Commit 9fd8b630 authored by Steven Zou's avatar Steven Zou
Browse files

refactor code to reflect code review comments



- refactor the db schema \
- refactor  permission checking in API handlers \

to follow the latest code/interface changes
Signed-off-by: default avatarSteven Zou <szou@vmware.com>
parent 58afd8e1
/*Table for keeping the plug scanner registration*/
CREATE TABLE scanner_registration
(
id SERIAL PRIMARY KEY NOT NULL,
uuid VARCHAR(64) UNIQUE NOT NULL,
url VARCHAR(256) UNIQUE NOT NULL,
name VARCHAR(128) UNIQUE NOT NULL,
description VARCHAR(1024) NULL,
auth VARCHAR(16) NOT NULL,
access_cred VARCHAR(512) NULL,
disabled BOOLEAN NOT NULL DEFAULT FALSE,
is_default BOOLEAN NOT NULL DEFAULT FALSE,
skip_cert_verify BOOLEAN NOT NULL DEFAULT FALSE,
create_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
update_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
/*Table for keeping the scan report. The report details are stored as JSON*/
CREATE TABLE scan_report
(
id SERIAL PRIMARY KEY NOT NULL,
uuid VARCHAR(64) UNIQUE NOT NULL,
digest VARCHAR(256) NOT NULL,
registration_uuid VARCHAR(64) NOT NULL,
mime_type VARCHAR(256) NOT NULL,
job_id VARCHAR(64),
track_id VARCHAR(64),
status VARCHAR(1024) NOT NULL,
status_code INTEGER DEFAULT 0,
status_rev BIGINT DEFAULT 0,
report JSON,
start_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
end_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(digest, registration_uuid, mime_type)
)
/*Table for keeping the plug scanner registration*/
CREATE TABLE scanner_registration
(
id SERIAL PRIMARY KEY NOT NULL,
uuid VARCHAR(64) UNIQUE NOT NULL,
url VARCHAR(256) UNIQUE NOT NULL,
name VARCHAR(128) UNIQUE NOT NULL,
description VARCHAR(1024) NULL,
auth VARCHAR(16) NOT NULL,
access_cred VARCHAR(512) NULL,
disabled BOOLEAN NOT NULL DEFAULT FALSE,
is_default BOOLEAN NOT NULL DEFAULT FALSE,
skip_cert_verify BOOLEAN NOT NULL DEFAULT FALSE,
create_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
update_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
/*Table for keeping the scan report. The report details are stored as JSON*/
CREATE TABLE scan_report
(
id SERIAL PRIMARY KEY NOT NULL,
uuid VARCHAR(64) UNIQUE NOT NULL,
digest VARCHAR(256) NOT NULL,
registration_uuid VARCHAR(64) NOT NULL,
mime_type VARCHAR(256) NOT NULL,
job_id VARCHAR(64),
track_id VARCHAR(64),
status VARCHAR(1024) NOT NULL,
status_code INTEGER DEFAULT 0,
status_rev BIGINT DEFAULT 0,
report JSON,
start_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
end_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(digest, registration_uuid, mime_type)
);
/** Add table for immutable tag **/
CREATE TABLE immutable_tag_rule
(
......
......@@ -36,17 +36,29 @@ func (sa *ProjectScannerAPI) Prepare() {
sa.BaseController.Prepare()
// Check access permissions
if !sa.SecurityCtx.IsAuthenticated() {
sa.SendUnAuthorizedError(errors.New("UnAuthorized"))
if !sa.RequireAuthenticated() {
return
}
// Get ID of the project
pid, err := sa.GetInt64FromPath(":pid")
if err != nil {
sa.SendBadRequestError(errors.Wrap(err, "scanner API: get project scanners"))
sa.SendBadRequestError(errors.Wrap(err, "project scanner API"))
return
}
// Check if the project exists
exists, err := sa.ProjectMgr.Exists(pid)
if err != nil {
sa.SendInternalServerError(errors.Wrap(err, "project scanner API"))
return
}
if !exists {
sa.SendNotFoundError(errors.Errorf("project with id %d", sa.pid))
return
}
sa.pid = pid
sa.c = scanner.DefaultController
......@@ -55,11 +67,10 @@ func (sa *ProjectScannerAPI) Prepare() {
// GetProjectScanner gets the project level scanner
func (sa *ProjectScannerAPI) GetProjectScanner() {
// Check access permissions
resource := rbac.NewProjectNamespace(sa.pid).Resource(rbac.ResourceConfiguration)
if !sa.SecurityCtx.Can(rbac.ActionRead, resource) {
sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
if !sa.RequireProjectAccess(sa.pid, rbac.ActionRead, rbac.ResourceConfiguration) {
return
}
r, err := sa.c.GetRegistrationByProject(sa.pid)
if err != nil {
sa.SendInternalServerError(errors.Wrap(err, "scanner API: get project scanners"))
......@@ -78,9 +89,7 @@ func (sa *ProjectScannerAPI) GetProjectScanner() {
// SetProjectScanner sets the project level scanner
func (sa *ProjectScannerAPI) SetProjectScanner() {
// Check access permissions
resource := rbac.NewProjectNamespace(sa.pid).Resource(rbac.ResourceConfiguration)
if !sa.SecurityCtx.Can(rbac.ActionUpdate, resource) {
sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
if !sa.RequireProjectAccess(sa.pid, rbac.ActionUpdate, rbac.ResourceConfiguration) {
return
}
......
......@@ -64,8 +64,7 @@ func (sa *ScanAPI) Prepare() {
sa.pro = pro
// Check authentication
if !sa.SecurityCtx.IsAuthenticated() {
sa.SendUnAuthorizedError(errors.New("Unauthorized"))
if !sa.RequireAuthenticated() {
return
}
......@@ -90,9 +89,7 @@ func (sa *ScanAPI) Prepare() {
// Scan artifact
func (sa *ScanAPI) Scan() {
// Check access permissions
resource := rbac.NewProjectNamespace(sa.pro.ProjectID).Resource(rbac.ResourceScan)
if !sa.SecurityCtx.Can(rbac.ActionCreate, resource) {
sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
if !sa.RequireProjectAccess(sa.pro.ProjectID, rbac.ActionCreate, rbac.ResourceScan) {
return
}
......@@ -107,9 +104,7 @@ func (sa *ScanAPI) Scan() {
// Report returns the required reports with the given mime types.
func (sa *ScanAPI) Report() {
// Check access permissions
resource := rbac.NewProjectNamespace(sa.pro.ProjectID).Resource(rbac.ResourceScan)
if !sa.SecurityCtx.Can(rbac.ActionRead, resource) {
sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
if !sa.RequireProjectAccess(sa.pro.ProjectID, rbac.ActionRead, rbac.ResourceScan) {
return
}
......@@ -149,9 +144,7 @@ func (sa *ScanAPI) Report() {
// Log returns the log stream
func (sa *ScanAPI) Log() {
// Check access permissions
resource := rbac.NewProjectNamespace(sa.pro.ProjectID).Resource(rbac.ResourceScan)
if !sa.SecurityCtx.Can(rbac.ActionRead, resource) {
sa.SendForbiddenError(errors.New(sa.SecurityCtx.GetUsername()))
if !sa.RequireProjectAccess(sa.pro.ProjectID, rbac.ActionRead, rbac.ResourceScan) {
return
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment