VberAdmin_V4/SourceCode/Zero/VberYue.Zero/Authorization/Roles/VzRoleManager.cs

#nullable enable

using Abp;
using Abp.Application.Features;
using Abp.Authorization;
using Abp.Collections.Extensions;
using Abp.Domain.Repositories;
using Abp.Domain.Services;
using Abp.Domain.Uow;
using Abp.Localization;

using Abp.Runtime.Caching;
using Abp.UI;

using Microsoft.AspNetCore.Identity;

using System.Globalization;

using VberZero.BaseSystem.Organizations;
using VberZero.BaseSystem.Roles;
using VberZero.Caching;
using VberZero.Configuration;
using VberZero.Session;

namespace VberZero.Authorization.Roles;

public class VzRoleManager : RoleManager<Role>, IDomainService
{
    public ILocalizationManager LocalizationManager { get; set; }

    protected string LocalizationSourceName { get; set; }

    public IVzSession AbpSession { get; set; }

    public IRoleManagementConfig RoleManagementConfig { get; }

    public FeatureDependencyContext FeatureDependencyContext { get; set; }

    private IRolePermissionStore<Role> RolePermissionStore
    {
        get
        {
            if (!(Store is IRolePermissionStore<Role>))
            {
                throw new AbpException("Store is not IRolePermissionStore");
            }

            return Store as IRolePermissionStore<Role> ?? throw new InvalidOperationException();
        }
    }

    protected VzRoleStore AbpStore { get; }

    private readonly IPermissionManager _permissionManager;
    private readonly ICacheManager _cacheManager;
    private readonly IUnitOfWorkManager _unitOfWorkManager;
    private readonly IRepository<OrganizationUnit, long> _organizationUnitRepository;
    private readonly IRepository<OrganizationUnitRole, long> _organizationUniRoleRepository;

    public VzRoleManager(
        VzRoleStore store,
        IEnumerable<IRoleValidator<Role>> roleValidators,
        ILookupNormalizer keyNormalizer,
        IdentityErrorDescriber errors,
        ILogger<VzRoleManager> logger,
        IPermissionManager permissionManager,
        ICacheManager cacheManager,
        IUnitOfWorkManager unitOfWorkManager,
        IRoleManagementConfig roleManagementConfig,
        IRepository<OrganizationUnit, long> organizationUnitRepository,
        IRepository<OrganizationUnitRole, long> organizationUniRoleRepository)
        : base(
            store,
            roleValidators,
            keyNormalizer,
            errors,
            logger)
    {
        _permissionManager = permissionManager;
        _cacheManager = cacheManager;
        _unitOfWorkManager = unitOfWorkManager;

        RoleManagementConfig = roleManagementConfig;
        _organizationUnitRepository = organizationUnitRepository;
        _organizationUniRoleRepository = organizationUniRoleRepository;
        AbpStore = store;
        AbpSession = NullVzSession.Instance;
        LocalizationManager = NullLocalizationManager.Instance;
        LocalizationSourceName = VzConsts.LocalizationSourceName;
    }

    #region Permission

    #region IsGranted

    /// <summary>
    /// 检查角色是否被授予权限
    /// </summary>
    /// <param name="roleName"></param>
    /// <param name="permissionName"></param>
    /// <returns></returns>
    public virtual async Task<bool> IsGrantedAsync(string roleName, string permissionName)
    {
        return await IsGrantedAsync((await GetRoleByNameAsync(roleName)).Id,
            _permissionManager.GetPermission(permissionName));
    }

    /// <summary>
    /// 检查角色是否被授予权限
    /// </summary>
    /// <param name="roleId"></param>
    /// <param name="permissionName"></param>
    /// <returns></returns>
    public virtual async Task<bool> IsGrantedAsync(int roleId, string permissionName)
    {
        return await IsGrantedAsync(roleId, _permissionManager.GetPermission(permissionName));
    }

