TencentBlueKing · owenlxu · Jan 2, 2024 · Dec 26, 2023 · Dec 26, 2023 · Dec 27, 2023
@@ -33,6 +33,7 @@ package com.tencent.bkrepo.auth.api
 
 import com.tencent.bkrepo.auth.constant.AUTH_SERVICE_PERMISSION_PREFIX
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
+import com.tencent.bkrepo.auth.pojo.permission.ListPathResult
 import com.tencent.bkrepo.common.api.constant.AUTH_SERVICE_NAME
 import com.tencent.bkrepo.common.api.pojo.Response
 import io.swagger.annotations.Api
@@ -70,6 +71,17 @@ interface ServicePermissionClient {
         @RequestParam userId: String
     ): Response<List<String>>
 
+    @ApiOperation("list有权限路径")
+    @GetMapping("/path/list")
+    fun listPermissionPath(
+        @ApiParam(value = "用户ID")
+        @RequestParam userId: String,
+        @ApiParam(value = "项目ID")
+        @RequestParam projectId: String,
+        @ApiParam(value = "仓库名称")
+        @RequestParam repoName: String
+    ): Response<ListPathResult>
+
     @ApiOperation("校验权限")
     @PostMapping("/check")
     fun checkPermission(

@@ -0,0 +1,42 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.auth.pojo.permission
+
+import io.swagger.annotations.ApiModel
+import com.tencent.bkrepo.common.query.enums.OperationType
+
+@ApiModel("校验权限请求")
+data class ListPathResult(
+    // when true, need to compare
+    val status: Boolean,
+    val path: Map<OperationType, List<String>>,
+)
@@ -34,8 +34,10 @@ package com.tencent.bkrepo.auth.controller.service
 import com.tencent.bkrepo.auth.api.ServicePermissionClient
 import com.tencent.bkrepo.auth.controller.OpenResource
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
+import com.tencent.bkrepo.auth.pojo.permission.ListPathResult
 import com.tencent.bkrepo.auth.service.PermissionService
 import com.tencent.bkrepo.common.api.pojo.Response
+import com.tencent.bkrepo.common.query.enums.OperationType
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.web.bind.annotation.RestController
@@ -45,6 +47,14 @@ class ServicePermissionController @Autowired constructor(
     private val permissionService: PermissionService
 ) : ServicePermissionClient, OpenResource(permissionService) {
 
+    override fun listPermissionPath(userId: String, projectId: String, repoName: String): Response<ListPathResult> {
+        val permissionPath = permissionService.listPermissionPath(userId, projectId, repoName)
+        val status = permissionPath.isNotEmpty()
+        val result = ListPathResult(status = status, path = mapOf(OperationType.NIN to permissionPath))
+        return ResponseBuilder.success(result)
+    }
+
+
     override fun checkPermission(request: CheckPermissionRequest): Response<Boolean> {
         checkRequest(request)
         return ResponseBuilder.success(permissionService.checkPermission(request))

@@ -62,6 +62,8 @@ interface PermissionRepository : MongoRepository<TPermission, String> {
         resourceType: ResourceType
     ): TPermission?
 
+
+
     fun findByUsers(userId: String): List<TPermission>
 
     fun findByProjectIdAndUsers(projectId: String, userId: String): List<TPermission>

@@ -64,6 +64,11 @@ interface PermissionService {
      */
     fun listPermissionProject(userId: String): List<String>
 
+    /**
+     * 获取有权限路径列表
+     */
+    fun listPermissionPath(userId: String, projectId: String, repoName: String): List<String>
+
     fun createPermission(request: CreatePermissionRequest): Boolean
 
     fun listPermission(projectId: String, repoName: String?): List<Permission>

@@ -83,7 +83,7 @@ class DevopsPermissionServiceImpl constructor(
         }
 
         // devops 体系
-        if (checkDevopsProjectPermission(userId, projectId, PermissionAction.READ.toString())) {
+        if (checkDevopsProjectPermission(userId, projectId, PermissionAction.READ.name)) {
             return getAllRepoByProjectId(projectId)
         }
         return super.listPermissionRepo(projectId, userId, appId)
@@ -113,6 +113,13 @@ class DevopsPermissionServiceImpl constructor(
         return allProjectList.distinct()
     }
 
+    override fun listPermissionPath(userId: String, projectId: String, repoName: String): List<String> {
+        if (checkDevopsProjectPermission(userId, projectId, PermissionAction.MANAGE.name)) {
+            return emptyList()
+        }
+        return super.listPermissionPath(userId, projectId, repoName)
+    }
+
     private fun parsePipelineId(path: String): String? {
         val roads = PathUtils.normalizeFullPath(path).split("/")
         return if (roads.size < 2 || roads[1].isBlank()) {
@@ -131,7 +138,7 @@ class DevopsPermissionServiceImpl constructor(
                 return true
             }
             // project权限
-            if (resourceType == ResourceType.PROJECT.toString()) {
+            if (resourceType == ResourceType.PROJECT.name) {
                 return checkDevopsProjectPermission(uid, projectId!!, action)
                     || super.checkBkIamV3ProjectPermission(projectId!!, uid, action)
             }
@@ -175,9 +182,9 @@ class DevopsPermissionServiceImpl constructor(
     }
 
     private fun checkDevopsReportPermission(action: String): Boolean {
-        return action == PermissionAction.READ.toString() ||
-                action == PermissionAction.WRITE.toString() ||
-                action == PermissionAction.VIEW.toString()
+        return action == PermissionAction.READ.name ||
+                action == PermissionAction.WRITE.name ||
+                action == PermissionAction.VIEW.name
     }
 
     private fun checkDevopsPipelinePermission(
@@ -188,8 +195,8 @@ class DevopsPermissionServiceImpl constructor(
         action: String
     ): Boolean {
         return when (resourceType) {
-            ResourceType.REPO.toString() -> checkDevopsProjectPermission(uid, projectId, action)
-            ResourceType.NODE.toString() -> {
+            ResourceType.REPO.name -> checkDevopsProjectPermission(uid, projectId, action)
+            ResourceType.NODE.name -> {
                 val pipelineId = parsePipelineId(path ?: return false) ?: return false
                 pipelinePermission(uid, projectId, pipelineId, action)
             }
@@ -200,7 +207,7 @@ class DevopsPermissionServiceImpl constructor(
     private fun checkDevopsProjectPermission(userId: String, projectId: String, action: String): Boolean {
         logger.debug("checkDevopsProjectPermission: [$userId,$projectId,$action]")
         return when (action) {
-            PermissionAction.MANAGE.toString() -> devopsProjectService.isProjectManager(userId, projectId)
+            PermissionAction.MANAGE.name -> devopsProjectService.isProjectManager(userId, projectId)
             else -> devopsProjectService.isProjectMember(userId, projectId, action)
         }
     }