feat: 优化访问限制 TencentBlueKing#2421

* feat: 优化访问限制 TencentBlueKing#2421

* feat: 优化访问限制 TencentBlueKing#2421

* feat：Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat：Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat：Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat：Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat：Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat：Generic 和 DDC 仓库支持按照目录管理权限 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat: 增加发行模式 TencentBlueKing#2421

* feat：补充误删样式 TencentBlueKing#2416

* feat: 优化访问限制 TencentBlueKing#2421

* feat: 优化访问限制 TencentBlueKing#2421

---------

Co-authored-by: lannoy0523 <935275025@qq.com>

docs/install/env.md

@@ -29,7 +29,7 @@
 | BK_REPO_GATEWAY_DNS_ADDR   | 网关dns解析服务地址      | 127.0.0.1:53                                                                                          |
 | BK_REPO_SERVICE_PREFIX     | bkrepo微服务前缀      | bkrepo-                                                                                               |
 | BK_REPO_DEPLOY_MODE        | bkrepo部署模式       | standalone / ci                                                                                       |
-
+| BK_REPO_RELEASE_MODE        | bkrepo发行模式       | devx / community                                                                                             |
 ## consul配置项
 
 | 配置项                     | 说明            | 示例      |

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt

@@ -65,7 +65,7 @@ class RepoModeController(
     ): Response<RepoModeStatus> {
         with(request) {
             preCheckProjectAdmin(projectId)
-            repoModeService.createOrUpdateConfig(projectId, repoName, controlEnable, officeDenyGroupSet)
+            repoModeService.createOrUpdateConfig(projectId, repoName, accessControlMode, officeDenyGroupSet)
             return ResponseBuilder.success(
                 repoModeService.getAccessControlStatus(projectId, repoName)
             )

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt

@@ -29,6 +29,7 @@
 package com.tencent.bkrepo.auth.dao
 
 import com.tencent.bkrepo.auth.model.TRepoAuthConfig
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
 import com.tencent.bkrepo.common.mongo.dao.simple.SimpleMongoDao
 import com.tencent.bkrepo.common.security.util.SecurityUtils
 import org.springframework.data.mongodb.core.FindAndModifyOptions
@@ -52,15 +53,15 @@ class RepoAuthConfigDao : SimpleMongoDao<TRepoAuthConfig>() {
     fun upsertProjectRepo(
         projectId: String,
         repoName: String,
-        status: Boolean,
+        accessControlMode: AccessControlMode,
         officeDenyGroupSet: Set<String>
     ): String {
         val query = Query.query(
             Criteria.where(TRepoAuthConfig::projectId.name).`is`(projectId)
                 .and(TRepoAuthConfig::repoName.name).`is`(repoName)
         )
         val options = FindAndModifyOptions().returnNew(true).upsert(true)
-        val update = Update().set(TRepoAuthConfig::accessControl.name, status)
+        val update = Update().set(TRepoAuthConfig::accessControlMode.name, accessControlMode)
             .set(TRepoAuthConfig::officeDenyGroupSet.name, officeDenyGroupSet)
             .set(TRepoAuthConfig::lastModifiedBy.name, SecurityUtils.getUserId())
             .set(TRepoAuthConfig::lastModifiedDate.name, LocalDateTime.now())

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/model/TRepoAuthConfig.kt

@@ -31,6 +31,7 @@
 
 package com.tencent.bkrepo.auth.model
 
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
 import org.springframework.data.mongodb.core.index.CompoundIndex
 import org.springframework.data.mongodb.core.index.CompoundIndexes
 import org.springframework.data.mongodb.core.mapping.Document
@@ -39,13 +40,14 @@ import java.time.LocalDateTime
 @Document("repo_auth_mode")
 @CompoundIndexes(
     CompoundIndex(name = "repo_idx", def = "{'projectId': 1, 'repoName': 1}", background = true, unique = true),
-    CompoundIndex(name = "access_ctrl_idx", def = "{'accessControl': 1}", background = true)
+    CompoundIndex(name = "access_ctrl_idx", def = "{'accessControlMode': 1}", background = true)
 )
 data class TRepoAuthConfig(
     var id: String? = null,
     var projectId: String,
     var repoName: String,
-    var accessControl: Boolean,
+    var accessControl: Boolean?,
+    var accessControlMode: AccessControlMode?,
     var officeDenyGroupSet: Set<String>?,
     var lastModifiedBy: String,
     val lastModifiedDate: LocalDateTime

