feat: add management grade manager subject template list api (#2498)

TencentBlueKing · Jan 24, 2024 · a9e2278 · a9e2278
1 parent bc8c716
commit a9e2278
Show file tree

Hide file tree

Showing 12 changed files with 197 additions and 10 deletions.
diff --git a/saas/backend/api/management/constants.py b/saas/backend/api/management/constants.py
@@ -82,6 +82,8 @@ class ManagementAPIEnum(BaseAPIEnum):
     # 审批
     V2_APPLICATION_APPROVAL = auto()
     V2_APPLICATION_CANCEL = auto()
+    # 人员模版
+    V2_SUBJECT_TEMPLATE_LIST = auto()
 
     _choices_labels = skip(
         (

diff --git a/saas/backend/api/management/v2/filters.py b/saas/backend/api/management/v2/filters.py
@@ -11,6 +11,7 @@
 
 from backend.apps.group.models import Group
 from backend.apps.role.models import Role
+from backend.apps.subject_template.models import SubjectTemplate
 
 
 class GroupFilter(filters.FilterSet):
@@ -35,3 +36,17 @@ class Meta:
         fields = [
             "name",
         ]
+
+
+class SubjectTemplateFilter(filters.FilterSet):
+    id = filters.NumberFilter(label="ID")
+    name = filters.CharFilter(label="名字", lookup_expr="icontains")
+    description = filters.CharFilter(label="描述", lookup_expr="icontains")
+
+    class Meta:
+        model = SubjectTemplate
+        fields = [
+            "name",
+            "id",
+            "description",
+        ]
diff --git a/saas/backend/api/management/v2/serializers.py b/saas/backend/api/management/v2/serializers.py
@@ -16,6 +16,7 @@
 from backend.apps.group.models import Group
 from backend.apps.role.models import Role, RoleUser
 from backend.apps.role.serializers import GradeMangerBaseInfoSLZ, RoleScopeSubjectSLZ
+from backend.apps.subject_template.models import SubjectTemplate
 from backend.biz.role import RoleCheckBiz
 from backend.service.constants import GroupMemberType
 from backend.service.models import Subject
@@ -328,3 +329,9 @@ class Meta:
 
     def get_members(self, obj):
         return [one.username for one in RoleUser.objects.filter(role_id=obj.id)]
+
+
+class ManagementSubjectTemplateSLZ(serializers.ModelSerializer):
+    class Meta:
+        model = SubjectTemplate
+        fields = ("id", "name", "description", "readonly", "source_group_id", "creator", "created_time")
diff --git a/saas/backend/api/management/v2/urls.py b/saas/backend/api/management/v2/urls.py
@@ -144,4 +144,10 @@
         views.ManagementSubsetManagerViewSet.as_view({"get": "retrieve", "post": "update", "delete": "destroy"}),
         name="open.management.v2.subset_manager",
     ),
+    # -------------- Subject Template --------------
+    path(
+        "grade_managers/<int:id>/subject_templates/",
+        views.ManagementGradeManagerSubjectTemplateViewSet.as_view({"get": "list"}),
+        name="open.management.v2.grade_manager_subject_template",
+    ),
 ]
diff --git a/saas/backend/api/management/v2/views/__init__.py b/saas/backend/api/management/v2/views/__init__.py
@@ -28,6 +28,7 @@
     ManagementSystemManagerGroupViewSet,
 )
 from .subject import ManagementDepartmentGroupBelongViewSet, ManagementUserGroupBelongViewSet
+from .subject_template import ManagementGradeManagerSubjectTemplateViewSet
 from .subset_manager import ManagementSubsetManagerCreateListViewSet, ManagementSubsetManagerViewSet
 
 __all__ = [
@@ -50,4 +51,5 @@
     "ManagementApplicationCancelView",
     "ManagementGradeManagerViewSet",
     "ManagementSubsetManagerViewSet",
+    "ManagementGradeManagerSubjectTemplateViewSet",
 ]
diff --git a/saas/backend/api/management/v2/views/group.py b/saas/backend/api/management/v2/views/group.py
@@ -45,6 +45,7 @@
 )
 from backend.apps.group.models import Group
 from backend.apps.group.serializers import GroupAddMemberSLZ
+from backend.apps.group.views import split_members_to_subject_and_template
 from backend.apps.policy.models import Policy
 from backend.apps.policy.serializers import PolicySLZ
 from backend.apps.role.models import Role
@@ -59,6 +60,7 @@
 )
 from backend.biz.policy import PolicyOperationBiz, PolicyQueryBiz
 from backend.biz.role import RoleBiz, RoleListQuery
+from backend.biz.subject_template import SubjectTemplateBiz
 from backend.common.filters import NoCheckModelFilterBackend
 from backend.common.lock import gen_group_upsert_lock
 from backend.common.pagination import CompatiblePagination
@@ -342,6 +344,7 @@ class ManagementGroupMemberViewSet(GenericViewSet):
     biz = GroupBiz()
     group_check_biz = GroupCheckBiz()
     role_biz = RoleBiz()
+    subject_template_biz = SubjectTemplateBiz()
 
