refactor code to reflect code review comments

- refactor the db schema \ - refactor permission checking in API handlers \ to follow the latest code/interface changes Signed-off-by: Steven Zou <szou@vmware.com>
2024-12-22 08:38:03 +01:00 · 2019-10-11 17:41:47 +08:00 · 2019-10-11 17:41:47 +08:00 · 9fd8b6306c
commit 9fd8b6306c
parent 58afd8e14b
4 changed files with 58 additions and 55 deletions
--- a/make/migrations/postgresql/0012_1.10.0_schema.up.sql
+++ b/make/migrations/postgresql/0012_1.10.0_schema.up.sql
@ -1,35 +0,0 @@
-/*Table for keeping the plug scanner registration*/
-CREATE TABLE scanner_registration
-(
-    id SERIAL PRIMARY KEY NOT NULL,
-    uuid VARCHAR(64) UNIQUE NOT NULL,
-    url VARCHAR(256) UNIQUE NOT NULL,
-    name VARCHAR(128) UNIQUE NOT NULL,
-    description VARCHAR(1024) NULL,
-    auth VARCHAR(16) NOT NULL,
-    access_cred VARCHAR(512) NULL,
-    disabled BOOLEAN NOT NULL DEFAULT FALSE,
-    is_default BOOLEAN NOT NULL DEFAULT FALSE,
-    skip_cert_verify BOOLEAN NOT NULL DEFAULT FALSE,
-    create_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    update_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP
-);
-
-/*Table for keeping the scan report. The report details are stored as JSON*/
-CREATE TABLE scan_report
-(
-    id SERIAL PRIMARY KEY NOT NULL,
-    uuid VARCHAR(64) UNIQUE NOT NULL,
-    digest VARCHAR(256) NOT NULL,
-    registration_uuid VARCHAR(64) NOT NULL,
-    mime_type VARCHAR(256) NOT NULL,
-    job_id VARCHAR(64),
-    track_id VARCHAR(64),
-    status VARCHAR(1024) NOT NULL,
-    status_code INTEGER DEFAULT 0,
-    status_rev BIGINT DEFAULT 0,
-    report JSON,
-    start_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    end_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    UNIQUE(digest, registration_uuid, mime_type)
-)
--- a/make/migrations/postgresql/0015_1.10.0_schema.up.sql
+++ b/make/migrations/postgresql/0015_1.10.0_schema.up.sql
@ -1,3 +1,39 @@
+/*Table for keeping the plug scanner registration*/
+CREATE TABLE scanner_registration
+(
+    id SERIAL PRIMARY KEY NOT NULL,
+    uuid VARCHAR(64) UNIQUE NOT NULL,
+    url VARCHAR(256) UNIQUE NOT NULL,
+    name VARCHAR(128) UNIQUE NOT NULL,
+    description VARCHAR(1024) NULL,
+    auth VARCHAR(16) NOT NULL,
+    access_cred VARCHAR(512) NULL,
+    disabled BOOLEAN NOT NULL DEFAULT FALSE,
+    is_default BOOLEAN NOT NULL DEFAULT FALSE,
+    skip_cert_verify BOOLEAN NOT NULL DEFAULT FALSE,
+    create_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    update_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+
+/*Table for keeping the scan report. The report details are stored as JSON*/
+CREATE TABLE scan_report
+(
+    id SERIAL PRIMARY KEY NOT NULL,
+    uuid VARCHAR(64) UNIQUE NOT NULL,
+    digest VARCHAR(256) NOT NULL,
+    registration_uuid VARCHAR(64) NOT NULL,
+    mime_type VARCHAR(256) NOT NULL,
+    job_id VARCHAR(64),
+    track_id VARCHAR(64),
+    status VARCHAR(1024) NOT NULL,
+    status_code INTEGER DEFAULT 0,
+    status_rev BIGINT DEFAULT 0,
+    report JSON,
+    start_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    end_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(digest, registration_uuid, mime_type)
+);
+
 /** Add table for immutable tag  **/
 CREATE TABLE immutable_tag_rule
 (
--- a/src/core/api/pro_scanner.go
+++ b/src/core/api/pro_scanner.go
@ -36,17 +36,29 @@ func (sa *ProjectScannerAPI) Prepare() {
 	sa.BaseController.Prepare()

