fix: horizontal security (#696)
masaimu authored Oct 17, 2023
1 parent 3b2cbac commit ced3ca9
Showing 5 changed files with 78 additions and 2 deletions.
Expand Up @@ -20,6 +20,7 @@
import io.holoinsight.server.home.web.interceptor.MonitorScopeAuth;
import io.holoinsight.server.common.J;
import io.holoinsight.server.common.JsonResult;
import io.holoinsight.server.home.web.security.ParameterSecurityService;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.DeleteMapping;
Expand Down Expand Up @@ -47,14 +48,25 @@ public class AlarmBlockFacadeImpl extends BaseFacade {
@Autowired
private UserOpLogService userOpLogService;

@Autowired
private ParameterSecurityService parameterSecurityService;

@PostMapping("/create")
@ResponseBody
@MonitorScopeAuth(targetType = AuthTargetType.TENANT, needPower = PowerConstants.EDIT)
public JsonResult<Long> save(@RequestBody AlarmBlockDTO alarmBlockDTO) {
final JsonResult<Long> result = new JsonResult<>();
facadeTemplate.manage(result, new ManageCallback() {
@Override
public void checkParameter() {}
public void checkParameter() {
if (StringUtils.isNotEmpty(alarmBlockDTO.getUniqueId())) {
MonitorScope ms = RequestContext.getContext().ms;
ParaCheckUtil.checkParaBoolean(
parameterSecurityService.checkRuleTenantAndWorkspace(alarmBlockDTO.getUniqueId(),
ms.getTenant(), ms.getWorkspace()),
"uniqueId do not belong to this tenant or workspace");
}
}

@Override
public void doManage() {
Expand Down Expand Up @@ -96,7 +108,13 @@ public void checkParameter() {
ParaCheckUtil.checkParaNotNull(alarmBlockDTO.getTenant(), "tenant");
ParaCheckUtil.checkEquals(alarmBlockDTO.getTenant(),
RequestContext.getContext().ms.getTenant(), "tenant is illegal");

if (StringUtils.isNotEmpty(alarmBlockDTO.getUniqueId())) {
MonitorScope ms = RequestContext.getContext().ms;
ParaCheckUtil.checkParaBoolean(
parameterSecurityService.checkRuleTenantAndWorkspace(alarmBlockDTO.getUniqueId(),
ms.getTenant(), ms.getWorkspace()),
"uniqueId do not belong to this tenant or workspace");
}
}

@Override
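Review bot: The uniqueId scoping block added to checkParameter() of save() is repeated verbatim in the second hunk of this file (the checkParameter() of another callback whose enclosing method starts outside the hunk); extracting it into one private helper keeps the two security checks from drifting apart. The failure message `"uniqueId do not belong to this tenant or workspace"` should read `"uniqueId does not belong to this tenant or workspace"`. Both sites skip the check when uniqueId is empty, so a DTO with a blank uniqueId passes untouched — presumably intended for create, but a one-line comment at the save() site saying so would make that reviewable.
```java
/** Rejects a uniqueId not owned by the caller's tenant and workspace; an empty uniqueId is skipped. */
private void checkUniqueIdInScope(String uniqueId) {
  if (StringUtils.isEmpty(uniqueId)) {
    return;
  }
  MonitorScope ms = RequestContext.getContext().ms;
  ParaCheckUtil.checkParaBoolean(
      parameterSecurityService.checkRuleTenantAndWorkspace(uniqueId, ms.getTenant(),
          ms.getWorkspace()),
      "uniqueId does not belong to this tenant or workspace");
}
// … in each checkParameter(): checkUniqueIdInScope(alarmBlockDTO.getUniqueId()); …
```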
Expand Up @@ -24,6 +24,7 @@
import io.holoinsight.server.home.web.interceptor.MonitorScopeAuth;
import io.holoinsight.server.common.J;
import io.holoinsight.server.common.JsonResult;
import io.holoinsight.server.home.web.security.ParameterSecurityService;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.CollectionUtils;
Expand Down Expand Up @@ -62,6 +63,8 @@ public class AlarmGroupFacadeImpl extends BaseFacade {

@Autowired
private RequestContextAdapter requestContextAdapter;
@Autowired
private ParameterSecurityService parameterSecurityService;

@PostMapping("/pageQuery")
@ResponseBody
Expand Down Expand Up @@ -109,6 +112,15 @@ public void checkParameter() {
ParaCheckUtil.checkParaNotBlank(alarmGroup.getGroupName(), "groupName");
ParaCheckUtil.checkInvalidCharacter(alarmGroup.getGroupName(),
"invalid groupName, please use a-z A-Z 0-9 Chinese - _ , . spaces");
List<String> persons = alarmGroup.getUserList();
MonitorUser mu = RequestContext.getContext().mu;
if (!CollectionUtils.isEmpty(persons)) {
for (String person : persons) {
ParaCheckUtil.checkParaBoolean(
parameterSecurityService.checkUserTenantAndWorkspace(person, mu),
"invalid alarm group person");
}
}
}

@Override
Expand Down Expand Up @@ -164,6 +176,15 @@ public void checkParameter() {
ParaCheckUtil.checkInvalidCharacter(alarmGroup.getGroupName(),
"invalid groupName, please use a-z A-Z 0-9 Chinese - _ , . spaces");
}
List<String> persons = alarmGroup.getUserList();
MonitorUser mu = RequestContext.getContext().mu;
if (!CollectionUtils.isEmpty(persons)) {
for (String person : persons) {
ParaCheckUtil.checkParaBoolean(
parameterSecurityService.checkUserTenantAndWorkspace(person, mu),
"invalid alarm group person");
}
}
}

@Override
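Review bot: The per-person validation loop added to checkParameter() is duplicated verbatim in the second hunk of this file (both enclosing callbacks start outside the hunk); a private helper along the lines of `checkPersonsInScope(List<String> persons)` would keep the two validations identical. The failure message `"invalid alarm group person"` does not say which entry was rejected; `"invalid alarm group person: " + person` makes the rejection diagnosable, assuming user ids are not sensitive, which I cannot tell from here. Null or blank entries in userList are passed straight to checkUserTenantAndWorkspace and whether it rejects them is not visible on the page, so a `ParaCheckUtil.checkParaNotBlank(person, "person");` before the call would make the contract explicit.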
Expand Up @@ -11,6 +11,7 @@
import io.holoinsight.server.home.common.service.RequestContextAdapter;
import io.holoinsight.server.home.dal.model.AlarmSubscribe;
import io.holoinsight.server.home.dal.model.dto.AlarmSubscribeInfo;
import io.holoinsight.server.home.web.security.ParameterSecurityService;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.CollectionUtils;
Expand Down Expand Up @@ -52,6 +53,8 @@ public class AlarmSubscribeFacadeImpl extends BaseFacade {

@Autowired
private RequestContextAdapter requestContextAdapter;
@Autowired
private ParameterSecurityService parameterSecurityService;

@GetMapping(value = "/queryByUniqueId/{uniqueId}")
@MonitorScopeAuth(targetType = AuthTargetType.TENANT, needPower = PowerConstants.VIEW)
Expand Down Expand Up @@ -97,6 +100,33 @@ public JsonResult<Boolean> saveBatch(AlarmSubscribeDTO alarmSubscribeDTO) {
@Override
public void checkParameter() {
ParaCheckUtil.checkParaNotNull(alarmSubscribeDTO, "alarmSubscribeDTO");
MonitorScope ms = RequestContext.getContext().ms;
MonitorUser mu = RequestContext.getContext().mu;
if (StringUtils.isNotEmpty(alarmSubscribeDTO.getUniqueId())) {
ParaCheckUtil.checkParaBoolean(
parameterSecurityService.checkRuleTenantAndWorkspace(alarmSubscribeDTO.getUniqueId(),
ms.getTenant(), ms.getWorkspace()),
"uniqueId do not belong to this tenant or workspace");
}
if (!CollectionUtils.isEmpty(alarmSubscribeDTO.getAlarmSubscribe())) {
for (AlarmSubscribeInfo alarmSubscribeInfo : alarmSubscribeDTO.getAlarmSubscribe()) {
if (CollectionUtils.isEmpty(alarmSubscribeInfo.getNoticeType())) {
continue;
}
if (alarmSubscribeInfo.getNoticeType().contains("dingding")
|| alarmSubscribeInfo.getNoticeType().contains("sms")
|| alarmSubscribeInfo.getNoticeType().contains("phone")
|| alarmSubscribeInfo.getNoticeType().contains("email")) {
ParaCheckUtil.checkParaBoolean(parameterSecurityService.checkUserTenantAndWorkspace(
alarmSubscribeInfo.getSubscriber(), mu), "invalid subscriber");
}
if (alarmSubscribeInfo.getNoticeType().contains("dingDingRobot")) {
ParaCheckUtil.checkParaBoolean(parameterSecurityService.checkGroupTenantAndWorkspace(
alarmSubscribeInfo.getGroupId(), ms.getTenant(),
requestContextAdapter.getWorkspace(true)), "invalid subscriber");
}
}
}
}

@Override
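Review bot: In the dingDingRobot branch the failure message `"invalid subscriber"` is reused for the group check, so a rejected groupId is reported as a bad subscriber; `"invalid group"` would point at the right field. The same branch takes the workspace from `requestContextAdapter.getWorkspace(true)` while the uniqueId check a few lines above uses `ms.getWorkspace()`; if those two can differ, the two checks scope to different workspaces, and the choice deserves a comment either way. The notice types are compared against string literals spread over five lines, and a notice type that is in neither list triggers no subscriber or group validation, which is only safe if that set is closed — constants for the channel names plus a comment stating that intent would make it reviewable. The enclosing saveBatch() method starts outside the hunk.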
Expand Up @@ -19,6 +19,8 @@ public interface ParameterSecurityService {

boolean checkMetricTenantAndWorkspace(String metricTable, String tenant, String workspace);

boolean checkGroupTenantAndWorkspace(Long groupId, String tenant, String workspace);

boolean checkUserTenantAndWorkspace(String uid, MonitorUser user);

boolean checkFilterTenantAndWorkspace(String metricTable, Map<String, List<Object>> filters,
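Review bot: The new `checkGroupTenantAndWorkspace` declaration carries no Javadoc, and because it takes a boxed `Long groupId` the null case is part of its contract; the neighbouring declarations are undocumented too, but this one gates the dingDingRobot branch added in AlarmSubscribeFacadeImpl. Proposed: `/** Returns whether {@code groupId} belongs to {@code tenant} and {@code workspace}; implementations must state how a null {@code groupId} is treated. */`, with the intended null behaviour filled in by the author.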
Expand Up @@ -29,6 +29,11 @@ public boolean checkMetricTenantAndWorkspace(String metricTable, String tenant,
return true;
}

@Override
public boolean checkGroupTenantAndWorkspace(Long groupId, String tenant, String workspace) {
return true;
}

@Override
public String getTenantFromMetricInfo(String metricTable) {
return StringUtils.EMPTY;
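Review bot: The added override returns `true` unconditionally, so with this implementation the group check wired into AlarmSubscribeFacadeImpl's dingDingRobot branch permits every groupId. The sibling `checkMetricTenantAndWorkspace` just above also returns true, which suggests this is the project's placeholder implementation, but nothing on the page shows a stricter implementation exists. If it is a placeholder, say so at the method: `// Placeholder: permits every groupId; tenant/workspace ownership of groups is not checked here`. Otherwise the horizontal check this commit introduces is a no-op for groups.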

0 comments on commit ced3ca9

Please sign in to comment.