feat：用户个人视角权限管理优化 #11138

TencentBlueKing · Dec 9, 2024 · 6c303d9 · 6c303d9
1 parent a0fb5f1
commit 6c303d9
Show file tree

Hide file tree

Showing 10 changed files with 154 additions and 57 deletions.
diff --git a/...re/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/MemberGroupJoinedDTO.kt b/...re/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/MemberGroupJoinedDTO.kt
@@ -0,0 +1,11 @@
+package com.tencent.devops.auth.pojo.dto
+
+import com.tencent.devops.auth.pojo.enum.MemberType
+import io.swagger.v3.oas.annotations.media.Schema
+
+data class MemberGroupJoinedDTO(
+    @get:Schema(title = "组id")
+    val id: Int,
+    @get:Schema(title = "组成员类型")
+    val memberType: MemberType
+)
diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberCommonConditionReq.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberCommonConditionReq.kt
@@ -1,13 +1,14 @@
 package com.tencent.devops.auth.pojo.request
 
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.auth.pojo.dto.MemberGroupJoinedDTO
 import com.tencent.devops.auth.pojo.enum.OperateChannel
 import io.swagger.v3.oas.annotations.media.Schema
 
 @Schema(title = "用户组成员处理公共请求体")
 open class GroupMemberCommonConditionReq(
     @get:Schema(title = "组IDs")
-    open val groupIds: List<Int> = emptyList(),
+    open val groupIds: List<MemberGroupJoinedDTO> = emptyList(),
     @get:Schema(title = "全选的资源类型")
     open val resourceTypes: List<String> = emptyList(),
     @get:Schema(title = "全量选择")

diff --git a/...h/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberHandoverConditionReq.kt b/...h/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberHandoverConditionReq.kt
@@ -29,14 +29,15 @@ package com.tencent.devops.auth.pojo.request
 
 import com.tencent.devops.auth.constant.AuthMessageCode.INVALID_HANDOVER_TO
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.auth.pojo.dto.MemberGroupJoinedDTO
 import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.common.api.exception.ErrorCodeException
 import io.swagger.v3.oas.annotations.media.Schema
 
 @Schema(title = "用户组成员交接条件请求体")
 data class GroupMemberHandoverConditionReq(
     @get:Schema(title = "组IDs")
-    override val groupIds: List<Int> = emptyList(),
+    override val groupIds: List<MemberGroupJoinedDTO> = emptyList(),
     @get:Schema(title = "全选的资源类型")
     override val resourceTypes: List<String> = emptyList(),
     @get:Schema(title = "全量选择")

diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRemoveConditionReq.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRemoveConditionReq.kt
@@ -29,14 +29,15 @@ package com.tencent.devops.auth.pojo.request
 
 import com.tencent.devops.auth.constant.AuthMessageCode.INVALID_HANDOVER_TO
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.auth.pojo.dto.MemberGroupJoinedDTO
 import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.common.api.exception.ErrorCodeException
 import io.swagger.v3.oas.annotations.media.Schema
 
 @Schema(title = "用户组成员移除条件请求体")
 data class GroupMemberRemoveConditionReq(
     @get:Schema(title = "组IDs")
-    override val groupIds: List<Int> = emptyList(),
+    override val groupIds: List<MemberGroupJoinedDTO> = emptyList(),
     @get:Schema(title = "全选的资源类型")
     override val resourceTypes: List<String> = emptyList(),
     @get:Schema(title = "全量选择")

diff --git a/...th/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRenewalConditionReq.kt b/...th/src/main/kotlin/com/tencent/devops/auth/pojo/request/GroupMemberRenewalConditionReq.kt
@@ -28,13 +28,14 @@
 package com.tencent.devops.auth.pojo.request
 
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
+import com.tencent.devops.auth.pojo.dto.MemberGroupJoinedDTO
 import com.tencent.devops.auth.pojo.enum.OperateChannel
 import io.swagger.v3.oas.annotations.media.Schema
 
