feat: support rbac SSO token

apps/authentication/api/sso.py

@@ -14,7 +14,6 @@ from rest_framework.response import Response
 from authentication.errors import ACLError
 from common.api import JMSGenericViewSet
 from common.const.http import POST, GET
-from common.permissions import OnlySuperUser
 from common.serializers import EmptySerializer
 from common.utils import reverse, safe_next_url
 from common.utils.timezone import utc_now
@@ -38,8 +37,11 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
         'login_url': SSOTokenSerializer,
         'login': EmptySerializer
     }
+    rbac_perms = {
+        'login_url': 'authentication.add_ssotoken',
+    }
     
-    @action(methods=[POST], detail=False, permission_classes=[OnlySuperUser], url_path='login-url')
+    @action(methods=[POST], detail=False, url_path='login-url')
     def login_url(self, request, *args, **kwargs):
         if not settings.AUTH_SSO:
             raise SSOAuthClosed()

apps/rbac/const.py

@@ -24,7 +24,7 @@ exclude_permissions = (
     ('authentication', 'privatetoken', '*', '*'),
     ('authentication', 'connectiontoken', 'delete,change', 'connectiontoken'),
     ('authentication', 'connectiontoken', 'view', 'connectiontokensecret'),
-    ('authentication', 'ssotoken', '*', '*'),
+    ('authentication', 'ssotoken', 'change,delete', 'ssotoken'),
     ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'),
     ('authentication', 'temptoken', 'delete', 'temptoken'),
     ('users', 'userpasswordhistory', '*', '*'),
@@ -148,6 +148,7 @@ only_system_permissions = (
     ('authentication', 'superconnectiontoken', '*', '*'),
     ('authentication', 'temptoken', '*', '*'),
     ('authentication', 'passkey', '*', '*'),
+    ('authentication', 'ssotoken', '*', '*'),
     ('tickets', '*', '*', '*'),
     ('orgs', 'organization', 'view', 'rootorg'),
     ('terminal', 'applet', '*', '*'),