From 6dcf1804e3ea7b3aebd11104e58bad35612df349 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Mon, 9 Dec 2024 20:33:56 +0800 Subject: [PATCH] =?UTF-8?q?feat=EF=BC=9A=E7=94=A8=E6=88=B7=E4=B8=AA?= =?UTF-8?q?=E4=BA=BA=E8=A7=86=E8=A7=92=20=E6=9D=83=E9=99=90=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E4=BC=98=E5=8C=96=20#11138?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tencent/devops/auth/constant/AuthMessageCode.kt | 2 +- .../RbacPermissionHandoverApplicationService.kt | 3 +-- .../RbacPermissionManageFacadeServiceImpl.kt | 13 +++++++++---- .../service/PermissionAuthorizationServiceImpl.kt | 6 +++--- support-files/i18n/auth/message_zh_CN.properties | 3 +-- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt index 9d7683c9531..fcc1f10c576 100644 --- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt @@ -148,6 +148,6 @@ object AuthMessageCode { const val ERROR_HANDOVER_REVOKE = "2121093" // 由于您不是该交接申请单的发起人,无法进行撤销操作 const val ERROR_HANDOVER_APPROVAL = "2121094" // 由于您不是该交接申请单的审批人,无法进行任何操作 const val ERROR_HANDOVER_HANDLE = "2121095" // 该交接申请单正在被处理中,请耐心等待 - const val ERROR_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法,用户没有对应授权的权限 + const val ERROR_REPERTORY_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法,用户没有对应代码库授权的权限 const val ERROR_SINGLE_GROUP_REMOVE = "2121098" // 由于直接退出用户组,会导致授权失效,必须进行用户组移交 } 
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionHandoverApplicationService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionHandoverApplicationService.kt index 60a46e4dad0..22d41a73015 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionHandoverApplicationService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionHandoverApplicationService.kt @@ -66,8 +66,7 @@ class RbacPermissionHandoverApplicationService( return I18nUtil.getCodeLanMessage(messageCode = AuthI18nConstants.BK_APPLY_TO_HANDOVER).let { when { groupCount > 0 && authorizationCount > 0 -> { - it.plus(I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))).plus(",") - it.plus( + it.plus(I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))).plus(",").plus( I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_AUTHORIZATIONS, params = arrayOf(authorizationCount.toString())) ) } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt index 3f1cc5fca64..8305fafe844 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt 
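Review bot: The separator between the two fragments is a hard-coded ASCII `","` spliced into an otherwise localized message, in the `groupCount > 0 && authorizationCount > 0` branch. The chained `plus` does fix the earlier discarded result, but punctuation that differs by locale is better carried by the message bundle than by the code. The single chained expression is also hard to read; two named locals and a template would say the same thing, for example `val groups = I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))` followed by `"$it$groups,$authorizations"`. The enclosing `when` continues outside the hunk.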
@@ -712,7 +712,7 @@ class RbacPermissionManageFacadeServiceImpl( ).second ) }.map { it.iamGroupId } - logger.debug("list user groups joined after operated groups:{}", userGroupsJoinedAfterOperatedGroups) + logger.debug("list pipeline and project groups joined after operated groups:{}", userGroupsJoinedAfterOperatedGroups) // 3.查询未退出的流水线/项目级别的用户组中是否包含项目级别的流水线执行权限。 // 查询用户在未退出的用户组中否还有整个项目的流水线执行权限。若有的话,则对流水线的代持人权限未造成影响。 val hasAllPipelineExecutePermAfterOperateGroups = groupPermissionService.isGroupsHasProjectLevelPermission( @@ -817,9 +817,10 @@ class RbacPermissionManageFacadeServiceImpl( onlyExcludeUserDirectlyJoined = true, operateChannel = OperateChannel.PERSONAL ) - + logger.debug("list all user groups joined after operated groups:{}|{}", count, records) // 如果退出/交接了项目下所有组,直接返回用户无效代码库oauth列表 if (count == 0L) { + logger.debug("The user has removed/handover all user groups") return authAuthorizationDao.list( dslContext = dslContext, condition = ResourceAuthorizationConditionRequest( @@ -838,11 +839,15 @@ class RbacPermissionManageFacadeServiceImpl( relatedResourceCode = projectCode, action = ActionId.PROJECT_VISIT ) - + logger.debug("whether the user has project visit perm after operated groups {}", isHasProjectVisitPermOperatedGroups) // 如果有访问权限,返回空列表,否则直接返回用户无效代码库oauth列表 return if (isHasProjectVisitPermOperatedGroups) { emptyList() } else { + logger.debug( + "user does not have perm to visit the project after operated groups|{}|{}|{}", + projectCode, memberId, iamGroupIds + ) authAuthorizationDao.list( dslContext = dslContext, condition = ResourceAuthorizationConditionRequest( 
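Review bot: The added `logger.debug("list all user groups joined after operated groups:{}|{}", count, records)` in the -817 hunk writes the whole `records` collection to the log. What a record holds is not visible here, but a listing of a member's groups is likely to be large and to carry membership detail that log readers do not need, so logging `count` plus the group ids would be enough. In the -838 hunk the new messages record the outcome of an authorization check, yet only the second carries `projectCode` and `memberId`. The first, `"whether the user has project visit perm after operated groups {}"`, cannot be tied to a user or project when read on its own and should take the same identifiers. The enclosing function starts and ends outside both hunks.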
@@ -1357,7 +1362,7 @@ class RbacPermissionManageFacadeServiceImpl( targetMember: ResourceMemberInfo ): Boolean { logger.info("delete single group members from personal:$userId|$targetMember|$projectCode|$groupId") - if (targetMember.type == MemberType.USER.type){ + if (targetMember.type == MemberType.USER.type) { // 获取导致流水线代持人权限受到影响的用户组及流水线 val (invalidGroups, invalidPipelines, invalidRepertoryIds) = listInvalidAuthorizationsAfterOperatedGroups( diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt index 3d8b2405209..c429b0d207a 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt @@ -3,7 +3,7 @@ package com.tencent.devops.auth.service import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum import com.tencent.devops.auth.constant.AuthI18nConstants import com.tencent.devops.auth.constant.AuthMessageCode -import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_AUTHORIZATION +import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_REPERTORY_HANDOVER_AUTHORIZATION import com.tencent.devops.auth.dao.AuthAuthorizationDao import com.tencent.devops.auth.pojo.dto.HandoverDetailDTO import com.tencent.devops.auth.pojo.dto.HandoverOverviewCreateDTO 
@@ -297,7 +297,7 @@ class PermissionAuthorizationServiceImpl( condition = finalCondition ) if (!handoverResult[ResourceAuthorizationHandoverStatus.FAILED].isNullOrEmpty()) { - throw ErrorCodeException(errorCode = ERROR_HANDOVER_AUTHORIZATION) + throw ErrorCodeException(errorCode = ERROR_REPERTORY_HANDOVER_AUTHORIZATION) } val resourceAuthorizationList = getResourceAuthorizationList(condition = finalCondition) val authorizationCount = resourceAuthorizationList.size @@ -394,7 +394,7 @@ class PermissionAuthorizationServiceImpl( )[ResourceAuthorizationHandoverStatus.FAILED].isNullOrEmpty() if (!canHandoverRepertory) { throw ErrorCodeException( - errorCode = ERROR_HANDOVER_AUTHORIZATION + errorCode = ERROR_REPERTORY_HANDOVER_AUTHORIZATION ) } } diff --git a/support-files/i18n/auth/message_zh_CN.properties b/support-files/i18n/auth/message_zh_CN.properties index abebe7e22b6..57048a94aae 100644 --- a/support-files/i18n/auth/message_zh_CN.properties +++ b/support-files/i18n/auth/message_zh_CN.properties @@ -88,7 +88,7 @@ 2121093=由于您不是该交接申请单的发起人,无法进行撤销操作 2121094=由于您不是该交接申请单的审批人,无法进行任何操作 2121095=该交接申请单正在被处理中,请耐心等待 -2121096=交接操作不合法,用户没有对应授权的权限 +2121096=交接操作不合法,用户没有对应代码库授权的权限,请交接完代码库授权后再进行重试。 2121098=由于直接退出用户组,会导致授权失效,必须进行用户组移交 bkAdministratorNotExpired=权限还未过期,不需要操作 @@ -343,7 +343,6 @@ rule.resourceType.name=质量红线规则 bkMemberExpiredAtDisplayExpired=已过期 bkMemberExpiredAtDisplayNormal={0} 天 bkMemberExpiredAtDisplayPermanent=永久 - bkApplyToHandover=申请移交 bkHandoverGroups={0}个权限用户组 bkHandoverAuthorizations={0}个授权
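Review bot: At the `handoverResult[ResourceAuthorizationHandoverStatus.FAILED]` check in the -297 hunk, the renamed code `ERROR_REPERTORY_HANDOVER_AUTHORIZATION` now tells the user that a repository authorization is missing, but the check runs on `finalCondition`, and the hunk does not show whether that condition is limited to repository resources. If it can cover other resource types, the new 2121096 text will point the user at the wrong remedy, and a separate code for the general case would be safer. The second use, in the -394 hunk, sits under `canHandoverRepertory`, where the new name fits. The diffstat lists only `message_zh_CN.properties`, so other locale bundles presumably still carry the old wording for 2121096 and should be checked.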