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/authconfig/RepoAuthStatusRequest.kt

@@ -31,11 +31,12 @@
 
 package com.tencent.bkrepo.auth.pojo.authconfig
 
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
+
 data class RepoAuthStatusRequest(
     val projectId: String,
     val repoName: String,
-    val status: Boolean = false,
-    val controlEnable: Boolean = false,
+    val accessControlMode: AccessControlMode?,
     val officeDenyGroupSet: Set<String> = emptySet()
 
 )

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/AccessControlMode.kt

@@ -0,0 +1,41 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.auth.pojo.enums
+
+enum class AccessControlMode {
+    // 严格模式
+    STRICT,
+    // 任意下载
+    DEFAULT,
+    // 目录控制
+    DIR_CTRL
+}

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt

@@ -1,8 +1,9 @@
 package com.tencent.bkrepo.auth.pojo.permission
 
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
+
 data class RepoModeStatus(
     val id: String,
-    val status: Boolean = false,
-    val controlEnable: Boolean =false,
+    val accessControlMode: AccessControlMode?,
     val officeDenyGroupSet: Set<String> = emptySet()
 )

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt

@@ -33,16 +33,17 @@
 package com.tencent.bkrepo.auth.service
 
 
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
 import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus
 
 interface RepoModeService {
 
     fun createOrUpdateConfig(
         projectId: String,
         repoName: String,
-        controlEnable: Boolean,
+        accessControlMode: AccessControlMode?,
         officeDenyGroupSet: Set<String>
-    ): RepoModeStatus
+    ): RepoModeStatus?
 
     fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus
 

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt

@@ -122,10 +122,13 @@ class DevopsPermissionServiceImpl constructor(
         return allProjectList.distinct()
     }
 
+    override fun listPermissionPath(userId: String, projectId: String, repoName: String): List<String>? {
+        if (isDevopsProjectAdmin(userId, projectId)) return null
+        return super.listPermissionPath(userId, projectId, repoName)
+    }
+
     override fun listNoPermissionPath(userId: String, projectId: String, repoName: String): List<String> {
-        if (isDevopsProjectAdmin(userId, projectId)) {
-            return emptyList()
-        }
+        if (isDevopsProjectAdmin(userId, projectId)) return emptyList()
         return super.listNoPermissionPath(userId, projectId, repoName)
     }
 
@@ -258,7 +261,7 @@ class DevopsPermissionServiceImpl constructor(
     }
 
     private fun needCheckPathPermission(resourceType: String, projectId: String, repoName: String): Boolean {
-        return devopsAuthConfig.enablePathCheck && resourceType == NODE.name && needNodeCheck(projectId, repoName)
+        return resourceType == NODE.name && needNodeCheck(projectId, repoName)
     }
 
     private fun checkDevopsPipelinePermission(context: CheckPermissionContext): Boolean {

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt

@@ -31,44 +31,61 @@
 
 package com.tencent.bkrepo.auth.service.impl
 
+import com.tencent.bkrepo.auth.dao.PermissionDao
 import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode
+import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus
 import com.tencent.bkrepo.auth.service.RepoModeService
+import com.tencent.bkrepo.repository.api.RepositoryClient
 import org.springframework.stereotype.Service
 
