新增权限中心某个资源的查看权限的接口

gcloud/iam_auth/api.py

@@ -18,6 +18,7 @@
 
 from django.views.decorators.http import require_POST
 from django.views.decorators.csrf import csrf_exempt
+from iam.shortcuts import allow_or_raise_auth_failed
 from rest_framework.decorators import api_view
 
 from iam import Subject, Action, Resource, Request, MultiActionRequest
@@ -26,6 +27,12 @@
 from gcloud.iam_auth import conf
 from gcloud.iam_auth import IAMMeta
 from gcloud.iam_auth import get_iam_client, get_iam_api_client
+from gcloud.iam_auth.res_factory import (
+    resources_for_flow,
+    resources_for_task,
+    resources_for_common_flow,
+    resources_list_for_mini_app,
+)
 from gcloud.shortcuts.http import standard_response
 from gcloud.openapi.schema import AnnotationAutoSchema
 
@@ -59,7 +66,6 @@ def apply_perms_url(request):
 @csrf_exempt
 @require_POST
 def is_allow(request):
-
     data = json.loads(request.body)
 
     action_id = data["action"]
@@ -79,6 +85,51 @@ def is_allow(request):
     return standard_response(True, "success", {"is_allow": is_allow})
 
 
+@csrf_exempt
+@require_POST
+def is_view_action_allow(request):
+    """
+    @param request:
+    @return:
+    """
+    action_map = {
+        IAMMeta.FLOW_RESOURCE: IAMMeta.FLOW_VIEW_ACTION,
+        IAMMeta.TASK_RESOURCE: IAMMeta.TASK_VIEW_ACTION,
+        IAMMeta.COMMON_FLOW_RESOURCE: IAMMeta.COMMON_FLOW_VIEW_ACTION,
+        IAMMeta.MINI_APP_RESOURCE: IAMMeta.MINI_APP_VIEW_ACTION,
+    }
+
+    resource_map = {
+        IAMMeta.FLOW_RESOURCE: resources_for_flow,
+        IAMMeta.TASK_RESOURCE: resources_for_task,
+        IAMMeta.COMMON_FLOW_RESOURCE: resources_for_common_flow,
+        IAMMeta.MINI_APP_RESOURCE: resources_list_for_mini_app,
+    }
+
+    data = json.loads(request.body)
+    resource_id = data["resource_id"]
+    resource_type = data["resource_type"]
+    subject = Subject("user", request.user.username)
+
+    try:
+        action = Action(action_map[resource_type])
+        resources = resource_map[resource_type](resource_id)
+    except Exception as e:
+        return standard_response(False, str(e))
+
+    iam = get_iam_client()
+
+    allow_or_raise_auth_failed(
+        iam=iam,
+        system=IAMMeta.SYSTEM_ID,
+        subject=subject,
+        action=action,
+        resources=resources,
+    )
+
+    return standard_response(True, "success", {"is_allow": is_allow})
+
+
 @swagger_auto_schema(methods=["GET"], auto_schema=AnnotationAutoSchema)
 @api_view(["GET"])
 def is_allow_common_flow_management(request):

gcloud/iam_auth/res_factory.py

@@ -22,6 +22,7 @@
 from gcloud.contrib.appmaker.models import AppMaker
 from gcloud.iam_auth import IAMMeta
 
+
 # flow
 
 
@@ -312,6 +313,22 @@ def resources_for_mini_app_obj(mini_app_obj):
     ]
 
 
+def resources_list_for_mini_app(mini_app_id):
+    min_app_obj = AppMaker.objects.get(id=mini_app_id).values("id", "creator", "name", "project_id")
+    return [
+        Resource(
+            IAMMeta.SYSTEM_ID,
+            IAMMeta.MINI_APP_RESOURCE,
+            str(min_app_obj.id),
+            {
+                "iam_resource_owner": min_app_obj.creator,
+                "_bk_iam_path_": "/project,{}/".format(min_app_obj.project_id),
+                "name": min_app_obj.name,
+            },
+        )
+    ]
+
+
 def resources_list_for_mini_apps(mini_app_id_list):
     qs = AppMaker.objects.filter(id__in=mini_app_id_list).values("id", "creator", "project_id")
 

gcloud/iam_auth/urls.py

@@ -19,5 +19,6 @@
     url(r"^meta/$", api.meta_info),
     url(r"^apply_perms_url/$", api.apply_perms_url),
     url(r"^is_allow/$", api.is_allow),
+    url(r"^is_view_action_allow/$", api.is_view_action_allow),
     url(r"^is_allow/common_flow_management/$", api.is_allow_common_flow_management),
 ]