    /// <summary>
    /// 检查角色是否被授予权限
    /// </summary>
    /// <param name="role"></param>
    /// <param name="permission"></param>
    /// <returns></returns>
    public Task<bool> IsGrantedAsync(Role role, Permission permission)
    {
        return IsGrantedAsync(role.Id, permission);
    }

    /// <summary>
    /// 检查角色是否被授予权限
    /// </summary>
    /// <param name="roleId"></param>
    /// <param name="permission"></param>
    /// <returns></returns>
    public virtual async Task<bool> IsGrantedAsync(int roleId, Permission permission)
    {
        //获取缓存的角色权限
        var cacheItem = await GetRolePermissionCacheItemAsync(roleId);

        //检查权限
        return cacheItem.GrantedPermissions.Contains(permission.Name);
    }

    /// <summary>
    /// 检查角色是否被授予权限
    /// </summary>
    /// <param name="roleId"></param>
    /// <param name="permission"></param>
    /// <returns></returns>
    public virtual bool IsGranted(int roleId, Permission permission)
    {
        //获取缓存的角色权限
        var cacheItem = GetRolePermissionCacheItem(roleId);

        //检查权限
        return cacheItem.GrantedPermissions.Contains(permission.Name);
    }

    #endregion IsGranted

    /// <summary>
    /// 获取角色的权限
    /// </summary>
    /// <param name="roleId"></param>
    /// <returns></returns>
    public virtual async Task<IReadOnlyList<Permission>> GetGrantedPermissionsAsync(int roleId)
    {
        return await GetGrantedPermissionsAsync(await GetRoleByIdAsync(roleId));
    }

    /// <summary>
    /// 获取角色的权限
    /// </summary>
    /// <param name="roleName"></param>
    /// <returns></returns>
    public virtual async Task<IReadOnlyList<Permission>> GetGrantedPermissionsAsync(string roleName)
    {
        return await GetGrantedPermissionsAsync(await GetRoleByNameAsync(roleName));
    }

    /// <summary>
    /// 获取角色的权限
    /// </summary>
    /// <param name="role"></param>
    /// <returns></returns>
    public virtual async Task<IReadOnlyList<Permission>> GetGrantedPermissionsAsync(Role role)
    {
        var cacheItem = await GetRolePermissionCacheItemAsync(role.Id);
        var allPermissions = _permissionManager.GetAllPermissions();
        return allPermissions.Where(x => cacheItem.GrantedPermissions.Contains(x.Name)).ToList();
    }

    /// <summary>
    /// 一次设置角色的所有授予权限。
    /// 禁止所有其他权限
    /// </summary>
    /// <param name="roleId"></param>
    /// <param name="permissions"></param>
    /// <param name="isRemove">true 移除所有其他权限  false禁止所有其他权限</param>
    public virtual async Task SetGrantedPermissionsAsync(int roleId, IEnumerable<Permission> permissions, bool isRemove = true)
    {
        await SetGrantedPermissionsAsync(await GetRoleByIdAsync(roleId), permissions);
    }

    /// <summary>
    /// 一次设置角色的所有授予权限。
    /// 禁止所有其他权限。
    /// </summary>
    /// <param name="role"></param>
    /// <param name="permissions"></param>
    /// <param name="isRemove">true 移除所有其他权限  false禁止所有其他权限</param>
    public virtual async Task SetGrantedPermissionsAsync(Role role, IEnumerable<Permission> permissions, bool isRemove = true)
    {
        var oldPermissions = await GetGrantedPermissionsAsync(role);
        var newPermissions = permissions.ToArray();

        foreach (var permission in oldPermissions.Where(p =>
                     !newPermissions.Contains(p, PermissionEqualityComparer.Instance)))
        {
            if (isRemove)
            {
                await RemovePermissionAsync(role, permission);
            }
            else
            {
                await ProhibitPermissionAsync(role, permission);
            }
        }

        foreach (var permission in newPermissions.Where(p =>
                     !oldPermissions.Contains(p, PermissionEqualityComparer.Instance)))
        {
            await GrantPermissionAsync(role, permission);
        }
    }