     @swagger_auto_schema(
         operation_description="用户组成员列表",
@@ -375,18 +378,26 @@ def create(self, request, *args, **kwargs):
         members_data = data["members"]
         expired_at = data["expired_at"]
         # 成员Dict结构转换为Subject结构，并去重
-        members = list(set(parse_obj_as(List[Subject], members_data)))
+        members, subject_template_ids = split_members_to_subject_and_template(members_data)
 
         # 检测成员是否满足管理的授权范围
         role = self.role_biz.get_role_by_group_id(group.id)
         self.group_check_biz.check_role_subject_scope(role, members)
         self.group_check_biz.check_member_count(group.id, len(members))
 
-        # 添加成员
-        self.biz.add_members(group.id, members, expired_at)
+        # 检查人员模版是否在role的授权范围内
+        self.group_check_biz.check_subject_template(request.role, subject_template_ids)
+
+        if members:
+            # 添加成员
+            self.biz.add_members(group.id, members, expired_at)
+
+        # 增加人员模版授权操作
+        for _id in subject_template_ids:
+            self.biz.grant_subject_template(group.id, _id, expired_at, request.user.username)
 
         # 写入审计上下文
-        audit_context_setter(group=group, members=[m.dict() for m in members])
+        audit_context_setter(group=group, members=members_data)
 
         return Response({})
 
@@ -404,11 +415,18 @@ def destroy(self, request, *args, **kwargs):
         serializer.is_valid(raise_exception=True)
         data = serializer.validated_data
 
-        members = [Subject(**{"type": data["type"], "id": _id}) for _id in data["ids"]]
-        self.biz.remove_members(str(group.id), members)
+        members_data = [{"type": data["type"], "id": _id} for _id in data["ids"]]
+        # 成员Dict结构转换为Subject结构，并去重
+        members, subject_template_ids = split_members_to_subject_and_template(members_data)
+
+        if members:
+            self.biz.remove_members(str(group.id), members)
+
+        for _id in subject_template_ids:
+            self.subject_template_biz.delete_group(_id, group.id)
 
         # 写入审计上下文
-        audit_context_setter(group=group, members=[m.dict() for m in members])
+        audit_context_setter(group=group, members=members_data)
 
         return Response({})
 

diff --git a/saas/backend/api/management/v2/views/subject_template.py b/saas/backend/api/management/v2/views/subject_template.py
@@ -0,0 +1,62 @@
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
+Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
+
+from django.shortcuts import get_object_or_404
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import status
+from rest_framework.response import Response
+from rest_framework.viewsets import GenericViewSet
+
+from backend.api.authentication import ESBAuthentication
+from backend.api.management.constants import ManagementAPIEnum, VerifyApiParamLocationEnum
+from backend.api.management.v2.permissions import ManagementAPIPermission
+from backend.api.management.v2.serializers import ManagementSubjectTemplateSLZ
+from backend.apps.role.models import Role
+from backend.apps.subject_template.filters import SubjectTemplateFilter
+from backend.biz.role import RoleListQuery
+from backend.common.filters import NoCheckModelFilterBackend
+from backend.service.constants import RoleType
+
+
+class ManagementGradeManagerSubjectTemplateViewSet(GenericViewSet):
+    """分级管理员下人员模版"""
+
+    authentication_classes = [ESBAuthentication]
+    permission_classes = [ManagementAPIPermission]
+
+    management_api_permission = {
+        "list": (VerifyApiParamLocationEnum.ROLE_IN_PATH.value, ManagementAPIEnum.V2_SUBJECT_TEMPLATE_LIST.value),
+    }
+
+    lookup_field = "id"
+    queryset = Role.objects.filter(type__in=[RoleType.GRADE_MANAGER.value, RoleType.SUBSET_MANAGER.value]).order_by(
+        "-updated_time"
+    )
+    filterset_class = SubjectTemplateFilter
+    filter_backends = [NoCheckModelFilterBackend]
+
+    @swagger_auto_schema(
+        operation_description="人员模版列表",
+        responses={status.HTTP_200_OK: ManagementSubjectTemplateSLZ(label="人员模版", many=True)},
+        tags=["management.role.subject_template"],
+    )
+    def list(self, request, *args, **kwargs):
+        role = get_object_or_404(self.queryset, id=kwargs["id"])
+
+        queryset = RoleListQuery(role).query_subject_template()
+        queryset = self.filter_queryset(queryset)
+
+        page = self.paginate_queryset(queryset)
+        if page is not None:
+            serializer = ManagementSubjectTemplateSLZ(page, many=True)
+            return self.get_paginated_response(serializer.data)
+
+        serializer = ManagementSubjectTemplateSLZ(queryset, many=True)
+        return Response(serializer.data)
diff --git a/saas/backend/apps/group/views.py b/saas/backend/apps/group/views.py
@@ -382,7 +382,7 @@ def create(self, request, *args, **kwargs):
             self.group_biz.grant_subject_template(group.id, _id, expired_at, request.user.username)
 
