refactor(permission): 重构人员权限查询
This commit is contained in:
zhansihu
parent
4b1d49f1a9
commit
6ea662e253
@ -60,6 +60,12 @@ public class SaasRoleVO {
|
||||
|
||||
private Date updateAt;
|
||||
|
||||
/**
|
||||
* 产品单位类型
|
||||
* 1:总包 2:建设单位 3:监理单位 4:劳务分包 5:专业分包 6:OMS通用 7:企业通用 8:企业内班组 9:项目内班组
|
||||
*/
|
||||
private Integer productUnitType;
|
||||
|
||||
/**
|
||||
* 获取角色对应所用的菜单,不管例外
|
||||
*
|
||||
|
||||
@ -54,7 +54,7 @@ public interface RoleService {
|
||||
* @param userRoleInfoMap
|
||||
* @return 按钮级别权限点ID
|
||||
*/
|
||||
Set<Long> filterPermissionPoint(Set<SaasRoleVO> role, TyrSaasAuthServiceImpl.UserRoleInfoMap userRoleInfoMap);
|
||||
Set<Long> filterPermissionPoint(Set<SaasRoleVO> role, TyrSaasAuthServiceImpl.OUWRoleInfo userRoleInfoMap);
|
||||
|
||||
/**
|
||||
* 通过角色名字获取角色信息
|
||||
|
||||
@ -5,7 +5,6 @@ import cn.axzo.basics.common.exception.ServiceException;
|
||||
import cn.axzo.framework.domain.page.PageResp;
|
||||
import cn.axzo.pokonyan.config.mybatisplus.BaseEntity;
|
||||
import cn.axzo.tyr.client.common.enums.RoleTypeEnum;
|
||||
import cn.axzo.tyr.client.model.BaseWorkspaceModel;
|
||||
import cn.axzo.tyr.client.model.enums.IdentityType;
|
||||
import cn.axzo.tyr.client.model.enums.PermissionGroupType;
|
||||
import cn.axzo.tyr.client.model.permission.PermissionPointTreeNode;
|
||||
@ -38,7 +37,6 @@ import org.springframework.stereotype.Service;
|
||||
import org.springframework.transaction.annotation.Transactional;
|
||||
|
||||
import java.util.*;
|
||||
import java.util.function.Consumer;
|
||||
import java.util.function.Function;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
@ -518,7 +516,7 @@ public class RoleServiceImpl implements RoleService {
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set<Long> filterPermissionPoint(Set<SaasRoleVO> role, TyrSaasAuthServiceImpl.UserRoleInfoMap userRoleInfoMap) {
|
||||
public Set<Long> filterPermissionPoint(Set<SaasRoleVO> role, TyrSaasAuthServiceImpl.OUWRoleInfo userRoleInfoMap) {
|
||||
// 按钮级别权限点ID
|
||||
Set<Long> result = new HashSet<>();
|
||||
if (CollectionUtils.isEmpty(role)) {
|
||||
|
||||
@ -2,7 +2,6 @@ package cn.axzo.tyr.server.service.impl;
|
||||
|
||||
import cn.axzo.basics.common.BeanMapper;
|
||||
import cn.axzo.framework.domain.ServiceException;
|
||||
import cn.axzo.pokonyan.config.mybatisplus.BaseEntity;
|
||||
import cn.axzo.pokonyan.util.TraceSupplier;
|
||||
import cn.axzo.thrones.client.saas.ServicePkgClient;
|
||||
import cn.axzo.thrones.client.saas.entity.serivicepgkproduct.ServicePkgProduct;
|
||||
@ -33,14 +32,13 @@ import cn.axzo.tyr.server.util.KeyUtil;
|
||||
import cn.azxo.framework.common.model.CommonResponse;
|
||||
import cn.azxo.framework.common.utils.LogUtil;
|
||||
import cn.hutool.core.collection.CollectionUtil;
|
||||
import cn.hutool.core.collection.ListUtil;
|
||||
import cn.hutool.core.date.StopWatch;
|
||||
import cn.hutool.core.util.ArrayUtil;
|
||||
import cn.hutool.core.util.BooleanUtil;
|
||||
import cn.hutool.core.util.StrUtil;
|
||||
import cn.hutool.json.JSONUtil;
|
||||
import com.google.common.collect.Lists;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Builder;