    /// <summary>
    /// 授予角色权限
    /// </summary>
    /// <param name="role"></param>
    /// <param name="permission"></param>
    public async Task GrantPermissionAsync(Role role, Permission permission)
    {
        if (await IsGrantedAsync(role.Id, permission))
        {
            return;
        }

        await RolePermissionStore.RemovePermissionAsync(role, new PermissionGrantInfo(permission.Name, false));
        await RolePermissionStore.AddPermissionAsync(role, new PermissionGrantInfo(permission.Name, true));
    }

    /// <summary>
    /// 移除角色权限
    /// </summary>
    /// <param name="role"></param>
    /// <param name="permission"></param>
    public async Task RemovePermissionAsync(Role role, Permission permission)
    {
        if (!await IsGrantedAsync(role.Id, permission))
        {
            return;
        }

        await RolePermissionStore.RemovePermissionAsync(role, new PermissionGrantInfo(permission.Name, true));
    }

    /// <summary>
    /// 禁止角色权限
    /// </summary>
    /// <param name="role"></param>
    /// <param name="permission"></param>
    public async Task ProhibitPermissionAsync(Role role, Permission permission)
    {
        if (!await IsGrantedAsync(role.Id, permission))
        {
            return;
        }

        await RolePermissionStore.RemovePermissionAsync(role, new PermissionGrantInfo(permission.Name, true));
        await RolePermissionStore.AddPermissionAsync(role, new PermissionGrantInfo(permission.Name, false));
    }

    /// <summary>
    /// 禁止角色的所有权限
    /// </summary>
    /// <param name="role">Role</param>
    public async Task ProhibitAllPermissionsAsync(Role role)
    {
        foreach (var permission in _permissionManager.GetAllPermissions())
        {
            await ProhibitPermissionAsync(role, permission);
        }
    }

    /// <summary>
    /// 重置角色的所有权限设置。删除角色的所有权限设置。
    /// 角色将拥有 <see cref="StaticRoleDefinition.IsGrantedByDefault"/> 返回 true 的权限
    /// </summary>
    /// <param name="role"></param>
    public async Task ResetAllPermissionsAsync(Role role)
    {
        await RolePermissionStore.RemoveAllPermissionSettingsAsync(role);
    }

    #endregion Permission

    /// <summary>
    /// 创建角色
    /// </summary>
    /// <param name="role"></param>
    public override async Task<IdentityResult> CreateAsync(Role role)
    {
        var result = await CheckDuplicateRoleNameAsync(role.Id, role.Name, role.DisplayName);
        if (!result.Succeeded)
        {
            return result;
        }

        var tenantId = GetCurrentTenantId();
        if (tenantId.HasValue && !role.TenantId.HasValue)
        {
            role.TenantId = tenantId.Value;
        }

        return await base.CreateAsync(role);
    }

    /// <summary>
    /// 修改角色
    /// </summary>
    /// <param name="role"></param>
    /// <returns></returns>
    public override async Task<IdentityResult> UpdateAsync(Role role)
    {
        var result = await CheckDuplicateRoleNameAsync(role.Id, role.Name, role.DisplayName);
        if (!result.Succeeded)
        {
            return result;
        }

        return await base.UpdateAsync(role);
    }

    /// <summary>
    /// 删除角色
    /// </summary>
    /// <param name="role">Role</param>
    public override async Task<IdentityResult> DeleteAsync(Role role)
    {
        if (role.IsStatic)
        {
            throw new UserFriendlyException(string.Format(L("CanNotDeleteStaticRole"), role.Name));
        }

        return await base.DeleteAsync(role);
    }

    /// <summary>
    /// 通过给定的 id 获取角色。
    /// 如果没有给定 id 的角色，则抛出异常。
    /// </summary>
    /// <param name="roleId"></param>
    /// <returns>Role</returns>
    public virtual async Task<Role> GetRoleByIdAsync(int roleId)
    {
        var role = await FindByIdAsync(roleId.ToString());
        if (role == null)
        {
            throw new AbpException("There is no role with id: " + roleId);
        }

