthorizationService.migrateAllResourceAuthorization()
+ }
+
+ override fun fixResourceGroups(projectCodes: List): Boolean {
+ projectCodes.forEach {
+ migrateResourceGroupService.fixResourceGroups(
+ projectCode = it
+ )
+ }
+ return true
+ }
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/config/MockAuthConfiguration.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/config/MockAuthConfiguration.kt
index cab51428097..383c3f2642a 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/config/MockAuthConfiguration.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/config/MockAuthConfiguration.kt
@@ -1,5 +1,6 @@
package com.tencent.devops.auth.provider.sample.config
+import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceAuthorizationService
import com.tencent.devops.auth.provider.sample.service.SampleAuthAuthorizationScopesService
import com.tencent.devops.auth.provider.sample.service.SampleAuthMonitorSpaceService
import com.tencent.devops.auth.provider.sample.service.SampleAuthPermissionProjectService
@@ -12,6 +13,7 @@ import com.tencent.devops.auth.provider.sample.service.SamplePermissionGradeServ
import com.tencent.devops.auth.provider.sample.service.SamplePermissionItsmCallbackService
import com.tencent.devops.auth.provider.sample.service.SamplePermissionMigrateService
import com.tencent.devops.auth.provider.sample.service.SamplePermissionResourceGroupService
+import com.tencent.devops.auth.provider.sample.service.SamplePermissionResourceGroupSyncService
import com.tencent.devops.auth.provider.sample.service.SamplePermissionResourceMemberService
import com.tencent.devops.auth.provider.sample.service.SamplePermissionResourceService
import com.tencent.devops.auth.provider.sample.service.SamplePermissionResourceValidateService
@@ -24,6 +26,7 @@ import com.tencent.devops.auth.service.AuthMonitorSpaceService
import com.tencent.devops.auth.service.DefaultDeptServiceImpl
import com.tencent.devops.auth.service.DeptService
import com.tencent.devops.auth.service.OrganizationService
+import com.tencent.devops.auth.service.PermissionAuthorizationService
import com.tencent.devops.auth.service.SuperManagerService
import com.tencent.devops.auth.service.iam.PermissionApplyService
import com.tencent.devops.auth.service.iam.PermissionExtService
@@ -33,6 +36,7 @@ import com.tencent.devops.auth.service.iam.PermissionItsmCallbackService
import com.tencent.devops.auth.service.iam.PermissionMigrateService
import com.tencent.devops.auth.service.iam.PermissionProjectService
import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
import com.tencent.devops.auth.service.iam.PermissionResourceService
import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
@@ -97,7 +101,11 @@ class MockAuthConfiguration {
@Bean
@ConditionalOnMissingBean(PermissionResourceService::class)
- fun samplePermissionResourceService() = SamplePermissionResourceService()
+ fun samplePermissionResourceService(
+ permissionAuthorizationService: PermissionAuthorizationService
+ ) = SamplePermissionResourceService(
+ permissionAuthorizationService = permissionAuthorizationService
+ )
@Bean
@ConditionalOnMissingBean(PermissionResourceGroupService::class)
@@ -121,7 +129,11 @@ class MockAuthConfiguration {
@Bean
@ConditionalOnMissingBean(PermissionMigrateService::class)
- fun samplePermissionMigrateService() = SamplePermissionMigrateService()
+ fun samplePermissionMigrateService(
+ migrateResourceAuthorizationService: MigrateResourceAuthorizationService
+ ) = SamplePermissionMigrateService(
+ migrateResourceAuthorizationService = migrateResourceAuthorizationService
+ )
@Bean
@ConditionalOnMissingBean(AuthAuthorizationScopesService::class)
@@ -130,4 +142,8 @@ class MockAuthConfiguration {
@Bean
@ConditionalOnMissingBean(AuthMonitorSpaceService::class)
fun sampleAuthMonitorSpaceService() = SampleAuthMonitorSpaceService()
+
+ @Bean
+ @ConditionalOnMissingBean(PermissionResourceGroupSyncService::class)
+ fun samplePermissionResourceGroupSyncService() = SamplePermissionResourceGroupSyncService()
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt
index f18f94ec79d..13b3f743a0e 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt
@@ -32,8 +32,11 @@ import com.tencent.devops.auth.pojo.dto.MigrateResourceDTO
import com.tencent.devops.auth.service.iam.PermissionMigrateService
import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
import com.tencent.devops.auth.pojo.dto.PermissionHandoverDTO
+import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceAuthorizationService
-class SamplePermissionMigrateService : PermissionMigrateService {
+class SamplePermissionMigrateService(
+ val migrateResourceAuthorizationService: MigrateResourceAuthorizationService
+) : PermissionMigrateService {
override fun v3ToRbacAuth(projectCodes: List): Boolean {
return true
}
@@ -85,4 +88,16 @@ class SamplePermissionMigrateService : PermissionMigrateService {
override fun autoRenewal(projectConditionDTO: ProjectConditionDTO): Boolean {
return true
}
+
+ override fun migrateResourceAuthorization(projectCodes: List): Boolean {
+ return migrateResourceAuthorizationService.migrateResourceAuthorization(
+ projectCodes = projectCodes
+ )
+ }
+
+ override fun migrateAllResourceAuthorization(): Boolean {
+ return migrateResourceAuthorizationService.migrateAllResourceAuthorization()
+ }
+
+ override fun fixResourceGroups(projectCodes: List): Boolean = true
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupService.kt
index a0069dc9698..30a8fc341af 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupService.kt
@@ -29,6 +29,7 @@
package com.tencent.devops.auth.provider.sample.service
import com.tencent.devops.auth.pojo.dto.GroupAddDTO
+import com.tencent.devops.auth.pojo.dto.ListGroupConditionDTO
import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
import com.tencent.devops.auth.pojo.vo.GroupPermissionDetailVo
import com.tencent.devops.auth.pojo.vo.IamGroupInfoVo
@@ -40,11 +41,8 @@ import com.tencent.devops.common.api.pojo.Pagination
class SamplePermissionResourceGroupService : PermissionResourceGroupService {
