// Copyright 2019 Yunion // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package models import ( "context" "database/sql" "fmt" "strings" "time" "yunion.io/x/jsonutils" "yunion.io/x/log" "yunion.io/x/pkg/errors" "yunion.io/x/pkg/tristate" "yunion.io/x/pkg/util/pinyinutils" "yunion.io/x/pkg/util/rbacscope" "yunion.io/x/sqlchemy" api "yunion.io/x/onecloud/pkg/apis/identity" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" "yunion.io/x/onecloud/pkg/cloudcommon/db/quotas" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" "yunion.io/x/onecloud/pkg/cloudcommon/notifyclient" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/keystone/options" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/logclient" "yunion.io/x/onecloud/pkg/util/rbacutils" "yunion.io/x/onecloud/pkg/util/stringutils2" "yunion.io/x/onecloud/pkg/util/tagutils" ) type SProjectManager struct { SIdentityBaseResourceManager } var ProjectManager *SProjectManager func init() { ProjectManager = &SProjectManager{ SIdentityBaseResourceManager: NewIdentityBaseResourceManager( SProject{}, "project", "project", "projects", ), } ProjectManager.SetVirtualObject(ProjectManager) notifyclient.AddNotifyDBHookResources(ProjectManager.KeywordPlural(), ProjectManager.AliasPlural()) } /* +-------------+-------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+-------------+------+-----+---------+-------+ | id | varchar(64) | NO | PRI | NULL | | | name | varchar(64) | NO | | NULL | | | extra | text | YES | | NULL | | | description | text | YES | | NULL | | | enabled | tinyint(1) | YES | | NULL | | | domain_id | varchar(64) | NO | MUL | NULL | | | parent_id | varchar(64) | YES | MUL | NULL | | | is_domain | tinyint(1) | NO | | 0 | | | created_at | datetime | YES | | NULL | | +-------------+-------------+------+-----+---------+-------+ */ type SProject struct { SIdentityBaseResource // 上级项目或域的ID ParentId string `width:"64" charset:"ascii" list:"domain" create:"domain_optional"` // 该项目是否为域(domain) IsDomain tristate.TriState `default:"false"` AdminId string `width:"64" charset:"ascii" nullable:"true" list:"domain"` } func (manager *SProjectManager) GetContextManagers() [][]db.IModelManager { return [][]db.IModelManager{ {UserManager}, {GroupManager}, } } func (manager *SProjectManager) InitializeData() error { ctx := context.TODO() err := manager.initSysProject(ctx) if err != nil { return errors.Wrap(err, "initSysProject") } return nil } func (manager *SProjectManager) initSysProject(ctx context.Context) error { q := manager.Query().Equals("name", api.SystemAdminProject) q = q.Equals("domain_id", api.DEFAULT_DOMAIN_ID) cnt, err := q.CountWithError() if err != nil { return errors.Wrap(err, "query") } if cnt == 1 { return nil } if cnt > 2 { // ??? log.Fatalf("duplicate system project???") } // insert project := SProject{} project.Name = api.SystemAdminProject project.DomainId = api.DEFAULT_DOMAIN_ID // project.Enabled = tristate.True project.Description = "Boostrap system default admin project" project.IsDomain = tristate.False project.ParentId = api.DEFAULT_DOMAIN_ID project.SetModelManager(manager, &project) err = manager.TableSpec().Insert(ctx, &project) if err != nil { return errors.Wrap(err, "insert") } return nil } func (project *SProject) resetAdminUser(ctx context.Context, userCred mcclient.TokenCredential) error { role, err := RoleManager.FetchRoleByName(options.Options.ProjectAdminRole, "", "") if err != nil { return errors.Wrapf(err, "FetchRoleByName %s", options.Options.ProjectAdminRole) } q := AssignmentManager.fetchProjectRoleUserIdsQuery(project.Id, role.Id) userId := struct { ActorId string }{} err = q.First(&userId) if err != nil && errors.Cause(err) != sql.ErrNoRows { return errors.Wrap(err, "query") } err = project.setAdminId(ctx, userCred, userId.ActorId) if err != nil { return errors.Wrap(err, "setAdminId") } return nil } func (manager *SProjectManager) NewQuery(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, useRawQuery bool) *sqlchemy.SQuery { return manager.Query() } func (manager *SProjectManager) Query(fields ...string) *sqlchemy.SQuery { return manager.SIdentityBaseResourceManager.Query(fields...).IsFalse("is_domain") } func (manager *SProjectManager) FetchProjectByName(projectName string, domainId, domainName string) (*SProject, error) { obj, err := db.NewModelObject(manager) if err != nil { return nil, errors.Wrap(err, "db.NewModelObject") } if len(domainId) == 0 && len(domainName) == 0 { q := manager.Query().Equals("name", projectName) cnt, err := q.CountWithError() if err != nil { return nil, errors.Wrap(err, "CountWithError") } if cnt == 0 { return nil, sql.ErrNoRows } if cnt > 1 { return nil, sqlchemy.ErrDuplicateEntry } err = q.First(obj) if err != nil { return nil, errors.Wrap(err, "q.First") } } else { domain, err := DomainManager.FetchDomain(domainId, domainName) if err != nil { return nil, errors.Wrap(err, "DomainManager.FetchDomain") } q := manager.Query().Equals("name", projectName).Equals("domain_id", domain.Id) err = q.First(obj) if err != nil { return nil, errors.Wrap(err, "q.First") } } return obj.(*SProject), nil } func (manager *SProjectManager) FetchProjectById(projectId string) (*SProject, error) { obj, err := db.NewModelObject(manager) if err != nil { return nil, err } q := manager.Query().Equals("id", projectId) err = q.First(obj) if err != nil { return nil, err } return obj.(*SProject), err } func (manager *SProjectManager) FetchProject(projectId, projectName string, domainId, domainName string) (*SProject, error) { if len(projectId) > 0 { return manager.FetchProjectById(projectId) } if len(projectName) > 0 { return manager.FetchProjectByName(projectName, domainId, domainName) } return nil, fmt.Errorf("no project Id or name provided") } // +onecloud:model-api-gen type SProjectExtended struct { SProject DomainName string } func (proj *SProject) getDomain() (*SDomain, error) { return DomainManager.FetchDomainById(proj.DomainId) } func (proj *SProject) FetchExtend() (*SProjectExtended, error) { domain, err := proj.getDomain() if err != nil { return nil, err } ext := SProjectExtended{ SProject: *proj, DomainName: domain.Name, } return &ext, nil } // 项目列表 func (manager *SProjectManager) ListItemFilter( ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query api.ProjectListInput, ) (*sqlchemy.SQuery, error) { var err error q, err = manager.SIdentityBaseResourceManager.ListItemFilter(ctx, q, userCred, query.IdentityBaseResourceListInput) if err != nil { return nil, errors.Wrap(err, "SIdentityBaseResourceManager.ListItemFilter") } if !query.PolicyProjectTags.IsEmpty() { policyFilters := tagutils.STagFilters{} policyFilters.AddFilters(query.PolicyProjectTags) q = db.ObjectIdQueryWithTagFilters(ctx, q, "id", "project", policyFilters) } userStr := query.UserId if len(userStr) > 0 { userObj, err := UserManager.FetchById(userStr) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(UserManager.Keyword(), userStr) } else { return nil, httperrors.NewGeneralError(err) } } subq := AssignmentManager.fetchUserProjectIdsQuery(userObj.GetId()) if query.Jointable != nil && *query.Jointable { user := userObj.(*SUser) if user.DomainId == api.DEFAULT_DOMAIN_ID { q = q.Equals("domain_id", api.DEFAULT_DOMAIN_ID) } else { q = q.In("domain_id", []string{user.DomainId, api.DEFAULT_DOMAIN_ID}) } q = q.NotIn("id", subq.SubQuery()) } else { q = q.In("id", subq.SubQuery()) } } if len(query.AdminId) > 0 { sq := UserManager.Query("id") sq = sq.Filter( sqlchemy.OR( sqlchemy.In(sq.Field("id"), query.AdminId), sqlchemy.In(sq.Field("name"), query.AdminId), ), ) q = q.In("admin_id", sq.SubQuery()) } groupStr := query.GroupId if len(groupStr) > 0 { groupObj, err := GroupManager.FetchById(groupStr) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(GroupManager.Keyword(), groupStr) } else { return nil, httperrors.NewGeneralError(err) } } subq := AssignmentManager.fetchGroupProjectIdsQuery(groupObj.GetId()) if query.Jointable != nil && *query.Jointable { group := groupObj.