 	// Check access permissions
-	if !sa.SecurityCtx.IsAuthenticated() {
-		sa.SendUnAuthorizedError(errors.New("UnAuthorized"))
+	if !sa.RequireAuthenticated() {
 		return
 	}

 	// Get ID of the project
 	pid, err := sa.GetInt64FromPath(":pid")
 	if err != nil {
-		sa.SendBadRequestError(errors.Wrap(err, "scanner API: get project scanners"))
+		sa.SendBadRequestError(errors.Wrap(err, "project scanner API"))
 		return
 	}
+
+	// Check if the project exists
+	exists, err := sa.ProjectMgr.Exists(pid)
+	if err != nil {
+		sa.SendInternalServerError(errors.Wrap(err, "project scanner API"))
+		return
+	}
+
+	if !exists {
+		sa.SendNotFoundError(errors.Errorf("project with id %d", sa.pid))
+		return
+	}
+
 	sa.pid = pid

 	sa.c = scanner.DefaultController
@ -55,11 +67,10 @@ func (sa *ProjectScannerAPI) Prepare() {
 // GetProjectScanner gets the project level scanner
 func (sa *ProjectScannerAPI) GetProjectScanner() {
 	// Check access permissions
-	resource := rbac.NewProjectNamespace(sa.pid).Resource(rbac.ResourceConfiguration)
-	if !sa.SecurityCtx.Can(rbac.ActionRead, resource) {
-		sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
+	if !sa.RequireProjectAccess(sa.pid, rbac.ActionRead, rbac.ResourceConfiguration) {
 		return
 	}
+
 	r, err := sa.c.GetRegistrationByProject(sa.pid)
 	if err != nil {
 		sa.SendInternalServerError(errors.Wrap(err, "scanner API: get project scanners"))
@ -78,9 +89,7 @@ func (sa *ProjectScannerAPI) GetProjectScanner() {
 // SetProjectScanner sets the project level scanner
 func (sa *ProjectScannerAPI) SetProjectScanner() {
 	// Check access permissions
-	resource := rbac.NewProjectNamespace(sa.pid).Resource(rbac.ResourceConfiguration)
-	if !sa.SecurityCtx.Can(rbac.ActionUpdate, resource) {
-		sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
+	if !sa.RequireProjectAccess(sa.pid, rbac.ActionUpdate, rbac.ResourceConfiguration) {
 		return
 	}

--- a/src/core/api/scan.go
+++ b/src/core/api/scan.go
@ -64,8 +64,7 @@ func (sa *ScanAPI) Prepare() {
 	sa.pro = pro

 	// Check authentication
-	if !sa.SecurityCtx.IsAuthenticated() {
-		sa.SendUnAuthorizedError(errors.New("Unauthorized"))
+	if !sa.RequireAuthenticated() {
 		return
 	}

@ -90,9 +89,7 @@ func (sa *ScanAPI) Prepare() {
 // Scan artifact
 func (sa *ScanAPI) Scan() {
 	// Check access permissions
-	resource := rbac.NewProjectNamespace(sa.pro.ProjectID).Resource(rbac.ResourceScan)
-	if !sa.SecurityCtx.Can(rbac.ActionCreate, resource) {
-		sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
+	if !sa.RequireProjectAccess(sa.pro.ProjectID, rbac.ActionCreate, rbac.ResourceScan) {
 		return
 	}

@ -107,9 +104,7 @@ func (sa *ScanAPI) Scan() {
 // Report returns the required reports with the given mime types.
 func (sa *ScanAPI) Report() {
 	// Check access permissions
-	resource := rbac.NewProjectNamespace(sa.pro.ProjectID).Resource(rbac.ResourceScan)
-	if !sa.SecurityCtx.Can(rbac.ActionRead, resource) {
-		sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
+	if !sa.RequireProjectAccess(sa.pro.ProjectID, rbac.ActionRead, rbac.ResourceScan) {
 		return
 	}

@ -149,9 +144,7 @@ func (sa *ScanAPI) Report() {
 // Log returns the log stream
 func (sa *ScanAPI) Log() {
 	// Check access permissions
-	resource := rbac.NewProjectNamespace(sa.pro.ProjectID).Resource(rbac.ResourceScan)
-	if !sa.SecurityCtx.Can(rbac.ActionRead, resource) {
-		sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
+	if !sa.RequireProjectAccess(sa.pro.ProjectID, rbac.ActionRead, rbac.ResourceScan) {
 		return
 	}