override fun listGroup(
- projectId: String,
- resourceType: String,
- resourceCode: String,
- page: Int,
- pageSize: Int
+ userId: String,
+ listGroupConditionDTO: ListGroupConditionDTO
): Pagination {
return Pagination(false, emptyList())
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt
new file mode 100644
index 00000000000..eceb19c8a3c
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt
@@ -0,0 +1,55 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.provider.sample.service
+
+import com.tencent.devops.auth.pojo.enum.AuthMigrateStatus
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
+import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
+
+class SamplePermissionResourceGroupSyncService : PermissionResourceGroupSyncService {
+
+ override fun syncByCondition(projectConditionDTO: ProjectConditionDTO) = Unit
+
+ override fun batchSyncGroupAndMember(projectCodes: List) = Unit
+
+ override fun syncGroupAndMember(projectCode: String) = Unit
+
+ override fun getStatusOfSync(projectCode: String): AuthMigrateStatus = AuthMigrateStatus.SUCCEED
+
+ override fun batchSyncProjectGroup(projectCodes: List) = Unit
+
+ override fun batchSyncAllMember(projectCodes: List) = Unit
+
+ override fun syncResourceMember(projectCode: String, resourceType: String, resourceCode: String) = Unit
+
+ override fun syncIamGroupMember(projectCode: String, iamGroupId: Int) = Unit
+
+ override fun syncIamGroupMembersOfApply() = Unit
+
+ override fun fixResourceGroupMember(projectCode: String) = Unit
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt
index 9210ca39780..e6f5eddc799 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt
@@ -1,7 +1,22 @@
package com.tencent.devops.auth.provider.sample.service
+import com.tencent.bk.sdk.iam.dto.manager.ManagerMember
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
+import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.enum.JoinedType
+import com.tencent.devops.auth.pojo.enum.RemoveMemberButtonControl
+import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberSingleRenewalReq
+import com.tencent.devops.auth.pojo.request.RemoveMemberFromProjectReq
+import com.tencent.devops.auth.pojo.vo.BatchOperateGroupMemberCheckVo
+import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
+import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo
+import com.tencent.devops.auth.pojo.vo.ResourceMemberCountVO
import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
+import com.tencent.devops.common.api.model.SQLPage
import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
import com.tencent.devops.common.auth.api.pojo.BkAuthGroupAndUserList
@@ -43,7 +58,11 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService {
roleCode: String
): Int = 0
- override fun autoRenewal(projectCode: String, resourceType: String, resourceCode: String) = Unit
+ override fun autoRenewal(
+ projectCode: String,
+ resourceType: String,
+ resourceCode: String
+ ) = Unit
override fun renewalGroupMember(
userId: String,
@@ -53,17 +72,122 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService {
memberRenewalDTO: GroupMemberRenewalDTO
): Boolean = true
- override fun deleteGroupMember(
+ override fun renewalGroupMember(
userId: String,
projectCode: String,
- resourceType: String,
- groupId: Int
+ renewalConditionReq: GroupMemberSingleRenewalReq
+ ): GroupDetailsInfoVo = GroupDetailsInfoVo(
+ resourceCode = "resourceCode",
+ resourceName = "resourceName",
+ resourceType = "resourceType",
+ groupId = 0,
+ groupName = "",
+ groupDesc = "",
+ expiredAtDisplay = "",
+ expiredAt = 0,
+ joinedTime = 0,
+ removeMemberButtonControl = RemoveMemberButtonControl.OTHER,
+ joinedType = JoinedType.DIRECT,
+ operator = ""
+ )
+
+ override fun renewalIamGroupMembers(
+ groupId: Int,
+ members: List,
+ expiredAt: Long
): Boolean = true
- override fun addGroupMember(
+ override fun batchRenewalGroupMembers(
+ userId: String,
+ projectCode: String,
+ renewalConditionReq: GroupMemberRenewalConditionReq
+ ): Boolean = true
+
+ override fun batchDeleteResourceGroupMembers(
+ userId: String,
+ projectCode: String,
+ removeMemberDTO: GroupMemberCommonConditionReq
+ ): Boolean = true
+
+ override fun deleteIamGroupMembers(
+ groupId: Int,
+ type: String,
+ memberIds: List
+ ): Boolean = true
+
+ override fun batchHandoverGroupMembers(
+ userId: String,
+ projectCode: String,
+ handoverMemberDTO: GroupMemberHandoverConditionReq
+ ): Boolean = true
+
+ override fun batchOperateGroupMembersCheck(
userId: String,
+ projectCode: String,
+ batchOperateType: BatchOperateType,
+ conditionReq: GroupMemberCommonConditionReq
+ ): BatchOperateGroupMemberCheckVo = BatchOperateGroupMemberCheckVo(
+ totalCount = 0,
+ inoperableCount = 0
+ )
+
+ override fun removeMemberFromProject(
+ userId: String,
+ projectCode: String,
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): List = emptyList()
+
+ override fun removeMemberFromProjectCheck(
+ userId: String,
+ projectCode: String,
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): Boolean = true
+
+ override fun addGroupMember(
+ projectCode: String,
+ memberId: String,
memberType: String,
expiredAt: Long,
- groupId: Int
+ iamGroupId: Int
): Boolean = true
+
+ override fun addIamGroupMember(groupId: Int, members: List, expiredAt: Long): Boolean {
+ TODO("Not yet implemented")
+ }
+
+ override fun getProjectMemberCount(projectCode: String): ResourceMemberCountVO =
+ ResourceMemberCountVO(
+ userCount = 0,
+ departmentCount = 0
+ )
+
+ override fun listProjectMembers(
+ projectCode: String,
+ memberType: String?,
+ userName: String?,
+ deptName: String?,
+ departedFlag: Boolean?,
+ page: Int,
+ pageSize: Int
+ ): SQLPage {
+ return SQLPage(count = 0, records = emptyList())
+ }
+
+ override fun getMemberGroupsCount(
+ projectCode: String,
+ memberId: String
+ ): List {
+ return emptyList()
+ }
+
+ override fun getMemberGroupsDetails(
+ projectId: String,
+ memberId: String,
+ resourceType: String?,
+ iamGroupIds: List?,
+ start: Int?,
+ limit: Int?
