feat: get TenantID from header for OpenAPI (#2033)

src/bk-user/bkuser/apis/open_v3/mixins.py

@@ -14,11 +14,28 @@
 #
 # We undertake not to change the open source license (MIT license) applicable
 # to the current version of the project delivered to anyone in the future.
+from functools import cached_property
+
 from apigw_manager.drf.authentication import ApiGatewayJWTAuthentication
+from rest_framework.exceptions import ValidationError
+from rest_framework.request import Request
 
 from .permissions import ApiGatewayAppVerifiedPermission
 
 
 class OpenApiCommonMixin:
     authentication_classes = [ApiGatewayJWTAuthentication]
     permission_classes = [ApiGatewayAppVerifiedPermission]
+
+    request: Request
+
+    TenantHeaderKey = "HTTP_X_BK_TENANT_ID"
+
+    @cached_property
+    def tenant_id(self) -> str:
+        tenant_id = self.request.META.get(self.TenantHeaderKey)
+
+        if not tenant_id:
+            raise ValidationError("X-Bk-Tenant-Id header is required")
+
+        return tenant_id

src/bk-user/bkuser/apis/open_v3/views/user.py

@@ -61,7 +61,7 @@ def get_queryset(self):
         # TODO: 由于目前 DisplayName 渲染只与 full_name 相关，所以只查询 full_name
         # 后续支持表达式，则需要查询表达式可配置的所有字段
         return (
-            TenantUser.objects.filter(id__in=data["bk_usernames"])
+            TenantUser.objects.filter(id__in=data["bk_usernames"], tenant_id=self.tenant_id)
             .select_related("data_source_user")
             .only("id", "data_source_user__full_name")
         )
@@ -93,7 +93,8 @@ class TenantUserRetrieveApi(OpenApiCommonMixin, generics.RetrieveAPIView):
         responses={status.HTTP_200_OK: TenantUserRetrieveOutputSLZ()},
     )
     def get(self, request, *args, **kwargs):
-        return self.retrieve(request, *args, **kwargs)
+        tenant_user = get_object_or_404(TenantUser.objects.filter(tenant_id=self.tenant_id), id=kwargs["id"])
+        return Response(TenantUserRetrieveOutputSLZ(tenant_user).data)
 
 
 class TenantUserDepartmentListApi(OpenApiCommonMixin, generics.ListAPIView):
@@ -117,7 +118,7 @@ def get(self, request, *args, **kwargs):
         slz.is_valid(raise_exception=True)
         data = slz.validated_data
 
-        tenant_user = get_object_or_404(TenantUser.objects.all(), id=kwargs["id"])
+        tenant_user = get_object_or_404(TenantUser.objects.filter(tenant_id=self.tenant_id), id=kwargs["id"])
 
         return Response(
             TenantUserDepartmentListOutputSLZ(self._get_dept_info(tenant_user, data["with_ancestors"]), many=True).data
@@ -202,7 +203,7 @@ class TenantUserLeaderListApi(OpenApiCommonMixin, generics.ListAPIView):
     serializer_class = TenantUserLeaderListOutputSLZ
 
     def get_queryset(self) -> QuerySet[TenantUser]:
-        tenant_user = get_object_or_404(TenantUser.objects.all(), id=self.kwargs["id"])
+        tenant_user = get_object_or_404(TenantUser.objects.filter(tenant_id=self.tenant_id), id=self.kwargs["id"])
 
         leader_ids = list(
             DataSourceUserLeaderRelation.objects.filter(user=tenant_user.data_source_user).values_list(

src/bk-user/tests/apis/open_v3/conftest.py

@@ -24,8 +24,9 @@
 
 
 @pytest.fixture
-def api_client():
+def api_client(random_tenant):
     client = APIClient()
+    client.defaults["HTTP_X_BK_TENANT_ID"] = random_tenant.id
     with mock.patch.object(OpenApiCommonMixin, "authentication_classes", []), mock.patch.object(
         OpenApiCommonMixin, "permission_classes", []
     ):