feat: PermissionManager移除repository feign调用 TencentBlueKing#2695

zacYL · Oct 31, 2024 · b0680b3 · b0680b3
1 parent ab557ce
commit b0680b3
Show file tree

Hide file tree

Showing 63 changed files with 277 additions and 230 deletions.
diff --git a/...yst/src/main/kotlin/com/tencent/bkrepo/analyst/component/ScannerPermissionCheckHandler.kt b/...yst/src/main/kotlin/com/tencent/bkrepo/analyst/component/ScannerPermissionCheckHandler.kt
@@ -32,13 +32,13 @@ import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.artifact.constant.PROJECT_ID
 import com.tencent.bkrepo.common.artifact.repository.context.ArtifactContextHolder
 import com.tencent.bkrepo.common.security.exception.PermissionException
-import com.tencent.bkrepo.common.security.manager.PermissionManager
 import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.security.permission.PermissionCheckHandler
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.HttpContextHolder
 import com.tencent.bkrepo.analyst.model.SubScanTaskDefinition
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
 import com.tencent.bkrepo.common.artifact.pojo.RepositoryId
 import com.tencent.bkrepo.common.security.permission.PrincipalType
 import org.springframework.context.annotation.Primary

diff --git a/.../biz-archive/src/test/kotlin/com/tencent/bkrepo/archive/core/compress/BDZipManagerTest.kt b/.../biz-archive/src/test/kotlin/com/tencent/bkrepo/archive/core/compress/BDZipManagerTest.kt
@@ -13,7 +13,6 @@ import com.tencent.bkrepo.common.bksync.file.BkSyncDeltaSource.Companion.toBkSyn
 import com.tencent.bkrepo.common.metadata.service.file.FileReferenceService
 import com.tencent.bkrepo.common.storage.StorageAutoConfiguration
 import com.tencent.bkrepo.common.storage.core.StorageService
-import com.tencent.bkrepo.repository.api.RepositoryClient
 import org.junit.jupiter.api.AfterEach
 import org.junit.jupiter.api.Assertions
 import org.junit.jupiter.api.BeforeEach
@@ -44,9 +43,6 @@ class BDZipManagerTest @Autowired constructor(
     @MockBean
     lateinit var fileReferenceService: FileReferenceService
 
-    @MockBean
-    lateinit var repositoryClient: RepositoryClient
-
     private val timeout = Duration.ofSeconds(10)
 
     @BeforeEach

diff --git a/...nd/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/ProxyServiceImpl.kt b/...nd/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/ProxyServiceImpl.kt
@@ -27,6 +27,7 @@
 
 package com.tencent.bkrepo.auth.service.impl
 
+import com.tencent.bkrepo.auth.dao.ProxyDao
 import com.tencent.bkrepo.auth.message.AuthMessageCode
 import com.tencent.bkrepo.auth.model.TProxy
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
@@ -37,15 +38,14 @@ import com.tencent.bkrepo.auth.pojo.proxy.ProxyListOption
 import com.tencent.bkrepo.auth.pojo.proxy.ProxyStatus
 import com.tencent.bkrepo.auth.pojo.proxy.ProxyStatusRequest
 import com.tencent.bkrepo.auth.pojo.proxy.ProxyUpdateRequest
-import com.tencent.bkrepo.auth.dao.ProxyDao
 import com.tencent.bkrepo.auth.service.ProxyService
 import com.tencent.bkrepo.common.api.constant.StringPool
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
 import com.tencent.bkrepo.common.api.pojo.Page
 import com.tencent.bkrepo.common.api.util.Preconditions
 import com.tencent.bkrepo.common.api.util.UrlFormatter
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
 import com.tencent.bkrepo.common.mongo.dao.util.Pages
-import com.tencent.bkrepo.common.security.manager.PermissionManager
 import com.tencent.bkrepo.common.security.util.AESUtils
 import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.HttpContextHolder