+ ): SQLPage {
+ return SQLPage(0, records = emptyList())
+ }
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceService.kt
index 383dd80f809..c85c667a096 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceService.kt
@@ -29,11 +29,15 @@
package com.tencent.devops.auth.provider.sample.service
import com.tencent.devops.auth.pojo.AuthResourceInfo
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
+import com.tencent.devops.auth.service.PermissionAuthorizationService
import com.tencent.devops.auth.service.iam.PermissionResourceService
import com.tencent.devops.common.api.pojo.Pagination
import java.time.LocalDateTime
-class SamplePermissionResourceService : PermissionResourceService {
+class SamplePermissionResourceService constructor(
+ private val permissionAuthorizationService: PermissionAuthorizationService
+) : PermissionResourceService {
override fun resourceCreateRelation(
userId: String,
projectCode: String,
@@ -48,13 +52,32 @@ class SamplePermissionResourceService : PermissionResourceService {
resourceType: String,
resourceCode: String,
resourceName: String
- ) = true
+ ): Boolean {
+ permissionAuthorizationService.modifyResourceAuthorization(
+ listOf(
+ ResourceAuthorizationDTO(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ resourceName = resourceName
+ )
+ )
+ )
+ return true
+ }
override fun resourceDeleteRelation(
projectCode: String,
resourceType: String,
resourceCode: String
- ) = true
+ ): Boolean {
+ permissionAuthorizationService.deleteResourceAuthorization(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ )
+ return true
+ }
override fun resourceCancelRelation(
userId: String,
@@ -63,13 +86,6 @@ class SamplePermissionResourceService : PermissionResourceService {
resourceCode: String
) = true
- override fun hasManagerPermission(
- userId: String,
- projectId: String,
- resourceType: String,
- resourceCode: String
- ) = true
-
override fun isEnablePermission(
userId: String,
projectId: String,
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt
index 2aa4ee86d90..b2ba564a4cf 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt
@@ -39,4 +39,11 @@ class SamplePermissionResourceValidateService : PermissionResourceValidateServic
): Map {
return permissionBatchValidateDTO.actionList.associateWith { true }
}
+
+ override fun hasManagerPermission(
+ userId: String,
+ projectId: String,
+ resourceType: String,
+ resourceCode: String
+ ): Boolean = true
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/CentralizedStramPermissionServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/CentralizedStramPermissionServiceImpl.kt
index 0adda249404..7d3705549cd 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/CentralizedStramPermissionServiceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/CentralizedStramPermissionServiceImpl.kt
@@ -29,12 +29,17 @@ package com.tencent.devops.auth.provider.stream.service
import com.tencent.devops.auth.utils.GitTypeUtils
import com.tencent.devops.common.auth.api.AuthPermission
+import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
import com.tencent.devops.common.client.Client
import org.springframework.beans.factory.annotation.Autowired
class CentralizedStramPermissionServiceImpl @Autowired constructor(
val client: Client
) : StreamPermissionServiceImpl() {
+ override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List {
+ return emptyList()
+ }
+
override fun isPublicProject(projectCode: String, userId: String?): Boolean {
val gitType = GitTypeUtils.getType()
// type: github, gitlab, svn, tgitd等
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GithubStreamPermissionServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GithubStreamPermissionServiceImpl.kt
index ebac1e08273..06bdf7aece0 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GithubStreamPermissionServiceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GithubStreamPermissionServiceImpl.kt
@@ -29,6 +29,7 @@ package com.tencent.devops.auth.provider.stream.service
import com.google.common.cache.CacheBuilder
import com.tencent.devops.common.auth.api.AuthPermission
+import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
import com.tencent.devops.common.client.Client
import com.tencent.devops.repository.api.github.ServiceGithubPermissionResource
import com.tencent.devops.stream.api.service.ServiceStreamBasicSettingResource
@@ -64,6 +65,10 @@ class GithubStreamPermissionServiceImpl @Autowired constructor(
.expireAfterAccess(5, TimeUnit.MINUTES)
.build()
+ override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List {
+ return emptyList()
+ }
+
override fun isPublicProject(projectCode: String, userId: String?): Boolean {
if (publicProjectCache.getIfPresent(projectCode) != null) {
return publicProjectCache.getIfPresent(projectCode)!!
