Merge pull request #835 from TencentBlueKing/v1.5.x

Merge V1.5.0 into master
TencentBlueKing · May 23, 2024 · d9d7b88 · d9d7b88
2 parents 291403c + 3f450e3
commit d9d7b88
Show file tree

Hide file tree

Showing 754 changed files with 83,149 additions and 14,766 deletions.
diff --git a/Makefile b/Makefile
@@ -38,7 +38,6 @@ pre:
 
 # 本地测试前后端编译
 all: pre ui server suite
-	@cd ${PRO_DIR}/cmd && make
 	@echo -e "\033[32;1mBuild All Success!\n\033[0m"
 
 # 后端本地测试编译

diff --git a/cmd/auth-server/service/auth/adaptor.go b/cmd/auth-server/service/auth/adaptor.go
@@ -90,6 +90,17 @@ func AdaptAuthOptions(a *meta.ResourceAttribute) (client.ActionID, []client.Reso
 		return sys.CloudSelectionRecommend, make([]client.Resource, 0), nil
 	case meta.ArgumentTemplate:
 		return genArgumentTemplateResource(a)
+	case meta.Cert:
+		return genCertResource(a)
+	case meta.LoadBalancer:
+		return genLoadBalancerResource(a)
+	case meta.Listener:
+		return genListenerResource(a)
+	case meta.TargetGroup:
+		return genTargetGroupResource(a)
+	case meta.UrlRuleAuditResType:
+		return genUrlRuleResource(a)
+
 	default:
 		return "", nil, errf.Newf(errf.InvalidParameter, "unsupported hcm auth type: %s", a.Basic.Type)
 	}

