feat: 项目鉴权不能使用@Permission注解#2617

* feat: 项目鉴权不能使用@Permission注解#2617

* feat: 去除无效引用#2617

* feat: 使用项目注解校验权限先从url中获取项目id信息进行判断#2617

src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserFilterRuleController.kt

@@ -27,19 +27,18 @@
 
 package com.tencent.bkrepo.analyst.controller.user
 
+import com.tencent.bkrepo.analyst.component.ScannerPermissionCheckHandler
 import com.tencent.bkrepo.analyst.pojo.request.filter.ListFilterRuleRequest
 import com.tencent.bkrepo.analyst.pojo.request.filter.UpdateFilterRuleRequest
 import com.tencent.bkrepo.analyst.pojo.response.filter.FilterRule
 import com.tencent.bkrepo.analyst.service.FilterRuleService
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_NUMBER
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_SIZE
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
 import com.tencent.bkrepo.common.api.message.CommonMessageCode
 import com.tencent.bkrepo.common.api.pojo.Page
 import com.tencent.bkrepo.common.api.pojo.Response
-import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
@@ -56,23 +55,25 @@ import org.springframework.web.bind.annotation.RestController
 @Api("分析结果忽略规则")
 @RestController
 @RequestMapping("/api/project/{projectId}/filter/rules")
-class UserFilterRuleController(private val filterRuleService: FilterRuleService) {
+class UserFilterRuleController(
+    private val filterRuleService: FilterRuleService,
+    private val permissionCheckHandler: ScannerPermissionCheckHandler
+) {
     @ApiOperation("增加规则")
     @PostMapping
-    @Permission(ResourceType.PROJECT, PermissionAction.WRITE)
     fun addRule(
         @PathVariable("projectId") projectId: String,
         @RequestBody request: UpdateFilterRuleRequest
     ): Response<FilterRule> {
         if (request.projectId != projectId) {
             throw ErrorCodeException(CommonMessageCode.PARAMETER_INVALID, projectId)
         }
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)
         return ResponseBuilder.success(filterRuleService.create(request))
     }
 
     @ApiOperation("更新规则")
     @PutMapping("/{ruleId}")
-    @Permission(ResourceType.PROJECT, PermissionAction.WRITE)
     fun updateRule(
         @PathVariable("projectId") projectId: String,
         @PathVariable("ruleId") ruleId: String,
@@ -81,29 +82,30 @@ class UserFilterRuleController(private val filterRuleService: FilterRuleService)
         if (request.projectId != projectId) {
             throw ErrorCodeException(CommonMessageCode.PARAMETER_INVALID, projectId)
         }
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)
         return ResponseBuilder.success(filterRuleService.update(request.copy(id = ruleId)))
     }
 
     @ApiOperation("删除规则")
     @DeleteMapping("/{ruleId}")
-    @Permission(ResourceType.PROJECT, PermissionAction.WRITE)
     fun deleteRule(
         @PathVariable("projectId") projectId: String,
         @PathVariable("ruleId") ruleId: String
     ): Response<Void> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)
         filterRuleService.delete(projectId, ruleId)
         return ResponseBuilder.success()
     }
 
     @ApiOperation("分页获取规则")
     @GetMapping
-    @Permission(ResourceType.PROJECT, PermissionAction.READ)
     fun listRules(
         @PathVariable("projectId") projectId: String,
         @RequestParam(required = false) planId: String? = null,
         @RequestParam(required = false) pageNumber: Int = DEFAULT_PAGE_NUMBER,
         @RequestParam(required = false) pageSize: Int = DEFAULT_PAGE_SIZE
     ): Response<Page<FilterRule>> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.READ)
         val request = ListFilterRuleRequest(
             projectId = projectId,
             planId = planId,

src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserLicenseController.kt

@@ -28,14 +28,14 @@
 package com.tencent.bkrepo.analyst.controller.user
 
 import com.tencent.bkrepo.analyst.pojo.license.SpdxLicenseInfo
+import com.tencent.bkrepo.analyst.service.SpdxLicenseService
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_NUMBER
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_SIZE
 import com.tencent.bkrepo.common.api.pojo.Page
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.permission.PrincipalType
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
-import com.tencent.bkrepo.analyst.service.SpdxLicenseService
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
 import io.swagger.annotations.ApiParam

