Merge pull request #11215 from fcfang123/issue-11138

feat：用户个人视角权限管理优化 #11138
TencentBlueKing · Dec 26, 2024 · 346ca8c · 346ca8c
2 parents 3666b2d + 02fa3a0
commit 346ca8c
Show file tree

Hide file tree

Showing 107 changed files with 5,818 additions and 1,670 deletions.
diff --git a/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt b/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt
@@ -27,8 +27,10 @@
 
 package com.tencent.devops.auth.api.service
 
+import com.tencent.devops.auth.pojo.vo.AuthProjectVO
 import com.tencent.devops.auth.pojo.vo.ProjectPermissionInfoVO
 import com.tencent.devops.common.api.auth.AUTH_HEADER_DEVOPS_BK_TOKEN
+import com.tencent.devops.common.api.auth.AUTH_HEADER_DEVOPS_USER_ID
 import com.tencent.devops.common.api.auth.AUTH_HEADER_GIT_TYPE
 import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
 import com.tencent.devops.common.api.pojo.Result
@@ -259,4 +261,13 @@ interface ServiceProjectAuthResource {
         @Parameter(description = "项目Code", required = true)
         projectCode: String
     ): Result<ProjectPermissionInfoVO>
+
+    @GET
+    @Path("/listUserProjectsWithAuthorization")
+    @Operation(summary = "获取用户授权相关的项目")
+    fun listUserProjectsWithAuthorization(
+        @HeaderParam(AUTH_HEADER_DEVOPS_USER_ID)
+        @Parameter(description = "用户ID", required = true)
+        userId: String
+    ): Result<List<AuthProjectVO>>
 }
diff --git a/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthAuthorizationResource.kt b/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthAuthorizationResource.kt
@@ -28,7 +28,10 @@
 