|
||||
import lombok.Data;
|
||||
import lombok.NoArgsConstructor;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@ -302,208 +300,259 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
|
||||
private IdentityAuthRes findIdentityAuth(IdentityAuthReq identityAuthReq) {
|
||||
StopWatch stopWatch = new StopWatch("find identity Auth");
|
||||
|
||||
//用户角色关系
|
||||
stopWatch.start("query role user relation");
|
||||
List<SaasRoleUserRelation> saasRoleUserRelations = listRoleUserRelations(identityAuthReq);
|
||||
stopWatch.stop();
|
||||
|
||||
|
||||
Set<Long> realWorkspaceId = saasRoleUserRelations.stream().map(SaasRoleUserRelation::getWorkspaceId).collect(Collectors.toSet());
|
||||
//工作台对应产品 key = workspaceId
|
||||
CompletableFuture<Map<Long, List<ProductFeatureRelationVO>>> workspacePermissionPointFuture = CompletableFuture
|
||||
.supplyAsync(TraceSupplier.create(() -> productFeatureRelationService.getByWorkspace(realWorkspaceId)), executor);
|
||||
//查询工作台下授予的角色和权限
|
||||
stopWatch.start("query role");
|
||||
List<OUWRoleInfo> owRoles = listRolesWithPermission(saasRoleUserRelations, identityAuthReq);
|
||||
stopWatch.stop();
|
||||
|
||||
Map<Long, List<ProductFeatureRelationVO>> workspaceProductPermissionMap = workspacePermissionPointFuture.join();
|
||||
|
||||
List<CompletableFuture<IdentityAuthRes.WorkspacePermission>> futureList = new ArrayList<>();
|
||||
for (OUWRoleInfo owRoleInfo : owRoles) {
|
||||
// 工作台的产品权限点
|
||||
List<ProductFeatureRelationVO> productFeatureRelationVOS = workspaceProductPermissionMap.get(owRoleInfo.getWorkspaceId());
|
||||
//构建每个工作台的实际权限点
|
||||
futureList.add(CompletableFuture.supplyAsync(TraceSupplier.create(() -> buildPermissions(owRoleInfo, productFeatureRelationVOS)), executor)
|
||||
.exceptionally(t -> {
|
||||
LogUtil.error("获取角色对应权限失败", t);
|
||||
throw new ServiceException(t);
|
||||
}));
|
||||
}
|
||||
|
||||
//汇总结果
|
||||
stopWatch.start("query and filter permissions ");
|
||||
IdentityAuthRes result = new IdentityAuthRes();
|
||||
result.setIdentity(identityAuthReq.getIdentityId());
|
||||
result.setIdentityType(identityAuthReq.getIdentityType());
|
||||
result.setPersonId(identityAuthReq.getPersonId());
|
||||
//1.查询人与角色关联表 匹配工作台ID 与单位ID
|
||||
List<IdentityAuthReq.WorkspaceOuPair> queryInfo = identityAuthReq.getWorkspaceOusPairs();
|
||||
// KEY : workspaceid-ouid
|
||||
Map<String,UserRoleInfoMap> queryKey = new HashMap<>();
|
||||
Set<Long> queryWorkspace = new HashSet<>();
|
||||
Set<Long> queryOuId = new HashSet<>();
|
||||
queryInfo.forEach(e -> {
|
||||
queryWorkspace.add(e.getWorkspaceId());
|
||||
queryOuId.add(e.getOuId());
|
||||
UserRoleInfoMap userRoleInfoMap = new UserRoleInfoMap();
|
||||
userRoleInfoMap.setWorkspaceId(e.getWorkspaceId());
|
||||
userRoleInfoMap.setOuId(e.getOuId());
|
||||
userRoleInfoMap.setWorkspaceType(e.getWorkspaceType());
|
||||
userRoleInfoMap.setWorkspaceJoinType(WorkspaceJoinType.matchValue(e.getWorkspaceJoinType()));
|
||||
queryKey.putIfAbsent(KeyUtil.buildKeyBySeparator(e.getWorkspaceId(), e.getOuId()), userRoleInfoMap);
|
||||
});
|
||||
for (CompletableFuture<IdentityAuthRes.WorkspacePermission> future : futureList) {
