Merge pull request #11061 from fcfang123/issue-10895

feat：流水线列表展示权限控制 #10895

src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt

@@ -165,4 +165,12 @@ interface OpAuthMigrateResource {
         @Parameter(description = "迁移项目", required = true)
         projectCodes: List<String>
     ): Result<Boolean>
+
+    @POST
+    @Path("/enablePipelineListPermissionControl")
+    @Operation(summary = "开启流水线列表权限控制")
+    fun enablePipelineListPermissionControl(
+        @Parameter(description = "项目", required = true)
+        projectCodes: List<String>
+    ): Result<Boolean>
 }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt

@@ -698,4 +698,15 @@ class RbacPermissionMigrateService constructor(
         }
         return true
     }
+
+    override fun enablePipelineListPermissionControl(projectCodes: List<String>): Boolean {
+        projectCodes.forEach {
+            val projectInfo = client.get(ServiceProjectResource::class).get(it).data!!
+            val properties = projectInfo.properties ?: ProjectProperties()
+            properties.pipelineListPermissionControl = true
+            logger.info("update project($it) properties|$properties")
+            client.get(ServiceProjectResource::class).updateProjectProperties(it, properties)
+        }
+        return true
+    }
 }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt

@@ -103,4 +103,6 @@ class SamplePermissionMigrateService(
     }
 
     override fun fixResourceGroups(projectCodes: List<String>): Boolean = true
+
+    override fun enablePipelineListPermissionControl(projectCodes: List<String>) = true
 }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt

@@ -113,4 +113,8 @@ class OpAuthMigrateResourceImpl @Autowired constructor(
     override fun fixResourceGroups(projectCodes: List<String>): Result<Boolean> {
         return Result(permissionMigrateService.fixResourceGroups(projectCodes))
     }
+
+    override fun enablePipelineListPermissionControl(projectCodes: List<String>): Result<Boolean> {
+        return Result(permissionMigrateService.enablePipelineListPermissionControl(projectCodes))
+    }
 }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt

@@ -117,4 +117,9 @@ interface PermissionMigrateService {
      * 修复资源组数据，存在同步iam资源组数据，数据库 iam组id为NULL的情况，需要进行修复
      */
     fun fixResourceGroups(projectCodes: List<String>): Boolean
+
+    /**
+     * 开启流水线列表权限控制开关
+     */
+    fun enablePipelineListPermissionControl(projectCodes: List<String>): Boolean
 }

src/backend/ci/core/process/biz-base/src/main/kotlin/com/tencent/devops/process/dao/label/PipelineViewGroupDao.kt

@@ -221,13 +221,15 @@ class PipelineViewGroupDao {
     fun countByViewId(
         dslContext: DSLContext,
         projectId: String,
-        viewIds: Collection<Long>
+        viewIds: Collection<Long>,
+        filterPipelineIds: List<String>? = null
     ): Map<Long, Int> {
         with(TPipelineViewGroup.T_PIPELINE_VIEW_GROUP) {
             return dslContext.select(VIEW_ID, count())
                 .from(this)
                 .where(PROJECT_ID.eq(projectId))
                 .and(VIEW_ID.`in`(viewIds))
+                .let { if (filterPipelineIds != null) it.and(PIPELINE_ID.`in`(filterPipelineIds)) else it }
                 .groupBy(VIEW_ID)
                 .fetch().map { it.value1() to it.value2() }.toMap()
         }

src/backend/ci/core/process/biz-base/src/main/kotlin/com/tencent/devops/process/engine/dao/PipelineInfoDao.kt

@@ -729,7 +729,8 @@ class PipelineInfoDao {
         projectId: String,
         excludePipelineIds: List<String>,
         channelCode: ChannelCode? = null,
-        includeDelete: Boolean = false
+        includeDelete: Boolean = false,
+        filterPipelineIds: List<String>? = null
     ): Int {
         with(T_PIPELINE_INFO) {
             return dslContext.selectCount()
@@ -738,6 +739,7 @@ class PipelineInfoDao {
                 .and(PIPELINE_ID.notIn(excludePipelineIds))
                 .let { if (channelCode == null) it else it.and(CHANNEL.eq(channelCode.name)) }
                 .let { if (includeDelete) it else it.and(DELETE.eq(false)) }
+                .let { if (filterPipelineIds != null) it.and(PIPELINE_ID.`in`(filterPipelineIds)) else it }
                 .fetchOne()?.value1() ?: 0
         }
     }

src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt

@@ -240,4 +240,8 @@ abstract class AbstractPipelinePermissionService constructor(
             serviceCode = pipelineAuthServiceCode
         )
     }
+
+    override fun isControlPipelineListPermission(projectId: String): Boolean {
+        return true
+    }
 }

src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/PipelinePermissionService.kt

@@ -154,4 +154,10 @@ interface PipelinePermissionService {
         userId: String,
         projectId: String
     ): Boolean
+
+    /**
+     * 判断该项目是否进行列表权限控制
+     * @param projectId projectId
+     */
+    fun isControlPipelineListPermission(projectId: String): Boolean
 }

src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt

@@ -37,20 +37,24 @@ import com.tencent.devops.common.auth.api.AuthResourceType
 import com.tencent.devops.common.auth.api.pojo.AuthResourceInstance
 import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
 import com.tencent.devops.common.auth.code.PipelineAuthServiceCode
+import com.tencent.devops.common.client.Client
 import com.tencent.devops.process.engine.dao.PipelineInfoDao
-import com.tencent.devops.process.service.view.PipelineViewGroupService
+import com.tencent.devops.process.service.view.PipelineViewGroupCommonService
+import com.tencent.devops.project.api.service.ServiceProjectResource
 import org.jooq.DSLContext
 import org.slf4j.LoggerFactory
+import javax.ws.rs.NotFoundException
 