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GitlabStreamPermissionServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GitlabStreamPermissionServiceImpl.kt
index 0e619dd21f8..e9858dd8ffc 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GitlabStreamPermissionServiceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/GitlabStreamPermissionServiceImpl.kt
@@ -28,9 +28,14 @@
package com.tencent.devops.auth.provider.stream.service
import com.tencent.devops.common.auth.api.AuthPermission
+import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
import org.springframework.beans.factory.annotation.Autowired
class GitlabStreamPermissionServiceImpl @Autowired constructor() : StreamPermissionServiceImpl() {
+ override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List {
+ return emptyList()
+ }
+
override fun isPublicProject(projectCode: String, userId: String?): Boolean {
TODO("Not yet implemented")
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionProjectServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionProjectServiceImpl.kt
index 56e0ed3e370..696894dcd42 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionProjectServiceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionProjectServiceImpl.kt
@@ -38,8 +38,7 @@ class StreamPermissionProjectServiceImpl @Autowired constructor(
private val streamPermissionService: StreamPermissionServiceImpl
) : PermissionProjectService {
override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List {
- // stream场景下使用不到此接口。占做默认实现
- return emptyList()
+ return streamPermissionService.getProjectUsers(projectCode, group)
}
override fun getProjectGroupAndUserList(projectCode: String): List {
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionServiceImpl.kt
index 96d50afb4a9..f6c34e9e292 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionServiceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/stream/service/StreamPermissionServiceImpl.kt
@@ -30,6 +30,7 @@ package com.tencent.devops.auth.provider.stream.service
import com.tencent.devops.auth.service.iam.PermissionService
import com.tencent.devops.common.auth.api.AuthPermission
import com.tencent.devops.common.auth.api.pojo.AuthResourceInstance
+import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
import com.tencent.devops.common.auth.utils.ActionTypeUtils
import org.slf4j.LoggerFactory
@@ -191,6 +192,8 @@ abstract class StreamPermissionServiceImpl : PermissionService {
return emptyMap()
}
+ abstract fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List
+
/**
* 是否是开源项目
* projectCode: stream侧项目编码
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
index ce52985b790..945d6c3c838 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
@@ -98,4 +98,16 @@ class OpAuthMigrateResourceImpl @Autowired constructor(
permissionMigrateService.autoRenewal(projectConditionDTO)
return Result(true)
}
+
+ override fun migrateResourceAuthorization(projectCodes: List): Result {
+ return Result(permissionMigrateService.migrateResourceAuthorization(projectCodes))
+ }
+
+ override fun migrateAllResourceAuthorization(): Result {
+ return Result(permissionMigrateService.migrateAllResourceAuthorization())
+ }
+
+ override fun fixResourceGroups(projectCodes: List): Result {
+ return Result(permissionMigrateService.fixResourceGroups(projectCodes))
+ }
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt
new file mode 100644
index 00000000000..40cccbbb9ba
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt
@@ -0,0 +1,80 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.resources
+
+import com.tencent.devops.auth.api.sync.OpAuthResourceGroupSyncResource
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.pojo.ProjectConditionDTO
+import com.tencent.devops.common.web.RestResource
+import org.springframework.beans.factory.annotation.Autowired
+
+@RestResource
+class OpAuthResourceGroupSyncResourceImpl @Autowired constructor(
+ private val permissionResourceGroupSyncService: PermissionResourceGroupSyncService
+) : OpAuthResourceGroupSyncResource {
+
+ override fun syncByCondition(projectConditionDTO: ProjectConditionDTO): Result {
+ permissionResourceGroupSyncService.syncByCondition(projectConditionDTO)
+ return Result(true)
+ }
+
+ override fun batchSyncGroupAndMember(projectIds: List): Result {
+ permissionResourceGroupSyncService.batchSyncGroupAndMember(projectIds)
+ return Result(true)
+ }
+
+ override fun batchSyncProjectGroup(projectIds: List): Result {
+ permissionResourceGroupSyncService.batchSyncProjectGroup(projectIds)
+ return Result(true)
+ }
+
+ override fun batchSyncAllMember(projectIds: List): Result {
+ permissionResourceGroupSyncService.batchSyncAllMember(projectIds)
+ return Result(true)
+ }
+
+ override fun syncResourceMember(projectId: String, resourceType: String, resourceCode: String): Result {
+ permissionResourceGroupSyncService.syncResourceMember(
+ projectCode = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ )
+ return Result(true)
+ }
+
+ override fun fixResourceGroupMember(projectId: String): Result {
+ permissionResourceGroupSyncService.fixResourceGroupMember(projectId)
+ return Result(true)
+ }
+
+ override fun syncIamGroupMembersOfApply(): Result {
+ permissionResourceGroupSyncService.syncIamGroupMembersOfApply()
+ return Result(true)
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthAuthorizationResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthAuthorizationResourceImpl.kt
new file mode 100644
index 00000000000..a184fd8cf63
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthAuthorizationResourceImpl.kt
@@ -0,0 +1,96 @@
+package com.tencent.devops.auth.resources
+
+import com.tencent.devops.auth.api.user.UserAuthAuthorizationResource
+import com.tencent.devops.auth.pojo.vo.ResourceTypeInfoVo
+import com.tencent.devops.auth.service.PermissionAuthorizationService
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.BkManagerCheck
+import com.tencent.devops.common.auth.api.pojo.ResetAllResourceAuthorizationReq