 package com.tencent.devops.auth.api.user
 
+import com.tencent.devops.auth.pojo.enum.OperateChannel
+import com.tencent.devops.auth.pojo.vo.AuthProjectVO
 import com.tencent.devops.auth.pojo.vo.ResourceTypeInfoVo
+import com.tencent.devops.common.api.auth.AUTH_HEADER_DEVOPS_USER_ID
 import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
 import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID_DEFAULT_VALUE
 import com.tencent.devops.common.api.model.SQLPage
@@ -68,6 +71,9 @@ interface UserAuthAuthorizationResource {
         @Parameter(description = "项目ID", required = true)
         @PathParam("projectId")
         projectId: String,
+        @Parameter(description = "操作渠道", required = true)
+        @QueryParam("operateChannel")
+        operateChannel: OperateChannel?,
         @Parameter(description = "查询条件", required = true)
         condition: ResourceAuthorizationConditionRequest
     ): Result<SQLPage<ResourceAuthorizationResponse>>
@@ -138,4 +144,13 @@ interface UserAuthAuthorizationResource {
         @Parameter(description = "资源授权交接条件实体", required = true)
         condition: ResetAllResourceAuthorizationReq
     ): Result<List<ResourceTypeInfoVo>>
+
+    @GET
+    @Path("/listUserProjectsWithAuthorization")
+    @Operation(summary = "获取用户授权相关的项目")
+    fun listUserProjectsWithAuthorization(
+        @HeaderParam(AUTH_HEADER_DEVOPS_USER_ID)
+        @Parameter(description = "用户ID", required = true)
+        userId: String
+    ): Result<List<AuthProjectVO>>
 }
diff --git a/...uth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthHandoverResource.kt b/...uth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthHandoverResource.kt
@@ -0,0 +1,112 @@
+package com.tencent.devops.auth.api.user
+
+import com.tencent.devops.auth.pojo.request.HandoverDetailsQueryReq
+import com.tencent.devops.auth.pojo.request.HandoverOverviewBatchUpdateReq
+import com.tencent.devops.auth.pojo.request.HandoverOverviewQueryReq
+import com.tencent.devops.auth.pojo.request.HandoverOverviewUpdateReq
+import com.tencent.devops.auth.pojo.request.ResourceType2CountOfHandoverQuery
+import com.tencent.devops.auth.pojo.vo.HandoverAuthorizationDetailVo
+import com.tencent.devops.auth.pojo.vo.HandoverGroupDetailVo
+import com.tencent.devops.auth.pojo.vo.HandoverOverviewVo
+import com.tencent.devops.auth.pojo.vo.ResourceType2CountVo
+import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
+import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID_DEFAULT_VALUE
+import com.tencent.devops.common.api.model.SQLPage
+import com.tencent.devops.common.api.pojo.Result
+import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverConditionRequest
+import io.swagger.v3.oas.annotations.Operation
+import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
+import javax.ws.rs.Consumes
+import javax.ws.rs.HeaderParam
+import javax.ws.rs.POST
+import javax.ws.rs.Path
+import javax.ws.rs.PathParam
+import javax.ws.rs.Produces
+import javax.ws.rs.core.MediaType
+
+@Tag(name = "USER_RESOURCE_AUTHORIZATION", description = "用户-权限-交接相关")
+@Path("/user/auth/handover/")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+interface UserAuthHandoverResource {
+    @POST
+    @Path("/{projectId}/handoverAuthorizationsApplication")
+    @Operation(summary = "交接授权申请")
+    fun handoverAuthorizationsApplication(
+        @Parameter(description = "用户ID", required = true, example = AUTH_HEADER_USER_ID_DEFAULT_VALUE)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "项目ID", required = true)
+        @PathParam("projectId")
+        projectId: String,
+        @Parameter(description = "资源授权交接条件实体", required = true)
+        condition: ResourceAuthorizationHandoverConditionRequest
+    ): Result<String>
+
+    @POST
+    @Path("/listHandoverOverviews")
+    @Operation(summary = "权限交接总览列表")
+    fun listHandoverOverviews(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "权限交接总览查询", required = true)
+        queryRequest: HandoverOverviewQueryReq
+    ): Result<SQLPage<HandoverOverviewVo>>
+
+    @POST
+    @Path("/getResourceType2CountOfHandover")
+    @Operation(summary = "获取资源授权管理数量")
+    fun getResourceType2CountOfHandover(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "查询请求体", required = true)
+        queryReq: ResourceType2CountOfHandoverQuery
+    ): Result<List<ResourceType2CountVo>>
+
+    @POST
+    @Path("/listAuthorizationsOfHandover")
+    @Operation(summary = "获取交接单中授权相关")
+    fun listAuthorizationsOfHandover(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "权限交接详细查询请求体", required = true)
+        queryReq: HandoverDetailsQueryReq
+    ): Result<SQLPage<HandoverAuthorizationDetailVo>>
+
+    @POST
+    @Path("/listGroupsOfHandover")
+    @Operation(summary = "获取交接单中用户组相关")
+    fun listGroupsOfHandover(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "权限交接详细查询请求体", required = true)
+        queryReq: HandoverDetailsQueryReq
+    ): Result<SQLPage<HandoverGroupDetailVo>>
+
+    @POST
+    @Path("/handleHanoverApplication")
+    @Operation(summary = "处理交接审批单")
+    fun handleHanoverApplication(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "更新权限交接总览请求体", required = true)
+        request: HandoverOverviewUpdateReq
+    ): Result<Boolean>
+
+    @POST
+    @Path("/batchHandleHanoverApplications")
+    @Operation(summary = "批量处理交接审批单")
+    fun batchHandleHanoverApplications(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "批量更新权限交接总览请求体", required = true)
+        request: HandoverOverviewBatchUpdateReq
+    ): Result<Boolean>
+}
diff --git a/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt b/...pi-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
@@ -30,6 +30,7 @@ package com.tencent.devops.auth.api.user
 
 import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
 import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
 import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo
 import com.tencent.devops.common.api.annotation.BkInterfaceI18n
@@ -110,6 +111,9 @@ interface UserAuthResourceGroupResource {
         @QueryParam("action")
         @Parameter(description = "操作")
         action: String?,
+        @QueryParam("operateChannel")
+        @Parameter(description = "操作渠道")
+        operateChannel: OperateChannel?,
         @Parameter(description = "起始位置,从0开始")
         @QueryParam("start")
         start: Int,
@@ -118,6 +122,27 @@ interface UserAuthResourceGroupResource {
         limit: Int
     ): Result<SQLPage<GroupDetailsInfoVo>>
 
+    @GET
+    @Path("{groupId}/getMemberGroupDetails/")
+    @Operation(summary = "获取用户加入单个组的详情")
+    fun getMemberGroupDetails(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "项目ID", required = true)
+        @PathParam("projectId")
+        projectId: String,
+        @Parameter(description = "资源类型", required = true)
+        @PathParam("resourceType")
+        resourceType: String,
+        @Parameter(description = "用户组Id")
+        @PathParam("groupId")
+        groupId: Int,
+        @QueryParam("memberId")
+        @Parameter(description = "组织ID/成员ID")
+        memberId: String
+    ): Result<GroupDetailsInfoVo>
+
     @PUT
     @Path("{groupId}/member/renewal")
     @Operation(summary = "用户续期")

diff --git a/...i-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt b/...i-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt
@@ -2,15 +2,17 @@ package com.tencent.devops.auth.api.user
 
