feat:(REQ-2545) 修改菜单查询和鉴权相关接口,支持灰度版本并存
This commit is contained in:
parent
65310daadb
commit
bdb778db76
@ -0,0 +1,22 @@
package cn.axzo.tyr.client.model.req;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.util.Set;
@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class FeatureIdPair {
/**
* 区分新老菜单资源树
*/
private Integer type;
private Set<Long> featureIds;
}
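Review bot: `type` is a bare `Integer` whose Javadoc does not say which values are accepted, while every caller in this commit passes `OLD_FEATURE` or `NEW_FEATURE` from `SaasPgroupPermissionRelation`; a request model in a client package should state that contract on the field, e.g. `/** Old vs. new menu-resource tree; expected values are SaasPgroupPermissionRelation.OLD_FEATURE / NEW_FEATURE. */`. `featureIds` has no Javadoc at all; since the consumer in ProductFeatureRelationServiceImpl reduces a pair with an empty set to a type-only match, the doc should say that a pair is meaningful only with a non-empty `featureIds`, e.g. `/** Feature ids belonging to {@code type}; a pair with no ids should be omitted. */`.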
@ -9,6 +9,7 @@ import lombok.Data;
import lombok.NoArgsConstructor;
import java.util.List;
import java.util.Set;
@Data
@Builder
@ -30,4 +31,10 @@ public class PageElementFeatureResourceRelationReq implements IPageReq {
@CriteriaField(field = "featureResourceUniCode", operator = Operator.IN)
private List<String> featureResourceUniCodes;
@CriteriaField(field = "pageElementCode", operator = Operator.IN)
private Set<String> pageElementCodes;
@CriteriaField(field = "terminal", operator = Operator.EQ)
private String terminal;
}
@ -52,4 +52,10 @@ public class PagePgroupPermissionRelationReq implements IPageReq {
*/
@CriteriaField(ignore = true)
private String terminal;
/**
* 新老版本两个情况,可以配对查询
*/
@CriteriaField(ignore = true)
private List<FeatureIdPair> featureIdPairs;
}
@ -12,6 +12,7 @@ import lombok.NoArgsConstructor;
import java.util.Collections;
import java.util.List;
import java.util.Set;
@Data
@Builder
@ -63,6 +64,12 @@ public class PageSaasFeatureResourceReq implements IPageReq {
@CriteriaField(ignore = true)
private Boolean needFeatureCodes;
@CriteriaField(field = "uniCode", operator = Operator.IN)
private Set<String> uniCodes;
@CriteriaField(ignore = true)
private Set<String> paths;
public PageResp toEmpty() {
return PageResp.builder()
.current(this.getPage())
@ -4,6 +4,7 @@ import cn.axzo.foundation.dao.support.wrapper.CriteriaField;
import cn.axzo.foundation.dao.support.wrapper.Operator;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.model.enums.IdentityType;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
@ -11,6 +12,7 @@ import lombok.NoArgsConstructor;
import lombok.experimental.SuperBuilder;
import java.util.List;
import java.util.Set;
@SuperBuilder
@Data
@ -82,6 +84,12 @@ public class ListRoleUserRelationParam {
@CriteriaField(ignore = true)
private String terminal;
/**
* 权限点从saas_feature_resource表查询
*/
@CriteriaField(ignore = true)
private Boolean needPermission;
@Data
@Builder
@NoArgsConstructor
@ -1,6 +1,7 @@
package cn.axzo.tyr.server.repository.entity;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import lombok.Builder;
import lombok.Data;
@ -23,14 +24,16 @@ public class ProductFeatureQuery {
private String terminal;
private Integer workspaceJoinType;
private Set<Long> featureIds;
//
// private Set<Long> featureIds;
/**
* 菜单资源数节点类型
*/
private List<FeatureResourceType> featureResourceTypes;
private List<FeatureIdPair> featureIdPairs;
/**
* 区分新老菜单资源树
*/
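Review bot: The commented-out `// private Set<Long> featureIds;` and the bare `//` above it should be deleted rather than kept next to the replacement `featureIdPairs`; version control already holds the old field. `featureIdPairs` is also the only field in this hunk without a Javadoc while its neighbours have one: `/** Feature ids grouped by menu-tree type (old/new), one pair per tree. */` would match the file's style. The trailing Javadoc block documents a field that lies outside the hunk.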
@ -8,11 +8,13 @@ import com.baomidou.mybatisplus.annotation.TableName;
import com.baomidou.mybatisplus.extension.handlers.FastjsonTypeHandler;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.Getter;
import lombok.NoArgsConstructor;
import org.apache.commons.lang3.StringUtils;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
/**
@ -177,5 +179,18 @@ public class SaasFeatureResource extends BaseEntity<SaasFeatureResource> {
return StrUtil.split(this.path, ",").stream().filter(StringUtils::isNotBlank).map(Long::valueOf).collect(Collectors.toList());
}
@Getter
@AllArgsConstructor
public enum AuthType {
ALL_ROLE(0, "全部角色"),
ASSIGN_ROLE(1, "指定角色");
private Integer value;
private String desc;
public static boolean isAllRole(Integer authType) {
return Objects.equals(ALL_ROLE.getValue(), authType);
}
}
}
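Review bot: `value` and `desc` in the new `AuthType` enum are mutable instance fields; with `@Getter` and `@AllArgsConstructor` they should be `private final Integer value;` and `private final String desc;` so the authorization-type constants cannot be reassigned at runtime. `isAllRole(null)` returns false via `Objects.equals`, which is the safe direction for a check that decides whether a resource is open to all roles — worth making explicit with `/** True only when authType equals ALL_ROLE; a null authType is treated as not-all-role. */`.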
@ -26,8 +26,6 @@ public interface SaasRoleMapper extends BaseMapper<SaasRole> {
List<SaasRole> listForOUWorkspace(Long ouId, Long workspaceId, Integer workspaceJoinType);
List<SaasRole> listRoleByFeatures(@Param("featureIds") Set<Long> featureIds);
List<RoleFeatureRelation> listFeatureByIds(@Param("roleIds") Set<Long> roleIds, @Param("featureIds") Set<Long> featureIds);
}
@ -7,6 +7,7 @@ import cn.axzo.framework.domain.page.PageResp;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.model.enums.IdentityType;
import cn.axzo.tyr.client.model.req.ChangeGroupLeaderRoleReq;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import cn.axzo.tyr.client.model.req.FeatureRoleRelationReq;
import cn.axzo.tyr.client.model.req.QueryByIdentityIdTypeReq;
import cn.axzo.tyr.client.model.req.QueryRoleByNameReq;
@ -83,8 +84,6 @@ public interface RoleService extends IService<SaasRole> {
*/
void deleteRole(DeleteRoleVO deleteRoleParam);
List<SaasRole> queryRoleByFeatures(Set<Long> matchedFeatureIds);
List<SaasRole> getByIds(Set<Long> ids);
List<SaasRoleCategoryVO> queryByCategoryCode(List<String> categoryCodes);
@ -54,9 +54,16 @@ public interface TyrSaasAuthService {
List<ListPermissionFromRoleGroupResp> listAuthByResourceAndRoleGroup(ListPermissionFromRoleGroupReq listPermissionFromRoleGroupReq);
/**
* 接口鉴权
* 基于saas_feature的接口鉴权
* @param req
* @return
*/
boolean authPermission(PermissionCheckReq req);
/**
* 基于saas_feature_resource的接口鉴权
* @param req
* @return
*/
boolean authNewPermission(PermissionCheckReq req);
}
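Review bot: The Javadoc on `authNewPermission` (and the sibling `authPermission` above it) leaves `@param req` and `@return` empty, which is exactly what callers of an authorization method see in their IDE. Fill them in, e.g. `@param req the permission check request` and `@return true when the request is authorized against saas_feature_resource, false otherwise`. It would also help to record in the doc that during the grey release the caller combines the two methods with OR, so a false from either one alone is not a deny decision.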
@ -1,6 +1,7 @@
package cn.axzo.tyr.server.service;
import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import cn.axzo.tyr.server.repository.entity.SaasProductModuleFeatureRelation;
import lombok.AllArgsConstructor;
import lombok.Builder;
@ -30,20 +31,19 @@ public interface WorkspaceProductService {
*/
private Set<Long> workspaceIds;
private Integer type;
/**
* 查询菜单树节点类型
*/
private List<FeatureResourceType> featureResourceTypes;
/**
* 区分新老菜单资源树
* 因为存在一个租户不同版本的菜单资源
*/
private Integer type;
private Set<Long> featureIds;
private List<FeatureIdPair> featureIdPairs;
}
@Data
@Builder
@NoArgsConstructor
@ -173,7 +173,8 @@ public class PermissionQueryServiceImpl implements PermissionQueryService {
return hasPermissionV2(req);
}
log.info("user new auth");
return saasAuthService.authPermission(req);
// 因为会存在灰度的情况,只要在新版或者旧版有一个能鉴权通过就行
return saasAuthService.authPermission(req) || saasAuthService.authNewPermission(req);
}
//权限编码转ID
List<ResourcePermission> resourcePermissions = featureResourceService.permissionQuery(
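Review bot: The new `return saasAuthService.authPermission(req) || saasAuthService.authNewPermission(req);` folds two authorization backends into one boolean, and the only log line before it (`"user new auth"`) is emitted before either result is known, so nothing records which tree granted access. During a grey release that is the signal you need both for audit and for knowing when the legacy tree can be switched off; evaluate the two separately and log the outcome. The enclosing method begins before this hunk.
```java
// … unchanged: hasPermissionV2 early return …
log.info("user new auth");
boolean legacyAllowed = saasAuthService.authPermission(req);
// grey release: either tree may grant; keep the deciding path visible for audit and for retiring the legacy tree
boolean allowed = legacyAllowed || saasAuthService.authNewPermission(req);
log.info("auth result allowed={}, legacyAllowed={}", allowed, legacyAllowed);
return allowed;
```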
@ -10,6 +10,7 @@ import cn.axzo.tyr.client.common.enums.FeatureResourceType;
import cn.axzo.tyr.client.model.product.ProductFeatureRelationSearchReq;
import cn.axzo.tyr.client.model.product.ProductFeatureRelationUpdateReq;
import cn.axzo.tyr.client.model.product.ProductFeatureRelationVO;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import cn.axzo.tyr.server.repository.dao.ProductModuleDao;
import cn.axzo.tyr.server.repository.dao.SaasFeatureDao;
import cn.axzo.tyr.server.repository.dao.SaasFeatureResourceDao;
@ -215,7 +216,7 @@ public class ProductFeatureRelationServiceImpl implements ProductFeatureRelation
SaasProductModuleFeatureRelation::getProductModuleId, condition.getProductIds())
.eq(Objects.nonNull(condition.getWorkspaceJoinType()),
SaasProductModuleFeatureRelation::getDictCode, condition.getWorkspaceJoinType())
.in(CollectionUtil.isNotEmpty(condition.getFeatureIds()), SaasProductModuleFeatureRelation::getFeatureId, condition.getFeatureIds())
// .in(CollectionUtil.isNotEmpty(condition.getFeatureIds()), SaasProductModuleFeatureRelation::getFeatureId, condition.getFeatureIds())
.eq(Objects.nonNull(condition.getType()), SaasProductModuleFeatureRelation::getType, condition.getType())
.eq(StringUtils.hasLength(condition.getTerminal()), SaasProductModuleFeatureRelation::getTerminal, condition.getTerminal());
@ -223,6 +224,17 @@ public class ProductFeatureRelationServiceImpl implements ProductFeatureRelation
wrapper.in(SaasProductModuleFeatureRelation::getFeatureType, Lists.transform(condition.getFeatureResourceTypes(), FeatureResourceType::getCode));
}
if (!CollectionUtils.isEmpty(condition.getFeatureIdPairs())) {
wrapper.and(j -> {
for (FeatureIdPair featureIdPair : condition.getFeatureIdPairs()) {
j.or(k -> {
k.in(!CollectionUtils.isEmpty(featureIdPair.getFeatureIds()), SaasProductModuleFeatureRelation::getFeatureId, featureIdPair.getFeatureIds());
k.eq(Objects.nonNull(featureIdPair.getType()), SaasProductModuleFeatureRelation::getType, featureIdPair.getType());
});
}
});
}
return this.saasProductModuleFeatureRelationDao.list(wrapper);
}
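Review bot: In the `featureIdPairs` loop a pair whose `featureIds` is empty still contributes `k.eq(... getType, type)` on its own, so that OR branch degrades to `type = ?` and matches every relation of that tree type in the selected products. The two TyrSaasAuthServiceImpl hunks that build `FeatureIdPair`s for `OLD_FEATURE` and `NEW_FEATURE` produce exactly such a pair whenever only one tree returned features, because their guard rejects only the case where both trees are empty — the result is an over-broad `workspaceProducts` list feeding `getWorkspaceUser`. Skip id-less pairs at the top of the loop body, `if (CollectionUtils.isEmpty(featureIdPair.getFeatureIds())) { continue; }`, and make the outer guard test for at least one pair with ids rather than for a non-empty list, since how the wrapper renders an `and(...)` with no inner condition is not something this code should rely on. The commented-out `.in(...)` line in the previous hunk should be deleted instead of kept beside the live code.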
@ -876,11 +876,6 @@ public class RoleServiceImpl extends ServiceImpl<SaasRoleMapper, SaasRole>
saasPgroupRoleRelationDao.deleteByRoleId(deleteRoleParam.getRoleIds());
}
@Override
public List<SaasRole> queryRoleByFeatures(Set<Long> matchedFeatureIds) {
return saasRoleDao.getBaseMapper().listRoleByFeatures(matchedFeatureIds);
}
@Override
public List<SaasRole> getByIds(Set<Long> ids) {
return saasRoleDao.listByIds(ids);
@ -1194,7 +1189,8 @@ public class RoleServiceImpl extends ServiceImpl<SaasRoleMapper, SaasRole>
List<SaasPgroupPermissionRelation> saasPgroupPermissionRelations = saasPgroupPermissionRelationDao.lambdaQuery()
.in(SaasPgroupPermissionRelation::getGroupId, Lists.transform(saasPgroupRoleRelations, SaasPgroupRoleRelation::getGroupId))
.eq(SaasPgroupPermissionRelation::getIsDelete, TableIsDeleteEnum.NORMAL.value)
.eq(Objects.nonNull(param.getType()), SaasPgroupPermissionRelation::getType, param.getType())
.in(CollectionUtils.isNotEmpty(param.getFeatureIds()), SaasPgroupPermissionRelation::getFeatureId, param.getFeatureIds())
.eq(SaasPgroupPermissionRelation::getType, NEW_FEATURE)
.list();
if (CollectionUtils.isEmpty(saasPgroupPermissionRelations)) {
return Collections.emptyMap();
@ -1415,6 +1411,7 @@ public class RoleServiceImpl extends ServiceImpl<SaasRoleMapper, SaasRole>
.in(SaasPgroupPermissionRelation::getGroupId, Lists.transform(saasPgroupRoleRelations, SaasPgroupRoleRelation::getGroupId))
.in(CollectionUtils.isNotEmpty(param.getFeatureIds()), SaasPgroupPermissionRelation::getFeatureId, param.getFeatureIds())
.eq(SaasPgroupPermissionRelation::getIsDelete, TableIsDeleteEnum.NORMAL.value)
.eq(SaasPgroupPermissionRelation::getType, OLD_FEATURE)
.list();
if (CollectionUtils.isEmpty(saasPgroupPermissionRelations)) {
return Collections.emptyMap();
@ -514,6 +514,14 @@ public class SaasFeatureResourceServiceImpl extends ServiceImpl<SaasFeatureResou
wrapper.eq("is_delete", 0);
wrapper.likeRight(StringUtils.isNotBlank(parentPath), "path", parentPath);
if (CollectionUtils.isNotEmpty(param.getPaths())) {
wrapper.and(j -> {
for (String path : param.getPaths()) {
j.or(k -> k.likeRight("path", path));
}
});
}
IPage<SaasFeatureResource> page = this.page(PageConverter.toMybatis(param, SaasFeatureResource.class), wrapper);
Map<String, Set<String>> uniCodeFeatureCodeMap = listFeatureCodes(param, page.getRecords());
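Review bot: `j.or(k -> k.likeRight("path", path))` takes each value of `param.getPaths()` verbatim: a blank entry becomes `path LIKE '%'` and widens the page to the whole table, and because `path` is a comma-separated id list (the entity splits it on `,`) the prefix `1,2` also matches `1,23,...`. Skip blanks and match on a delimiter boundary: `if (StringUtils.isBlank(path)) { continue; }` followed by `j.or(k -> k.eq("path", path).or().likeRight("path", path + ","));`, adjusting the suffix if stored paths already end with the delimiter. `likeRight` does not escape `%` or `_`, so if `paths` can be set by an external caller of `PageSaasFeatureResourceReq` (it is a client request model) those characters should be escaped before the query is built. The enclosing method starts before this hunk.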
@ -237,6 +237,7 @@ public class SaasRoleUserRelationServiceImpl extends ServiceImpl<SaasRoleUserRel
.needPermissionRelation(param.getNeedPermissionRelation())
.type(param.getType())
.terminal(param.getTerminal())
.needPermission(param.getNeedPermission())
.build();
return roleService.list(listSaasRoleParam).stream()
.map(e -> {
@ -16,12 +16,15 @@ import cn.axzo.tyr.client.model.permission.PermissionPointListQueryRequest;
import cn.axzo.tyr.client.model.permission.PermissionPointTreeNode;
import cn.axzo.tyr.client.model.product.ProductFeatureRelationVO;
import cn.axzo.tyr.client.model.req.CheckIdentityPermissionReq;
import cn.axzo.tyr.client.model.req.FeatureIdPair;
import cn.axzo.tyr.client.model.req.IdentityAuthReq;
import cn.axzo.tyr.client.model.req.ListIdentityFromPermissionReq;
import cn.axzo.tyr.client.model.req.ListPermissionFromFeatureReq;
import cn.axzo.tyr.client.model.req.ListPermissionFromIdentityReq;
import cn.axzo.tyr.client.model.req.ListPermissionFromRoleGroupReq;
import cn.axzo.tyr.client.model.req.OUWorkspacePair;
import cn.axzo.tyr.client.model.req.PageElementFeatureResourceRelationReq;
import cn.axzo.tyr.client.model.req.PagePgroupPermissionRelationReq;
import cn.axzo.tyr.client.model.req.PageSaasFeatureResourceReq;
import cn.axzo.tyr.client.model.req.PermissionCheckReq;
import cn.axzo.tyr.client.model.req.QueryPermissionByIdsReq;
@ -31,6 +34,7 @@ import cn.axzo.tyr.client.model.res.IdentityAuthRes;
import cn.axzo.tyr.client.model.res.ListIdentityFromPermissionResp;
import cn.axzo.tyr.client.model.res.ListPermissionFromRoleGroupResp;
import cn.axzo.tyr.client.model.res.QueryIdentityByPermissionResp;
import cn.axzo.tyr.client.model.res.SaasFeatureResourceResp;
import cn.axzo.tyr.client.model.res.SaasRoleRes;
import cn.axzo.tyr.client.model.res.SimplePermissionPointResp;
import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserV2DTO;
@ -45,9 +49,13 @@ import cn.axzo.tyr.server.repository.entity.ProductFeatureInfo;
import cn.axzo.tyr.server.repository.entity.ProductFeatureQuery;
import cn.axzo.tyr.server.repository.entity.RolePermission;
import cn.axzo.tyr.server.repository.entity.SaasFeature;
import cn.axzo.tyr.server.repository.entity.SaasFeatureResource;
import cn.axzo.tyr.server.repository.entity.SaasPageElementFeatureResourceRelation;
import cn.axzo.tyr.server.repository.entity.SaasPgroupPermissionRelation;
import cn.axzo.tyr.server.repository.entity.SaasProductModuleFeatureRelation;
import cn.axzo.tyr.server.repository.entity.SaasRole;
import cn.axzo.tyr.server.repository.entity.SaasRoleGroup;
import cn.axzo.tyr.server.repository.entity.SaasRoleGroupRelation;
import cn.axzo.tyr.server.repository.entity.SaasRoleUserRelation;
import cn.axzo.tyr.server.repository.entity.SaasRoleWithUser;
import cn.axzo.tyr.server.repository.mapper.TyrSaasAuthMapper;
@ -56,6 +64,9 @@ import cn.axzo.tyr.server.service.PermissionPointService;
import cn.axzo.tyr.server.service.ProductFeatureRelationService;
import cn.axzo.tyr.server.service.RoleService;
import cn.axzo.tyr.server.service.SaasFeatureResourceService;
import cn.axzo.tyr.server.service.SaasPageElementFeatureResourceRelationService;
import cn.axzo.tyr.server.service.SaasPgroupPermissionRelationService;
import cn.axzo.tyr.server.service.SaasRoleGroupRelationService;
import cn.axzo.tyr.server.service.SaasRoleGroupService;
import cn.axzo.tyr.server.service.SaasRoleUserRelationService;
import cn.axzo.tyr.server.service.TyrSaasAuthService;
@ -79,6 +90,7 @@ import lombok.NoArgsConstructor;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.cloud.context.config.annotation.RefreshScope;
@ -104,7 +116,6 @@ import java.util.stream.Collectors;
import static cn.axzo.tyr.server.repository.entity.SaasPgroupPermissionRelation.NEW_FEATURE;
import static cn.axzo.tyr.server.repository.entity.SaasPgroupPermissionRelation.OLD_FEATURE;
import static cn.axzo.tyr.server.util.RpcInternalUtil.checkAndGetData;
import static cn.axzo.tyr.server.util.RpcInternalUtil.rpcListProcessor;
/**
* @author tanjie@axzo.cn
@ -124,7 +135,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
private final ServicePkgClient servicePkgClient;
@Qualifier("authExecutor")
@Autowired
private Executor executor;
private Executor executor;
private final ProductFeatureRelationService productFeatureRelationService;
private final PermissionPointService permissionPointService;
@ -135,6 +146,9 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
private final SaasProductModuleFeatureRelationDao saasProductModuleFeatureRelationDao;
private final WorkspaceProductService workspaceProductService;
private final SaasFeatureResourceService saasFeatureResourceService;
private final SaasPageElementFeatureResourceRelationService saasPageElementFeatureResourceRelationService;
private final SaasPgroupPermissionRelationService saasPgroupPermissionRelationService;
private final SaasRoleGroupRelationService saasRoleGroupRelationService;
/**
* 通过身份查询人员权限
@ -353,55 +367,6 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
return permissionSet.containsAll(checkCodes);
}
// private IdentityAuthRes listAllNotAuthPermission(IdentityAuthReq identityAuthReq) {
// // 目前只有CMS端会同时在saas_feature和saas_feature_resource中使用
// permissionPointService.queryList(PermissionPointListQueryRequest.builder()
// .delegatedType(DelegatedType.NO_NEED.getCode())
// .build());
//
// PageSaasFeatureResourceReq pageSaasFeatureResourceReq = PageSaasFeatureResourceReq.builder()
// .terminal(TerminalInfo.NT_CMS_WEB_GENERAL)
// .authType(FeatureResourceAuthType.ALL_ROLE.getCode())
// .build();
// saasFeatureResourceService.list(pageSaasFeatureResourceReq);
//
// Set<Long> workspaceIds = identityAuthReq.getWorkspaceOusPairs().stream()
// .map(IdentityAuthReq.WorkspaceOuPair::getWorkspaceId)
// .collect(Collectors.toSet());
//
// WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
// .workspaceIds(workspaceIds)
// .featureIds()
// .build();
// workspaceProductService.listWorkspaceProduct(workspaceProductParam);
//
//
// IdentityAuthRes result = new IdentityAuthRes();
// result.setIdentity(identityAuthReq.getIdentityId());
// result.setIdentityType(identityAuthReq.getIdentityType());
// result.setPersonId(identityAuthReq.getPersonId());
//
// List<IdentityAuthRes.WorkspacePermission> workspacePermissions = identityAuthReq.getWorkspaceOusPairs().stream()
// .map(e -> {
//
// IdentityAuthRes.WorkspacePermission workspacePermission = IdentityAuthRes.WorkspacePermission.builder()
// .workspaceId(e.getWorkspaceId())
// .ouId(e.getOuId())
// .build();
//
// IdentityAuthRes.PermissionPoint.builder()
// .featureCode(e.getCode())
// .featureId(e.getId())
// .terminal(e.getTerminal())
// .build();
// return workspacePermission;
// })
// .collect(Collectors.toList());
//
// result.setPermissions(workspacePermissions);
// return result;
// }
private IdentityAuthRes findIdentityAuth(IdentityAuthReq identityAuthReq) {
//用户角色关系
List<SaasRoleUserRelation> saasRoleUserRelations = listRoleUserRelations(identityAuthReq);
@ -516,14 +481,14 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
.stream()
.filter(e -> !CollectionUtils.isEmpty(e.getFeatureCodes()))
.map(e ->
// 兼容历史情况,根据featureCode组装数据
e.getFeatureCodes().stream()
.map(featureCode -> IdentityAuthRes.PermissionPoint.builder()
.featureCode(featureCode)
.featureId(e.getId())
.terminal(e.getTerminal())
.build())
.collect(Collectors.toList()))
// 兼容历史情况,根据featureCode组装数据
e.getFeatureCodes().stream()
.map(featureCode -> IdentityAuthRes.PermissionPoint.builder()
.featureCode(featureCode)
.featureId(e.getId())
.terminal(e.getTerminal())
.build())
.collect(Collectors.toList()))
.flatMap(Collection::stream)
.collect(Collectors.toList());
}
@ -609,9 +574,9 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
}
return permissionPointService.queryList(PermissionPointListQueryRequest.builder()
.ids(featureIds)
.delegatedType(DelegatedType.NO_NEED.getCode())
.build())
.ids(featureIds)
.delegatedType(DelegatedType.NO_NEED.getCode())
.build())
.stream()
.map(e -> FeatureWrapper.builder()
.featureId(e.getPermissionPointId())
@ -811,8 +776,47 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
//比较code
return authRes.getPermissions().stream()
.anyMatch(e -> e.getPermissionPoint()
.stream()
.anyMatch(p -> codeSet.contains(p.getFeatureCode())));
.stream()
.anyMatch(p -> codeSet.contains(p.getFeatureCode())));
}
@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
static class ListSaasFeatureResourceParam {
private Set<String> featureCodes;
private String terminal;
}
private List<SaasFeatureResourceResp> listSaasFeatureResource(ListSaasFeatureResourceParam req) {
PageElementFeatureResourceRelationReq pageElementFeatureResourceRelationReq = PageElementFeatureResourceRelationReq.builder()
.pageElementCodes(req.getFeatureCodes())
.terminal(req.getTerminal())
.build();
List<SaasPageElementFeatureResourceRelation> relations = saasPageElementFeatureResourceRelationService.list(pageElementFeatureResourceRelationReq);
if (CollectionUtils.isEmpty(relations)) {
log.info("not found in SaasPageElementFeatureResourceRelation, featureCodes:{},terminal:{}",
req.getFeatureCodes(), req.getTerminal());
return Collections.emptyList();
}
Set<String> uniCodes = relations.stream().map(SaasPageElementFeatureResourceRelation::getFeatureResourceUniCode).collect(Collectors.toSet());
PageSaasFeatureResourceReq pageSaasFeatureResourceReq = PageSaasFeatureResourceReq.builder()
.uniCodes(uniCodes)
.build();
List<SaasFeatureResourceResp> featureResources = saasFeatureResourceService.list(pageSaasFeatureResourceReq);
if (CollectionUtils.isEmpty(featureResources)) {
log.info("not found in SaasFeatureResource, unicode:{}", uniCodes);
return Collections.emptyList();
}
return saasFeatureResourceService.list(PageSaasFeatureResourceReq.builder()
.paths(featureResources.stream().map(SaasFeatureResourceResp::getPath).collect(Collectors.toSet()))
.build());
}
@Override
@ -823,7 +827,15 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
//code查询权限点信息
List<SaasFeature> features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal());
if (CollectionUtil.isEmpty(features)) {
// 兼容新老版本,需要通过featureCode查询新版本的features,原逻辑是查询当前菜单资源的所有子数据
ListSaasFeatureResourceParam listSaasFeatureResourceParam = ListSaasFeatureResourceParam.builder()
.featureCodes(Sets.newHashSet(req.getFeatureCode()))
.terminal(req.getTerminal())
.build();
List<SaasFeatureResourceResp> saasFeatureResources = listSaasFeatureResource(listSaasFeatureResourceParam);
if (CollectionUtil.isEmpty(features) && CollectionUtils.isEmpty(saasFeatureResources)) {
log.warn("no features data found for:{}", req.getFeatureCode());
return result;
}
@ -831,20 +843,41 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
Optional<SaasFeature> freeFeature = features.stream()
.filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
.findAny();
if (freeFeature.isPresent()) {
log.warn("free feature found :{}", freeFeature.get().getId());
Optional<SaasFeatureResourceResp> freeFeatureResource = saasFeatureResources.stream()
.filter(e -> SaasFeatureResource.AuthType.isAllRole(e.getAuthType()))
.findFirst();
if (freeFeature.isPresent() || freeFeatureResource.isPresent()) {
log.warn("free feature found : featureId:{}, featureResourceId:{}",
freeFeature.map(SaasFeature::getId).orElse(null),
freeFeatureResource.map(SaasFeatureResourceResp::getId).orElse(null));
throw new ServiceException("不能查询免授权权限点人员");
}
Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
//权限匹配 - 有该权限的工作台产品 productUnitType -> featureIds
Map<Integer, Set<Long>> workspaceFeatureMap = matchWorkspaceFeature(req.getWorkspaceId(), featureIds);
if (CollectionUtil.isEmpty(workspaceFeatureMap)) {
Set<Long> newFeatureIds = saasFeatureResources.stream().map(SaasFeatureResourceResp::getId).collect(Collectors.toSet());
WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
.workspaceIds(Sets.newHashSet(req.getWorkspaceId()))
.featureIdPairs(Lists.newArrayList(
FeatureIdPair.builder().featureIds(featureIds).type(OLD_FEATURE).build(),
FeatureIdPair.builder().featureIds(newFeatureIds).type(NEW_FEATURE).build()
))
.build();
List<SaasProductModuleFeatureRelation> workspaceProducts = workspaceProductService.listWorkspaceProduct(workspaceProductParam)
.stream()
.map(WorkspaceProductService.WorkspaceProduct::getSaasProductModuleFeatureRelations)
.filter(Objects::nonNull)
.flatMap(Collection::stream)
.collect(Collectors.toList());
if (CollectionUtil.isEmpty(workspaceProducts)) {
log.warn("no matched product feature in workspace");
return result;
}
List<ListIdentityFromPermissionResp.UserVO> matchedUsers = getWorkspaceUser(req.getWorkspaceId(), req.getOuId(), workspaceFeatureMap);
List<ListIdentityFromPermissionResp.UserVO> matchedUsers = getWorkspaceUser(req.getWorkspaceId(), req.getOuId(), workspaceProducts);
if (CollectionUtil.isEmpty(matchedUsers)) {
return result;
}
@ -852,25 +885,6 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
return result;
}
private Map<Integer, Set<Long>> matchWorkspaceFeature(Long workspaceId, Set<Long> featureIds) {
//查询工作台下产品
List<ServicePkgProduct> productList = checkAndGetData(servicePkgClient.listProductInWorkSpace(workspaceId));
if (CollectionUtil.isEmpty(productList)) {
log.warn("------trace-L-I-F-P----> no product found for workspace");
return Collections.emptyMap();
}
//产品包含的权限-过滤参建类型 和 feature
return productFeatureRelationService.queryOnCondition(ProductFeatureQuery.builder()
.productIds(productList.stream()
.map(ServicePkgProduct::getProductId)
.collect(Collectors.toSet()))
.featureIds(featureIds)
.build())
.stream()
.collect(Collectors.groupingBy(r -> Integer.valueOf(r.getDictCode()),
Collectors.mapping(SaasProductModuleFeatureRelation::getFeatureId, Collectors.toSet())));
}
@Override
public List<ListIdentityFromPermissionResp> batchListIdentityFromPermission(List<ListIdentityFromPermissionReq> reqList) {
//异步处理
@ -1033,10 +1047,12 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
permissionInfo.forEach(e -> e.setSimpleFeatureInfos(authMap.get(NumberUtil.parseLong(e.getRoleId()))));
return permissionInfo;
}
/**
* 通过工作台ID过滤指定角色的权限
*
* @param filterRoleAuths
* @return KEY :role Id ; VALUE: feature id ;
* @return KEY :role Id ; VALUE: feature id ;
*/
public Map<Long, Set<Long>> filterAuthByRoleAndProduct(List<FilterRoleAuth> filterRoleAuths) {
List<Long> roleIds = filterRoleAuths.stream().map(FilterRoleAuth::getRoleId).distinct().collect(Collectors.toList());
@ -1098,12 +1114,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
return oldFeatureLists;
}));
}
@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public static class OUWRoleInfo {
Long workspaceId;
Integer workspaceType;
Long ouId;
@ -1117,30 +1134,63 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
//code查询权限点信息
List<SaasFeature> features = permissionPointService.listNodeWithChildrenByCodes(req.getFeatureCodes(), null);
if (CollectionUtil.isEmpty(features)) {
// 兼容新老版本,需要通过featureCode查询新版本的features,原逻辑是查询当前菜单资源的所有子数据
ListSaasFeatureResourceParam listSaasFeatureResourceParam = ListSaasFeatureResourceParam.builder()
.featureCodes(Sets.newHashSet(req.getFeatureCodes()))
.build();
List<SaasFeatureResourceResp> saasFeatureResources = listSaasFeatureResource(listSaasFeatureResourceParam);
if (CollectionUtil.isEmpty(features) && CollectionUtils.isEmpty(saasFeatureResources)) {
log.warn("no features data found for:{}", req.getFeatureCodes());
return Collections.emptyList();
Set<Long> featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
//权限匹配 - 工作台是否有指定权限 productUnitType -> featureIds
|
||||
Map<Integer, Set<Long>> workspaceFeatureMap = matchWorkspaceFeature(req.getWorkspaceId(), featureIds);
|
||||
if (CollectionUtil.isEmpty(workspaceFeatureMap)) {
|
||||
Set<Long> newFeatureIds = saasFeatureResources.stream().map(SaasFeatureResourceResp::getId).collect(Collectors.toSet());
|
||||
WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
|
||||
.workspaceIds(Sets.newHashSet(req.getWorkspaceId()))
|
||||
.featureIdPairs(Lists.newArrayList(
|
||||
FeatureIdPair.builder().featureIds(featureIds).type(OLD_FEATURE).build(),
|
||||
FeatureIdPair.builder().featureIds(newFeatureIds).type(NEW_FEATURE).build()
|
||||
))
|
||||
.build();
|
||||
List<SaasProductModuleFeatureRelation> workspaceProducts = workspaceProductService.listWorkspaceProduct(workspaceProductParam)
|
||||
.stream()
|
||||
.map(WorkspaceProductService.WorkspaceProduct::getSaasProductModuleFeatureRelations)
|
||||
.filter(Objects::nonNull)
|
||||
.flatMap(Collection::stream)
|
||||
.collect(Collectors.toList());
|
||||
|
||||
if (CollectionUtil.isEmpty(workspaceProducts)) {
|
||||
log.warn("no matched feature in workspace product");
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
//是否免授权权限点
|
||||
Set<Long> matchedFeatureIds = workspaceFeatureMap.values().stream().flatMap(Collection::stream).collect(Collectors.toSet());
|
||||
Set<Long> matchedOldFeatureIds = workspaceProducts.stream()
|
||||
.filter(e -> Objects.equals(OLD_FEATURE, e.getType()))
|
||||
.map(SaasProductModuleFeatureRelation::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
Optional<SaasFeature> freeFeature = features.stream()
|
||||
.filter(f -> matchedFeatureIds.contains(f.getId()))
|
||||
.filter(f -> matchedOldFeatureIds.contains(f.getId()))
|
||||
.filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
|
||||
.findAny();
|
||||
if (freeFeature.isPresent()) {
|
||||
|
||||
Set<Long> matchedNewFeatureIds = workspaceProducts.stream()
|
||||
.filter(e -> Objects.equals(NEW_FEATURE, e.getType()))
|
||||
.map(SaasProductModuleFeatureRelation::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
Optional<SaasFeatureResourceResp> freeFeatureResource = saasFeatureResources.stream()
|
||||
.filter(f -> matchedNewFeatureIds.contains(f.getId()))
|
||||
.filter(e -> SaasFeatureResource.AuthType.isAllRole(e.getAuthType()))
|
||||
.findFirst();
|
||||
if (freeFeature.isPresent() || freeFeatureResource.isPresent()) {
|
||||
throw new ServiceException("免授权权限点调用查人接口");
|
||||
}
|
||||
|
||||
//从相关角色查询用户-超管和普通角色
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = getWorkspaceUser(req.getWorkspaceId(), null, workspaceFeatureMap);
|
||||
List<ListIdentityFromPermissionResp.UserVO> users = getWorkspaceUser(req.getWorkspaceId(), null, workspaceProducts);
|
||||
if (CollectionUtil.isEmpty(users)) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
@ -1158,19 +1208,66 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
return result;
|
||||
}
|
||||
|
||||
private List<ListIdentityFromPermissionResp.UserVO> getWorkspaceUser(Long workspaceId, Long ouId, Map<Integer, Set<Long>> workspaceFeatureMap) {
|
||||
private List<SaasRole> listFeatureRoles(Set<Long> featureIds, Integer type) {
|
||||
if (CollectionUtils.isEmpty(featureIds)) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
Set<Integer> productTypes = workspaceFeatureMap.keySet();
|
||||
Set<Long> matchedFeatureIds = workspaceFeatureMap.values().stream().flatMap(Collection::stream).collect(Collectors.toSet());
|
||||
List<SaasPgroupPermissionRelation> relations = saasPgroupPermissionRelationService.list(PagePgroupPermissionRelationReq.builder()
|
||||
.featureIds(Lists.newArrayList(featureIds))
|
||||
.type(type)
|
||||
.build());
|
||||
if (CollectionUtils.isEmpty(relations)) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
List<SaasRole> matchedRoles = new ArrayList<>();
|
||||
List<SaasRoleGroupRelation> roleGroupRelations = saasRoleGroupRelationService.list(SaasRoleGroupRelationService.ListSaasRoleGroupRelationParam.builder()
|
||||
.saasRoleGroupIds(Lists.transform(relations, SaasPgroupPermissionRelation::getGroupId))
|
||||
.build());
|
||||
if (CollectionUtils.isEmpty(roleGroupRelations)) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
return roleService.list(RoleService.ListSaasRoleParam.builder()
|
||||
.roleIds(Lists.transform(roleGroupRelations, SaasRoleGroupRelation::getRoleId))
|
||||
.build())
|
||||
.stream()
|
||||
.map(e -> {
|
||||
SaasRole saasRole = new SaasRole();
|
||||
BeanUtils.copyProperties(e, saasRole);
|
||||
return saasRole;
|
||||
})
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
private List<ListIdentityFromPermissionResp.UserVO> getWorkspaceUser(Long workspaceId, Long ouId,
|
||||
List<SaasProductModuleFeatureRelation> workspaceProducts) {
|
||||
Set<Integer> newProductTypes = workspaceProducts.stream()
|
||||
.filter(e -> Objects.equals(e.getType(), NEW_FEATURE))
|
||||
.map(SaasProductModuleFeatureRelation::getDictCode)
|
||||
.map(Integer::valueOf)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
Set<Long> newMatchedFeatureIds = workspaceProducts.stream()
|
||||
.filter(e -> Objects.equals(e.getType(), NEW_FEATURE))
|
||||
.map(SaasProductModuleFeatureRelation::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
Set<Integer> oldProductTypes = workspaceProducts.stream()
|
||||
.filter(e -> Objects.equals(e.getType(), OLD_FEATURE))
|
||||
.map(SaasProductModuleFeatureRelation::getDictCode)
|
||||
.map(Integer::valueOf)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
Set<Long> oldMatchedFeatureIds = workspaceProducts.stream()
|
||||
.filter(e -> Objects.equals(e.getType(), OLD_FEATURE))
|
||||
.map(SaasProductModuleFeatureRelation::getFeatureId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
//超管和管理员
|
||||
List<SaasRole> adminRoles = roleService.listAdmins(workspaceId, ouId);
|
||||
if (CollectionUtil.isEmpty(adminRoles)) {
|
||||
log.warn("no admin roles found for workspaceId:{}, ouId:{}", workspaceId, ouId);
|
||||
} else {
|
||||
matchedRoles.addAll(adminRoles);
|
||||
}
|
||||
|
||||
Set<Long> superAdmins = adminRoles.stream()
|
||||
@ -1179,18 +1276,32 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
//普通角色 权限点查角色 -- 不考虑 角色权限集例外
|
||||
List<SaasRole> normalRoles = roleService.queryRoleByFeatures(matchedFeatureIds);
|
||||
if (CollectionUtil.isEmpty(normalRoles)) {
|
||||
log.warn("no role found for featureIds:{}", matchedFeatureIds);
|
||||
} else {
|
||||
matchedRoles.addAll(normalRoles);
|
||||
}
|
||||
// 多版本只会存在一段时间,减少代码复杂度,所以查询多次
|
||||
List<SaasRole> oldNormalSaasRoles = listFeatureRoles(oldMatchedFeatureIds, OLD_FEATURE);
|
||||
List<SaasRole> newNormalSaasRoles = listFeatureRoles(newMatchedFeatureIds, NEW_FEATURE);
|
||||
|
||||
//匹配角色和产品标签
|
||||
List<Long> roleIds = matchedRoles.stream()
|
||||
.filter(r -> productTypes.contains(r.getProductUnitType()))
|
||||
List<Long> roleIds = Lists.newArrayList();
|
||||
// 超管不用区分新老版本
|
||||
List<Long> adminRoleIds = adminRoles.stream()
|
||||
.filter(r -> newProductTypes.contains(r.getProductUnitType()) || oldProductTypes.contains(r.getProductUnitType()))
|
||||
.map(SaasRole::getId)
|
||||
.collect(Collectors.toList());
|
||||
|
||||
List<Long> oldNormalRoleIds = oldNormalSaasRoles.stream()
|
||||
.filter(r -> oldProductTypes.contains(r.getProductUnitType()))
|
||||
.map(SaasRole::getId)
|
||||
.collect(Collectors.toList());
|
||||
|
||||
List<Long> newNormalRoleIds = newNormalSaasRoles.stream()
|
||||
.filter(r -> newProductTypes.contains(r.getProductUnitType()))
|
||||
.map(SaasRole::getId)
|
||||
.collect(Collectors.toList());
|
||||
|
||||
//匹配角色和产品标签
|
||||
roleIds.addAll(adminRoleIds);
|
||||
roleIds.addAll(oldNormalRoleIds);
|
||||
roleIds.addAll(newNormalRoleIds);
|
||||
|
||||
if (CollectionUtil.isEmpty(roleIds)) {
|
||||
log.warn("no role matched product unit types");
|
||||
return Collections.emptyList();
|
||||
@ -1228,27 +1339,82 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
}
|
||||
|
||||
/**
|
||||
* 判断用户是否有指定权限码的权限
|
||||
* 1、查询用户的角色id、租户的产品id(db)
|
||||
* 2、根据权限点找对应的产品、单位类型(redis)
|
||||
* 3、租户开通的产品是否在权限点对应的产品,不满足条件直接返回false
|
||||
* 4、查询是否有免授权的权限点
|
||||
* 4、有管理员角色:租户的产品要在权限点的产品里、单位类型要是管理员角色的单位类型,满足条件则返回true
|
||||
* 6、根据权限点找对应的角色(redis)
|
||||
* 7、有非管理员角色:
|
||||
* 基于saas_feature_resource的鉴权
|
||||
* @param req
|
||||
* @return
|
||||
*/
|
||||
@Override
|
||||
public boolean authNewPermission(PermissionCheckReq req) {
|
||||
ListSaasFeatureResourceParam listSaasFeatureResourceParam = ListSaasFeatureResourceParam.builder()
|
||||
.featureCodes(Sets.newHashSet(req.getFeatureCodes()))
|
||||
.terminal(req.getTerminal())
|
||||
.build();
|
||||
List<SaasFeatureResourceResp> saasFeatureResources = listSaasFeatureResource(listSaasFeatureResourceParam);
|
||||
|
||||
if (CollectionUtils.isEmpty(saasFeatureResources)) {
|
||||
log.info("featureCode not found in featureResource:{}", req.getFeatureCodes());
|
||||
return false;
|
||||
}
|
||||
|
||||
//用户角色关系,以及对应角色的权限点
|
||||
List<SaasRoleUserV2DTO> saasRoleUserRelations = listRoleUserRelationsNew(req, saasFeatureResources);
|
||||
if (CollectionUtils.isEmpty(saasRoleUserRelations)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
Set<Long> featureIds = saasFeatureResources.stream()
|
||||
.map(SaasFeatureResourceResp::getId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
|
||||
.workspaceIds(Sets.newHashSet(req.getWorkspaceId()))
|
||||
.featureIdPairs(Lists.newArrayList(
|
||||
FeatureIdPair.builder().featureIds(featureIds).type(NEW_FEATURE).build()
|
||||
))
|
||||
.build();
|
||||
Set<SaasProductModuleFeatureRelation> workspaceProductFeatures = workspaceProductService.listWorkspaceProduct(workspaceProductParam).stream()
|
||||
.map(WorkspaceProductService.WorkspaceProduct::getSaasProductModuleFeatureRelations)
|
||||
.filter(Objects::nonNull)
|
||||
.flatMap(Collection::stream)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
if (CollectionUtils.isEmpty(workspaceProductFeatures)) {
|
||||
log.info("product not found:{}", req.getWorkspaceId());
|
||||
return false;
|
||||
}
|
||||
|
||||
// 是否有免授权的权限码,且在租户开通了这个产品
|
||||
boolean matchedNoNeedAuthFeature = matchNoAuthFeatureNew(saasFeatureResources, workspaceProductFeatures);
|
||||
if (BooleanUtil.isTrue(matchedNoNeedAuthFeature)) {
|
||||
log.info("has no need auth feature:{}", req.getWorkspaceId());
|
||||
return true;
|
||||
}
|
||||
|
||||
// 是否有管理员角色,且租户开通了管理员角色的单位类型对应的产品权限码
|
||||
boolean matchedAdminRole = matchAdminRole(saasRoleUserRelations, workspaceProductFeatures);
|
||||
if (BooleanUtil.isTrue(matchedAdminRole)) {
|
||||
log.info("admin role has permission:{}", req.getWorkspaceId());
|
||||
return true;
|
||||
}
|
||||
|
||||
return matchNormalRole(saasRoleUserRelations, workspaceProductFeatures);
|
||||
}
|
||||
|
||||
/**
|
||||
* 基于saas_feature的鉴权,后续会去掉
|
||||
* @param req
|
||||
* @return
|
||||
*/
|
||||
@Override
|
||||
public boolean authPermission(PermissionCheckReq req) {
|
||||
// saas_feature表会被废弃,所以直接查询,没提供统一的查询
|
||||
// 会存在灰度用户的情况,接口对应的featureCode分别是saas_feature和saas_feature_resource的权限码
|
||||
List<SaasFeature> saasFeatures = saasFeatureDao.lambdaQuery()
|
||||
.in(SaasFeature::getFeatureCode, req.getFeatureCodes())
|
||||
.eq(SaasFeature::getIsDelete, TableIsDeleteEnum.NORMAL.value)
|
||||
.eq(StringUtils.isNotBlank(req.getTerminal()), SaasFeature::getTerminal, req.getTerminal())
|
||||
.list();
|
||||
if (CollectionUtils.isEmpty(saasFeatures)) {
|
||||
log.info("featureCode not found:{}", req.getFeatureCodes());
|
||||
log.info("featureCode not found in saasFeature:{}", req.getFeatureCodes());
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -1258,89 +1424,46 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
return false;
|
||||
}
|
||||
|
||||
// 查询租户开通的所有产品
|
||||
Set<Long> productIds = listProducts(req);
|
||||
if (CollectionUtils.isEmpty(productIds)) {
|
||||
Set<Long> featureIds = saasFeatures.stream()
|
||||
.map(SaasFeature::getId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
|
||||
.workspaceIds(Sets.newHashSet(req.getWorkspaceId()))
|
||||
.featureIdPairs(Lists.newArrayList(
|
||||
FeatureIdPair.builder().featureIds(featureIds).type(NEW_FEATURE).build()
|
||||
))
|
||||
.build();
|
||||
Set<SaasProductModuleFeatureRelation> workspaceProductFeatures = workspaceProductService.listWorkspaceProduct(workspaceProductParam).stream()
|
||||
.map(WorkspaceProductService.WorkspaceProduct::getSaasProductModuleFeatureRelations)
|
||||
.filter(Objects::nonNull)
|
||||
.flatMap(Collection::stream)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
if (CollectionUtils.isEmpty(workspaceProductFeatures)) {
|
||||
log.info("product not found:{}", req.getWorkspaceId());
|
||||
return false;
|
||||
}
|
||||
|
||||
// 查询产品开通的这些权限点的信息
|
||||
List<SaasProductModuleFeatureRelation> permissionProducts = listPermissionProduct(saasFeatures, productIds);
|
||||
if (CollectionUtils.isEmpty(productIds)) {
|
||||
log.info("permission product not found:{}", req.getWorkspaceId());
|
||||
return false;
|
||||
}
|
||||
|
||||
// 是否有免授权的权限码,且在租户开通了这个产品
|
||||
boolean matchedNoNeedAuthFeature = matchNoAuthFeature(saasFeatures, permissionProducts);
|
||||
boolean matchedNoNeedAuthFeature = matchNoAuthFeature(saasFeatures, workspaceProductFeatures);
|
||||
if (BooleanUtil.isTrue(matchedNoNeedAuthFeature)) {
|
||||
log.info("has no need auth feature:{}", req.getWorkspaceId());
|
||||
return true;
|
||||
}
|
||||
|
||||
// 是否有管理员角色,且租户开通了管理员角色的单位类型对应的产品权限码
|
||||
boolean matchedAdminRole = matchAdminRole(saasRoleUserRelations, permissionProducts);
|
||||
boolean matchedAdminRole = matchAdminRole(saasRoleUserRelations, workspaceProductFeatures);
|
||||
if (BooleanUtil.isTrue(matchedAdminRole)) {
|
||||
log.info("admin role has permission:{}", req.getWorkspaceId());
|
||||
return true;
|
||||
}
|
||||
|
||||
return matchNormalRole(saasRoleUserRelations, permissionProducts);
|
||||
return matchNormalRole(saasRoleUserRelations, workspaceProductFeatures);
|
||||
}
|
||||
|
||||
// private boolean authPermissionNewFeature(PermissionCheckReq req) {
|
||||
// // saas_feature表会被废弃,所以直接查询,没提供统一的查询
|
||||
// // 会存在灰度用户的情况,接口对应的featureCode分别是saas_feature和saas_feature_resource的权限码
|
||||
// List<SaasFeature> saasFeatures = saasFeatureResourceService.lambdaQuery()
|
||||
// .in(SaasFeature::getFeatureCode, req.getFeatureCodes())
|
||||
// .eq(SaasFeature::getIsDelete, TableIsDeleteEnum.NORMAL.value)
|
||||
// .eq(StringUtils.isNotBlank(req.getTerminal()), SaasFeature::getTerminal, req.getTerminal())
|
||||
// .list();
|
||||
// if (CollectionUtils.isEmpty(saasFeatures)) {
|
||||
// log.info("featureCode not found:{}", req.getFeatureCodes());
|
||||
// return false;
|
||||
// }
|
||||
//
|
||||
// //用户角色关系,以及对应角色的权限点
|
||||
// List<SaasRoleUserV2DTO> saasRoleUserRelations = listRoleUserRelations(req, saasFeatures);
|
||||
// if (CollectionUtils.isEmpty(saasRoleUserRelations)) {
|
||||
// return false;
|
||||
// }
|
||||
//
|
||||
// // 查询租户开通的所有产品
|
||||
// Set<Long> productIds = listProducts(req);
|
||||
// if (CollectionUtils.isEmpty(productIds)) {
|
||||
// log.info("product not found:{}", req.getWorkspaceId());
|
||||
// return false;
|
||||
// }
|
||||
//
|
||||
// // 查询产品开通的这些权限点的信息
|
||||
// List<SaasProductModuleFeatureRelation> permissionProducts = listPermissionProduct(saasFeatures, productIds);
|
||||
// if (CollectionUtils.isEmpty(productIds)) {
|
||||
// log.info("permission product not found:{}", req.getWorkspaceId());
|
||||
// return false;
|
||||
// }
|
||||
//
|
||||
// // 是否有免授权的权限码,且在租户开通了这个产品
|
||||
// boolean matchedNoNeedAuthFeature = matchNoAuthFeature(saasFeatures, permissionProducts);
|
||||
// if (BooleanUtil.isTrue(matchedNoNeedAuthFeature)) {
|
||||
// log.info("has no need auth feature:{}", req.getWorkspaceId());
|
||||
// return true;
|
||||
// }
|
||||
//
|
||||
// // 是否有管理员角色,且租户开通了管理员角色的单位类型对应的产品权限码
|
||||
// boolean matchedAdminRole = matchAdminRole(saasRoleUserRelations, permissionProducts);
|
||||
// if (BooleanUtil.isTrue(matchedAdminRole)) {
|
||||
// log.info("admin role has permission:{}", req.getWorkspaceId());
|
||||
// return true;
|
||||
// }
|
||||
//
|
||||
// return matchNormalRole(saasRoleUserRelations, permissionProducts);
|
||||
// }
|
||||
|
||||
private boolean matchNormalRole(List<SaasRoleUserV2DTO> saasRoleUserRelations,
|
||||
List<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
Set<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
List<SaasRoleUserV2DTO> normalRoles = saasRoleUserRelations.stream()
|
||||
.filter(e -> !RoleTypeEnum.isAdmin(e.getSaasRole().getRoleType()))
|
||||
.collect(Collectors.toList());
|
||||
@ -1377,14 +1500,32 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean matchNoAuthFeatureNew(List<SaasFeatureResourceResp> saasFeatureResources,
|
||||
Set<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
|
||||
Set<Long> noNeedAuthFeatureIds = saasFeatureResources.stream()
|
||||
.filter(e -> SaasFeatureResource.AuthType.isAllRole(e.getAuthType()))
|
||||
.map(SaasFeatureResourceResp::getId)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
if (CollectionUtils.isEmpty(noNeedAuthFeatureIds)) {
|
||||
log.info("not found no need auth featureCode");
|
||||
return false;
|
||||
}
|
||||
|
||||
return permissionProducts.stream()
|
||||
.anyMatch(e -> noNeedAuthFeatureIds.contains(e.getFeatureId()));
|
||||
}
|
||||
|
||||
/**
|
||||
* 租户开通的产品是否有不需要鉴权的权限码
|
||||
*
|
||||
* @param saasFeatures
|
||||
* @param permissionProducts
|
||||
* @return
|
||||
*/
|
||||
private boolean matchNoAuthFeature(List<SaasFeature> saasFeatures,
|
||||
List<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
Set<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
|
||||
Set<Long> noNeedAuthFeatureIds = saasFeatures.stream()
|
||||
.filter(e -> Objects.equals(e.getDelegatedType(), DelegatedType.NO_NEED.getCode()))
|
||||
@ -1402,12 +1543,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
|
||||
/**
|
||||
* 匹配管理员角色是否有权限点的权限
|
||||
*
|
||||
* @param saasRoleUserRelations
|
||||
* @param permissionProducts
|
||||
* @return
|
||||
*/
|
||||
private boolean matchAdminRole(List<SaasRoleUserV2DTO> saasRoleUserRelations,
|
||||
List<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
Set<SaasProductModuleFeatureRelation> permissionProducts) {
|
||||
|
||||
List<SaasRoleUserV2DTO> adminRoles = saasRoleUserRelations.stream()
|
||||
.filter(e -> RoleTypeEnum.isAdmin(e.getSaasRole().getRoleType()))
|
||||
@ -1425,18 +1567,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
.anyMatch(adminRole -> ouTypes.contains(String.valueOf(adminRole.getSaasRole().getProductUnitType())));
|
||||
}
|
||||
|
||||
private List<SaasProductModuleFeatureRelation> listPermissionProduct(List<SaasFeature> saasFeatures,
|
||||
Set<Long> productIds) {
|
||||
|
||||
return saasProductModuleFeatureRelationDao.lambdaQuery()
|
||||
.in(SaasProductModuleFeatureRelation::getProductModuleId, productIds)
|
||||
.in(SaasProductModuleFeatureRelation::getFeatureId, Lists.transform(saasFeatures, SaasFeature::getId))
|
||||
.eq(SaasProductModuleFeatureRelation::getIsDelete, TableIsDeleteEnum.NORMAL.value)
|
||||
.list();
|
||||
}
|
||||
|
||||
private List<SaasRoleUserV2DTO> listRoleUserRelations(PermissionCheckReq identityAuthReq,
|
||||
List<SaasFeature> saasFeatures) {
|
||||
/**
|
||||
* 兼容历史版本,全部切完后去掉
|
||||
* @param identityAuthReq
|
||||
* @param saasFeatures
|
||||
* @return
|
||||
*/
|
||||
private List<SaasRoleUserV2DTO> listRoleUserRelations(PermissionCheckReq identityAuthReq, List<SaasFeature> saasFeatures) {
|
||||
|
||||
List<ListRoleUserRelationParam.WorkspaceOuPair> workspaceOuPairs = Lists.newArrayList(
|
||||
ListRoleUserRelationParam.WorkspaceOuPair.builder()
|
||||
@ -1456,20 +1593,23 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
public Set<Long> listProducts(PermissionCheckReq req) {
|
||||
private List<SaasRoleUserV2DTO> listRoleUserRelationsNew(PermissionCheckReq identityAuthReq, List<SaasFeatureResourceResp> saasFeatureResources) {
|
||||
|
||||
List<ServicePkgDetailRes> servicePkgDetailRes = rpcListProcessor(() -> servicePkgClient.getServicePkgDetailBySpaceId(Sets.newHashSet(req.getWorkspaceId())),
|
||||
"查询租户的产品", req.getWorkspaceId()).getData();
|
||||
|
||||
if (CollectionUtil.isEmpty(servicePkgDetailRes)) {
|
||||
return Collections.emptySet();
|
||||
}
|
||||
|
||||
return servicePkgDetailRes.stream()
|
||||
.map(ServicePkgDetailRes::getProducts)
|
||||
.filter(CollectionUtil::isNotEmpty)
|
||||
.flatMap(Collection::stream)
|
||||
.map(ServicePkgProduct::getProductId)
|
||||
.collect(Collectors.toSet());
|
||||
List<ListRoleUserRelationParam.WorkspaceOuPair> workspaceOuPairs = Lists.newArrayList(
|
||||
ListRoleUserRelationParam.WorkspaceOuPair.builder()
|
||||
.workspaceId(identityAuthReq.getWorkspaceId())
|
||||
.ouId(identityAuthReq.getOuId())
|
||||
.build()
|
||||
);
|
||||
ListRoleUserRelationParam listRoleUserRelationParam = ListRoleUserRelationParam.builder()
|
||||
.personId(identityAuthReq.getPersonId())
|
||||
.workspaceOuPairs(Lists.newArrayList(workspaceOuPairs))
|
||||
.needRole(true)
|
||||
.needPermission(true)
|
||||
.featureIds(Lists.transform(saasFeatureResources, SaasFeatureResourceResp::getId))
|
||||
.build();
|
||||
return saasRoleUserRelationService.listV2(listRoleUserRelationParam).stream()
|
||||
.filter(e -> e.getSaasRole() != null)
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
}
|
||||
|
||||
@ -74,9 +74,9 @@ public class WorkspaceProductServiceImpl implements WorkspaceProductService {
|
||||
ProductFeatureQuery productFeatureQuery = ProductFeatureQuery.builder()
|
||||
.productIds(productIds)
|
||||
.featureResourceTypes(param.getFeatureResourceTypes())
|
||||
.type(param.getType())
|
||||
.terminal(param.getTerminal())
|
||||
.featureIds(param.getFeatureIds())
|
||||
.type(param.getType())
|
||||
.featureIdPairs(param.getFeatureIdPairs())
|
||||
.build();
|
||||
Map<Long, List<SaasProductModuleFeatureRelation>> saasProductModuleFeatureRelations = productFeatureRelationService.queryOnCondition(productFeatureQuery).stream()
|
||||
.collect(Collectors.groupingBy(SaasProductModuleFeatureRelation::getProductModuleId));
|
||||
|
||||
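Review bot: The query is now built with two overlapping filter styles, `.featureIds(param.getFeatureIds())` plus `.type(param.getType())` and the new `.featureIdPairs(param.getFeatureIdPairs())`, and nothing in the hunk defines how `queryOnCondition` combines them when a caller sets both. Because the resulting feature relations feed authorization decisions (the callers visible elsewhere in this commit pass only `featureIdPairs`), an undefined AND/OR between the two would silently widen or narrow the matched feature set. Either state the contract on the builder, e.g. `// featureIds+type and featureIdPairs are alternative filters; queryOnCondition's handling when both are set is not defined here — verify before relying on it`, or make it explicit by rejecting a param that sets both with an `IllegalArgumentException` before the query is built. The enclosing method (presumably listWorkspaceProduct) starts and ends outside the hunk.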
@ -115,17 +115,6 @@
|
||||
<include refid="sql-queryForOUWorkspace"/>
|
||||
</select>
|
||||
|
||||
<select id="listRoleByFeatures" resultType="cn.axzo.tyr.server.repository.entity.SaasRole">
|
||||
SELECT DISTINCT r.id, r.`NAME`, r.product_unit_type AS productUnitType
|
||||
FROM saas_pgroup_permission_relation pg, saas_pgroup_role_relation rg, saas_role r
|
||||
WHERE pg.is_delete = 0 AND rg.is_delete = 0 AND r.is_delete = 0
|
||||
AND pg.group_id = rg.group_id AND rg.role_id = r.id
|
||||
AND pg.feature_id IN
|
||||
<foreach collection="featureIds" open="(" close=")" separator="," index="index" item="item">
|
||||
#{item, jdbcType=NUMERIC}
|
||||
</foreach>
|
||||
</select>
|
||||
|
||||
<select id="listFeatureByIds" resultType="cn.axzo.tyr.server.model.RoleFeatureRelation">
|
||||
SELECT rg.role_id AS roleId, pg.feature_id AS featureId
|
||||
FROM saas_pgroup_role_relation rg, saas_pgroup_permission_relation pg
|
||||
|
||||