Bugfix group auth (#1587)

* fix: fix group costom policy auth action without resource type bug * docs: v1.9.3 * feat: update BKAPP_SUBJECT_GRADE_MANAGER_LIMIT default to 500
TencentBlueKing · Nov 2, 2022 · 2b95d40 · 2b95d40
1 parent ae70ca6
commit 2b95d40
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 29 deletions.
diff --git a/saas/VERSION b/saas/VERSION
@@ -1 +1 @@
-1.9.2
+1.9.3
diff --git a/saas/backend/service/models/policy.py b/saas/backend/service/models/policy.py
@@ -562,12 +562,11 @@ def calculate_pre_changed_content(self, system_id: str, old: "UniversalPolicy")
 
     def to_resource_expression(self, system_id: str) -> str:
         """将ABAC权限翻译为后台所需表达式"""
-        assert len(self.expression_resource_groups) > 0
         translator = ResourceExpressionTranslator()
         return translator.translate(system_id, self.expression_resource_groups.dict())
 
     def has_abac(self) -> bool:
-        return len(self.expression_resource_groups) > 0
+        return self.auth_type in (AuthTypeEnum.ABAC.value, AuthTypeEnum.ALL.value)
 
     def has_rbac(self) -> bool:
-        return len(self.instances) > 0
+        return self.auth_type in (AuthTypeEnum.RBAC.value, AuthTypeEnum.ALL.value)
diff --git a/saas/backend/service/utils/translate.py b/saas/backend/service/utils/translate.py
@@ -78,7 +78,9 @@ def translate(self, system_id: str, resource_groups: List[Dict]) -> str:
         ]
         """
         content = [self._translate_resource_group(system_id, r) for r in resource_groups]
-        if len(content) == 1:
+        if len(content) == 0:
+            expression: Any = content
+        elif len(content) == 1:
             expression = content[0]
         else:
             expression = {"OR": {"content": content}}

diff --git a/saas/config/default.py b/saas/config/default.py
@@ -341,7 +341,7 @@
 SUBJECT_AUTHORIZATION_LIMIT = {
     # -------- 用户 ---------
     # 用户能加入的分级管理员的最大数量
-    "subject_grade_manager_limit": env.int("BKAPP_SUBJECT_GRADE_MANAGER_LIMIT", default=100),
+    "subject_grade_manager_limit": env.int("BKAPP_SUBJECT_GRADE_MANAGER_LIMIT", default=500),
     # -------- 用户组 ---------
     # 用户组能加入同一个系统的权限模板的最大数量
     "default_subject_system_template_limit": env.int("BKAPP_DEFAULT_SUBJECT_SYSTEM_TEMPLATE_LIMIT", default=10),

diff --git a/saas/resources/version_log/V1.9.3_2022-11-2.md b/saas/resources/version_log/V1.9.3_2022-11-2.md
@@ -0,0 +1,4 @@
+# V1.9.3 版本更新日志
+
+### 缺陷修复
+* 用户组授权不关联资源类型的操作未生效问题
diff --git a/saas/resources/version_log/V1.9.3_2022-11-2_en.md b/saas/resources/version_log/V1.9.3_2022-11-2_en.md
@@ -0,0 +1,4 @@
+# V1.9.3 ChangeLog
+
+### Bug Fixes
+* The problem that the operation of user group authorization not associated with resource type does not take effect
diff --git a/saas/tests/service/models/policy_tests.py b/saas/tests/service/models/policy_tests.py
@@ -243,44 +243,42 @@ def test_is_absolute_abac(self, resource_groups, action_auth_type, expected):
         assert is_absolute_abac == expected
 
     @pytest.mark.parametrize(
-        "expression_resource_groups,expected",
+        "auth_type,expected",
         [
-            ([], False),
-            ([ResourceGroup(related_resource_types=[])], True),
-            ([ResourceGroup(related_resource_types=[]), ResourceGroup(related_resource_types=[])], True),
+            ("rbac", False),
+            ("none", False),
+            ("abac", True),
+            ("all", True),
         ],
     )
-    def test_has_abac(self, expression_resource_groups, expected):
+    def test_has_abac(self, auth_type, expected):
         p = UniversalPolicy(
             action_id="a",
             policy_id=0,
             expired_at=0,
             resource_groups=ResourceGroupList(__root__=[]),
-            expression_resource_groups=ResourceGroupList(__root__=expression_resource_groups),
+            expression_resource_groups=ResourceGroupList(__root__=[]),
+            auth_type=auth_type,
         )
         assert p.has_abac() == expected
 