 @Schema(title = "用户组成员续期")
 data class GroupMemberRenewalConditionReq(
     @get:Schema(title = "组IDs")
-    override val groupIds: List<Int>,
+    override val groupIds: List<MemberGroupJoinedDTO>,
     @get:Schema(title = "全选某种资源类型下的用户组")
     override val resourceTypes: List<String> = emptyList(),
     @get:Schema(title = "全量选择")

diff --git a/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/GroupDetailsInfoVo.kt b/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/vo/GroupDetailsInfoVo.kt
@@ -1,6 +1,7 @@
 package com.tencent.devops.auth.pojo.vo
 
 import com.tencent.devops.auth.pojo.enum.JoinedType
+import com.tencent.devops.auth.pojo.enum.MemberType
 import com.tencent.devops.auth.pojo.enum.RemoveMemberButtonControl
 import io.swagger.v3.oas.annotations.media.Schema
 
@@ -31,5 +32,7 @@ data class GroupDetailsInfoVo(
     @get:Schema(title = "操作人")
     val operator: String,
     @get:Schema(title = "是否正在交接")
-    val beingHandedOver: Boolean? = null
+    val beingHandedOver: Boolean? = null,
+    @get:Schema(title = "组成员类型")
+    val memberType: MemberType? = null
 )
diff --git a/...e/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupMemberDao.kt b/...e/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupMemberDao.kt
@@ -548,7 +548,6 @@ class AuthResourceGroupMemberDao {
         iamTemplateIds: List<String>,
         resourceType: String? = null,
         iamGroupIds: List<Int>? = null,
-        excludeIamGroupIds: List<Int>? = null,
         minExpiredAt: LocalDateTime? = null,
         maxExpiredAt: LocalDateTime? = null,
         memberDeptInfos: List<String>? = null
@@ -559,7 +558,6 @@ class AuthResourceGroupMemberDao {
             iamTemplateIds = iamTemplateIds,
             resourceType = resourceType,
             iamGroupIds = iamGroupIds,
-            excludeIamGroupIds = excludeIamGroupIds,
             minExpiredAt = minExpiredAt,
             maxExpiredAt = maxExpiredAt,
             memberDeptInfos = memberDeptInfos
@@ -584,28 +582,58 @@ class AuthResourceGroupMemberDao {
         minExpiredAt: LocalDateTime? = null,
         maxExpiredAt: LocalDateTime? = null,
         memberDeptInfos: List<String>? = null,
-        operateChannel: OperateChannel?
+        filterMemberType: MemberType? = null,
+        onlyExcludeUserDirectlyJoined: Boolean? = false
     ): Long {
         val conditions = buildMemberGroupCondition(
             projectCode = projectCode,
             memberId = memberId,
             iamTemplateIds = iamTemplateIds,
             resourceType = resourceType,
             iamGroupIds = iamGroupIds,
-            excludeIamGroupIds = excludeIamGroupIds,
             minExpiredAt = minExpiredAt,
             maxExpiredAt = maxExpiredAt,
             memberDeptInfos = memberDeptInfos,
-            operateChannel = operateChannel
+            filterMemberType = filterMemberType
+        )
+        val excludeConditions = buildExcludeMemberGroupCondition(
+            excludeIamGroupIds = excludeIamGroupIds,
+            onlyExcludeUserDirectlyJoined = onlyExcludeUserDirectlyJoined
         )
         return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
             dslContext.select(count())
                 .from(this)
                 .where(conditions)
+                .let {
+                    excludeConditions.forEach { excludeCondition ->
+                        it.andNot(excludeCondition)
+                    }
+                    it
+                }
                 .fetchOne(0, Long::class.java) ?: 0L
         }
     }
 
