wangli/tyr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: (feature/REQ-2595) 修改查询用户有权限的菜单资源支持权限标签过滤

Browse Source
This commit is contained in:
lilong 2024-10-24 16:46:10 +08:00
parent 65363b6e48
commit 9a9ab39fcc
10 changed files with 51 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
tyr-api/src/main/java/cn/axzo/tyr/client/model/base/WorkspaceOUPair.java
View File

@ -1,10 +1,13 @@
package cn.axzo.tyr.client.model.base;
import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.util.Set;
/**
* OU Workspace对
*
@ -22,7 +25,9 @@ public class WorkspaceOUPair {
private Long workspaceId;
private String buildKey() {
return ouId + "-" + workspaceId;
private Set<RolePermissionTagEnum> tags;
public String buildKey() {
return ouId + "_" + workspaceId;
}
}

2
tyr-api/src/main/java/cn/axzo/tyr/client/model/req/BatchPermissionCheckReq.java
View File

@ -26,6 +26,4 @@ public class BatchPermissionCheckReq {
@NotBlank(message = "itemCode不能为空")
private String itemCode;
private Set<String> tags;
}

2
tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListPermissionFeatureReq.java
View File

@ -4,6 +4,7 @@ import cn.axzo.tyr.client.common.enums.FeatureResourceStatus;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.common.enums.PageElementFeatureResourceRelationTypeEnum;
import cn.axzo.tyr.client.model.base.WorkspaceOUPair;
import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
@ -68,5 +69,4 @@ public class ListPermissionFeatureReq {
*/
private FeatureResourceStatus status;
private Set<String> tags;
}

6
tyr-api/src/main/java/cn/axzo/tyr/client/model/req/PermissionCheckReq.java
View File

@ -42,6 +42,8 @@ public class PermissionCheckReq {
*/
private String terminal;
@Builder.Default
private Set<RolePermissionTagEnum> tags = Sets.newHashSet(RolePermissionTagEnum.JOINED);
/**
* 权限标签
*/
private Set<RolePermissionTagEnum> tags;
}

2
tyr-api/src/main/java/cn/axzo/tyr/client/model/req/TreePermissionReq.java
View File

@ -4,6 +4,7 @@ import cn.axzo.tyr.client.common.enums.FeatureResourceStatus;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.common.enums.PageElementFeatureResourceRelationTypeEnum;
import cn.axzo.tyr.client.model.base.WorkspaceOUPair;
import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
@ -80,5 +81,4 @@ public class TreePermissionReq {
*/
private FeatureResourceStatus status;
private Set<String> tags;
}

1
tyr-server/src/main/java/cn/axzo/tyr/server/controller/permission/PermissionQueryController.java
View File

@ -97,7 +97,6 @@ public class PermissionQueryController implements PermissionQueryApi {
@Override
public ApiResult<List<ListPermissionFeatureResp>> listPermission(ListPermissionFeatureReq req) {
return ApiResult.ok(permissionService.listPermission(req));
}
}

6
tyr-server/src/main/java/cn/axzo/tyr/server/event/inner/CacheRoleSaasFeatureResourceHandler.java
View File

@ -40,12 +40,6 @@ public class CacheRoleSaasFeatureResourceHandler implements InitializingBean {
log.info("begin cached role saasFeatureResource handler rocketmq event: {}", event);
RolePermissionCreatedPayload payload = event.normalizedData(RolePermissionCreatedPayload.class);
// 影响角色权限入口的代码没法简单重构导致发送的roleIds可能不准确所以一旦有角色权限的更新事件后全量更新角色权限角色权限数量不多
// 后续收口了代码就准确根据角色去更新缓存
// if (CollectionUtils.isEmpty(payload.getRoleIds())) {
// return;
// }
ListRoleReq listSaasRoleParam = ListRoleReq.builder()
.roleIds(Optional.ofNullable(payload.getRoleIds())
.map(Lists::newArrayList)

3
tyr-server/src/main/java/cn/axzo/tyr/server/service/RoleSaasFeatureResourceCacheService.java
View File

@ -1,5 +1,6 @@
package cn.axzo.tyr.server.service;
import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
@ -70,5 +71,7 @@ public interface RoleSaasFeatureResourceCacheService {
private Integer featureType;
private String uniCode;
private Set<RolePermissionTagEnum> tags;
}
}