        return role;
    }

    /// <summary>
    /// 通过给定的 roleName 获取角色。
    /// 如果没有给定 roleName 的角色，则抛出异常。
    /// </summary>
    /// <param name="roleName"></param>
    /// <returns>Role</returns>
    public virtual async Task<Role> GetRoleByNameAsync(string roleName)
    {
        var role = await FindByNameAsync(roleName);
        if (role == null)
        {
            throw new AbpException("There is no role with name: " + roleName);
        }

        return role;
    }

    /// <summary>
    ///  通过给定的 roleName 获取角色。
    /// 如果没有给定 roleName 的角色，则抛出异常。
    /// </summary>
    /// <param name="roleName"></param>
    /// <returns>Role</returns>
    public virtual Role GetRoleByName(string roleName)
    {
        var normalizedRoleName = roleName.ToUpperInvariant();

        var role = AbpStore.FindByName(normalizedRoleName);
        if (role == null)
        {
            throw new AbpException("There is no role with name: " + roleName);
        }

        return role;
    }

    public async Task GrantAllPermissionsAsync(Role role)
    {
        FeatureDependencyContext.TenantId = role.TenantId;

        var permissions = _permissionManager.GetAllPermissions(Abp.MultiTenancy.MultiTenancyExtensions.GetMultiTenancySide(role))
            .Where(permission =>
                permission.FeatureDependency == null ||
                permission.FeatureDependency.IsSatisfied(FeatureDependencyContext)
            );

        await SetGrantedPermissionsAsync(role, permissions);
    }

    public virtual async Task<IdentityResult> CreateStaticRoles(int tenantId)
    {
        return await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            var staticRoleDefinitions = RoleManagementConfig.StaticRoles.Where(
                sr => sr.Side == Abp.MultiTenancy.MultiTenancySides.Tenant
            );

            using (_unitOfWorkManager.Current.SetTenantId(tenantId))
            {
                foreach (var staticRoleDefinition in staticRoleDefinitions)
                {
                    var role = MapStaticRoleDefinitionToRole(tenantId, staticRoleDefinition);

                    var identityResult = await CreateAsync(role);
                    if (!identityResult.Succeeded)
                    {
                        return identityResult;
                    }
                }
            }

            return IdentityResult.Success;
        });
    }

    public virtual async Task<IdentityResult> CheckDuplicateRoleNameAsync(
        int? expectedRoleId,
        string name,
        string displayName)
    {
        var role = await FindByNameAsync(name);
        if (role != null && role.Id != expectedRoleId)
        {
            throw new UserFriendlyException(string.Format(L("RoleNameIsAlreadyTaken"), name));
        }

        role = await FindByDisplayNameAsync(displayName);
        if (role != null && role.Id != expectedRoleId)
        {
            throw new UserFriendlyException(string.Format(L("RoleDisplayNameIsAlreadyTaken"), displayName));
        }

        return IdentityResult.Success;
    }

    /// <summary>
    /// 获取组织单元的角色
    /// </summary>
    /// <param name="organizationUnit"></param>
    /// <param name="includeChildren">包括子组织单位的角色。 默认为 false</param>
    /// <returns></returns>
    public virtual async Task<List<Role>> GetRolesInOrganizationUnit(
        OrganizationUnit organizationUnit,
        bool includeChildren = false)
    {
        var result = _unitOfWorkManager.WithUnitOfWork(() =>
        {
            if (!includeChildren)
            {
                var query = from organizationUniRole in _organizationUniRoleRepository.GetAll()
                            join role in Roles on organizationUniRole.RoleId equals role.Id
                            where organizationUniRole.OrganizationUnitId == organizationUnit.Id
                            select role;

