diff --git a/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/constant/Constants.kt b/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/constant/Constants.kt
index 4f14971b35..8068d56a40 100644
--- a/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/constant/Constants.kt
+++ b/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/constant/Constants.kt
@@ -72,6 +72,7 @@ const val AUTH_API_ACCOUNT_PREFIX = "/api/account"
 const val AUTH_SERVICE_ACCOUNT_PREFIX = "/service/account"
 const val AUTH_API_OAUTH_PREFIX = "/api/oauth"
 const val AUTH_SERVICE_OAUTH_PREFIX = "/service/oauth"
+const val AUTH_API_AUTH_MODE_PREFIX = "/api/mode/repo"
 const val AUTH_CLUSTER_TOKEN_INFO_PREFIX = "/cluster/temporary/token/info"
 const val AUTH_CLUSTER_TOKEN_DELETE_PREFIX = "/cluster/temporary/token/delete"
 const val AUTH_CLUSTER_TOKEN_DECREMENT_PREFIX = "/cluster/temporary/token/decrement"
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/AuthServiceConfig.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/AuthServiceConfig.kt
index a6e3b3959b..6d343dcf02 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/AuthServiceConfig.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/AuthServiceConfig.kt
@@ -40,6 +40,7 @@ import com.tencent.bkrepo.auth.condition.DevopsAuthCondition
 import com.tencent.bkrepo.auth.condition.BkV3RbacAuthCondition
 import com.tencent.bkrepo.auth.condition.LocalAuthCondition
 import com.tencent.bkrepo.auth.dao.PersonalPathDao
+import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao
 import com.tencent.bkrepo.auth.service.AccountService
 import com.tencent.bkrepo.auth.service.PermissionService
 import com.tencent.bkrepo.auth.service.RoleService
@@ -93,7 +94,8 @@ class AuthServiceConfig { accountRepository: AccountRepository, permissionDao: PermissionDao, userDao: UserDao, - personalPathDao: PersonalPathDao + personalPathDao: PersonalPathDao, + repoAuthConfigDao: RepoAuthConfigDao ): PermissionService { return PermissionServiceImpl( roleRepository, @@ -101,6 +103,7 @@ class AuthServiceConfig { permissionDao, userDao, personalPathDao, + repoAuthConfigDao, repositoryClient, projectClient ) @@ -111,6 +114,7 @@ class AuthServiceConfig { bkiamV3Service: BkIamV3Service, userDao: UserDao, personalPathDao: PersonalPathDao, + repoAuthConfigDao: RepoAuthConfigDao, roleRepository: RoleRepository, accountRepository: AccountRepository, permissionDao: PermissionDao, @@ -123,6 +127,7 @@ class AuthServiceConfig { accountRepository, permissionDao, personalPathDao, + repoAuthConfigDao, repoClient, projectClient ) @@ -136,6 +141,7 @@ class AuthServiceConfig { permissionDao: PermissionDao, userDao: UserDao, personalPathDao: PersonalPathDao, + repoAuthConfigDao: RepoAuthConfigDao, bkAuthConfig: DevopsAuthConfig, bkAuthPipelineService: DevopsPipelineService, bkAuthProjectService: DevopsProjectService, @@ -147,6 +153,7 @@ class AuthServiceConfig { permissionDao, userDao, personalPathDao, + repoAuthConfigDao, bkAuthConfig, bkAuthPipelineService, bkAuthProjectService, diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt index 1aabed1727..54ef53a1de 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt 
@@ -116,8 +116,8 @@ open class OpenResource(private val permissionService: PermissionService) {
 fun preCheckUserInProject(type: AuthPermissionType, projectId: String, repoName: String?) {
 val checkRequest = CheckPermissionRequest(
 uid = SecurityUtils.getUserId(),
- resourceType = ResourceType.PROJECT.toString(),
- action = PermissionAction.WRITE.toString(),
+ resourceType = ResourceType.PROJECT.name,
+ action = PermissionAction.WRITE.name,
 projectId = projectId,
 appId = SecurityUtils.getPlatformId()
 )
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServicePermissionController.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServicePermissionController.kt
index 635b2c7d4f..c0d736107e 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServicePermissionController.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServicePermissionController.kt
@@ -49,13 +49,26 @@ class ServicePermissionController @Autowired constructor(
 /**
- * 本接口不做权限校验,返回空列表时可能表示所有路径均有权限,也可能为无项目仓库权限,因此需要单独做仓库权限校验
+ * 本接口不做权限校验,status表明是否需要做校验
+ * OperationType IN 表示有权限的路径列表,需要做交集
+ * OperationType NIN 表示有无权限的路径列表,需要做差集
 */
 override fun listPermissionPath(userId: String, projectId: String, repoName: String): Response {
- val permissionPath = permissionService.listNoPermissionPath(userId, projectId, repoName)
- val status = permissionPath.isNotEmpty()
- val result = ListPathResult(status = status, path = mapOf(OperationType.NIN to permissionPath))
- return ResponseBuilder.success(result)
+ val repoAccessControl = permissionService.checkRepoAccessControl(projectId, repoName)
+ if (repoAccessControl) {
+ val permissionPath = permissionService.listPermissionPath(userId, projectId, repoName)
+ if (permissionPath == null) {
+ val result = ListPathResult(status = false, path = mapOf(OperationType.IN to emptyList()))
+ return ResponseBuilder.success(result)
+ }
+ val result = ListPathResult(status = true, path = mapOf(OperationType.IN to permissionPath))
+ return ResponseBuilder.success(result)
+ } else {
+ val permissionPath = permissionService.listNoPermissionPath(userId, projectId, repoName)
+ val status = permissionPath.isNotEmpty()
+ val result = ListPathResult(status = status, path = mapOf(OperationType.NIN to permissionPath))
+ return ResponseBuilder.success(result)
+ }
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt
new file mode 100644
index 0000000000..bfa4f1f293
--- /dev/null
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt
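Review bot: The two branches build four near-identical `ListPathResult`/`ResponseBuilder.success` pairs, and the `null` return of `listPermissionPath` is handled by a special case that hides what it means; folding the method into one `if` expression with a comment makes the allow-list/deny-list split and the sentinel readable. The implementation in PermissionServiceImpl returns `null` for admins and an empty list for an unknown user, so `status = allowed != null` and `allowed.orEmpty()` reproduce the current responses exactly. The updated KDoc should also say what `status = false` means in each mode, since callers skip the path check on it.
```kotlin
override fun listPermissionPath(userId: String, projectId: String, repoName: String): Response {
    val result = if (permissionService.checkRepoAccessControl(projectId, repoName)) {
        // null: caller is exempt from path checks (admin); empty list: nothing is allowed
        val allowed = permissionService.listPermissionPath(userId, projectId, repoName)
        ListPathResult(status = allowed != null, path = mapOf(OperationType.IN to allowed.orEmpty()))
    } else {
        val denied = permissionService.listNoPermissionPath(userId, projectId, repoName)
        ListPathResult(status = denied.isNotEmpty(), path = mapOf(OperationType.NIN to denied))
    }
    return ResponseBuilder.success(result)
}
```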
@@ -0,0 +1,75 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2024 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated + * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all copies or substantial portions of + * the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT + * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ */
+
+
+package com.tencent.bkrepo.auth.controller.user
+
+import com.tencent.bkrepo.auth.controller.OpenResource
+import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus
+import com.tencent.bkrepo.auth.pojo.authconfig.RepoAuthStatusRequest
+import com.tencent.bkrepo.auth.service.PermissionService
+import com.tencent.bkrepo.auth.service.RepoModeService
+import com.tencent.bkrepo.common.api.pojo.Response
+import com.tencent.bkrepo.common.service.util.ResponseBuilder
+import org.springframework.web.bind.annotation.RestController
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RequestParam
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RequestBody
+
+@RestController
+@RequestMapping("/api/mode/repo")
+class RepoModeController(
+ private val repoModeService: RepoModeService,
+ permissionService: PermissionService
+) : OpenResource(permissionService) {
+
+ @GetMapping("/query")
+ fun getStatus(
+ @RequestParam projectId: String,
+ @RequestParam repoName: String,
+ ): Response {
+ preCheckProjectAdmin(projectId)
+ val result = repoModeService.getAccessControlStatus(projectId, repoName)
+ return ResponseBuilder.success(result)
+ }
+
+ @PostMapping("/toggle")
+ fun toggleStatus(
+ @RequestBody request: RepoAuthStatusRequest
+ ): Response {
+ with(request) {
+ preCheckProjectAdmin(projectId)
+ repoModeService.createOrUpdateConfig(projectId, repoName, status)
+ return ResponseBuilder.success(
+ repoModeService.getAccessControlStatus(projectId, repoName)
+ )
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt
new file mode 100644
index 0000000000..fb936c020c
--- /dev/null
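Review bot: `@RequestMapping("/api/mode/repo")` repeats the string that this same commit adds to Constants.kt as `AUTH_API_AUTH_MODE_PREFIX` and registers in AuthInterceptor's prefix list; if either copy is edited the interceptor silently stops matching this controller, so map on the constant instead, `@RequestMapping(AUTH_API_AUTH_MODE_PREFIX)`. `toggleStatus` discards the `RepoModeStatus` that `createOrUpdateConfig` already returns and reads the status again, which is a second round trip for the same value: `return ResponseBuilder.success(repoModeService.createOrUpdateConfig(projectId, repoName, status))`. A `with(request)` block that only reads three properties and wraps a `return` is harder to follow than `request.projectId` at the use sites. The class has no KDoc; a one-liner stating that both endpoints require project admin (which `preCheckProjectAdmin` enforces) would help.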
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt 
@@ -0,0 +1,63 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated + * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all copies or substantial portions of + * the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT + * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ */
+
+
+package com.tencent.bkrepo.auth.dao
+
+import com.tencent.bkrepo.auth.model.TRepoAuthConfig
+import com.tencent.bkrepo.common.mongo.dao.simple.SimpleMongoDao
+import com.tencent.bkrepo.common.security.util.SecurityUtils
+import org.springframework.data.mongodb.core.FindAndModifyOptions
+import org.springframework.data.mongodb.core.query.Criteria
+import org.springframework.data.mongodb.core.query.Query
+import org.springframework.data.mongodb.core.query.Update
+import org.springframework.stereotype.Repository
+import java.time.LocalDateTime
+
+@Repository
+class RepoAuthConfigDao : SimpleMongoDao() {
+ fun findOneByProjectRepo(projectId: String, repoName: String): TRepoAuthConfig? {
+ return this.findOne(
+ Query.query(
+ Criteria.where(TRepoAuthConfig::projectId.name).`is`(projectId)
+ .and(TRepoAuthConfig::repoName.name).`is`(repoName)
+ )
+ )
+ }
+
+ fun upsertProjectRepo(projectId: String, repoName: String, status: Boolean): String {
+ val query = Query.query(
+ Criteria.where(TRepoAuthConfig::projectId.name).`is`(projectId)
+ .and(TRepoAuthConfig::repoName.name).`is`(repoName)
+ )
+ val options = FindAndModifyOptions().returnNew(true).upsert(true)
+ val update = Update().set(TRepoAuthConfig::accessControl.name, status)
+ .set(TRepoAuthConfig::lastModifiedBy.name, SecurityUtils.getUserId())
+ .set(TRepoAuthConfig::lastModifiedDate.name, LocalDateTime.now())
+ return this.findAndModify(query, update, options, TRepoAuthConfig::class.java)!!.id!!
+ }
+}
\ No newline at end of file
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/helper/PermissionHelper.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/helper/PermissionHelper.kt
index ced0c74925..f23127b2fd 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/helper/PermissionHelper.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/helper/PermissionHelper.kt
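Review bot: `upsertProjectRepo` pulls the actor from `SecurityUtils.getUserId()` inside the DAO, so whichever code path happens to trigger the upsert is recorded as `lastModifiedBy`; passing the operator in as a parameter keeps the audit field under the caller's control and keeps the DAO free of request-context lookups. `findAndModify(...)!!.id!!` is defensible with `returnNew(true).upsert(true)`, but an unexplained double `!!` reads as a smell; `checkNotNull(this.findAndModify(query, update, options, TRepoAuthConfig::class.java)?.id) { "upsert of $projectId/$repoName returned no document" }` fails with a message instead of an NPE. The project/repo `Criteria` is built twice; a private `repoQuery(projectId, repoName)` removes the duplication. Two concurrent first-time upserts for the same repo can, in principle, both miss on the query and collide on the unique `repo_idx` index, so the caller should be prepared for a duplicate-key error if that is a realistic path here.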
@@ -186,10 +186,11 @@ class PermissionHelper constructor(
 return request.projectId != null && request.action == READ.name && isProjectUser
 }
- fun getNoPermissionPathFromConfig(
+ fun getPermissionPathFromConfig(
 userId: String,
 roles: List,
- config: List
+ config: List,
+ include: Boolean
 ): List {
 val excludePath = mutableListOf()
 val includePath = mutableListOf()
@@ -221,6 +222,9 @@ class PermissionHelper constructor(
 }
 }
 }
+ if (include) {
+ return includePath.distinct()
+ }
 val filterPath = includePath.distinct()
 return excludePath.distinct().filter { !filterPath.contains(it) }
 }
@@ -336,16 +340,14 @@ class PermissionHelper constructor(
 return permissionDao.updateById(id, key, value)
 }
- fun checkNodeAction(request: CheckPermissionRequest, userRoles: List?, isProjectUser: Boolean): Boolean {
+ fun checkNodeActionWithOutCtrl(
+ request: CheckPermissionRequest,
+ userRoles: List?,
+ isProjectUser: Boolean
+ ): Boolean {
 with(request) {
- var roles = userRoles
 if (resourceType != NODE.name || path == null) return false
- if (roles == null) {
- val user = userDao.findFirstByUserId(uid) ?: run {
- throw ErrorCodeException(AuthMessageCode.AUTH_USER_NOT_EXIST)
- }
- roles = user.roles
- }
+ val roles = getUserRoles(uid, userRoles)
 val result = permissionDao.listInPermission(projectId!!, repoName!!, uid, resourceType, roles)
 result.forEach {
 if (checkIncludePatternAction(it.includePattern, path!!, it.actions, action)) return true
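Review bot: The new `include: Boolean` parameter turns `getPermissionPathFromConfig` into two functions selected by a flag, and both call sites in PermissionServiceImpl pass a bare `false`/`true` that cannot be read without opening the helper; at minimum use a named argument, `include = true`, and preferably split it into `getIncludePathFromConfig`/`getExcludePathFromConfig` that share the private collection loop. When `include` is true the exclude paths collected in the loop are ignored entirely, whereas the `false` path subtracts the includes from the excludes; that asymmetry deserves a KDoc sentence such as `With include set, returns every include-pattern path regardless of exclude rules; otherwise returns the exclude paths that are not also included.` The loop that fills `excludePath`/`includePath` lies between the first two hunks and is not visible here.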
@@ -363,16 +365,35 @@ class PermissionHelper constructor(
 return isProjectUser
 }
+ fun checkNodeActionWithCtrl(request: CheckPermissionRequest, userRoles: List?): Boolean {
+ with(request) {
+ if (resourceType != NODE.name || path == null) return false
+ val roles = getUserRoles(uid, userRoles)
+ val result = permissionDao.listInPermission(projectId!!, repoName!!, uid, resourceType, roles)
+ result.forEach {
+ if (checkIncludePatternAction(it.includePattern, path!!, it.actions, action)) return true
+ }
+ val personalPathCheck = checkPersonalPath(uid, projectId!!, repoName!!, path!!)
+ if (personalPathCheck != null) return personalPathCheck
+ return false
+ }
+ }
+
+ private fun getUserRoles(userId: String, userRoles: List?): List {
+ var roles = userRoles
+ if (roles == null) {
+ val user = userDao.findFirstByUserId(userId) ?: run {
+ throw ErrorCodeException(AuthMessageCode.AUTH_USER_NOT_EXIST)
+ }
+ roles = user.roles
+ }
+ return roles
+ }
+
 private fun checkPersonalPath(userId: String, projectId: String, repoName: String, path: String): Boolean? {
 // check personal path
 val personalPath = personalPathDao.findOneByProjectAndRepo(userId, projectId, repoName)
 if (personalPath != null && path.startsWith(personalPath.fullPath)) return true
-
- // check personal exclude path
- val personalExcludePath = personalPathDao.listByProjectAndRepoAndExcludeUser(userId, projectId, repoName)
- personalExcludePath.forEach {
- if (path.startsWith(it.fullPath)) return false
- }
 return null
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/interceptor/AuthInterceptor.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/interceptor/AuthInterceptor.kt
index 4dd58bea6d..8e9bda5317 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/interceptor/AuthInterceptor.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/interceptor/AuthInterceptor.kt
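Review bot: `checkPersonalPath` no longer consults `listByProjectAndRepoAndExcludeUser`, so in the non-access-control path a request for another user's personal path is no longer refused by this helper, while `listNoPermissionPath` in PermissionServiceImpl still reports exactly those paths as denied; unless the part of `checkNodeActionWithOutCtrl` that lies between this hunk and the previous one re-applies that rule, the check and the list now disagree and access has widened in the default mode. If the removal is intentional, `checkPersonalPath` now only ever returns `true` or `null`, so its `Boolean?` type is a leftover and `checkNodeActionWithCtrl` can end with `return checkPersonalPath(uid, projectId!!, repoName!!, path!!) ?: false`. `getUserRoles` reads as transliterated Java; `return userRoles ?: (userDao.findFirstByUserId(userId) ?: throw ErrorCodeException(AuthMessageCode.AUTH_USER_NOT_EXIST)).roles` says the same without the `var`. `checkNodeActionWithCtrl` also repeats the guard, role lookup and include-pattern loop of `checkNodeActionWithOutCtrl`; a shared private helper would keep the two modes from drifting apart.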
@@ -37,6 +37,7 @@ import com.tencent.bkrepo.auth.constant.AUTH_API_PERMISSION_PREFIX
 import com.tencent.bkrepo.auth.constant.AUTH_API_OAUTH_PREFIX
 import com.tencent.bkrepo.auth.constant.AUTH_API_USER_PREFIX
 import com.tencent.bkrepo.auth.constant.AUTH_API_ROLE_PREFIX
+import com.tencent.bkrepo.auth.constant.AUTH_API_AUTH_MODE_PREFIX
 import com.tencent.bkrepo.auth.constant.AUTH_CLUSTER_PERMISSION_CHECK_PREFIX
 import com.tencent.bkrepo.auth.constant.AUTH_CLUSTER_TOKEN_DECREMENT_PREFIX
 import com.tencent.bkrepo.auth.constant.AUTH_CLUSTER_TOKEN_DELETE_PREFIX
@@ -241,6 +242,7 @@ class AuthInterceptor(
 AUTH_API_ROLE_PREFIX,
 AUTH_API_PERMISSION_PREFIX,
 AUTH_API_OAUTH_PREFIX,
+ AUTH_API_AUTH_MODE_PREFIX
 )
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt
new file mode 100644
index 0000000000..54ee4d8a78
--- /dev/null
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt
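Review bot: The element before the new entry keeps its trailing comma, so the list was written in trailing-comma style and the new last line should be `AUTH_API_AUTH_MODE_PREFIX,` to stay consistent and keep the next addition a one-line diff. What this prefix list controls in AuthInterceptor is outside the hunk, so the effect of registering the new prefix cannot be checked from here.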
@@ -0,0 +1,51 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2024 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+package com.tencent.bkrepo.auth.model
+
+import org.springframework.data.mongodb.core.index.CompoundIndex
+import org.springframework.data.mongodb.core.index.CompoundIndexes
+import org.springframework.data.mongodb.core.mapping.Document
+import java.time.LocalDateTime
+
+@Document("repo_auth_mode")
+@CompoundIndexes(
+ CompoundIndex(name = "repo_idx", def = "{'projectId': 1, 'repoName': 1}", background = true, unique = true),
+ CompoundIndex(name = "access_ctrl_idx", def = "{'accessControl': 1}", background = true)
+)
+data class TRepoAuthConfig(
+ var id: String? = null,
+ var projectId: String,
+ var repoName: String,
+ var accessControl: Boolean,
+ var lastModifiedBy: String,
+ val lastModifiedDate: LocalDateTime
+)
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt
new file mode 100644
index 0000000000..14c6945de3
--- /dev/null
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt
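Review bot: Five of the six properties are `var` although nothing in this commit reassigns a `TRepoAuthConfig` after construction — `RepoAuthConfigDao` changes the document through `Update.set`, not through the object — and `lastModifiedDate` is already `val`, so `val projectId`, `val repoName`, `val accessControl` and `val lastModifiedBy` would make the model consistently immutable, leaving only the generated `id` mutable if the mapping layer needs a setter there. The class has no KDoc; `accessControl` in particular needs a sentence saying that `true` switches the repository from the deny-list path check to the allow-list check, since `PermissionServiceImpl.checkNodeAction` branches on it. A note that the unique `repo_idx` index is what makes the DAO's upsert safe to retry would also help the next maintainer.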
@@ -0,0 +1,39 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2024 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package com.tencent.bkrepo.auth.pojo.authconfig + +data class RepoAuthStatusRequest( + val status: Boolean, + val projectId: String, + val repoName: String +) + diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt new file mode 100644 index 0000000000..9d08a248ea --- /dev/null 
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt
@@ -0,0 +1,6 @@
+package com.tencent.bkrepo.auth.pojo.permission
+
+data class RepoModeStatus(
+ val id: String,
+ val status: Boolean
+)
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/PermissionService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/PermissionService.kt
index d350caa411..c4cffa4152 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/PermissionService.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/PermissionService.kt
@@ -65,10 +65,20 @@ interface PermissionService {
 fun listPermissionProject(userId: String): List
 /**
- * 获取有权限路径列表
+ * 获取无权限路径列表
 */
 fun listNoPermissionPath(userId: String, projectId: String, repoName: String): List
+ /**
+ * 获取有权限路径列表
+ */
+ fun listPermissionPath(userId: String, projectId: String, repoName: String): List?
+
+ /**
+ * 查询是否开启仓库访问限制
+ */
+ fun checkRepoAccessControl(projectId: String, repoName: String): Boolean
+
 fun createPermission(request: CreatePermissionRequest): Boolean
 fun listPermission(projectId: String, repoName: String?, resourceType: String): List
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt
new file mode 100644
index 0000000000..a082786ea7
--- /dev/null
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt
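Review bot: The KDoc on `listPermissionPath` does not say what its two special return values mean, and the implementation gives them distinct semantics: `null` when the caller is exempt from path checks (admin) and an empty list when no path is allowed, which `ServicePermissionController` turns into `status = false` and `status = true` respectively. Suggested wording: `Returns the paths the user may access under repository access control; null means the caller is exempt from path checks (admin), an empty list means no path is allowed.` `checkRepoAccessControl` should likewise state that a repository with no stored configuration counts as access control disabled, which is how `PermissionServiceImpl` implements it.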
@@ -0,0 +1,44 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2024 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +package com.tencent.bkrepo.auth.service + + +import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus + +interface RepoModeService { + + fun createOrUpdateConfig(projectId: String, repoName: String, status: Boolean): RepoModeStatus + + fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus + +} \ No newline at end of file 
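Review bot: `RepoModeService` has no KDoc, and `getAccessControlStatus` is not a plain read in its implementation (`RepoModeServiceImpl` inserts a disabled configuration when none exists), which an interface reader cannot guess from the name. Document the contract on the interface, e.g. `Returns the access-control status of a repository; creates a disabled configuration if none exists yet.`, or change the implementation so the name is accurate. The double blank lines after the license and after `package` are not the layout used by the other files in this commit.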
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt index 812292a5b2..3b483627fc 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt @@ -42,6 +42,7 @@ import com.tencent.bkrepo.auth.constant.LOG import com.tencent.bkrepo.auth.constant.PIPELINE import com.tencent.bkrepo.auth.constant.REPORT import com.tencent.bkrepo.auth.dao.PersonalPathDao +import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.MANAGE import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.READ import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.WRITE @@ -65,6 +66,7 @@ class DevopsPermissionServiceImpl constructor( permissionDao: PermissionDao, userDao: UserDao, personalPathDao: PersonalPathDao, + repoAuthConfigDao: RepoAuthConfigDao, private val devopsAuthConfig: DevopsAuthConfig, private val devopsPipelineService: DevopsPipelineService, private val devopsProjectService: DevopsProjectService, @@ -78,6 +80,7 @@ class DevopsPermissionServiceImpl constructor( accountRepository, permissionDao, personalPathDao, + repoAuthConfigDao, repoClient, projectClient, ) { diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index 86d0f1bcb1..3312179a57 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt 
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt @@ -33,6 +33,7 @@ import com.tencent.bkrepo.auth.constant.PIPELINE import com.tencent.bkrepo.auth.constant.REPORT import com.tencent.bkrepo.auth.dao.PermissionDao import com.tencent.bkrepo.auth.dao.PersonalPathDao +import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao import com.tencent.bkrepo.auth.dao.UserDao import com.tencent.bkrepo.auth.dao.repository.AccountRepository import com.tencent.bkrepo.auth.dao.repository.RoleRepository @@ -56,6 +57,7 @@ open class BkIamV3PermissionServiceImpl( accountRepository: AccountRepository, permissionDao: PermissionDao, personalPathDao: PersonalPathDao, + repoAuthConfigDao: RepoAuthConfigDao, repoClient: RepositoryClient, projectClient: ProjectClient ) : PermissionServiceImpl( @@ -64,6 +66,7 @@ open class BkIamV3PermissionServiceImpl( permissionDao, userDao, personalPathDao, + repoAuthConfigDao, repoClient, projectClient ) { diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt new file mode 100644 index 0000000000..68c9e82b2a --- /dev/null +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt 
@@ -0,0 +1,60 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2024 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+package com.tencent.bkrepo.auth.service.impl
+
+import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao
+import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus
+import com.tencent.bkrepo.auth.service.RepoModeService
+import org.springframework.stereotype.Service
+
+@Service
+class RepoModeServiceImpl(
+ private val repoAuthConfigDao: RepoAuthConfigDao
+) : RepoModeService {
+
+ override fun createOrUpdateConfig(projectId: String, repoName: String, status: Boolean): RepoModeStatus {
+ val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, status)
+ return RepoModeStatus(id, status)
+ }
+
+
+ override fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus {
+ val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName)
+ if (result != null) {
+ return RepoModeStatus(result.id!!, result.accessControl)
+ }
+ val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, false)
+ return RepoModeStatus(id, false)
+ }
+
+
+}
\ No newline at end of file
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
index bd34de726f..d11fdb1976 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt
@@ -38,6 +38,7 @@ import com.tencent.bkrepo.auth.constant.PROJECT_MANAGE_ID
 import com.tencent.bkrepo.auth.constant.PROJECT_VIEWER_ID
 import com.tencent.bkrepo.auth.dao.PermissionDao
 import com.tencent.bkrepo.auth.dao.PersonalPathDao
+import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao
 import com.tencent.bkrepo.auth.dao.UserDao
 import com.tencent.bkrepo.auth.message.AuthMessageCode
 import com.tencent.bkrepo.auth.model.TPermission
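Review bot: `getAccessControlStatus` writes on a read: when no configuration exists it calls `upsertProjectRepo(projectId, repoName, false)`, so the `/query` GET in RepoModeController persists a document and stamps `lastModifiedBy` with whoever queried, for a state that `PermissionServiceImpl.checkRepoAccessControl` already treats as "disabled" when the document is absent. The only reason for the insert appears to be that `RepoModeStatus.id` is non-nullable; making it `val id: String?` lets the read stay side-effect free, as sketched below. `result.id!!` in the found branch should be a `checkNotNull` with a message, since an id-less stored document is a data bug worth naming. The double blank lines between members are not the layout of the sibling files.
```kotlin
override fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus {
    // An absent configuration means access control is off; report it without creating a document.
    val config = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName)
        ?: return RepoModeStatus(id = null, status = false) // needs RepoModeStatus.id to become String?
    val id = checkNotNull(config.id) { "stored config for $projectId/$repoName has no id" }
    return RepoModeStatus(id, config.accessControl)
}
```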
@@ -77,6 +78,7 @@ open class PermissionServiceImpl constructor(
 private val permissionDao: PermissionDao,
 private val userDao: UserDao,
 private val personalPathDao: PersonalPathDao,
+ private val repoAuthConfigDao: RepoAuthConfigDao,
 val repoClient: RepositoryClient,
 val projectClient: ProjectClient
 ) : PermissionService {
@@ -302,12 +304,26 @@ open class PermissionServiceImpl constructor(
 return emptyList()
 }
 val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
- val configPath = permHelper.getNoPermissionPathFromConfig(userId, user.roles, projectPermission)
+ val configPath = permHelper.getPermissionPathFromConfig(userId, user.roles, projectPermission, false)
 val personalPath = personalPathDao.listByProjectAndRepoAndExcludeUser(userId, projectId, repoName)
 .map { it.fullPath }
 return (configPath + personalPath).distinct()
 }
 
+ override fun listPermissionPath(userId: String, projectId: String, repoName: String): List? {
+ val user = userDao.findFirstByUserId(userId) ?: return emptyList()
+ if (user.admin || isUserLocalProjectAdmin(userId, projectId)) {
+ return null
+ }
+ val permission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
+ val configPath = permHelper.getPermissionPathFromConfig(userId, user.roles, permission, true).toMutableList()
+ val personalPath = personalPathDao.findOneByProjectAndRepo(userId, projectId, repoName)
+ if (personalPath != null) {
+ configPath.add(personalPath.fullPath)
+ }
+ return configPath.distinct()
+ }
+
 fun getAllRepoByProjectId(projectId: String): List {
 return repoClient.listRepo(projectId).data?.map { it.name } ?: emptyList()
 }
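Review bot: `listPermissionPath` encodes two different outcomes in its return value — `null` for a global or project admin and `emptyList()` for a user that `userDao.findFirstByUserId` does not know — and nothing in the new code says what a caller should do with each; presumably `null` means "unrestricted" and an empty list means "no path is accessible" once a repo is in access-control mode, but the consumer (`permHelper.checkNodeActionWithCtrl`) is not visible here, so the contract needs to be written down rather than inferred. I would add a KDoc above the override: `/** Paths [userId] may access in [projectId]/[repoName]: null means unrestricted (global or project admin); an empty list means no path is accessible (unknown user or no grant). */`. The generic type on the return (`List?`) looks stripped by extraction; I am assuming `List<String>?` as in the sibling method. The enclosing class continues past both ends of this hunk.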
@@ -396,7 +412,13 @@ open class PermissionServiceImpl constructor(
 }
 
 fun checkNodeAction(request: CheckPermissionRequest, userRoles: List?, isProjectUser: Boolean): Boolean {
- return permHelper.checkNodeAction(request, userRoles, isProjectUser)
+ with(request) {
+ if (checkRepoAccessControl(projectId!!, repoName!!)) {
+ return permHelper.checkNodeActionWithCtrl(request, userRoles)
+ }
+ return permHelper.checkNodeActionWithOutCtrl(request, userRoles, isProjectUser)
+ }
+
 }
 
 fun needNodeCheck(projectId: String, repoName: String): Boolean {
@@ -404,6 +426,11 @@ open class PermissionServiceImpl constructor(
 return projectPermission.isNotEmpty()
 }
 
+ override fun checkRepoAccessControl(projectId: String, repoName: String): Boolean {
+ val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false
+ return result.accessControl
+ }
+
 companion object {
 private val logger = LoggerFactory.getLogger(PermissionServiceImpl::class.java)
 private const val defaultPersonalPrefix = "/Personal"
diff --git a/src/backend/common/common-artifact/artifact-cache/src/test/kotlin/com/tencent/bkrepo/common/artifact/cache/service/impl/ArtifactPreloadPlanServiceImplTest.kt b/src/backend/common/common-artifact/artifact-cache/src/test/kotlin/com/tencent/bkrepo/common/artifact/cache/service/impl/ArtifactPreloadPlanServiceImplTest.kt
index fc57912c67..9d407befa3 100644
--- a/src/backend/common/common-artifact/artifact-cache/src/test/kotlin/com/tencent/bkrepo/common/artifact/cache/service/impl/ArtifactPreloadPlanServiceImplTest.kt
+++ b/src/backend/common/common-artifact/artifact-cache/src/test/kotlin/com/tencent/bkrepo/common/artifact/cache/service/impl/ArtifactPreloadPlanServiceImplTest.kt
@@ -253,7 +253,7 @@ class ArtifactPreloadPlanServiceImplTest @Autowired constructor(
 lastModifiedDate = "",
 quota = null,
 display = true,
- used = null,
+ used = null
 )
 
 private fun buildNodeInfo(projectId: String = UT_PROJECT_ID, repoName: String = UT_REPO_NAME): NodeInfo {
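Review bot: `projectId!!` and `repoName!!` inside `checkNodeAction` turn a `CheckPermissionRequest` without those fields into a NullPointerException, whereas the removed line handed the request to `permHelper.checkNodeAction` untouched; the `!!` itself shows the fields are nullable on the request type. A node-level check with no repo cannot be under per-repo access control, so fall through instead of crashing: `val ctrl = projectId != null && repoName != null && checkRepoAccessControl(projectId, repoName)` and branch on `ctrl`, which also removes the need for the `with(request)` block. Note that this change adds a `repoAuthConfigDao.findOneByProjectRepo` lookup on every node permission check; whether that DAO is cached is not visible here and is worth confirming on a hot path. The blank line left before the closing brace is leftover whitespace.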
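Review bot: `checkRepoAccessControl` silently treats a missing config row as "access control off" (`?: return false`), which routes the repo to the legacy `checkNodeActionWithOutCtrl` path; this is consistent with `RepoModeServiceImpl.getAccessControlStatus` defaulting to `false`, but the fail-open choice deserves a comment so nobody later "fixes" it to fail closed without revisiting both places: `// No config row means access control was never enabled for this repo; use the legacy node check.` `needNodeCheck`, whose tail forms the first lines of this hunk, starts outside it.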
diff --git a/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserRepositoryController.kt b/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserRepositoryController.kt
index 6c7baf7d86..bce63881f5 100644
--- a/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserRepositoryController.kt
+++ b/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserRepositoryController.kt
@@ -236,7 +236,7 @@ class UserRepositoryController(
 description = request.description,
 configuration = request.configuration,
 operator = userId,
- display = request.display,
+ display = request.display
 )
 repositoryService.updateRepo(repoUpdateRequest)
 return ResponseBuilder.success()
diff --git a/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/service/repo/impl/RepositoryServiceImpl.kt b/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/service/repo/impl/RepositoryServiceImpl.kt
index 2b9c03f497..6931cee086 100644
--- a/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/service/repo/impl/RepositoryServiceImpl.kt
+++ b/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/service/repo/impl/RepositoryServiceImpl.kt
@@ -772,7 +772,7 @@ class RepositoryServiceImpl(
 lastModifiedDate = it.lastModifiedDate.format(DateTimeFormatter.ISO_DATE_TIME),
 quota = it.quota,
 used = it.used,
- display = it.display,
+ display = it.display
 )
 }
 }
diff --git a/src/frontend/devops-repository/src/store/actions/permission.js b/src/frontend/devops-repository/src/store/actions/permission.js
index ccb203731b..606bcd5592 100644
--- a/src/frontend/devops-repository/src/store/actions/permission.js
+++ b/src/frontend/devops-repository/src/store/actions/permission.js
@@ -308,5 +308,24 @@ export default {
 return Vue.prototype.$ajax.get(`${authPrefix}/permission/permission/available`).then(res => {
 commit('SET_REPO_PERMISSION_LIMIT', res)
 })
+ },
+ // 获取当前repo的根目录权限
+ getRootPermission (_, { projectId, repoName }) {
+ return Vue.prototype.$ajax.get(
+ `${authPrefix}/mode/repo/query`,
+ {
+ params: {
+ projectId: projectId,
+ repoName: repoName
+ }
+ }
+ )
+ },
+ // 创建或更新当前根目录权限
+ createOrUpdateRootPermission (_, { body }) {
+ return Vue.prototype.$ajax.post(
+ `${authPrefix}/mode/repo/toggle`,
+ body
+ )
 }
 }
diff --git a/src/frontend/devops-repository/src/views/repoConfig/permissionConfig/permissionConfig.vue b/src/frontend/devops-repository/src/views/repoConfig/permissionConfig/permissionConfig.vue
index f10115f26d..83a26970b7 100644
--- a/src/frontend/devops-repository/src/views/repoConfig/permissionConfig/permissionConfig.vue
+++ b/src/frontend/devops-repository/src/views/repoConfig/permissionConfig/permissionConfig.vue
@@ -1,5 +1,11 @@
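Review bot: the new store actions take destructured payloads but then spell the query out long-hand (`projectId: projectId, repoName: repoName`); the shorthand `params: { projectId, repoName }` matches the `(_, { projectId, repoName })` signature one line above and is the style the rest of this action list appears to use. `createOrUpdateRootPermission` forwards an opaque `body` and nothing says what it must contain — given the backend signature `createOrUpdateConfig(projectId, repoName, status)` it is presumably `{ projectId, repoName, status }`, so a JSDoc on the action naming those fields (`@param {{ projectId: string, repoName: string, status: boolean }} body`) would spare callers a trip to the Kotlin side; treat the exact field names as something to confirm against the controller. The `export default {` object enclosing these actions starts before the hunk.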