feat: webhook (#834)

server/home/home-boot/src/main/java/io/holoinsight/server/home/bootstrap/HoloinsightHomeConfiguration.java

@@ -19,6 +19,7 @@
 import io.holoinsight.server.home.alert.plugin.GatewayService;
 import io.holoinsight.server.home.alert.service.event.AlertNotifyChainBuilder;
 import io.holoinsight.server.home.alert.service.event.DefaultAlertNotifyChainBuilder;
+import io.holoinsight.server.home.biz.access.MonitorAccessService;
 import io.holoinsight.server.home.biz.plugin.DefaultMarketplaceProductHandler;
 import io.holoinsight.server.home.biz.plugin.MarketplaceProductHandler;
 import io.holoinsight.server.home.biz.plugin.MetricInfoCheckService;
@@ -131,4 +132,9 @@ public AccessRecordService accessRecordService() {
   public ApiSecurityService apiSecurityService() {
     return new ApiSecurityServiceImpl();
   }
+
+  @Bean
+  public MonitorAccessService monitorAccessService() {
+    return new MonitorAccessService();
+  }
 }

server/home/home-service/src/main/java/io/holoinsight/server/home/biz/access/MonitorAccessService.java

@@ -27,11 +27,10 @@
  * @version 1.0: MonitorAccessService.java, v 0.1 2022年06月10日 10:23 上午 jinsong.yjs Exp $
  */
 @Slf4j
-@Component
 public class MonitorAccessService {
 
   @Autowired
-  private AccessConfigService accessConfigService;
+  protected AccessConfigService accessConfigService;
 
   /**
    * 申请token，如果入参非法报错

server/home/home-service/src/main/java/io/holoinsight/server/home/biz/common/MetaDictKey.java

@@ -13,6 +13,7 @@ public class MetaDictKey {
   public static final String ULA_HOST = "ula_host";
   public static final String LOG_TIME_LAYOUT = "log_time_layout";
   public static final String TOKEN_URL_WRITE_LIST = "token_url_write_list";
+  public static final String TOKEN_URL_WHITE_PREFIX_LIST = "token_url_white_prefix_list";
   public static final String TOKEN_URL_NO_AUTH = "token_url_no_auth";
   public static final String RESOURCE_KEYS = "resource_keys";
   public static final String IS_APM_MATERIALIZED = "is_apm_materialized";

server/home/home-service/src/main/java/io/holoinsight/server/home/biz/common/MetaDictUtil.java

@@ -143,6 +143,14 @@ public static List<String> getTokenUrlWriteList() {
     return value;
   }
 
+  public static List<String> getTokenUrlWhitePrefixList() {
+    List<String> value = MetaDictUtil.getValue(MetaDictType.GLOBAL_CONFIG,
+        MetaDictKey.TOKEN_URL_WHITE_PREFIX_LIST, new TypeToken<List<String>>() {});
+    if (CollectionUtils.isEmpty(value))
+      return new ArrayList<>();
+    return value;
+  }
+
   public static List<String> getTokenUrlNoAuth() {
     List<String> value = MetaDictUtil.getValue(MetaDictType.GLOBAL_CONFIG,
         MetaDictKey.TOKEN_URL_NO_AUTH, new TypeToken<List<String>>() {});

server/home/home-web/src/main/java/io/holoinsight/server/home/web/controller/AlarmWebhookFacadeImpl.java

@@ -3,47 +3,46 @@
  */
 package io.holoinsight.server.home.web.controller;
 