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationResponse
+import com.tencent.devops.common.auth.enums.ResourceAuthorizationHandoverStatus
+import com.tencent.devops.common.web.RestResource
+
+@RestResource
+class UserAuthAuthorizationResourceImpl(
+ val permissionAuthorizationService: PermissionAuthorizationService
+) : UserAuthAuthorizationResource {
+ @BkManagerCheck
+ override fun listResourceAuthorization(
+ userId: String,
+ projectId: String,
+ condition: ResourceAuthorizationConditionRequest
+ ): Result> {
+ return Result(
+ permissionAuthorizationService.listResourceAuthorizations(
+ condition = condition
+ )
+ )
+ }
+
+ override fun getResourceAuthorization(
+ userId: String,
+ projectId: String,
+ resourceType: String,
+ resourceCode: String
+ ): Result {
+ return Result(
+ permissionAuthorizationService.getResourceAuthorization(
+ resourceType = resourceType,
+ projectCode = projectId,
+ resourceCode = resourceCode,
+ executePermissionCheck = true
+ )
+ )
+ }
+
+ override fun checkAuthorizationWhenRemoveGroupMember(
+ userId: String,
+ projectId: String,
+ resourceType: String,
+ resourceCode: String,
+ memberId: String
+ ): Result {
+ return Result(
+ permissionAuthorizationService.checkAuthorizationWhenRemoveGroupMember(
+ userId = userId,
+ projectCode = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ memberId = memberId
+ )
+ )
+ }
+
+ override fun resetResourceAuthorization(
+ userId: String,
+ projectId: String,
+ condition: ResourceAuthorizationHandoverConditionRequest
+ ): Result>> {
+ return Result(
+ permissionAuthorizationService.resetResourceAuthorizationByResourceType(
+ operator = userId,
+ projectCode = projectId,
+ condition = condition
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun resetAllResourceAuthorization(
+ userId: String,
+ projectId: String,
+ condition: ResetAllResourceAuthorizationReq
+ ): Result> {
+ return Result(
+ permissionAuthorizationService.resetAllResourceAuthorization(
+ operator = userId,
+ projectCode = projectId,
+ condition = condition
+ )
+ )
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupResourceImpl.kt
index 1b56fa3fef1..43ed6851abe 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupResourceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupResourceImpl.kt
@@ -28,13 +28,19 @@
package com.tencent.devops.auth.resources
+import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
import com.tencent.devops.auth.api.user.UserAuthResourceGroupResource
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
+import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
+import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo
import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
+import com.tencent.devops.common.api.model.SQLPage
import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.BkManagerCheck
import com.tencent.devops.common.web.RestResource
import org.springframework.beans.factory.annotation.Autowired
@@ -59,6 +65,26 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
)
}
+ @BkManagerCheck
+ override fun getMemberGroupsDetails(
+ userId: String,
+ projectId: String,
+ resourceType: String,
+ memberId: String,
+ start: Int,
+ limit: Int
+ ): Result> {
+ return Result(
+ permissionResourceMemberService.getMemberGroupsDetails(
+ projectId = projectId,
+ resourceType = resourceType,
+ memberId = memberId,
+ start = start,
+ limit = limit
+ )
+ )
+ }
+
override fun renewal(
userId: String,
projectId: String,
@@ -84,15 +110,21 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
groupId: Int
): Result {
return Result(
- permissionResourceMemberService.deleteGroupMember(
+ permissionResourceMemberService.batchDeleteResourceGroupMembers(
userId = userId,
projectCode = projectId,
- resourceType = resourceType,
- groupId = groupId
+ removeMemberDTO = GroupMemberCommonConditionReq(
+ groupIds = listOf(groupId),
+ targetMember = ResourceMemberInfo(
+ id = userId,
+ type = ManagerScopesEnum.getType(ManagerScopesEnum.USER)
+ )
+ )
)
)
}
+ @BkManagerCheck
override fun deleteGroup(
userId: String,
projectId: String,
@@ -109,6 +141,7 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
)
}
+ @BkManagerCheck
override fun rename(
userId: String,
projectId: String,
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserDeptResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupSyncResourceImpl.kt
similarity index 57%
rename from src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserDeptResourceImpl.kt
rename to src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupSyncResourceImpl.kt
index 701d2e8bfaf..b7f6aa8ad3c 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserDeptResourceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceGroupSyncResourceImpl.kt
@@ -27,42 +27,31 @@
package com.tencent.devops.auth.resources
-import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
-import com.tencent.devops.auth.api.user.UserDeptResource
-import com.tencent.devops.auth.pojo.vo.DeptInfoVo
-import com.tencent.devops.auth.pojo.vo.UserAndDeptInfoVo
-import com.tencent.devops.auth.service.DeptService
+import com.tencent.devops.auth.api.user.UserAuthResourceGroupSyncResource
+import com.tencent.devops.auth.pojo.enum.AuthMigrateStatus
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
import com.tencent.devops.common.api.pojo.Result
import com.tencent.devops.common.web.RestResource
import org.springframework.beans.factory.annotation.Autowired
@RestResource
-class UserDeptResourceImpl @Autowired constructor(
- val deptService: DeptService
-) : UserDeptResource {
- override fun getDeptByLevel(userId: String, accessToken: String?, level: Int): Result {
- return Result(deptService.getDeptByLevel(level, accessToken, userId))
- }
+class UserAuthResourceGroupSyncResourceImpl @Autowired constructor(
+ private val permissionResourceGroupSyncService: PermissionResourceGroupSyncService
+) : UserAuthResourceGroupSyncResource {
- override fun getDeptByParent(
- userId: String,
- accessToken: String?,
- parentId: Int,
- pageSize: Int?