211
tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionQueryServiceImpl.java
View File

@ -11,15 +11,14 @@ import cn.axzo.pokonyan.config.mybatisplus.BaseEntity;
import cn.axzo.thrones.client.saas.ServicePkgClient;
import cn.axzo.thrones.client.saas.entity.serivicepgkproduct.ServicePkgProduct;
import cn.axzo.thrones.client.saas.entity.servicepkg.ServicePkgDetailRes;
import cn.axzo.tyr.client.common.enums.FeatureResourceAuthType;
import cn.axzo.tyr.client.common.enums.FeatureResourceStatus;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.common.enums.RoleTypeEnum;
import cn.axzo.tyr.client.model.base.FeatureResourceExtraDO;
import cn.axzo.tyr.client.model.base.WorkspaceOUPair;
import cn.axzo.tyr.client.model.enums.IdentityType;
import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum;
import cn.axzo.tyr.client.model.product.ProductFeatureRelationVO;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import cn.axzo.tyr.client.model.req.IdentityAuthReq;
import cn.axzo.tyr.client.model.req.ListPermissionFeatureReq;
import cn.axzo.tyr.client.model.req.NavTreeReq;
@ -35,7 +34,6 @@ import cn.axzo.tyr.client.model.res.ListPermissionFeatureResp;
import cn.axzo.tyr.client.model.res.NavTreeResp;
import cn.axzo.tyr.client.model.res.ProductFeatureResourceResp;
import cn.axzo.tyr.client.model.res.SaasFeatureResourceResp;
import cn.axzo.tyr.client.model.res.SaasPermissionRelationRes;
import cn.axzo.tyr.client.model.res.TreePermissionResp;
import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserV2DTO;
import cn.axzo.tyr.client.model.roleuser.req.ListRoleUserRelationParam;
@ -49,7 +47,6 @@ import cn.axzo.tyr.server.model.WorkspaceFeatureRelation;
import cn.axzo.tyr.server.repository.dao.ProductModuleDao;
import cn.axzo.tyr.server.repository.dao.SaasFeatureResourceDao;
import cn.axzo.tyr.server.repository.entity.SaasFeatureResource;
import cn.axzo.tyr.server.repository.entity.SaasProductModuleFeatureRelation;
import cn.axzo.tyr.server.service.PermissionQueryService;
import cn.axzo.tyr.server.service.ProductFeatureRelationService;
import cn.axzo.tyr.server.service.ProductSaasFeatureResourceCacheService;
@ -89,7 +86,6 @@ import java.util.function.Function;
import java.util.stream.Collectors;
import static cn.axzo.tyr.server.repository.entity.SaasFeatureResource.DISPLAY_STATUS;
import static cn.axzo.tyr.server.repository.entity.SaasPgroupPermissionRelation.NEW_FEATURE;
/**
* 权限查询服务实现
*
@ -104,7 +100,6 @@ import static cn.axzo.tyr.server.repository.entity.SaasPgroupPermissionRelation.
public class PermissionQueryServiceImpl implements PermissionQueryService {
private final SaasFeatureResourceService featureResourceService;
private final RoleUserService roleUserService;
private final RoleService roleService;
private final TyrSaasAuthService saasAuthService;
private final ServicePkgClient servicePkgClient;
@ -114,7 +109,6 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
private final SaasRoleUserRelationService saasRoleUserRelationService;
private final WorkspaceProductService workspaceProductService;
private final RoleSaasFeatureResourceCacheService roleSaasFeatureResourceCacheService;
private final TyrSaasAuthService tyrSaasAuthService;
@Value("${not.auth.uniCodes:}")
private Set<String> notAuthUniCodes;
@ -317,125 +311,11 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
}
private List<Long> resolveFeatureIds(TreePermissionReq treePermissionReq) {
if (CollectionUtils.isEmpty(treePermissionReq.getUniCodes())) {
return Collections.emptyList();
}
PageSaasFeatureResourceReq pageSaasFeatureResourceReq = PageSaasFeatureResourceReq.builder()