                return query.ToList();
            }
            else
            {
                var query = from organizationUniRole in _organizationUniRoleRepository.GetAll()
                            join role in Roles on organizationUniRole.RoleId equals role.Id
                            join ou in _organizationUnitRepository.GetAll() on organizationUniRole.OrganizationUnitId
                                equals
                                ou.Id
                            where ou.Path.StartsWith(organizationUnit.Path)
                            select role;

                return query.ToList();
            }
        });

        return await Task.FromResult(result);
    }

    public virtual async Task SetOrganizationUnitsAsync(int roleId, params long[]? organizationUnitIds)
    {
        await SetOrganizationUnitsAsync(
            await GetRoleByIdAsync(roleId),
            organizationUnitIds
        );
    }

    public virtual async Task SetOrganizationUnitsAsync(Role role, params long[]? organizationUnitIds)
    {
        await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            organizationUnitIds ??= Array.Empty<long>();

            var currentOus = await GetOrganizationUnitsAsync(role);

            //Remove from removed OUs
            foreach (var currentOu in currentOus)
            {
                if (!organizationUnitIds.Contains(currentOu.Id))
                {
                    await RemoveFromOrganizationUnitAsync(role, currentOu);
                }
            }

            //Add to added OUs
            foreach (var organizationUnitId in organizationUnitIds)
            {
                if (currentOus.All(ou => ou.Id != organizationUnitId))
                {
                    await AddToOrganizationUnitAsync(
                        role,
                        await _organizationUnitRepository.GetAsync(organizationUnitId)
                    );
                }
            }
        });
    }

    public virtual async Task<bool> IsInOrganizationUnitAsync(int roleId, long ouId)
    {
        return await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
            await IsInOrganizationUnitAsync(
                await GetRoleByIdAsync(roleId),
                await _organizationUnitRepository.GetAsync(ouId)
            )
        );
    }

    public virtual async Task<bool> IsInOrganizationUnitAsync(Role role, OrganizationUnit ou)
    {
        return await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            return await _organizationUniRoleRepository.CountAsync(uou =>
                uou.RoleId == role.Id && uou.OrganizationUnitId == ou.Id
            ) > 0;
        });
    }

    public virtual async Task AddToOrganizationUnitAsync(int roleId, long ouId, int? tenantId)
    {
        await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            await AddToOrganizationUnitAsync(
                await GetRoleByIdAsync(roleId),
                await _organizationUnitRepository.GetAsync(ouId)
            );
        });
    }

    public virtual async Task AddToOrganizationUnitAsync(Role role, OrganizationUnit ou)
    {
        await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            if (await IsInOrganizationUnitAsync(role, ou))
            {
                return;
            }

            await _organizationUniRoleRepository.InsertAsync(new OrganizationUnitRole(role.TenantId, role.Id, ou.Id));
        });
    }

    public async Task RemoveFromOrganizationUnitAsync(int roleId, long organizationUnitId)
    {
        await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            await RemoveFromOrganizationUnitAsync(
                await GetRoleByIdAsync(roleId),
                await _organizationUnitRepository.GetAsync(organizationUnitId)
            );
        });
    }

    public virtual async Task RemoveFromOrganizationUnitAsync(Role role, OrganizationUnit ou)
    {
        await _unitOfWorkManager.WithUnitOfWorkAsync(async () =>
        {
            await _organizationUniRoleRepository.DeleteAsync(uor =>
                uor.RoleId == role.Id && uor.OrganizationUnitId == ou.Id
            );
        });
    }

    public virtual async Task<List<OrganizationUnit>> GetOrganizationUnitsAsync(Role role)
    {
        var result = _unitOfWorkManager.WithUnitOfWork(() =>
        {
            var query = from uor in _organizationUniRoleRepository.GetAll()
                        join ou in _organizationUnitRepository.GetAll() on uor.OrganizationUnitId equals ou.Id
                        where uor.RoleId == role.Id
                        select ou;

            return query.ToList();
        });

