
Merge pull request #2770 from bevis-canway/develop
feat:超管接口增加模板列表和用户组添加成员API #2409 #2738--最新
nannan00 authored Aug 22, 2024
2 parents 8077893 + 328a353 commit 02368a8
Showing 6 changed files with 222 additions and 10 deletions.
2 changes: 2 additions & 0 deletions saas/backend/api/admin/constants.py
Expand Up @@ -25,11 +25,13 @@ class AdminAPIEnum(BaseAPIEnum):

# 用户组成员
GROUP_MEMBER_LIST = auto()
GROUP_MEMBER_ADD = auto()

# 用户组权限
GROUP_POLICY_GRANT = auto()

# 模板
TEMPLATE_LIST = auto()
TEMPLATE_CREATE = auto()

# Subject
16 changes: 14 additions & 2 deletions saas/backend/api/admin/serializers.py
Expand Up @@ -12,10 +12,10 @@

from backend.api.management.v2.serializers import ManagementGradeManagerGroupCreateSLZ
from backend.apps.group.models import Group
from backend.apps.group.serializers import GroupAuthorizationSLZ
from backend.apps.group.serializers import GroupAddMemberSLZ, GroupAuthorizationSLZ
from backend.apps.role.models import Role
from backend.apps.role.serializers import BaseGradeMangerSLZ
from backend.apps.template.serializers import TemplateCreateSLZ, TemplateIdSLZ
from backend.apps.template.serializers import TemplateCreateSLZ, TemplateIdSLZ, TemplateListSchemaSLZ, TemplateListSLZ
from backend.service.constants import GroupMemberType, RoleType


Expand All @@ -36,6 +36,10 @@ class AdminGroupMemberSLZ(serializers.Serializer):
expired_at = serializers.IntegerField(label="过期时间戳(单位秒)")


class AdminGroupAddMemberSLZ(GroupAddMemberSLZ):
pass


class AdminSubjectGroupSLZ(serializers.Serializer):
id = serializers.CharField(label="用户组id")
name = serializers.CharField(label="用户组名称")
Expand Down Expand Up @@ -91,6 +95,14 @@ class FreezeSubjectResponseSLZ(serializers.Serializer):
id = serializers.CharField(label="SubjectID")


class AdminTemplateListSchemaSLZ(TemplateListSchemaSLZ):
pass


class AdminTemplateListSLZ(TemplateListSLZ):
pass


class AdminTemplateCreateSLZ(TemplateCreateSLZ):
pass

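Review bot: The new pass-through subclasses `AdminGroupAddMemberSLZ`, `AdminTemplateListSchemaSLZ` and `AdminTemplateListSLZ` carry no docstring, so a reader cannot tell whether they are deliberate extension points for the admin API or exist only so the admin endpoints have their own serializer names; the pre-existing `AdminTemplateCreateSLZ` has the same gap. A one-line docstring on each would settle it, e.g. `"""Admin-API counterpart of GroupAddMemberSLZ; kept as a subclass so the admin schema can diverge without touching the SaaS serializer."""`, adjusted if the intent is different. Since these serializers validate the body of an endpoint that adds members to a group, it is also worth stating in the docstring that no field is relaxed relative to the parent.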
8 changes: 6 additions & 2 deletions saas/backend/api/admin/urls.py
Expand Up @@ -24,7 +24,7 @@
# 用户组成员
path(
"groups/<int:id>/members/",
views.AdminGroupMemberViewSet.as_view({"get": "list"}),
views.AdminGroupMemberViewSet.as_view({"get": "list", "post": "create"}),
name="open.admin.group_member",
),
# 用户组授权
Expand All @@ -34,7 +34,11 @@
name="open.admin.group_policy",
),
# 模板
path("templates/", views.AdminTemplateViewSet.as_view({"post": "create"}), name="open.admin.template"),
path(
"templates/",
views.AdminTemplateViewSet.as_view({"get": "list", "post": "create"}),
name="open.admin.template",
),
# Subject
path(
"subjects/<str:subject_type>/<str:subject_id>/groups/",
50 changes: 48 additions & 2 deletions saas/backend/api/admin/views/group.py
Expand Up @@ -20,14 +20,19 @@
from backend.api.admin.filters import GroupFilter
from backend.api.admin.permissions import AdminAPIPermission
from backend.api.admin.serializers import (
AdminGroupAddMemberSLZ,
AdminGroupAuthorizationSLZ,
AdminGroupBasicSLZ,
AdminGroupCreateSLZ,
AdminGroupMemberSLZ,
)
from backend.api.authentication import ESBAuthentication
from backend.api.management.v2.views import ManagementGroupViewSet
from backend.apps.group.audit import GroupCreateAuditProvider, GroupTemplateCreateAuditProvider
from backend.apps.group.audit import (
GroupCreateAuditProvider,
GroupMemberCreateAuditProvider,
GroupTemplateCreateAuditProvider,
)
from backend.apps.group.constants import OperateEnum
from backend.apps.group.models import Group
from backend.apps.group.views import check_readonly_group
Expand All @@ -36,9 +41,11 @@
from backend.audit.constants import AuditSourceType
from backend.biz.group import GroupBiz, GroupCheckBiz, GroupCreationBean
from backend.biz.role import RoleBiz
from backend.biz.utils import remove_not_exist_subject
from backend.common.lock import gen_group_upsert_lock
from backend.common.pagination import CompatiblePagination
from backend.service.constants import GroupSaaSAttributeEnum, RoleType
from backend.service.models import Subject
from backend.trans.group import GroupTrans


Expand Down Expand Up @@ -130,13 +137,17 @@ class AdminGroupMemberViewSet(GenericViewSet):
authentication_classes = [ESBAuthentication]
permission_classes = [AdminAPIPermission]

admin_api_permission = {"list": AdminAPIEnum.GROUP_MEMBER_LIST.value}
admin_api_permission = {
"list": AdminAPIEnum.GROUP_MEMBER_LIST.value,
"create": AdminAPIEnum.GROUP_MEMBER_ADD.value,
}

queryset = Group.objects.all()
lookup_field = "id"
pagination_class = CompatiblePagination

biz = GroupBiz()
group_check_biz = GroupCheckBiz()

@swagger_auto_schema(
operation_description="用户组成员列表",
Expand All @@ -153,6 +164,41 @@ def list(self, request, *args, **kwargs):
results = [one.dict(include={"type", "id", "name", "expired_at"}) for one in group_members]
return Response({"count": count, "results": results})

@swagger_auto_schema(
operation_description="用户组添加成员",
request_body=AdminGroupAddMemberSLZ(label="用户组成员"),
responses={status.HTTP_200_OK: serializers.Serializer()},
tags=["admin.group.member"],
)
@view_audit_decorator(GroupMemberCreateAuditProvider)
def create(self, request, *args, **kwargs):
group = self.get_object()

serializer = AdminGroupAddMemberSLZ(data=request.data)
serializer.is_valid(raise_exception=True)
data = serializer.validated_data

members_data = data["members"]
expired_at = data["expired_at"]
# 成员Dict结构转换为Subject结构,并去重
members = list(set(parse_obj_as(List[Subject], members_data)))

# 检测成员是否满足管理的授权范围
role = Role.objects.get(type=RoleType.SUPER_MANAGER.value)
self.group_check_biz.check_role_subject_scope(role, members)
self.group_check_biz.check_member_count(group.id, len(members))

# 排除组织架构中不存在的成员
members = remove_not_exist_subject(members)
if members:
# 添加成员
self.biz.add_members(group.id, members, expired_at)

# 写入审计上下文
audit_context_setter(group=group, members=[m.dict() for m in members])

return Response({})


class AdminGroupPolicyViewSet(GenericViewSet):
"""用户组授权"""
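Review bot: The new `create` adds members to whichever group `get_object()` resolves, with no guard against read-only groups, even though `check_readonly_group` and `OperateEnum` are already imported in this file (context lines at the top of the first hunk) and, as far as I know, the SaaS member-add view applies `check_readonly_group` as a decorator; if admin member adds are meant to honour the same rule, decorate `create` with `check_readonly_group(operation=<member-create operation from OperateEnum>)` above `view_audit_decorator`, otherwise document in a comment why super-manager adds are exempt. `check_member_count(group.id, len(members))` runs on the deduplicated list before `remove_not_exist_subject` prunes it, so it counts subjects that will never be added; harmless but worth a comment such as `# count check is deliberately conservative: runs before non-existent subjects are pruned`. `parse_obj_as` and `List` are used on the `members = ...` line but neither import is visible in the hunk, so confirm both are already imported at the top of the file. The enclosing class `AdminGroupMemberViewSet` starts above the hunk.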
54 changes: 50 additions & 4 deletions saas/backend/api/admin/views/template.py
@@ -1,32 +1,78 @@
# -*- coding: utf-8 -*-
"""
TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at http://opensource.org/licenses/MIT
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""
from drf_yasg.utils import swagger_auto_schema
from rest_framework import status
from rest_framework.response import Response
from rest_framework.viewsets import GenericViewSet

from backend.api.admin.constants import AdminAPIEnum
from backend.api.admin.permissions import AdminAPIPermission
from backend.api.admin.serializers import AdminTemplateCreateSLZ, AdminTemplateIdSLZ
from backend.api.admin.serializers import (
AdminTemplateCreateSLZ,
AdminTemplateIdSLZ,
AdminTemplateListSchemaSLZ,
AdminTemplateListSLZ,
)
from backend.api.authentication import ESBAuthentication
from backend.apps.role.models import Role
from backend.apps.template.audit import TemplateCreateAuditProvider
from backend.apps.template.views import TemplateQueryMixin
from backend.audit.audit import audit_context_setter, view_audit_decorator
from backend.biz.role import RoleAuthorizationScopeChecker
from backend.biz.role import RoleAuthorizationScopeChecker, RoleListQuery
from backend.biz.template import TemplateBiz, TemplateCheckBiz, TemplateCreateBean
from backend.common.lock import gen_template_upsert_lock
from backend.service.constants import RoleType


class AdminTemplateViewSet(GenericViewSet):
class AdminTemplateViewSet(TemplateQueryMixin, GenericViewSet):
"""模板"""

authentication_classes = [ESBAuthentication]
permission_classes = [AdminAPIPermission]

admin_api_permission = {"create": AdminAPIEnum.TEMPLATE_CREATE.value}
admin_api_permission = {
"list": AdminAPIEnum.TEMPLATE_LIST.value,
"create": AdminAPIEnum.TEMPLATE_CREATE.value,
}

template_biz = TemplateBiz()
template_check_biz = TemplateCheckBiz()

@swagger_auto_schema(
operation_description="模板列表",
responses={status.HTTP_200_OK: AdminTemplateListSchemaSLZ(label="模板", many=True)},
tags=["admin.template"],
)
def list(self, request, *args, **kwargs):
role = Role.objects.get(type=RoleType.SUPER_MANAGER.value)
queryset = RoleListQuery(role, request.user).query_template()

# 查询 role 的 system-actions set
role_system_actions = RoleListQuery(role).get_scope_system_actions()

# 强制分页
paginator = self.pagination_class()
page = paginator.paginate_queryset(queryset, request, view=self)

if page is None:
return Response(
{
"detail": "Pagination is required, but no valid page parameters were provided."},
status=status.HTTP_400_BAD_REQUEST
)

serializer = AdminTemplateListSLZ(page, many=True,
role_system_actions=role_system_actions)
return paginator.get_paginated_response(serializer.data)

@swagger_auto_schema(
operation_description="创建模板",
request_body=AdminTemplateCreateSLZ(label="模板"),
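Review bot: `list` calls `self.pagination_class()` but the visible class body never sets `pagination_class` (the `AdminGroupMemberViewSet` hunk in this same commit sets `CompatiblePagination` explicitly), so the method depends on `TemplateQueryMixin` or the DRF default supplying one; if that default is `None` the call raises a `TypeError` before the intended 400 response is ever reached, so either set `pagination_class` on the class or assert it is configured. `RoleListQuery` is constructed twice for the same role, once with `request.user` and once without; a single instance reused for both `query_template()` and `get_scope_system_actions()` would be clearer, assuming the `user` argument does not affect the scope result (I cannot confirm that from the hunk). The `Response(...)` block under `if page is None` and the `AdminTemplateListSLZ(...)` call are not formatted like the rest of the file (missing trailing commas, mid-argument line breaks); running the project formatter would fix both. The class body continues past the end of the hunk.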
102 changes: 102 additions & 0 deletions saas/resources/apigateway/bk_apigw_resources_bk-iam.yaml
Expand Up @@ -3233,6 +3233,58 @@ paths:
disabledStages: [ ]
descriptionEn:
/api/v1/open/admin/groups/{id}/policies/:
post:
operationId: admin_groups_policies_grant
description: 超管授权用户组
tags:
- open
responses:
default:
description: ''
x-bk-apigateway-resource:
isPublic: true
allowApplyPermission: true
matchSubpath: false
backend:
type: HTTP
method: post
path: /api/v1/open/admin/groups/{id}/policies/
matchSubpath: false
timeout: 0
upstreams: { }
transformHeaders: { }
authConfig:
userVerifiedRequired: false
resourcePermissionRequired: false
disabledStages: [ ]
descriptionEn:
/api/v1/open/admin/groups/{id}/members/:
post:
operationId: admin_add_group_members
description: 超管用户组添加成员
tags:
- open
- v2
responses:
default:
description: ''
x-bk-apigateway-resource:
isPublic: true
allowApplyPermission: true
matchSubpath: false
backend:
type: HTTP
method: post
path: /api/v1/open/admin/groups/{id}/members/
matchSubpath: false
timeout: 0
upstreams: {}
transformHeaders: {}
authConfig:
userVerifiedRequired: false
resourcePermissionRequired: false
disabledStages: []
descriptionEn:
post:
operationId: admin_groups_policies_grant
description: 超管授权用户组
Expand Down Expand Up @@ -3394,3 +3446,53 @@ paths:
resourcePermissionRequired: false
disabledStages: [ ]
descriptionEn:
get:
operationId: admin_list_templates
description: 超管获取模板列表
tags:
- open
responses:
default:
description: ''
x-bk-apigateway-resource:
isPublic: true
allowApplyPermission: true
matchSubpath: false
backend:
type: HTTP
method: get
path: /api/v1/open/admin/templates/
matchSubpath: false
timeout: 0
upstreams: { }
transformHeaders: { }
authConfig:
userVerifiedRequired: false
resourcePermissionRequired: false
disabledStages: [ ]
descriptionEn:
post:
operationId: admin_create_templates
description: 超管创建模板
tags:
- open
responses:
default:
description: ''
x-bk-apigateway-resource:
isPublic: true
allowApplyPermission: true
matchSubpath: false
backend:
type: HTTP
method: post
path: /api/v1/open/admin/templates/
matchSubpath: false
timeout: 0
upstreams: { }
transformHeaders: { }
authConfig:
userVerifiedRequired: false
resourcePermissionRequired: false
disabledStages: [ ]
descriptionEn:
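Review bot: In the first hunk the inserted lines sit between the `/api/v1/open/admin/groups/{id}/policies/:` key and its original `post:` block (the trailing context lines still carry `operationId: admin_groups_policies_grant`), and the insert itself opens with a second copy of that `post:` block before the new `/members/` resource, so the original policies `post:` now follows the `/members/` resource's own `post:` at what appears to be the same level. That is a duplicate mapping key: YAML loaders that tolerate duplicates keep the last one, in which case the gateway would register `/groups/{id}/members/` against the policies-grant backend and silently drop `admin_add_group_members`, while strict loaders reject the file. Indentation is lost in this rendering, so please verify against the raw file, but the expected fix is to delete the copied `admin_groups_policies_grant` block so `/policies/` keeps its single `post:` and `/members/` gets only the new one. The second hunk appends `get: admin_list_templates` and `post: admin_create_templates` after the tail of whatever resource ends at line 3446; if that resource is already the `/templates/` `post:`, the same duplicate-`post:` problem applies there.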