diff --git a/...in/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt b/...in/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt
@@ -34,8 +34,8 @@ package com.tencent.bkrepo.common.artifact.permission
 import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.artifact.constant.PROJECT_ID
 import com.tencent.bkrepo.common.artifact.repository.context.ArtifactContextHolder
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
 import com.tencent.bkrepo.common.security.exception.PermissionException
-import com.tencent.bkrepo.common.security.manager.PermissionManager
 import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.security.permission.PermissionCheckHandler
 import com.tencent.bkrepo.common.security.permission.Principal

diff --git a/...n/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionConfiguration.kt b/...n/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionConfiguration.kt
@@ -31,7 +31,7 @@
 
 package com.tencent.bkrepo.common.artifact.permission
 
-import com.tencent.bkrepo.common.security.manager.PermissionManager
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
 import com.tencent.bkrepo.common.security.permission.PermissionCheckHandler
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration

diff --git a/.../main/kotlin/com/tencent/bkrepo/common/artifact/repository/redirect/CosRedirectService.kt b/.../main/kotlin/com/tencent/bkrepo/common/artifact/repository/redirect/CosRedirectService.kt
@@ -37,7 +37,7 @@ import com.tencent.bkrepo.common.artifact.stream.Range
 import com.tencent.bkrepo.common.artifact.util.http.HttpHeaderUtils.determineMediaType
 import com.tencent.bkrepo.common.artifact.util.http.HttpHeaderUtils.encodeDisposition
 import com.tencent.bkrepo.common.artifact.util.http.HttpRangeUtils
-import com.tencent.bkrepo.common.security.manager.PermissionManager
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
 import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.HttpContextHolder
 import com.tencent.bkrepo.common.storage.config.StorageProperties

diff --git a/...rc/main/kotlin/com/tencent/bkrepo/common/artifact/repository/virtual/VirtualRepository.kt b/...rc/main/kotlin/com/tencent/bkrepo/common/artifact/repository/virtual/VirtualRepository.kt
@@ -42,7 +42,7 @@ import com.tencent.bkrepo.common.artifact.repository.context.ArtifactSearchConte
 import com.tencent.bkrepo.common.artifact.repository.core.AbstractArtifactRepository
 import com.tencent.bkrepo.common.artifact.repository.core.ArtifactRepository
 import com.tencent.bkrepo.common.artifact.resolve.response.ArtifactResource
-import com.tencent.bkrepo.common.security.manager.PermissionManager
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 

diff --git a/...a-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/MetadataAutoConfiguration.kt b/...a-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/MetadataAutoConfiguration.kt
@@ -27,15 +27,33 @@
 
 package com.tencent.bkrepo.common.metadata
 
+import com.tencent.bkrepo.auth.api.ServiceExternalPermissionClient
+import com.tencent.bkrepo.auth.api.ServicePermissionClient
+import com.tencent.bkrepo.auth.api.ServiceUserClient
+import com.tencent.bkrepo.common.api.pojo.ClusterArchitecture
+import com.tencent.bkrepo.common.api.pojo.ClusterNodeType
 import com.tencent.bkrepo.common.artifact.properties.ArtifactEventProperties
 import com.tencent.bkrepo.common.artifact.properties.RouterControllerProperties
+import com.tencent.bkrepo.common.metadata.condition.SyncCondition
 import com.tencent.bkrepo.common.metadata.config.RepositoryProperties
+import com.tencent.bkrepo.common.metadata.permission.EdgePermissionManager
+import com.tencent.bkrepo.common.metadata.permission.PermissionManager
+import com.tencent.bkrepo.common.metadata.permission.ProxyPermissionManager
 import com.tencent.bkrepo.common.metadata.properties.OperateProperties
 import com.tencent.bkrepo.common.metadata.properties.ProjectUsageStatisticsProperties
+import com.tencent.bkrepo.common.metadata.service.node.NodeService
+import com.tencent.bkrepo.common.metadata.service.project.ProjectService
+import com.tencent.bkrepo.common.metadata.service.repo.RepositoryService
+import com.tencent.bkrepo.common.security.http.core.HttpAuthProperties
+import com.tencent.bkrepo.common.security.manager.PrincipalManager
+import com.tencent.bkrepo.common.service.cluster.properties.ClusterProperties
 import com.tencent.bkrepo.common.storage.config.StorageProperties
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication
 import org.springframework.boot.context.properties.EnableConfigurationProperties
+import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.ComponentScan
+import org.springframework.context.annotation.Conditional
 import org.springframework.context.annotation.Configuration
 