        return await Task.FromResult(result);
    }

    private Task<Role> FindByDisplayNameAsync(string displayName)
    {
        return AbpStore.FindByDisplayNameAsync(displayName);
    }

    private async Task<RolePermissionCacheItem> GetRolePermissionCacheItemAsync(int roleId)
    {
        var cacheKey = roleId + "@" + (GetCurrentTenantId() ?? 0);
        return await _cacheManager.GetRolePermissionCache().GetAsync(cacheKey, async () =>
        {
            var newCacheItem = new RolePermissionCacheItem(roleId);

            var role = await Store.FindByIdAsync(roleId.ToString(), CancellationToken);
            if (role == null)
            {
                throw new AbpException("There is no role with given id: " + roleId);
            }

            var staticRoleDefinition = RoleManagementConfig.StaticRoles.FirstOrDefault(r =>
                r.RoleName == role.Name && r.Side == Abp.MultiTenancy.MultiTenancyExtensions.GetMultiTenancySide(role)
            );

            if (staticRoleDefinition != null)
            {
                foreach (var permission in _permissionManager.GetAllPermissions())
                {
                    if (staticRoleDefinition.IsGrantedByDefault(permission))
                    {
                        newCacheItem.GrantedPermissions.Add(permission.Name);
                    }
                }
            }

            foreach (var permissionInfo in await RolePermissionStore.GetPermissionsAsync(roleId))
            {
                if (permissionInfo.IsGranted)
                {
                    newCacheItem.GrantedPermissions.AddIfNotContains(permissionInfo.Name);
                }
                else
                {
                    newCacheItem.GrantedPermissions.Remove(permissionInfo.Name);
                }
            }

            return newCacheItem;
        });
    }

    private RolePermissionCacheItem GetRolePermissionCacheItem(int roleId)
    {
        var cacheKey = roleId + "@" + (GetCurrentTenantId() ?? 0);
        return _cacheManager.GetRolePermissionCache().Get(cacheKey, () =>
        {
            var newCacheItem = new RolePermissionCacheItem(roleId);

            var role = AbpStore.FindById(roleId.ToString(), CancellationToken);
            if (role == null)
            {
                throw new AbpException("There is no role with given id: " + roleId);
            }

            var staticRoleDefinition = RoleManagementConfig.StaticRoles.FirstOrDefault(r =>
                r.RoleName == role.Name && r.Side == Abp.MultiTenancy.MultiTenancyExtensions.GetMultiTenancySide(role)
            );

            if (staticRoleDefinition != null)
            {
                foreach (var permission in _permissionManager.GetAllPermissions())
                {
                    if (staticRoleDefinition.IsGrantedByDefault(permission))
                    {
                        newCacheItem.GrantedPermissions.Add(permission.Name);
                    }
                }
            }

            foreach (var permissionInfo in RolePermissionStore.GetPermissions(roleId))
            {
                if (permissionInfo.IsGranted)
                {
                    newCacheItem.GrantedPermissions.AddIfNotContains(permissionInfo.Name);
                }
                else
                {
                    newCacheItem.GrantedPermissions.Remove(permissionInfo.Name);
                }
            }

            return newCacheItem;
        });
    }

    protected virtual string L(string name)
    {
        return LocalizationManager.GetString(LocalizationSourceName, name);
    }

    protected virtual string L(string name, CultureInfo cultureInfo)
    {
        return LocalizationManager.GetString(LocalizationSourceName, name, cultureInfo);
    }

    protected virtual Role MapStaticRoleDefinitionToRole(int tenantId, StaticRoleDefinition staticRoleDefinition)
    {
        return new Role
        {
            TenantId = tenantId,
            Name = staticRoleDefinition.RoleName,
            DisplayName = staticRoleDefinition.RoleDisplayName,
            IsStatic = true
        };
    }

    private int? GetCurrentTenantId()
    {
        if (_unitOfWorkManager.Current != null)
        {
            return _unitOfWorkManager.Current.GetTenantId();
        }

        return AbpSession.TenantId;
    }
}