src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanController.kt

@@ -27,20 +27,11 @@
 
 package com.tencent.bkrepo.analyst.controller.user
 
+import com.tencent.bkrepo.analyst.component.ScannerPermissionCheckHandler
 import com.tencent.bkrepo.analyst.pojo.ScanTask
 import com.tencent.bkrepo.analyst.pojo.ScanTriggerType
 import com.tencent.bkrepo.analyst.pojo.request.GlobalScanRequest
 import com.tencent.bkrepo.analyst.pojo.request.PipelineScanRequest
-import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
-import com.tencent.bkrepo.common.api.exception.BadRequestException
-import com.tencent.bkrepo.common.api.message.CommonMessageCode
-import com.tencent.bkrepo.common.api.pojo.Page
-import com.tencent.bkrepo.common.api.pojo.Response
-import com.tencent.bkrepo.common.query.model.PageLimit
-import com.tencent.bkrepo.common.security.permission.Permission
-import com.tencent.bkrepo.common.security.util.SecurityUtils
-import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import com.tencent.bkrepo.analyst.pojo.request.ScanRequest
 import com.tencent.bkrepo.analyst.pojo.request.ScanTaskQuery
 import com.tencent.bkrepo.analyst.pojo.request.SubtaskInfoRequest
@@ -50,8 +41,16 @@ import com.tencent.bkrepo.analyst.pojo.response.SubtaskResultOverview
 import com.tencent.bkrepo.analyst.service.ScanService
 import com.tencent.bkrepo.analyst.service.ScanTaskService
 import com.tencent.bkrepo.analyst.utils.ScanPlanConverter
+import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
+import com.tencent.bkrepo.common.api.exception.BadRequestException
+import com.tencent.bkrepo.common.api.message.CommonMessageCode
+import com.tencent.bkrepo.common.api.pojo.Page
+import com.tencent.bkrepo.common.api.pojo.Response
+import com.tencent.bkrepo.common.query.model.PageLimit
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.permission.PrincipalType
+import com.tencent.bkrepo.common.security.util.SecurityUtils
+import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
 import io.swagger.annotations.ApiParam
@@ -69,7 +68,8 @@ import org.springframework.web.bind.annotation.RestController
 @RequestMapping("/api/scan")
 class UserScanController @Autowired constructor(
     private val scanService: ScanService,
-    private val scanTaskService: ScanTaskService
+    private val scanTaskService: ScanTaskService,
+    private val permissionCheckHandler: ScannerPermissionCheckHandler
 ) {
 
     @ApiOperation("手动创建全局扫描任务")
@@ -93,7 +93,6 @@ class UserScanController @Autowired constructor(
 
     @ApiOperation("中止制品扫描")
     @PostMapping("/{projectId}/stop")
-    @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
     fun stopScan(
         @ApiParam(value = "projectId")
         @PathVariable projectId: String,
@@ -102,6 +101,7 @@ class UserScanController @Autowired constructor(
         @ApiParam(value = "方案id")
         @RequestParam("id") planId: String?
     ): Response<Boolean> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
         return when {
             !subtaskId.isNullOrBlank() -> {
                 ResponseBuilder.success(scanService.stopByPlanArtifactLatestSubtaskId(projectId, subtaskId))
@@ -117,13 +117,13 @@ class UserScanController @Autowired constructor(
 
     @ApiOperation("中止制品扫描")
     @PostMapping("/{projectId}/tasks/{taskId}/stop")
-    @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
     fun stopTask(
         @ApiParam(value = "projectId")
         @PathVariable projectId: String,
         @ApiParam(value = "任务id")
         @PathVariable("taskId") taskId: String
     ): Response<Boolean> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
         return ResponseBuilder.success(scanService.stopTask(projectId, taskId))
     }
 

src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanPlanController.kt

@@ -43,13 +43,11 @@ import com.tencent.bkrepo.analyst.service.ScanPlanService
 import com.tencent.bkrepo.analyst.service.ScanTaskService
 import com.tencent.bkrepo.analyst.utils.ScanPlanConverter
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_NUMBER
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_SIZE
 import com.tencent.bkrepo.common.api.pojo.Page
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.query.model.PageLimit
-import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.permission.PrincipalType
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
@@ -84,7 +82,6 @@ class UserScanPlanController(
 
     @ApiOperation("查询扫描方案基础信息")
     @GetMapping("/detail/{projectId}/{id}")
-    @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
     fun getScanPlan(
         @ApiParam(value = "projectId")
         @PathVariable
@@ -93,18 +90,19 @@ class UserScanPlanController(
         @PathVariable
         id: String
     ): Response<ScanPlan?> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
         return ResponseBuilder.success(scanPlanService.find(projectId, id))
     }
 
