feat: 修改account接口限制 TencentBlueKing#2264

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/AuthServiceConfig.kt

@@ -33,7 +33,7 @@ package com.tencent.bkrepo.auth.config
 
 import com.tencent.bkrepo.auth.dao.PermissionDao
 import com.tencent.bkrepo.auth.dao.UserDao
-import com.tencent.bkrepo.auth.dao.repository.AccountRepository
+import com.tencent.bkrepo.auth.dao.AccountDao
 import com.tencent.bkrepo.auth.dao.repository.OauthTokenRepository
 import com.tencent.bkrepo.auth.dao.repository.RoleRepository
 import com.tencent.bkrepo.auth.condition.DevopsAuthCondition
@@ -64,7 +64,6 @@ import org.springframework.context.annotation.Conditional
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Lazy
 import org.springframework.core.Ordered
-import org.springframework.data.mongodb.core.MongoTemplate
 
 @Configuration
 @AutoConfigureOrder(Ordered.LOWEST_PRECEDENCE)
@@ -81,25 +80,24 @@ class AuthServiceConfig {
     @Bean
     @ConditionalOnMissingBean(AccountService::class)
     fun accountService(
-        accountRepository: AccountRepository,
+        accountDao: AccountDao,
         oauthTokenRepository: OauthTokenRepository,
-        userService: UserService,
-        mongoTemplate: MongoTemplate
-    ) = AccountServiceImpl(accountRepository, oauthTokenRepository, userService, mongoTemplate)
+        userDao: UserDao
+    ) = AccountServiceImpl(accountDao, oauthTokenRepository, userDao)
 
     @Bean
     @Conditional(LocalAuthCondition::class)
     fun permissionService(
         roleRepository: RoleRepository,
-        accountRepository: AccountRepository,
+        accountDao: AccountDao,
         permissionDao: PermissionDao,
         userDao: UserDao,
         personalPathDao: PersonalPathDao,
         repoAuthConfigDao: RepoAuthConfigDao
     ): PermissionService {
         return PermissionServiceImpl(
             roleRepository,
-            accountRepository,
+            accountDao,
             permissionDao,
             userDao,
             personalPathDao,
@@ -116,15 +114,15 @@ class AuthServiceConfig {
         personalPathDao: PersonalPathDao,
         repoAuthConfigDao: RepoAuthConfigDao,
         roleRepository: RoleRepository,
-        accountRepository: AccountRepository,
+        accountDao: AccountDao,
         permissionDao: PermissionDao,
         repoClient: RepositoryClient
     ): PermissionService {
         return BkIamV3PermissionServiceImpl(
             bkiamV3Service,
             userDao,
             roleRepository,
-            accountRepository,
+            accountDao,
             permissionDao,
             personalPathDao,
             repoAuthConfigDao,
@@ -137,7 +135,7 @@ class AuthServiceConfig {
     @Conditional(DevopsAuthCondition::class)
     fun bkAuthPermissionService(
         roleRepository: RoleRepository,
-        accountRepository: AccountRepository,
+        accountDao: AccountDao,
         permissionDao: PermissionDao,
         userDao: UserDao,
         personalPathDao: PersonalPathDao,
@@ -149,7 +147,7 @@ class AuthServiceConfig {
     ): PermissionService {
         return DevopsPermissionServiceImpl(
             roleRepository,
-            accountRepository,
+            accountDao,
             permissionDao,
             userDao,
             personalPathDao,

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/OpenResource.kt

@@ -35,6 +35,7 @@ import com.tencent.bkrepo.auth.message.AuthMessageCode
 import com.tencent.bkrepo.auth.pojo.enums.AuthPermissionType
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
 import com.tencent.bkrepo.auth.pojo.enums.ResourceType
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
 import com.tencent.bkrepo.auth.pojo.user.UserInfo
 import com.tencent.bkrepo.auth.service.PermissionService
@@ -88,6 +89,16 @@ open class OpenResource(private val permissionService: PermissionService) {
         }
     }
 
+    /**
+     * the userContext should be admin
+     * only use in user api
+     */
+    fun preCheckGrantTypes(grantTypes: Set<AuthorizationGrantType>) {
+        if (grantTypes.contains(AuthorizationGrantType.PLATFORM) || grantTypes.isEmpty()) {
+            preCheckUserAdmin()
+        }
+    }
+
     /**
      * only system scopeType account have the permission
      */
@@ -147,7 +158,7 @@ open class OpenResource(private val permissionService: PermissionService) {
             throw ErrorCodeException(AuthMessageCode.AUTH_USER_FORAUTH_NOT_PERM)
         }
     }
-    
+
 
     fun isContextUserProjectAdmin(projectId: String): Boolean {
         val userId = SecurityUtils.getUserId()