diff --git a/cmd/auth-server/service/auth/gen_id.go b/cmd/auth-server/service/auth/gen_id.go
@@ -529,3 +529,113 @@ func genCostManageResource(a *meta.ResourceAttribute) (client.ActionID, []client
 func genArgumentTemplateResource(a *meta.ResourceAttribute) (client.ActionID, []client.Resource, error) {
 	return genIaaSResourceResource(a)
 }
+
+// genCertResource generate cert related iam resource.
+func genCertResource(a *meta.ResourceAttribute) (client.ActionID, []client.Resource, error) {
+	res := client.Resource{
+		System: sys.SystemIDHCM,
+		Type:   sys.Account,
+	}
+
+	// compatible for authorize any
+	if len(a.ResourceID) > 0 {
+		res.ID = a.ResourceID
+	}
+
+	bizRes := client.Resource{
+		System: sys.SystemIDCMDB,
+		Type:   sys.Biz,
+		ID:     strconv.FormatInt(a.BizID, 10),
+	}
+
+	switch a.Basic.Action {
+	case meta.Find, meta.Assign:
+		return genIaaSResourceResource(a)
+	case meta.Create:
+		if a.BizID > 0 {
+			return sys.BizCertResCreate, []client.Resource{bizRes}, nil
+		}
+		return sys.CertResCreate, []client.Resource{res}, nil
+	case meta.Update:
+		// update resource is related to hcm account resource
+		if a.BizID > 0 {
+			return sys.BizIaaSResOperate, []client.Resource{bizRes}, nil
+		}
+		return sys.IaaSResOperate, []client.Resource{res}, nil
+	case meta.Delete:
+		if a.BizID > 0 {
+			return sys.BizCertResDelete, []client.Resource{bizRes}, nil
+		}
+		return sys.CertResDelete, []client.Resource{res}, nil
+	default:
+		return "", nil, errf.Newf(errf.InvalidParameter, "unsupported hcm action: %s", a.Basic.Action)
+	}
+}
+
+// genLoadBalancerResource generate load balancer related iam resource.
+func genLoadBalancerResource(a *meta.ResourceAttribute) (client.ActionID, []client.Resource, error) {
+	res := client.Resource{
+		System: sys.SystemIDHCM,
+		Type:   sys.Account,
+	}
+
+	// compatible for authorize any
+	if len(a.ResourceID) > 0 {
+		res.ID = a.ResourceID
+	}
+
+	bizRes := client.Resource{
+		System: sys.SystemIDCMDB,
+		Type:   sys.Biz,
+		ID:     strconv.FormatInt(a.BizID, 10),
+	}
+
+	switch a.Basic.Action {
+	case meta.Associate, meta.Disassociate:
+		if a.BizID > 0 {
+			return sys.BizIaaSResOperate, []client.Resource{bizRes}, nil
+		}
+		return sys.IaaSResOperate, []client.Resource{res}, nil
+	default:
+		return genIaaSResourceResource(a)
+	}
+}
+
+// genListenerResource generate clb listener related iam resource.
+func genListenerResource(a *meta.ResourceAttribute) (client.ActionID, []client.Resource, error) {
+	return genIaaSResourceResource(a)
+}
+
+// genTargetGroupResource generate target group related iam resource.
+func genTargetGroupResource(a *meta.ResourceAttribute) (client.ActionID, []client.Resource, error) {
+	res := client.Resource{
+		System: sys.SystemIDHCM,
+		Type:   sys.Account,
+	}
+
+	// compatible for authorize any
+	if len(a.ResourceID) > 0 {
+		res.ID = a.ResourceID
+	}
+
+	bizRes := client.Resource{
+		System: sys.SystemIDCMDB,
+		Type:   sys.Biz,
+		ID:     strconv.FormatInt(a.BizID, 10),
+	}
+
+	switch a.Basic.Action {
+	case meta.Associate, meta.Disassociate:
+		if a.BizID > 0 {
+			return sys.BizIaaSResOperate, []client.Resource{bizRes}, nil
+		}
+		return sys.IaaSResOperate, []client.Resource{res}, nil
+	default:
+		return genIaaSResourceResource(a)
+	}
+}
+
+// genUrlRuleResource generate clb listener related iam resource.
+func genUrlRuleResource(a *meta.ResourceAttribute) (client.ActionID, []client.Resource, error) {
+	return genIaaSResourceResource(a)
+}
diff --git a/cmd/cloud-server/logics/cert/assign.go b/cmd/cloud-server/logics/cert/assign.go
@@ -0,0 +1,94 @@
+/*
+ * TencentBlueKing is pleased to support the open source community by making
+ * 蓝鲸智云 - 混合云管理平台 (BlueKing - Hybrid Cloud Management System) available.
+ * Copyright (C) 2022 THL A29 Limited,
+ * a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * We undertake not to change the open source license (MIT license) applicable
+ *
+ * to the current version of the project delivered to anyone in the future.
+ */
+
+package cert
+
+import (
+	"fmt"
+
+	logicaudit "hcm/cmd/cloud-server/logics/audit"
+	"hcm/pkg/api/core"
+	corecert "hcm/pkg/api/core/cloud/cert"
+	protocloud "hcm/pkg/api/data-service/cloud"
+	dataservice "hcm/pkg/client/data-service"
+	"hcm/pkg/criteria/constant"
+	"hcm/pkg/criteria/enumor"
+	"hcm/pkg/kit"
+	"hcm/pkg/logs"
+	"hcm/pkg/runtime/filter"
+	"hcm/pkg/tools/slice"
+)
+
+// Assign 分配证书到业务下
+func Assign(kt *kit.Kit, cli *dataservice.Client, ids []string, bizID int64) error {
+	if len(ids) == 0 {
+		return fmt.Errorf("ids is required")
+	}
+
+	if err := ValidateBeforeAssign(kt, cli, ids); err != nil {
+		return err
+	}
+
+	// create cert assign audit
+	audit := logicaudit.NewAudit(cli)
+	if err := audit.ResBizAssignAudit(kt, enumor.SslCertAuditResType, ids, bizID); err != nil {
+		logs.Errorf("create assign cert audit failed, ids: %v, bizID: %d, err: %v, rid: %s", ids, bizID, err, kt.Rid)
+		return err
+	}
+
+	// assign
+	req := &protocloud.CertBatchUpdateExprReq{
+		IDs:     ids,
+		BkBizID: bizID,
+	}
+	_, err := cli.Global.BatchUpdateCert(kt, req)
+	if err != nil {
+		logs.Errorf("batch update cert db failed, ids: %v, bizID: %d, err: %v, rid: %s", ids, bizID, err, kt.Rid)
+		return err
+	}
+
+	return nil
+}
+
+// ValidateBeforeAssign 分配前置校验
+func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string) error {
+	// 判断是否已经分配
+	listReq := &core.ListReq{
+		Filter: &filter.Expression{
+			Op: filter.And,
+			Rules: []filter.RuleFactory{
+				&filter.AtomRule{Field: "id", Op: filter.In.Factory(), Value: ids},
+				&filter.AtomRule{Field: "bk_biz_id", Op: filter.NotEqual.Factory(), Value: constant.UnassignedBiz},
+			},
+		},
+		Page: core.NewDefaultBasePage(),
+	}
+	listResp, err := cli.Global.ListCert(kt, listReq)
+	if err != nil {
+		logs.Errorf("list cert failed, req: %+v, err: %v, rid: %s", listReq, err, kt.Rid)
+		return err
+	}
+
+	if len(listResp.Details) != 0 {
+		return fmt.Errorf("cert(ids=%v) already assigned", slice.Map(listResp.Details,
+			func(cert corecert.BaseCert) string { return cert.ID }))
+	}
+
+	return nil
+}
diff --git a/cmd/cloud-server/logics/cvm/assign.go b/cmd/cloud-server/logics/cvm/assign.go
@@ -57,7 +57,7 @@ func Assign(kt *kit.Kit, cli *dataservice.Client, ids []string, bizID int64) err
 	}
 
