update: add subject template group update expried_at api

build/support-files/sql/0031_iam_20231025-1600_mysql.sql

@@ -7,5 +7,6 @@ CREATE TABLE `bkiam`.`subject_template_group` (
   `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
   `updated_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
   PRIMARY KEY (`pk`),
-  UNIQUE KEY `idx_uk_subject_template_group` (`subject_pk`,`group_pk`,`template_id`)
+  UNIQUE KEY `idx_uk_subject_template_group` (`subject_pk`,`group_pk`,`template_id`),
+  INDEX `idx_group_template_subject` (`group_pk`, `template_id`,`subject_pk`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

pkg/abac/pap/group.go

@@ -63,6 +63,7 @@ type GroupController interface {
 	DeleteGroupMembers(_type, id string, members []Subject) (map[string]int64, error)
 	BulkCreateSubjectTemplateGroup(subjectTemplateGroups []SubjectTemplateGroup) error
 	BulkDeleteSubjectTemplateGroup(subjectTemplateGroups []SubjectTemplateGroup) error
+	UpdateSubjectTemplateGroupExpiredAt(subjectTemplateGroups []SubjectTemplateGroup) error
 
 	ListRbacGroupByResource(systemID string, resource abacTypes.Resource) ([]Subject, error)
 	ListRbacGroupByActionResource(systemID, actionID string, resource abacTypes.Resource) ([]Subject, error)
@@ -606,6 +607,89 @@ func (c *groupController) BulkCreateSubjectTemplateGroup(subjectTemplateGroups [
 	return nil
 }
 
+func (c *groupController) UpdateSubjectTemplateGroupExpiredAt(subjectTemplateGroups []SubjectTemplateGroup) error {
+	errorWrapf := errorx.NewLayerFunctionErrorWrapf(GroupCTL, "BulkRenewSubjectTemplateGroup")
+
+	relations, err := c.convertToSubjectTemplateGroups(subjectTemplateGroups)
+	if err != nil {
+		return errorWrapf(err, "convertToSubjectTemplateGroups subjectTemplateGroups=`%+v` fail", subjectTemplateGroups)
+	}
+
+	subjectGroupHelper := newSubjectGroupHelper(c.service)
+
+	noAuthorizedRelations := make([]types.SubjectTemplateGroup, 0, len(relations))
+	for i := range relations {
+		relation := &relations[i]
+
+		authorized, subjectGroup, err := subjectGroupHelper.getSubjectGroup(relation.SubjectPK, relation.GroupPK)
+		if err != nil {
+			return errorWrapf(
+				err,
+				"getSubjectGroup subjectPK=`%d`, groupPK=`%d` fail",
+				relation.SubjectPK,
+				relation.GroupPK,
+			)
+		}
+
+		// 1. 如果group未授权
+		if !authorized {
+			noAuthorizedRelations = append(noAuthorizedRelations, *relation)
+			continue
+		}
+
+		// 2. 如果已授权并且过期时间大于当前时间, 不需要更新
+		if subjectGroup != nil && subjectGroup.ExpiredAt > relation.ExpiredAt {
+			continue
+		}
+
+		// 3. 其余场景需要更新
+		relation.NeedUpdate = true
+	}
+
+	tx, err := database.GenerateDefaultDBTx()
+	defer database.RollBackWithLog(tx)
+	if err != nil {
+		return errorWrapf(err, "define tx error")
+	}
+
+	if len(noAuthorizedRelations) > 0 {
+		// 只更新subject template group的过期时间
+		err = c.service.UpdateSubjectTemplateGroupExpiredAtWithTx(tx, noAuthorizedRelations)
+		if err != nil {
+			return errorWrapf(
+				err, "service.UpdateSubjectTemplateGroupExpiredAtWithTx relations=`%+v` fail", noAuthorizedRelations,
+			)
+		}
+	}
+
+	// 更新subject system group
+	err = c.service.BulkUpdateSubjectSystemGroupBySubjectTemplateGroupWithTx(tx, relations)
+	if err != nil {
+		return errorWrapf(
+			err,
+			"service.BulkUpdateSubjectSystemGroupBySubjectTemplateGroupWithTx relations=`%+v` fail",
+			relations,
+		)
+	}
+
+	// 更新除了subject system group之外的subject group
+	err = c.updateSubjectGroupExpiredAtWithTx(tx, relations, true)
+	if err != nil {
+		return errorWrapf(err, "updateSubjectGroupExpiredAtWithTx relations=`%+v` fail", relations)
+	}
+
+	// 提交事务
+	err = tx.Commit()
+	if err != nil {
+		return errorWrapf(err, "tx commit error")
+	}
+
+	// 清理subject system group 缓存
+	c.deleteSubjectTemplateGroupCache(relations)
+
+	return nil
+}
+
 func (*groupController) convertToSubjectTemplateGroups(
 	subjectTemplateGroups []SubjectTemplateGroup,
 ) ([]types.SubjectTemplateGroup, error) {
@@ -649,7 +733,11 @@ func (c *groupController) BulkDeleteSubjectTemplateGroup(subjectTemplateGroups [
 	for i := range relations {
 		relation := &relations[i]
 