     @ApiOperation("删除扫描方案")
     @DeleteMapping("/delete/{projectId}/{id}")
-    @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
     fun deleteScanPlan(
         @ApiParam(value = "projectId")
         @PathVariable projectId: String,
         @ApiParam(value = "方案id")
         @PathVariable id: String
     ): Response<Boolean> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
         scanPlanService.delete(projectId, id)
         return ResponseBuilder.success(true)
     }
@@ -118,7 +116,6 @@ class UserScanPlanController(
 
     @ApiOperation("扫描方案列表-分页")
     @GetMapping("/list/{projectId}")
-    @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
     fun scanPlanList(
         @ApiParam(value = "projectId", required = true)
         @PathVariable
@@ -136,6 +133,7 @@ class UserScanPlanController(
         @RequestParam(required = false, defaultValue = DEFAULT_PAGE_SIZE.toString())
         pageSize: Int = DEFAULT_PAGE_SIZE
     ): Response<Page<ScanPlanInfo>> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
         val page = scanPlanService.page(
             projectId = projectId, type = type, planNameContains = name, pageLimit = PageLimit(pageNumber, pageSize)
         )
@@ -144,7 +142,6 @@ class UserScanPlanController(
 
     @ApiOperation("所有扫描方案")
     @GetMapping("/all/{projectId}")
-    @Permission(ResourceType.PROJECT, PermissionAction.READ)
     fun scanPlanList(
         @ApiParam(value = "projectId", required = true)
         @PathVariable
@@ -156,6 +153,7 @@ class UserScanPlanController(
         @RequestParam(required = false)
         fileNameExt: String? = null
     ): Response<List<ScanPlan>> {
+        permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.READ)
         val planList = scanPlanService.list(projectId, type, fileNameExt)
         planList.forEach { ScanPlanConverter.keepProps(it, KEEP_PROPS) }
         return ResponseBuilder.success(planList)

src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt

@@ -32,18 +32,29 @@
 package com.tencent.bkrepo.common.artifact.permission
 
 import com.tencent.bkrepo.auth.pojo.enums.ResourceType
+import com.tencent.bkrepo.common.artifact.constant.PROJECT_ID
 import com.tencent.bkrepo.common.artifact.repository.context.ArtifactContextHolder
 import com.tencent.bkrepo.common.security.exception.PermissionException
 import com.tencent.bkrepo.common.security.manager.PermissionManager
 import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.security.permission.PermissionCheckHandler
 import com.tencent.bkrepo.common.security.permission.Principal
+import com.tencent.bkrepo.common.service.util.HttpContextHolder
+import org.springframework.web.servlet.HandlerMapping
 
 class ArtifactPermissionCheckHandler(
     private val permissionManager: PermissionManager
 ) : PermissionCheckHandler {
     override fun onPermissionCheck(userId: String, permission: Permission) {
         when (permission.type) {
+            ResourceType.PROJECT -> {
+                val uriAttribute = HttpContextHolder
+                    .getRequest()
+                    .getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE)
+                require(uriAttribute is Map<*, *>)
+                val projectId = uriAttribute[PROJECT_ID]?.toString() ?: throw PermissionException()
+                permissionManager.checkProjectPermission(permission.action, projectId)
+            }
             ResourceType.REPO -> {
                 with(ArtifactContextHolder.getRepoDetail()!!) {
                     permissionManager.checkRepoPermission(

src/backend/media/biz-media/src/main/kotlin/com/tencent/bkrepo/media/controller/UserStreamController.kt

@@ -31,7 +31,6 @@ class UserStreamController(
      * 生成推流地址
      * */
     @PostMapping("/create/{projectId}/{repoName}")
-    @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
     fun createStream(
         @PathVariable projectId: String,
         @PathVariable repoName: String,

src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserMetadataLabelController.kt

@@ -28,10 +28,8 @@
 package com.tencent.bkrepo.repository.controller.user
 
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.security.manager.PermissionManager
-import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import com.tencent.bkrepo.repository.pojo.metadata.label.MetadataLabelDetail
 import com.tencent.bkrepo.repository.pojo.metadata.label.MetadataLabelRequest
@@ -103,7 +101,6 @@ class UserMetadataLabelController(
 
     @ApiOperation("查询标签详情")
     @GetMapping("/{projectId}/{labelKey}")
-    @Permission(type = ResourceType.PROJECT, action = PermissionAction.READ)
     fun detail(
         @PathVariable projectId: String,
         @PathVariable labelKey: String,