 	// 校验主机关联资源信息
-	if err := ValidateCvmRelResBeforeAssign(kt, cli, eipIDs, diskIDs, niIDs); err != nil {
+	if err := ValidateCvmRelResBeforeAssign(kt, cli, bizID, eipIDs, diskIDs, niIDs); err != nil {
 		return err
 	}
 
@@ -158,23 +158,23 @@ func GetCvmRelResIDs(kt *kit.Kit, cli *dataservice.Client, ids []string) (
 }
 
 // ValidateCvmRelResBeforeAssign 校验主机关联资源在分配前
-func ValidateCvmRelResBeforeAssign(kt *kit.Kit, cli *dataservice.Client, eipIDs []string,
+func ValidateCvmRelResBeforeAssign(kt *kit.Kit, cli *dataservice.Client, targetBizId int64, eipIDs []string,
 	diskIDs []string, niIDs []string) error {
 
 	if len(eipIDs) != 0 {
-		if err := eip.ValidateBeforeAssign(kt, cli, eipIDs, true); err != nil {
+		if err := eip.ValidateBeforeAssign(kt, cli, targetBizId, eipIDs, true); err != nil {
 			return err
 		}
 	}
 
 	if len(diskIDs) != 0 {
-		if err := disk.ValidateBeforeAssign(kt, cli, diskIDs, true); err != nil {
+		if err := disk.ValidateBeforeAssign(kt, cli, targetBizId, diskIDs, true); err != nil {
 			return err
 		}
 	}
 
 	if len(niIDs) != 0 {
-		if err := logicsni.ValidateBeforeAssign(kt, cli, niIDs, true); err != nil {
+		if err := logicsni.ValidateBeforeAssign(kt, cli, targetBizId, niIDs, true); err != nil {
 			return err
 		}
 	}

diff --git a/cmd/cloud-server/logics/disk/assign.go b/cmd/cloud-server/logics/disk/assign.go
@@ -33,7 +33,6 @@ import (
 	"hcm/pkg/dal/dao/tools"
 	"hcm/pkg/kit"
 	"hcm/pkg/logs"
-	"hcm/pkg/runtime/filter"
 	"hcm/pkg/tools/slice"
 )
 
@@ -44,7 +43,7 @@ func Assign(kt *kit.Kit, cli *dataservice.Client, ids []string, bizID uint64, is
 		return fmt.Errorf("ids is required")
 	}
 
-	if err := ValidateBeforeAssign(kt, cli, ids, isBind); err != nil {
+	if err := ValidateBeforeAssign(kt, cli, int64(bizID), ids, isBind); err != nil {
 		return err
 	}
 
@@ -69,16 +68,15 @@ func Assign(kt *kit.Kit, cli *dataservice.Client, ids []string, bizID uint64, is
 }
 
 // ValidateBeforeAssign 分配前置校验
-func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string, isBind bool) error {
+func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client,
+	targetBizId int64, diskIds []string, isBind bool) error {
+
 	// 判断是否已经分配
 	listReq := &core.ListReq{
-		Filter: &filter.Expression{
-			Op: filter.And,
-			Rules: []filter.RuleFactory{
-				&filter.AtomRule{Field: "id", Op: filter.In.Factory(), Value: ids},
-				&filter.AtomRule{Field: "bk_biz_id", Op: filter.NotEqual.Factory(), Value: constant.UnassignedBiz},
-			},
-		},
+		Filter: tools.ExpressionAnd(
+			tools.RuleIn("id", diskIds),
+			tools.RuleNotIn("bk_biz_id", []int64{constant.UnassignedBiz, targetBizId}),
+		),
 		Page: core.NewDefaultBasePage(),
 	}
 	listResp, err := cli.Global.ListDisk(kt, listReq)
@@ -94,7 +92,7 @@ func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string, is
 