|
||||
result.getPermissions().add(future.join());
|
||||
}
|
||||
stopWatch.stop();
|
||||
log.info("find identity auth cost:{}",stopWatch.prettyPrint(TimeUnit.MILLISECONDS));
|
||||
return result;
|
||||
}
|
||||
|
||||
final List<SaasRoleUserRelation> saasRoleUserRelations = new ArrayList<>();
|
||||
private IdentityAuthRes.WorkspacePermission buildPermissions(OUWRoleInfo ouwRoleInfo, List<ProductFeatureRelationVO> productFeatures) {
|
||||
|
||||
IdentityAuthRes.WorkspacePermission resultPermission = IdentityAuthRes.WorkspacePermission.builder()
|
||||
.workspaceId(ouwRoleInfo.getWorkspaceId())
|
||||
.ouId(ouwRoleInfo.getOuId())
|
||||
.build();
|
||||
|
||||
Set<SaasRoleVO> roles = ouwRoleInfo.getRoles();
|
||||
if (CollectionUtil.isEmpty(roles)) {
|
||||
return resultPermission;
|
||||
}
|
||||
|
||||
//超管和管理员权限
|
||||
boolean hasAdminPermission = buildAdminPermission(ouwRoleInfo, productFeatures, resultPermission);
|
||||
if (hasAdminPermission) {
|
||||
//有管理员角色 不再需要处理其他角色
|
||||
return resultPermission;
|
||||
}
|
||||
|
||||
//标准角和自定义角色权限
|
||||
buildNormalPermission(ouwRoleInfo, productFeatures, resultPermission);
|
||||
return resultPermission;
|
||||
}
|
||||
|
||||
private void buildNormalPermission(OUWRoleInfo userRoleInfoMap, List<ProductFeatureRelationVO> productFeatures, IdentityAuthRes.WorkspacePermission resultPermission) {
|
||||
|
||||
Set<Long> allMatchedProductFeatureIds = new HashSet<>();
|
||||
Set<Long> allAuthPermissionIds = new HashSet<>();
|
||||
//聚合实际授权的权限:角色权限和产品权限交集
|
||||
for (SaasRoleVO role : userRoleInfoMap.getRoles()) {
|
||||
Set<Long> rolePermissionIds = role.getMatchFeature(userRoleInfoMap.getWorkspaceId(), userRoleInfoMap.ouId)
|
||||
.stream()
|
||||
.map(PermissionPointTreeNode::getPermissionPointId)
|
||||
.collect(Collectors.toSet());
|
||||
//角色标签类型匹配产品标签类型
|
||||
Set<Long> productPermissionIds = productFeatures.stream()
|
||||
.filter(productFeatureRelationVO -> Objects.equals(productFeatureRelationVO.getDictCode(), String.valueOf(role.getProductUnitType())))
|
||||
.map(ProductFeatureRelationVO::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
allMatchedProductFeatureIds.addAll(productPermissionIds);
|
||||
// 产品对应权限点 与 角色权限点 取交集
|
||||
Collection<Long> resultHashAuthPointId = CollectionUtil.intersection(productPermissionIds, rolePermissionIds);
|
||||
if (CollectionUtil.isNotEmpty(resultHashAuthPointId)) {
|
||||
allAuthPermissionIds.addAll(resultHashAuthPointId);
|
||||
}
|
||||
}
|
||||
// 免授权权限点统一处理
|
||||
List<PermissionPointTreeNode> noNeedPermissionPoint = permissionPointService.queryList(PermissionPointListQueryRequest.builder()
|
||||
.ids(new ArrayList<>(allMatchedProductFeatureIds))
|
||||
.delegatedType(DelegatedType.NO_NEED.getCode())
|
||||
.build());
|
||||
allAuthPermissionIds.addAll(noNeedPermissionPoint.stream().map(PermissionPointTreeNode::getPermissionPointId).collect(Collectors.toSet()));
|
||||
|
||||
//查询权限点及父级权限点
|
||||
List<SimplePermissionPointResp> allPermissionPoint = permissionPointService.listPermissionByIds(
|
||||
QueryPermissionByIdsReq.builder()
|
||||
