From 8d2f677db9c9b79f82debf94e659f0030c42a60b Mon Sep 17 00:00:00 2001
From: greysonfang
Date: Mon, 25 Nov 2024 12:01:10 +0800
Subject: [PATCH 1/3] =?UTF-8?q?feat=EF=BC=9A=E8=8E=B7=E5=8F=96=E6=9C=89?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E7=9A=84=E8=B5=84=E6=BA=90=E6=8E=A5=E5=8F=A3?=
 =?UTF-8?q?=E4=BC=98=E5=8C=96=20#11246?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../rbac/service/RbacPermissionService.kt | 22 ++++++++
 .../AbstractPipelinePermissionService.kt | 2 +-
 .../RbacPipelinePermissionService.kt | 50 +++++--------------
 3 files changed, 36 insertions(+), 38 deletions(-)
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
index 3523cbf55445..1fb82327a86d 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
@@ -51,6 +51,7 @@ import com.tencent.devops.common.auth.rbac.utils.RbacAuthUtils
 import com.tencent.devops.common.client.Client
 import com.tencent.devops.common.service.trace.TraceTag
 import com.tencent.devops.common.service.utils.LogUtils
+import com.tencent.devops.process.api.service.ServicePipelineViewResource
 import com.tencent.devops.process.api.user.UserPipelineViewResource
 import org.slf4j.LoggerFactory
 import org.slf4j.MDC
@@ -360,6 +361,27 @@ class RbacPermissionService(
 projectCode = projectCode,
 resourceType = resourceType
 )
+
+ resourceType == AuthResourceType.PIPELINE_DEFAULT.value -> {
+ val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds ->
+ client.get(ServicePipelineViewResource::class).listPipelineIdByViewIds(projectCode, authViewIds).data
+ } ?: emptyList()
+
+ val authPipelineIamIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList()
+ val pipelineIds = mutableSetOf().apply {
+ addAll(authViewPipelineIds)
+ addAll(
+ getFinalResourceCodes(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ iamResourceCodes = authPipelineIamIds,
+ createUser = userId
+ )
+ )
+ }
+ pipelineIds.toList()
+ }
+
 // 返回具体资源列表
 else -> {
 val iamResourceCodes = instanceMap[resourceType] ?: emptyList()
diff --git a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt
index 0ddfb5f80d67..59bfb9489688 100644
--- a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt
+++ b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt
@@ -242,6 +242,6 @@ abstract class AbstractPipelinePermissionService constructor(
 }
 override fun isControlPipelineListPermission(projectId: String): Boolean {
- return true
+ return false
 }
 }
diff --git a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt
index e841cecf1f05..e56409ea909f 100644
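Review bot: The two ID sources in the new PIPELINE_DEFAULT branch are treated asymmetrically: the IAM pipeline IDs go through `getFinalResourceCodes(..., createUser = userId)` while the view-derived IDs returned by listPipelineIdByViewIds are added to the set as-is, so whatever getFinalResourceCodes filters out or adds (its body is not visible here) is skipped for pipelines reached through a pipeline group — worth confirming that is intended. The remote call's `.data` folds into `?: emptyList()`, which fails closed (fewer pipelines rather than an error) but silently; logging when `.data` is null would make a failing process-service call distinguishable from a user who simply has no group grants. The branch also lacks the one-line comment its sibling `else` branch carries; `// pipeline: merge pipelines reachable through authorized pipeline groups with directly authorized pipelines` above `resourceType == AuthResourceType.PIPELINE_DEFAULT.value -> {` would match the file's style. The enclosing `when` starts before this hunk.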
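Review bot: Flipping the default of isControlPipelineListPermission in the abstract base from `true` to `false` changes behaviour for every subclass that does not override it, and the hunk does not show which ones do; where a caller uses this flag to decide whether a pipeline listing must be filtered through getResourceByPermission, a non-overriding implementation would now skip that filtering. Please confirm each concrete permission service either overrides the method or is meant to answer false, and record the contract on the method with a KDoc such as `/** Whether pipeline list results must be filtered by permission. Defaults to false; implementations that enforce list permission override this. */`. The enclosing class starts before this hunk.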
--- a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt
+++ b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt
@@ -186,43 +186,19 @@ class RbacPipelinePermissionService(
 }
 }
- override fun getResourceByPermission(userId: String, projectId: String, permission: AuthPermission): List {
- logger.info("[rbac] get resource by permission|$userId|$projectId|$permission")
- val startEpoch = System.currentTimeMillis()
- try {
- // 获取有权限的流水线、流水线组、项目列表
- val instanceMap = authPermissionApi.getUserResourceAndParentByPermission(
- user = userId,
- serviceCode = pipelineAuthServiceCode,
- projectCode = projectId,
- permission = permission,
- resourceType = resourceType
- )
- return when {
- // 如果有项目下所有该资源权限,返回项目下流水线列表
- instanceMap[AuthResourceType.PROJECT.value]?.contains(projectId) == true ->
- getAllAuthPipelineIds(projectId = projectId)
-
- else -> {
- // 获取有权限流水线组下的流水线
- val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds ->
- pipelineViewGroupCommonService.listPipelineIdsByViewIds(projectId, authViewIds)
- } ?: emptyList()
- // 获取有权限的流水线列表
- val authPipelineIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList()
-
- val pipelineIds = mutableSetOf()
- pipelineIds.addAll(authViewPipelineIds)
- pipelineIds.addAll(authPipelineIds)
- pipelineIds.toList()
- }
- }
- } finally {
- logger.info(
- "It take(${System.currentTimeMillis() - startEpoch})ms to get resource by permission|" +
- "$userId|$projectId|$permission"
- )
- }
+ override fun getResourceByPermission(
+ userId: String,
+ projectId: String,
+ permission: AuthPermission
+ ): List {
+ return authPermissionApi.getUserResourceByPermission(
+ user = userId,
+ serviceCode = pipelineAuthServiceCode,
+ resourceType = resourceType,
+ projectCode = projectId,
+ permission = permission,
+ supplier = null
+ )
 }
 override fun filterPipelines(
From cde273d591763143ca6082d39e0d3560b45ccb4c Mon Sep 17 00:00:00 2001
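Review bot: The rewritten getResourceByPermission now depends entirely on the auth service's getUserResourceByPermission to fold in project-wide grants and pipeline-group pipelines, which the removed body computed locally via getAllAuthPipelineIds and listPipelineIdsByViewIds; that logic now lives only in the auth service's PIPELINE_DEFAULT branch from the first file of this patch, so the two services have to be rolled out together — against an older auth service the call would presumably return just the directly authorized pipelines, silently shrinking what users can see (fail-closed, but a user-visible regression). `supplier = null` deserves a one-line comment saying what a null supplier means for this call, since nothing in the hunk explains it. The timing log around the old body is gone too, which is fine only if the auth side still logs the latency of this lookup. The enclosing class continues outside the hunk.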
From: greysonfang
Date: Mon, 6 Jan 2025 19:22:37 +0800
Subject: [PATCH 2/3] =?UTF-8?q?feat=EF=BC=9A=E8=8E=B7=E5=8F=96=E6=9C=89?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E7=9A=84=E8=B5=84=E6=BA=90=E6=8E=A5=E5=8F=A3?=
 =?UTF-8?q?=E4=BC=98=E5=8C=96=20#11246?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../auth/provider/rbac/service/RbacPermissionService.kt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
index 1fb82327a86d..447bb9168ded 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
@@ -364,7 +364,10 @@ class RbacPermissionService(
 resourceType == AuthResourceType.PIPELINE_DEFAULT.value -> {
 val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds ->
- client.get(ServicePipelineViewResource::class).listPipelineIdByViewIds(projectCode, authViewIds).data
+ client.get(ServicePipelineViewResource::class).listPipelineIdByViewIds(
+ projectId = projectCode,
+ viewIdsEncode = authViewIds
+ ).data
 } ?: emptyList()
 val authPipelineIamIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList()
From 9049080596c6465df757a9a42df18aa8cb27bb5e Mon Sep 17 00:00:00 2001
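Review bot: The named argument `viewIdsEncode = authViewIds` makes explicit that listPipelineIdByViewIds expects encoded view IDs, but authViewIds come straight out of the IAM instance map for PIPELINE_GROUP and the hunk does not show whether IAM stores them in that same encoded form; if it does not, the lookup returns nothing and users silently lose every pipeline granted through a group (fail-closed, but invisible). Worth confirming against the code that registers pipeline-group instances in IAM and recording the answer above the call, e.g. `// IAM pipeline-group instance IDs are the encoded view IDs that viewIdsEncode expects`. The enclosing branch starts and ends outside this hunk.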
From: greysonfang
Date: Wed, 11 Dec 2024 10:55:30 +0800
Subject: [PATCH 3/3] =?UTF-8?q?bug=EF=BC=9A=E7=94=A8=E6=88=B7=E7=BB=84?=
 =?UTF-8?q?=E7=BB=AD=E6=9C=9F=E7=9B=B8=E5=85=B3=E9=80=BB=E8=BE=91=E4=BC=98?=
 =?UTF-8?q?=E5=8C=96=20#11305?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../RbacPermissionResourceGroupSyncService.kt | 15 +++++++++++----
 .../RbacPermissionResourceMemberService.kt | 2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
index dd986dbebbda..477c5043982e 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
@@ -29,6 +29,7 @@ package com.tencent.devops.auth.provider.rbac.service
 import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
 import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.manager.GroupMemberVerifyInfo
 import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
 import com.tencent.bk.sdk.iam.exception.IamException
 import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
@@ -161,10 +162,16 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor(
 if (deptService.isUserDeparted(memberId)) {
 return@forEach
 }
- val verifyResults = iamV2ManagerService.verifyGroupValidMember(
- memberId,
- groupInfos.joinToString(",") { it.iamGroupId.toString() }
- )
+ // 获取用户加入组的有效期
+ val groupIds = groupInfos.map { it.iamGroupId }
+ val verifyResults = mutableMapOf()
+ groupIds.chunked(20).forEach { batchGroupIds ->
+ val batchVerifyGroupValidMember = iamV2ManagerService.verifyGroupValidMember(
+ memberId,
+ batchGroupIds.joinToString(",")
+ )
+ verifyResults.putAll(batchVerifyGroupValidMember)
+ }
 verifyResults.forEach { (groupId, verifyResult) ->
 if (verifyResult.belong == true && verifyResult.expiredAt > LocalDateTime.now().timestamp()) {
 logger.info("The member of group needs to be renewed:$projectCode|$groupId|$memberId")
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
index b0ad89bd2453..9c44f61526e1 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
@@ -589,7 +589,7 @@ class RbacPermissionResourceMemberService(
 groupId: Int,
 memberRenewalDTO: GroupMemberRenewalDTO
 ): Boolean {
- logger.info("renewal group member|$userId|$projectCode|$resourceType|$groupId")
+ logger.info("renewal group member|$userId|$projectCode|$resourceType|$groupId|${memberRenewalDTO.expiredAt}")
 val managerMemberGroupDTO = GroupMemberRenewApplicationDTO.builder()
 .groupIds(listOf(groupId))
 .expiredAt(memberRenewalDTO.expiredAt)
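Review bot: The batch size in `groupIds.chunked(20)` is a magic number that presumably mirrors a limit on how many group IDs the IAM verifyGroupValidMember call accepts, but nothing in the hunk says so; hoist it to a named constant in the companion object, e.g. `private const val VERIFY_GROUP_BATCH_SIZE = 20 // max group ids per IAM verify call — confirm against the IAM API`, so the next reader can tell whether 20 is a hard API limit or an arbitrary choice. The batches run sequentially and, as before, an IamException from any one batch aborts the whole member's check; if partial results are acceptable here, catching per batch and logging the failed group IDs would keep one bad batch from blocking the renewal notices for the others. The enclosing forEach and the function continue outside the hunk.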