[Feature] 应用授权: DatabasePermission 添加Model、APIView

apps/applications/serializers/database.py

@@ -14,8 +14,8 @@ class DatabaseSerializer(BulkOrgResourceModelSerializer):
         list_serializer_class = AdaptedBulkListSerializer
         fields = [
             'id', 'name', 'login_mode', 'type', 'host', 'port', 'user',
-            'password', 'database', 'comment', 'created_by', 'date_created',
-            'date_updated',
+            'password', 'database', 'created_by', 'date_created',
+            'date_updated', 'comment',
         ]
 
         read_only_fields = [
@@ -24,3 +24,18 @@ class DatabaseSerializer(BulkOrgResourceModelSerializer):
         extra_kwargs = {
             'password': {'write_only': True},
         }
+
+    @staticmethod
+    def clean_password(validated_data):
+        password = validated_data.get('password')
+        if not password:
+            validated_data.pop('password', None)
+
+    def create(self, validated_data):
+        self.clean_password(validated_data)
+        return super().create(validated_data)
+
+    def update(self, instance, validated_data):
+        self.clean_password(validated_data)
+        return super().update(instance, validated_data)
+

apps/perms/api/__init__.py

@@ -6,3 +6,4 @@ from .user_permission import *
 from .user_group_permission import *
 from .remote_app_permission import *
 from .user_remote_app_permission import *
+from .database_permission import *

apps/perms/api/database_permission.py

+#  coding: utf-8
+#
+
+
+from rest_framework import viewsets, generics
+from rest_framework.pagination import LimitOffsetPagination
+from rest_framework.views import Response
+
+from common.permissions import IsOrgAdmin
+
+from ..models import DatabasePermission
+from ..serializers import (
+    DatabasePermissionSerializer,
+    DatabasePermissionUpdateUserSerializer,
+    DatabasePermissionUpdateDatabaseSerializer,
+)
+
+
+__all__ = [
+    'DatabasePermissionViewSet',
+    'DatabasePermissionRemoveUserApi', 'DatabasePermissionAddUserApi',
+    'DatabasePermissionRemoveDatabaseApi', 'DatabasePermissionAddDatabaseApi',
+]
+
+
+class DatabasePermissionViewSet(viewsets.ModelViewSet):
+    filter_fields = ('name', )
+    search_fields = filter_fields
+    queryset = DatabasePermission.objects.all()
+    serializer_class = DatabasePermissionSerializer
+    pagination_class = LimitOffsetPagination
+    permission_classes = (IsOrgAdmin,)
+
+
+class DatabasePermissionAddUserApi(generics.RetrieveUpdateAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = DatabasePermissionUpdateUserSerializer
+    queryset = DatabasePermission.objects.all()
+
+    def update(self, request, *args, **kwargs):
+        perm = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            users = serializer.validated_data.get('users')
+            if users:
+                perm.users.add(*tuple(users))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class DatabasePermissionRemoveUserApi(generics.RetrieveUpdateAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = DatabasePermissionUpdateUserSerializer
+    queryset = DatabasePermission.objects.all()
+
+    def update(self, request, *args, **kwargs):
+        perm = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            users = serializer.validated_data.get('users')
+            if users:
+                perm.users.remove(*tuple(users))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class DatabasePermissionAddDatabaseApi(generics.RetrieveUpdateAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = DatabasePermissionUpdateDatabaseSerializer
+    queryset = DatabasePermission.objects.all()
+
+    def update(self, request, *args, **kwargs):
+        perm = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            databases = serializer.validated_data.get('databases')
+            if databases:
+                perm.databases.add(*tuple(databases))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class DatabasePermissionRemoveDatabaseApi(generics.RetrieveUpdateAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = DatabasePermissionUpdateDatabaseSerializer
+    queryset = DatabasePermission.objects.all()
+
+    def update(self, request, *args, **kwargs):
+        perm = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            databases = serializer.validated_data.get('databases')
+            if databases:
+                perm.databases.remove(*tuple(databases))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+

apps/perms/models/__init__.py

@@ -3,3 +3,4 @@
 
 from .asset_permission import *
 from .remote_app_permission import *
+from .database_permission import *