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/AccountController.kt

@@ -43,6 +43,7 @@ import com.tencent.bkrepo.auth.service.AccountService
 import com.tencent.bkrepo.auth.service.PermissionService
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.operate.api.annotation.LogOperate
+import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import io.swagger.annotations.ApiOperation
 import org.springframework.beans.factory.annotation.Autowired
@@ -76,40 +77,46 @@ class AccountController @Autowired constructor(
     @ApiOperation("查询拥有的账号")
     @GetMapping("/own/list")
     fun listOwnAccount(): Response<List<Account>> {
-        return ResponseBuilder.success(accountService.listOwnAccount())
+        preCheckPlatformPermission()
+        val userId = SecurityUtils.getUserId()
+        return ResponseBuilder.success(accountService.listOwnAccount(userId))
     }
 
     @ApiOperation("查询已授权账号")
     @GetMapping("/authorized/list")
     @PutMapping("/update")
     fun listAuthorizedAccount(): Response<List<Account>> {
-        return ResponseBuilder.success(accountService.listAuthorizedAccount())
+        preCheckPlatformPermission()
+        val userId = SecurityUtils.getUserId()
+        return ResponseBuilder.success(accountService.listAuthorizedAccount(userId))
     }
 
     @ApiOperation("根据appId查询账号")
     @GetMapping("/detail/{appId}")
     fun getAccountDetail(@PathVariable appId: String): Response<Account> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        return ResponseBuilder.success(accountService.findAccountByAppId(appId))
+        val userId = SecurityUtils.getUserId()
+        return ResponseBuilder.success(accountService.findAccountByAppId(appId, userId))
     }
 
     @ApiOperation("创建账号")
     @PostMapping("/create")
     @LogOperate(type = "ACCOUNT_CREATE")
     fun createAccount(@RequestBody request: CreateAccountRequest): Response<Account> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        return ResponseBuilder.success(accountService.createAccount(request))
+        preCheckGrantTypes(request.authorizationGrantTypes)
+        val owner = SecurityUtils.getUserId()
+        return ResponseBuilder.success(accountService.createAccount(request, owner))
     }
 
     @ApiOperation("更新账号")
     @PutMapping("/update")
     @LogOperate(type = "ACCOUNT_UPDATE")
     fun updateAccount(@RequestBody request: UpdateAccountRequest): Response<Boolean> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        accountService.updateAccount(request)
+        preCheckGrantTypes(request.authorizationGrantTypes)
+        val owner = SecurityUtils.getUserId()
+        accountService.updateAccount(request, owner)
         return ResponseBuilder.success(true)
     }
 
@@ -118,26 +125,26 @@ class AccountController @Autowired constructor(
     @LogOperate(type = "ACCOUNT_DELETE")
     fun deleteAccount(@PathVariable appId: String): Response<Boolean> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        accountService.deleteAccount(appId)
+        val userId = SecurityUtils.getUserId()
+        accountService.deleteAccount(appId, userId)
         return ResponseBuilder.success(true)
     }
 
     @ApiOperation("卸载账号")
     @DeleteMapping("/uninstall/{appId}")
     fun uninstallAccount(@PathVariable appId: String): Response<Boolean> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        accountService.uninstallAccount(appId)
+        val userId = SecurityUtils.getUserId()
+        accountService.uninstallAccount(appId, userId)
         return ResponseBuilder.success(true)
     }
 
     @ApiOperation("获取账户下的ak/sk对")
     @GetMapping("/credential/list/{appId}")
     fun getCredential(@PathVariable appId: String): Response<List<CredentialSet>> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        val credential = accountService.listCredentials(appId)
+        val userId = SecurityUtils.getUserId()
+        val credential = accountService.listCredentials(appId, userId)
         return ResponseBuilder.success(credential)
     }
 
@@ -149,8 +156,8 @@ class AccountController @Autowired constructor(
         @RequestParam type: AuthorizationGrantType?
     ): Response<CredentialSet> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        val result = accountService.createCredential(appId, type ?: AuthorizationGrantType.PLATFORM)
+        val userId = SecurityUtils.getUserId()
+        val result = accountService.createCredential(appId, type ?: AuthorizationGrantType.PLATFORM, userId)
         return ResponseBuilder.success(result)
     }
 
