From 5214db908436c5d22acb31e85e0d95008b3398db Mon Sep 17 00:00:00 2001
From: "saimu.msm"
Date: Wed, 11 Oct 2023 22:57:22 +0800
Subject: [PATCH] security

---
 .../web/controller/AlarmBlockFacadeImpl.java | 22 ++++++++++++--
 .../web/controller/AlarmGroupFacadeImpl.java | 21 +++++++++++++
 .../controller/AlarmSubscribeFacadeImpl.java | 30 +++++++++++++++++++
 .../security/ParameterSecurityService.java | 2 ++
 .../ParameterSecurityServiceImpl.java | 5 ++++
 5 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmBlockFacadeImpl.java b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmBlockFacadeImpl.java
index 7e9fcebcb..0b251d572 100644
--- a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmBlockFacadeImpl.java
+++ b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmBlockFacadeImpl.java
@@ -20,6 +20,7 @@
 import io.holoinsight.server.home.web.interceptor.MonitorScopeAuth;
 import io.holoinsight.server.common.J;
 import io.holoinsight.server.common.JsonResult;
+import io.holoinsight.server.home.web.security.ParameterSecurityService;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -47,6 +48,9 @@ public class AlarmBlockFacadeImpl extends BaseFacade {
 @Autowired
 private UserOpLogService userOpLogService;
+ @Autowired
+ private ParameterSecurityService parameterSecurityService;
+
 @PostMapping("/create")
 @ResponseBody
 @MonitorScopeAuth(targetType = AuthTargetType.TENANT, needPower = PowerConstants.EDIT)
@@ -54,7 +58,15 @@ public JsonResult save(@RequestBody AlarmBlockDTO alarmBlockDTO) {
 final JsonResult result = new JsonResult<>();
 facadeTemplate.manage(result, new ManageCallback() {
 @Override
- public void checkParameter() {}
+ public void checkParameter() {
+ if (StringUtils.isNotEmpty(alarmBlockDTO.getUniqueId())) {
+ MonitorScope ms = RequestContext.getContext().ms;
+ ParaCheckUtil.checkParaBoolean(
+ parameterSecurityService.checkRuleTenantAndWorkspace(alarmBlockDTO.getUniqueId(),
+ ms.getTenant(), ms.getWorkspace()),
+ "uniqueId do not belong to this tenant or workspace");
+ }
+ }
 @Override
 public void doManage() {
@@ -96,7 +108,13 @@ public void checkParameter() {
 ParaCheckUtil.checkParaNotNull(alarmBlockDTO.getTenant(), "tenant");
 ParaCheckUtil.checkEquals(alarmBlockDTO.getTenant(),
 RequestContext.getContext().ms.getTenant(), "tenant is illegal");
-
+ if (StringUtils.isNotEmpty(alarmBlockDTO.getUniqueId())) {
+ MonitorScope ms = RequestContext.getContext().ms;
+ ParaCheckUtil.checkParaBoolean(
+ parameterSecurityService.checkRuleTenantAndWorkspace(alarmBlockDTO.getUniqueId(),
+ ms.getTenant(), ms.getWorkspace()),
+ "uniqueId do not belong to this tenant or workspace");
+ }
 }
 @Override
diff --git a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmGroupFacadeImpl.java b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmGroupFacadeImpl.java
index 6dc53ef91..2d1e0dea9 100644
--- a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmGroupFacadeImpl.java
+++ b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmGroupFacadeImpl.java
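Review bot: The uniqueId scope check is pasted verbatim into both `checkParameter` overrides, the `save` callback in the first hunk and the update callback in the second, so the two copies will drift the next time one is edited; a private helper on the facade keeps a single enforcement point. The helper below also returns early on an empty id instead of nesting, and fixes the message grammar to `"uniqueId does not belong to this tenant or workspace"`. In the update path the only scope checks visible on the DTO are the tenant equality and this uniqueId check; whether the block's own id is verified against the caller's tenant presumably happens in `doManage`, which is outside the hunk, so confirm that it is. Both enclosing methods start before and end after their hunks.
```java
// … unchanged: both checkParameter() overrides call checkUniqueIdScope(alarmBlockDTO.getUniqueId()) …

/** Rejects a uniqueId that names a rule outside the caller's tenant/workspace; empty ids are not checked. */
private void checkUniqueIdScope(String uniqueId) {
  if (StringUtils.isEmpty(uniqueId)) {
    return;
  }
  MonitorScope ms = RequestContext.getContext().ms;
  ParaCheckUtil.checkParaBoolean(
      parameterSecurityService.checkRuleTenantAndWorkspace(uniqueId, ms.getTenant(), ms.getWorkspace()),
      "uniqueId does not belong to this tenant or workspace");
}
```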
@@ -24,6 +24,7 @@
 import io.holoinsight.server.home.web.interceptor.MonitorScopeAuth;
 import io.holoinsight.server.common.J;
 import io.holoinsight.server.common.JsonResult;
+import io.holoinsight.server.home.web.security.ParameterSecurityService;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.CollectionUtils;
@@ -62,6 +63,8 @@ public class AlarmGroupFacadeImpl extends BaseFacade {
 @Autowired
 private RequestContextAdapter requestContextAdapter;
+ @Autowired
+ private ParameterSecurityService parameterSecurityService;
 @PostMapping("/pageQuery")
 @ResponseBody
@@ -109,6 +112,15 @@ public void checkParameter() {
 ParaCheckUtil.checkParaNotBlank(alarmGroup.getGroupName(), "groupName");
 ParaCheckUtil.checkInvalidCharacter(alarmGroup.getGroupName(),
 "invalid groupName, please use a-z A-Z 0-9 Chinese - _ , . spaces");
+ List persons = alarmGroup.getUserList();
+ MonitorUser mu = RequestContext.getContext().mu;
+ if (!CollectionUtils.isEmpty(persons)) {
+ for (String person : persons) {
+ ParaCheckUtil.checkParaBoolean(
+ parameterSecurityService.checkUserTenantAndWorkspace(person, mu),
+ "invalid alarm group person");
+ }
+ }
 }
 @Override
@@ -164,6 +176,15 @@ public void checkParameter() {
 ParaCheckUtil.checkInvalidCharacter(alarmGroup.getGroupName(),
 "invalid groupName, please use a-z A-Z 0-9 Chinese - _ , . spaces");
 }
+ List persons = alarmGroup.getUserList();
+ MonitorUser mu = RequestContext.getContext().mu;
+ if (!CollectionUtils.isEmpty(persons)) {
+ for (String person : persons) {
+ ParaCheckUtil.checkParaBoolean(
+ parameterSecurityService.checkUserTenantAndWorkspace(person, mu),
+ "invalid alarm group person");
+ }
+ }
 }
 @Override
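Review bot: The member-validation loop is duplicated between the create hunk (`@@ -109`) and the update hunk (`@@ -164`); extracting it to one private method means a later fix, such as handling a `null` entry in `getUserList()`, lands in both paths at once. The loop calls `checkUserTenantAndWorkspace` once per entry and the list length is caller-controlled; if that service call hits a store, a cheap size cap in `checkParameter` would bound the work — I cannot see the implementation here, so confirm. Both enclosing callbacks begin and end outside the hunks.
```java
// … unchanged: both checkParameter() overrides call checkGroupMembers(alarmGroup.getUserList()) …

/** Every listed member must resolve to a user in the caller's tenant and workspace. */
private void checkGroupMembers(List<String> persons) {
  if (CollectionUtils.isEmpty(persons)) {
    return;
  }
  MonitorUser mu = RequestContext.getContext().mu;
  for (String person : persons) {
    ParaCheckUtil.checkParaBoolean(
        parameterSecurityService.checkUserTenantAndWorkspace(person, mu),
        "invalid alarm group person");
  }
}
```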
diff --git a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmSubscribeFacadeImpl.java b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmSubscribeFacadeImpl.java
index 4f4229ec2..4c1a133cf 100644
--- a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmSubscribeFacadeImpl.java
+++ b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmSubscribeFacadeImpl.java
@@ -11,6 +11,7 @@
 import io.holoinsight.server.home.common.service.RequestContextAdapter;
 import io.holoinsight.server.home.dal.model.AlarmSubscribe;
 import io.holoinsight.server.home.dal.model.dto.AlarmSubscribeInfo;
+import io.holoinsight.server.home.web.security.ParameterSecurityService;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.CollectionUtils;
@@ -52,6 +53,8 @@ public class AlarmSubscribeFacadeImpl extends BaseFacade {
 @Autowired
 private RequestContextAdapter requestContextAdapter;
+ @Autowired
+ private ParameterSecurityService parameterSecurityService;
 @GetMapping(value = "/queryByUniqueId/{uniqueId}")
 @MonitorScopeAuth(targetType = AuthTargetType.TENANT, needPower = PowerConstants.VIEW)
@@ -97,6 +100,33 @@ public JsonResult saveBatch(AlarmSubscribeDTO alarmSubscribeDTO) {
 @Override
 public void checkParameter() {
 ParaCheckUtil.checkParaNotNull(alarmSubscribeDTO, "alarmSubscribeDTO");
+ MonitorScope ms = RequestContext.getContext().ms;
+ MonitorUser mu = RequestContext.getContext().mu;
+ if (StringUtils.isNotEmpty(alarmSubscribeDTO.getUniqueId())) {
+ ParaCheckUtil.checkParaBoolean(
+ parameterSecurityService.checkRuleTenantAndWorkspace(alarmSubscribeDTO.getUniqueId(),
+ ms.getTenant(), ms.getWorkspace()),
+ "uniqueId do not belong to this tenant or workspace");
+ }
+ if (!CollectionUtils.isEmpty(alarmSubscribeDTO.getAlarmSubscribe())) {
+ for (AlarmSubscribeInfo alarmSubscribeInfo : alarmSubscribeDTO.getAlarmSubscribe()) {
+ if (CollectionUtils.isEmpty(alarmSubscribeInfo.getNoticeType())) {
+ continue;
+ }
+ if (alarmSubscribeInfo.getNoticeType().contains("dingding")
+ || alarmSubscribeInfo.getNoticeType().contains("sms")
+ || alarmSubscribeInfo.getNoticeType().contains("phone")
+ || alarmSubscribeInfo.getNoticeType().contains("email")) {
+ ParaCheckUtil.checkParaBoolean(parameterSecurityService.checkUserTenantAndWorkspace(
+ alarmSubscribeInfo.getSubscriber(), mu), "invalid subscriber");
+ }
+ if (alarmSubscribeInfo.getNoticeType().contains("dingDingRobot")) {
+ ParaCheckUtil.checkParaBoolean(parameterSecurityService.checkGroupTenantAndWorkspace(
+ alarmSubscribeInfo.getGroupId(), ms.getTenant(),
+ requestContextAdapter.getWorkspace(true)), "invalid subscriber");
+ }
+ }
+ }
 }
 @Override
diff --git a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityService.java b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityService.java
index c073fdf56..900eda8ff 100644
--- a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityService.java
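Review bot: The subscriber and group checks in the new loop are keyed on notice-type names (`dingding`, `sms`, `phone`, `email`, `dingDingRobot`), so an entry whose notice type is any other value — a new channel, a typo, a different casing — can carry a `subscriber` or `groupId` that is never validated; validating whichever target field the entry actually carries is a shorter allow-list to get wrong. The two branches also use different workspace sources, `ms.getWorkspace()` for the rule check and `requestContextAdapter.getWorkspace(true)` for the group check, and if those can differ the group check enforces a different scope than the rest of the method — `getWorkspace(true)` is not visible here, so confirm or document why. Both failures report `"invalid subscriber"`, so a rejected `groupId` is misreported. Note that `checkGroupTenantAndWorkspace` as added in this same commit returns `true` unconditionally (see the ParameterSecurityServiceImpl hunk), so the group branch currently rejects nothing. `saveBatch` starts before the hunk and continues after it.
```java
// … unchanged: ms/mu lookup and the uniqueId check …
if (!CollectionUtils.isEmpty(alarmSubscribeDTO.getAlarmSubscribe())) {
  for (AlarmSubscribeInfo info : alarmSubscribeDTO.getAlarmSubscribe()) {
    if (CollectionUtils.isEmpty(info.getNoticeType())) {
      continue;
    }
    // Validate by the target the entry carries, not by channel name, so an
    // unlisted notice type cannot skip the tenant/workspace check.
    if (StringUtils.isNotEmpty(info.getSubscriber())) {
      ParaCheckUtil.checkParaBoolean(
          parameterSecurityService.checkUserTenantAndWorkspace(info.getSubscriber(), mu),
          "invalid subscriber");
    }
    // assumes getGroupId() returns the boxed Long the service interface takes — confirm
    if (info.getGroupId() != null) {
      // NOTE(review): workspace source differs from the uniqueId check above — confirm intended
      ParaCheckUtil.checkParaBoolean(
          parameterSecurityService.checkGroupTenantAndWorkspace(info.getGroupId(),
              ms.getTenant(), requestContextAdapter.getWorkspace(true)),
          "invalid groupId");
    }
  }
}
```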
+++ b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityService.java
@@ -19,6 +19,8 @@ public interface ParameterSecurityService {
 boolean checkMetricTenantAndWorkspace(String metricTable, String tenant, String workspace);
+ boolean checkGroupTenantAndWorkspace(Long groupId, String tenant, String workspace);
+
 boolean checkUserTenantAndWorkspace(String uid, MonitorUser user);
 boolean checkFilterTenantAndWorkspace(String metricTable, Map> filters,
diff --git a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityServiceImpl.java b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityServiceImpl.java
index d92b54db9..3d45318e4 100644
--- a/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityServiceImpl.java
+++ b/server/home/home-web/src/main/java/io/holoinsight/server/home/web/security/ParameterSecurityServiceImpl.java
@@ -29,6 +29,11 @@ public boolean checkMetricTenantAndWorkspace(String metricTable, String tenant,
 return true;
 }
+ @Override
+ public boolean checkGroupTenantAndWorkspace(Long groupId, String tenant, String workspace) {
+ return true;
+ }
+
 @Override
 public String getTenantFromMetricInfo(String metricTable) {
 return StringUtils.EMPTY;
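Review bot: `checkGroupTenantAndWorkspace` is added to the interface without Javadoc, although it is the contract the `dingDingRobot` branch in AlarmSubscribeFacadeImpl relies on for authorization; state what `true` means and how a `null` or unknown `groupId` is treated so implementations cannot quietly fail open. Suggested: `/** Returns true only if the alarm group identified by groupId exists and belongs to the given tenant and workspace; a null or unknown id must yield false. */`. The interface body continues outside the hunk.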
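Review bot: `checkGroupTenantAndWorkspace` returns `true` unconditionally, so the group ownership check this commit adds to AlarmSubscribeFacadeImpl never rejects anything — not a `null` groupId, not a group from another tenant — and the method is a fail-open placeholder behind a security-sounding name. The `checkMetricTenantAndWorkspace` visible just above also ends in `return true;`, so this may be the file's existing pattern, but an authorization check should load the group by id and compare its tenant and workspace with the arguments. Until that lookup exists it should at least reject `null` and say it is unenforced: `if (groupId == null) { return false; }` followed by `// TODO(security): placeholder — always passes; implement the group lookup before relying on this`. The class body continues outside the hunk.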