     @pytest.mark.parametrize(
-        "instances,expected",
+        "auth_type,expected",
         [
-            ([], False),
-            ([PathNode(id="id", name="name", system_id="s_id", type="rt_id")], True),
-            (
-                [
-                    PathNode(id="id1", name="name1", system_id="s_id1", type="rt_id1"),
-                    PathNode(id="id2", name="name2", system_id="s_id2", type="rt_id2"),
-                ],
-                True,
-            ),
+            ("rbac", True),
+            ("none", False),
+            ("abac", False),
+            ("all", True),
         ],
     )
-    def test_has_rbac(self, instances, expected):
+    def test_has_rbac(self, auth_type, expected):
         p = UniversalPolicy(
             action_id="a",
             policy_id=0,
             expired_at=0,
             resource_groups=ResourceGroupList(__root__=[]),
-            instances=instances,
+            instances=[],
+            auth_type=auth_type,
         )
         assert p.has_rbac() == expected
 
@@ -348,7 +346,7 @@ def test_parse_abac_and_rbac(self, related_resource, expected):
                     [],
                 ),
                 # old(auth_type, abac_data, rbac_data)
-                (AuthTypeEnum.ABAC.value, [], []),
+                (AuthTypeEnum.NONE.value, [], []),
                 # expected(auth_type, abac_data, rbac_data)
                 (
                     AuthTypeEnum.ABAC.value,

diff --git a/saas/tests/service/policy/common_tests.py b/saas/tests/service/policy/common_tests.py
@@ -11,7 +11,8 @@
 import pytest
 from mock import patch
 
-from backend.service.models import Policy, UniversalPolicyChangedContent
+from backend.service.constants import AbacPolicyChangeType
+from backend.service.models import AbacPolicyChangeContent, Policy, UniversalPolicyChangedContent
 from backend.service.policy.common import UniversalPolicyChangedContentAnalyzer
 
 
@@ -28,7 +29,17 @@ class TestUniversalPolicyChangedContentAnalyzer:
                 # mock_action_auth_types
                 {"test": "abac"},
                 # expected_result
-                [UniversalPolicyChangedContent(action_id="test", auth_type="abac", abac=None, rbac=None)],
+                [
+                    UniversalPolicyChangedContent(
+                        action_id="test",
+                        auth_type="abac",
+                        abac=AbacPolicyChangeContent(
+                            change_type=AbacPolicyChangeType.CREATED.value,
+                            resource_expression="[]",
+                        ),
+                        rbac=None,
+                    )
+                ],
             ),
         ],
     )
@@ -50,7 +61,14 @@ def test_cal_for_created(self, create_policies, mock_action_auth_types, expected
                 # mock_action_auth_types
                 {"test": "abac"},
                 # expected_result
-                [UniversalPolicyChangedContent(action_id="test", auth_type="none", abac=None, rbac=None)],
+                [
+                    UniversalPolicyChangedContent(
+                        action_id="test",
+                        auth_type="none",
+                        abac=AbacPolicyChangeContent(change_type=AbacPolicyChangeType.DELETED.value, id=0),
+                        rbac=None,
+                    )
+                ],
             ),
         ],
     )
@@ -75,7 +93,17 @@ def test_cal_cal_for_deleted(self, delete_policies, mock_action_auth_types, expe
                 # mock_action_auth_types
                 {"test": "abac"},
                 # expected_result
-                [UniversalPolicyChangedContent(action_id="test", auth_type="abac", abac=None, rbac=None)],
+                [
+                    UniversalPolicyChangedContent(
+                        action_id="test",
+                        auth_type="abac",
+                        abac=AbacPolicyChangeContent(
+                            change_type=AbacPolicyChangeType.UPDATED.value,
+                            resource_expression="[]",
+                        ),
+                        rbac=None,
+                    )
+                ],
             ),
         ],
     )