 @Configuration
@@ -49,4 +67,73 @@ import org.springframework.context.annotation.Configuration
     ArtifactEventProperties::class,
     RepositoryProperties::class,
 )
-class MetadataAutoConfiguration
+class MetadataAutoConfiguration {
+
+    @Bean
+    @Suppress("LongParameterList")
+    @Conditional(SyncCondition::class)
+    fun permissionManager(
+        projectService: ProjectService,
+        repositoryService: RepositoryService,
+        permissionResource: ServicePermissionClient,
+        externalPermissionResource: ServiceExternalPermissionClient,
+        userResource: ServiceUserClient,
+        nodeService: NodeService,
+        clusterProperties: ClusterProperties,
+        httpAuthProperties: HttpAuthProperties,
+        principalManager: PrincipalManager
+    ): PermissionManager {
+        return if (clusterProperties.role == ClusterNodeType.EDGE
+            && clusterProperties.architecture == ClusterArchitecture.COMMIT_EDGE
+            && clusterProperties.commitEdge.auth.center
+        ) {
+            EdgePermissionManager(
+                projectService = projectService,
+                repositoryService = repositoryService,
+                permissionResource = permissionResource,
+                externalPermissionResource = externalPermissionResource,
+                userResource = userResource,
+                nodeService = nodeService,
+                clusterProperties = clusterProperties,
+                httpAuthProperties = httpAuthProperties,
+                principalManager = principalManager
+            )
+        } else {
+            PermissionManager(
+                projectService = projectService,
+                repositoryService = repositoryService,
+                permissionResource = permissionResource,
+                externalPermissionResource = externalPermissionResource,
+                userResource = userResource,
+                nodeService = nodeService,
+                httpAuthProperties = httpAuthProperties,
+                principalManager = principalManager
+            )
+        }
+    }
+
+    @Bean
+    @ConditionalOnMissingBean
+    @Conditional(SyncCondition::class)
+    fun proxyPermissionManager(
+        projectService: ProjectService,
+        repositoryService: RepositoryService,
+        permissionResource: ServicePermissionClient,
+        externalPermissionResource: ServiceExternalPermissionClient,
+        userResource: ServiceUserClient,
+        nodeService: NodeService,
+        httpAuthProperties: HttpAuthProperties,
+        principalManager: PrincipalManager
+    ): ProxyPermissionManager {
+        return ProxyPermissionManager(
+            projectService = projectService,
+            repositoryService = repositoryService,
+            permissionResource = permissionResource,
+            externalPermissionResource = externalPermissionResource,
+            userResource = userResource,
+            nodeService = nodeService,
+            httpAuthProperties = httpAuthProperties,
+            principalManager = principalManager
+        )
+    }
+}
diff --git a/...ity/manager/edge/EdgePermissionManager.kt → ...adata/permission/EdgePermissionManager.kt b/...ity/manager/edge/EdgePermissionManager.kt → ...adata/permission/EdgePermissionManager.kt
@@ -25,39 +25,41 @@
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-package com.tencent.bkrepo.common.security.manager.edge
+package com.tencent.bkrepo.common.metadata.permission
 