         # 写入审计上下文
-        audit_context_setter(group=group, members=[m.dict() for m in members])
+        audit_context_setter(group=group, members=members_data)
 
         return Response({}, status=status.HTTP_201_CREATED)
 

diff --git a/saas/resources/apigateway/bk_apigw_resources_bk-iam.yaml b/saas/resources/apigateway/bk_apigw_resources_bk-iam.yaml
@@ -2244,6 +2244,33 @@ paths:
           resourcePermissionRequired: false
         disabledStages: []
         descriptionEn:
+  /api/v2/open/management/systems/{system_id}/grade_managers/{id}/subject_templates/:
+    get:
+      operationId: v2_management_grade_manager_list_subject_templates
+      description: 分级管理员人员模版列表
+      tags:
+      - open
+      - v2
+      responses:
+        default:
+          description: ''
+      x-bk-apigateway-resource:
+        isPublic: true
+        allowApplyPermission: true
+        matchSubpath: false
+        backend:
+          type: HTTP
+          method: get
+          path: /api/v2/open/management/systems/{system_id}/grade_managers/{id}/subject_templates/
+          matchSubpath: false
+          timeout: 0
+          upstreams: {}
+          transformHeaders: {}
+        authConfig:
+          userVerifiedRequired: false
+          resourcePermissionRequired: false
+        disabledStages: []
+        descriptionEn:
   /api/v2/open/management/systems/{system_id}/grade_managers/{id}/subset_managers/:
     get:
       operationId: v2_management_grade_manager_list_subset_manager

diff --git a/saas/resources/apigateway/docs/zh/v2_management_add_group_members.md.j2 b/saas/resources/apigateway/docs/zh/v2_management_add_group_members.md.j2
@@ -13,7 +13,7 @@ members列表元素
 
 | 字段 | 类型 | 位置 | 必须 | 描述 |
 |---|---|---|---|---|
-| type | string | body | 是 | 成员类型，user 表示用户，department 表示部门 |
+| type | string | body | 是 | 成员类型，user 表示用户，department 表示部门, template 表示人员模版 |
 | id | string | body | 是 | 用户或部门 ID |
 
 #### Request

diff --git a/saas/resources/apigateway/docs/zh/v2_management_delete_group_members.md.j2 b/saas/resources/apigateway/docs/zh/v2_management_delete_group_members.md.j2
@@ -6,7 +6,7 @@
 |---|---|---|---|---|
 | system_id | string | path | 是 | 接入系统唯一标识 |
 | group_id | int | path | 是 | 用户组ID |
-| type | string | query | 是 | 成员类型，user 表示用户，department 表示部门 |
+| type | string | query | 是 | 成员类型，user 表示用户，department 表示部门, template 表示人员模版 |
 | ids | string | query | 是  | 成员 ID 列表，多个以英文逗号分隔, 对于 type=user，则 ID 为用户名，对于 type=department，则为部门 ID |
 
 #### Response

diff --git a/saas/resources/apigateway/docs/zh/v2_management_grade_manager_list_subject_templates.md.j2 b/saas/resources/apigateway/docs/zh/v2_management_grade_manager_list_subject_templates.md.j2
@@ -0,0 +1,48 @@
+### 查询分级管理员下人员模版列表
+
+#### Parameters
+| 字段 | 类型 | 位置 | 必须 | 描述 |
+|---|---|---|---|---|
+| name | string | query | 否 | 人员模版名称筛选 |
+| id | int | query | 否 | 人员模版id筛选 |
+| description | string | query | 否 | 人员模版描述筛选 |
+| page_size | int | query | 是 | 分页大小, 最大500 |
+| page | int | query | 是 | 分页 |
+
+#### Request
+```json
+GET /api/v2/open/management/systems/demo/grade_managers/1/subject_templates/?page_size=100&page=1
+```
+
+#### Response
+
+> Status: 200 OK
+
+| 字段 | 类型 | 描述 |
+|---|---|---|
+| id| int | 人员模版ID |
+| name| string | 人员模版名称 |
+| description| string | 人员模版描述 |
+| readonly| bool| 是否是只读人员模版|
+| source_group_id| int| 来源用户组ID |
+
+```json
+{
+  "code": 0,
+  "message": "ok",
+  "data": {
+    "count": 1,
+    "results": [
+      {
+        "id": 1,
+        "name": "人员模版",
+        "description": "人员模版",
+        "readonly": false,
+        "source_group_id": 0
+      }
+    ]
+  }
+}
+```
+
+{% include '_api_v2_status_code.md.j2' %}