Merge pull request #9097 from fcfang123/issue-9093

实现openapi RBAC权限版本项目下用户组添加成员 #9093
TencentBlueKing · Jul 25, 2023 · ff0c14b · ff0c14b
2 parents 75ca730 + 62d0e3b
commit ff0c14b
Show file tree

Hide file tree

Showing 11 changed files with 156 additions and 26 deletions.
diff --git a/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt b/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt
@@ -166,7 +166,7 @@ interface ServiceProjectAuthResource {
 
     @POST
     @Path("/{projectCode}/createUser")
-    @ApiOperation("添加用户到指定项目指定分组")
+    @ApiOperation("添加单个用户到指定项目指定分组")
     fun createProjectUser(
         @HeaderParam(AUTH_HEADER_DEVOPS_BK_TOKEN)
         @ApiParam("认证token", required = true)
@@ -182,6 +182,26 @@ interface ServiceProjectAuthResource {
         roleCode: String
     ): Result<Boolean>
 
+    @POST
+    @Path("/{projectCode}/batchCreateProjectUser/{roleCode}")
+    @ApiOperation("批量添加用户到指定项目指定分组")
+    fun batchCreateProjectUser(
+        @HeaderParam(AUTH_HEADER_DEVOPS_BK_TOKEN)
+        @ApiParam("认证token", required = true)
+        token: String,
+        @ApiParam(name = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @ApiParam(name = "项目Code", required = true)
+        @PathParam("projectCode")
+        projectCode: String,
+        @ApiParam(name = "用户组Code", required = true)
+        @PathParam("roleCode")
+        roleCode: String,
+        @ApiParam("添加用户集合", required = true)
+        members: List<String>
+    ): Result<Boolean>
+
     @GET
     @Path("/{projectCode}/roles")
     @ApiOperation("获取项目角色")

diff --git a/...uth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt b/...uth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt
@@ -220,15 +220,19 @@ class RbacAuthConfiguration {
         iamConfiguration: IamConfiguration,
         authResourceGroupDao: AuthResourceGroupDao,
         dslContext: DSLContext,
-        rbacCacheService: RbacCacheService
+        rbacCacheService: RbacCacheService,
+        deptService: DeptService,
+        permissionGradeManagerService: PermissionGradeManagerService
     ) = RbacPermissionProjectService(
         authHelper = authHelper,
         authResourceService = authResourceService,
         iamV2ManagerService = iamV2ManagerService,
         iamConfiguration = iamConfiguration,
         authResourceGroupDao = authResourceGroupDao,
         dslContext = dslContext,
-        rbacCacheService = rbacCacheService
+        rbacCacheService = rbacCacheService,
+        deptService = deptService,
+        permissionGradeManagerService = permissionGradeManagerService
     )
 
     @Bean

diff --git a/...uth-rbac/src/main/kotlin/com/tencent/devops/auth/service/PermissionGradeManagerService.kt b/...uth-rbac/src/main/kotlin/com/tencent/devops/auth/service/PermissionGradeManagerService.kt
@@ -505,13 +505,13 @@ class PermissionGradeManagerService @Autowired constructor(
 
     fun listGroup(
         gradeManagerId: String,
+        searchGroupDTO: SearchGroupDTO,
         page: Int,
         pageSize: Int
     ): List<V2ManagerRoleGroupInfo> {
         val pageInfoDTO = V2PageInfoDTO()
         pageInfoDTO.page = page
         pageInfoDTO.pageSize = pageSize
-        val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
         val iamGroupInfoList = iamV2ManagerService.getGradeManagerRoleGroupV2(
             gradeManagerId,
             searchGroupDTO,

diff --git a/...auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/...auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt
@@ -32,12 +32,15 @@ import com.tencent.bk.sdk.iam.config.IamConfiguration
 import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
 import com.tencent.bk.sdk.iam.dto.InstanceDTO
 import com.tencent.bk.sdk.iam.dto.PageInfoDTO
-import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.manager.ManagerMember
+import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerMemberGroupDTO
 import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
 import com.tencent.bk.sdk.iam.helper.AuthHelper
 import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
+import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.auth.dao.AuthResourceGroupDao
 import com.tencent.devops.auth.service.iam.PermissionProjectService
+import com.tencent.devops.common.api.exception.ErrorCodeException
 import com.tencent.devops.common.auth.api.AuthPermission
 import com.tencent.devops.common.auth.api.AuthResourceType
 import com.tencent.devops.common.auth.api.pojo.BKAuthProjectRolesResources
@@ -46,6 +49,7 @@ import com.tencent.devops.common.auth.api.pojo.BkAuthGroupAndUserList
 import com.tencent.devops.common.auth.utils.RbacAuthUtils
 import org.jooq.DSLContext
 import org.slf4j.LoggerFactory
+import java.util.concurrent.TimeUnit
 