 	// 判断是否关联资源
 	listRelReq := &core.ListReq{
-		Filter: tools.ContainersExpression("disk_id", ids),
+		Filter: tools.ContainersExpression("disk_id", diskIds),
 		Page:   core.NewDefaultBasePage(),
 	}
 	listRelResp, err := cli.Global.ListDiskCvmRel(kt, listRelReq)
@@ -116,8 +114,8 @@ func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string, is
 			diskBindMap[one.DiskID] = true
 		}
 
-		if len(ids) != len(diskBindMap) {
-			unBindIDs := slice.Filter(ids, func(id string) bool {
+		if len(diskIds) != len(diskBindMap) {
+			unBindIDs := slice.Filter(diskIds, func(id string) bool {
 				return !diskBindMap[id]
 			})
 			return fmt.Errorf("disk(ids=%v) not bind cvm", unBindIDs)

diff --git a/cmd/cloud-server/logics/eip/assign.go b/cmd/cloud-server/logics/eip/assign.go
@@ -32,7 +32,6 @@ import (
 	"hcm/pkg/dal/dao/tools"
 	"hcm/pkg/kit"
 	"hcm/pkg/logs"
-	"hcm/pkg/runtime/filter"
 	"hcm/pkg/tools/slice"
 )
 
@@ -43,7 +42,7 @@ func Assign(kt *kit.Kit, cli *dataservice.Client, ids []string, bizID uint64, is
 		return fmt.Errorf("ids is required")
 	}
 
-	if err := ValidateBeforeAssign(kt, cli, ids, isBind); err != nil {
+	if err := ValidateBeforeAssign(kt, cli, int64(bizID), ids, isBind); err != nil {
 		return err
 	}
 
@@ -68,16 +67,14 @@ func Assign(kt *kit.Kit, cli *dataservice.Client, ids []string, bizID uint64, is
 }
 
 // ValidateBeforeAssign 分配前置校验
-func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string, isBind bool) error {
+func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, targetBizId int64, eipIds []string, isBind bool) error {
 	// 判断是否已经分配
+	// 允许已经在目标业务下
 	listReq := &core.ListReq{
-		Filter: &filter.Expression{
-			Op: filter.And,
-			Rules: []filter.RuleFactory{
-				&filter.AtomRule{Field: "id", Op: filter.In.Factory(), Value: ids},
-				&filter.AtomRule{Field: "bk_biz_id", Op: filter.NotEqual.Factory(), Value: constant.UnassignedBiz},
-			},
-		},
+		Filter: tools.ExpressionAnd(
+			tools.RuleIn("id", eipIds),
+			tools.RuleNotIn("bk_biz_id", []int64{constant.UnassignedBiz, targetBizId}),
+		),
 		Page: core.NewDefaultBasePage(),
 	}
 	listResp, err := cli.Global.ListEip(kt, listReq)
@@ -93,7 +90,7 @@ func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string, is
 
 	// 判断是否关联资源
 	listRelReq := &core.ListReq{
-		Filter: tools.ContainersExpression("eip_id", ids),
+		Filter: tools.ContainersExpression("eip_id", eipIds),
 		Page:   core.NewDefaultBasePage(),
 	}
 	listRelResp, err := cli.Global.ListEipCvmRel(kt, listRelReq)
@@ -115,8 +112,8 @@ func ValidateBeforeAssign(kt *kit.Kit, cli *dataservice.Client, ids []string, is
 			eipBindMap[one.EipID] = true
 		}
 
-		if len(ids) != len(eipBindMap) {
-			unBindIDs := slice.Filter(ids, func(id string) bool {
+		if len(eipIds) != len(eipBindMap) {
+			unBindIDs := slice.Filter(eipIds, func(id string) bool {
 				return !eipBindMap[id]
 			})
 			return fmt.Errorf("eip(ids=%v) not bind cvm", unBindIDs)