- ): Result {
- return Result(deptService.getDeptByParent(parentId, accessToken, userId, pageSize))
+ override fun syncGroupAndMember(userId: String, projectId: String): Result {
+ permissionResourceGroupSyncService.syncGroupAndMember(projectId)
+ return Result(true)
}
- override fun getUserAndDeptByName(
- userId: String,
- accessToken: String?,
- name: String,
- type: ManagerScopesEnum
- ): Result> {
- return Result(deptService.getUserAndDeptByName(name, accessToken, userId, type))
+ override fun syncGroupMember(userId: String, projectId: String, groupId: Int): Result {
+ permissionResourceGroupSyncService.syncIamGroupMember(projectCode = projectId, iamGroupId = groupId)
+ return Result(true)
}
- override fun getDeptUsers(userId: String, accessToken: String?, deptId: Int): Result?> {
- return Result(deptService.getDeptUser(deptId, accessToken))
+ override fun getStatusOfSync(userId: String, projectId: String): Result {
+ return Result(
+ permissionResourceGroupSyncService.getStatusOfSync(projectCode = projectId)
+ )
}
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceMemberResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceMemberResourceImpl.kt
new file mode 100644
index 00000000000..47912b3d569
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceMemberResourceImpl.kt
@@ -0,0 +1,168 @@
+package com.tencent.devops.auth.resources
+
+import com.tencent.devops.auth.api.user.UserAuthResourceMemberResource
+import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberSingleRenewalReq
+import com.tencent.devops.auth.pojo.request.RemoveMemberFromProjectReq
+import com.tencent.devops.auth.pojo.vo.BatchOperateGroupMemberCheckVo
+import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
+import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo
+import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.BkManagerCheck
+import com.tencent.devops.common.web.RestResource
+
+@RestResource
+class UserAuthResourceMemberResourceImpl(
+ private val permissionResourceMemberService: PermissionResourceMemberService
+) : UserAuthResourceMemberResource {
+ @BkManagerCheck
+ override fun listProjectMembers(
+ userId: String,
+ projectId: String,
+ memberType: String?,
+ userName: String?,
+ deptName: String?,
+ departedFlag: Boolean?,
+ page: Int,
+ pageSize: Int
+ ): Result> {
+ return Result(
+ permissionResourceMemberService.listProjectMembers(
+ projectCode = projectId,
+ memberType = memberType,
+ userName = userName,
+ deptName = deptName,
+ departedFlag = departedFlag ?: false,
+ page = page,
+ pageSize = pageSize
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun renewalGroupMember(
+ userId: String,
+ projectId: String,
+ renewalConditionReq: GroupMemberSingleRenewalReq
+ ): Result {
+ return Result(
+ permissionResourceMemberService.renewalGroupMember(
+ userId = userId,
+ projectCode = projectId,
+ renewalConditionReq = renewalConditionReq
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun batchRenewalGroupMembers(
+ userId: String,
+ projectId: String,
+ renewalConditionReq: GroupMemberRenewalConditionReq
+ ): Result {
+ return Result(
+ permissionResourceMemberService.batchRenewalGroupMembers(
+ userId = userId,
+ projectCode = projectId,
+ renewalConditionReq = renewalConditionReq
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun batchRemoveGroupMembers(
+ userId: String,
+ projectId: String,
+ removeMemberDTO: GroupMemberCommonConditionReq
+ ): Result {
+ return Result(
+ permissionResourceMemberService.batchDeleteResourceGroupMembers(
+ userId = userId,
+ projectCode = projectId,
+ removeMemberDTO = removeMemberDTO
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun batchHandoverGroupMembers(
+ userId: String,
+ projectId: String,
+ handoverMemberDTO: GroupMemberHandoverConditionReq
+ ): Result {
+ return Result(
+ permissionResourceMemberService.batchHandoverGroupMembers(
+ userId = userId,
+ projectCode = projectId,
+ handoverMemberDTO = handoverMemberDTO
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun batchOperateGroupMembersCheck(
+ userId: String,
+ projectId: String,
+ batchOperateType: BatchOperateType,
+ conditionReq: GroupMemberCommonConditionReq
+ ): Result {
+ return Result(
+ permissionResourceMemberService.batchOperateGroupMembersCheck(
+ userId = userId,
+ projectCode = projectId,
+ batchOperateType = batchOperateType,
+ conditionReq = conditionReq
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun removeMemberFromProject(
+ userId: String,
+ projectId: String,
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): Result> {
+ return Result(
+ permissionResourceMemberService.removeMemberFromProject(
+ userId = userId,
+ projectCode = projectId,
+ removeMemberFromProjectReq = removeMemberFromProjectReq
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun removeMemberFromProjectCheck(
+ userId: String,
+ projectId: String,
+ removeMemberFromProjectReq: RemoveMemberFromProjectReq
+ ): Result {
+ return Result(
+ permissionResourceMemberService.removeMemberFromProjectCheck(
+ userId = userId,
+ projectCode = projectId,
+ removeMemberFromProjectReq = removeMemberFromProjectReq
+ )
+ )
+ }
+
+ @BkManagerCheck