-import com.tencent.bkrepo.auth.api.cluster.ClusterPermissionClient
-import com.tencent.bkrepo.auth.api.cluster.ClusterUserClient
 import com.tencent.bkrepo.auth.api.ServiceExternalPermissionClient
 import com.tencent.bkrepo.auth.api.ServicePermissionClient
 import com.tencent.bkrepo.auth.api.ServiceUserClient
+import com.tencent.bkrepo.auth.api.cluster.ClusterPermissionClient
+import com.tencent.bkrepo.auth.api.cluster.ClusterUserClient
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
+import com.tencent.bkrepo.common.metadata.service.node.NodeService
+import com.tencent.bkrepo.common.metadata.service.project.ProjectService
+import com.tencent.bkrepo.common.metadata.service.repo.RepositoryService
 import com.tencent.bkrepo.common.security.http.core.HttpAuthProperties
-import com.tencent.bkrepo.common.security.manager.PermissionManager
+import com.tencent.bkrepo.common.security.manager.PrincipalManager
 import com.tencent.bkrepo.common.service.cluster.properties.ClusterProperties
 import com.tencent.bkrepo.common.service.feign.FeignClientFactory
-import com.tencent.bkrepo.repository.api.NodeClient
-import com.tencent.bkrepo.repository.api.ProjectClient
-import com.tencent.bkrepo.repository.api.RepositoryClient
 
 class EdgePermissionManager(
-    projectClient: ProjectClient,
-    repositoryClient: RepositoryClient,
+    projectService: ProjectService,
+    repositoryService: RepositoryService,
     permissionResource: ServicePermissionClient,
     externalPermissionResource: ServiceExternalPermissionClient,
     userResource: ServiceUserClient,
-    nodeClient: NodeClient,
+    nodeService: NodeService,
     clusterProperties: ClusterProperties,
-    httpAuthProperties: HttpAuthProperties
+    httpAuthProperties: HttpAuthProperties,
+    principalManager: PrincipalManager
 ) : PermissionManager(
-    projectClient,
-    repositoryClient,
+    projectService,
+    repositoryService,
     permissionResource,
     externalPermissionResource,
     userResource,
-    nodeClient,
-    httpAuthProperties
+    nodeService,
+    httpAuthProperties,
+    principalManager
 ) {
 
     private val centerPermissionClient: ClusterPermissionClient

diff --git a/...mon/security/manager/PermissionManager.kt → .../metadata/permission/PermissionManager.kt b/...mon/security/manager/PermissionManager.kt → .../metadata/permission/PermissionManager.kt
@@ -29,7 +29,7 @@
  * SOFTWARE.
  */
 
-package com.tencent.bkrepo.common.security.manager
+package com.tencent.bkrepo.common.metadata.permission
 
 import com.google.common.cache.CacheBuilder
 import com.google.common.cache.CacheLoader
@@ -48,20 +48,22 @@ import com.tencent.bkrepo.common.api.constant.MediaTypes
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.api.util.readJsonString
 import com.tencent.bkrepo.common.api.util.toJsonString
+import com.tencent.bkrepo.common.artifact.api.ArtifactInfo
 import com.tencent.bkrepo.common.artifact.constant.PIPELINE
 import com.tencent.bkrepo.common.artifact.exception.NodeNotFoundException
 import com.tencent.bkrepo.common.artifact.exception.RepoNotFoundException
 import com.tencent.bkrepo.common.artifact.path.PathUtils
+import com.tencent.bkrepo.common.metadata.service.node.NodeService
+import com.tencent.bkrepo.common.metadata.service.project.ProjectService
+import com.tencent.bkrepo.common.metadata.service.repo.RepositoryService
 import com.tencent.bkrepo.common.security.exception.AuthenticationException
 import com.tencent.bkrepo.common.security.exception.PermissionException
 import com.tencent.bkrepo.common.security.http.core.HttpAuthProperties
+import com.tencent.bkrepo.common.security.manager.PrincipalManager
 import com.tencent.bkrepo.common.security.permission.PrincipalType
 import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.HttpContextHolder
 import com.tencent.bkrepo.common.service.util.LocaleMessageUtils
-import com.tencent.bkrepo.repository.api.NodeClient
-import com.tencent.bkrepo.repository.api.ProjectClient
-import com.tencent.bkrepo.repository.api.RepositoryClient
 import com.tencent.bkrepo.repository.constant.NODE_DETAIL_LIST_KEY
 import com.tencent.bkrepo.repository.constant.SYSTEM_USER
 import com.tencent.bkrepo.repository.pojo.node.NodeDetail
@@ -81,13 +83,14 @@ import java.util.concurrent.TimeUnit
  * 权限管理类
  */
 open class PermissionManager(
-    private val projectClient: ProjectClient,
-    private val repositoryClient: RepositoryClient,
+    private val projectService: ProjectService,
+    private val repositoryService: RepositoryService,
     private val permissionResource: ServicePermissionClient,
     private val externalPermissionResource: ServiceExternalPermissionClient,
     private val userResource: ServiceUserClient,
-    private val nodeClient: NodeClient,
-    private val httpAuthProperties: HttpAuthProperties
+    private val nodeService: NodeService,
+    private val httpAuthProperties: HttpAuthProperties,
+    private val principalManager: PrincipalManager
 ) {
 