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
 import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
+import com.tencent.devops.auth.pojo.request.GroupMemberRemoveConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberSingleRenewalReq
 import com.tencent.devops.auth.pojo.request.ProjectMembersQueryConditionReq
 import com.tencent.devops.auth.pojo.request.RemoveMemberFromProjectReq
 import com.tencent.devops.auth.pojo.vo.BatchOperateGroupMemberCheckVo
 import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
-import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo
+import com.tencent.devops.auth.pojo.vo.ResourceType2CountVo
 import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
 import com.tencent.devops.common.api.model.SQLPage
 import com.tencent.devops.common.api.pojo.Result
@@ -96,8 +98,8 @@ interface UserAuthResourceMemberResource {
 
     @PUT
     @Path("/batch/renewal")
-    @Operation(summary = "批量续期组成员权限--无需进行审批")
-    fun batchRenewalGroupMembers(
+    @Operation(summary = "批量续期组成员权限--管理员视角")
+    fun batchRenewalGroupMembersFromManager(
         @Parameter(description = "用户名", required = true)
         @HeaderParam(AUTH_HEADER_USER_ID)
         userId: String,
@@ -110,22 +112,56 @@ interface UserAuthResourceMemberResource {
 
     @DELETE
     @Path("/batch/remove")
-    @Operation(summary = "批量移除用户组成员")
-    fun batchRemoveGroupMembers(
+    @Operation(summary = "批量移除用户组成员--管理员视角")
+    fun batchRemoveGroupMembersFromManager(
         @Parameter(description = "用户名", required = true)
         @HeaderParam(AUTH_HEADER_USER_ID)
         userId: String,
         @Parameter(description = "项目ID", required = true)
         @PathParam("projectId")
         projectId: String,
         @Parameter(description = "批量移除成员请求实体")
-        removeMemberDTO: GroupMemberCommonConditionReq
+        removeMemberDTO: GroupMemberRemoveConditionReq
+    ): Result<Boolean>
+
+    @DELETE
+    @Path("/batch/personal/remove")
+    @Operation(summary = "批量退出用户组成员--个人视角")
+    fun batchRemoveGroupMembersFromPersonal(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "项目ID", required = true)
+        @PathParam("projectId")
+        projectId: String,
+        @Parameter(description = "批量移除成员请求实体")
+        removeMemberDTO: GroupMemberRemoveConditionReq
+    ): Result<String>
+
+    @DELETE
+    @Path("/single/{groupId}/{operateChannel}/remove")
+    @Operation(summary = "退出单个组")
+    fun deleteResourceGroupMembers(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "项目ID", required = true)
+        @PathParam("projectId")
+        projectId: String,
+        @Parameter(description = "组ID", required = true)
+        @PathParam("groupId")
+        groupId: Int,
+        @Parameter(description = "操作渠道", required = true)
+        @PathParam("operateChannel")
+        operateChannel: OperateChannel,
+        @Parameter(description = "操作对象", required = true)
+        targetMember: ResourceMemberInfo
     ): Result<Boolean>
 
     @PUT
     @Path("/batch/handover")
-    @Operation(summary = "批量交接用户组成员")
-    fun batchHandoverGroupMembers(
+    @Operation(summary = "批量交接用户组成员--管理员视角")
+    fun batchHandoverGroupMembersFromManager(
         @Parameter(description = "用户名", required = true)
         @HeaderParam(AUTH_HEADER_USER_ID)
         userId: String,
@@ -136,6 +172,20 @@ interface UserAuthResourceMemberResource {
         handoverMemberDTO: GroupMemberHandoverConditionReq
     ): Result<Boolean>
 