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
-
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.util.CollectionUtils;
-import org.springframework.web.bind.annotation.DeleteMapping;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
-
 import io.holoinsight.server.common.J;
 import io.holoinsight.server.common.JsonResult;
-import io.holoinsight.server.home.alert.service.AlertService;
-import io.holoinsight.server.common.service.AlertWebhookService;
-import io.holoinsight.server.common.service.UserOpLogService;
-import io.holoinsight.server.home.common.service.query.WebhookResponse;
+import io.holoinsight.server.common.ManageCallback;
 import io.holoinsight.server.common.MonitorException;
+import io.holoinsight.server.common.MonitorPageRequest;
+import io.holoinsight.server.common.MonitorPageResult;
+import io.holoinsight.server.common.RequestContext;
 import io.holoinsight.server.common.SSRFUtils;
+import io.holoinsight.server.common.dao.entity.AlarmWebhook;
+import io.holoinsight.server.common.dao.entity.dto.AlarmWebhookDTO;
+import io.holoinsight.server.common.dao.entity.dto.AlarmWebhookTestDTO;
 import io.holoinsight.server.common.scope.AuthTargetType;
 import io.holoinsight.server.common.scope.MonitorScope;
 import io.holoinsight.server.common.scope.MonitorUser;
 import io.holoinsight.server.common.scope.PowerConstants;
-import io.holoinsight.server.common.RequestContext;
-import io.holoinsight.server.common.dao.entity.AlarmWebhook;
+import io.holoinsight.server.common.service.AlertWebhookService;
+import io.holoinsight.server.common.service.UserOpLogService;
+import io.holoinsight.server.home.alert.service.AlertService;
+import io.holoinsight.server.home.common.service.query.WebhookResponse;
 import io.holoinsight.server.home.dal.model.OpType;
-import io.holoinsight.server.common.dao.entity.dto.AlarmWebhookDTO;
-import io.holoinsight.server.common.dao.entity.dto.AlarmWebhookTestDTO;
-import io.holoinsight.server.common.MonitorPageRequest;
-import io.holoinsight.server.common.MonitorPageResult;
-import io.holoinsight.server.common.ManageCallback;
 import io.holoinsight.server.home.web.common.ParaCheckUtil;
 import io.holoinsight.server.home.web.interceptor.MonitorScopeAuth;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.CollectionUtils;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * @author wangsiyuan
@@ -93,11 +92,11 @@ public void doManage() {
         alarmWebhookDTO.setGmtCreate(new Date());
         alarmWebhookDTO.setGmtModified(new Date());
 
-        JsonResult<WebhookResponse> test = test(transformTestDTO(alarmWebhookDTO));
-        if (!test.isSuccess()) {
-          throw new MonitorException(
-              "Debugging failed. Please check whether the input parameters are correct");
-        }
+        // JsonResult<WebhookResponse> test = test(transformTestDTO(alarmWebhookDTO));
+        // if (!test.isSuccess()) {
+        // throw new MonitorException(
+        // "Debugging failed. Please check whether the input parameters are correct");
+        // }
 
         Long id = alarmWebhookService.save(alarmWebhookDTO).getId();
 
@@ -153,11 +152,11 @@ public void doManage() {
         }
         alarmWebhookDTO.setGmtModified(new Date());
 
-        JsonResult<WebhookResponse> test = test(transformTestDTO(alarmWebhookDTO));
-        if (!test.isSuccess()) {
-          throw new MonitorException(
-              "Debugging failed. Please check whether the input parameters are correct");
-        }
+        // JsonResult<WebhookResponse> test = test(transformTestDTO(alarmWebhookDTO));
+        // if (!test.isSuccess()) {
+        // throw new MonitorException(
+        // "Debugging failed. Please check whether the input parameters are correct");
+        // }
 
         boolean save = alarmWebhookService.updateById(alarmWebhookDTO);
         userOpLogService.append("alarm_webhook", alarmWebhookDTO.getId(), OpType.UPDATE,

server/home/home-web/src/main/java/io/holoinsight/server/home/web/filter/Step2IdentityFilter.java

@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.List;
 
 import static io.holoinsight.server.home.web.common.ResponseUtil.authFailedResponse;
 
@@ -151,8 +152,7 @@ public boolean userCheck(HttpServletRequest req, HttpServletResponse resp) throw
 
   public boolean tokenCheck(String token, HttpServletRequest req, HttpServletResponse resp)
       throws IOException {
-    if (!TokenUrlFactoryHolder.checkIsExist(req.getServletPath())
-        && !MetaDictUtil.getTokenUrlWriteList().contains(req.getServletPath())) {
+    if (invalidReqServletPath(req)) {
       authFailedResponse(resp, HttpServletResponse.SC_UNAUTHORIZED,
           req.getServletPath() + " is not open, please connect monitor admin, " + token,
           ResultCodeEnum.AUTH_CHECK_ERROR);
@@ -168,4 +168,21 @@ public boolean tokenCheck(String token, HttpServletRequest req, HttpServletRespo
     }
     return true;
   }
+
+  private boolean invalidReqServletPath(HttpServletRequest req) {
+    String servletPath = req.getServletPath();
+    if (TokenUrlFactoryHolder.checkIsExist(servletPath)) {
+      return false;
+    }
+    if (MetaDictUtil.getTokenUrlWriteList().contains(servletPath)) {
+      return false;
+    }
+    List<String> whitePrefixList = MetaDictUtil.getTokenUrlWhitePrefixList();
+    for (String prefix : whitePrefixList) {
+      if (servletPath.startsWith(prefix)) {
+        return false;
+      }
+    }
+    return true;
+  }
 }