TencentBlueKing · Canway-shiisa · Jul 4, 2022 · Jul 4, 2022 · Jul 5, 2022 · Jul 8, 2022
diff --git a/saas/backend/apps/mgmt/serializers.py b/saas/backend/apps/mgmt/serializers.py
@@ -177,3 +177,16 @@ class SubTaskSLZ(serializers.Serializer):
 
     def get_status(self, obj):
         return TaskStatus.get_choice_label(obj.status)
+
+
+class QueryRoleSubjectScopeSLZ(serializers.Serializer):
+    group_id = serializers.IntegerField(label="用户组ID")
+
+
+class QueryRoleAuthorizationScopeSLZ(serializers.Serializer):
+    system_id = serializers.CharField(required=True)
+    group_id = serializers.IntegerField(label="用户组ID")
+
+
+class QuerySystemSLZ(serializers.Serializer):
+    group_id = serializers.IntegerField(label="用户组ID")
diff --git a/saas/backend/apps/mgmt/urls.py b/saas/backend/apps/mgmt/urls.py
@@ -70,6 +70,95 @@
                     name="mgmt.long_task",
                 ),
             ]
-        ),
+        )
+    ),
+    path(
+        "group/",
+        include(
+            [
+                path("", views.MgmtGroupViewSet.as_view({"get": "list"}), name="mgmt.group"),
+                path("transfer/", views.MgmtGroupTransferView.as_view(), name="mgmt.group.transfer"),
+                # 用户组详情
+                path(
+                    "<str:id>/",
+                    views.MgmtGroupViewSet.as_view({"get": "retrieve", "put": "update", "delete": "destroy"}),
+                    name="mgmt.group.detail",
+                ),
+                path(
+                    "<str:id>/members/",
+                    views.MgmtGroupMemberViewSet.as_view({"get": "list", "post": "create", "delete": "destroy"}),
+                    name="mgmt.group.members",
+                ),
+                path(
+                    "<str:id>/members_renew/",
+                    views.MgmtGroupMemberUpdateExpiredAtViewSet.as_view({"post": "create"}),
+                    name="mgmt.group.members.renew",
+                ),
+                path("<str:id>/templates/", views.MgmtGroupTemplateViewSet.as_view({"get": "list"}),
+                     name="mgmt.group.templates"),
+                path(
+                    "<str:id>/templates/<int:template_id>/",
+                    views.MgmtGroupTemplateViewSet.as_view({"get": "retrieve"}),
+                    name="mgmt.group.template_detail",
+                ),
+                # 用户组有权限的系统
+                path("<str:id>/systems/",
+                     views.GroupSystemViewSet.as_view({"get": "list"}),
+                     name="mgmt.group.list_policy_system"),
+                # 权限模板和自定义权限
+                path(
+                    "<str:id>/policies/",
+                    views.MgmtGroupPolicyViewSet.as_view(
+                        {"get": "list", "post": "create", "delete": "destroy", "put": "update"}),
+                    name="mgmt.group.list_policy",
+                ),
+
+            ]
+        )
     ),
+    path(
+        "role/",
+        include(
+            [
+                path(
+                    "subject_scope/",
+                    views.MgmtRoleSubjectScopeView.as_view(),
+                    name="mgmt.role.subject_scope"),
+                path(
+                    "authorization_scope_actions/",
+                    views.MgmtRoleAuthorizationScopeView.as_view(),
+                    name="mgmt.role.authorization_scope_actions",
+                ),
+            ]
+        )
+    ),
+    path(
+        "system/",
+        include(
+            [
+                path(
+                    "",
+                    views.MgmtSystemViewSet.as_view({"get": "list"}),
+                    name="mgmt.role.subject_scope"),
+            ]
+        )
+    ),
+    path(
+        "action/",
+        include(
+            [
+                path("", views.MgmtActionViewSet.as_view({"get": "list"}), name="mgmt.action.list_action"),
+
+            ]
+        )
+    ),
+    path(
+        "template/",
+        include(
+            [
+                path("", views.MgmtTemplateViewSet.as_view({"get": "list"}), name="mgmt.action.list_action"),
+
+            ]
+        )
+    )
 ]
diff --git a/saas/backend/apps/mgmt/views/__init__.py b/saas/backend/apps/mgmt/views/__init__.py
@@ -9,7 +9,20 @@
 specific language governing permissions and limitations under the License.