.ids(new HashSet<>(allAuthPermissionIds))
|
||||
.includeParent(true)
|
||||
.build());
|
||||
//构建返回值
|
||||
resultPermission.getPermissionPoint().addAll(allPermissionPoint.stream()
|
||||
.map(permissionPointTreeNode -> IdentityAuthRes.PermissionPoint.builder()
|
||||
.featureCode(permissionPointTreeNode.getCode())
|
||||
.featureId(permissionPointTreeNode.getId())
|
||||
.terminal(permissionPointTreeNode.getTerminal())
|
||||
// .featureType(FeatureType.apply(permissionPointTreeNode.getFeatureType()))
|
||||
.build())
|
||||
.collect(Collectors.toList()));
|
||||
}
|
||||
|
||||
private boolean buildAdminPermission(OUWRoleInfo userRoleInfoMap, List<ProductFeatureRelationVO> productFeatures, IdentityAuthRes.WorkspacePermission resultPermission) {
|
||||
//超管和管理员角色
|
||||
List<SaasRoleVO> adminRoles = userRoleInfoMap.getRoles().stream()
|
||||
.filter(r -> RoleTypeEnum.SUPER_ADMIN.getValue().equals(r.getRoleType())
|
||||
|| RoleTypeEnum.ADMIN.getValue().equals(r.getRoleType()))
|
||||
.collect(Collectors.toList());
|
||||
if (CollectionUtil.isEmpty(adminRoles)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
//聚合超管和管理员的权限点: 直接取角色标签和产品标签相匹配的权限点
|
||||
Set<Long> permissionIds = new HashSet<>();
|
||||
for (SaasRoleVO adminRole : adminRoles) {
|
||||
//超管:查询工作台对应产品,获取权限点, ( 权限点通过单位类型过滤)
|
||||
if (RoleTypeEnum.SUPER_ADMIN.getValue().equals(adminRole.getRoleType())) {
|
||||
resultPermission.setSuperAdmin(true);
|
||||
}
|
||||
//角色标签类型匹配产品标签类型
|
||||
Set<Long> buttonPermissionPointId = productFeatures.stream()
|
||||
.filter(productFeatureRelationVO -> Objects.equals(productFeatureRelationVO.getDictCode(),
|
||||
String.valueOf(adminRole.getProductUnitType())))
|
||||
.map(ProductFeatureRelationVO::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
if (CollectionUtil.isEmpty(buttonPermissionPointId)) {
|
||||
continue;
|
||||
}
|
||||
permissionIds.addAll(buttonPermissionPointId);
|
||||
}
|
||||
|
||||
//查询权限点及父级权限点
|
||||
List<SimplePermissionPointResp> allPermissionPoint = permissionPointService.listPermissionByIds(
|
||||
QueryPermissionByIdsReq.builder()
|
||||
.ids(permissionIds)
|
||||
.includeParent(true)
|
||||
.build());
|
||||
//组装返回值
|
||||
resultPermission.getPermissionPoint().addAll(allPermissionPoint.stream()
|
||||
.map(permissionPointTreeNode -> IdentityAuthRes.PermissionPoint.builder()
|
||||
.featureCode(permissionPointTreeNode.getCode())
|
||||
.featureId(permissionPointTreeNode.getId())
|
||||
.terminal(permissionPointTreeNode.getTerminal())
|
||||
.build())
|
||||
.collect(Collectors.toList()));
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
private List<OUWRoleInfo> listRolesWithPermission(List<SaasRoleUserRelation> roleUserRelations, IdentityAuthReq identityAuthReq) {
|
||||
|
||||
//拼装参数
|
||||
Set<Long> realWorkspaceIds = new HashSet<>();
|
||||
Set<Long> realOuIds = new HashSet<>();
|
||||
Set<Long> roleIds = new HashSet<>();
|
||||
//按ow分组角色ID
|
||||
Map<String, Set<Long>> owRoleIdMap = new HashMap<>();
|
||||
for (SaasRoleUserRelation relation : roleUserRelations) {
|
||||
realWorkspaceIds.add(relation.getWorkspaceId());
|
||||
realOuIds.add(relation.getOuId());
|
||||