 @Suppress("LongParameterList")
 class RbacPermissionProjectService(
@@ -55,11 +59,15 @@ class RbacPermissionProjectService(
     private val iamConfiguration: IamConfiguration,
     private val authResourceGroupDao: AuthResourceGroupDao,
     private val dslContext: DSLContext,
-    private val rbacCacheService: RbacCacheService
+    private val rbacCacheService: RbacCacheService,
+    private val deptService: DeptService,
+    private val permissionGradeManagerService: PermissionGradeManagerService
 ) : PermissionProjectService {
 
     companion object {
         private val logger = LoggerFactory.getLogger(RbacPermissionProjectService::class.java)
+        private const val expiredAt = 365L
+        private const val USER_TYPE = "user"
     }
 
     override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List<String> {
@@ -92,17 +100,13 @@ class RbacPermissionProjectService(
             resourceType = AuthResourceType.PROJECT.value,
             resourceCode = projectCode
         ).relationId
-        // 2、获取分级管理员下所有的用户组
-        val v2PageInfoDTO = V2PageInfoDTO().apply {
-            page = 1
-            pageSize = 1000
-        }
         val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
-        val groupInfoList = iamV2ManagerService.getGradeManagerRoleGroupV2(
-            gradeManagerId,
-            searchGroupDTO,
-            v2PageInfoDTO
-        ).results
+        val groupInfoList = permissionGradeManagerService.listGroup(
+            gradeManagerId = gradeManagerId,
+            searchGroupDTO = searchGroupDTO,
+            page = 1,
+            pageSize = 1000
+        )
         logger.info(
             "[RBAC-IAM] getProjectGroupAndUserList: projectCode = $projectCode |" +
                 " gradeManagerId = $gradeManagerId | groupInfoList: $groupInfoList"
@@ -206,6 +210,51 @@ class RbacPermissionProjectService(
         return true
     }
 
+    override fun batchCreateProjectUser(
+        userId: String,
+        projectCode: String,
+        roleCode: String,
+        members: List<String>
+    ): Boolean {
+        logger.info("batchCreateProjectUser:$userId|$projectCode|$roleCode|$members")
+        members.forEach {
+            deptService.getUserInfo(
+                userId = "admin",
+                name = it
+            ) ?: throw ErrorCodeException(
+                errorCode = AuthMessageCode.USER_NOT_EXIST,
+                params = arrayOf(it),
+                defaultMessage = "user $it not exist"
+            )
+        }
+        val iamGroupId = if (roleCode == BkAuthGroup.CI_MANAGER.value) {
+            authResourceGroupDao.getByGroupName(
+                dslContext = dslContext,
+                projectCode = projectCode,
+                resourceType = AuthResourceType.PROJECT.value,
+                resourceCode = projectCode,
+                groupName = BkAuthGroup.CI_MANAGER.groupName
+            )?.relationId
+        } else {
+            authResourceGroupDao.get(
+                dslContext = dslContext,
+                projectCode = projectCode,
+                resourceType = AuthResourceType.PROJECT.value,
+                resourceCode = projectCode,
+                groupCode = roleCode
+            )?.relationId
+        } ?: throw ErrorCodeException(
+            errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST,
+            params = arrayOf(roleCode),
+            defaultMessage = "group $roleCode not exist"
+        )
+        val iamMemberInfos = members.map { ManagerMember(USER_TYPE, it) }
+        val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt)
+        val managerMemberGroup = ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build()
+        iamV2ManagerService.createRoleGroupMemberV2(iamGroupId.toInt(), managerMemberGroup)
+        return true
+    }
+
     override fun getProjectRoles(projectCode: String, projectId: String): List<BKAuthProjectRolesResources> {
         return emptyList()
     }

diff --git a/...bac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionResourceGroupService.kt b/...bac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionResourceGroupService.kt
@@ -92,8 +92,10 @@ class RbacPermissionResourceGroupService @Autowired constructor(
         val validPage = PageUtil.getValidPage(page)
         val validPageSize = PageUtil.getValidPageSize(pageSize)
         val iamGroupInfoList = if (resourceType == AuthResourceType.PROJECT.value) {
+            val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
             permissionGradeManagerService.listGroup(
                 gradeManagerId = resourceInfo.relationId,
+                searchGroupDTO = searchGroupDTO,
                 page = validPage,
                 pageSize = validPageSize
             )

diff --git a/...c/main/kotlin/com/tencent/devops/auth/resources/service/ServiceProjectAuthResourceImpl.kt b/...c/main/kotlin/com/tencent/devops/auth/resources/service/ServiceProjectAuthResourceImpl.kt
@@ -129,6 +129,23 @@ class ServiceProjectAuthResourceImpl @Autowired constructor(
         )
     }
 