 """
 
+from backend.apps.group.views import GroupSystemViewSet
+from backend.apps.mgmt.views.action import MgmtActionViewSet
+from backend.apps.mgmt.views.group import (
+    MgmtGroupMemberUpdateExpiredAtViewSet,
+    MgmtGroupMemberViewSet,
+    MgmtGroupPolicyViewSet,
+    MgmtGroupTemplateViewSet,
+    MgmtGroupTransferView,
+    MgmtGroupViewSet,
+)
 from backend.apps.mgmt.views.long_task import LongTaskViewSet
+from backend.apps.mgmt.views.role import MgmtRoleAuthorizationScopeView, MgmtRoleSubjectScopeView
+from backend.apps.mgmt.views.system import MgmtSystemViewSet
+from backend.apps.mgmt.views.template import MgmtTemplateViewSet
 from backend.apps.mgmt.views.white_list import (
     AdminApiWhiteListViewSet,
     ApiViewSet,
@@ -23,4 +36,17 @@
     "AuthorizationApiWhiteListViewSet",
     "ManagementApiWhiteListViewSet",
     "LongTaskViewSet",
+    "MgmtGroupViewSet",
+    "MgmtGroupMemberViewSet",
+    "MgmtGroupMemberUpdateExpiredAtViewSet",
+    "MgmtGroupMemberUpdateExpiredAtViewSet",
+    "MgmtGroupPolicyViewSet",
+    "GroupSystemViewSet",
+    "MgmtGroupTransferView",
+    "MgmtGroupTemplateViewSet",
+    "MgmtRoleSubjectScopeView",
+    "MgmtRoleAuthorizationScopeView",
+    "MgmtTemplateViewSet",
+    "MgmtSystemViewSet",
+    "MgmtActionViewSet",
 ]
diff --git a/saas/backend/apps/mgmt/views/action.py b/saas/backend/apps/mgmt/views/action.py
@@ -0,0 +1,78 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
+Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import exceptions, status
+from rest_framework.response import Response
+from rest_framework.viewsets import GenericViewSet
+
+from backend.apps.action.serializers import ActionSLZ, GroupActionQuerySLZ
+from backend.biz.action import ActionBiz
+from backend.biz.action_group import ActionGroupBiz
+from backend.biz.open import ApplicationPolicyListCache
+from backend.biz.role import RoleBiz
+from backend.service.constants import SubjectType
+from backend.service.models import Subject
+
+
+class MgmtActionViewSet(GenericViewSet):
+
+    paginator = None  # 去掉swagger中的limit offset参数
+
+    biz = ActionBiz()
+    role_biz = RoleBiz()
+
+    action_group_biz = ActionGroupBiz()
+
+    application_policy_list_cache = ApplicationPolicyListCache()
+
+    @swagger_auto_schema(
+        operation_description="用户的操作列表",
+        query_serializer=GroupActionQuerySLZ,
+        responses={status.HTTP_200_OK: ActionSLZ(label="操作", many=True)},
+        tags=["action"],
+    )
+    def list(self, request, *args, **kwargs):
+        slz = GroupActionQuerySLZ(data=request.query_params)
+        slz.is_valid(raise_exception=True)
+
+        system_id = slz.validated_data["system_id"]
+        cache_id = slz.validated_data["cache_id"]
+        group_id = slz.validated_data["group_id"]
+        user_id = slz.validated_data["user_id"]
+
+        role = self.role_biz.get_role_by_group_id(group_id=group_id)
+
+        # 1. 获取用户的权限列表
+        if user_id != "" and user_id == request.user.username:
+            actions = self.biz.list_by_subject(
+                system_id, role, Subject(type=SubjectType.USER.value, id=user_id)
+            )
+        elif user_id != "" and user_id != request.user.username:
+            raise exceptions.PermissionDenied
+        elif group_id != -1:
+            actions = self.biz.list_by_subject(
+                system_id, role, Subject(type=SubjectType.GROUP.value, id=group_id)
+            )
+        # 3. 获取的预申请的权限列表
+        elif cache_id != "":
+            # 从缓存里获取预申请的操作ID列表
+            policy_list = self.application_policy_list_cache.get(cache_id)
+            # 根据预申请的操作ID列表，获取对应的操作列表
+            actions = self.biz.list_pre_application_actions(
+                system_id, role, request.user.username, [p.action_id for p in policy_list.policies]
+            )
+        else:
+            actions = self.biz.list_by_role(system_id, role)
+
+        # 对操作分组, 填入到分组的数据中
+        action_groups = self.action_group_biz.list_by_actions(system_id, actions)
+
+        return Response([one.dict() for one in action_groups])