roleIds.add(relation.getRoleId());
|
||||
String key = KeyUtil.buildKeyBySeparator(relation.getWorkspaceId(), relation.getOuId());
|
||||
Set<Long> owRoleIds = owRoleIdMap.getOrDefault(key, new HashSet<>());
|
||||
owRoleIds.add(relation.getRoleId());
|
||||
owRoleIdMap.put(key, owRoleIds);
|
||||
}
|
||||
//获取角色信息
|
||||
List<SaasRoleVO> roles = roleService.query(QuerySaasRoleReq.builder()
|
||||
//角色ID
|
||||
.ids(new ArrayList<>(roleIds))
|
||||
.workspaceId(new ArrayList<>(realWorkspaceIds))
|
||||
.ouId(new ArrayList<>(realOuIds))
|
||||
.includePermissionGroup(true)
|
||||
.build());
|
||||
|
||||
//按ow组装拥有的角色
|
||||
List<OUWRoleInfo> owRoleMap = new ArrayList<>();
|
||||
for (IdentityAuthReq.WorkspaceOuPair ow : identityAuthReq.getWorkspaceOusPairs()) {
|
||||
OUWRoleInfo owRoleInfo = OUWRoleInfo.builder()
|
||||
.workspaceId(ow.getWorkspaceId())
|
||||
.ouId(ow.getOuId())
|
||||
.workspaceType(ow.getWorkspaceType())
|
||||
.workspaceJoinType(WorkspaceJoinType.matchValue(ow.getWorkspaceJoinType()))
|
||||
.build();
|
||||
String key = KeyUtil.buildKeyBySeparator(ow.getWorkspaceId(), ow.getOuId());
|
||||
Set<Long> owRoleIds = owRoleIdMap.get(key);
|
||||
if (CollectionUtil.isEmpty(owRoleIds)) {
|
||||
owRoleInfo.setRoles(Collections.emptySet());
|
||||
} else {
|
||||
owRoleInfo.setRoles(roles.stream()
|
||||
.filter(r -> owRoleIds.contains(r.getId()))
|
||||
.filter(r -> r.getProductUnitType().equals(ow.getWorkspaceJoinType())) //匹配标签
|
||||
.collect(Collectors.toSet()));
|
||||
}
|
||||
owRoleMap.add(owRoleInfo);
|
||||
}
|
||||
|
||||
return owRoleMap;
|
||||
}
|
||||
|
||||
private List<SaasRoleUserRelation> listRoleUserRelations(IdentityAuthReq identityAuthReq) {
|
||||
if (CollectionUtil.isNotEmpty(identityAuthReq.getSpecifyRoleIds())) {
|
||||
final List<SaasRoleUserRelation> relations = new ArrayList<>();
|
||||
//指定了角色 则不需要去查用户角色关系
|
||||
// mock 看做已有所有角色
|
||||
queryKey.values().forEach(k -> {
|
||||
List<SaasRoleUserRelation> relations = identityAuthReq.getSpecifyRoleIds().stream().map(id -> {
|
||||
// mock 看做已有指定的角色
|
||||
identityAuthReq.getWorkspaceOusPairs().forEach(ow -> {
|
||||
List<SaasRoleUserRelation> mockRelations = identityAuthReq.getSpecifyRoleIds().stream().map(id -> {
|
||||
SaasRoleUserRelation relation = new SaasRoleUserRelation();
|
||||
relation.setRoleId(id);
|
||||
relation.setOuId(k.getOuId());
|
||||
relation.setWorkspaceId(k.getWorkspaceId());
|
||||
relation.setOuId(ow.getOuId());
|
||||
relation.setWorkspaceId(ow.getWorkspaceId());
|
||||
relation.setIdentityId(identityAuthReq.getIdentityId());
|
||||
relation.setIdentityType(identityAuthReq.getIdentityType().getCode());
|
||||
// 使用角色ID替代,不需要在查询一次
|
||||
relation.setId(id);
|
||||
return relation;
|
||||
}).collect(Collectors.toList());
|
||||
saasRoleUserRelations.addAll(relations);
|
||||
relations.addAll(mockRelations);
|
||||
});
|
||||
} else {
|
||||
stopWatch.start("query role user relation");
|
||||
List<SaasRoleUserRelation> relations = roleUserService.queryByWorkspaceIdOrOu(identityAuthReq.getPersonId(), identityAuthReq.getIdentityId(), identityAuthReq.getIdentityType(), queryWorkspace, queryOuId);