.uniCodes(treePermissionReq.getUniCodes())
.build();
return featureResourceService.list(pageSaasFeatureResourceReq).stream()
.map(SaasFeatureResourceResp::getId)
.collect(Collectors.toList());
}
private List<SaasRoleUserV2DTO> listUserPermission(TreePermissionReq treePermissionReq, List<Long> featureIds) {
List<ListRoleUserRelationParam.WorkspaceOuPair> workspaceOuPairs = treePermissionReq.getWorkspaceOUPairs().stream()
.map(e -> ListRoleUserRelationParam.WorkspaceOuPair.builder()
.workspaceId(e.getWorkspaceId())
.ouId(e.getOuId())
.build())
.collect(Collectors.toList());
ListRoleUserRelationParam listRoleUserRelationParam = ListRoleUserRelationParam.builder()
.personId(treePermissionReq.getPersonId())
.workspaceOuPairs(Lists.newArrayList(workspaceOuPairs))
.needRole(true)
.needPermissionRelation(true)
.featureResourceTypes(treePermissionReq.getFeatureResourceTypes())
.type(NEW_FEATURE)
.terminal(treePermissionReq.getTerminal())
.featureIds(featureIds)
.build();
return saasRoleUserRelationService.listV2(listRoleUserRelationParam).stream()
.filter(e -> e.getSaasRole() != null)
.collect(Collectors.toList());
}
private Set<Long> listUserPermissionFeatureIdsFromDB(TreePermissionReq treePermissionReq) {
List<Long> featureIds = resolveFeatureIds(treePermissionReq);
if (CollectionUtils.isNotEmpty(treePermissionReq.getUniCodes()) && CollectionUtils.isEmpty(featureIds)) {
return Collections.emptySet();
}
List<SaasRoleUserV2DTO> saasRoleUserV2DTOS = listUserPermission(treePermissionReq, featureIds);
// 用户可能没有角色
if (CollectionUtils.isEmpty(saasRoleUserV2DTOS)) {
return Collections.emptySet();
}
List<WorkspaceProductService.WorkspaceProduct> workspaceProducts = listWorkspaceProducts(treePermissionReq, featureIds);
//免授权
Set<Long> authFreeFeatureIds = listNotAuthFeatures(treePermissionReq);
//取交集确定权限
return mixFeatureIds(saasRoleUserV2DTOS, workspaceProducts, authFreeFeatureIds);
}
private Set<Long> mixFeatureIds(List<SaasRoleUserV2DTO> saasRoleUsers,
List<WorkspaceProductService.WorkspaceProduct> workspaceProducts,
Set<Long> authFreeFeatureIds) {
Map<Long, WorkspaceProductService.WorkspaceProduct> workspaceProductMap = workspaceProducts.stream()
.collect(Collectors.toMap(WorkspaceProductService.WorkspaceProduct::getWorkspaceId, Function.identity()));
return saasRoleUsers.stream()
.filter(roleUser -> {
WorkspaceProductService.WorkspaceProduct workspaceProduct = workspaceProductMap.get(roleUser.getSaasRoleUser().getWorkspaceId());
if (workspaceProduct == null || CollectionUtils.isEmpty(workspaceProduct.getSaasProductModuleFeatureRelations())) {
log.warn("no workspace product feature found for id:{}", roleUser.getSaasRoleUser().getWorkspaceId());
return false;
}
return true;
})
.map(roleUser -> {
WorkspaceProductService.WorkspaceProduct workspaceProduct = workspaceProductMap.get(roleUser.getSaasRoleUser().getWorkspaceId());
SaasRoleUserV2DTO.SaasRole saasRole = roleUser.getSaasRole();
if (RoleTypeEnum.isAdmin(saasRole.getRoleType())) {
return resolveAdminRole(workspaceProduct, saasRole);
}
return resolveNormalRole(workspaceProduct, saasRole, authFreeFeatureIds);
})
.flatMap(Collection::stream)
.collect(Collectors.toSet());
}
private List<WorkspaceProductService.WorkspaceProduct> listWorkspaceProducts(TreePermissionReq treePermissionReq,
List<Long> featureIds) {
//查询租户产品权限点
Set<Long> workspaceIds = treePermissionReq.getWorkspaceOUPairs().stream()
.map(WorkspaceOUPair::getWorkspaceId)
.collect(Collectors.toSet());
WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
.terminal(treePermissionReq.getTerminal())
.workspaceIds(workspaceIds)
.featureResourceTypes(treePermissionReq.getFeatureResourceTypes())