-		expiredAt, err := c.service.GetMaxExpiredAtBySubjectGroup(relation.SubjectPK, relation.GroupPK)
+		expiredAt, err := c.service.GetMaxExpiredAtBySubjectGroup(
+			relation.SubjectPK,
+			relation.GroupPK,
+			relation.TemplateID,
+		)
 		if err != nil && !errors.Is(err, service.ErrGroupMemberNotFound) {
 			return errorWrapf(
 				err, "GetMaxExpiredAtBySubjectGroup subjectPK=`%d`, groupPK=`%d` fail",

pkg/abac/pap/group_test.go

@@ -1078,7 +1078,9 @@ var _ = Describe("GroupController", func() {
 
 		It("GetMaxExpiredAtBySubjectGroup fail", func() {
 			mockService := mock.NewMockGroupService(ctl)
-			mockService.EXPECT().GetMaxExpiredAtBySubjectGroup(int64(1), int64(2)).Return(int64(0), errors.New("err"))
+			mockService.EXPECT().
+				GetMaxExpiredAtBySubjectGroup(int64(1), int64(2), int64(1)).
+				Return(int64(0), errors.New("err"))
 
 			manager := &groupController{
 				service: mockService,
@@ -1099,7 +1101,9 @@ var _ = Describe("GroupController", func() {
 
 		It("BulkDeleteSubjectTemplateGroupWithTx fail", func() {
 			mockService := mock.NewMockGroupService(ctl)
-			mockService.EXPECT().GetMaxExpiredAtBySubjectGroup(int64(1), int64(2)).Return(time.Now().Unix()+10, nil)
+			mockService.EXPECT().
+				GetMaxExpiredAtBySubjectGroup(int64(1), int64(2), int64(1)).
+				Return(time.Now().Unix()+10, nil)
 			mockService.EXPECT().
 				BulkDeleteSubjectTemplateGroupWithTx(gomock.Any(), gomock.Any()).
 				Return(errors.New("err"))
@@ -1132,7 +1136,9 @@ var _ = Describe("GroupController", func() {
 
 		It("ok", func() {
 			mockService := mock.NewMockGroupService(ctl)
-			mockService.EXPECT().GetMaxExpiredAtBySubjectGroup(int64(1), int64(2)).Return(time.Now().Unix()+10, nil)
+			mockService.EXPECT().
+				GetMaxExpiredAtBySubjectGroup(int64(1), int64(2), int64(1)).
+				Return(time.Now().Unix()+10, nil)
 			mockService.EXPECT().BulkDeleteSubjectTemplateGroupWithTx(gomock.Any(), gomock.Any()).Return(nil)
 
 			db, mock := database.NewMockSqlxDB()

pkg/abac/pap/subject.go

@@ -97,6 +97,8 @@ func (c *subjectController) BulkUpdateName(subjects []Subject) error {
 func (c *subjectController) BulkDeleteGroup(subjects []Subject) error {
 	errorWrapf := errorx.NewLayerFunctionErrorWrapf(SubjectCTL, "BulkDeleteGroup")
 
+	// NOTE 用户组关联的subject template group由SaaS删除
+
 	svcSubjects := convertToServiceSubjects(subjects)
 
 	pks, err := c.service.ListPKsBySubjects(svcSubjects)

pkg/api/web/handler/subject_template_group.go

@@ -33,17 +33,7 @@ func BatchCreateSubjectTemplateGroup(c *gin.Context) {
 		return
 	}
 