|
||||
stopWatch.stop();
|
||||
if (CollectionUtil.isEmpty(relations)) {
|
||||
return result;
|
||||
}
|
||||
// 有工作台和单位的查询条件,通过单位与工作台在过滤一次
|
||||
if (CollectionUtil.isNotEmpty(queryInfo)) {
|
||||
saasRoleUserRelations.addAll(relations.stream()
|
||||
.filter(roleUserService -> queryKey.containsKey(
|
||||
KeyUtil.buildKeyBySeparator(roleUserService.getWorkspaceId(), roleUserService.getOuId())))
|
||||
.collect(Collectors.toList()));
|
||||
}
|
||||
return relations;
|
||||
}
|
||||
|
||||
|
||||
Set<Long> realWorkspaceId = saasRoleUserRelations.stream().map(SaasRoleUserRelation::getWorkspaceId).collect(Collectors.toSet());
|
||||
Set<Long> realOuId = saasRoleUserRelations.stream().map(SaasRoleUserRelation::getOuId).collect(Collectors.toSet());
|
||||
//工作台对应产品 key = workapceId
|
||||
CompletableFuture<Map<Long, List<ProductFeatureRelationVO>>> workspacePermissionPointFuture = CompletableFuture.supplyAsync(() -> {
|
||||
return productFeatureRelationService.getByWorkspace(realWorkspaceId);
|
||||
}, executor);
|
||||
|
||||
// Key = saas_role_user_relation的ID VALUE= saas_role的ID
|
||||
// 后续需要根据这个映射的结构返回,并且工作台ID和单位ID只有saas_role_user_relation上是正常的,不可以取saas_role表
|
||||
Map<Long, Long> userRoleMap = saasRoleUserRelations.stream().collect(Collectors.toMap(BaseEntity::getId, SaasRoleUserRelation::getRoleId));
|
||||
stopWatch.start("query role");
|
||||
//2.获取角色信息, 判断是否是超管,
|
||||
List<SaasRoleVO> existsRole = roleService.query(QuerySaasRoleReq.builder()
|
||||
//角色ID
|
||||
.ids(new ArrayList<>(userRoleMap.values()))
|
||||
.workspaceId(new ArrayList<>(realWorkspaceId))
|
||||
.ouId(new ArrayList<>(realOuId))
|
||||
.includePermissionGroup(true)
|
||||
.build());
|
||||
stopWatch.stop();
|
||||
// KEY 角色ID
|
||||
Map<Long, SaasRoleVO> roleMap = existsRole.stream().collect(Collectors.toMap(SaasRoleVO::getId, Function.identity()));
|
||||
|
||||
// 组装成MAP 为了workspace和ou合并 不可以使用queryKey,这边的map是结果的过滤
|
||||
HashMap<String, UserRoleInfoMap> map = new HashMap<>();
|
||||
for (SaasRoleUserRelation saasRoleUserRelation : saasRoleUserRelations) {
|
||||
String key = KeyUtil.buildKeyBySeparator(saasRoleUserRelation.getWorkspaceId(), saasRoleUserRelation.getOuId());
|
||||
UserRoleInfoMap userRoleInfoMap = queryKey.get(key);
|
||||
if (null == userRoleInfoMap) {
|
||||
throw new ServiceException("查询权限信息失败未获取到人员角色映射");
|
||||
}
|
||||
SaasRoleVO saasRoleVO = roleMap.get(saasRoleUserRelation.getRoleId());
|
||||
if (null == saasRoleVO) {
|
||||
LogUtil.error("获取权限时发生了用户的角色与实际存在的角色不对应(saas_role_user与cn.axzo.tyr.server.service.RoleService.query接口):{}", JSONUtil.toJsonStr(identityAuthReq));
|
||||
map.put(key, userRoleInfoMap);
|
||||
continue;
|
||||
}
|
||||
userRoleInfoMap.getRoles().addAll(ListUtil.toList(saasRoleVO));
|
||||
map.put(key, userRoleInfoMap);
|
||||
}
|
||||
stopWatch.start(" query product feature relation by workspace");
|
||||
Map<Long, List<ProductFeatureRelationVO>> workspacePermissionPoint = workspacePermissionPointFuture.join();
|
||||
stopWatch.stop();
|
||||
List<CompletableFuture> futureList = new ArrayList<>();
|
||||
map.values().forEach(userRoleInfoMap -> {
|
||||