+    override fun batchCreateProjectUser(
+        token: String,
+        userId: String,
+        projectCode: String,
+        roleCode: String,
+        members: List<String>
+    ): Result<Boolean> {
+        return Result(
+            permissionProjectService.batchCreateProjectUser(
+                userId = userId,
+                projectCode = projectCode,
+                roleCode = roleCode,
+                members = members
+            )
+        )
+    }
+
     override fun getProjectRoles(
         token: String,
         projectCode: String,

diff --git a/.../biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionProjectService.kt b/.../biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionProjectService.kt
@@ -47,5 +47,12 @@ interface PermissionProjectService {
 
     fun createProjectUser(userId: String, projectCode: String, roleCode: String): Boolean
 
+    fun batchCreateProjectUser(
+        userId: String,
+        projectCode: String,
+        roleCode: String,
+        members: List<String>
+    ): Boolean
+
     fun getProjectRoles(projectCode: String, projectId: String): List<BKAuthProjectRolesResources>
 }
diff --git a/...h/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionProjectService.kt b/...h/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionProjectService.kt
@@ -178,6 +178,13 @@ abstract class AbsPermissionProjectService @Autowired constructor(
         return true
     }
 
+    override fun batchCreateProjectUser(
+        userId: String,
+        projectCode: String,
+        roleCode: String,
+        members: List<String>
+    ): Boolean = true
+
     override fun getProjectRoles(projectCode: String, projectId: String): List<BKAuthProjectRolesResources> {
         val roleInfos = permissionRoleService.getPermissionRole(projectId.toInt())
         logger.info("[IAM] getProjectRoles : roleInfos = $roleInfos")

diff --git a/.../main/kotlin/com/tencent/devops/auth/service/sample/SampleAuthPermissionProjectService.kt b/.../main/kotlin/com/tencent/devops/auth/service/sample/SampleAuthPermissionProjectService.kt
@@ -34,6 +34,13 @@ class SampleAuthPermissionProjectService : PermissionProjectService {
         return true
     }
 
+    override fun batchCreateProjectUser(
+        userId: String,
+        projectCode: String,
+        roleCode: String,
+        members: List<String>
+    ): Boolean = true
+
     override fun getProjectRoles(projectCode: String, projectId: String): List<BKAuthProjectRolesResources> {
         return emptyList()
     }

diff --git a/.../main/kotlin/com/tencent/devops/auth/service/stream/StreamPermissionProjectServiceImpl.kt b/.../main/kotlin/com/tencent/devops/auth/service/stream/StreamPermissionProjectServiceImpl.kt
@@ -79,6 +79,13 @@ class StreamPermissionProjectServiceImpl @Autowired constructor(
         return false
     }
 
+    override fun batchCreateProjectUser(
+        userId: String,
+        projectCode: String,
+        roleCode: String,
+        members: List<String>
+    ): Boolean = true
+
     override fun getProjectRoles(
         projectCode: String,
         projectId: String

diff --git a/...th/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt b/...th/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt
@@ -32,23 +32,26 @@ package com.tencent.devops.common.auth.api.pojo
  */
 enum class BkAuthGroup(
     val value: String,
-    val groupName: String
+    val groupName: String,
+    /*用于兼容v0的角色ID*/
+    val roleId: Int
 ) {
-    CIADMIN("ciAdmin", "CI管理员"), // CI管理员
-    MANAGER("manager", "管理员"), // 管理员
-    DEVELOPER("developer", "开发人员"), // 开发人员
-    MAINTAINER("maintainer", "运维人员"), // 运维人员
-    TESTER("tester", "测试人员"), // 测试人员
-    PM("pm", "产品人员"), // 产品人员
-    QC("qc", "质量管理员"), // 质量管理员
-    CI_MANAGER("ci_manager", "CI管理员,流水线组使用"); // CI 管理员
+    CIADMIN("ciAdmin", "CI管理员", 1), // CI管理员
+    MANAGER("manager", "管理员", 2), // 管理员
+    DEVELOPER("developer", "开发人员", 4), // 开发人员
+    MAINTAINER("maintainer", "运维人员", 5), // 运维人员
+    TESTER("tester", "测试人员", 8), // 测试人员
+    PM("pm", "产品人员", 6), // 产品人员
+    QC("qc", "质量管理员", 7), // 质量管理员
+    CI_MANAGER("ci_manager", "CI管理员", 9), // CI 管理员,流水线组及v0会使用到，新版RBAC废除
+    GRADE_ADMIN("gradeAdmin", "分级管理员", 0); // 分级管理员
 
     companion object {
         fun get(value: String): BkAuthGroup {
             values().forEach {
                 if (value == it.value) return it
             }
-            throw IllegalArgumentException("No enum for constant $value")
+            throw IllegalArgumentException("roleName($value) does not exist!")
         }
 
         fun contains(value: String): Boolean {
@@ -57,5 +60,12 @@ enum class BkAuthGroup(
             }
             return false
         }
+
+        fun getByRoleId(roleId: Int): BkAuthGroup {
+            values().forEach {
+                if (roleId == it.roleId) return it
+            }
+            throw IllegalArgumentException("roleId($roleId) does not exist!")
+        }
     }
 }