Merge branch 'hotfix/FIX-629' into 'master'
Hotfix/fix 629 See merge request universal/infrastructure/backend/tyr!8
commit
916b9c5ee3
@ -81,7 +81,7 @@ public interface TyrSaasAuthApi {
|
||||
* @return
|
||||
*/
|
||||
@PostMapping("/api/v2/auth/listIdentityFromPermission")
|
||||
ApiResult<ListIdentityFromPermissionResp> listIdentityFromPermission(@RequestBody ListIdentityFromPermissionReq req);
|
||||
ApiResult<ListIdentityFromPermissionResp> listIdentityFromPermission(@RequestBody @Valid ListIdentityFromPermissionReq req);
|
||||
|
||||
@PostMapping("/api/v2/auth/batchListIdentityFromPermission")
|
||||
ApiResult<List<ListIdentityFromPermissionResp>> batchListIdentityFromPermission(@RequestBody List<ListIdentityFromPermissionReq> req);
|
||||
|
||||
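Review bot: `@Valid` is added only to the single-request endpoint on the line `listIdentityFromPermission(@RequestBody @Valid ListIdentityFromPermissionReq req)`; the batch variant below it, `batchListIdentityFromPermission(@RequestBody List<ListIdentityFromPermissionReq> req)`, still accepts unvalidated elements, so whatever constraints the hotfix relies on can be skipped by sending the batch form. A bare `@Valid` on a `List` parameter commonly validates only the list object and does not cascade into its elements; the element-level form `@RequestBody List<@Valid ListIdentityFromPermissionReq> req` is what applies the constraints per request. Whether this interface is bound by Spring MVC or only used as a client contract is not visible here, so confirm where validation actually runs before relying on the annotation.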
@ -48,4 +48,7 @@ public class PermissionPointTreeQueryReq {
|
||||
|
||||
/** featureType 层级过滤-过滤掉featureType大于该值的数据 **/
|
||||
private Integer maxFeatureType;
|
||||
|
||||
/** 节点匹配后是否继续匹配子节点 **/
|
||||
private boolean fiterChildren = false;
|
||||
}
|
||||
|
||||
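Review bot: The new field is misspelled `fiterChildren`, and because this request is bound from the request body that spelling becomes the wire property name (the accessor `isFiterChildren()` is already called in PermissionPointServiceImpl in this same change), so a later rename is a breaking change for clients; rename it to `filterChildren` now, before anything depends on it. The `/** 节点匹配后是否继续匹配子节点 **/` comment should also say that the default `false` keeps the pre-hotfix behaviour, where a matched node returns immediately with all of its children. `maxFeatureType` is declared but not referenced in any hunk on this page, so its filter presumably lives elsewhere — confirm it is wired up.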
@ -126,8 +126,7 @@ public class SaasRoleVO {
|
||||
}
|
||||
|
||||
}
|
||||
log.info("+======permissionPoint: {}", permissionPoint);
|
||||
return new ArrayList<>((Collection) permissionPoint);
|
||||
return new ArrayList<>(permissionPoint);
|
||||
}
|
||||
|
||||
private boolean match(boolean isMatch, Set<PermissionPointTreeNode> source, Collection<PermissionPointTreeNode> target, Long scopeId, Long workspaceId) {
|
||||
@ -138,6 +137,7 @@ public class SaasRoleVO {
|
||||
source.addAll(target);
|
||||
return true;
|
||||
}
|
||||
log.warn("------trace-L-I-F-P----> not match permission scope:{}", scopeId);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
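Review bot: The `------trace-L-I-F-P---->` lines introduced here (`log.warn("------trace-L-I-F-P----> not match permission scope:{}", scopeId)`) and throughout TyrSaasAuthServiceImpl are diagnostic tracing emitted at info/warn on every authorization lookup; a non-matching scope or role is a normal outcome, so these will dominate production logs and hide genuine warnings. Lower them to `log.debug(...)`, or remove them once FIX-629 is confirmed fixed; the same applies to the `free feature found` and `not matched role` lines in TyrSaasAuthServiceImpl. The method enclosing the first hunk of this file (`return new ArrayList<>(permissionPoint)`) starts outside the hunk.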
@ -22,4 +22,6 @@ public class ProductFeatureQuery {
|
||||
private String terminal;
|
||||
|
||||
private Integer workspaceJoinType;
|
||||
|
||||
private Set<Long> featureIds;
|
||||
}
|
||||
|
||||
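Review bot: The new `featureIds` field carries no comment saying what a null or empty set means to `queryOnCondition`, and its only caller on this page, `matchWorkspaceFeature` in TyrSaasAuthServiceImpl, forwards whatever the feature-code lookup produced, which can be empty. If empty follows the same "no filter" convention that `CollectionUtil.isEmpty(request.getIds()) || ...` uses in PermissionPointServiceImpl, that caller silently widens to every feature in the workspace; if it matches nothing, the caller is fine. State the contract on the field, e.g. `/** Restrict the query to these feature ids; document whether null/empty means "no restriction" or "match nothing" */` with the applicable wording. The query implementation is not on this page, so confirm which behaviour it has.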
@ -243,23 +243,24 @@ public class PermissionPointServiceImpl implements PermissionPointService {
|
||||
//条件匹配 - ID
|
||||
boolean matchId = CollectionUtil.isEmpty(request.getIds()) || request.getIds().contains(node.getPermissionPointId());
|
||||
|
||||
if (matchKeyword && matchDelegateType && matchId) {
|
||||
//如果匹配直接返回,否则过滤子节点
|
||||
boolean matched = matchKeyword && matchDelegateType && matchId;
|
||||
if (matched && !request.isFiterChildren()) {
|
||||
//如果匹配且不需要过滤子节点,直接返回,否则过滤子节点
|
||||
return true;
|
||||
}
|
||||
|
||||
if (CollectionUtil.isEmpty(node.getChildren())) {
|
||||
return false;
|
||||
return matched;
|
||||
}
|
||||
//过滤子节点 - 递归 - 必要时改为循环
|
||||
List<PermissionPointTreeNode> filterChildren = node.getChildren().stream()
|
||||
.filter(x -> recursionFilter(request, x))
|
||||
.collect(Collectors.toList());
|
||||
|
||||
if (CollectionUtil.isEmpty(filterChildren)) {
|
||||
return false;
|
||||
}
|
||||
//重置子节点
|
||||
node.setChildren(filterChildren);
|
||||
if (CollectionUtil.isEmpty(filterChildren)) {
|
||||
return matched;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
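Review bot: `node.setChildren(filterChildren)` now runs before the emptiness check, so a tree node is overwritten in place even when neither it nor any child matched and the parent is about to discard it; since `recursionFilter` mutates the nodes it is handed, this is only safe if the tree is built fresh per request rather than served from a cache — confirm, and record it on the method (its signature is outside the hunk), e.g. `// Mutates node in place: children are replaced by the matching subset; pass a request-private tree`. The `matched && !request.isFiterChildren()` early return plus the two `return matched` exits are correct but read as three separate cases; one comment stating the rule, `// keep a node if it matched itself or any child matched; fiterChildren forces children to be filtered even when the node matched`, would make the intent clear at a glance.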
@ -535,85 +535,83 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
|
||||
//code查询权限点信息
|
||||
List<SaasFeature> features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal());
|
||||
Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
|
||||
log.info("------trace-L-I-F-P----> features need to check:{}", featureIds);
|
||||
//权限匹配 - 工作台是否有指定权限
|
||||
List<SaasFeature> matchedFeature = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), features);
|
||||
if (CollectionUtil.isEmpty(matchedFeature)) {
|
||||
log.warn("no matched feature in workspace");
|
||||
Set<Long> matchedFeatureIds = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), featureIds);
|
||||
if (CollectionUtil.isEmpty(matchedFeatureIds)) {
|
||||
log.warn("------trace-L-I-F-P----> no matched feature in workspace");
|
||||
return result;
|
||||
}
|
||||
log.info("------trace-L-I-F-P----> matched feature in workspace:{}", matchedFeatureIds);
|
||||
|
||||
//是否免授权权限点
|
||||
Optional<SaasFeature> freeFeature = matchedFeature.stream()
|
||||
Optional<SaasFeature> freeFeature = features.stream()
|
||||
.filter(f -> matchedFeatureIds.contains(f.getId()))
|
||||
.filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
|
||||
.findAny();
|
||||
if (freeFeature.isPresent()) {
|
||||
log.warn("free feature found");
|
||||
log.warn("------trace-L-I-F-P----> free feature found :{}", freeFeature.get().getId());
|
||||
result.setFreePermission(true);
|
||||
return result;
|
||||
}
|
||||
|
||||
//从相关角色查询用户-超管和普通角色
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = getUsersFromRole(req, matchedFeature);
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = getUsersFromRole(req, matchedFeatureIds);
|
||||
result.setUsers(users);
|
||||
return result;
|
||||
}
|
||||
|
||||
private List<SaasFeature> matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, List<SaasFeature> features) {
|
||||
private Set<Long> matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, Set<Long> featureIds) {
|
||||
//查询工作台下产品
|
||||
List<ServicePkgProduct> productList = checkAndGetData(servicePkgClient.listProductInWorkSpace(workspaceId));
|
||||
if (CollectionUtil.isEmpty(productList)) {
|
||||
log.warn("no product found for workspace:{}", workspaceId);
|
||||
return new ArrayList<>();
|
||||
log.warn("------trace-L-I-F-P----> no product found for workspace");
|
||||
return Collections.emptySet();
|
||||
}
|
||||
//产品包含的权限-过滤参建类型
|
||||
Set<Long> workspaceFeatures = productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
|
||||
//产品包含的权限-过滤参建类型 和 feature
|
||||
return productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
|
||||
.productIds(productList.stream()
|
||||
.map(ServicePkgProduct::getProductId)
|
||||
.collect(Collectors.toSet()))
|
||||
.workspaceJoinType(workspaceJoinType)
|
||||
.featureIds(featureIds)
|
||||
.build())
|
||||
.stream()
|
||||
.map(SaasProductModuleFeatureRelation::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
//权限匹配
|
||||
return features.stream()
|
||||
.filter(x -> workspaceFeatures.contains(x.getId()))
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
private List<ListIdentityFromPermissionResp.UserVO> getUsersFromRole(ListIdentityFromPermissionReq req, List<SaasFeature> features) {
|
||||
private List<ListIdentityFromPermissionResp.UserVO> getUsersFromRole(ListIdentityFromPermissionReq req, Set<Long> featureIds) {
|
||||
Long ouId = req.getOuId();
|
||||
Long workspaceId = req.getWorkspaceId();
|
||||
|
||||
//查询OU-工作台下的角色
|
||||
//查询OU-工作台下的角色-含superAdmin
|
||||
List<SaasRole> roleList = roleService.listForOUWorkspace(ouId, workspaceId, req.getWorkspaceJoinType());
|
||||
log.info("====查询OU-工作台下的角色:{}===",roleList);
|
||||
List<Long> roleIds = roleList.stream().map(SaasRole::getId).collect(Collectors.toList());
|
||||
log.info("------trace-L-I-F-P----> roles from ou-workspace:{}", roleIds);
|
||||
if (CollectionUtil.isEmpty(roleList)) {
|
||||
log.info("------trace-L-I-F-P----> no role found for ou-workspace and type");
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
//查询角色及权限
|
||||
List<SaasRoleVO> rolePermissions = roleService.getByIds(roleList.stream().map(SaasRole::getId).collect(Collectors.toList()),
|
||||
List<SaasRoleVO> rolePermissions = roleService.getByIds(roleIds,
|
||||
null, Lists.newArrayList(workspaceId), Lists.newArrayList(ouId), true);
|
||||
log.info("====查询角色及权限:{}===",rolePermissions);
|
||||
//计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色
|
||||
Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
|
||||
|
||||
List<SaasRoleVO> matchedRoleList = new ArrayList<>();
|
||||
for (SaasRoleVO rolePermission : rolePermissions) {
|
||||
List<PermissionPointTreeNode> filterFeature = rolePermission.getMatchFeature(workspaceId, ouId);
|
||||
if (filterFeature.stream().anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) {
|
||||
log.info("=====match role:{}", rolePermission.getId());
|
||||
log.info("------trace-L-I-F-P----> matched role:{}", rolePermission.getId());
|
||||
matchedRoleList.add(rolePermission);
|
||||
} else {
|
||||
log.info("=====not_match-role-id:{}", rolePermission.getId());
|
||||
log.warn("=========not match role: {}",JSON.toJSONString(rolePermission));
|
||||
log.info("------trace-L-I-F-P----> not matched role:{}", rolePermission.getId());
|
||||
}
|
||||
}
|
||||
|
||||
log.info("-======matchedRoleList: {}", matchedRoleList);
|
||||
log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds);
|
||||
//查询角色下用户
|
||||
List<Long> matchedRoleIds = matchedRoleList.stream().map(SaasRoleVO::getId).collect(Collectors.toList());
|
||||
log.info("====查询角色下用户:{}===",matchedRoleIds);
|
||||
//追加工作台超管
|
||||
Set<Long> superAdmins = roleList
|
||||
.stream()
|
||||
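Review bot: `featureIds`, built on the line `Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet())`, is passed into `matchWorkspaceFeature` without checking that the code lookup found anything; if `queryOnCondition` treats an empty `featureIds` as "no restriction" (the convention `CollectionUtil.isEmpty(request.getIds()) || ...` uses elsewhere in this change), an unknown feature code makes the identity lookup match every feature in the workspace and return users for permissions nobody asked about. Guard before the call: `if (CollectionUtil.isEmpty(featureIds)) { log.warn("------trace-L-I-F-P----> no feature found for code:{}", req.getFeatureCode()); return result; }`. `result` is presumably initialised above this hunk, so the early return relies on its default state being "no users, not free". The file section continues past this page.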
@ -621,9 +619,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
.map(SaasRole::getId)
|
||||
.collect(Collectors.toSet());
|
||||
matchedRoleIds.addAll(superAdmins);
|
||||
log.info("====追加工作台超管:{}===",superAdmins);
|
||||
log.info("------trace-L-I-F-P----> append super admins:{}, final roles:{}", superAdmins, matchedRoleIds);
|
||||
if (CollectionUtil.isEmpty(matchedRoleIds)) {
|
||||
log.info("------trace-L-I-F-P----> no matched role found for feature");
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
List<SaasRoleUserRelation> relationList = roleUserService.listByRoleIds(matchedRoleIds, workspaceId);
|
||||
log.info("====追加工作台超管:{}===",relationList);
|
||||
//构建用户-去重(identityId-identityType)
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = new ArrayList<>();
|
||||
Set<String> filterSet = new HashSet<>();
|
||||
|
||||