From 208871b068c593fedbe4c8fb47d9bb36282c8d30 Mon Sep 17 00:00:00 2001 From: owen Date: Fri, 2 Aug 2024 20:11:32 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E4=BC=98=E5=8C=96=E8=AE=BF=E9=97=AE?= =?UTF-8?q?=E9=99=90=E5=88=B6=20#2421?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: 优化访问限制 #2421 * feat: 优化访问限制 #2421 * feat:Generic 和 DDC 仓库支持按照目录管理权限 #2416 * feat: 优化访问限制 #2421 * feat:Generic 和 DDC 仓库支持按照目录管理权限 #2416 * feat: 优化访问限制 #2421 * feat:Generic 和 DDC 仓库支持按照目录管理权限 #2416 * feat:Generic 和 DDC 仓库支持按照目录管理权限 #2416 * feat:Generic 和 DDC 仓库支持按照目录管理权限 #2416 * feat:Generic 和 DDC 仓库支持按照目录管理权限 #2416 * feat: 优化访问限制 #2421 * feat: 增加发行模式 #2421 * feat:补充误删样式 #2416 * feat: 优化访问限制 #2421 * feat: 优化访问限制 #2421 --------- Co-authored-by: lannoy0523 <935275025@qq.com> --- docs/install/env.md | 2 +- .../controller/user/RepoModeController.kt | 2 +- .../bkrepo/auth/dao/RepoAuthConfigDao.kt | 5 +- .../bkrepo/auth/model/TRepoAuthConfig.kt | 6 +- .../pojo/authconfig/RepoAuthStatusRequest.kt | 5 +- .../auth/pojo/enums/AccessControlMode.kt | 41 ++++ .../auth/pojo/permission/RepoModeStatus.kt | 5 +- .../bkrepo/auth/service/RepoModeService.kt | 5 +- .../bkdevops/DevopsPermissionServiceImpl.kt | 11 +- .../auth/service/impl/RepoModeServiceImpl.kt | 47 ++-- .../service/local/PermissionServiceImpl.kt | 9 +- .../views/repoConfig/controlConfig/index.vue | 211 ++++++++++-------- .../src/views/repoConfig/index.vue | 115 +++------- .../permissionConfig/permissionConfig.vue | 1 - .../src/views/repoList/createRepoDialog.vue | 98 ++++++-- src/frontend/locale/repository/en-US.json | 16 +- src/frontend/locale/repository/zh-CN.json | 18 +- .../bkrepo/templates/gateway/deployment.yaml | 2 + .../kubernetes/charts/bkrepo/values.yaml | 2 + 19 files changed, 370 insertions(+), 231 deletions(-) create mode 100644 src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/AccessControlMode.kt 
diff --git a/docs/install/env.md b/docs/install/env.md index 6f64f1db66..4787fb757a 100644 --- a/docs/install/env.md +++ b/docs/install/env.md @@ -29,7 +29,7 @@ | BK_REPO_GATEWAY_DNS_ADDR | 网关dns解析服务地址 | 127.0.0.1:53 | | BK_REPO_SERVICE_PREFIX | bkrepo微服务前缀 | bkrepo- | | BK_REPO_DEPLOY_MODE | bkrepo部署模式 | standalone / ci | - +| BK_REPO_RELEASE_MODE | bkrepo发行模式 | devx / community | ## consul配置项 | 配置项 | 说明 | 示例 | diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt index 8a7a3c386b..b6462b6f04 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt @@ -65,7 +65,7 @@ class RepoModeController( ): Response { with(request) { preCheckProjectAdmin(projectId) - repoModeService.createOrUpdateConfig(projectId, repoName, controlEnable, officeDenyGroupSet) + repoModeService.createOrUpdateConfig(projectId, repoName, accessControlMode, officeDenyGroupSet) return ResponseBuilder.success( repoModeService.getAccessControlStatus(projectId, repoName) ) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt index 829210e1b8..2b2316c0ec 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt 
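Review bot: The result of `repoModeService.createOrUpdateConfig(...)` is discarded in this handler, although the same commit changes the service to return `RepoModeStatus?`, with null when the repository is missing or public. In those cases nothing is stored, yet the caller still receives `ResponseBuilder.success(...)` with whatever `getAccessControlStatus` reports, so a project admin can believe a restrictive mode was applied when it was not. Check the return value and answer with an error when it is null, using the error type this controller already uses for rejected requests. The handler's signature and annotations lie outside the hunk.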
@@ -29,6 +29,7 @@ package com.tencent.bkrepo.auth.dao import com.tencent.bkrepo.auth.model.TRepoAuthConfig +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode import com.tencent.bkrepo.common.mongo.dao.simple.SimpleMongoDao import com.tencent.bkrepo.common.security.util.SecurityUtils import org.springframework.data.mongodb.core.FindAndModifyOptions @@ -52,7 +53,7 @@ class RepoAuthConfigDao : SimpleMongoDao() { fun upsertProjectRepo( projectId: String, repoName: String, - status: Boolean, + accessControlMode: AccessControlMode, officeDenyGroupSet: Set ): String { val query = Query.query( @@ -60,7 +61,7 @@ class RepoAuthConfigDao : SimpleMongoDao() { .and(TRepoAuthConfig::repoName.name).`is`(repoName) ) val options = FindAndModifyOptions().returnNew(true).upsert(true) - val update = Update().set(TRepoAuthConfig::accessControl.name, status) + val update = Update().set(TRepoAuthConfig::accessControlMode.name, accessControlMode) .set(TRepoAuthConfig::officeDenyGroupSet.name, officeDenyGroupSet) .set(TRepoAuthConfig::lastModifiedBy.name, SecurityUtils.getUserId()) .set(TRepoAuthConfig::lastModifiedDate.name, LocalDateTime.now()) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt index a53545175a..1c6bb21b52 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt @@ -31,6 +31,7 @@ package com.tencent.bkrepo.auth.model +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode import org.springframework.data.mongodb.core.index.CompoundIndex import org.springframework.data.mongodb.core.index.CompoundIndexes import org.springframework.data.mongodb.core.mapping.Document 
@@ -39,13 +40,14 @@ import java.time.LocalDateTime @Document("repo_auth_mode") @CompoundIndexes( CompoundIndex(name = "repo_idx", def = "{'projectId': 1, 'repoName': 1}", background = true, unique = true), - CompoundIndex(name = "access_ctrl_idx", def = "{'accessControl': 1}", background = true) + CompoundIndex(name = "access_ctrl_idx", def = "{'accessControlMode': 1}", background = true) ) data class TRepoAuthConfig( var id: String? = null, var projectId: String, var repoName: String, - var accessControl: Boolean, + var accessControl: Boolean?, + var accessControlMode: AccessControlMode?, var officeDenyGroupSet: Set?, var lastModifiedBy: String, val lastModifiedDate: LocalDateTime diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt index 3236650327..0d42f04689 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt @@ -31,11 +31,12 @@ package com.tencent.bkrepo.auth.pojo.authconfig +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode + data class RepoAuthStatusRequest( val projectId: String, val repoName: String, - val status: Boolean = false, - val controlEnable: Boolean = false, + val accessControlMode: AccessControlMode?, val officeDenyGroupSet: Set = emptySet() ) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/AccessControlMode.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/AccessControlMode.kt new file mode 100644 index 0000000000..b14027c2a4 --- /dev/null +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/AccessControlMode.kt 
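Review bot: `access_ctrl_idx` keeps its name while its key changes from `accessControl` to `accessControlMode`; MongoDB refuses to create an index whose name is already used by an index with a different key, so on a collection that already holds the old index the new one will presumably not be built, and startup may fail if index-creation errors are fatal in this deployment. Give the new index its own name, for example `CompoundIndex(name = "access_ctrl_mode_idx", def = "{'accessControlMode': 1}", background = true)`, and drop the old index in a migration. Because `accessControl` and `accessControlMode` are now both nullable, the class should also carry a comment saying that `accessControl` is the legacy flag and is consulted only when `accessControlMode` is null.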
@@ -0,0 +1,41 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package com.tencent.bkrepo.auth.pojo.enums + +enum class AccessControlMode { + // 严格模式 + STRICT, + // 任意下载 + DEFAULT, + // 目录控制 + DIR_CTRL +} diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt index 341d722f8b..8f970b8e2a 100644 
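Review bot: The three constants are documented only by short Chinese labels, and nothing in the enum says which authorization checks each mode switches on, although the mode now decides the outcome of `checkRepoAccessControl` and `needNodeCheck` in PermissionServiceImpl. Add an English KDoc per constant, e.g. `/** Strict mode: checkRepoAccessControl returns true for the repository. */` on `STRICT`, `/** Default mode: needNodeCheck returns false, so directory permissions are not evaluated. */` on `DEFAULT`, and `/** Directory control: directory (NODE) permissions are evaluated when any are defined. */` on `DIR_CTRL`. Stating on `DEFAULT` that it is the least restrictive mode would also help, because it is the value substituted when a request carries no mode.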
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt @@ -1,8 +1,9 @@ package com.tencent.bkrepo.auth.pojo.permission +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode + data class RepoModeStatus( val id: String, - val status: Boolean = false, - val controlEnable: Boolean =false, + val accessControlMode: AccessControlMode?, val officeDenyGroupSet: Set = emptySet() ) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt index caf09d5cf8..7d36e6933c 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt @@ -33,6 +33,7 @@ package com.tencent.bkrepo.auth.service +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus interface RepoModeService { @@ -40,9 +41,9 @@ interface RepoModeService { fun createOrUpdateConfig( projectId: String, repoName: String, - controlEnable: Boolean, + accessControlMode: AccessControlMode?, officeDenyGroupSet: Set - ): RepoModeStatus + ): RepoModeStatus? fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt index 6592e86f50..a77423d0dd 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt 
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt @@ -122,10 +122,13 @@ class DevopsPermissionServiceImpl constructor( return allProjectList.distinct() } + override fun listPermissionPath(userId: String, projectId: String, repoName: String): List? { + if (isDevopsProjectAdmin(userId, projectId)) return null + return super.listPermissionPath(userId, projectId, repoName) + } + override fun listNoPermissionPath(userId: String, projectId: String, repoName: String): List { - if (isDevopsProjectAdmin(userId, projectId)) { - return emptyList() - } + if (isDevopsProjectAdmin(userId, projectId)) return emptyList() return super.listNoPermissionPath(userId, projectId, repoName) } @@ -258,7 +261,7 @@ class DevopsPermissionServiceImpl constructor( } private fun needCheckPathPermission(resourceType: String, projectId: String, repoName: String): Boolean { - return devopsAuthConfig.enablePathCheck && resourceType == NODE.name && needNodeCheck(projectId, repoName) + return resourceType == NODE.name && needNodeCheck(projectId, repoName) } private fun checkDevopsPipelinePermission(context: CheckPermissionContext): Boolean { diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt index c8ad92e94f..e8e4239c63 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt 
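Review bot: The new `listPermissionPath` override returns `null` for a project admin while the neighbouring `listNoPermissionPath` returns `emptyList()`, and the meaning of that null is not documented anywhere in the hunk. It presumably stands for "no path restriction", which is the opposite of an empty list of permitted paths, so a caller that normalises null to an empty list would deny an admin everything, and one that skips filtering on an empty list would do the reverse for ordinary users. Add a KDoc on the override such as `/** Returns null when the user is a project admin: no path restriction applies. Callers must not treat null as an empty list. */`. The base implementation it delegates to is outside the hunk.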
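Review bot: `needCheckPathPermission` no longer consults `devopsAuthConfig.enablePathCheck`, so whether node paths are checked now depends only on the per-repository result of `needNodeCheck`. If the property is still defined in `devopsAuthConfig` and in deployment documentation, it becomes a dead setting, and installations that relied on it to switch path checks on or off will change behaviour on upgrade without any signal. Remove the property together with this change or record the new behaviour next to it, for example `// enablePathCheck is no longer read here; path checks follow the repository's AccessControlMode`.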
@@ -31,44 +31,61 @@ package com.tencent.bkrepo.auth.service.impl +import com.tencent.bkrepo.auth.dao.PermissionDao import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode +import com.tencent.bkrepo.auth.pojo.enums.ResourceType import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus import com.tencent.bkrepo.auth.service.RepoModeService +import com.tencent.bkrepo.repository.api.RepositoryClient import org.springframework.stereotype.Service @Service class RepoModeServiceImpl( - private val repoAuthConfigDao: RepoAuthConfigDao + private val repoAuthConfigDao: RepoAuthConfigDao, + private val permissionDao: PermissionDao, + private val repoClient: RepositoryClient, ) : RepoModeService { override fun createOrUpdateConfig( projectId: String, repoName: String, - controlEnable: Boolean, + accessControlMode: AccessControlMode?, officeDenyGroupSet: Set - ): RepoModeStatus { - val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlEnable, officeDenyGroupSet) - return RepoModeStatus(id, controlEnable, controlEnable, officeDenyGroupSet) + ): RepoModeStatus? 
{ + val repoDetail = repoClient.getRepoDetail(projectId, repoName).data ?: return null + if (repoDetail.public) return null + var controlMode = accessControlMode + if (accessControlMode == null) { + controlMode = AccessControlMode.DEFAULT + } + + val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlMode!!, officeDenyGroupSet) + return RepoModeStatus(id, accessControlMode, officeDenyGroupSet) } override fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus { + var controlMode = AccessControlMode.DEFAULT + var officeDenyGroupSet = emptySet() + if (permissionDao.listByResourceAndRepo(ResourceType.NODE.name, projectId, repoName).isNotEmpty()) { + controlMode = AccessControlMode.DIR_CTRL + } val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) if (result != null) { - var officeDenyGroupSet = emptySet() if (result.officeDenyGroupSet != null) { officeDenyGroupSet = result.officeDenyGroupSet!! } - return RepoModeStatus( - id = result.id!!, - status = result.accessControl, - controlEnable = result.accessControl, - officeDenyGroupSet = officeDenyGroupSet - ) + if (result.accessControlMode != null) { + controlMode = result.accessControlMode!! + } + // 老的数据, 严格模式直接切换 + if (result.accessControl != null && result.accessControl!! && result.accessControlMode == null) { + controlMode = AccessControlMode.STRICT + } } - val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, false, emptySet()) - return RepoModeStatus(id = id) + val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlMode, officeDenyGroupSet) + return RepoModeStatus(id = id, accessControlMode = controlMode, officeDenyGroupSet = officeDenyGroupSet) } - } \ No newline at end of file 
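Review bot: In `createOrUpdateConfig` a request without `accessControlMode` is stored as `AccessControlMode.DEFAULT`, which overwrites a repository that was in `STRICT` or `DIR_CTRL`; `RepoAuthStatusRequest` no longer has `controlEnable`, so a client that still sends the old field may hit exactly this path, depending on how the request is deserialized. The returned `RepoModeStatus` also carries the original `accessControlMode` (null) rather than the value that was written. Keep the current mode when none is supplied and return what was stored: `val controlMode = accessControlMode ?: getAccessControlStatus(projectId, repoName).accessControlMode ?: AccessControlMode.DEFAULT` and `return RepoModeStatus(id, controlMode, officeDenyGroupSet)`, which also removes the `!!`. Separately, `getAccessControlStatus` now upserts on every call, so a plain read rewrites `lastModifiedBy` and `lastModifiedDate` with the reader's identity; write only when the derived mode differs from the stored one.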
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt index 112802376d..556e7e85fc 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt @@ -52,6 +52,8 @@ import com.tencent.bkrepo.auth.helper.PermissionHelper import com.tencent.bkrepo.auth.helper.UserHelper import com.tencent.bkrepo.auth.model.TPersonalPath import com.tencent.bkrepo.auth.model.TUser +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode.DEFAULT +import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode.STRICT import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.WRITE import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.DELETE import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.MANAGE @@ -452,17 +454,18 @@ open class PermissionServiceImpl constructor( fun needNodeCheck(projectId: String, repoName: String): Boolean { val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName) - return projectPermission.isNotEmpty() + val repoCheckConfig = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false + return projectPermission.isNotEmpty() && repoCheckConfig.accessControlMode != DEFAULT } override fun checkRepoAccessControl(projectId: String, repoName: String): Boolean { val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false - return result.accessControl + return result.accessControlMode != null && result.accessControlMode == STRICT } /** * 校验是否在访问控制组 - * true , 代码需要拦截 + * true,代码需要拦截 */ fun checkRepoAccessDenyGroup( userId: String, 
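Review bot: Both rewritten checks in the second hunk fail open for data written before this commit. `checkRepoAccessControl` now returns true only when `accessControlMode == STRICT`, so a legacy record with `accessControl = true` and no mode stops being treated as strict until something rewrites it (the only migration visible in this commit is the lazy one in `getAccessControlStatus`), and `needNodeCheck` returns false when no config record exists, where the removed line enforced path checks whenever NODE permissions were defined. Fall back to the legacy flag when the mode is null, and treat a missing record as requiring the check when NODE permissions exist, as in the fence below. The `result.accessControlMode != null &&` test is redundant either way.

```kotlin
fun needNodeCheck(projectId: String, repoName: String): Boolean {
    val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
    if (projectPermission.isEmpty()) return false
    // A missing config record must not switch off path checks that were enforced before.
    val repoCheckConfig = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return true
    return repoCheckConfig.accessControlMode != DEFAULT
}

override fun checkRepoAccessControl(projectId: String, repoName: String): Boolean {
    val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false
    // Legacy records carry only the boolean flag until they are rewritten with a mode.
    return result.accessControlMode?.let { it == STRICT } ?: (result.accessControl == true)
}
```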
diff --git a/src/frontend/devops-repository/src/views/repoConfig/controlConfig/index.vue b/src/frontend/devops-repository/src/views/repoConfig/controlConfig/index.vue index acf2060553..e1e77dea78 100644 --- a/src/frontend/devops-repository/src/views/repoConfig/controlConfig/index.vue +++ b/src/frontend/devops-repository/src/views/repoConfig/controlConfig/index.vue @@ -1,14 +1,14 @@