@@ -159,8 +166,8 @@ class AccountController @Autowired constructor(
     @LogOperate(type = "KEYS_DELETE")
     fun deleteCredential(@PathVariable appId: String, @PathVariable accesskey: String): Response<Boolean> {
         preCheckPlatformPermission()
-        preCheckUserAdmin()
-        val result = accountService.deleteCredential(appId, accesskey)
+        val userId = SecurityUtils.getUserId()
+        val result = accountService.deleteCredential(appId, accesskey, userId)
         return ResponseBuilder.success(result)
     }
 
@@ -181,6 +188,7 @@ class AccountController @Autowired constructor(
     @ApiOperation("校验ak/sk")
     @GetMapping("/credential/{accesskey}/{secretkey}")
     fun checkCredential(@PathVariable accesskey: String, @PathVariable secretkey: String): Response<String?> {
+        preCheckPlatformPermission()
         preCheckUserAdmin()
         val result = accountService.checkCredential(accesskey, secretkey)
         return ResponseBuilder.success(result)

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/PermissionController.kt

@@ -44,6 +44,7 @@ import com.tencent.bkrepo.auth.pojo.role.ExternalRoleResult
 import com.tencent.bkrepo.auth.pojo.role.RoleSource
 import com.tencent.bkrepo.auth.service.PermissionService
 import com.tencent.bkrepo.common.api.pojo.Response
+import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import io.swagger.annotations.ApiOperation
 import org.springframework.beans.factory.annotation.Autowired
@@ -182,7 +183,8 @@ class PermissionController @Autowired constructor(
         @RequestParam repoName: String
     ): Response<String> {
         preCheckUserInProject(AuthPermissionType.REPO, projectId, repoName)
-        return ResponseBuilder.success(permissionService.getOrCreatePersonalPath(projectId, repoName))
+        val userId = SecurityUtils.getUserId()
+        return ResponseBuilder.success(permissionService.getOrCreatePersonalPath(projectId, repoName, userId))
     }
 
     @ApiOperation("查询外部用户组")

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/AccountDao.kt

@@ -0,0 +1,33 @@
+package com.tencent.bkrepo.auth.dao
+
+import com.tencent.bkrepo.auth.model.TAccount
+import com.tencent.bkrepo.common.mongo.dao.simple.SimpleMongoDao
+import org.springframework.data.mongodb.core.query.Criteria
+import org.springframework.data.mongodb.core.query.Query
+import org.springframework.stereotype.Repository
+
+
+@Repository
+class AccountDao : SimpleMongoDao<TAccount>() {
+
+    fun findOneByAppId(appId: String): TAccount? {
+        val query = Query(Criteria(TAccount::appId.name).`is`(appId))
+        return this.findOne(query)
+    }
+
+    fun findAllBy(): List<TAccount> {
+        return this.findAll()
+    }
+
+
+    fun findByOwner(owner: String): List<TAccount> {
+        val query = Query(Criteria(TAccount::owner.name).`is`(owner))
+        return this.find(query)
+    }
+
+    fun findByIdIn(ids: List<String>): List<TAccount> {
+        val query = Query(Criteria(TAccount::id.name).`in`(ids))
+        return this.find(query)
+    }
+
+}

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/helper/PermissionHelper.kt

@@ -45,10 +45,12 @@ import com.tencent.bkrepo.auth.pojo.enums.ResourceType.ENDPOINT
 import com.tencent.bkrepo.auth.pojo.enums.RoleType
 import com.tencent.bkrepo.auth.pojo.permission.Permission
 import com.tencent.bkrepo.auth.dao.repository.RoleRepository
+import com.tencent.bkrepo.auth.model.TAccount
 import com.tencent.bkrepo.auth.model.TPermission
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.READ
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction.MANAGE
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest
 import com.tencent.bkrepo.auth.util.scope.RuleUtil
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
@@ -312,6 +314,14 @@ class PermissionHelper constructor(
         return projectList
     }
 
+    fun isPlatformApp(platform: TAccount): Boolean {
+        val grantTypes = platform.authorizationGrantTypes ?: return true
+
+        if (grantTypes.contains(AuthorizationGrantType.PLATFORM)) return true
+
+        return false
+    }
+
     private fun checkIncludePatternAction(
         patternList: List<String>,
         path: String,