yangzhenghui
/
ZhAgent


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374
							# -*- coding: utf-8 -*-

import uuid_utils.compat as uuid
from django.db import transaction
from django.db.models import QuerySet, Q, Func, F, TextField
from django.db.models.functions import Cast
from django.utils.translation import gettext_lazy as _
from rest_framework import serializers

from application.models.application import Application, ApplicationFolder
from application.serializers.application import ApplicationOperateSerializer
from application.serializers.application_folder import ApplicationFolderTreeSerializer
from common.constants.permission_constants import Group, ResourcePermission, ResourcePermissionRole, RoleConstants
from common.database_model_manage.database_model_manage import DatabaseModelManage
from common.exception.app_exception import AppApiException
from folders.api.folder import FolderCreateRequest
from knowledge.models import KnowledgeFolder, Knowledge
from knowledge.serializers.knowledge import KnowledgeSerializer
from knowledge.serializers.knowledge_folder import KnowledgeFolderTreeSerializer
from system_manage.models import WorkspaceUserResourcePermission
from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
from tools.models import ToolFolder, Tool
from tools.serializers.tool import ToolSerializer
from tools.serializers.tool_folder import ToolFolderTreeSerializer
from users.serializers.user import is_workspace_manage


def has_exact_permission_by_role(user_id: str, workspace_id: str, permission_id: str, role_type: str):
    workspace_user_role_mapping_model = DatabaseModelManage.get_model("workspace_user_role_mapping")
    role_permission_mapping_model = DatabaseModelManage.get_model("role_permission_mapping_model")
    is_x_pack_ee = workspace_user_role_mapping_model is not None and role_permission_mapping_model is not None
    if is_x_pack_ee:
        return QuerySet(workspace_user_role_mapping_model).select_related('role', 'user').filter(
            Q(role__rolepermission__permission_id=permission_id) | Q(role__internal=True),
            workspace_id=workspace_id,
            user_id=user_id,
            role__type=role_type,
        ).exists()

    return False

def get_source_type(source):
    if source == Group.TOOL.name:
        return Tool
    elif source == Group.APPLICATION.name:
        return Application
    elif source == Group.KNOWLEDGE.name:
        return Knowledge
    else:
        return None


def get_folder_type(source):
    if source == Group.TOOL.name:
        return ToolFolder
    elif source == Group.APPLICATION.name:
        return ApplicationFolder
    elif source == Group.KNOWLEDGE.name:
        return KnowledgeFolder
    else:
        return None


def get_folder_tree_serializer(source):
    if source == Group.TOOL.name:
        return ToolFolderTreeSerializer
    elif source == Group.APPLICATION.name:
        return ApplicationFolderTreeSerializer
    elif source == Group.KNOWLEDGE.name:
        return KnowledgeFolderTreeSerializer
    else:
        return None


FOLDER_DEPTH = 10000


def check_depth(source, parent_id, workspace_id, current_depth=0):
    # Folder 不能超过3层
    Folder = get_folder_type(source)  # noqa

    if parent_id != workspace_id:
        # 计算当前层级
        depth = 1  # 当前要创建的节点算一层
        current_parent_id = parent_id

        # 向上追溯父节点
        while current_parent_id != workspace_id:
            depth += 1
            parent_node = QuerySet(Folder).filter(id=current_parent_id).first()
            if parent_node is None:
                break
            current_parent_id = parent_node.parent_id

        # 验证层级深度
        if depth + current_depth > FOLDER_DEPTH:
            raise serializers.ValidationError(_('Folder depth cannot exceed 10000 levels'))


def get_max_depth(current_node):
    if not current_node:
        return 0

    # 获取所有后代节点
    descendants = current_node.get_descendants()

    if not descendants.exists():
        return 0

    # 获取最大深度
    max_level = descendants.order_by('-level').first().level
    current_level = current_node.level
    max_depth = max_level - current_level

    return max_depth


def has_target_permission(workspace_id, source, user_id, target):
    return QuerySet(WorkspaceUserResourcePermission).filter(workspace_id=workspace_id, user_id=user_id,
                                                            auth_target_type=source, target=target,
                                                            permission_list__contains=['MANAGE']).exists()


class FolderSerializer(serializers.Serializer):
    id = serializers.CharField(required=True, label=_('folder id'))
    name = serializers.CharField(required=True, label=_('folder name'))
    desc = serializers.CharField(required=False, allow_null=True, allow_blank=True, label=_('folder description'))
    user_id = serializers.CharField(required=True, label=_('folder user id'))
    workspace_id = serializers.CharField(required=False, label=_('workspace id'))
    parent_id = serializers.CharField(required=False, label=_('parent id'))

    class Create(serializers.Serializer):
        workspace_id = serializers.CharField(required=True, label=_('workspace id'))
        user_id = serializers.UUIDField(required=True, label=_('user id'))
        source = serializers.CharField(required=True, label=_('source'))

        def insert(self, instance, with_valid=True):
            if with_valid:
                self.is_valid(raise_exception=True)
                FolderCreateRequest(data=instance).is_valid(raise_exception=True)

            workspace_id = self.data.get('workspace_id')
            if not workspace_id:
                workspace_id = 'default'
            parent_id = instance.get('parent_id')
            if not parent_id:
                parent_id = workspace_id
            name = instance.get('name')

