From 96d616afd0bf18614eea3ad2ca6b364ce1ea6151 Mon Sep 17 00:00:00 2001 From: zhansihu Date: Fri, 3 Nov 2023 09:38:34 +0800 Subject: [PATCH 1/5] =?UTF-8?q?refactor(permission-check):=20=E4=BC=98?= =?UTF-8?q?=E5=8C=96=E6=97=A5=E5=BF=97=EF=BC=9B=E4=BA=A7=E5=93=81=E6=9D=83?= =?UTF-8?q?=E9=99=90=E8=BF=87=E6=BB=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../axzo/tyr/client/feign/TyrSaasAuthApi.java | 2 +- .../entity/ProductFeatureQuery.java | 2 + .../service/impl/TyrSaasAuthServiceImpl.java | 66 ++++++++++--------- 3 files changed, 38 insertions(+), 32 deletions(-) diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java b/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java index f4142e85..46941e35 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java @@ -81,7 +81,7 @@ public interface TyrSaasAuthApi { * @return */ @PostMapping("/api/v2/auth/listIdentityFromPermission") - ApiResult listIdentityFromPermission(@RequestBody ListIdentityFromPermissionReq req); + ApiResult listIdentityFromPermission(@RequestBody @Valid ListIdentityFromPermissionReq req); @PostMapping("/api/v2/auth/batchListIdentityFromPermission") ApiResult> batchListIdentityFromPermission(@RequestBody List req); diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java b/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java index 327656f9..b72f1969 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/ProductFeatureQuery.java @@ -22,4 +22,6 @@ public class ProductFeatureQuery { private String terminal; private Integer workspaceJoinType; + + private Set featureIds; } 
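Review bot: `@Valid` is added only to `listIdentityFromPermission`; the sibling `batchListIdentityFromPermission` two lines below still takes its `@RequestBody List` unvalidated, so the same constraints are skipped when the request arrives through the batch endpoint. For a list body the element constraints need `@RequestBody @Valid List<@Valid ListIdentityFromPermissionReq> req` (or `@Validated` on the implementing class), since bean validation does not cascade into a raw list on its own. This is a `tyr-api` interface, so the annotation only takes effect if the server controller picks up parameter annotations from the interface method (Spring 5.1+ does); it is worth confirming on the implementing method rather than assuming.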
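Review bot: The new `featureIds` field carries no comment saying what an empty or null set means to `queryOnCondition`, while the caller added in this same commit (`matchWorkspaceFeature` in TyrSaasAuthServiceImpl) passes a possibly empty set and treats the result as the authoritative set of matched features. If the query follows the common "skip the predicate when the collection is empty" convention, an empty `featureIds` silently widens the query to every feature of the products instead of none. Document the contract on the field, e.g. `/** Optional feature-id filter. Callers use it as an authorization narrowing step, so an empty/null set must not be treated as "no filter" — confirm against queryOnCondition. */`, and make the query implementation agree with it.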
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java
index 7c8238bc..691ee698 100644
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java
@@ -534,86 +534,86 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { result.setWorkspaceId(req.getWorkspaceId()); //code查询权限点信息 + log.info("------trace-L-I-F-P---->"); List features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal()); + Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet()); + log.info("------trace-L-I-F-P----> features need to check:{}", featureIds); //权限匹配 - 工作台是否有指定权限 - List matchedFeature = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), features); - if (CollectionUtil.isEmpty(matchedFeature)) { - log.warn("no matched feature in workspace"); + Set matchedFeatureIds = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), featureIds); + if (CollectionUtil.isEmpty(matchedFeatureIds)) { + log.warn("------trace-L-I-F-P----> no matched feature in workspace"); return result; } + log.info("------trace-L-I-F-P----> matched feature in workspace:{}", matchedFeatureIds); //是否免授权权限点 - Optional freeFeature = matchedFeature.stream() + Optional freeFeature = features.stream() + .filter(f -> matchedFeatureIds.contains(f.getId())) .filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType())) .findAny(); if (freeFeature.isPresent()) { - log.warn("free feature found"); + log.warn("------trace-L-I-F-P----> free feature found :{}", freeFeature.get().getId()); result.setFreePermission(true); return result; } //从相关角色查询用户-超管和普通角色 - List users = getUsersFromRole(req, matchedFeature); + List users = getUsersFromRole(req, matchedFeatureIds); result.setUsers(users); return result; } - private List matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, List features) { + private Set matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, Set featureIds) { //查询工作台下产品 List productList = checkAndGetData(servicePkgClient.listProductInWorkSpace(workspaceId)); if (CollectionUtil.isEmpty(productList)) { - log.warn("no 
product found for workspace:{}", workspaceId); - return new ArrayList<>(); + log.warn("------trace-L-I-F-P----> no product found for workspace"); + return Collections.emptySet(); } - //产品包含的权限-过滤参建类型 - Set workspaceFeatures = productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder() + //产品包含的权限-过滤参建类型 和 feature + return productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder() .productIds(productList.stream() .map(ServicePkgProduct::getProductId) .collect(Collectors.toSet())) .workspaceJoinType(workspaceJoinType) + .featureIds(featureIds) .build()) .stream() .map(SaasProductModuleFeatureRelation::getFeatureId) .collect(Collectors.toSet()); - - //权限匹配 - return features.stream() - .filter(x -> workspaceFeatures.contains(x.getId())) - .collect(Collectors.toList()); } - private List getUsersFromRole(ListIdentityFromPermissionReq req, List features) { + private List getUsersFromRole(ListIdentityFromPermissionReq req, Set featureIds) { Long ouId = req.getOuId(); Long workspaceId = req.getWorkspaceId(); - //查询OU-工作台下的角色 + //查询OU-工作台下的角色-含superAdmin List roleList = roleService.listForOUWorkspace(ouId, workspaceId, req.getWorkspaceJoinType()); - log.info("====查询OU-工作台下的角色:{}===",roleList); + log.info("------trace-L-I-F-P---->"); + List roleIds = roleList.stream().map(SaasRole::getId).collect(Collectors.toList()); + log.info("------trace-L-I-F-P----> roles from ou-workspace:{}", roleIds); + if (CollectionUtil.isEmpty(roleList)) { + log.info("------trace-L-I-F-P----> no role found for ou-workspace and type"); + return Collections.emptyList(); + } //查询角色及权限 - List rolePermissions = roleService.getByIds(roleList.stream().map(SaasRole::getId).collect(Collectors.toList()), + List rolePermissions = roleService.getByIds(roleIds, null, Lists.newArrayList(workspaceId), Lists.newArrayList(ouId), true); - log.info("====查询角色及权限:{}===",rolePermissions); //计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色 - Set featureIds = 
features.stream().map(SaasFeature::getId).collect(Collectors.toSet()); - List matchedRoleList = new ArrayList<>(); for (SaasRoleVO rolePermission : rolePermissions) { List filterFeature = rolePermission.getMatchFeature(workspaceId, ouId); if (filterFeature.stream().anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) { - log.info("=====match role:{}", rolePermission.getId()); + log.info("------trace-L-I-F-P----> matched role:{}", rolePermission.getId()); matchedRoleList.add(rolePermission); } else { - log.info("=====not_match-role-id:{}", rolePermission.getId()); - log.warn("=========not match role: {}",JSON.toJSONString(rolePermission)); + log.info("------trace-L-I-F-P----> not matched role:{}", rolePermission.getId()); } } - log.info("-======matchedRoleList: {}", matchedRoleList); - log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds); //查询角色下用户 List matchedRoleIds = matchedRoleList.stream().map(SaasRoleVO::getId).collect(Collectors.toList()); - log.info("====查询角色下用户:{}===",matchedRoleIds); //追加工作台超管 Set superAdmins = roleList .stream() @@ -621,9 +621,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .map(SaasRole::getId) .collect(Collectors.toSet()); matchedRoleIds.addAll(superAdmins); - log.info("====追加工作台超管:{}===",superAdmins); + log.info("------trace-L-I-F-P----> append super admins:{}, final roles:{}", superAdmins, matchedRoleIds); + if (CollectionUtil.isEmpty(matchedRoleIds)) { + log.info("------trace-L-I-F-P----> no matched role found for feature"); + return Collections.emptyList(); + } + List relationList = roleUserService.listByRoleIds(matchedRoleIds, workspaceId); - log.info("====追加工作台超管:{}===",relationList); //构建用户-去重(identityId-identityType) List users = new ArrayList<>(); Set filterSet = new HashSet<>(); From f240176451b5df4087713fdb05a91c314131a0d5 Mon Sep 17 00:00:00 2001 
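Review bot: `matchWorkspaceFeature` no longer intersects the requested `features` with the workspace's features itself; it returns whatever `productFeatureRelationService.queryOnCondition` yields for `featureIds`, so when `listNodeWithChildrenByCode` resolves the code to nothing (`featureIds` empty) the outcome now depends on how the query treats an empty filter — the old code's `filter(x -> workspaceFeatures.contains(x.getId()))` made that case return early regardless. If an empty `featureIds` is ignored as a predicate, `matchedFeatureIds` becomes every feature of the workspace's products and `getUsersFromRole` returns the users of every role holding any of them, an over-broad identity list for a permission code that matched nothing. Keep the explicit guard right after `featureIds` is computed: `if (CollectionUtil.isEmpty(featureIds)) { log.warn("------trace-L-I-F-P----> no feature resolved for code"); return result; }`. Separately, the rewritten warning `no product found for workspace` dropped the `workspaceId` argument the old message carried, which is the one value needed to triage it; keep it as `log.warn("------trace-L-I-F-P----> no product found for workspace:{}", workspaceId);`. The enclosing method starts before the hunk.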
From: zhansihu Date: Fri, 3 Nov 2023 09:42:22 +0800 Subject: [PATCH 2/5] =?UTF-8?q?refactor(permission-check):=20=E4=BC=98?= =?UTF-8?q?=E5=8C=96=E6=97=A5=E5=BF=97?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index 691ee698..d963818f 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -534,7 +534,6 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { result.setWorkspaceId(req.getWorkspaceId()); //code查询权限点信息 - log.info("------trace-L-I-F-P---->"); List features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal()); Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet()); log.info("------trace-L-I-F-P----> features need to check:{}", featureIds); @@ -589,7 +588,6 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { //查询OU-工作台下的角色-含superAdmin List roleList = roleService.listForOUWorkspace(ouId, workspaceId, req.getWorkspaceJoinType()); - log.info("------trace-L-I-F-P---->"); List roleIds = roleList.stream().map(SaasRole::getId).collect(Collectors.toList()); log.info("------trace-L-I-F-P----> roles from ou-workspace:{}", roleIds); if (CollectionUtil.isEmpty(roleList)) { From 3872f8cd008a9a1653a87b7d3f23a4016ff23400 Mon Sep 17 00:00:00 2001 
From: zhansihu Date: Fri, 3 Nov 2023 10:09:30 +0800 Subject: [PATCH 3/5] =?UTF-8?q?refactor(permission-check):=20=E4=BC=98?= =?UTF-8?q?=E5=8C=96=E6=97=A5=E5=BF=97+1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java index 87ec7290..44b9705d 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java @@ -126,8 +126,7 @@ public class SaasRoleVO { } } - log.info("+======permissionPoint: {}", permissionPoint); - return new ArrayList<>((Collection) permissionPoint); + return new ArrayList<>(permissionPoint); } private boolean match(boolean isMatch, Set source, Collection target, Long scopeId, Long workspaceId) { @@ -138,6 +137,7 @@ public class SaasRoleVO { source.addAll(target); return true; } + log.warn("------trace-L-I-F-P----> not match permission scope:{}", scopeId); return false; } } From 1227e0a94fd0770019c6193a4f648d357fd720c0 Mon Sep 17 00:00:00 2001 From: zhansihu Date: Fri, 3 Nov 2023 11:52:43 +0800 Subject: [PATCH 4/5] =?UTF-8?q?refactor(permission-tree):=20=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E6=94=AF=E6=8C=81=E6=98=AF=E5=90=A6=E8=BF=87=E6=BB=A4?= =?UTF-8?q?=E5=AD=90=E8=8A=82=E7=82=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../model/permission/PermissionPointTreeQueryReq.java | 3 +++ .../server/service/impl/PermissionPointServiceImpl.java | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) 
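Review bot: The `log.warn` added at the end of `match` fires on every scope that simply does not match, which is the normal outcome for most roles in the per-role loop of `getUsersFromRole`, so the warn channel will carry routine control-flow noise that hides real warnings; `log.debug("------trace-L-I-F-P----> not match permission scope:{}", scopeId);` is the appropriate level. The hunk also shows `SaasRoleVO`, a `tyr-api` model class, logging from inside a predicate; if the decision is needed for diagnosis it is better surfaced by the caller, which already logs matched and not-matched roles. `match` begins before the hunk.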
diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java index 231b78a4..6506f93b 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/permission/PermissionPointTreeQueryReq.java @@ -48,4 +48,7 @@ public class PermissionPointTreeQueryReq { /** featureType 层级过滤-过滤掉featureType大于该值的数据 **/ private Integer maxFeatureType; + + /** 节点匹配后是否继续匹配子节点 **/ + private boolean fiterChildren = false; } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java index c891cabb..a67e6457 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java @@ -243,13 +243,14 @@ public class PermissionPointServiceImpl implements PermissionPointService { //条件匹配 - ID boolean matchId = CollectionUtil.isEmpty(request.getIds()) || request.getIds().contains(node.getPermissionPointId()); - if (matchKeyword && matchDelegateType && matchId) { - //如果匹配直接返回,否则过滤子节点 + boolean matched = matchKeyword && matchDelegateType && matchId; + if (matched && !request.isFiterChildren()) { + //如果匹配且不需要过滤子节点,直接返回,否则过滤子节点 return true; } if (CollectionUtil.isEmpty(node.getChildren())) { - return false; + return matched; } //过滤子节点 - 递归 - 必要时改为循环 List filterChildren = node.getChildren().stream() From aa2a098e78a41fab40f184220b11c41d24fcdc3d Mon Sep 17 00:00:00 2001 
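Review bot: `fiterChildren` is misspelled (`filterChildren`), and because this request class lives in `tyr-api` the typo becomes the serialized property name and the generated accessor `isFiterChildren()` that the `PermissionPointServiceImpl` hunk in this commit already calls, so it will be hard to rename once clients depend on it. Fix it now: `private boolean filterChildren = false;` and `request.isFilterChildren()` in the service. The comment should also state the default behaviour as the service implements it, e.g. `/** When true, a matched node still has its children filtered; when false (default) a matched node is returned with its children untouched. */`.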
From: zhansihu Date: Fri, 3 Nov 2023 12:04:18 +0800 Subject: [PATCH 5/5] =?UTF-8?q?refactor(permission-tree):=20=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E6=94=AF=E6=8C=81=E6=98=AF=E5=90=A6=E8=BF=87=E6=BB=A4?= =?UTF-8?q?=E5=AD=90=E8=8A=82=E7=82=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../server/service/impl/PermissionPointServiceImpl.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java index a67e6457..d461cbf8 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java @@ -256,11 +256,11 @@ public class PermissionPointServiceImpl implements PermissionPointService { List filterChildren = node.getChildren().stream() .filter(x -> recursionFilter(request, x)) .collect(Collectors.toList()); - - if (CollectionUtil.isEmpty(filterChildren)) { - return false; - } + //重置子节点 node.setChildren(filterChildren); + if (CollectionUtil.isEmpty(filterChildren)) { + return matched; + } return true; }
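Review bot: `recursionFilter` now has two retention rules — a node is kept when `matched` is true or when any child survives — and it writes `node.setChildren(filterChildren)` before deciding, so a matched node whose children are all filtered out is now kept with an empty child list where the previous commit in this series dropped it. None of this is stated on the method, whose signature is above the hunk; add a Javadoc saying that the method prunes `node`'s subtree in place, that the return value means "keep this node", and that with the request's filter-children flag set a matched node's children are filtered too rather than returned untouched. The trailing `return true` also keeps an unmatched node purely because a descendant matched, which deserves a one-line comment such as `// keep the ancestor so surviving descendants stay reachable`.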