 @Suppress("LongParameterList")
-class RbacPipelinePermissionService constructor(
+class RbacPipelinePermissionService(
     val authPermissionApi: AuthPermissionApi,
     val authProjectApi: AuthProjectApi,
     val pipelineAuthServiceCode: PipelineAuthServiceCode,
     val dslContext: DSLContext,
     val pipelineInfoDao: PipelineInfoDao,
-    val pipelineViewGroupService: PipelineViewGroupService,
-    val authResourceApi: AuthResourceApi
+    val pipelineViewGroupCommonService: PipelineViewGroupCommonService,
+    val authResourceApi: AuthResourceApi,
+    val client: Client
 ) : PipelinePermissionService {
 
     override fun checkPipelinePermission(
@@ -89,7 +93,7 @@ class RbacPipelinePermissionService constructor(
         } finally {
             logger.info(
                 "It take(${System.currentTimeMillis() - startEpoch})ms to check pipeline permission|" +
-                        "$userId|$projectId|$pipelineId|$permission|$authResourceType"
+                    "$userId|$projectId|$pipelineId|$permission|$authResourceType"
             )
         }
     }
@@ -105,7 +109,7 @@ class RbacPipelinePermissionService constructor(
             resourceCode = projectId
         )
         parents.add(projectInstance)
-        pipelineViewGroupService.listViewIdsByPipelineId(projectId, pipelineId).forEach { viewId ->
+        pipelineViewGroupCommonService.listViewIdsByPipelineId(projectId, pipelineId).forEach { viewId ->
             parents.add(
                 AuthResourceInstance(
                     resourceType = AuthResourceType.PIPELINE_GROUP.value,
@@ -125,7 +129,7 @@ class RbacPipelinePermissionService constructor(
         projectId: String,
         pipelineIds: List<String>
     ): List<AuthResourceInstance> {
-        val listViewIdsMap = pipelineViewGroupService.listViewIdsMap(
+        val listViewIdsMap = pipelineViewGroupCommonService.listViewIdsMap(
             projectId = projectId,
             pipelineIds = pipelineIds
         )
@@ -198,10 +202,11 @@ class RbacPipelinePermissionService constructor(
                 // 如果有项目下所有该资源权限,返回项目下流水线列表
                 instanceMap[AuthResourceType.PROJECT.value]?.contains(projectId) == true ->
                     getAllAuthPipelineIds(projectId = projectId)
+
                 else -> {
                     // 获取有权限流水线组下的流水线
                     val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds ->
-                        pipelineViewGroupService.listPipelineIdsByViewIds(projectId, authViewIds)
+                        pipelineViewGroupCommonService.listPipelineIdsByViewIds(projectId, authViewIds)
                     } ?: emptyList()
                     // 获取有权限的流水线列表
                     val authPipelineIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList()
@@ -295,6 +300,12 @@ class RbacPipelinePermissionService constructor(
         return authProjectApi.checkProjectManager(userId, pipelineAuthServiceCode, projectId)
     }
 
+    override fun isControlPipelineListPermission(projectId: String): Boolean {
+        val projectInfo = client.get(ServiceProjectResource::class).get(englishName = projectId).data
+            ?: throw NotFoundException("Fail to find the project info of project($projectId)")
+        return projectInfo.properties?.pipelineListPermissionControl == true
+    }
+
     companion object {
         private val resourceType = AuthResourceType.PIPELINE_DEFAULT
         private val logger = LoggerFactory.getLogger(RbacPipelinePermissionService::class.java)

src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/StreamPipelinePermissionServiceImpl.kt

@@ -157,6 +157,8 @@ class StreamPipelinePermissionServiceImpl @Autowired constructor(
         ).data ?: false
     }
 
+    override fun isControlPipelineListPermission(projectId: String) = false
+
     private fun getProjectAllInstance(projectId: String): List<String> {
         return pipelineInfoDao.searchByProject(dslContext, projectId)?.map { it.pipelineId } ?: emptyList()
     }

src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/config/PipelinePermConfiguration.kt

@@ -38,7 +38,7 @@ import com.tencent.devops.process.permission.MockPipelinePermissionService
 import com.tencent.devops.process.permission.PipelinePermissionService
 import com.tencent.devops.process.permission.RbacPipelinePermissionService
 import com.tencent.devops.process.permission.StreamPipelinePermissionServiceImpl
-import com.tencent.devops.process.service.view.PipelineViewGroupService
+import com.tencent.devops.process.service.view.PipelineViewGroupCommonService
 import org.jooq.DSLContext
 import org.springframework.boot.autoconfigure.AutoConfigureOrder
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
@@ -107,15 +107,17 @@ class PipelinePermConfiguration {
         pipelineAuthServiceCode: PipelineAuthServiceCode,
         dslContext: DSLContext,
         pipelineInfoDao: PipelineInfoDao,
-        pipelineViewGroupService: PipelineViewGroupService,
-        authResourceApi: AuthResourceApi
+        pipelineViewGroupCommonService: PipelineViewGroupCommonService,
+        authResourceApi: AuthResourceApi,
+        client: Client
     ): PipelinePermissionService = RbacPipelinePermissionService(
         authPermissionApi = authPermissionApi,
         authProjectApi = authProjectApi,
         pipelineAuthServiceCode = pipelineAuthServiceCode,
         dslContext = dslContext,
         pipelineInfoDao = pipelineInfoDao,
-        pipelineViewGroupService = pipelineViewGroupService,
-        authResourceApi = authResourceApi
+        pipelineViewGroupCommonService = pipelineViewGroupCommonService,
+        authResourceApi = authResourceApi,
+        client = client
     )
 }