            Folder = get_folder_type(self.data.get('source'))  # noqa
            if QuerySet(Folder).filter(name=name, workspace_id=workspace_id, parent_id=parent_id).exists():
                raise Exception(_('Folder name already exists'))
            # Folder 不能超过3层
            check_depth(self.data.get('source'), parent_id, workspace_id)

            folder = Folder(
                id=uuid.uuid7(),
                name=instance.get('name'),
                desc=instance.get('desc'),
                user_id=self.data.get('user_id'),
                workspace_id=workspace_id,
                parent_id=parent_id
            )
            folder.save()

            UserResourcePermissionSerializer(data={
                'workspace_id': self.data.get('workspace_id'),
                'user_id': self.data.get('user_id'),
                'auth_target_type': self.data.get('source')
            }).auth_resource(str(folder.id), is_folder=True)

            return FolderSerializer(folder).data

    class Operate(serializers.Serializer):
        id = serializers.CharField(required=True, label=_('folder id'))
        workspace_id = serializers.CharField(required=True, allow_null=True, allow_blank=True, label=_('workspace id'))
        source = serializers.CharField(required=True, label=_('source'))
        user_id = serializers.UUIDField(required=True, label=_('user id'))

        @transaction.atomic
        def edit(self, instance):
            self.is_valid(raise_exception=True)
            Folder = get_folder_type(self.data.get('source'))  # noqa
            current_id = self.data.get('id')
            current_node = Folder.objects.get(id=current_id)
            if current_node is None:
                raise serializers.ValidationError(_('Folder does not exist'))
            # 模块间的移动
            parent_id = instance.get('parent_id')
            if parent_id is None:
                parent_id = current_node.parent_id
            # 如果要修改文件夹名称，检查同级目录下是否存在同名文件夹
            new_name = instance.get('name')
            if new_name is not None and new_name != current_node.name:
                if QuerySet(Folder).filter(
                        name=new_name,
                        parent_id=parent_id,
                        workspace_id=current_node.workspace_id
                ).exclude(id=current_id).exists():
                    raise serializers.ValidationError(_('Folder name already exists'))

            edit_field_list = ['name', 'desc']
            edit_dict = {field: instance.get(field) for field in edit_field_list if (
                    field in instance and instance.get(field) is not None)}

            QuerySet(Folder).filter(id=current_id).update(**edit_dict)
            current_node.refresh_from_db()

            if parent_id is not None and current_id != current_node.workspace_id and current_node.parent_id != parent_id:

                source_type = self.data.get('source')
                if has_target_permission(current_node.workspace_id, source_type, self.data.get('user_id'),
                                         parent_id) or is_workspace_manage(self.data.get('user_id'),
                                                                           current_node.workspace_id):
                    current_depth = get_max_depth(current_node)
                    check_depth(self.data.get('source'), parent_id, current_node.workspace_id, current_depth)
                    parent = Folder.objects.get(id=parent_id)

                    if QuerySet(Folder).filter(name=current_node.name, parent_id=parent_id,
                                               workspace_id=current_node.workspace_id).exists():
                        raise serializers.ValidationError(_('Folder name already exists'))

                    current_node.parent = parent
                    current_node.save()
                    current_node.refresh_from_db()
                else:
                    raise AppApiException(403, _('No permission for the target folder'))

            return self.one()

        def one(self):
            self.is_valid(raise_exception=True)
            Folder = get_folder_type(self.data.get('source'))  # noqa
            folder = QuerySet(Folder).filter(id=self.data.get('id')).first()
            return FolderSerializer(folder).data

        @transaction.atomic
        def delete(self):
            self.is_valid(raise_exception=True)
            Folder = get_folder_type(self.data.get('source'))  # noqa
            Source = get_source_type(self.data.get('source'))  # noqa
            folder = Folder.objects.filter(id=self.data.get('id')).first()
            if not folder:
                raise serializers.ValidationError(_('Folder does not exist'))
            if folder.id == folder.workspace_id:
                raise serializers.ValidationError(_('Cannot delete root folder'))

