补充统一的权限方案

devcloud/mcenter/apps/policy/model.go

@@ -1,14 +1,18 @@
 package policy
 
 import (
+	"encoding/json"
+	"fmt"
 	"time"
 
 	"122.51.31.227/go-course/go18/devcloud/mcenter/apps/namespace"
 	"122.51.31.227/go-course/go18/devcloud/mcenter/apps/role"
 	"122.51.31.227/go-course/go18/devcloud/mcenter/apps/user"
+	"github.com/infraboard/mcube/v2/ioc/config/datasource"
 	"github.com/infraboard/mcube/v2/ioc/config/validator"
 	"github.com/infraboard/mcube/v2/tools/pretty"
 	"github.com/infraboard/modules/iam/apps"
+	"gorm.io/gorm"
 )
 
 func NewPolicy() *Policy {
@@ -41,7 +45,7 @@ func (p *Policy) String() string {
 func NewCreatePolicyRequest() *CreatePolicyRequest {
 	return &CreatePolicyRequest{
 		ResourceScope: ResourceScope{
-			Scope: map[string]string{},
+			Scope: map[string][]string{},
 		},
 		RoleId:   []uint64{},
 		Extras:   map[string]string{},
@@ -70,11 +74,41 @@ type CreatePolicyRequest struct {
 	Extras map[string]string `json:"extras" bson:"extras" gorm:"column:extras;serializer:json;type:json" description:"扩展信息" optional:"true"`
 }
 
+// 资源需要组合ResourceLabel使用
 type ResourceScope struct {
 	// 空间
 	NamespaceId *uint64 `json:"namespace_id" bson:"namespace_id" gorm:"column:namespace_id;type:varchar(200);index" description:"策略生效的空间Id" optional:"true"`
 	// 访问范围, 需要提前定义scope, 比如环境, 后端开发小组，开发资源
-	Scope map[string]string `json:"scope" bson:"scope" gorm:"column:scope;serializer:json;type:json" description:"数据访问的范围" optional:"true"`
+	Scope map[string][]string `json:"scope" bson:"scope" gorm:"column:scope;serializer:json;type:json" description:"数据访问的范围" optional:"true"`
+}
+
+// 辅助函数：将字符串切片转换为 JSON 数组字符串
+func toJsonArray(arr []string) string {
+	b, _ := json.Marshal(arr)
+	return string(b)
+}
+
+func (r ResourceScope) GormResourceFilter(query *gorm.DB) {
+	if r.NamespaceId != nil {
+		query = query.Where("namespace = ?", r.NamespaceId)
+	}
+
+	switch datasource.Get().Provider {
+	case datasource.PROVIDER_POSTGRES:
+		for key, values := range r.Scope {
+			for k, v := range r.Scope {
+				// 创建一个临时 JSON 对象 {"key": ["value1", "value2"]}
+				jsonCondition := fmt.Sprintf(`{"%s": %s}`, k, toJsonArray(v))
+				query = query.Where("label @> ?", jsonCondition)
+			}
+			query = query.Where("label -->>? IN ?", key, values)
+		}
+	case datasource.PROVIDER_MYSQL:
+		// 过滤条件, Label
+		for key, values := range r.Scope {
+			query = query.Where("label->>? IN (?)", "$."+key, values)
+		}
+	}
 }
 
 func (r *CreatePolicyRequest) Validate() error {
@@ -85,3 +119,10 @@ func (r *CreatePolicyRequest) SetNamespaceId(namespaceId uint64) *CreatePolicyRe
 	r.NamespaceId = &namespaceId
 	return r
 }
+
+type ResourceLabel struct {
+	// 空间
+	NamespaceId *uint64 `json:"namespace_id" bson:"namespace_id" gorm:"column:namespace_id;type:varchar(200);index" description:"策略生效的空间Id" optional:"true"`
+	// 访问范围, 需要提前定义scope, 比如环境, 后端开发小组，开发资源
+	Label map[string]string `json:"label" bson:"label" gorm:"column:label;serializer:json;type:json" description:"数据访问的范围" optional:"true"`
+}

devcloud/mpaas/apps/application/impl/application.go

@@ -38,6 +38,8 @@ func (i *ApplicationServiceImpl) QueryApplication(ctx context.Context, in *appli
 		query = query.Where("ready = ?", *in.Ready)
 	}
 
+	in.GormResourceFilter(query)
+
 	err := query.Count(&set.Total).Error
 	if err != nil {
 		return nil, err

devcloud/mpaas/apps/application/interface.go

@@ -31,12 +31,12 @@ type Service interface {
 }
 
 type QueryApplicationRequest struct {
-	*request.PageRequest
 	policy.ResourceScope
 	QueryApplicationRequestSpec
 }
 
 type QueryApplicationRequestSpec struct {
+	*request.PageRequest
 	// 应用ID
 	Id string `json:"id" bson:"_id"`
 	// 应用名称

devcloud/mpaas/apps/application/model.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"time"
 
+	"122.51.31.227/go-course/go18/devcloud/mcenter/apps/policy"
 	"github.com/google/uuid"
 	"github.com/infraboard/mcube/v2/ioc/config/validator"
 	"github.com/infraboard/mcube/v2/tools/pretty"
@@ -71,7 +72,6 @@ func (a *Application) BuildId() {
 func NewCreateApplicationRequest() *CreateApplicationRequest {
 	return &CreateApplicationRequest{
 		CreateApplicationSpec: CreateApplicationSpec{
-			Labels:          map[string]string{},
 			Extras:          map[string]string{},
 			ImageRepository: []ImageRepository{},
 		},
@@ -83,8 +83,8 @@ type CreateApplicationRequest struct {
 	CreateBy string `json:"create_by" bson:"create_by" gorm:"column:create_by" description:"创建人"`
 	// 创建时间
 	CreateAt time.Time `json:"create_at" bson:"create_at" gorm:"column:create_at" description:"创建时间"`
-	// 应用所属空间名称
+	// 资源范围, Namespace是继承的, Scope是API添加的
-	Namespace string `json:"namespace" bson:"namespace" description:"应用所属空间名称" gorm:"column:namespace"`
+	policy.ResourceLabel
 	// 应用创建参数
 	CreateApplicationSpec
 }
@@ -122,8 +122,6 @@ type CreateApplicationSpec struct {
 	Level *uint32 `json:"level" bson:"level" gorm:"column:level" description:"应用等级, 评估这个应用的重要程度"`
 	// 应用优先级, 应用启动的先后顺序
 	Priority *uint32 `json:"priority" bson:"priority" gorm:"column:priority" description:"应用优先级, 应用启动的先后顺序"`
-	// 应用标签
-	Labels map[string]string `json:"labels" bson:"labels" gorm:"column:labels;serializer:json" description:"应用标签"`
 	// 额外的其他属性
 	Extras map[string]string `json:"extras" form:"extras" bson:"extras" gorm:"column:extras;serializer:json;"`