(*SGroup) if group.DomainId == api.DEFAULT_DOMAIN_ID { q = q.Equals("domain_id", api.DEFAULT_DOMAIN_ID) } else { q = q.In("domain_id", []string{group.DomainId, api.DEFAULT_DOMAIN_ID}) } q = q.NotIn("id", subq.SubQuery()) } else { q = q.In("id", subq.SubQuery()) } } if len(query.IdpId) > 0 { idpObj, err := IdentityProviderManager.FetchByIdOrName(ctx, userCred, query.IdpId) if err != nil { if errors.Cause(err) == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(IdentityProviderManager.Keyword(), query.IdpId) } else { return nil, errors.Wrap(err, "IdentityProviderManager.FetchByIdOrName") } } subq := IdmappingManager.FetchPublicIdsExcludesQuery(idpObj.GetId(), api.IdMappingEntityDomain, nil) q = q.In("domain_id", subq.SubQuery()) } return q, nil } func (manager *SProjectManager) OrderByExtraFields( ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query api.ProjectListInput, ) (*sqlchemy.SQuery, error) { var err error q, err = manager.SIdentityBaseResourceManager.OrderByExtraFields(ctx, q, userCred, query.IdentityBaseResourceListInput) if err != nil { return nil, errors.Wrap(err, "SIdentityBaseResourceManager.OrderByExtraFields") } return q, nil } func (manager *SProjectManager) QueryDistinctExtraField(q *sqlchemy.SQuery, field string) (*sqlchemy.SQuery, error) { var err error q, err = manager.SIdentityBaseResourceManager.QueryDistinctExtraField(q, field) if err == nil { return q, nil } if field == "admin" { userQuery := UserManager.Query("name", "id").Distinct().SubQuery() q.AppendField(userQuery.Field("name", field)) q = q.Join(userQuery, sqlchemy.Equals(q.Field("admin_id"), userQuery.Field("id"))) q.GroupBy(userQuery.Field("name")) return q, nil } return q, httperrors.ErrNotFound } func (model *SProject) CustomizeCreate(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data jsonutils.JSONObject) error { model.ParentId = ownerId.GetProjectDomainId() model.IsDomain = tristate.False return model.SIdentityBaseResource.CustomizeCreate(ctx, userCred, ownerId, query, data) } func (proj *SProject) GetUserCount() (int, error) { q := AssignmentManager.fetchProjectUserIdsQuery(proj.Id) return q.CountWithError() } func (proj *SProject) GetGroupCount() (int, error) { q := AssignmentManager.fetchProjectGroupIdsQuery(proj.Id) return q.CountWithError() } func (proj *SProject) ValidateDeleteCondition(ctx context.Context, info *api.ProjectDetails) error { if proj.IsAdminProject() { return httperrors.NewForbiddenError("cannot delete system project") } /*if len(info.ExtResource) > 0 { return httperrors.NewNotEmptyError("project contains external resources") }*/ if info.UserCount > 0 { return httperrors.NewNotEmptyError("project contains user") } if info.GroupCount > 0 { return httperrors.NewNotEmptyError("project contains group") } return proj.SIdentityBaseResource.ValidateDeleteCondition(ctx, nil) } func (proj *SProject) Delete(ctx context.Context, userCred mcclient.TokenCredential) error { err := proj.SIdentityBaseResource.Delete(ctx, userCred) if err != nil { return errors.Wrap(err, "project delete") } notifyclient.EventNotify(ctx, userCred, notifyclient.SEventNotifyParam{ Obj: proj, Action: notifyclient.ActionDelete, }) return nil } func (proj *SProject) IsAdminProject() bool { return proj.Name == api.SystemAdminProject && proj.DomainId == api.DEFAULT_DOMAIN_ID } func (proj *SProject) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.ProjectUpdateInput) (api.ProjectUpdateInput, error) { if len(input.Name) > 0 { if proj.IsAdminProject() { return input, httperrors.NewForbiddenError("cannot alter system project name") } } var err error input.IdentityBaseUpdateInput, err = proj.SIdentityBaseResource.ValidateUpdateData(ctx, userCred, query, input.IdentityBaseUpdateInput) if err != nil { return input, errors.Wrap(err, "SIdentityBaseResource.ValidateUpdateData") } return input, nil } func (manager *SProjectManager) FetchCustomizeColumns( ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, objs []interface{}, fields stringutils2.SSortedStrings, isList bool, ) []api.ProjectDetails { rows := make([]api.ProjectDetails, len(objs)) identRows := manager.SIdentityBaseResourceManager.FetchCustomizeColumns(ctx, userCred, query, objs, fields, isList) projIds := make([]string, len(objs)) adminUserIds := make([]string, 0) for i := range rows { rows[i] = api.ProjectDetails{ IdentityBaseResourceDetails: identRows[i], } proj := objs[i].