iam:fix role.

ljl · ljl · commit 7b3ba960699f · 2023-11-16T14:36:22.000+08:00
diff --git a/services/bios-all/config/locale/zh-cn.iam b/services/bios-all/config/locale/zh-cn.iam
@@ -61,4 +61,7 @@
 404-iam-cert-phone-not-exist	当前手机号不存在
 409-iam-cert-phone-bind-already-exist	手机号已存在绑定关系
 409-iam-cert-email-bind-already-exist	邮箱已存在绑定关系
-404-sync-element-not-found-error	请先添加同步按钮
+404-sync-element-not-found-error	请先添加同步按钮
+
+409-role-is-not-app	该角色不属于app角色，不能删除
+409-role-is-extend	该角色是扩展角色，不能删除
diff --git a/support/iam/src/basic/serv/iam_role_serv.rs b/support/iam/src/basic/serv/iam_role_serv.rs
@@ -1,18 +1,18 @@
 use std::ops::Add;
 
 use async_trait::async_trait;
-use bios_basic::helper::request_helper::get_remote_ip;
-use bios_basic::process::task_processor::TaskProcessor;
+use tardis::{TardisFuns, TardisFunsInst};
 use tardis::basic::dto::TardisContext;
 use tardis::basic::field::TrimString;
 use tardis::basic::result::TardisResult;
-use tardis::db::sea_orm::sea_query::{Expr, SelectStatement};
-use tardis::db::sea_orm::EntityName;
 use tardis::db::sea_orm::*;
+use tardis::db::sea_orm::prelude::Expr;
+use tardis::db::sea_orm::sea_query::SelectStatement;
 use tardis::log::info;
 use tardis::web::web_resp::TardisPage;
-use tardis::{TardisFuns, TardisFunsInst};
 
+use bios_basic::helper::request_helper::get_remote_ip;
+use bios_basic::process::task_processor::TaskProcessor;
 use bios_basic::rbum::dto::rbum_filer_dto::{RbumBasicFilterReq, RbumRelFilterReq};
 use bios_basic::rbum::dto::rbum_item_dto::{RbumItemKernelAddReq, RbumItemKernelModifyReq};
 use bios_basic::rbum::dto::rbum_rel_dto::{RbumRelBoneResp, RbumRelCheckReq};
@@ -23,9 +23,10 @@ use bios_basic::rbum::serv::rbum_item_serv::RbumItemCrudOperation;
 use bios_basic::rbum::serv::rbum_rel_serv::RbumRelServ;
 
 use crate::basic::domain::iam_role;
-use crate::basic::dto::iam_filer_dto::IamRoleFilterReq;
+use crate::basic::dto::iam_filer_dto::{IamAppFilterReq, IamRoleFilterReq};
 use crate::basic::dto::iam_role_dto::{IamRoleAddReq, IamRoleAggAddReq, IamRoleAggModifyReq, IamRoleDetailResp, IamRoleModifyReq, IamRoleSummaryResp};
 use crate::basic::serv::iam_account_serv::IamAccountServ;
+use crate::basic::serv::iam_app_serv::IamAppServ;
 use crate::basic::serv::iam_key_cache_serv::IamIdentCacheServ;
 use crate::basic::serv::iam_rel_serv::IamRelServ;
 use crate::iam_config::{IamBasicConfigApi, IamBasicInfoManager, IamConfig};
@@ -240,6 +241,13 @@ impl RbumItemCrudOperation<iam_role::ActiveModel, IamRoleAddReq, IamRoleModifyRe
         {
             return Err(funs.err().conflict(&Self::get_obj_name(), "delete", "role is not private", "409-iam-delete-role-conflict"));
         }
+        let sub_role = Self::find_id_items(&IamRoleFilterReq{
+            extend_role_id: Some(id.to_string()),
+            ..Default::default()
+        },None,None,funs,ctx).await?;
+        for role_id in sub_role {
+            Self::delete_item_with_all_rels(&role_id,funs,ctx).await?;
+        }
         Ok(None)
     }
 
@@ -341,6 +349,7 @@ impl IamRoleServ {
                 },
                 kind: Some(kind.clone()),
                 in_embed: Some(true),
+                in_base: Some(true),
                 ..Default::default()
             },
             None,
@@ -374,6 +383,50 @@ impl IamRoleServ {
         Ok(())
     }
 