+ override fun getMemberGroupCount(
+ userId: String,
+ projectId: String,
+ memberId: String
+ ): Result> {
+ return Result(
+ permissionResourceMemberService.getMemberGroupsCount(
+ projectCode = projectId,
+ memberId = memberId
+ )
+ )
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt
index 00884871858..5ee46656fe5 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt
@@ -30,10 +30,12 @@ package com.tencent.devops.auth.resources
import com.tencent.devops.auth.api.user.UserAuthResourceResource
import com.tencent.devops.auth.pojo.AuthResourceInfo
+import com.tencent.devops.auth.pojo.dto.ListGroupConditionDTO
import com.tencent.devops.auth.pojo.vo.IamGroupInfoVo
import com.tencent.devops.auth.pojo.vo.IamGroupMemberInfoVo
import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
import com.tencent.devops.auth.service.iam.PermissionResourceService
+import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
import com.tencent.devops.common.api.pojo.Pagination
import com.tencent.devops.common.api.pojo.Result
import com.tencent.devops.common.web.RestResource
@@ -42,6 +44,7 @@ import org.springframework.beans.factory.annotation.Autowired
@RestResource
class UserAuthResourceResourceImpl @Autowired constructor(
private val permissionResourceService: PermissionResourceService,
+ private val permissionResourceValidateService: PermissionResourceValidateService,
private val permissionResourceGroupService: PermissionResourceGroupService
) : UserAuthResourceResource {
override fun hasManagerPermission(
@@ -51,7 +54,7 @@ class UserAuthResourceResourceImpl @Autowired constructor(
resourceCode: String
): Result {
return Result(
- permissionResourceService.hasManagerPermission(
+ permissionResourceValidateService.hasManagerPermission(
userId = userId,
projectId = projectId,
resourceType = resourceType,
@@ -81,16 +84,21 @@ class UserAuthResourceResourceImpl @Autowired constructor(
projectId: String,
resourceType: String,
resourceCode: String,
+ allProjectMembersGroupFlag: Boolean?,
page: Int,
pageSize: Int
): Result> {
return Result(
permissionResourceGroupService.listGroup(
- projectId = projectId,
- resourceType = resourceType,
- resourceCode = resourceCode,
- page = page,
- pageSize = pageSize
+ userId = userId,
+ ListGroupConditionDTO(
+ projectId = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode,
+ getAllProjectMembersGroup = allProjectMembersGroupFlag ?: true,
+ page = page,
+ pageSize = pageSize
+ )
)
)
}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceAuthAuthorizationResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceAuthAuthorizationResourceImpl.kt
new file mode 100644
index 00000000000..16ffdbd9801
--- /dev/null
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceAuthAuthorizationResourceImpl.kt
@@ -0,0 +1,63 @@
+package com.tencent.devops.auth.resources.service
+
+import com.tencent.devops.auth.api.service.ServiceAuthAuthorizationResource
+import com.tencent.devops.auth.service.PermissionAuthorizationService
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionRequest
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverDTO
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationResponse
+import com.tencent.devops.common.web.RestResource
+
+@RestResource
+class ServiceAuthAuthorizationResourceImpl constructor(
+ val permissionAuthorizationService: PermissionAuthorizationService
+) : ServiceAuthAuthorizationResource {
+ override fun addResourceAuthorization(
+ projectId: String,
+ resourceAuthorizationList: List
+ ): Result {
+ return Result(
+ permissionAuthorizationService.addResourceAuthorization(
+ resourceAuthorizationList = resourceAuthorizationList
+ )
+ )
+ }
+
+ override fun getResourceAuthorization(
+ projectId: String,
+ resourceType: String,
+ resourceCode: String
+ ): Result {
+ return Result(
+ permissionAuthorizationService.getResourceAuthorization(
+ projectCode = projectId,
+ resourceType = resourceType,
+ resourceCode = resourceCode
+ )
+ )
+ }
+
+ override fun listResourceAuthorization(
+ projectId: String,
+ condition: ResourceAuthorizationConditionRequest
+ ): Result> {
+ return Result(
+ permissionAuthorizationService.listResourceAuthorizations(
+ condition = condition
+ )
+ )
+ }
+
+ override fun batchModifyHandoverFrom(
+ projectId: String,
+ resourceAuthorizationHandoverList: List
+ ): Result {
+ return Result(
+ permissionAuthorizationService.batchModifyHandoverFrom(
+ resourceAuthorizationHandoverList = resourceAuthorizationHandoverList
+ )
+ )
+ }
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/AuthDeptServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/AuthDeptServiceImpl.kt
index 80e2c8360e3..bedb4278b84 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/AuthDeptServiceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/AuthDeptServiceImpl.kt
@@ -33,39 +33,47 @@ import com.fasterxml.jackson.module.kotlin.readValue
import com.google.common.cache.CacheBuilder
import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
import com.tencent.bk.sdk.iam.dto.response.ResponseDTO
+import com.tencent.devops.auth.common.Constants.DEPT_LABEL
import com.tencent.devops.auth.common.Constants.HTTP_RESULT
+import com.tencent.devops.auth.common.Constants.ID