-	// 数据转换, subject -> subjectPK, groupID -> groupPK
-	papSubjectTemplateGroups := make([]pap.SubjectTemplateGroup, 0, len(body))
-	for _, m := range body {
-		papSubjectTemplateGroups = append(papSubjectTemplateGroups, pap.SubjectTemplateGroup{
-			Type:       m.Type,
-			ID:         m.ID,
-			TemplateID: m.TemplateID,
-			GroupID:    m.GroupID,
-			ExpiredAt:  m.ExpiredAt,
-		})
-	}
+	papSubjectTemplateGroups := convertToPapSubjectTemplateGroup(body)
 
 	ctl := pap.NewGroupController()
 	err := ctl.BulkCreateSubjectTemplateGroup(papSubjectTemplateGroups)
@@ -74,17 +64,7 @@ func BatchDeleteSubjectTemplateGroup(c *gin.Context) {
 		return
 	}
 
-	// 数据转换, subject -> subjectPK, groupID -> groupPK
-	papSubjectTemplateGroups := make([]pap.SubjectTemplateGroup, 0, len(body))
-	for _, m := range body {
-		papSubjectTemplateGroups = append(papSubjectTemplateGroups, pap.SubjectTemplateGroup{
-			Type:       m.Type,
-			ID:         m.ID,
-			TemplateID: m.TemplateID,
-			GroupID:    m.GroupID,
-			ExpiredAt:  m.ExpiredAt,
-		})
-	}
+	papSubjectTemplateGroups := convertToPapSubjectTemplateGroup(body)
 
 	ctl := pap.NewGroupController()
 	err := ctl.BulkDeleteSubjectTemplateGroup(papSubjectTemplateGroups)
@@ -101,3 +81,49 @@ func BatchDeleteSubjectTemplateGroup(c *gin.Context) {
 
 	util.SuccessJSONResponse(c, "ok", nil)
 }
+
+// BatchUpdateSubjectTemplateGroupExpiredAt 批量更新subject-template-group过期时间
+func BatchUpdateSubjectTemplateGroupExpiredAt(c *gin.Context) {
+	errorWrapf := errorx.NewLayerFunctionErrorWrapf("Handler", "BatchUpdateSubjectTemplateGroupExpiredAt")
+
+	var body []subjectTemplateGroupSerializer
+	if err := c.ShouldBindJSON(&body); err != nil {
+		util.BadRequestErrorJSONResponse(c, util.ValidationErrorMessage(err))
+		return
+	}
+	if ok, message := common.ValidateArray(body); !ok {
+		util.BadRequestErrorJSONResponse(c, message)
+		return
+	}
+
+	papSubjectTemplateGroups := convertToPapSubjectTemplateGroup(body)
+
+	ctl := pap.NewGroupController()
+	err := ctl.UpdateSubjectTemplateGroupExpiredAt(papSubjectTemplateGroups)
+	if err != nil {
+		err = errorWrapf(
+			err,
+			"ctl.UpdateSubjectTemplateGroupExpiredAt",
+			"subjectTemplateGroups=`%+v`",
+			papSubjectTemplateGroups,
+		)
+		util.SystemErrorJSONResponse(c, err)
+		return
+	}
+
+	util.SuccessJSONResponse(c, "ok", nil)
+}
+
+func convertToPapSubjectTemplateGroup(body []subjectTemplateGroupSerializer) []pap.SubjectTemplateGroup {
+	papSubjectTemplateGroups := make([]pap.SubjectTemplateGroup, 0, len(body))
+	for _, m := range body {
+		papSubjectTemplateGroups = append(papSubjectTemplateGroups, pap.SubjectTemplateGroup{
+			Type:       m.Type,
+			ID:         m.ID,
+			TemplateID: m.TemplateID,
+			GroupID:    m.GroupID,
+			ExpiredAt:  m.ExpiredAt,
+		})
+	}
+	return papSubjectTemplateGroups
+}

pkg/api/web/router.go

@@ -112,7 +112,9 @@ func Register(r *gin.RouterGroup) {
 		// 创建subject-template-group
 		r.POST("/subject-template-groups", handler.BatchCreateSubjectTemplateGroup)
 		// 删除subject-template-group
-		r.DELETE("/subject-template-groups", handler.BatchDeleteSubjectTemplateGroup)
+		r.DELETE("/subject-template-groups", handler.BatchDeleteSubjectTemplateGroup) // NEED FIX
+		// 批量subject-template-group成员过期时间
+		r.PUT("/subject-template-groups/expired_at", handler.BatchUpdateSubjectTemplateGroupExpiredAt)
 	}
 
 	// Resource: subject-departments