o "il@sxdZddlmZmZddlmZddlZddlmZddl m Z m Z m Z m Z mZddlmZeeZGdd d ZdS) z@ Unified Casbin-based permission service with atomic operations )ListDict)SessionN)Role) get_enforcerget_redis_clientadd_permission_for_roleremove_permission_for_roleget_permissions_for_role) AppExceptionc @seZdZdZgdZgdZededede e e e fdede f d d Z edededede e e e ffd d Zededed edede f ddZededed edede f ddZededefddZede e e effddZdS)CasbinPermissionServicez6Casbin-first permission service with atomic operations) usersrolesknowledge_basesknowledge_categoriesknowledge_tagsagents workflows documents audit_logsmenus providersmodels)readcreateupdatedeleteexecutedbrole_id permissions tenant_idreturnc Cs`|ttj|k}|stdd|jrtddt}d|j}t |}| d||}zK| d|||D]*} | d} | d} | rJ| sQt d | t||| | } | sdtd | d | q:t||td t|d |jWdSty} z(td| | d|||D]}|j|qtdt | dt | d} ~ ww)z Assign permissions to a role with atomic Casbin-first approach Transaction safety: Casbin operations are atomic with rollback support 角色不存在Role not foundu系统角色权限不可修改z*System role permissions cannot be modifiedrole:rresourceactionzInvalid permission: zFailed to add permission: :u ✅ Assigned z permissions to role Tu0❌ Permission assignment failed, rolling back: u权限分配失败: zPermission assignment failed: N)queryrfilteridfirstr is_systemrcodestrget_filtered_policyremove_filtered_policyget ValueErrorr Exceptionr _invalidate_role_cacheloggerinfolenerror add_policy)rrr r!roleenforcer role_codedomain old_policiespermr&r'successepolicyrDU/lsinfo/ai/hellotax_ai/base_platform/app/services/access/casbin_permission_service.pyassign_permissionss>        z*CasbinPermissionService.assign_permissionscCsF|ttj|k}|sgSd|j}t||}dd|DS)z*Get all permissions for a role from Casbinr%cSsg|] }|d|ddqS))r&r'rD).0prDrDrE _sz@CasbinPermissionService.get_role_permissions..)r)rr*r+r,r.r )rr!rr;r=policiesrDrDrEget_role_permissionsUs  z,CasbinPermissionService.get_role_permissionsmenu_idc Cd|ttj|k}|stddd|}d}d|j}t||||}|r0t |||S)zGrant menu permission to roler#r$menu:viewr%) r)rr*r+r,r r.rr r5 rrrNr!r;r&r'r=rArDrDrEgrant_menu_permissiond    z-CasbinPermissionService.grant_menu_permissionc CrO)z Revoke menu permission from roler#r$rPrQr%) r)rr*r+r,r r.r r r5rRrDrDrErevoke_menu_permissionurTz.CasbinPermissionService.revoke_menu_permissionc Csz.t}d|d}d} |j||dd\}}|r|j||dkr#nq td|Wd StyI}ztd|WYd }~d Sd }~ww) z3Invalidate Redis cache for all users with this rolezperm:*:z:*:*rTd)matchcountu,✅ Invalidated permission cache for tenant u#⚠️ Failed to invalidate cache: N)rscanrr6r7r4warning)rr! redis_clientpatterncursorkeysrBrDrDrEr5s   z.CasbinPermissionService._invalidate_role_cachecCsddtjDS)z+Get list of available resources and actionscSsg|]}|tjdqS))r&actions)r ACTIONS)rIr&rDrDrErKs zCCasbinPermissionService.get_available_resources..)r RESOURCESrDrDrDrEget_available_resourcessz/CasbinPermissionService.get_available_resourcesN)__name__ __module__ __qualname____doc__rar` staticmethodrintrrr/boolrFrMrSrUr5anyrbrDrDrDrEr s4 8(   r )rftypingrrsqlalchemy.ormrloggingapp.models.rolerapp.core.permissionsrrrr r app.core.exceptionsr getLoggerrcr6r rDrDrDrEs