futureList.add(CompletableFuture.runAsync(() -> {
|
||||
|
||||
//参数
|
||||
Long workspaceId = userRoleInfoMap.getWorkspaceId();
|
||||
Long ouId = userRoleInfoMap.getOuId();
|
||||
WorkspaceJoinType workspaceJoinType = userRoleInfoMap.getWorkspaceJoinType();
|
||||
Set<SaasRoleVO> role = userRoleInfoMap.getRoles();
|
||||
IdentityAuthRes.WorkspacePermission workspacePermission = new IdentityAuthRes.WorkspacePermission();
|
||||
workspacePermission.setWorkspaceId(workspaceId);
|
||||
workspacePermission.setOuId(ouId);
|
||||
if (CollectionUtil.isEmpty(role)) {
|
||||
result.getPermissions().add(workspacePermission);
|
||||
return;
|
||||
}
|
||||
// 工作台的菜单(产品维度)
|
||||
List<ProductFeatureRelationVO> productFeatureRelationVOS = workspacePermissionPoint.get(workspaceId);
|
||||
//同单位资质的产品过滤
|
||||
Set<Long> buttonPermissionPointId = productFeatureRelationVOS.stream().filter(productFeatureRelationVO ->
|
||||
Objects.equals(productFeatureRelationVO.getDictCode(), workspaceJoinType.getValue().toString())
|
||||
).map(ProductFeatureRelationVO::getFeatureId).collect(Collectors.toSet());
|
||||
|
||||
|
||||
List<IdentityAuthRes.WorkspacePermission> permissions = result.getPermissions();
|
||||
Optional<SaasRoleVO> superAdminRole = role.stream().filter(r -> RoleTypeEnum.SUPER_ADMIN.getValue().equals(r.getRoleType())).findFirst();
|
||||
if (superAdminRole.isPresent()) {
|
||||
//超管:查询工作台对应产品,获取权限点, ( 权限点通过单位类型过滤)
|
||||
workspacePermission.setSuperAdmin(Boolean.TRUE);
|
||||
|
||||
if (CollectionUtil.isEmpty(buttonPermissionPointId)) {
|
||||
permissions.add(workspacePermission);
|
||||
return;
|
||||
}
|
||||
|
||||
//查询权限点及父级权限点
|
||||
List<SimplePermissionPointResp> allPermissionPoint = permissionPointService.listPermissionByIds(
|
||||
QueryPermissionByIdsReq.builder()
|
||||
.ids(buttonPermissionPointId)
|
||||
.includeParent(true)
|
||||
.build());
|
||||
|
||||
workspacePermission.getPermissionPoint().addAll(allPermissionPoint.stream()
|
||||
.map(permissionPointTreeNode -> IdentityAuthRes.PermissionPoint.builder()
|
||||
.featureCode(permissionPointTreeNode.getCode())
|
||||
.featureId(permissionPointTreeNode.getId())
|
||||
.terminal(permissionPointTreeNode.getTerminal())
|
||||
// .featureType(FeatureType.apply(permissionPointTreeNode.getFeatureType()))
|
||||
.build())
|
||||
.collect(Collectors.toList()));
|
||||
permissions.add(workspacePermission);
|
||||
return;
|
||||
}
|
||||
// 非超管
|
||||
// 获取产品所对应的权限点
|
||||
// List<Long> productFeatureIds = productFeatureRelationVOS.stream().map(ProductFeatureRelationVO::getFeatureId).distinct().collect(Collectors.toList());
|
||||
// 获取免授权型
|
||||
List<PermissionPointTreeNode> noNeedPermissionPoint = permissionPointService.queryList(PermissionPointListQueryRequest.builder()
|
||||
.ids(new ArrayList<>(buttonPermissionPointId))
|
||||
.delegatedType(DelegatedType.NO_NEED.getCode())
|
||||
.build());
|
||||
|
||||
Set<Long> buttonPermissionPointIds = roleService.filterPermissionPoint(role, userRoleInfoMap);
|
||||
|
||||
//获取免授权型
|
||||
