feat: grade manager approver for custom policy application

saas/backend/apps/role/management/__init__.py

@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
+Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""

saas/backend/apps/role/management/commands/__init__.py

@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
+Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""

saas/backend/apps/role/management/commands/migrate_role_resource_label.py

@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
+Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
+from django.core.management.base import BaseCommand
+from django.core.paginator import Paginator
+
+from backend.apps.role.models import Role
+from backend.biz.role import RoleResourceLabelHelper
+
+
+class Command(BaseCommand):
+    help = "migrate role resource label"
+
+    def handle(self, *args, **options):
+        queryset = Role.objects.filter(hidden=False).all()
+
+        paginator = Paginator(queryset, 100)
+
+        for i in paginator.page_range:
+            for role in paginator.page(i):
+                RoleResourceLabelHelper(role).handle()

saas/backend/apps/role/migrations/0015_roleresourcelabel.py

@@ -0,0 +1,32 @@
+# Generated by Django 3.2.16 on 2023-07-20 02:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('role', '0014_auto_20230518_1620'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='RoleResourceLabel',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('creator', models.CharField(max_length=64, verbose_name='创建者')),
+                ('updater', models.CharField(max_length=64, verbose_name='更新者')),
+                ('created_time', models.DateTimeField(auto_now_add=True)),
+                ('updated_time', models.DateTimeField(auto_now=True)),
+                ('role_id', models.IntegerField(verbose_name='角色ID')),
+                ('system_id', models.CharField(max_length=32, verbose_name='资源系统')),
+                ('resource_type_id', models.CharField(max_length=32, verbose_name='资源类型')),
+                ('resource_id', models.CharField(max_length=36, verbose_name='资源ID')),
+            ],
+            options={
+                'verbose_name': '角色资源标签',
+                'verbose_name_plural': '角色资源标签',
+                'unique_together': {('resource_id', 'resource_type_id', 'system_id', 'role_id')},
+            },
+        ),
+    ]

saas/backend/apps/role/migrations/0016_auto_20230720_1602.py

@@ -0,0 +1,17 @@
+# Generated by Django 3.2.16 on 2023-07-20 08:02
+
+from django.core.management import call_command
+from django.db import migrations
+
+
+def run_migrate_role_resource_label(apps, schema_editor):
+    call_command("migrate_role_resource_label")
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("role", "0015_roleresourcelabel"),
+    ]
+
+    operations = [migrations.RunPython(run_migrate_role_resource_label)]

saas/backend/apps/role/models.py

@@ -301,6 +301,24 @@ def get_role_count(cls, role_type: str, system_id: str, source_type: str = RoleS
             return row[0]
 
 
+class RoleResourceLabel(BaseModel):
+    """
+    角色资源标签
+
+    用于自定义申请权限查询管理员审批人
+    """
+
+    role_id = models.IntegerField("角色ID")
+    system_id = models.CharField("资源系统", max_length=32)
+    resource_type_id = models.CharField("资源类型", max_length=32)
+    resource_id = models.CharField("资源ID", max_length=36)
+
+    class Meta:
+        verbose_name = "角色资源标签"
+        verbose_name_plural = "角色资源标签"
+        unique_together = ["resource_id", "resource_type_id", "system_id", "role_id"]
+
+
 class AnonymousRole:
     id = 0
     pk = 0

saas/backend/biz/application.py

@@ -11,7 +11,7 @@
 import logging
 from collections import defaultdict
 from itertools import groupby
-from typing import Any, Dict, List, Optional, Tuple
+from typing import Any, Dict, List, Optional, Tuple, Type
 
 from django.db import transaction
 from django.utils.translation import gettext as _
@@ -65,7 +65,12 @@
 from backend.service.role import RoleService
 from backend.service.system import SystemService
 
-from .application_process import InstanceApproverHandler, PolicyProcess, PolicyProcessHandler
+from .application_process import (
+    GradeManagerApproverHandler,
+    InstanceApproverHandler,
+    PolicyProcess,
+    PolicyProcessHandler,
+)
 from .group import GroupBiz, GroupMemberExpiredAtBean
 from .policy import PolicyBean, PolicyBeanList, PolicyOperationBiz, PolicyQueryBiz
 from .role import RoleBiz, RoleInfo, RoleInfoBean
@@ -419,9 +424,11 @@ def _get_approval_process_with_node_processor(
             elif node.processor_type == RoleType.SYSTEM_MANAGER.value:
                 processors = self.approval_processor_biz.get_system_manager_members(system_id=kwargs["system_id"])
             elif node.processor_type == RoleType.GRADE_MANAGER.value:
-                processors = self.approval_processor_biz.get_grade_manager_members_by_group_id(
-                    group_id=kwargs["group_id"]
-                )
+                # 如果是自定义权限, 需要后续流程中填充审批人
+                if "group_id" in kwargs:
+                    processors = self.approval_processor_biz.get_grade_manager_members_by_group_id(
+                        group_id=kwargs["group_id"]
+                    )
             # NOTE: 由于资源实例审批人节点的逻辑涉及到复杂的拆分, 合并逻辑, 不在这里处理
 
             node_with_processor.processors = processors
@@ -489,9 +496,12 @@ def create_for_policy(
             policy_process_list.append(PolicyProcess(policy=policy, process=process))
 
         # 5. 通过管道填充可能的资源实例审批人/分级管理员审批节点的审批人
-        pipeline: List[PolicyProcessHandler] = [InstanceApproverHandler()]  # NOTE: 未来需要实现分级管理员审批handler
+        pipeline: List[Type[PolicyProcessHandler]] = [
+            InstanceApproverHandler,
+            GradeManagerApproverHandler,
+        ]
         for pipe in pipeline:
-            policy_process_list = pipe.handle(policy_process_list)
+            policy_process_list = pipe(system_id).handle(policy_process_list)
 
         # 6. 依据审批流程合并策略
         policy_list_process = self._merge_policies_by_approval_process(system_id, policy_process_list)