diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java b/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java
index f4142e85..46941e35 100644
--- a/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java
+++ b/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java
@@ -81,7 +81,7 @@ public interface TyrSaasAuthApi {
 * @return
 */
 @PostMapping("/api/v2/auth/listIdentityFromPermission")
- ApiResult listIdentityFromPermission(@RequestBody ListIdentityFromPermissionReq req);
+ ApiResult listIdentityFromPermission(@RequestBody @Valid ListIdentityFromPermissionReq req);
 
 @PostMapping("/api/v2/auth/batchListIdentityFromPermission")
 ApiResult> batchListIdentityFromPermission(@RequestBody List req);
diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java
index 231b78a4..6506f93b 100644
--- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java
+++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java
@@ -48,4 +48,7 @@ public class PermissionPointTreeQueryReq {
 /** featureType 层级过滤-过滤掉featureType大于该值的数据 **/
 private Integer maxFeatureType;
+
+ /** 节点匹配后是否继续匹配子节点 **/
+ private boolean fiterChildren = false;
 }
diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java
index 87ec7290..44b9705d 100644
--- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java
+++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java
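Review bot: `@Valid` is added to `listIdentityFromPermission` but not to the sibling `batchListIdentityFromPermission(@RequestBody List req)` two lines below, so whatever constraints `ListIdentityFromPermissionReq` declares are enforced on the single-item path and skipped on the batch path that presumably carries the same request objects. Annotating the batch parameter as `@RequestBody @Valid List req` is the minimum, but note that Spring MVC's argument resolver commonly does not cascade `@Valid` into the elements of a bare `List` body, so a wrapper request type or method validation (`@Validated` on the implementing controller) may be needed. Whether the annotation is honoured at all depends on the server-side controller implementing this interface with validation enabled, which is not visible in this change.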
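Review bot: The new field is misspelled — `fiterChildren` for "filterChildren" — and because this class is a `tyr-api` client model the misspelling becomes the JSON property name and the accessor name (`request.isFiterChildren()` is what `PermissionPointServiceImpl` already calls), so correcting it after release is a wire-level breaking change. Rename it now to `private boolean filterChildren;` and adjust the accessor call; the `= false` initializer is redundant for a primitive `boolean`. The Javadoc should also state the observable effect rather than restate the name, e.g. `/** When true, a node that matches the filter still has its children filtered by the same criteria instead of being returned whole. */`.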
@@ -126,8 +126,7 @@ public class SaasRoleVO {
 }
 }
- log.info("+======permissionPoint: {}", permissionPoint);
- return new ArrayList<>((Collection) permissionPoint);
+ return new ArrayList<>(permissionPoint);
 }
 private boolean match(boolean isMatch, Set source, Collection target, Long scopeId, Long workspaceId) {
@@ -138,6 +137,7 @@ public class SaasRoleVO {
 source.addAll(target);
 return true;
 }
+ log.warn("------trace-L-I-F-P----> not match permission scope:{}", scopeId);
 return false;
 }
 }
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java b/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java
index 327656f9..b72f1969 100644
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java
@@ -22,4 +22,6 @@ public class ProductFeatureQuery {
 private String terminal;
 private Integer workspaceJoinType;
+
+ private Set featureIds;
 }
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java
index c891cabb..d461cbf8 100644
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java
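Review bot: The `log.warn` added to `match` fires on an ordinary non-match, and since `match` appears to be called once per permission scope while a role's matched features are assembled (the caller starts above the hunk), every authorization lookup will emit a WARN line for each scope that simply does not apply. A miss here is expected control flow, not an anomaly, so it belongs at DEBUG with the context needed to trace it: `log.debug("not match permission scope:{}, workspaceId:{}", scopeId, workspaceId);`. The `------trace-L-I-F-P---->` prefix reads as temporary troubleshooting instrumentation; the same prefix is used at INFO on every call in `TyrSaasAuthServiceImpl`, where it prints whole id sets, so either drop it to DEBUG everywhere or remove it before merge. `match` begins in the previous hunk.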
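Review bot: `featureIds` is added to the query object without saying what a `null` versus an empty set means to `queryOnCondition`, and its only caller (`matchWorkspaceFeature` in `TyrSaasAuthServiceImpl`) passes a set that is empty whenever no feature was found for the requested code. If the mapper treats an empty collection as "no filter" the query returns every product feature in the workspace, widening the match instead of narrowing it; if it expands to an empty `IN ()` it fails at the database. Document the contract on the field, e.g. `/** Feature-id filter; null means no filtering, an empty set must match nothing. */`, and make the query implementation honour that distinction.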
@@ -243,23 +243,24 @@ public class PermissionPointServiceImpl implements PermissionPointService {
 //条件匹配 - ID
 boolean matchId = CollectionUtil.isEmpty(request.getIds()) || request.getIds().contains(node.getPermissionPointId());
- if (matchKeyword && matchDelegateType && matchId) {
- //如果匹配直接返回,否则过滤子节点
+ boolean matched = matchKeyword && matchDelegateType && matchId;
+ if (matched && !request.isFiterChildren()) {
+ //如果匹配且不需要过滤子节点,直接返回,否则过滤子节点
 return true;
 }
 if (CollectionUtil.isEmpty(node.getChildren())) {
- return false;
+ return matched;
 }
 //过滤子节点 - 递归 - 必要时改为循环
 List filterChildren = node.getChildren().stream()
 .filter(x -> recursionFilter(request, x))
 .collect(Collectors.toList());
-
- if (CollectionUtil.isEmpty(filterChildren)) {
- return false;
- }
+ //重置子节点
 node.setChildren(filterChildren);
+ if (CollectionUtil.isEmpty(filterChildren)) {
+ return matched;
+ }
 return true;
 }
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java
index 7c8238bc..d963818f 100644
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java
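Review bot: The tail of `recursionFilter` now reads as three separate returns where one expression states the rule: after `node.setChildren(filterChildren);` the remaining lines reduce to `return matched || !CollectionUtil.isEmpty(filterChildren);`, which makes the new semantics — a node survives if it matched itself or any descendant did — visible at a glance. Note that `setChildren` is now applied before the emptiness check, so a matched node whose children are all filtered out is returned with an empty child list rather than its original children; that looks intended, but a one-line comment saying so would stop the next reader from "fixing" it, e.g. `// a matched node keeps only the children that also match when filterChildren is requested`. The accessor `request.isFiterChildren()` inherits the misspelled field name from `PermissionPointTreeQueryReq`; if that field is renamed, this call must follow. `recursionFilter` begins above the hunk.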
@@ -535,85 +535,83 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
 //code查询权限点信息
 List features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal());
+ Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
+ log.info("------trace-L-I-F-P----> features need to check:{}", featureIds);
 //权限匹配 - 工作台是否有指定权限
- List matchedFeature = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), features);
- if (CollectionUtil.isEmpty(matchedFeature)) {
- log.warn("no matched feature in workspace");
+ Set matchedFeatureIds = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), featureIds);
+ if (CollectionUtil.isEmpty(matchedFeatureIds)) {
+ log.warn("------trace-L-I-F-P----> no matched feature in workspace");
 return result;
 }
+ log.info("------trace-L-I-F-P----> matched feature in workspace:{}", matchedFeatureIds);
 //是否免授权权限点
- Optional freeFeature = matchedFeature.stream()
+ Optional freeFeature = features.stream()
+ .filter(f -> matchedFeatureIds.contains(f.getId()))
 .filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
 .findAny();
 if (freeFeature.isPresent()) {
- log.warn("free feature found");
+ log.warn("------trace-L-I-F-P----> free feature found :{}", freeFeature.get().getId());
 result.setFreePermission(true);
 return result;
 }
 //从相关角色查询用户-超管和普通角色
- List users = getUsersFromRole(req, matchedFeature);
+ List users = getUsersFromRole(req, matchedFeatureIds);
 result.setUsers(users);
 return result;
 }
- private List matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, List features) {
+ private Set matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, Set featureIds) {
 //查询工作台下产品
 List productList = checkAndGetData(servicePkgClient.listProductInWorkSpace(workspaceId));
 if (CollectionUtil.isEmpty(productList)) {
- log.warn("no product found for workspace:{}", workspaceId);
- return new ArrayList<>();
+ log.warn("------trace-L-I-F-P----> no product found for workspace");
+ return Collections.emptySet();
 }
- //产品包含的权限-过滤参建类型
- Set workspaceFeatures = productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
+ //产品包含的权限-过滤参建类型 和 feature
+ return productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
 .productIds(productList.stream()
 .map(ServicePkgProduct::getProductId)
 .collect(Collectors.toSet()))
 .workspaceJoinType(workspaceJoinType)
+ .featureIds(featureIds)
 .build())
 .stream()
 .map(SaasProductModuleFeatureRelation::getFeatureId)
 .collect(Collectors.toSet());
-
- //权限匹配
- return features.stream()
- .filter(x -> workspaceFeatures.contains(x.getId()))
- .collect(Collectors.toList());
 }
- private List getUsersFromRole(ListIdentityFromPermissionReq req, List features) {
+ private List getUsersFromRole(ListIdentityFromPermissionReq req, Set featureIds) {
 Long ouId = req.getOuId();
 Long workspaceId = req.getWorkspaceId();
- //查询OU-工作台下的角色
+ //查询OU-工作台下的角色-含superAdmin
 List roleList = roleService.listForOUWorkspace(ouId, workspaceId, req.getWorkspaceJoinType());
- log.info("====查询OU-工作台下的角色:{}===",roleList);
+ List roleIds = roleList.stream().map(SaasRole::getId).collect(Collectors.toList());
+ log.info("------trace-L-I-F-P----> roles from ou-workspace:{}", roleIds);
+ if (CollectionUtil.isEmpty(roleList)) {
+ log.info("------trace-L-I-F-P----> no role found for ou-workspace and type");
+ return Collections.emptyList();
+ }
 //查询角色及权限
- List rolePermissions = roleService.getByIds(roleList.stream().map(SaasRole::getId).collect(Collectors.toList()),
+ List rolePermissions = roleService.getByIds(roleIds,
 null, Lists.newArrayList(workspaceId), Lists.newArrayList(ouId), true);
- log.info("====查询角色及权限:{}===",rolePermissions);
 //计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色
- Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
-
 List matchedRoleList = new ArrayList<>();
 for (SaasRoleVO rolePermission : rolePermissions) {
 List filterFeature = rolePermission.getMatchFeature(workspaceId, ouId);
 if (filterFeature.stream().anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) {
- log.info("=====match role:{}", rolePermission.getId());
+ log.info("------trace-L-I-F-P----> matched role:{}", rolePermission.getId());
 matchedRoleList.add(rolePermission);
 } else {
- log.info("=====not_match-role-id:{}", rolePermission.getId());
- log.warn("=========not match role: {}",JSON.toJSONString(rolePermission));
+ log.info("------trace-L-I-F-P----> not matched role:{}", rolePermission.getId());
 }
 }
- log.info("-======matchedRoleList: {}", matchedRoleList);
- log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds);
 //查询角色下用户
 List matchedRoleIds = matchedRoleList.stream().map(SaasRoleVO::getId).collect(Collectors.toList());
- log.info("====查询角色下用户:{}===",matchedRoleIds);
 //追加工作台超管
 Set superAdmins = roleList
 .stream()
@@ -621,9 +619,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
 .map(SaasRole::getId)
 .collect(Collectors.toSet());
 matchedRoleIds.addAll(superAdmins);
- log.info("====追加工作台超管:{}===",superAdmins);
+ log.info("------trace-L-I-F-P----> append super admins:{}, final roles:{}", superAdmins, matchedRoleIds);
+ if (CollectionUtil.isEmpty(matchedRoleIds)) {
+ log.info("------trace-L-I-F-P----> no matched role found for feature");
+ return Collections.emptyList();
+ }
+
 List relationList = roleUserService.listByRoleIds(matchedRoleIds, workspaceId);
- log.info("====追加工作台超管:{}===",relationList);
 //构建用户-去重(identityId-identityType)
 List users = new ArrayList<>();
 Set filterSet = new HashSet<>();
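Review bot: The new `Set featureIds` is handed straight to `matchWorkspaceFeature` without checking that `listNodeWithChildrenByCode` found anything for the requested code, and what happens next depends entirely on how `queryOnCondition` treats an empty `featureIds` filter: if empty means "no filter", `matchedFeatureIds` becomes every feature in the workspace, `freeFeature` is still empty, and `getUsersFromRole` runs with nothing to match so that only the super admins appended in the next hunk are returned for a feature code that does not exist, which is a broader answer than a caller of an authorization lookup should get. Guard it right after the new line: `if (CollectionUtil.isEmpty(featureIds)) { log.warn("no feature found for code:{}", req.getFeatureCode()); return result; }` and make the empty-set contract explicit on `ProductFeatureQuery.featureIds`. The `------trace-L-I-F-P---->` INFO lines print full id sets on every call to this path; once the investigation they were added for is done, drop them to DEBUG so the authorization log is not dominated by per-request id dumps. The enclosing method starts above the hunk.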