// Set<Long> noNeedPermissionPoint = productPermissionInfo.stream().filter(permission -> Objects.equals(permission.getDelegatedType(), DelegatedType.NO_NEED.getCode())).mapToLong(PermissionPointTreeNode::getPermissionPointId).boxed().collect(Collectors.toSet());
|
||||
buttonPermissionPointIds.addAll(noNeedPermissionPoint.stream().map(PermissionPointTreeNode::getPermissionPointId).collect(Collectors.toSet()));
|
||||
// 产品对应权限点(权限点的授权类型为免授权型)+角色对应权限点 与 产品对应权限点 取交集
|
||||
Collection<Long> resultHashAuthPointId = CollectionUtil.intersection(buttonPermissionPointIds, buttonPermissionPointId);
|
||||
if (CollectionUtil.isEmpty(resultHashAuthPointId)) {
|
||||
permissions.add(workspacePermission);
|
||||
return;
|
||||
}
|
||||
//查询权限点及父级权限点
|
||||
List<SimplePermissionPointResp> allPermissionPoint = permissionPointService.listPermissionByIds(
|
||||
QueryPermissionByIdsReq.builder()
|
||||
.ids(new HashSet<>(resultHashAuthPointId))
|
||||
.includeParent(true)
|
||||
.build());
|
||||
|
||||
workspacePermission.getPermissionPoint().addAll(allPermissionPoint.stream()
|
||||
.map(permissionPointTreeNode -> IdentityAuthRes.PermissionPoint.builder()
|
||||
.featureCode(permissionPointTreeNode.getCode())
|
||||
.featureId(permissionPointTreeNode.getId())
|
||||
.terminal(permissionPointTreeNode.getTerminal())
|
||||
// .featureType(FeatureType.apply(permissionPointTreeNode.getFeatureType()))
|
||||
.build())
|
||||
.collect(Collectors.toList()));
|
||||
|
||||
permissions.add(workspacePermission);
|
||||
}
|
||||
, executor
|
||||
).exceptionally(t -> {
|
||||
LogUtil.error("获取角色对应权限失败", t);
|
||||
throw new ServiceException(t);
|
||||
}));
|
||||
|
||||
//查询人员角色关系
|
||||
Set<Long> workspaceIds = new HashSet<>();
|
||||
Set<Long> ouIds = new HashSet<>();
|
||||
Set<String> owKeys = new HashSet<>();
|
||||
identityAuthReq.getWorkspaceOusPairs().forEach(ow -> {
|
||||
workspaceIds.add(ow.getWorkspaceId());
|
||||
ouIds.add(ow.getOuId());
|
||||
owKeys.add(KeyUtil.buildKeyBySeparator(ow.getWorkspaceId(), ow.getOuId()));
|
||||
});
|
||||
stopWatch.start("query and filter permissions ");
|
||||
CompletableFuture.allOf(ArrayUtil.toArray(futureList, CompletableFuture.class)).join();
|
||||
stopWatch.stop();
|
||||
log.info("find identity auth cost:{}",stopWatch.prettyPrint(TimeUnit.MILLISECONDS));
|
||||
return result;
|
||||
List<SaasRoleUserRelation> relations = roleUserService.queryByWorkspaceIdOrOu(identityAuthReq.getPersonId(),
|
||||
identityAuthReq.getIdentityId(), identityAuthReq.getIdentityType(), workspaceIds, ouIds);
|
||||
if (CollectionUtil.isEmpty(relations)) {
|
||||
return relations;
|
||||
}
|
||||
//工作台和单位需成对查询, 对结果二次过滤
|
||||
return relations.stream()
|
||||
.filter(roleUserService -> owKeys.contains(
|
||||
KeyUtil.buildKeyBySeparator(roleUserService.getWorkspaceId(), roleUserService.getOuId())))
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -798,7 +847,10 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
}
|
||||
|
||||
@Data
|
||||
public static class UserRoleInfoMap {
|
||||
@Builder
|
||||
@NoArgsConstructor
|
||||
@AllArgsConstructor
|
||||
public static class OUWRoleInfo {
|
||||
|
||||
Long workspaceId;
|
||||
Integer workspaceType;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user