+    pub async fn add_app_copy_role_agg(app_id: &str,  funs: &TardisFunsInst, ctx: &TardisContext)-> TardisResult<()>{
+        Self::copy_role_agg(app_id, &IamRoleKind::App, funs, ctx).await?;
+        let tenant_app_roles = Self::find_detail_items(
+            &IamRoleFilterReq {
+                basic: RbumBasicFilterReq {
+                    with_sub_own_paths: true,
+                    ..Default::default()
+                },
+                kind: Some(IamRoleKind::App),
+                in_embed: Some(false),
+                in_base: Some(false),
+                ..Default::default()
+            },
+            None,
+            None,
+            funs,
+            ctx,
+        )
+            .await?;
+        for app_role in tenant_app_roles {
+            Self::add_role_agg(
+                &mut IamRoleAggAddReq {
+                    role: IamRoleAddReq {
+                        code: Some(TrimString::from(format!("{}:{}", app_id, app_role.code))),
+                        name: TrimString::from(app_role.name),
+                        icon: Some(app_role.icon),
+                        sort: Some(app_role.sort),
+                        kind: Some(app_role.kind),
+                        scope_level: Some(RbumScopeLevelKind::Private),
+                        in_embed: Some(app_role.in_embed),
+                        extend_role_id: Some(app_role.id),
+                        disabled: Some(app_role.disabled),
+                        in_base: Some(false),
+                    },
+                    res_ids: None,
+                },
+                funs,
+                ctx,
+            )
+                .await?;
+        }
+        Ok(())
+    }
+
     pub async fn get_embed_subrole_id(extend_role_id: &str, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<String> {
         let scope_level = get_scope_level_by_context(ctx)?;
         info!(
@@ -398,6 +451,49 @@ impl IamRoleServ {
         Err(funs.err().not_found(&Self::get_obj_name(), "get_embed_subrole_id", "role not found", "404-iam-role-not-found"))
     }
 
+    /// 租户添加应用角色
+    pub async fn tenant_add_app_role_agg(add_req: &mut IamRoleAggAddReq, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<String> {
+        add_req.role.scope_level = Some(RbumScopeLevelKind::Private);
+        let app_role_id = Self::add_role_agg(add_req,funs,ctx).await?;
+        let app_ids = IamAppServ::find_id_items(&IamAppFilterReq {
+            basic: RbumBasicFilterReq{
+                with_sub_own_paths:true,
+                ..Default::default()
+            },
+            ..Default::default()
+        }, None, None, funs, ctx).await?;
+        let app_role = Self::get_item(&app_role_id,&IamRoleFilterReq {
+            basic: RbumBasicFilterReq{
+                with_sub_own_paths:true,
+                ..Default::default()
+            },
+            ..Default::default()
+        }, funs, ctx).await?;
+        for app_id in app_ids {
+            Self::add_role_agg(
+                &mut IamRoleAggAddReq {
+                    role: IamRoleAddReq {
+                        code: Some(TrimString::from(format!("{}:{}", app_id, app_role.code))),
+                        name: TrimString::from(app_role.name.clone()),
+                        icon: Some(app_role.icon.clone()),
+                        sort: Some(app_role.sort),
+                        kind: Some(app_role.kind.clone()),
+                        scope_level: Some(RbumScopeLevelKind::Private),
+                        in_embed: Some(app_role.in_embed),
+                        extend_role_id: Some(app_role_id.clone()),
+                        disabled: Some(app_role.disabled),
+                        in_base: Some(false),
+                    },
+                    res_ids: None,
+                },
+                funs,
+                ctx,
+            )
+                .await?;
+        }
+        Ok(app_role_id)
+    }
+
     pub async fn add_role_agg(add_req: &mut IamRoleAggAddReq, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<String> {
         let role_id = Self::add_item(&mut add_req.role, funs, ctx).await?;
         if let Some(res_ids) = &add_req.res_ids {
diff --git a/support/iam/src/console_app/api/iam_ca_role_api.rs b/support/iam/src/console_app/api/iam_ca_role_api.rs
@@ -1,9 +1,11 @@
-use bios_basic::process::task_processor::TaskProcessor;
 use tardis::web::context_extractor::TardisContextExtractor;
+use tardis::web::poem::Request;
 use tardis::web::poem_openapi;
 use tardis::web::poem_openapi::{param::Path, param::Query, payload::Json};
 use tardis::web::web_resp::{TardisApiResult, TardisPage, TardisResp, Void};
 
