Skip to content

Commit

Permalink
feat: 优化访问限制 TencentBlueKing#2421
Browse files Browse the repository at this point in the history
* feat: 优化访问限制 TencentBlueKing#2421

* feat: 优化访问限制 TencentBlueKing#2421

* feat:Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat:Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat:Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat:Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat:Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat:Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat: 增加发行模式 TencentBlueKing#2421

* feat:补充误删样式 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat: 优化访问限制 TencentBlueKing#2421

---------

Co-authored-by: lannoy0523 <[email protected]>
  • Loading branch information
owenlxu and lannoy0523 authored Aug 2, 2024
1 parent bf27e16 commit 208871b
Show file tree
Hide file tree
Showing 19 changed files with 370 additions and 231 deletions.
2 changes: 1 addition & 1 deletion docs/install/env.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
| BK_REPO_GATEWAY_DNS_ADDR | 网关dns解析服务地址 | 127.0.0.1:53 |
| BK_REPO_SERVICE_PREFIX | bkrepo微服务前缀 | bkrepo- |
| BK_REPO_DEPLOY_MODE | bkrepo部署模式 | standalone / ci |

| BK_REPO_RELEASE_MODE | bkrepo发行模式 | devx / community |
## consul配置项

| 配置项 | 说明 | 示例 |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ class RepoModeController(
): Response<RepoModeStatus> {
with(request) {
preCheckProjectAdmin(projectId)
repoModeService.createOrUpdateConfig(projectId, repoName, controlEnable, officeDenyGroupSet)
repoModeService.createOrUpdateConfig(projectId, repoName, accessControlMode, officeDenyGroupSet)
return ResponseBuilder.success(
repoModeService.getAccessControlStatus(projectId, repoName)
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
package com.tencent.bkrepo.auth.dao

import com.tencent.bkrepo.auth.model.TRepoAuthConfig
import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
import com.tencent.bkrepo.common.mongo.dao.simple.SimpleMongoDao
import com.tencent.bkrepo.common.security.util.SecurityUtils
import org.springframework.data.mongodb.core.FindAndModifyOptions
Expand All @@ -52,15 +53,15 @@ class RepoAuthConfigDao : SimpleMongoDao<TRepoAuthConfig>() {
fun upsertProjectRepo(
projectId: String,
repoName: String,
status: Boolean,
accessControlMode: AccessControlMode,
officeDenyGroupSet: Set<String>
): String {
val query = Query.query(
Criteria.where(TRepoAuthConfig::projectId.name).`is`(projectId)
.and(TRepoAuthConfig::repoName.name).`is`(repoName)
)
val options = FindAndModifyOptions().returnNew(true).upsert(true)
val update = Update().set(TRepoAuthConfig::accessControl.name, status)
val update = Update().set(TRepoAuthConfig::accessControlMode.name, accessControlMode)
.set(TRepoAuthConfig::officeDenyGroupSet.name, officeDenyGroupSet)
.set(TRepoAuthConfig::lastModifiedBy.name, SecurityUtils.getUserId())
.set(TRepoAuthConfig::lastModifiedDate.name, LocalDateTime.now())
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@

package com.tencent.bkrepo.auth.model

import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
import org.springframework.data.mongodb.core.index.CompoundIndex
import org.springframework.data.mongodb.core.index.CompoundIndexes
import org.springframework.data.mongodb.core.mapping.Document
Expand All @@ -39,13 +40,14 @@ import java.time.LocalDateTime
@Document("repo_auth_mode")
@CompoundIndexes(
CompoundIndex(name = "repo_idx", def = "{'projectId': 1, 'repoName': 1}", background = true, unique = true),
CompoundIndex(name = "access_ctrl_idx", def = "{'accessControl': 1}", background = true)
CompoundIndex(name = "access_ctrl_idx", def = "{'accessControlMode': 1}", background = true)
)
data class TRepoAuthConfig(
var id: String? = null,
var projectId: String,
var repoName: String,
var accessControl: Boolean,
var accessControl: Boolean?,
var accessControlMode: AccessControlMode?,
var officeDenyGroupSet: Set<String>?,
var lastModifiedBy: String,
val lastModifiedDate: LocalDateTime
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,12 @@

package com.tencent.bkrepo.auth.pojo.authconfig

import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode

data class RepoAuthStatusRequest(
val projectId: String,
val repoName: String,
val status: Boolean = false,
val controlEnable: Boolean = false,
val accessControlMode: AccessControlMode?,
val officeDenyGroupSet: Set<String> = emptySet()

)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*
* Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
*
* Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved.
*
* BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
*
* A copy of the MIT License is included in this file.
*
*
* Terms of the MIT License:
* ---------------------------------------------------
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

package com.tencent.bkrepo.auth.pojo.enums

enum class AccessControlMode {
// 严格模式
STRICT,
// 任意下载
DEFAULT,
// 目录控制
DIR_CTRL
}
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
package com.tencent.bkrepo.auth.pojo.permission

import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode

data class RepoModeStatus(
val id: String,
val status: Boolean = false,
val controlEnable: Boolean =false,
val accessControlMode: AccessControlMode?,
val officeDenyGroupSet: Set<String> = emptySet()
)
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,17 @@
package com.tencent.bkrepo.auth.service


import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus

interface RepoModeService {

fun createOrUpdateConfig(
projectId: String,
repoName: String,
controlEnable: Boolean,
accessControlMode: AccessControlMode?,
officeDenyGroupSet: Set<String>
): RepoModeStatus
): RepoModeStatus?

fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -122,10 +122,13 @@ class DevopsPermissionServiceImpl constructor(
return allProjectList.distinct()
}

override fun listPermissionPath(userId: String, projectId: String, repoName: String): List<String>? {
if (isDevopsProjectAdmin(userId, projectId)) return null
return super.listPermissionPath(userId, projectId, repoName)
}

override fun listNoPermissionPath(userId: String, projectId: String, repoName: String): List<String> {
if (isDevopsProjectAdmin(userId, projectId)) {
return emptyList()
}
if (isDevopsProjectAdmin(userId, projectId)) return emptyList()
return super.listNoPermissionPath(userId, projectId, repoName)
}

Expand Down Expand Up @@ -258,7 +261,7 @@ class DevopsPermissionServiceImpl constructor(
}

private fun needCheckPathPermission(resourceType: String, projectId: String, repoName: String): Boolean {
return devopsAuthConfig.enablePathCheck && resourceType == NODE.name && needNodeCheck(projectId, repoName)
return resourceType == NODE.name && needNodeCheck(projectId, repoName)
}

private fun checkDevopsPipelinePermission(context: CheckPermissionContext): Boolean {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,44 +31,61 @@

package com.tencent.bkrepo.auth.service.impl

import com.tencent.bkrepo.auth.dao.PermissionDao
import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao
import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
import com.tencent.bkrepo.auth.pojo.enums.ResourceType
import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus
import com.tencent.bkrepo.auth.service.RepoModeService
import com.tencent.bkrepo.repository.api.RepositoryClient
import org.springframework.stereotype.Service

@Service
class RepoModeServiceImpl(
private val repoAuthConfigDao: RepoAuthConfigDao
private val repoAuthConfigDao: RepoAuthConfigDao,
private val permissionDao: PermissionDao,
private val repoClient: RepositoryClient,
) : RepoModeService {

override fun createOrUpdateConfig(
projectId: String,
repoName: String,
controlEnable: Boolean,
accessControlMode: AccessControlMode?,
officeDenyGroupSet: Set<String>
): RepoModeStatus {
val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlEnable, officeDenyGroupSet)
return RepoModeStatus(id, controlEnable, controlEnable, officeDenyGroupSet)
): RepoModeStatus? {
val repoDetail = repoClient.getRepoDetail(projectId, repoName).data ?: return null
if (repoDetail.public) return null
var controlMode = accessControlMode
if (accessControlMode == null) {
controlMode = AccessControlMode.DEFAULT
}

val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlMode!!, officeDenyGroupSet)
return RepoModeStatus(id, accessControlMode, officeDenyGroupSet)
}


override fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus {
var controlMode = AccessControlMode.DEFAULT
var officeDenyGroupSet = emptySet<String>()
if (permissionDao.listByResourceAndRepo(ResourceType.NODE.name, projectId, repoName).isNotEmpty()) {
controlMode = AccessControlMode.DIR_CTRL
}
val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName)
if (result != null) {
var officeDenyGroupSet = emptySet<String>()
if (result.officeDenyGroupSet != null) {
officeDenyGroupSet = result.officeDenyGroupSet!!
}
return RepoModeStatus(
id = result.id!!,
status = result.accessControl,
controlEnable = result.accessControl,
officeDenyGroupSet = officeDenyGroupSet
)
if (result.accessControlMode != null) {
controlMode = result.accessControlMode!!
}
// 老的数据, 严格模式直接切换
if (result.accessControl != null && result.accessControl!! && result.accessControlMode == null) {
controlMode = AccessControlMode.STRICT
}
}
val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, false, emptySet())
return RepoModeStatus(id = id)
val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlMode, officeDenyGroupSet)
return RepoModeStatus(id = id, accessControlMode = controlMode, officeDenyGroupSet = officeDenyGroupSet)
}


}
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,8 @@ import com.tencent.bkrepo.auth.helper.PermissionHelper
import com.tencent.bkrepo.auth.helper.UserHelper
import com.tencent.bkrepo.auth.model.TPersonalPath
import com.tencent.bkrepo.auth.model.TUser
import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode.DEFAULT
import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode.STRICT
import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.WRITE
import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.DELETE
import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.MANAGE
Expand Down Expand Up @@ -452,17 +454,18 @@ open class PermissionServiceImpl constructor(

fun needNodeCheck(projectId: String, repoName: String): Boolean {
val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
return projectPermission.isNotEmpty()
val repoCheckConfig = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false
return projectPermission.isNotEmpty() && repoCheckConfig.accessControlMode != DEFAULT
}

override fun checkRepoAccessControl(projectId: String, repoName: String): Boolean {
val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false
return result.accessControl
return result.accessControlMode != null && result.accessControlMode == STRICT
}

/**
* 校验是否在访问控制组
* true , 代码需要拦截
* true,代码需要拦截
*/
fun checkRepoAccessDenyGroup(
userId: String,
Expand Down
Loading

0 comments on commit 208871b

Please sign in to comment.