     private val httpClient =
@@ -202,25 +205,7 @@ open class PermissionManager(
      * @param principalType 身份类型
      */
     open fun checkPrincipal(userId: String, principalType: PrincipalType) {
-        val platformId = SecurityUtils.getPlatformId()
-        checkAnonymous(userId, platformId)
-
-        if (principalType == PrincipalType.ADMIN) {
-            if (!isAdminUser(userId)) {
-                throw PermissionException()
-            }
-        } else if (principalType == PrincipalType.PLATFORM) {
-            if (userId.isEmpty()) {
-                logger.warn("platform auth with empty userId[$platformId,$userId]")
-            }
-            if (platformId == null && !isAdminUser(userId)) {
-                throw PermissionException()
-            }
-        } else if (principalType == PrincipalType.GENERAL) {
-            if (userId.isEmpty() || userId == ANONYMOUS_USER) {
-                throw PermissionException()
-            }
-        }
+        principalManager.checkPrincipal(userId, principalType)
     }
 
     /**
@@ -286,7 +271,7 @@ open class PermissionManager(
      */
     open fun queryProjectEnabledStatus(projectId: String): Boolean {
         return try {
-            projectClient.isProjectEnabled(projectId).data!!
+            projectService.isProjectEnabled(projectId)
         } catch (e: Exception) {
             true
         }
@@ -296,7 +281,7 @@ open class PermissionManager(
      * 查询仓库信息
      */
     open fun queryRepositoryInfo(projectId: String, repoName: String): RepositoryInfo {
-        return repositoryClient.getRepoInfo(projectId, repoName).data ?: throw RepoNotFoundException(repoName)
+        return repositoryService.getRepoInfo(projectId, repoName) ?: throw RepoNotFoundException(repoName)
     }
 
     private fun serviceRequestCheck(): Boolean {
@@ -326,6 +311,7 @@ open class PermissionManager(
         anonymous: Boolean = false,
         userId: String = SecurityUtils.getUserId(),
     ) {
+
         // 判断是否开启认证
         if (!httpAuthProperties.enabled) {
             return
@@ -458,9 +444,8 @@ open class PermissionManager(
         val nodeDetailList = if (repoName.isNullOrBlank() || paths.isNullOrEmpty()) {
             null
         } else if (paths.size == 1) {
-            val node = nodeClient.getNodeDetail(projectId, repoName, paths.first()).data ?: throw NodeNotFoundException(
-                paths.first()
-            )
+            val node = nodeService.getNodeDetail(ArtifactInfo(projectId, repoName, paths.first()))
+                ?: throw NodeNotFoundException(paths.first())
             listOf(node)
         } else {
             queryNodeDetailList(projectId, repoName, paths)
@@ -483,8 +468,8 @@ open class PermissionManager(
             val option = NodeListOption(
                 pageNumber = pageNumber, pageSize = 1000, includeFolder = true, includeMetadata = true, deep = true
             )
-            val records = nodeClient.listNodePage(projectId, repoName, prefix, option).data?.records
-            if (records.isNullOrEmpty()) {
+            val records = nodeService.listNodePage(ArtifactInfo(projectId, repoName, prefix), option).records
+            if (records.isEmpty()) {
                 break
             }
             nodeDetailList.addAll(records.filter { paths.contains(it.fullPath) }.map { NodeDetail(it) })