(*SProject) projIds[i] = proj.Id if len(proj.AdminId) > 0 { adminUserIds = append(adminUserIds, proj.AdminId) } } extResource, extLastUpdate, err := ScopeResourceManager.FetchProjectsScopeResources(projIds) if err != nil { return rows } groupCnt, userCnt, err := AssignmentManager.fetchUserAndGroups(projIds) if err != nil { return rows } userMaps := make(map[string]SUser) err = db.FetchModelObjectsByIds(UserManager, "id", adminUserIds, &userMaps) if err != nil { log.Errorf("FetchModelObjectsByIds fail %s", err) } for i := range rows { groups, _ := groupCnt[projIds[i]] users, _ := userCnt[projIds[i]] rows[i].GroupCount = len(groups) rows[i].UserCount = len(users) rows[i].ExtResource, _ = extResource[projIds[i]] rows[i].ExtResourcesLastUpdate, _ = extLastUpdate[projIds[i]] if len(rows[i].ExtResource) == 0 { if rows[i].ExtResourcesLastUpdate.IsZero() { rows[i].ExtResourcesLastUpdate = time.Now() } nextUpdate := rows[i].ExtResourcesLastUpdate.Add(time.Duration(options.Options.FetchScopeResourceCountIntervalSeconds) * time.Second) rows[i].ExtResourcesNextUpdate = nextUpdate } proj := objs[i].(*SProject) if len(proj.AdminId) > 0 { if user, ok := userMaps[proj.AdminId]; ok { rows[i].Admin = user.Name rows[i].AdminDomain = user.GetDomain().Name rows[i].AdminDomainId = user.DomainId } } projOrg, err := proj.matchOrganizationNodes() if err != nil { log.Errorf("matchOrganizationNodes fail %s", err) } else { rows[i].Organization = projOrg } } return rows } func NormalizeProjectName(name string) string { name = pinyinutils.Text2Pinyin(name) newName := strings.Builder{} lastSlash := false for _, c := range name { if (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') { newName.WriteRune(c) lastSlash = false } else if c >= 'A' && c <= 'Z' { newName.WriteRune(c - 'A' + 'a') lastSlash = false } else if !lastSlash { newName.WriteRune('-') lastSlash = true } } return newName.String() } func (manager *SProjectManager) FetchUserProjects(userId string) ([]SProjectExtended, error) { projects := manager.Query().SubQuery() domains := DomainManager.Query().SubQuery() q := projects.Query( projects.Field("id"), projects.Field("name"), projects.Field("domain_id"), domains.Field("name").Label("domain_name"), ) q = q.Join(domains, sqlchemy.Equals(projects.Field("domain_id"), domains.Field("id"))) subq := AssignmentManager.fetchUserProjectIdsQuery(userId) q = q.Filter(sqlchemy.In(projects.Field("id"), subq)) ret := make([]SProjectExtended, 0) err := q.All(&ret) if err != nil && err != sql.ErrNoRows { return nil, errors.Wrap(err, "query.All") } for i := range ret { ret[i].SetModelManager(manager, &ret[i]) } return ret, nil } func (manager *SProjectManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, input api.ProjectCreateInput) (api.ProjectCreateInput, error) { err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId()) if err != nil { return input, errors.Wrap(err, "ValidateCreateDomainId") } input.IdentityBaseResourceCreateInput, err = manager.SIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, input.IdentityBaseResourceCreateInput) if err != nil { return input, errors.Wrap(err, "SIdentityBaseResourceManager.ValidateCreateData") } quota := &SIdentityQuota{Project: 1} quota.SetKeys(quotas.SBaseDomainQuotaKeys{DomainId: ownerId.GetProjectDomainId()}) err = quotas.CheckSetPendingQuota(ctx, userCred, quota) if err != nil { return input, errors.Wrap(err, "CheckSetPendingQuota") } return input, nil } func (project *SProject) PostCreate( ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data jsonutils.JSONObject, ) { project.SIdentityBaseResource.PostCreate(ctx, userCred, ownerId, query, data) quota := &SIdentityQuota{Project: 1} quota.SetKeys(quotas.SBaseDomainQuotaKeys{DomainId: ownerId.GetProjectDomainId()}) err := quotas.CancelPendingUsage(ctx, userCred, quota, quota, true) if err != nil { log.Errorf("CancelPendingUsage fail %s", err) } notifyclient.EventNotify(ctx, userCred, notifyclient.SEventNotifyParam{ Obj: project, Action: notifyclient.ActionCreate, }) } func threeMemberSystemValidatePolicies(userCred mcclient.TokenCredential, projectId string, assignPolicies rbacutils.TPolicyGroup) error { assignScope := assignPolicies.HighestScope() var checkRoles []string if assignScope == rbacscope.ScopeSystem { checkRoles = options.Options.SystemThreeAdminRoleNames } else if assignScope == rbacscope.ScopeDomain { checkRoles = options.Options.DomainThreeAdminRoleNames } else { return nil } var contains []string for _, roleName := range checkRoles { role, err := RoleManager.FetchRoleByName(roleName, "", "") if err != nil { return httperrors.NewResourceNotFoundError2(RoleManager.Keyword(), roleName) } _, adminPolicies, _ := RolePolicyManager.GetMatchPolicyGroup2(false, []string{role.Id}, projectId, "", time.Time{}, false) if adminPolicies[assignScope].Contains(assignPolicies[assignScope]) { contains = append(contains, roleName) } } if len(contains) != 1 { return errors.Wrapf(httperrors.ErrNotSufficientPrivilege, "assigning roles violates three-member policy: %s", contains) } return nil } func normalValidatePolicies(userCred mcclient.TokenCredential, assignPolicies rbacutils.TPolicyGroup) error { _, opsPolicies, err := RolePolicyManager.GetMatchPolicyGroup(userCred, time.Time{}, false) if err != nil { return errors.Wrap(err, "RolePolicyManager.GetMatchPolicyGroup") } opsScope := opsPolicies.HighestScope() assignScope := assignPolicies.HighestScope() if assignScope.HigherThan(opsScope) { return errors.Wrap(httperrors.ErrNotSufficientPrivilege, "assigning roles requires higher privilege scope") } else if assignScope == opsScope && !opsPolicies[opsScope].Contains(assignPolicies[assignScope]) { return errors.Wrap(httperrors.ErrNotSufficientPrivilege, "assigning roles violates operator's policy") } return nil } func validateAssignPolicies(userCred mcclient.TokenCredential, projectId string, assignPolicies rbacutils.TPolicyGroup) error { if options.Options.NoPolicyViolationCheck { return nil } if options.Options.ThreeAdminRoleSystem { return threeMemberSystemValidatePolicies(userCred, projectId, assignPolicies) } else { return normalValidatePolicies(userCred, assignPolicies) } } func validateJoinProject(userCred mcclient.TokenCredential, project *SProject, roleIds []string) error { return ValidateJoinProjectRoles(userCred, project.Id, roleIds) } func ValidateJoinProjectRoles(userCred mcclient.TokenCredential, projectId string, roleIds []string) error { _, assignPolicies, err := RolePolicyManager.GetMatchPolicyGroup2(false, roleIds, projectId, "", time.Time{}, false) if err != nil { return errors.Wrap(err, "RolePolicyManager.GetMatchPolicyGroup2") } return validateAssignPolicies(userCred, projectId, assignPolicies) } // 将用户或组加入项目 func (project *SProject) PerformJoin( ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.SProjectAddUserGroupInput, ) (jsonutils.JSONObject, error) { err := input.Validate() if err != nil { return nil, httperrors.NewInputParameterError("%v", err) } roleIds := make([]string, 0) roles := make([]*SRole, 0) for i := range input.Roles { obj, err := RoleManager.FetchByIdOrName(ctx, userCred, input.Roles[i]) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(RoleManager.Keyword(), input.Roles[i]) } else { return nil, httperrors.NewGeneralError(err) } } role := obj.(*SRole) roles = append(roles, role) roleIds = append(roleIds, role.Id) } err = validateJoinProject(userCred, project, roleIds) if err != nil { return nil, errors.Wrap(err, "validateJoinProject") } users := make([]*SUser, 0) for i := range input.Users { obj, err := UserManager.FetchByIdOrName(ctx, userCred, input.Users[i]) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(UserManager.Keyword(), input.Users[i]) } else { return nil, httperrors.NewGeneralError(err) } } users = append(users, obj.