fix: 增加项目鉴权 #7626

env.py

@@ -155,7 +155,7 @@
 BK_AUDIT_DATA_TOKEN = os.getenv("BK_AUDIT_DATA_TOKEN", None)
 
 # 流程商店
-ENABLE_TEMPLATE_MARKET = False if os.getenv("ENABLE_TEMPLATE_MARKET") is None else True
+ENABLE_TEMPLATE_MARKET = int(os.getenv("ENABLE_TEMPLATE_MARKET", 0))
 # 流程商店 API 地址
 TEMPLATE_MARKET_API_URL = os.getenv("TEMPLATE_MARKET_API_URL", "")
 # 模板市场路由

gcloud/apigw/views/copy_template_across_project.py

@@ -10,7 +10,6 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
-import logging
 import json
 from apigw_manager.apigw.decorators import apigw_require
 from blueapps.account.decorators import login_exempt
@@ -25,10 +24,11 @@
 )
 
 from gcloud.apigw.views.utils import logger
-from gcloud.contrib.template_market.models import TemplateSharedRecord
+from gcloud.iam_auth.intercept import iam_intercept
 from gcloud.tasktmpl3.models import TaskTemplate
 from gcloud.template_base.utils import format_import_result_to_response_data
 from gcloud.utils.decorators import request_validate
+from gcloud.iam_auth.view_interceptors.apigw import CopyTemplateInterceptor
 from gcloud.apigw.validators.copy_template_across_project import CopyTemplateAcrossProjectValidator
 
 
@@ -40,6 +40,7 @@
 @project_inject
 @request_validate(CopyTemplateAcrossProjectValidator)
 @mark_request_whether_is_trust
+@iam_intercept(CopyTemplateInterceptor())
 def copy_template_across_project(request, project_id):
     if not request.is_trust:
         return {
@@ -52,15 +53,6 @@ def copy_template_across_project(request, project_id):
     new_project_id = params_data["new_project_id"]
     template_id = params_data["template_id"]
 
-    record = TemplateSharedRecord.objects.filter(project_id=request.project.id, template_id=template_id).first()
-    if record is None:
-        logging.warning("The specified template could not be found")
-        return {
-            "result": False,
-            "message": "The specified template could not be found",
-            "code": err_code.REQUEST_FORBIDDEN_INVALID.code,
-        }
-
     try:
         export_data = TaskTemplate.objects.export_templates([template_id], is_full=False, project_id=request.project.id)
         import_result = TaskTemplate.objects.import_templates(

gcloud/contrib/template_market/viewsets.py

@@ -10,7 +10,6 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
-import json
 import logging
 
 from rest_framework import viewsets
@@ -65,7 +64,7 @@ class TemplateSceneViewSet(viewsets.ViewSet):
     def _build_template_data(self, serializer, **kwargs):
         templates = TaskTemplate.objects.filter(id__in=serializer.validated_data["template_ids"], is_deleted=False)
         template_info = [{"id": template.id, "name": template.name} for template in templates]
-        data = {"source_system": settings.APP_CODE, "templates": json.dumps(template_info), **serializer.validated_data}
+        data = {"source_system": settings.APP_CODE, "templates": template_info, **serializer.validated_data}
         market_record_id = kwargs.get("market_record_id")
         if market_record_id:
             data["id"] = market_record_id
@@ -186,9 +185,7 @@ def partial_update(self, request, *args, **kwargs):
         detail_response = self._handle_response(existing_records, "Failed to get details")
         if detail_response:
             return detail_response
-        existing_market_template_ids = set(
-            [template["id"] for template in json.loads(existing_records["data"]["templates"])]
-        )
+        existing_market_template_ids = set([template["id"] for template in existing_records["data"]["templates"]])
 
         data = self._build_template_data(serializer, market_record_id=market_record_id)
         response_data = client.patch_template_scene(data, market_record_id)

gcloud/iam_auth/view_interceptors/apigw/__init__.py

@@ -11,17 +11,18 @@
 specific language governing permissions and limitations under the License.
 """
 
+from .claim_functionalization_task import FunctionTaskInterceptor  # noqa
+from .common_flow_view import CommonFlowViewInterceptor  # noqa
+from .copy_template_across_project import CopyTemplateInterceptor  # noqa
 from .create_periodic_task import CreatePeriodicTaskInterceptor  # noqa
 from .create_task import CreateTaskInterceptor  # noqa
 from .fast_create_task import FastCreateTaskInterceptor  # noqa
-from .common_flow_view import CommonFlowViewInterceptor  # noqa
+from .flow_view import FlowViewInterceptor  # noqa
+from .functionalization_task_view import FunctionViewInterceptor  # noqa
 from .get_periodic_task_info import GetPeriodicTaskInfoInterceptor  # noqa
+from .get_template_info import GetTemplateInfoInterceptor  # noqa
+from .periodic_task_edit import PeriodicTaskEditInterceptor  # noqa
 from .project_view import ProjectViewInterceptor  # noqa
-from .task_view import TaskViewInterceptor  # noqa
 from .task_edit import TaskEditInterceptor  # noqa
 from .task_operate import TaskOperateInterceptor  # noqa
-from .get_template_info import GetTemplateInfoInterceptor  # noqa
-from .flow_view import FlowViewInterceptor  # noqa
-from .periodic_task_edit import PeriodicTaskEditInterceptor  # noqa
-from .functionalization_task_view import FunctionViewInterceptor  # noqa
-from .claim_functionalization_task import FunctionTaskInterceptor  # noqa
+from .task_view import TaskViewInterceptor  # noqa

gcloud/iam_auth/view_interceptors/apigw/copy_template_across_project.py

@@ -0,0 +1,43 @@
+# -*- coding: utf-8 -*-
+"""
+Tencent is pleased to support the open source community by making 蓝鲸智云PaaS平台社区版 (BlueKing PaaS Community
+Edition) available.
+Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
+import json
+import logging
+
+from iam import Action, Subject
+from iam.shortcuts import allow_or_raise_auth_failed
+
+from gcloud.iam_auth import IAMMeta
+from gcloud.iam_auth import get_iam_client
+from gcloud.iam_auth import res_factory
+from gcloud.iam_auth.intercept import ViewInterceptor
+from gcloud.contrib.template_market.models import TemplateSharedRecord
+
+iam = get_iam_client()
+
+
+class CopyTemplateInterceptor(ViewInterceptor):
+    def process(self, request, *args, **kwargs):
+        data = json.loads(request.body)
+        new_project_id = data.get("new_project_id")
+        template_id = data.get("template_id")
+        subject = Subject("user", request.user.username)
+
+        record = TemplateSharedRecord.objects.filter(project_id=request.project.id, template_id=template_id).first()
+        if record is None:
+            error_message = f"Unable to find template {template_id} in project {request.project.id}."
+            logging.error(error_message)
+            raise ValueError(error_message)
+
+        action = Action(IAMMeta.FLOW_CREATE_ACTION)
+        resources = res_factory.resources_for_project(new_project_id)
+        allow_or_raise_auth_failed(iam, IAMMeta.SYSTEM_ID, subject, action, resources, cache=True)