+use bios_basic::helper::request_helper::add_remote_ip;
+use bios_basic::process::task_processor::TaskProcessor;
 use bios_basic::rbum::dto::rbum_filer_dto::{RbumBasicFilterReq, RbumItemRelFilterReq};
 use bios_basic::rbum::dto::rbum_rel_dto::RbumRelBoneResp;
 use bios_basic::rbum::rbum_enumeration::RbumRelFromKind;
@@ -17,8 +19,7 @@ use crate::basic::serv::iam_role_serv::IamRoleServ;
 use crate::iam_constants;
 use crate::iam_constants::RBUM_SCOPE_LEVEL_APP;
 use crate::iam_enumeration::{IamRelKind, IamRoleKind};
-use bios_basic::helper::request_helper::add_remote_ip;
-use tardis::web::poem::Request;
+
 #[derive(Clone, Default)]
 pub struct IamCaRoleApi;
 
@@ -128,6 +129,29 @@ impl IamCaRoleApi {
         add_remote_ip(request, &ctx.0).await?;
         let mut funs = iam_constants::get_tardis_inst();
         funs.begin().await?;
+        let app_role = IamRoleServ::get_item(&id.0,&IamRoleFilterReq{
+            basic: RbumBasicFilterReq {
+                with_sub_own_paths: true,
+                ..Default::default()
+            },
+            ..Default::default()
+        },&funs,&ctx.0).await?;
+        if app_role.kind != IamRoleKind::App {
+            Err(funs.err().conflict(
+                &IamRoleServ::get_obj_name(),
+                "delete",
+                "This role is not an app role, cannot be deleted",
+                "409-role-is-not-app",
+            ))?;
+        }
+        if app_role.extend_role_id != "".to_string() {
+            Err(funs.err().conflict(
+                &IamRoleServ::get_obj_name(),
+                "delete",
+                "This role is extend role, cannot be deleted",
+                "409-role-is-extend",
+            ))?;
+        }
         IamRoleServ::delete_item_with_all_rels(&id.0, &funs, &ctx.0).await?;
         funs.commit().await?;
         ctx.0.execute_task().await?;
diff --git a/support/iam/src/console_tenant/api/iam_ct_role_api.rs b/support/iam/src/console_tenant/api/iam_ct_role_api.rs
@@ -27,12 +27,18 @@ pub struct IamCtRoleApi;
 impl IamCtRoleApi {
     /// Add Role
     #[oai(path = "/", method = "post")]
-    async fn add(&self, mut add_req: Json<IamRoleAggAddReq>, ctx: TardisContextExtractor, request: &Request) -> TardisApiResult<String> {
+    async fn add(&self,is_app: Query<Option<bool>>, mut add_req: Json<IamRoleAggAddReq>, ctx: TardisContextExtractor, request: &Request) -> TardisApiResult<String> {
         add_remote_ip(request, &ctx.0).await?;
         let mut funs = iam_constants::get_tardis_inst();
         funs.begin().await?;
-        add_req.0.role.kind = Some(IamRoleKind::Tenant);
-        let result = IamRoleServ::add_role_agg(&mut add_req.0, &funs, &ctx.0).await?;
+        let mut result = "".to_string();
+        if is_app.0.unwrap_or(false) {
+            add_req.0.role.kind = Some(IamRoleKind::App);
+            result = IamRoleServ::tenant_add_app_role_agg(&mut add_req.0, &funs, &ctx.0).await?;
+        }else{
+            add_req.0.role.kind = Some(IamRoleKind::Tenant);
+            result = IamRoleServ::add_role_agg(&mut add_req.0, &funs, &ctx.0).await?;
+        }
         funs.commit().await?;
         ctx.0.execute_task().await?;
         TardisResp::ok(result)
@@ -95,7 +101,7 @@ impl IamCtRoleApi {
                     with_sub_own_paths: with_sub.0.unwrap_or(false),
                     ..Default::default()
                 },
-                kind: Some(IamRoleKind::Tenant),
+                // kind: Some(IamRoleKind::Tenant),
                 in_base: in_base.0,
                 in_embed: in_embed.0,
                 extend_role_id: extend_role_id.0,
