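/**
 * API wrappers for the IAM governance admin console.
 *
 * Note: apiClient's response interceptor has already unwrapped the
 * { success, data } envelope and returns the inner data directly, so
 * apiClient.<method> actually resolves to Promise<T>. The
 * `as unknown as Promise<T>` casts in this file rely on that and perform
 * no runtime validation of the response shape.
 */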
import apiClient from '@/lib/api-client';

// ===== Types =====

/**
 * Kind of a data scope, carried in the `scopeType` field of `DataScope` and
 * of the create/update request bodies.
 *
 * NOTE(review): the row-level meaning of each value (for example how wide
 * 'ALL' or 'CUSTOM' is) is enforced by the backend and is not visible in this
 * file — confirm against the server before relying on it in UI logic.
 */
export type DataScopeType =
  | 'SELF'
  | 'DEPARTMENT'
  | 'DEPARTMENT_TREE'
  | 'ORGANIZATION'
  | 'REGION'
  | 'ALL'
  | 'CUSTOM';

/**
 * Access level assigned to one field of a resource for a role.
 *
 * NOTE(review): presumably 'DESENSITIZE' means the value is masked and
 * 'HIDDEN' means it is omitted; the enforcement point is the backend, not
 * this client — confirm.
 */
export type FieldAccess = 'VISIBLE' | 'READONLY' | 'HIDDEN' | 'DESENSITIZE';

/**
 * Action recorded on an IAM audit-log entry; also usable as a filter in
 * `queryIamAuditLogs`.
 *
 * NOTE(review): 'ADMIN_BYPASS' presumably marks requests served under an
 * emergency bypass — confirm against the backend.
 */
export type IamAuditAction = 'CREATE' | 'UPDATE' | 'DELETE' | 'ADMIN_BYPASS';

/**
 * Data-scope record as typed for the /iam/data-scopes endpoints.
 *
 * This is a compile-time shape only; responses are cast to it, not validated.
 */
export interface DataScope {
  id: string;
  code: string;
  name: string;
  scopeType: DataScopeType;
  // Free-form rule object; its schema is not defined in this file.
  rules?: Record<string, unknown> | null;
  // NOTE(review): presumably true for system-defined scopes — confirm.
  isBuiltIn: boolean;
  // Timestamps arrive as strings; the exact format is not visible here.
  createdAt: string;
  updatedAt: string;
}

/**
 * Binding between a role and a data scope for a given resource, as typed for
 * the /iam/role-data-scopes endpoints.
 */
export interface RoleDataScope {
  id: string;
  roleId: string;
  dataScopeId: string;
  resource: string;
  createdAt: string;
  // Optional expanded objects; may be absent from a response.
  dataScope?: DataScope;
  role?: { id: string; code: string; name: string };
}

/**
 * Field-level permission: the access a role has to one field of a resource,
 * as typed for the /iam/field-permissions endpoints.
 */
export interface FieldPermission {
  id: string;
  roleId: string;
  resource: string;
  field: string;
  access: FieldAccess;
  createdAt: string;
  updatedAt: string;
}

/**
 * One emergency-bypass entry as returned by GET /iam/emergency-bypass.
 *
 * The entry is identified by `endpoint`; there is no separate id field.
 */
export interface BypassEntry {
  endpoint: string;
  // Justification text supplied when the bypass was enabled.
  reason: string;
  enabledAt: string;
  // NOTE(review): presumably derived from the ttlSec sent on enable — confirm.
  expiresAt: string;
}

/**
 * One IAM audit-log entry as typed for GET /iam/audit-logs.
 */
export interface IamAuditLog {
  id: string;
  actor: string;
  action: IamAuditAction;
  resource: string;
  targetId?: string | null;
  // Snapshots are typed `unknown`; narrow them before reading or rendering.
  before?: unknown;
  after?: unknown;
  // NOTE(review): ip and userAgent are presumably taken from the request and
  // so are client-influenced text; escape them when displaying — confirm.
  ip?: string | null;
  userAgent?: string | null;
  timestamp: string;
}

/**
 * One page of audit-log results, as typed for `queryIamAuditLogs`.
 */
export interface AuditLogPage {
  items: IamAuditLog[];
  // NOTE(review): presumably the total number of matching entries across all pages — confirm.
  total: number;
  page: number;
  pageSize: number;
}

// ===== DataScope =====

/**
 * Requests the data-scope list (GET /iam/data-scopes).
 *
 * @returns The response, asserted (not validated) to be `DataScope[]`.
 */
export const listDataScopes = () => {
  const pending = apiClient.get('/iam/data-scopes');
  return pending as unknown as Promise<DataScope[]>;
};

/**
 * Creates a data scope (POST /iam/data-scopes).
 *
 * @param body - Fields of the new scope, sent to the server unchanged.
 * @returns The response, asserted (not validated) to be a `DataScope`.
 */
export const createDataScope = (body: {
  code: string;
  name: string;
  scopeType: DataScopeType;
  rules?: Record<string, unknown>;
}) => {
  const pending = apiClient.post('/iam/data-scopes', body);
  return pending as unknown as Promise<DataScope>;
};

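/**
 * Updates a data scope (PATCH /iam/data-scopes/:id).
 *
 * @param id - Identifier of the scope to update.
 * @param body - Fields to change, sent to the server unchanged.
 * @returns The response, asserted (not validated) to be a `DataScope`.
 */
export const updateDataScope = (
  id: string,
  body: { name?: string; scopeType?: DataScopeType; rules?: Record<string, unknown> | null },
) =>
  // Percent-encode the id so it always stays a single path segment: a value
  // containing '/', '?', '#' or '..' must not re-target the request to a
  // different IAM route.
  apiClient.patch(`/iam/data-scopes/${encodeURIComponent(id)}`, body) as unknown as Promise<DataScope>;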

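/**
 * Deletes a data scope (DELETE /iam/data-scopes/:id).
 *
 * @param id - Identifier of the scope to delete.
 * @returns The response, asserted (not validated) to be `{ ok: true }`.
 */
export const deleteDataScope = (id: string) =>
  // Percent-encode the id so a value containing '/', '?', '#' or '..' cannot
  // turn this DELETE into a request against a different IAM route.
  apiClient.delete(`/iam/data-scopes/${encodeURIComponent(id)}`) as unknown as Promise<{ ok: true }>;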

// ===== Role × DataScope =====

/**
 * Requests role/data-scope bindings (GET /iam/role-data-scopes).
 *
 * @param roleId - Optional role filter. A missing or empty value sends no
 *   query parameters at all.
 * @returns The response, asserted (not validated) to be `RoleDataScope[]`.
 */
export const listRoleDataScopes = (roleId?: string) => {
  const params = roleId ? { roleId } : undefined;
  const pending = apiClient.get('/iam/role-data-scopes', { params });
  return pending as unknown as Promise<RoleDataScope[]>;
};

/**
 * Binds a data scope to a role (POST /iam/role-data-scopes).
 *
 * @param body - Role id, data-scope id and optional resource, sent unchanged.
 * @returns The response, asserted (not validated) to be a `RoleDataScope`.
 */
export const bindRoleDataScope = (body: {
  roleId: string;
  dataScopeId: string;
  resource?: string;
}) => {
  const pending = apiClient.post('/iam/role-data-scopes', body);
  return pending as unknown as Promise<RoleDataScope>;
};

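/**
 * Removes a role/data-scope binding (DELETE /iam/role-data-scopes/:id).
 *
 * @param id - Identifier of the binding to remove.
 * @returns The response, asserted (not validated) to be `{ ok: true }`.
 */
export const unbindRoleDataScope = (id: string) =>
  // Percent-encode the id so a value containing '/', '?', '#' or '..' cannot
  // turn this DELETE into a request against a different IAM route.
  apiClient.delete(`/iam/role-data-scopes/${encodeURIComponent(id)}`) as unknown as Promise<{ ok: true }>;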

// ===== FieldPermission =====

/**
 * Requests field permissions (GET /iam/field-permissions).
 *
 * @param filters - Optional resource / role filters, passed as query
 *   parameters. Defaults to an empty object.
 * @returns The response, asserted (not validated) to be `FieldPermission[]`.
 */
export const listFieldPermissions = (filters: { resource?: string; roleId?: string } = {}) => {
  const query = { params: filters };
  return apiClient.get('/iam/field-permissions', query) as unknown as Promise<FieldPermission[]>;
};

/**
 * Creates a field permission (POST /iam/field-permissions).
 *
 * @param body - Role, resource, field and access level, sent unchanged.
 * @returns The response, asserted (not validated) to be a `FieldPermission`.
 */
export const createFieldPermission = (body: {
  roleId: string;
  resource: string;
  field: string;
  access: FieldAccess;
}) => {
  const pending = apiClient.post('/iam/field-permissions', body);
  return pending as unknown as Promise<FieldPermission>;
};

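/**
 * Changes the access level of a field permission
 * (PATCH /iam/field-permissions/:id).
 *
 * @param id - Identifier of the field permission to update.
 * @param body - The new access level.
 * @returns The response, asserted (not validated) to be a `FieldPermission`.
 */
export const updateFieldPermission = (id: string, body: { access: FieldAccess }) =>
  // Percent-encode the id so a value containing '/', '?', '#' or '..' cannot
  // re-target this PATCH to a different IAM route.
  apiClient.patch(`/iam/field-permissions/${encodeURIComponent(id)}`, body) as unknown as Promise<FieldPermission>;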

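/**
 * Deletes a field permission (DELETE /iam/field-permissions/:id).
 *
 * @param id - Identifier of the field permission to delete.
 * @returns The response, asserted (not validated) to be `{ ok: true }`.
 */
export const deleteFieldPermission = (id: string) =>
  // Percent-encode the id so a value containing '/', '?', '#' or '..' cannot
  // turn this DELETE into a request against a different IAM route.
  apiClient.delete(`/iam/field-permissions/${encodeURIComponent(id)}`) as unknown as Promise<{ ok: true }>;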

// ===== EmergencyBypass =====

/**
 * Requests the emergency-bypass entries (GET /iam/emergency-bypass).
 *
 * @returns The response, asserted (not validated) to be `BypassEntry[]`.
 */
export const listEmergencyBypass = () => {
  const pending = apiClient.get('/iam/emergency-bypass');
  return pending as unknown as Promise<BypassEntry[]>;
};

/**
 * Enables an emergency bypass for an endpoint (POST /iam/emergency-bypass).
 *
 * The body is forwarded as given: this wrapper places no bound on `ttlSec`
 * and does not check that `reason` is non-empty.
 * NOTE(review): presumably the server enforces authorization, a maximum TTL
 * and a mandatory reason, and audits the call — confirm, since nothing here does.
 *
 * @param body - Target endpoint, justification and lifetime in seconds.
 * @returns The response, asserted (not validated) to be `{ ok: true }`.
 */
export const enableEmergencyBypass = (body: {
  endpoint: string;
  reason: string;
  ttlSec: number;
}) => {
  const pending = apiClient.post('/iam/emergency-bypass', body);
  return pending as unknown as Promise<{ ok: true }>;
};

/**
 * Disables the emergency bypass for an endpoint
 * (DELETE /iam/emergency-bypass/:token).
 *
 * The endpoint is sent as a path segment, encoded as unpadded base64url of
 * its UTF-8 bytes so that '/', '?' and similar characters in it cannot alter
 * the request path. This is an encoding only; the endpoint is trivially
 * recoverable from the URL.
 *
 * @param endpoint - The endpoint whose bypass should be removed. An empty
 *   string produces an empty path segment.
 * @returns The response, asserted (not validated) to be `{ ok: true }`.
 */
export const disableEmergencyBypass = (endpoint: string) => {
  // encodeURIComponent + unescape yields one char per UTF-8 byte, which is
  // the Latin-1 "binary string" form btoa requires. (`unescape` is a
  // deprecated global; kept here to preserve the exact output.)
  const utf8Binary = unescape(encodeURIComponent(endpoint));
  const standardB64 = btoa(utf8Binary);
  // Map to the URL-safe alphabet and drop trailing '=' padding.
  const token = standardB64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const url = `/iam/emergency-bypass/${token}`;
  return apiClient.delete(url) as unknown as Promise<{ ok: true }>;
};

// ===== IamAuditLog =====

/**
 * Queries IAM audit logs (GET /iam/audit-logs).
 *
 * @param filters - Optional actor / action / resource / time-range filters and
 *   paging values, passed as query parameters unchanged. Defaults to an empty
 *   object.
 * @returns The response, asserted (not validated) to be an `AuditLogPage`.
 */
export const queryIamAuditLogs = (filters: {
  actor?: string;
  action?: IamAuditAction;
  resource?: string;
  from?: string;
  to?: string;
  page?: number;
  pageSize?: number;
} = {}) => {
  const query = { params: filters };
  return apiClient.get('/iam/audit-logs', query) as unknown as Promise<AuditLogPage>;
};