.type(NEW_FEATURE)
.build();
if (CollectionUtils.isNotEmpty(featureIds)) {
workspaceProductParam.setFeatureIdPairs(Lists.newArrayList(FeatureIdPair.builder()
.featureIds(Sets.newHashSet(featureIds))
.type(NEW_FEATURE)
.build()));
}
return workspaceProductService.listWorkspaceProduct(workspaceProductParam);
}
@Override
public List<TreePermissionResp> treePermission(TreePermissionReq req) {
Set<Long> allFeatureIds = Sets.newHashSet();
Set<Long> featureIds = resovlePermission(req);
Set<Long> featureIds = listUserPermissionFeatureIds(req);
Set<Long> defaultFeatureIds = listNotAuthFeatureIds(req);
allFeatureIds.addAll(featureIds);
@ -533,20 +413,6 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
.collect(Collectors.toList());
}
private Set<Long> resovlePermission(TreePermissionReq req) {
if (tyrSaasAuthService.permissionFromDB()) {
return listUserPermissionFeatureIdsFromDB(req);
}
try {
return listUserPermissionFeatureIds(req);
} catch (Exception ex) {
log.error("查询权限异常,执行降级处理");
return listUserPermissionFeatureIdsFromDB(req);
}
}
private List<SaasFeatureResourceResp> filterFeature(List<SaasFeatureResourceResp> saasFeatureResources) {
if (CollectionUtils.isEmpty(saasFeatureResources)) {
return Collections.emptyList();
@ -843,6 +709,11 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
.orElse(Collections.emptyList());
}
/**
* 用户可能只有子节点的权限但是要构建这个菜单树所以需要先查询这个端的所有菜单然后根据用户的权限找到对应的父节点构建树
* @param treePermissionReq
* @return
*/
private Set<Long> listUserPermissionFeatureIds(TreePermissionReq treePermissionReq) {
List<SaasFeatureResourceService.SaasFeatureResourceCache> allFeatureResources = listAllFeatureResources(treePermissionReq);
@ -882,16 +753,6 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
allFeatureIds);
}
private Set<Long> listNotAuthFeatures(TreePermissionReq treePermissionReq) {
PageSaasFeatureResourceReq pageSaasFeatureResourceReq = PageSaasFeatureResourceReq.builder()
.terminal(treePermissionReq.getTerminal())
.authType(FeatureResourceAuthType.ALL_ROLE.getCode())
.build();
return featureResourceService.list(pageSaasFeatureResourceReq).stream()
.map(SaasFeatureResourceResp::getId)
.collect(Collectors.toSet());
}
private List<WorkspaceProductService.WorkspaceProductFeatureSource> listWorkspaceProducts(TreePermissionReq treePermissionReq) {
//查询租户产品权限点
Set<Long> workspaceIds = treePermissionReq.getWorkspaceOUPairs().stream()
@ -957,6 +818,9 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
.map(e -> e.stream().map(FeatureResourceType::getCode).collect(Collectors.toSet()))
.orElseGet(Sets::newHashSet);
Map<String, WorkspaceOUPair> workspaceOuPairs = treePermissionReq.getWorkspaceOUPairs().stream()
.collect(Collectors.toMap(WorkspaceOUPair::buildKey, Function.identity(), (f, s) -> f));
return saasRoleUsers.stream()
.map(roleUser -> {
List<ProductSaasFeatureResourceCacheService.FeatureResourceDTO> productFeatureSources = workspaceProductMap.get(roleUser.getSaasRoleUser().getWorkspaceId())
@ -974,15 +838,30 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
SaasRoleUserV2DTO.SaasRole saasRole = roleUser.getSaasRole();
Set<Long> adminFeatureIds = resolveAdminRole(productFeatureSources, saasRole);
Set<Long> notAuthFeatureIds = resolveNotAuthFeatureIds(productFeatureSources, authFreeFeatureIds);
WorkspaceOUPair workspaceOUPair = workspaceOuPairs.get(roleUser.getSaasRoleUser().buildOuWorkspaceKey());
if (Objects.isNull(workspaceOUPair)) {
return null;
}
Set<Long> adminFeatureIds = resolveAdminRole(productFeatureSources, saasRole, workspaceOUPair);
Set<Long> notAuthFeatureIds = resolveNotAuthFeatureIds(productFeatureSources, authFreeFeatureIds);