(*SUser)) } groups := make([]*SGroup, 0) for i := range input.Groups { obj, err := GroupManager.FetchByIdOrName(ctx, userCred, input.Groups[i]) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(GroupManager.Keyword(), input.Groups[i]) } else { return nil, httperrors.NewGeneralError(err) } } groups = append(groups, obj.(*SGroup)) } for i := range users { for j := range roles { err = AssignmentManager.ProjectAddUser(ctx, userCred, project, users[i], roles[j]) if err != nil { return nil, httperrors.NewGeneralError(err) } } } for i := range groups { for j := range roles { err = AssignmentManager.projectAddGroup(ctx, userCred, project, groups[i], roles[j]) if err != nil { return nil, httperrors.NewGeneralError(err) } } } if input.EnableAllUsers { for i := range users { db.EnabledPerformEnable(users[i], ctx, userCred, true) } } return nil, nil } // 将用户或组移出项目 func (project *SProject) PerformLeave( ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.SProjectRemoveUserGroupInput, ) (jsonutils.JSONObject, error) { err := input.Validate() if err != nil { return nil, httperrors.NewInputParameterError("%v", err) } for i := range input.UserRoles { userObj, err := UserManager.FetchByIdOrName(ctx, userCred, input.UserRoles[i].User) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(UserManager.Keyword(), input.UserRoles[i].User) } else { return nil, httperrors.NewGeneralError(err) } } roleObj, err := RoleManager.FetchByIdOrName(ctx, userCred, input.UserRoles[i].Role) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(RoleManager.Keyword(), input.UserRoles[i].Role) } else { return nil, httperrors.NewGeneralError(err) } } err = AssignmentManager.projectRemoveUser(ctx, userCred, project, userObj.(*SUser), roleObj.(*SRole)) if err != nil { return nil, httperrors.NewGeneralError(err) } } for i := range input.GroupRoles { groupObj, err := GroupManager.FetchByIdOrName(ctx, userCred, input.GroupRoles[i].Group) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(GroupManager.Keyword(), input.GroupRoles[i].Group) } else { return nil, httperrors.NewGeneralError(err) } } roleObj, err := RoleManager.FetchByIdOrName(ctx, userCred, input.GroupRoles[i].Role) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(RoleManager.Keyword(), input.GroupRoles[i].Role) } else { return nil, httperrors.NewGeneralError(err) } } err = AssignmentManager.projectRemoveGroup(ctx, userCred, project, groupObj.(*SGroup), roleObj.(*SRole)) if err != nil { return nil, httperrors.NewGeneralError(err) } } return nil, nil } func (project *SProject) GetUsages() []db.IUsage { if project.Deleted { return nil } usage := SIdentityQuota{Project: 1} usage.SetKeys(quotas.SBaseDomainQuotaKeys{DomainId: project.DomainId}) return []db.IUsage{ &usage, } } func (manager *SProjectManager) NewProject(ctx context.Context, projectName string, desc string, domainId string) (*SProject, error) { project := &SProject{} project.SetModelManager(ProjectManager, project) ownerId := &db.SOwnerId{} if manager.NamespaceScope() == rbacscope.ScopeDomain { ownerId.DomainId = domainId } project.DomainId = domainId project.Description = desc project.IsDomain = tristate.False project.ParentId = domainId var err = func() error { lockman.LockRawObject(ctx, manager.Keyword(), "name") defer lockman.ReleaseRawObject(ctx, manager.Keyword(), "name") newName, err := db.GenerateName(ctx, ProjectManager, ownerId, projectName) if err != nil { // ignore the error log.Errorf("db.GenerateName error %s for default domain project %s", err, projectName) newName = projectName } project.Name = newName return ProjectManager.TableSpec().Insert(ctx, project) }() if err != nil { return nil, errors.Wrap(err, "Insert") } return project, nil } func (project *SProject) PerformSetAdmin( ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.SProjectSetAdminInput, ) (jsonutils.JSONObject, error) { // unset admin if len(input.UserId) == 0 { return nil, project.setAdminId(ctx, userCred, input.UserId) } var user *SUser var role *SRole { obj, err := UserManager.FetchByIdOrName(ctx, userCred, input.UserId) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(UserManager.Keyword(), input.UserId) } else { return nil, httperrors.NewGeneralError(err) } } user = obj.