refactor(permission-check): 优化日志;产品权限过滤
This commit is contained in:
parent
135acb19b5
commit
96d616afd0
@ -81,7 +81,7 @@ public interface TyrSaasAuthApi {
|
||||
* @return
|
||||
*/
|
||||
@PostMapping("/api/v2/auth/listIdentityFromPermission")
|
||||
ApiResult<ListIdentityFromPermissionResp> listIdentityFromPermission(@RequestBody ListIdentityFromPermissionReq req);
|
||||
ApiResult<ListIdentityFromPermissionResp> listIdentityFromPermission(@RequestBody @Valid ListIdentityFromPermissionReq req);
|
||||
|
||||
@PostMapping("/api/v2/auth/batchListIdentityFromPermission")
|
||||
ApiResult<List<ListIdentityFromPermissionResp>> batchListIdentityFromPermission(@RequestBody List<ListIdentityFromPermissionReq> req);
|
||||
|
||||
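Review bot: `batchListIdentityFromPermission` in the same hunk still takes `@RequestBody List<ListIdentityFromPermissionReq> req` with no `@Valid`, so the constraints this commit starts enforcing on the single-request endpoint are bypassed by the batch path that accepts the same request type. If this interface is the one the controller implements, validate there too: `ApiResult<List<ListIdentityFromPermissionResp>> batchListIdentityFromPermission(@RequestBody @Valid List<ListIdentityFromPermissionReq> req);`. Whether `@Valid` on a bare `List` parameter cascades into the elements depends on the Spring and validator versions in use (a `List<@Valid ...>` with method validation, or a wrapper object, may be required), so confirm that against this codebase rather than assuming the annotation alone is enough. The Javadoc above the mapping ends in an empty `@return`; a one-line description of the response would help.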
@ -22,4 +22,6 @@ public class ProductFeatureQuery {
|
||||
private String terminal;
|
||||
|
||||
private Integer workspaceJoinType;
|
||||
|
||||
private Set<Long> featureIds;
|
||||
}
|
||||
|
||||
@ -534,86 +534,86 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
result.setWorkspaceId(req.getWorkspaceId());
|
||||
|
||||
//code查询权限点信息
|
||||
log.info("------trace-L-I-F-P---->");
|
||||
List<SaasFeature> features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal());
|
||||
Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
|
||||
log.info("------trace-L-I-F-P----> features need to check:{}", featureIds);
|
||||
//权限匹配 - 工作台是否有指定权限
|
||||
List<SaasFeature> matchedFeature = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), features);
|
||||
if (CollectionUtil.isEmpty(matchedFeature)) {
|
||||
log.warn("no matched feature in workspace");
|
||||
Set<Long> matchedFeatureIds = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), featureIds);
|
||||
if (CollectionUtil.isEmpty(matchedFeatureIds)) {
|
||||
log.warn("------trace-L-I-F-P----> no matched feature in workspace");
|
||||
return result;
|
||||
}
|
||||
log.info("------trace-L-I-F-P----> matched feature in workspace:{}", matchedFeatureIds);
|
||||
|
||||
//是否免授权权限点
|
||||
Optional<SaasFeature> freeFeature = matchedFeature.stream()
|
||||
Optional<SaasFeature> freeFeature = features.stream()
|
||||
.filter(f -> matchedFeatureIds.contains(f.getId()))
|
||||
.filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
|
||||
.findAny();
|
||||
if (freeFeature.isPresent()) {
|
||||
log.warn("free feature found");
|
||||
log.warn("------trace-L-I-F-P----> free feature found :{}", freeFeature.get().getId());
|
||||
result.setFreePermission(true);
|
||||
return result;
|
||||
}
|
||||
|
||||
//从相关角色查询用户-超管和普通角色
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = getUsersFromRole(req, matchedFeature);
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = getUsersFromRole(req, matchedFeatureIds);
|
||||
result.setUsers(users);
|
||||
return result;
|
||||
}
|
||||
|
||||
private List<SaasFeature> matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, List<SaasFeature> features) {
|
||||
private Set<Long> matchWorkspaceFeature(Long workspaceId, Integer workspaceJoinType, Set<Long> featureIds) {
|
||||
//查询工作台下产品
|
||||
List<ServicePkgProduct> productList = checkAndGetData(servicePkgClient.listProductInWorkSpace(workspaceId));
|
||||
if (CollectionUtil.isEmpty(productList)) {
|
||||
log.warn("no product found for workspace:{}", workspaceId);
|
||||
return new ArrayList<>();
|
||||
log.warn("------trace-L-I-F-P----> no product found for workspace");
|
||||
return Collections.emptySet();
|
||||
}
|
||||
//产品包含的权限-过滤参建类型
|
||||
Set<Long> workspaceFeatures = productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
|
||||
//产品包含的权限-过滤参建类型 和 feature
|
||||
return productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
|
||||
.productIds(productList.stream()
|
||||
.map(ServicePkgProduct::getProductId)
|
||||
.collect(Collectors.toSet()))
|
||||
.workspaceJoinType(workspaceJoinType)
|
||||
.featureIds(featureIds)
|
||||
.build())
|
||||
.stream()
|
||||
.map(SaasProductModuleFeatureRelation::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
//权限匹配
|
||||
return features.stream()
|
||||
.filter(x -> workspaceFeatures.contains(x.getId()))
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
private List<ListIdentityFromPermissionResp.UserVO> getUsersFromRole(ListIdentityFromPermissionReq req, List<SaasFeature> features) {
|
||||
private List<ListIdentityFromPermissionResp.UserVO> getUsersFromRole(ListIdentityFromPermissionReq req, Set<Long> featureIds) {
|
||||
Long ouId = req.getOuId();
|
||||
Long workspaceId = req.getWorkspaceId();
|
||||
|
||||
//查询OU-工作台下的角色
|
||||
//查询OU-工作台下的角色-含superAdmin
|
||||
List<SaasRole> roleList = roleService.listForOUWorkspace(ouId, workspaceId, req.getWorkspaceJoinType());
|
||||
log.info("====查询OU-工作台下的角色:{}===",roleList);
|
||||
log.info("------trace-L-I-F-P---->");
|
||||
List<Long> roleIds = roleList.stream().map(SaasRole::getId).collect(Collectors.toList());
|
||||
log.info("------trace-L-I-F-P----> roles from ou-workspace:{}", roleIds);
|
||||
if (CollectionUtil.isEmpty(roleList)) {
|
||||
log.info("------trace-L-I-F-P----> no role found for ou-workspace and type");
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
//查询角色及权限
|
||||
List<SaasRoleVO> rolePermissions = roleService.getByIds(roleList.stream().map(SaasRole::getId).collect(Collectors.toList()),
|
||||
List<SaasRoleVO> rolePermissions = roleService.getByIds(roleIds,
|
||||
null, Lists.newArrayList(workspaceId), Lists.newArrayList(ouId), true);
|
||||
log.info("====查询角色及权限:{}===",rolePermissions);
|
||||
//计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色
|
||||
Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
|
||||
|
||||
List<SaasRoleVO> matchedRoleList = new ArrayList<>();
|
||||
for (SaasRoleVO rolePermission : rolePermissions) {
|
||||
List<PermissionPointTreeNode> filterFeature = rolePermission.getMatchFeature(workspaceId, ouId);
|
||||
if (filterFeature.stream().anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) {
|
||||
log.info("=====match role:{}", rolePermission.getId());
|
||||
log.info("------trace-L-I-F-P----> matched role:{}", rolePermission.getId());
|
||||
matchedRoleList.add(rolePermission);
|
||||
} else {
|
||||
log.info("=====not_match-role-id:{}", rolePermission.getId());
|
||||
log.warn("=========not match role: {}",JSON.toJSONString(rolePermission));
|
||||
log.info("------trace-L-I-F-P----> not matched role:{}", rolePermission.getId());
|
||||
}
|
||||
}
|
||||
|
||||
log.info("-======matchedRoleList: {}", matchedRoleList);
|
||||
log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds);
|
||||
//查询角色下用户
|
||||
List<Long> matchedRoleIds = matchedRoleList.stream().map(SaasRoleVO::getId).collect(Collectors.toList());
|
||||
log.info("====查询角色下用户:{}===",matchedRoleIds);
|
||||
//追加工作台超管
|
||||
Set<Long> superAdmins = roleList
|
||||
.stream()
|
||||
@ -621,9 +621,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
.map(SaasRole::getId)
|
||||
.collect(Collectors.toSet());
|
||||
matchedRoleIds.addAll(superAdmins);
|
||||
log.info("====追加工作台超管:{}===",superAdmins);
|
||||
log.info("------trace-L-I-F-P----> append super admins:{}, final roles:{}", superAdmins, matchedRoleIds);
|
||||
if (CollectionUtil.isEmpty(matchedRoleIds)) {
|
||||
log.info("------trace-L-I-F-P----> no matched role found for feature");
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
List<SaasRoleUserRelation> relationList = roleUserService.listByRoleIds(matchedRoleIds, workspaceId);
|
||||
log.info("====追加工作台超管:{}===",relationList);
|
||||
//构建用户-去重(identityId-identityType)
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = new ArrayList<>();
|
||||
Set<String> filterSet = new HashSet<>();
|
||||
|
||||
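Review bot: In the first hunk of this section, `listIdentityFromPermission` no longer intersects the requested features with the workspace features in code — the `featureIds` computed from `permissionPointService.listNodeWithChildrenByCode` is pushed into `ProductFeatureQuery.featureIds` and `matchWorkspaceFeature` returns whatever the query yields. If `queryOnCondition` treats an empty or null `featureIds` as "no filter" (a common builder convention, but its implementation is not visible here), an unknown feature code would make `matchedFeatureIds` the full set of workspace feature ids, and `getUsersFromRole` would then match every role holding any feature and return users unrelated to the requested permission, which the old list-based intersection could not do. Guard it before the query: after the `featureIds` line add `if (featureIds.isEmpty()) { log.warn("------trace-L-I-F-P----> no feature for code:{}", req.getFeatureCode()); return result; }`, and put the same check with `return Collections.emptySet();` at the top of `matchWorkspaceFeature` so the helper is safe on its own. The two bare `log.info("------trace-L-I-F-P---->")` lines at the start of both methods carry no information and can be dropped. `listIdentityFromPermission` starts before the first hunk and `getUsersFromRole` continues past the second.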