feat: support MFA status filter for users#4746
Signed-off-by: huanghongbo-hhb <huanghongbo@koderover.com>
Signed-off-by: huanghongbo-hhb <huanghongbo@koderover.com>
Signed-off-by: huanghongbo-hhb <huanghongbo@koderover.com>
Signed-off-by: huanghongbo-hhb <huanghongbo@koderover.com>
| roleUIDs := uidSubQueryByRoles(roles, namespace, db) | ||
| query := db.Model(&models.User{}). | ||
| Select("user.uid, user.name, user.account, user.identity_type, user.api_token_enabled, "+userMFAEnabledSelectExpr+", IFNULL(user_login.last_login_time, 0) AS last_login_time"). | ||
| Joins("LEFT JOIN user_login ON user_login.uid = user.uid"). | ||
| Where("user.uid IN ? AND user.name LIKE ?", uids, "%"+name+"%") | ||
| Where("user.uid IN (?) AND user.name LIKE ?", roleUIDs, "%"+name+"%") | ||
| query = applyMFAEnabledJoinFilter(query, mfaEnabled) | ||
| err = query. | ||
| err := query. | ||
| Order("last_login_time " + string(order)). | ||
| Offset((page - 1) * perPage). | ||
| Limit(perPage). |
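Review bot: The `mfa_enabled = false` path through `applyMFAEnabledJoinFilter(query, mfaEnabled)` should be checked for users who have no `user_mfa` row. The helper's body is outside this hunk, so this is inferred: if it LEFT JOINs `user_mfa` and filters with `user_mfa.enabled = ?`, binding 0 compares against NULL for never-enrolled users and drops them, so a search for accounts without MFA would miss the accounts an administrator most needs to see. If that is the case, filter on the same expression that is selected, e.g. `IFNULL(user_mfa.enabled, 0) = ?`, and add a test with a user that has no `user_mfa` row. Separately, `Order("last_login_time " + string(order))` concatenates into the ORDER BY clause, so confirm `order` can only hold the fixed ASC/DESC values before it reaches this function. The query chain and its enclosing function continue past the last line of the hunk.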
你有看过这句生成的SQL吗?感觉很复杂,把实际SQL打印出来看看吧
-- ListUsersByNameAndRoleWithLoginTime, mfa_enabled = true
SELECT user.uid, user.name, user.account, user.identity_type, user.api_token_enabled,
IFNULL(user_mfa.enabled, 0) AS mfa_enabled,
IFNULL(user_login.last_login_time, 0) AS last_login_time
FROM user
LEFT JOIN user_login ON user_login.uid = user.uid
LEFT JOIN user_mfa ON user_mfa.uid = user.uid
WHERE user.uid IN (
SELECT DISTINCT role_binding.uid
FROM role_binding
INNER JOIN role ON role.id = role_binding.role_id
WHERE role.name IN (?,?) AND role.namespace = ?
)
AND user.name LIKE ?
AND user_mfa.enabled = ?
ORDER BY last_login_time DESC
LIMIT ?;
-- ListUsersByNameAndRole, mfa_enabled = true
SELECT user.*, IFNULL(user_mfa.enabled, 0) AS mfa_enabled
FROM user
LEFT JOIN user_mfa ON user_mfa.uid = user.uid
WHERE user.uid IN (
SELECT DISTINCT role_binding.uid
FROM role_binding
INNER JOIN role ON role.id = role_binding.role_id
WHERE role.name IN (?,?) AND role.namespace = ?
)
AND user.name LIKE ?
AND user_mfa.enabled = ?
ORDER BY account ASC
LIMIT ?;
-- ListUsersByNameAndRole, mfa_enabled = true
SELECT user.*, IFNULL(user_mfa.enabled, 0) AS mfa_enabled
FROM user
LEFT JOIN user_mfa ON user_mfa.uid = user.uid
WHERE user.uid IN (
SELECT DISTINCT role_binding.uid
FROM role_binding
INNER JOIN role ON role.id = role_binding.role_id
WHERE role.name IN (?,?) AND role.namespace = ?
)
AND user.name LIKE ?
AND user_mfa.enabled = ?
ORDER BY account ASC
LIMIT ?;
其实我觉得还好?
Signed-off-by: huanghongbo-hhb <huanghongbo@koderover.com>
Summary
Why
Main Changes
- `mfa_enabled` to user search, OpenAPI query, and shared client args/response.
- `mfa_enabled` directly from `user_mfa` and apply the same filter to list, count, and account lookup.
Risk / Compatibility
- `mfa_enabled` keeps existing behavior.
- `user_mfa.uid` and role relations.
Test
- `GOCACHE=/private/tmp/go-build-cache go test ./pkg/microservice/user/core/repository/orm`
- `GOCACHE=/private/tmp/go-build-cache go test ./pkg/microservice/user/core/service/permission`
- `GOCACHE=/private/tmp/go-build-cache go test ./pkg/microservice/user/core/handler/user`
Contact
Contact: huanghongbo@koderover.com