+    @PUT
+    @Path("/batch/personal/handover")
+    @Operation(summary = "批量交接用户组成员--个人视角")
+    fun batchHandoverApplicationFromPersonal(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "项目ID", required = true)
+        @PathParam("projectId")
+        projectId: String,
+        @Parameter(description = "批量交接成员请求实体")
+        handoverMemberDTO: GroupMemberHandoverConditionReq
+    ): Result<String>
+
     @POST
     @Path("/batch/{batchOperateType}/check/")
     @Operation(summary = "批量操作用户组检查")
@@ -211,6 +261,9 @@ interface UserAuthResourceMemberResource {
         relatedResourceCode: String?,
         @QueryParam("action")
         @Parameter(description = "操作")
-        action: String?
-    ): Result<List<MemberGroupCountWithPermissionsVo>>
+        action: String?,
+        @QueryParam("operateChannel")
+        @Parameter(description = "操作渠道")
+        operateChannel: OperateChannel?
+    ): Result<List<ResourceType2CountVo>>
 }
diff --git a/...uth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt b/...uth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt
@@ -34,9 +34,9 @@ import com.tencent.devops.auth.pojo.vo.IamGroupMemberInfoVo
 import com.tencent.devops.common.api.auth.AUTH_HEADER_USER_ID
 import com.tencent.devops.common.api.pojo.Pagination
 import com.tencent.devops.common.api.pojo.Result
-import io.swagger.v3.oas.annotations.tags.Tag
 import io.swagger.v3.oas.annotations.Operation
 import io.swagger.v3.oas.annotations.Parameter
+import io.swagger.v3.oas.annotations.tags.Tag
 import javax.ws.rs.Consumes
 import javax.ws.rs.GET
 import javax.ws.rs.HeaderParam

diff --git a/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthI18nConstants.kt b/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthI18nConstants.kt
@@ -47,4 +47,9 @@ object AuthI18nConstants {
     const val BK_MEMBER_EXPIRED_AT_DISPLAY_EXPIRED = "bkMemberExpiredAtDisplayExpired" // 有效期: 已过期
     const val BK_MEMBER_EXPIRED_AT_DISPLAY_NORMAL = "bkMemberExpiredAtDisplayNormal" // 有效期: {0}天
     const val BK_MEMBER_EXPIRED_AT_DISPLAY_PERMANENT = "bkMemberExpiredAtDisplayPermanent" // 有效期: 永久
+
+    const val BK_APPLY_TO_HANDOVER = "bkApplyToHandover" // 申请移交
+    const val BK_HANDOVER_GROUPS = "bkHandoverGroups" // 个权限用户组
+    const val BK_HANDOVER_AUTHORIZATIONS = "bkHandoverAuthorizations" // 个授权
+    const val BK_PROJECT = "bk_project" // 蓝盾项目
 }
diff --git a/...ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt b/...ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt
@@ -142,4 +142,12 @@ object AuthMessageCode {
     const val INVALID_EXPIRED_PERM_NOT_ALLOW_TO_HANDOVER = "2121089" // 已过期的权限不允许交接
 
     const val ERROR_USER_INFORMATION_NOT_SYNCED = "2121090" // 请等待第二天用户信息同步后再尝试操作，因为新入职用户的信息尚未同步完成。
+
+    const val ERROR_HANDOVER_OVERVIEW_NOT_EXIST = "2121091" // 权限交接记录不存在
+    const val ERROR_HANDOVER_FINISH = "2121092" // 该交接申请单已被处理，不允许重复操作
+    const val ERROR_HANDOVER_REVOKE = "2121093" // 由于您不是该交接申请单的发起人，无法进行撤销操作
+    const val ERROR_HANDOVER_APPROVAL = "2121094" // 由于您不是该交接申请单的审批人，无法进行任何操作
+    const val ERROR_HANDOVER_HANDLE = "2121095" // 该交接申请单正在被处理中，请耐心等待
+    const val ERROR_REPERTORY_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法，用户没有对应代码库授权的权限
+    const val ERROR_SINGLE_GROUP_REMOVE = "2121098" // 由于直接退出用户组，会导致授权失效，必须进行用户组移交
 }
diff --git a/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/HandoverDetailDTO.kt b/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/HandoverDetailDTO.kt
@@ -0,0 +1,20 @@
+package com.tencent.devops.auth.pojo.dto
+
+import com.tencent.devops.auth.pojo.enum.HandoverType
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "权限交接详细表")
+data class HandoverDetailDTO(
+    @get:Schema(title = "项目ID")
+    val projectCode: String,
+    @get:Schema(title = "流程单号")
+    var flowNo: String? = null,
+    @get:Schema(title = "授权/组ID")
+    val itemId: String,
+    @get:Schema(title = "组/授权资源关联的资源类型")
+    val resourceType: String,
+    @get:Schema(title = "交接类型")
+    val handoverType: HandoverType,
+    @get:Schema(title = "审批人")
+    var approver: String? = null
+)