List<RoleSaasFeatureResourceCacheService.SaasFeatureResourceDTO> roleFeatureResources = Optional.ofNullable(roleFeatureResourceMap.get(saasRole.getId()))
.map(role -> role.stream()
.filter(e -> StringUtils.isBlank(treePermissionReq.getTerminal())
|| Objects.equals(e.getTerminal(), treePermissionReq.getTerminal()))
.filter(e -> CollectionUtils.isEmpty(featureTypes) || featureTypes.contains(e.getFeatureType()))
.filter(e -> {
if (CollectionUtils.isEmpty(workspaceOUPair.getTags())) {
return true;
}
if (Sets.intersection(workspaceOUPair.getTags(), e.getTags()).isEmpty()) {
return false;
}
return true;
})
.collect(Collectors.toList()))
.orElseGet(Lists::newArrayList);
@ -1001,12 +880,17 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
}
private Set<Long> resolveAdminRole(List<ProductSaasFeatureResourceCacheService.FeatureResourceDTO> productFeatureSources,
SaasRoleUserV2DTO.SaasRole saasRole) {
SaasRoleUserV2DTO.SaasRole saasRole,
WorkspaceOUPair workspaceOUPair) {
if (!RoleTypeEnum.isAdmin(saasRole.getRoleType())) {
return Collections.emptySet();
}
if (!CollectionUtils.isEmpty(workspaceOUPair.getTags()) && !workspaceOUPair.getTags().contains(RolePermissionTagEnum.JOINED)) {
return Collections.emptySet();
}
//超管和管理员 直接取和角色类型匹配的租户产品权限
return productFeatureSources.stream()
.filter(e -> Objects.equals(e.getCooperateType(), saasRole.getProductUnitType().toString())
@ -1047,33 +931,4 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
.filter(authFreeFeatureIds::contains)
.collect(Collectors.toSet());
}
private List<Long> resolveAdminRole(WorkspaceProductService.WorkspaceProduct workspaceProduct,
SaasRoleUserV2DTO.SaasRole saasRole) {
//超管和管理员 直接取和角色类型匹配的租户产品权限
return workspaceProduct.getSaasProductModuleFeatureRelations().stream()
.filter(f -> Objects.equals(f.getDictCode(), saasRole.getProductUnitType().toString())
|| !NumberUtil.isPositiveNumber(saasRole.getProductUnitType()))
.map(SaasProductModuleFeatureRelation::getFeatureId)
.collect(Collectors.toList());
}
private List<Long> resolveNormalRole(WorkspaceProductService.WorkspaceProduct workspaceProduct,
SaasRoleUserV2DTO.SaasRole saasRole,
Set<Long> authFreeFeatureIds) {
//普通角色角色同类型的租户产品权限已分配 且角色上已分配 + 免授权
Set<Long> roleFeatureIds = Optional.ofNullable(saasRole.getPermissionRelations())
.map(e -> e.stream()
.map(SaasPermissionRelationRes::getFeatureId)
.collect(Collectors.toSet()))
.orElseGet(Collections::emptySet);
return workspaceProduct.getSaasProductModuleFeatureRelations().stream()
.filter(f -> Objects.equals(f.getDictCode(), saasRole.getProductUnitType().toString())
|| !NumberUtil.isPositiveNumber(saasRole.getProductUnitType()))
.map(SaasProductModuleFeatureRelation::getFeatureId)
.filter(id -> roleFeatureIds.contains(id) || authFreeFeatureIds.contains(id))
.collect(Collectors.toList());
}
}

2
tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleSaasFeatureResourceCacheServiceImpl.java
View File

@ -162,6 +162,7 @@ public class RoleSaasFeatureResourceCacheServiceImpl implements RoleSaasFeatureR
.featureType(featureResource.getFeatureType())
.terminal(featureResource.getTerminal())
.uniCode(featureResource.getUniCode())
.tags(permissionRelation.getTags())
.build());
List<RoleSaasFeatureResourceCacheService.SaasFeatureResourceDTO> parentPermissions = featureResource.resolvePath().stream()
.map(parentFeatureResources::get)
@ -177,6 +178,7 @@ public class RoleSaasFeatureResourceCacheServiceImpl implements RoleSaasFeatureR
.featureType(f.getFeatureType())
.terminal(f.getTerminal())
.uniCode(f.getUniCode())
.tags(permissionRelation.getTags())
.build();
})
.filter(Objects::nonNull)