+    fun buildExcludeMemberGroupCondition(
+        excludeIamGroupIds: List<Int>?,
+        // 仅排除用户直接加入的组
+        onlyExcludeUserDirectlyJoined: Boolean?,
+    ): MutableList<Condition> {
+        val conditions = mutableListOf<Condition>()
+        with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
+            if (!excludeIamGroupIds.isNullOrEmpty()) {
+                // 仅排除用户直接加入的用户组
+                if (onlyExcludeUserDirectlyJoined == true) {
+                    conditions.add(IAM_GROUP_ID.notIn(excludeIamGroupIds).and(MEMBER_TYPE.eq(MemberType.USER.type)))
+                } else {
+                    // 会把组织/用户/模板加入的組都排除
+                    conditions.add(IAM_GROUP_ID.notIn(excludeIamGroupIds))
+                }
+            }
+        }
+        return conditions
+    }
+
     fun listMemberGroupIdsInProject(
         dslContext: DSLContext,
         projectCode: String,
@@ -638,7 +666,8 @@ class AuthResourceGroupMemberDao {
         minExpiredAt: LocalDateTime? = null,
         maxExpiredAt: LocalDateTime? = null,
         memberDeptInfos: List<String>? = null,
-        operateChannel: OperateChannel? = null,
+        filterMemberType: MemberType? = null,
+        onlyExcludeUserDirectlyJoined: Boolean? = false,
         offset: Int? = null,
         limit: Int? = null
     ): List<AuthResourceGroupMember> {
@@ -648,15 +677,24 @@ class AuthResourceGroupMemberDao {
             iamTemplateIds = iamTemplateIds,
             resourceType = resourceType,
             iamGroupIds = iamGroupIds,
-            excludeIamGroupIds = excludeIamGroupIds,
             minExpiredAt = minExpiredAt,
             maxExpiredAt = maxExpiredAt,
             memberDeptInfos = memberDeptInfos,
-            operateChannel = operateChannel
+            filterMemberType = filterMemberType
+        )
+        val excludeConditions = buildExcludeMemberGroupCondition(
+            excludeIamGroupIds = excludeIamGroupIds,
+            onlyExcludeUserDirectlyJoined = onlyExcludeUserDirectlyJoined
         )
         return with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
             dslContext.selectFrom(this)
                 .where(conditions)
+                .let {
+                    excludeConditions.forEach { excludeCondition ->
+                        it.andNot(excludeCondition)
+                    }
+                    it
+                }
                 .orderBy(IAM_GROUP_ID.desc())
                 .let { if (offset != null && limit != null) it.offset(offset).limit(limit) else it }
                 .fetch()
@@ -670,11 +708,10 @@ class AuthResourceGroupMemberDao {
         iamTemplateIds: List<String>,
         resourceType: String? = null,
         iamGroupIds: List<Int>? = null,
-        excludeIamGroupIds: List<Int>? = null,
         minExpiredAt: LocalDateTime? = null,
         maxExpiredAt: LocalDateTime? = null,
         memberDeptInfos: List<String>? = null,
-        operateChannel: OperateChannel? = null
+        filterMemberType: MemberType? = null
     ): MutableList<Condition> {
         val conditions = mutableListOf<Condition>()
         with(TAuthResourceGroupMember.T_AUTH_RESOURCE_GROUP_MEMBER) {
@@ -698,20 +735,13 @@ class AuthResourceGroupMemberDao {
                         it
                     }
                 })
+            filterMemberType?.let { conditions.add(MEMBER_TYPE.eq(filterMemberType.type)) }
             resourceType?.let { conditions.add(RESOURCE_TYPE.eq(resourceType)) }
             minExpiredAt?.let { conditions.add(EXPIRED_TIME.ge(minExpiredAt)) }
             maxExpiredAt?.let { conditions.add(EXPIRED_TIME.le(maxExpiredAt)) }
             if (!iamGroupIds.isNullOrEmpty()) {
                 conditions.add(IAM_GROUP_ID.`in`(iamGroupIds))
             }
-            if (!excludeIamGroupIds.isNullOrEmpty()) {
-                // 个人渠道排除用户组ID时，仅排除用户直接加入的组
-                if (operateChannel == OperateChannel.PERSONAL) {
-                    conditions.add(IAM_GROUP_ID.notIn(excludeIamGroupIds).and(MEMBER_TYPE.eq(MemberType.USER.type)))
-                } else {
-                    conditions.add(IAM_GROUP_ID.notIn(excludeIamGroupIds))
-                }
-            }
         }
         return conditions
     }