 @Service
 class RepoModeServiceImpl(
-    private val repoAuthConfigDao: RepoAuthConfigDao
+    private val repoAuthConfigDao: RepoAuthConfigDao,
+    private val permissionDao: PermissionDao,
+    private val repoClient: RepositoryClient,
 ) : RepoModeService {
 
     override fun createOrUpdateConfig(
         projectId: String,
         repoName: String,
-        controlEnable: Boolean,
+        accessControlMode: AccessControlMode?,
         officeDenyGroupSet: Set<String>
-    ): RepoModeStatus {
-        val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlEnable, officeDenyGroupSet)
-        return RepoModeStatus(id, controlEnable, controlEnable, officeDenyGroupSet)
+    ): RepoModeStatus? {
+        val repoDetail = repoClient.getRepoDetail(projectId, repoName).data ?: return null
+        if (repoDetail.public) return null
+        var controlMode = accessControlMode
+        if (accessControlMode == null) {
+            controlMode = AccessControlMode.DEFAULT
+        }
+
+        val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlMode!!, officeDenyGroupSet)
+        return RepoModeStatus(id, accessControlMode, officeDenyGroupSet)
     }
 
 
     override fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus {
+        var controlMode = AccessControlMode.DEFAULT
+        var officeDenyGroupSet = emptySet<String>()
+        if (permissionDao.listByResourceAndRepo(ResourceType.NODE.name, projectId, repoName).isNotEmpty()) {
+            controlMode = AccessControlMode.DIR_CTRL
+        }
         val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName)
         if (result != null) {
-            var officeDenyGroupSet = emptySet<String>()
             if (result.officeDenyGroupSet != null) {
                 officeDenyGroupSet = result.officeDenyGroupSet!!
             }
-            return RepoModeStatus(
-                id = result.id!!,
-                status = result.accessControl,
-                controlEnable = result.accessControl,
-                officeDenyGroupSet = officeDenyGroupSet
-            )
+            if (result.accessControlMode != null) {
+                controlMode = result.accessControlMode!!
+            }
+            // 老的数据， 严格模式直接切换
+            if (result.accessControl != null && result.accessControl!! && result.accessControlMode == null) {
+                controlMode = AccessControlMode.STRICT
+            }
         }
-        val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, false, emptySet())
-        return RepoModeStatus(id = id)
+        val id = repoAuthConfigDao.upsertProjectRepo(projectId, repoName, controlMode, officeDenyGroupSet)
+        return RepoModeStatus(id = id, accessControlMode = controlMode, officeDenyGroupSet = officeDenyGroupSet)
     }
 
-
 }

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/PermissionServiceImpl.kt

@@ -52,6 +52,8 @@ import com.tencent.bkrepo.auth.helper.PermissionHelper
 import com.tencent.bkrepo.auth.helper.UserHelper
 import com.tencent.bkrepo.auth.model.TPersonalPath
 import com.tencent.bkrepo.auth.model.TUser
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode.DEFAULT
+import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode.STRICT
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.WRITE
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.DELETE
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.MANAGE
@@ -452,17 +454,18 @@ open class PermissionServiceImpl constructor(
 
     fun needNodeCheck(projectId: String, repoName: String): Boolean {
         val projectPermission = permissionDao.listByResourceAndRepo(NODE.name, projectId, repoName)
-        return projectPermission.isNotEmpty()
+        val repoCheckConfig = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false
+        return projectPermission.isNotEmpty() && repoCheckConfig.accessControlMode != DEFAULT
     }
 
     override fun checkRepoAccessControl(projectId: String, repoName: String): Boolean {
         val result = repoAuthConfigDao.findOneByProjectRepo(projectId, repoName) ?: return false
-        return result.accessControl
+        return result.accessControlMode != null && result.accessControlMode == STRICT
     }
 
     /**
      * 校验是否在访问控制组
-     * true , 代码需要拦截
+     * true,代码需要拦截
      */
     fun checkRepoAccessDenyGroup(
         userId: String,