You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@streampark.apache.org by mu...@apache.org on 2023/04/18 02:15:21 UTC

[incubator-streampark] branch dev updated: [Improve] permission check improvement (#2647)

This is an automated email from the ASF dual-hosted git repository.

muchunjin pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git


The following commit(s) were added to refs/heads/dev by this push:
     new 2763f37a9 [Improve] permission check improvement (#2647)
2763f37a9 is described below

commit 2763f37a9e092542f9f4eee1667620fc75116e20
Author: benjobs <be...@apache.org>
AuthorDate: Tue Apr 18 10:15:15 2023 +0800

    [Improve] permission check improvement (#2647)
---
 .../console/base/exception/ApiAlertException.java  |  6 +++
 .../console/core/aspect/StreamParkAspect.java      | 61 ++++++++++++----------
 .../core/service/impl/FlinkEnvServiceImpl.java     |  8 +--
 3 files changed, 42 insertions(+), 33 deletions(-)

diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java
index 17ddce28f..34cccf7e3 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java
@@ -57,4 +57,10 @@ public class ApiAlertException extends AbstractApiException {
       throw new ApiAlertException(errorMessage);
     }
   }
+
+  public static void throwIfTrue(boolean expression, String errorMessage) {
+    if (expression) {
+      throw new ApiAlertException(errorMessage);
+    }
+  }
 }
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java
index bee22859e..6646ead55 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java
@@ -30,6 +30,7 @@ import org.apache.streampark.console.core.service.ApplicationService;
 import org.apache.streampark.console.core.service.CommonService;
 import org.apache.streampark.console.core.task.FlinkRESTAPIWatcher;
 import org.apache.streampark.console.system.entity.AccessToken;
+import org.apache.streampark.console.system.entity.Member;
 import org.apache.streampark.console.system.entity.User;
 import org.apache.streampark.console.system.service.MemberService;
 
@@ -104,44 +105,46 @@ public class StreamParkAspect {
     MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
     PermissionAction permissionAction =
         methodSignature.getMethod().getAnnotation(PermissionAction.class);
-    String spELString = permissionAction.id();
-    PermissionType permissionType = permissionAction.type();
 
     User currentUser = commonService.getCurrentUser();
     ApiAlertException.throwIfNull(currentUser, "Permission denied, please login first.");
 
-    Long paramId = getId(joinPoint, methodSignature, spELString);
-    switch (permissionType) {
-      case USER:
-        ApiAlertException.throwIfFalse(
-            !(currentUser.getUserType() != UserType.ADMIN
-                && !currentUser.getUserId().equals(paramId)),
-            "Permission denied, only ADMIN user or user himself can access this permission");
-        break;
-      case TEAM:
-        ApiAlertException.throwIfFalse(
-            !(currentUser.getUserType() != UserType.ADMIN
-                && memberService.findByUserName(paramId, currentUser.getUsername()) == null),
-            "Permission denied, only ADMIN user or user belongs to this team can access this permission");
-        break;
-      case APP:
-        Application app = applicationService.getById(paramId);
-        ApiAlertException.throwIfFalse(
-            !(app != null
-                && currentUser.getUserType() != UserType.ADMIN
-                && memberService.findByUserName(app.getTeamId(), currentUser.getUsername())
-                    == null),
-            "Permission denied, only ADMIN user or user belongs to this team can access this permission");
-        break;
-      default:
-        throw new IllegalArgumentException(
-            String.format("Permission type %s is not supported.", permissionType));
+    boolean isAdmin = currentUser.getUserType() == UserType.ADMIN;
+
+    if (!isAdmin) {
+      PermissionType permissionType = permissionAction.type();
+      Long paramId = getParamId(joinPoint, methodSignature, permissionAction.id());
+
+      switch (permissionType) {
+        case USER:
+          ApiAlertException.throwIfTrue(
+              !currentUser.getUserId().equals(paramId),
+              "Permission denied, only user himself can access this permission");
+          break;
+        case TEAM:
+          Member member = memberService.findByUserName(paramId, currentUser.getUsername());
+          ApiAlertException.throwIfTrue(
+              member == null,
+              "Permission denied, only user belongs to this team can access this permission");
+          break;
+        case APP:
+          Application app = applicationService.getById(paramId);
+          ApiAlertException.throwIfTrue(app == null, "Invalid operation, application is null");
+          member = memberService.findByUserName(app.getTeamId(), currentUser.getUsername());
+          ApiAlertException.throwIfTrue(
+              member == null,
+              "Permission denied, only user belongs to this team can access this permission");
+          break;
+        default:
+          throw new IllegalArgumentException(
+              String.format("Permission type %s is not supported.", permissionType));
+      }
     }
 
     return (RestResponse) joinPoint.proceed();
   }
 
-  private Long getId(
+  private Long getParamId(
       ProceedingJoinPoint joinPoint, MethodSignature methodSignature, String spELString) {
     SpelExpressionParser parser = new SpelExpressionParser();
     Expression expression = parser.parseExpression(spELString);
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java
index 0c44fe776..2e638c7d3 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java
@@ -158,13 +158,13 @@ public class FlinkEnvServiceImpl extends ServiceImpl<FlinkEnvMapper, FlinkEnv>
     ApiAlertException.throwIfNull(flinkEnv, "The flink home does not exist, please check.");
 
     // 2.check if it is being used by any flink cluster
-    ApiAlertException.throwIfFalse(
-        !flinkClusterService.existsByFlinkEnvId(flinkEnv.getId()),
+    ApiAlertException.throwIfTrue(
+        flinkClusterService.existsByFlinkEnvId(flinkEnv.getId()),
         "The flink home is still in use by some flink cluster, please check.");
 
     // 3.check if it is being used by any application
-    ApiAlertException.throwIfFalse(
-        !applicationService.existsJobByFlinkEnvId(flinkEnv.getId()),
+    ApiAlertException.throwIfTrue(
+        applicationService.existsJobByFlinkEnvId(flinkEnv.getId()),
         "The flink home is still in use by some application, please check.");
   }
 }