(*SUser) } { obj, err := RoleManager.FetchByIdOrName(ctx, userCred, options.Options.ProjectAdminRole) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(RoleManager.Keyword(), options.Options.ProjectAdminRole) } else { return nil, httperrors.NewGeneralError(err) } } role = obj.(*SRole) } inProject, err := AssignmentManager.isUserInProjectWithRole(user.Id, project.Id, role.Id) if err != nil { return nil, errors.Wrap(err, "isUserInProjectWithRole") } if !inProject { err = AssignmentManager.ProjectAddUser(ctx, userCred, project, user, role) if err != nil { return nil, httperrors.NewGeneralError(err) } } err = project.setAdminId(ctx, userCred, user.Id) if err != nil { return nil, errors.Wrap(err, "setAdminId") } return nil, nil } func (project *SProject) setAdminId(ctx context.Context, userCred mcclient.TokenCredential, userId string) error { if project.AdminId != userId { diff, err := db.Update(project, func() error { project.AdminId = userId return nil }) if err != nil { return errors.Wrap(err, "update adminId") } db.OpsLog.LogEvent(project, db.ACT_UPDATE, diff, userCred) logclient.AddSimpleActionLog(project, logclient.ACT_UPDATE, diff, userCred, true) } return nil } func (project *SProject) matchOrganizationNodes() (*api.SProjectOrganization, error) { orgs, err := OrganizationManager.FetchOrgnaizations(func(q *sqlchemy.SQuery) *sqlchemy.SQuery { q = q.Equals("type", api.OrgTypeProject) q = q.IsTrue("enabled") return q }) if err != nil { return nil, errors.Wrap(err, "FetchOrgnaizations") } if len(orgs) == 0 { return nil, nil } else if len(orgs) > 1 { return nil, errors.Wrap(httperrors.ErrDuplicateResource, "multiple enabled organizations") } org := &orgs[0] tags, err := project.GetAllOrganizationMetadata() if err != nil { return nil, errors.Wrap(err, "GetAllOrganizationMetadata") } if len(tags) == 0 { return nil, nil } log.Debugf("matchOrganizationNodes %s", jsonutils.Marshal(tags)) projOrg, err := org.getProjectOrganization(tags) if err != nil { return nil, errors.Wrap(err, "getProjectOrganization") } return projOrg, nil } func (manager *SProjectManager) FilterByOwner(ctx context.Context, q *sqlchemy.SQuery, man db.FilterByOwnerProvider, userCred mcclient.TokenCredential, owner mcclient.IIdentityProvider, scope rbacscope.TRbacScope) *sqlchemy.SQuery { if userCred != nil && scope != rbacscope.ScopeSystem && scope != rbacscope.ScopeDomain { q = q.Equals("id", owner.GetProjectId()) } return manager.SIdentityBaseResourceManager.FilterByOwner(ctx, q, man, userCred, owner, scope) } func (manager *SProjectManager) GetSystemProject() (*SProject, error) { q := manager.Query().Equals("name", api.SystemAdminProject) ret := &SProject{} ret.SetModelManager(manager, ret) err := q.First(ret) if err != nil { return nil, err } return ret, nil } func (self *SProject) StartProjectCleanTask(ctx context.Context, userCred mcclient.TokenCredential) error { task, err := taskman.TaskManager.NewTask(ctx, "ProjectCleanTask", self, userCred, nil, "", "", nil) if err != nil { return err } return task.ScheduleRun(nil) } func (self *SProject) GetEmptyProjects() ([]SProject, error) { q := ProjectManager.Query().IsFalse("pending_deleted").NotEquals("name", api.SystemAdminProject) scopes := []SScopeResource{} ScopeResourceManager.Query().GT("count", 0).All(&scopes) ids := []string{} for _, scope := range scopes { ids = append(ids, scope.ProjectId) } projects := []SProject{} if len(ids) == 0 { return projects, nil } q = q.Filter(sqlchemy.NotIn(q.Field("id"), ids)) err := db.FetchModelObjects(ProjectManager, q, &projects) if err != nil { return nil, err } return projects, nil } func (manager *SProjectManager) PerformClean(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input *api.ProjectCleanInput) (jsonutils.JSONObject, error) { if !userCred.HasSystemAdminPrivilege() { return nil, httperrors.NewForbiddenError("not allow clean projects") } system, err := manager.GetSystemProject() if err != nil { return nil, err } return nil, system.StartProjectCleanTask(ctx, userCred) }