fix: fix rbac to dev (#7636)

* feat: 添加 RBAC 应用模块

* feat: 添加 RBAC Model、API

* feat: 添加 RBAC Model、API 2

* feat: 添加 RBAC Model、API 3

* feat: 添加 RBAC Model、API 4

* feat: RBAC

* feat: RBAC

* feat: RBAC

* feat: RBAC

* feat: RBAC

* feat: RBAC 整理权限位

* feat: RBAC 整理权限位2

* feat: RBAC 整理权限位2

* feat: RBAC 整理权限位

* feat: RBAC 添加默认角色

* feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定

* feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定

* feat: RBAC 修改用户模块API

* feat: RBAC 添加组织模块迁移文件 & 修改组织模块API

* feat: RBAC 添加组织模块迁移文件 & 修改组织模块API

* feat: RBAC 修改用户角色属性的使用

* feat: RBAC No.1

* xxx

* perf: 暂存

* perf: ...

* perf(rbac): 添加 perms 到 profile serializer 中

* stash

* perf: 使用init

* perf: 修改migrations

* perf: rbac

* stash

* stash

* pref: 修改rbac

* stash it

* stash: 先去修复其他bug

* perf: 修改 role 添加 users

* pref: 修改 RBAC Model

* feat: 添加权限的 tree api

* stash: 暂存一下

* stash: 暂存一下

* perf: 修改 model verbose name

* feat: 添加model各种 verbose name

* perf: 生成 migrations

* perf: 优化权限位

* perf: 添加迁移脚本

* feat: 添加组织角色迁移

* perf: 添加迁移脚本

* stash

* perf: 添加migrateion

* perf: 暂存一下

* perf: 修改rbac

* perf: stash it

* fix: 迁移冲突

* fix: 迁移冲突

* perf: 暂存一下

* perf: 修改 rbac 逻辑

* stash: 暂存一下

* perf: 修改内置角色

* perf: 解决 root 组织的问题

* perf: stash it

* perf: 优化 rbac

* perf: 优化 rolebinding 处理

* perf: 完成用户离开组织的问题

* perf: 暂存一下

* perf: 修改翻译

* perf: 去掉了 IsSuperUser

* perf: IsAppUser 去掉完成

* perf: 修改 connection token 的权限

* perf: 去掉导入的问题

* perf: perms define 格式，修改 app 用户 的全新啊

* perf: 修改 permission

* perf: 去掉一些 org admin

* perf: 去掉部分 org admin

* perf: 再去掉点 org admin role

* perf: 再去掉部分 org admin

* perf: user 角色搜索

* perf: 去掉很多 js

* perf: 添加权限位

* perf: 修改权限

* perf: 去掉一个 todo

* merge: with dev

* fix: 修复冲突

Co-authored-by: Bai <bugatti_it@163.com>
Co-authored-by: Michael Bai <baijiangjie@gmail.com>
Co-authored-by: ibuler <ibuler@qq.com>

apps/rbac/builtin.py

@@ -0,0 +1,134 @@
+from django.utils.translation import ugettext_noop
+
+from .const import Scope, system_exclude_permissions, org_exclude_permissions
+
+
+auditor_perms = (
+    ('audits', '*', '*', '*'),
+    ('rbac', 'menupermission', 'view', 'auditview'),
+    ('terminal', 'session', '*', '*'),
+    ('terminal', 'command', '*', '*'),
+)
+
+user_perms = (
+    ('rbac', 'menupermission', 'view', 'userview'),
+    ('perms', 'assetpermission', 'view,connect', 'myassets'),
+    ('perms', 'applicationpermission', 'view,connect', 'myapps'),
+)
+
+app_exclude_perms = [
+    ('users', 'user', 'add,delete', 'user'),
+    ('orgs', 'org', 'add,delete,change', 'org'),
+    ('rbac', '*', '*', '*'),
+]
+
+need_check = [
+    *auditor_perms, *user_perms, *app_exclude_perms,
+    *system_exclude_permissions, *org_exclude_permissions
+]
+defines_errors = [d for d in need_check if len(d) != 4]
+if len(defines_errors) != 0:
+    raise ValueError('Perms define error: {}'.format(defines_errors))
+
+
+class PreRole:
+    id_prefix = '00000000-0000-0000-0000-00000000000'
+
+    def __init__(self, index, name, scope, perms, perms_type='include'):
+        self.id = self.id_prefix + index
+        self.name = name
+        self.scope = scope
+        self.perms = perms
+        self.perms_type = perms_type
+
+    def get_role(self):
+        from rbac.models import Role
+        return Role.objects.get(id=self.id)
+
+    def get_defaults(self):
+        from rbac.models import Permission
+        q = Permission.get_define_permissions_q(self.perms)
+        permissions = Permission.get_permissions(self.scope)
+
+        if not q:
+            permissions = permissions.none()
+        elif self.perms_type == 'include':
+            permissions = permissions.filter(q)
+        else:
+            permissions = permissions.exclude(q)
+
+        perms = permissions.values_list('id', flat=True)
+        defaults = {
+            'id': self.id, 'name': self.name, 'scope': self.scope,
+            'builtin': True, 'permissions': perms
+        }
+        return defaults
+
+    def get_or_create_role(self):
+        from rbac.models import Role
+        defaults = self.get_defaults()
+        permissions = defaults.pop('permissions', [])
+        role, created = Role.objects.get_or_create(defaults, id=self.id)
+        role.permissions.set(permissions)
+        return role, created
+
+
+class BuiltinRole:
+    system_admin = PreRole(
+        '1', ugettext_noop('SystemAdmin'), Scope.system, []
+    )
+    system_auditor = PreRole(
+        '2', ugettext_noop('SystemAuditor'), Scope.system, auditor_perms
+    )
+    system_app = PreRole(
+        '4', ugettext_noop('SystemApp'), Scope.system, app_exclude_perms, 'exclude'
+    )
+    system_user = PreRole(
+        '3', ugettext_noop('User'), Scope.system, []
+    )
+    org_admin = PreRole(
+        '5', ugettext_noop('OrgAdmin'), Scope.org, []
+    )
+    org_auditor = PreRole(
+        '6', ugettext_noop('OrgAuditor'), Scope.org, auditor_perms
+    )
+    org_user = PreRole(
+        '7', ugettext_noop('OrgUser'), Scope.org, user_perms
+    )
+
+    @classmethod
+    def get_roles(cls):
+        roles = {
+            k: v
+            for k, v in cls.__dict__.items()
+            if isinstance(v, PreRole)
+        }
+        return roles
+
+    @classmethod
+    def get_system_role_by_old_name(cls, name):
+        mapper = {
+            'App': cls.system_app,
+            'Admin': cls.system_admin,
+            'User': cls.system_user,
+            'Auditor': cls.system_auditor
+        }
+        return mapper[name].get_role()
+
+    @classmethod
+    def get_org_role_by_old_name(cls, name):
+        mapper = {
+            'Admin': cls.org_admin,
+            'User': cls.org_user,
+            'Auditor': cls.org_auditor,
+        }
+        return mapper[name].get_role()
+
+    @classmethod
+    def sync_to_db(cls):
+        roles = cls.get_roles()
+
+        for pre_role in roles.values():
+            role, created = pre_role.get_or_create_role()
+            print("Create builtin Role: {} - {}".format(role.name, created))
+