apps/perms/models/database_permission.py

+#  coding: utf-8
+#
+
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from .base import BasePermission
+
+__all__ = [
+    'DatabasePermission',
+]
+
+
+class DatabasePermission(BasePermission):
+    databases = models.ManyToManyField(
+        'applications.Database', related_name='granted_by_permissions',
+        blank=True, verbose_name=_("Database")
+    )
+
+    class Meta:
+        unique_together = [('org_id', 'name')]
+        verbose_name = _('Database permission')
+        ordering = ('name',)
+
+    def get_all_databases(self):
+        return set(self.databases.all())
+

apps/perms/models/remote_app_permission.py

@@ -12,7 +12,10 @@ __all__ = [
 
 
 class RemoteAppPermission(BasePermission):
-    remote_apps = models.ManyToManyField('applications.RemoteApp', related_name='granted_by_permissions', blank=True, verbose_name=_("RemoteApp"))
+    remote_apps = models.ManyToManyField(
+        'applications.RemoteApp', related_name='granted_by_permissions',
+        blank=True, verbose_name=_("RemoteApp")
+    )
 
     class Meta:
         unique_together = [('org_id', 'name')]

apps/perms/serializers/__init__.py

@@ -4,3 +4,4 @@
 from .asset_permission import *
 from .user_permission import *
 from .remote_app_permission import *
+from .database_permission import *

apps/perms/serializers/database_permission.py

+#  coding: utf-8
+#
+
+from rest_framework import serializers
+
+from common.serializers import AdaptedBulkListSerializer
+from orgs.mixins import BulkOrgResourceModelSerializer
+from ..models import DatabasePermission
+
+
+__all__ = [
+    'DatabasePermissionSerializer',
+    'DatabasePermissionUpdateUserSerializer',
+    'DatabasePermissionUpdateDatabaseSerializer'
+]
+
+
+class DatabasePermissionSerializer(BulkOrgResourceModelSerializer):
+    class Meta:
+        model = DatabasePermission
+        list_serializer_class = AdaptedBulkListSerializer
+        fields = [
+            'id', 'name', 'users', 'user_groups', 'databases', 'comment',
+            'is_active', 'date_start', 'date_expired', 'is_valid',
+            'created_by', 'date_created',
+        ]
+        read_only_fields = ['created_by', 'date_created']
+
+
+class DatabasePermissionUpdateUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = DatabasePermission
+        fields = ['id', 'users']
+
+
+class DatabasePermissionUpdateDatabaseSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = DatabasePermission
+        fields = ['id', 'databases']
+

apps/perms/urls/api_urls.py

@@ -10,6 +10,7 @@ app_name = 'perms'
 router = routers.DefaultRouter()
 router.register('asset-permissions', api.AssetPermissionViewSet, 'asset-permission')
 router.register('remote-app-permissions', api.RemoteAppPermissionViewSet, 'remote-app-permission')
+router.register('database-permissions', api.DatabasePermissionViewSet, 'database-permission')
 
 
 asset_permission_urlpatterns = [
@@ -85,11 +86,20 @@ remote_app_permission_urlpatterns = [
     path('remote-app-permissions/<uuid:pk>/remote-app/add/', api.RemoteAppPermissionAddRemoteAppApi.as_view(), name='remote-app-permission-add-remote-app'),
 ]
 
+database_permission_urlpatterns = [
+    # 用户和Database变更
+    path('database-permissions/<uuid:pk>/user/add/', api.DatabasePermissionAddUserApi.as_view(), name='database-permission-add-user'),
+    path('database-permissions/<uuid:pk>/user/remove/', api.DatabasePermissionRemoveUserApi.as_view(), name='database-permission-remove-user'),
+    path('database-permissions/<uuid:pk>/database/remove/', api.DatabasePermissionRemoveDatabaseApi.as_view(), name='database-permission-remove-database'),
+    path('database-permissions/<uuid:pk>/database/add/', api.DatabasePermissionAddDatabaseApi.as_view(), name='database-permission-add-database'),
+
+]
+
 old_version_urlpatterns = [
-    re_path('(?P<resource>user|user-group|asset-permission|remote-app-permission)/.*', capi.redirect_plural_name_api)
+    re_path('(?P<resource>user|user-group|asset-permission|remote-app-permission|database-permission)/.*', capi.redirect_plural_name_api)
 ]
 
-urlpatterns = asset_permission_urlpatterns + remote_app_permission_urlpatterns + old_version_urlpatterns
+urlpatterns = asset_permission_urlpatterns + remote_app_permission_urlpatterns + database_permission_urlpatterns + old_version_urlpatterns
 
 urlpatterns += router.urls