            # 工作空间管理员可以删除
            workspace_manage = is_workspace_manage(self.data.get('user_id'), self.data.get('workspace_id'))
            if workspace_manage:
                nodes = Folder.objects.filter(id=self.data.get('id')).get_descendants(include_self=True)
                for node in nodes:
                    # print(node)
                    # 删除相关的资源
                    self.delete_source(node)
                    # 删除节点
                    node.delete()
            # 普通用户删除的文件夹内全部都得是自己有权限的资源
            else:
                nodes = Folder.objects.filter(id=self.data.get('id')).get_descendants(include_self=True)
                for node in nodes:
                    # 删除相关的资源
                    source_ids = (Source.objects.filter(folder_id=node.id)
                                  .annotate(id_str=Cast('id', TextField()))
                                  .values_list('id_str', flat=True))
                    # 检查文件夹是否存在未授权当前用户的资源
                    auth_list = QuerySet(WorkspaceUserResourcePermission).filter(
                        Q(workspace_id=self.data.get('workspace_id')) &
                        Q(user_id=self.data.get('user_id')) &
                        Q(auth_target_type=self.data.get('source')) &
                        Q(target__in=source_ids) &
                        Q(permission_list__overlap=[ResourcePermission.MANAGE, ResourcePermissionRole.ROLE])
                    ).count()
                    if auth_list != len(source_ids):
                        raise AppApiException(500, _('This folder contains resources that you dont have permission'))
                    self.delete_source(node)
                    node.delete()

        def delete_source(self, node):
            Source = get_source_type(self.data.get('source'))  # noqa
            source_ids = Source.objects.filter(folder_id=node.id).values_list('id', flat=True)
            source = self.data.get('source')

            for source_id in source_ids:
                if source == Group.TOOL.name:
                    ToolSerializer.Operate(data={
                        'workspace_id': self.data.get('workspace_id'),
                        'id': source_id,
                    }).delete()
                elif source == Group.APPLICATION.name:
                    ApplicationOperateSerializer(data={
                        'workspace_id': self.data.get('workspace_id'),
                        'application_id': source_id,
                        'user_id': self.data.get('user_id'),
                    }).delete()
                elif source == Group.KNOWLEDGE.name:
                    KnowledgeSerializer.Operate(data={
                        'workspace_id': self.data.get('workspace_id'),
                        'knowledge_id': source_id,
                        'user_id': self.data.get('user_id'),
                    }).delete()


class FolderTreeSerializer(serializers.Serializer):
    workspace_id = serializers.CharField(required=True, allow_null=True, allow_blank=True, label=_('workspace id'))
    source = serializers.CharField(required=True, label=_('source'))

    @staticmethod
    def _check_tree_integrity(queryset):
        """检查树结构完整性"""
        for folder in queryset:
            if folder.lft >= folder.rght:
                return True  # 需要重建
            if folder.is_leaf_node() and folder.get_children().exists():
                return True  # 需要重建
        return False

    @staticmethod
    def _having_read_permission_by_role(user_id: str, workspace_id: str, source: str):
        workspace_user_role_mapping_model = DatabaseModelManage.get_model("workspace_user_role_mapping")
        role_permission_mapping_model = DatabaseModelManage.get_model("role_permission_mapping_model")
        is_x_pack_ee = workspace_user_role_mapping_model is not None and role_permission_mapping_model is not None
        if is_x_pack_ee:
            return QuerySet(workspace_user_role_mapping_model).select_related('role', 'user').filter(
                Q(role__rolepermission__permission_id=f"{source}_FOLDER:READ") | Q(role__internal=True),
                workspace_id=workspace_id,
                user_id=user_id,
                role__type=RoleConstants.USER.value.__str__(),
            ).exists()

        return False

    def get_folder_tree(self,
                        current_user, name=None):
        self.is_valid(raise_exception=True)
        user_id = current_user.id
        workspace_id = self.data.get('workspace_id')
        source = self.data.get('source')

        Folder = get_folder_type(source)  # noqa

        # 检查特定工作空间的树结构完整性
        workspace_folders = Folder.objects.filter(workspace_id=workspace_id)
        # 如果发现数据不一致，重建整个表（这是 MPTT 的限制）
        if self._check_tree_integrity(workspace_folders):
            Folder.objects.rebuild()

        workspace_manage = is_workspace_manage(user_id, workspace_id)

        base_q = Q(workspace_id=workspace_id)

        if name is not None:
            base_q &= Q(name__contains=name)
        if not workspace_manage:
            having_read_permission_by_role = has_exact_permission_by_role(user_id, workspace_id, f"{source}_FOLDER:READ", RoleConstants.USER.value.__str__())
            permission_condition = ['VIEW']
            if having_read_permission_by_role:
                permission_condition = ['VIEW', 'ROLE']

            base_q &= (Q(id__in=WorkspaceUserResourcePermission.objects.filter(user_id=current_user.id,
                                                                               auth_target_type=self.data.get('source'),
                                                                               workspace_id=self.data.get(
                                                                                   'workspace_id'),
                                                                               permission_list__overlap=permission_condition)
            .values_list(
                'target', flat=True)) | Q(id=self.data.get('workspace_id')))

        nodes = Folder.objects.filter(base_q).get_cached_trees()

        TreeSerializer = get_folder_tree_serializer(self.data.get('source'))  # noqa
        serializer = TreeSerializer(nodes, many=True)

        return [d for d in serializer.data if
                d.get('id') == d.get('workspace_id')] if name is None else serializer.data  # 这是可序列化的字典