import com.tencent.devops.auth.common.Constants.LEVEL
import com.tencent.devops.auth.common.Constants.NAME
import com.tencent.devops.auth.common.Constants.PARENT
import com.tencent.devops.auth.common.Constants.USERNAME
-import com.tencent.devops.auth.common.Constants.USER_LABLE
+import com.tencent.devops.auth.common.Constants.USER_LABEL
+import com.tencent.devops.auth.common.Constants.USER_NAME_AND_DISPLAY_NAME_LABEL
import com.tencent.devops.auth.constant.AuthMessageCode
import com.tencent.devops.auth.entity.SearchDeptUserEntity
import com.tencent.devops.auth.entity.SearchProfileDeptEntity
import com.tencent.devops.auth.entity.SearchRetrieveDeptEntity
import com.tencent.devops.auth.entity.SearchUserAndDeptEntity
import com.tencent.devops.auth.entity.UserDeptTreeInfo
+import com.tencent.devops.auth.pojo.BkUserDeptInfo
+import com.tencent.devops.auth.pojo.BkUserInfo
+import com.tencent.devops.auth.pojo.DeptInfo
import com.tencent.devops.auth.pojo.vo.BkUserInfoVo
import com.tencent.devops.auth.pojo.vo.DeptInfoVo
import com.tencent.devops.auth.pojo.vo.UserAndDeptInfoVo
+import com.tencent.devops.common.api.exception.ErrorCodeException
import com.tencent.devops.common.api.exception.OperationException
import com.tencent.devops.common.api.util.JsonUtil
import com.tencent.devops.common.api.util.OkhttpUtils
import com.tencent.devops.common.auth.api.pojo.EsbBaseReq
import com.tencent.devops.common.redis.RedisOperation
import com.tencent.devops.common.web.utils.I18nUtil
+import okhttp3.Headers.Companion.toHeaders
import okhttp3.MediaType.Companion.toMediaTypeOrNull
import okhttp3.Request
import okhttp3.RequestBody
import org.slf4j.LoggerFactory
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.beans.factory.annotation.Value
-import java.util.Optional
+import java.util.concurrent.CopyOnWriteArrayList
import java.util.concurrent.TimeUnit
class AuthDeptServiceImpl @Autowired constructor(
- val redisOperation: RedisOperation,
- val objectMapper: ObjectMapper
+ private val redisOperation: RedisOperation,
+ private val objectMapper: ObjectMapper
) : DeptService {
@Value("\${esb.code:#{null}}")
@@ -90,7 +98,15 @@ class AuthDeptServiceImpl @Autowired constructor(
private val userInfoCache = CacheBuilder.newBuilder()
.maximumSize(10000)
.expireAfterWrite(24, TimeUnit.HOURS)
- .build>()
+ .build()
+
+ private val memberInfoCache = CacheBuilder.newBuilder()
+ .maximumSize(10000)
+ .expireAfterWrite(24, TimeUnit.HOURS)
+ .build()
+
+ // 已离职成员
+ private val departedMembersCache = CopyOnWriteArrayList()
override fun getDeptByLevel(level: Int, accessToken: String?, userId: String): DeptInfoVo {
val search = SearchUserAndDeptEntity(
@@ -141,7 +157,7 @@ class AuthDeptServiceImpl @Autowired constructor(
bk_app_code = appCode,
bk_app_secret = appSecret,
bk_username = userId,
- fields = USER_LABLE,
+ fields = USER_LABEL,
lookupField = USERNAME,
accessToken = accessToken
)
@@ -160,51 +176,27 @@ class AuthDeptServiceImpl @Autowired constructor(
val userInfos = getUserInfo(userSearch)
userInfos.results.forEach {
userAndDeptInfos.add(
- UserAndDeptInfoVo(
- id = it.id,
- name = it.username,
- type = ManagerScopesEnum.USER,
- deptInfo = it.departments,
- extras = it.extras
- )
+ it.toUserAndDeptInfoVo()
)
}
}
ManagerScopesEnum.DEPARTMENT -> {
- val depteInfos = getDeptInfo(deptSearch)
- depteInfos.results.forEach {
- userAndDeptInfos.add(
- UserAndDeptInfoVo(
- id = it.id,
- name = it.name,
- type = ManagerScopesEnum.DEPARTMENT,
- hasChild = it.hasChildren
- )
- )
+ val deptInfos = getDeptInfo(deptSearch)
+ deptInfos.results.forEach {
+ it.toUserAndDeptInfoVo()
}
}
ManagerScopesEnum.ALL -> {
val userInfos = getUserInfo(userSearch)
userInfos.results.forEach {
userAndDeptInfos.add(
- UserAndDeptInfoVo(
- id = it.id,
- name = it.username,
- type = ManagerScopesEnum.USER,
- deptInfo = it.departments,
- extras = it.extras
- )
+ it.toUserAndDeptInfoVo()
)
}
val deptInfos = getDeptInfo(deptSearch)
deptInfos.results.forEach {
userAndDeptInfos.add(
- UserAndDeptInfoVo(
- id = it.id,
- name = it.name,
- type = ManagerScopesEnum.DEPARTMENT,
- hasChild = it.hasChildren
- )
+ it.toUserAndDeptInfoVo()
)
}
}
@@ -250,6 +242,8 @@ class AuthDeptServiceImpl @Autowired constructor(
}
override fun getUserDeptInfo(userId: String): Set {
+ if (userId.endsWith("@tai"))
+ return emptySet()
if (userDeptCache.getIfPresent(userId) != null) {
return userDeptCache.getIfPresent(userId)!!
}
@@ -260,17 +254,138 @@ class AuthDeptServiceImpl @Autowired constructor(
}
override fun getUserInfo(userId: String, name: String): UserAndDeptInfoVo? {
- return userInfoCache.getIfPresent(name)?.get() ?: getUserAndPutInCache(userId, name)
+ return userInfoCache.getIfPresent(name) ?: getUserAndPutInCache(userId, name)
+ }
+
+ override fun getMemberInfo(
+ memberId: String,
+ memberType: ManagerScopesEnum
+ ): UserAndDeptInfoVo {
+ return listMemberInfos(
+ memberIds = listOf(memberId),
+ memberType = memberType
+ ).firstOrNull() ?: throw ErrorCodeException(
+ errorCode = AuthMessageCode.USER_NOT_EXIST,
+ params = arrayOf(memberId),
+ defaultMessage = "member $memberId not exist"
+ )
+ }
+
+ override fun listMemberInfos(
+ memberIds: List