diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserFilterRuleController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserFilterRuleController.kt
index b7753baac8..64bb3a596a 100644
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserFilterRuleController.kt
+++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserFilterRuleController.kt
@@ -27,19 +27,18 @@ package com.tencent.bkrepo.analyst.controller.user
+import com.tencent.bkrepo.analyst.component.ScannerPermissionCheckHandler
 import com.tencent.bkrepo.analyst.pojo.request.filter.ListFilterRuleRequest
 import com.tencent.bkrepo.analyst.pojo.request.filter.UpdateFilterRuleRequest
 import com.tencent.bkrepo.analyst.pojo.response.filter.FilterRule
 import com.tencent.bkrepo.analyst.service.FilterRuleService
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_NUMBER
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_SIZE
 import com.tencent.bkrepo.common.api.exception.ErrorCodeException
 import com.tencent.bkrepo.common.api.message.CommonMessageCode
 import com.tencent.bkrepo.common.api.pojo.Page
 import com.tencent.bkrepo.common.api.pojo.Response
-import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
@@ -56,10 +55,12 @@ import org.springframework.web.bind.annotation.RestController
 @Api("分析结果忽略规则")
 @RestController
 @RequestMapping("/api/project/{projectId}/filter/rules")
-class UserFilterRuleController(private val filterRuleService: FilterRuleService) {
+class UserFilterRuleController(
+ private val filterRuleService: FilterRuleService,
+ private val permissionCheckHandler: ScannerPermissionCheckHandler
+) {
 @ApiOperation("增加规则")
 @PostMapping
- @Permission(ResourceType.PROJECT, PermissionAction.WRITE)
 fun addRule(
 @PathVariable("projectId") projectId: String,
 @RequestBody request: UpdateFilterRuleRequest
@@ -67,12 +68,12 @@ class UserFilterRuleController(private val filterRuleService: FilterRuleService)
 if (request.projectId != projectId) {
 throw ErrorCodeException(CommonMessageCode.PARAMETER_INVALID, projectId)
 }
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)
 return ResponseBuilder.success(filterRuleService.create(request))
 }
 @ApiOperation("更新规则")
 @PutMapping("/{ruleId}")
- @Permission(ResourceType.PROJECT, PermissionAction.WRITE)
 fun updateRule(
 @PathVariable("projectId") projectId: String,
 @PathVariable("ruleId") ruleId: String,
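Review bot: In addRule the new `permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)` line sits after the `request.projectId != projectId` validation rather than first, so the handler inspects caller-supplied input before it has established that the caller may act on the project at all; deleteRule and listRules in the next hunk put the check first. Making the permission check the first statement of addRule (and of updateRule, whose body opens the following hunk) keeps authorization ahead of any processing and uniform across the controller, at no cost since both checks key on the path projectId. With the declarative annotation gone, a comment on the new constructor parameter such as `// every handler must call checkProjectPermission itself; this controller no longer carries @Permission` would make the convention explicit for endpoints added later. addRule's signature is in the previous hunk and its body ends inside this one.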
@@ -81,29 +82,30 @@ class UserFilterRuleController(private val filterRuleService: FilterRuleService)
 if (request.projectId != projectId) {
 throw ErrorCodeException(CommonMessageCode.PARAMETER_INVALID, projectId)
 }
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)
 return ResponseBuilder.success(filterRuleService.update(request.copy(id = ruleId)))
 }
 @ApiOperation("删除规则")
 @DeleteMapping("/{ruleId}")
- @Permission(ResourceType.PROJECT, PermissionAction.WRITE)
 fun deleteRule(
 @PathVariable("projectId") projectId: String,
 @PathVariable("ruleId") ruleId: String
 ): Response {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.WRITE)
 filterRuleService.delete(projectId, ruleId)
 return ResponseBuilder.success()
 }
 @ApiOperation("分页获取规则")
 @GetMapping
- @Permission(ResourceType.PROJECT, PermissionAction.READ)
 fun listRules(
 @PathVariable("projectId") projectId: String,
 @RequestParam(required = false) planId: String? = null,
 @RequestParam(required = false) pageNumber: Int = DEFAULT_PAGE_NUMBER,
 @RequestParam(required = false) pageSize: Int = DEFAULT_PAGE_SIZE
 ): Response> {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.READ)
 val request = ListFilterRuleRequest(
 projectId = projectId,
 planId = planId,
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserLicenseController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserLicenseController.kt
index 85bacb08db..fe9b611cd9 100644
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserLicenseController.kt
+++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserLicenseController.kt
@@ -28,6 +28,7 @@ package com.tencent.bkrepo.analyst.controller.user
 import com.tencent.bkrepo.analyst.pojo.license.SpdxLicenseInfo
+import com.tencent.bkrepo.analyst.service.SpdxLicenseService
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_NUMBER
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_SIZE
 import com.tencent.bkrepo.common.api.pojo.Page
@@ -35,7 +36,6 @@ import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.permission.PrincipalType
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
-import com.tencent.bkrepo.analyst.service.SpdxLicenseService
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
 import io.swagger.annotations.ApiParam
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanController.kt
index 990cd32dfb..a6a9db78cb 100644
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanController.kt
+++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanController.kt
@@ -27,20 +27,11 @@ package com.tencent.bkrepo.analyst.controller.user
+import com.tencent.bkrepo.analyst.component.ScannerPermissionCheckHandler
 import com.tencent.bkrepo.analyst.pojo.ScanTask
 import com.tencent.bkrepo.analyst.pojo.ScanTriggerType
 import com.tencent.bkrepo.analyst.pojo.request.GlobalScanRequest
 import com.tencent.bkrepo.analyst.pojo.request.PipelineScanRequest
-import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
-import com.tencent.bkrepo.common.api.exception.BadRequestException
-import com.tencent.bkrepo.common.api.message.CommonMessageCode
-import com.tencent.bkrepo.common.api.pojo.Page
-import com.tencent.bkrepo.common.api.pojo.Response
-import com.tencent.bkrepo.common.query.model.PageLimit
-import com.tencent.bkrepo.common.security.permission.Permission
-import com.tencent.bkrepo.common.security.util.SecurityUtils
-import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import com.tencent.bkrepo.analyst.pojo.request.ScanRequest
 import com.tencent.bkrepo.analyst.pojo.request.ScanTaskQuery
 import com.tencent.bkrepo.analyst.pojo.request.SubtaskInfoRequest
@@ -50,8 +41,16 @@ import com.tencent.bkrepo.analyst.pojo.response.SubtaskResultOverview
 import com.tencent.bkrepo.analyst.service.ScanService
 import com.tencent.bkrepo.analyst.service.ScanTaskService
 import com.tencent.bkrepo.analyst.utils.ScanPlanConverter
+import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
+import com.tencent.bkrepo.common.api.exception.BadRequestException
+import com.tencent.bkrepo.common.api.message.CommonMessageCode
+import com.tencent.bkrepo.common.api.pojo.Page
+import com.tencent.bkrepo.common.api.pojo.Response
+import com.tencent.bkrepo.common.query.model.PageLimit
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.permission.PrincipalType
+import com.tencent.bkrepo.common.security.util.SecurityUtils
+import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
 import io.swagger.annotations.ApiParam
@@ -69,7 +68,8 @@ import org.springframework.web.bind.annotation.RestController
 @RequestMapping("/api/scan")
 class UserScanController @Autowired constructor(
 private val scanService: ScanService,
- private val scanTaskService: ScanTaskService
+ private val scanTaskService: ScanTaskService,
+ private val permissionCheckHandler: ScannerPermissionCheckHandler
 ) {
 @ApiOperation("手动创建全局扫描任务")
@@ -93,7 +93,6 @@ class UserScanController @Autowired constructor(
 @ApiOperation("中止制品扫描")
 @PostMapping("/{projectId}/stop")
- @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
 fun stopScan(
 @ApiParam(value = "projectId")
 @PathVariable projectId: String,
@@ -102,6 +101,7 @@ class UserScanController @Autowired constructor(
 @ApiParam(value = "方案id")
 @RequestParam("id") planId: String?
 ): Response {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
 return when {
 !subtaskId.isNullOrBlank() -> {
 ResponseBuilder.success(scanService.stopByPlanArtifactLatestSubtaskId(projectId, subtaskId))
@@ -117,13 +117,13 @@ class UserScanController @Autowired constructor(
 @ApiOperation("中止制品扫描")
 @PostMapping("/{projectId}/tasks/{taskId}/stop")
- @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
 fun stopTask(
 @ApiParam(value = "projectId")
 @PathVariable projectId: String,
 @ApiParam(value = "任务id")
 @PathVariable("taskId") taskId: String
 ): Response {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
 return ResponseBuilder.success(scanService.stopTask(projectId, taskId))
 }
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanPlanController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanPlanController.kt
index 33bde2d4bf..2165305358 100644
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanPlanController.kt
+++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserScanPlanController.kt
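Review bot: stopScan now checks MANAGE on the path projectId but then stops work identified only by the `subtaskId` (declared above the hunk) or `planId` query parameters; whether `scanService.stopByPlanArtifactLatestSubtaskId(projectId, subtaskId)` and the planId branch below the hunk scope the lookup to that projectId is not visible here, and if they do not, MANAGE on one project would let a caller stop tasks belonging to another by id. The same question applies to `scanService.stopTask(projectId, taskId)` in stopTask. If the service does scope by project, a comment on the check line, e.g. `// MANAGE on projectId; the service must also scope the subtask/plan/task id to this project`, records the assumption for the next reader. Both endpoints carry the identical `@ApiOperation("中止制品扫描")` text, so the stopTask description could be made distinct. stopScan's `when` continues outside the hunk.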
@@ -43,13 +43,11 @@ import com.tencent.bkrepo.analyst.service.ScanPlanService
 import com.tencent.bkrepo.analyst.service.ScanTaskService
 import com.tencent.bkrepo.analyst.utils.ScanPlanConverter
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_NUMBER
 import com.tencent.bkrepo.common.api.constant.DEFAULT_PAGE_SIZE
 import com.tencent.bkrepo.common.api.pojo.Page
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.query.model.PageLimit
-import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.security.permission.Principal
 import com.tencent.bkrepo.common.security.permission.PrincipalType
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
@@ -84,7 +82,6 @@ class UserScanPlanController(
 @ApiOperation("查询扫描方案基础信息")
 @GetMapping("/detail/{projectId}/{id}")
- @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
 fun getScanPlan(
 @ApiParam(value = "projectId")
 @PathVariable
@@ -93,18 +90,19 @@ class UserScanPlanController(
 @PathVariable
 id: String
 ): Response {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
 return ResponseBuilder.success(scanPlanService.find(projectId, id))
 }
 @ApiOperation("删除扫描方案")
 @DeleteMapping("/delete/{projectId}/{id}")
- @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
 fun deleteScanPlan(
 @ApiParam(value = "projectId")
 @PathVariable projectId: String,
 @ApiParam(value = "方案id")
 @PathVariable id: String
 ): Response {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
 scanPlanService.delete(projectId, id)
 return ResponseBuilder.success(true)
 }
@@ -118,7 +116,6 @@ class UserScanPlanController(
 @ApiOperation("扫描方案列表-分页")
 @GetMapping("/list/{projectId}")
- @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
 fun scanPlanList(
 @ApiParam(value = "projectId", required = true)
 @PathVariable
@@ -136,6 +133,7 @@ class UserScanPlanController(
 @RequestParam(required = false, defaultValue = DEFAULT_PAGE_SIZE.toString())
 pageSize: Int = DEFAULT_PAGE_SIZE
 ): Response> {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.MANAGE)
 val page = scanPlanService.page(
 projectId = projectId, type = type, planNameContains = name, pageLimit = PageLimit(pageNumber, pageSize)
 )
@@ -144,7 +142,6 @@ class UserScanPlanController(
 @ApiOperation("所有扫描方案")
 @GetMapping("/all/{projectId}")
- @Permission(ResourceType.PROJECT, PermissionAction.READ)
 fun scanPlanList(
 @ApiParam(value = "projectId", required = true)
 @PathVariable
@@ -156,6 +153,7 @@ class UserScanPlanController(
 @RequestParam(required = false)
 fileNameExt: String? = null
 ): Response> {
+ permissionCheckHandler.checkProjectPermission(projectId, PermissionAction.READ)
 val planList = scanPlanService.list(projectId, type, fileNameExt)
 planList.forEach { ScanPlanConverter.keepProps(it, KEEP_PROPS) }
 return ResponseBuilder.success(planList)
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt
index 810989d117..8a50c29e20 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/permission/ArtifactPermissionCheckHandler.kt
@@ -32,18 +32,29 @@ package com.tencent.bkrepo.common.artifact.permission
 import com.tencent.bkrepo.auth.pojo.enums.ResourceType
+import com.tencent.bkrepo.common.artifact.constant.PROJECT_ID
 import com.tencent.bkrepo.common.artifact.repository.context.ArtifactContextHolder
 import com.tencent.bkrepo.common.security.exception.PermissionException
 import com.tencent.bkrepo.common.security.manager.PermissionManager
 import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.security.permission.PermissionCheckHandler
 import com.tencent.bkrepo.common.security.permission.Principal
+import com.tencent.bkrepo.common.service.util.HttpContextHolder
+import org.springframework.web.servlet.HandlerMapping
 class ArtifactPermissionCheckHandler(
 private val permissionManager: PermissionManager
 ) : PermissionCheckHandler {
 override fun onPermissionCheck(userId: String, permission: Permission) {
 when (permission.type) {
+ ResourceType.PROJECT -> {
+ val uriAttribute = HttpContextHolder
+ .getRequest()
+ .getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE)
+ require(uriAttribute is Map<*, *>)
+ val projectId = uriAttribute[PROJECT_ID]?.toString() ?: throw PermissionException()
+ permissionManager.checkProjectPermission(permission.action, projectId)
+ }
 ResourceType.REPO -> {
 with(ArtifactContextHolder.getRepoDetail()!!) {
 permissionManager.checkRepoPermission(
diff --git a/src/backend/media/biz-media/src/main/kotlin/com/tencent/bkrepo/media/controller/UserStreamController.kt b/src/backend/media/biz-media/src/main/kotlin/com/tencent/bkrepo/media/controller/UserStreamController.kt
index 8676b77473..bd93064c6e 100644
--- a/src/backend/media/biz-media/src/main/kotlin/com/tencent/bkrepo/media/controller/UserStreamController.kt
+++ b/src/backend/media/biz-media/src/main/kotlin/com/tencent/bkrepo/media/controller/UserStreamController.kt
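Review bot: The new ResourceType.PROJECT branch reports a missing URI-variable map as IllegalArgumentException via `require(uriAttribute is Map<*, *>)` but a missing project key as PermissionException, so a `@Permission(ResourceType.PROJECT)` handler whose mapping has no path variables at all (the attribute is then null) surfaces as a bad-argument error that the security exception handling may not translate into an authorization failure. Both cases are the same denied check and should raise the same exception: `val uriVars = HttpContextHolder.getRequest().getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE) as? Map<*, *>` followed by `val projectId = uriVars?.get(PROJECT_ID)?.toString() ?: throw PermissionException()`. The branch also needs a comment stating its contract, e.g. `// PROJECT checks resolve the project only from the path variable named by PROJECT_ID; mappings that carry the project in the body or query string must check explicitly`, since the variable name PROJECT_ID maps to is not visible here. The remaining branches of the `when`, and whatever it does for other resource types, continue outside the hunk.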
@@ -31,7 +31,6 @@ class UserStreamController(
 * 生成推流地址
 * */
 @PostMapping("/create/{projectId}/{repoName}")
- @Permission(ResourceType.PROJECT, PermissionAction.MANAGE)
 fun createStream(
 @PathVariable projectId: String,
 @PathVariable repoName: String,
diff --git a/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserMetadataLabelController.kt b/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserMetadataLabelController.kt
index f082c68c9f..ba0ada74d7 100644
--- a/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserMetadataLabelController.kt
+++ b/src/backend/repository/biz-repository/src/main/kotlin/com/tencent/bkrepo/repository/controller/user/UserMetadataLabelController.kt
@@ -28,10 +28,8 @@ package com.tencent.bkrepo.repository.controller.user
 import com.tencent.bkrepo.auth.pojo.enums.PermissionAction
-import com.tencent.bkrepo.auth.pojo.enums.ResourceType
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.security.manager.PermissionManager
-import com.tencent.bkrepo.common.security.permission.Permission
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
 import com.tencent.bkrepo.repository.pojo.metadata.label.MetadataLabelDetail
 import com.tencent.bkrepo.repository.pojo.metadata.label.MetadataLabelRequest
@@ -103,7 +101,6 @@ class UserMetadataLabelController(
 @ApiOperation("查询标签详情")
 @GetMapping("/{projectId}/{labelKey}")
- @Permission(type = ResourceType.PROJECT, action = PermissionAction.READ)
 fun detail(
 @PathVariable projectId: String,
 @PathVariable labelKey: String,
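Review bot: `@Permission(ResourceType.PROJECT, PermissionAction.MANAGE)` is removed from createStream and nothing in this hunk takes its place, so unless the method body (outside the hunk) now calls the permission manager itself, creating a stream in any project is left to whatever authentication alone enforces. The analyst controllers in this commit pair every removed annotation with an explicit `checkProjectPermission(projectId, ...)` call as the first statement of the handler; the same should be visible for createStream, and for UserMetadataLabelController.detail further down, where the `@Permission(... PermissionAction.READ)` line is likewise dropped with no replacement in its hunk (the retained PermissionManager import there suggests an explicit check may exist in the body, but that is not shown). If the check does exist below, a comment at the top of the method such as `// project MANAGE permission is checked explicitly below; this endpoint carries no @Permission annotation` keeps the next reader from taking the endpoint as unprotected. createStream's body continues outside the hunk.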