github-advanced-security[bot] commented on code in PR #15554:
URL: 
https://github.com/apache/dolphinscheduler/pull/15554#discussion_r1479255284


##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/AuditServiceImpl.java:
##########
@@ -17,96 +17,190 @@
 
 package org.apache.dolphinscheduler.api.service.impl;
 
-import org.apache.dolphinscheduler.api.audit.AuditMessage;
-import org.apache.dolphinscheduler.api.audit.AuditPublishService;
 import org.apache.dolphinscheduler.api.dto.AuditDto;
 import org.apache.dolphinscheduler.api.service.AuditService;
 import org.apache.dolphinscheduler.api.utils.PageInfo;
+import org.apache.dolphinscheduler.common.enums.AuditObjectType;
 import org.apache.dolphinscheduler.common.enums.AuditOperationType;
-import org.apache.dolphinscheduler.common.enums.AuditResourceType;
+import org.apache.dolphinscheduler.dao.entity.AccessToken;
+import org.apache.dolphinscheduler.dao.entity.AlertGroup;
+import org.apache.dolphinscheduler.dao.entity.AlertPluginInstance;
 import org.apache.dolphinscheduler.dao.entity.AuditLog;
+import org.apache.dolphinscheduler.dao.entity.Cluster;
+import org.apache.dolphinscheduler.dao.entity.DataSource;
+import org.apache.dolphinscheduler.dao.entity.Environment;
+import org.apache.dolphinscheduler.dao.entity.K8sNamespace;
+import org.apache.dolphinscheduler.dao.entity.ProcessDefinition;
+import org.apache.dolphinscheduler.dao.entity.ProcessInstance;
+import org.apache.dolphinscheduler.dao.entity.Project;
+import org.apache.dolphinscheduler.dao.entity.Queue;
+import org.apache.dolphinscheduler.dao.entity.TaskDefinition;
+import org.apache.dolphinscheduler.dao.entity.Tenant;
+import org.apache.dolphinscheduler.dao.entity.UdfFunc;
 import org.apache.dolphinscheduler.dao.entity.User;
+import org.apache.dolphinscheduler.dao.entity.WorkerGroup;
+import org.apache.dolphinscheduler.dao.mapper.AccessTokenMapper;
+import org.apache.dolphinscheduler.dao.mapper.AlertGroupMapper;
+import org.apache.dolphinscheduler.dao.mapper.AlertPluginInstanceMapper;
 import org.apache.dolphinscheduler.dao.mapper.AuditLogMapper;
+import org.apache.dolphinscheduler.dao.mapper.ClusterMapper;
+import org.apache.dolphinscheduler.dao.mapper.DataSourceMapper;
+import org.apache.dolphinscheduler.dao.mapper.EnvironmentMapper;
+import org.apache.dolphinscheduler.dao.mapper.K8sNamespaceMapper;
+import org.apache.dolphinscheduler.dao.mapper.ProcessDefinitionMapper;
+import org.apache.dolphinscheduler.dao.mapper.ProcessInstanceMapper;
+import org.apache.dolphinscheduler.dao.mapper.ProjectMapper;
+import org.apache.dolphinscheduler.dao.mapper.QueueMapper;
+import org.apache.dolphinscheduler.dao.mapper.ScheduleMapper;
+import org.apache.dolphinscheduler.dao.mapper.TaskDefinitionMapper;
+import org.apache.dolphinscheduler.dao.mapper.TenantMapper;
+import org.apache.dolphinscheduler.dao.mapper.UdfFuncMapper;
+import org.apache.dolphinscheduler.dao.mapper.UserMapper;
+import org.apache.dolphinscheduler.dao.mapper.WorkerGroupMapper;
 
+import org.apache.parquet.Strings;
+
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.stream.Collectors;
 
+import lombok.extern.slf4j.Slf4j;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 
 @Service
+@Slf4j
 public class AuditServiceImpl extends BaseServiceImpl implements AuditService {
 
     @Autowired
     private AuditLogMapper auditLogMapper;
 
     @Autowired
-    private AuditPublishService publishService;
+    private ProjectMapper projectMapper;
+
+    @Autowired
+    private ProcessDefinitionMapper processDefinitionMapper;
+
+    @Autowired
+    private ProcessInstanceMapper processInstanceMapper;
+
+    @Autowired
+    private TaskDefinitionMapper taskDefinitionMapper;
+
+    @Autowired
+    private ScheduleMapper scheduleMapper;
+
+    @Autowired
+    private UdfFuncMapper udfFuncMapper;
+
+    @Autowired
+    private UserMapper userMapper;
+
+    @Autowired
+    private DataSourceMapper dataSourceMapper;
+
+    @Autowired
+    private TenantMapper tenantMapper;
+
+    @Autowired
+    private AlertGroupMapper alertGroupMapper;
+
+    @Autowired
+    private AlertPluginInstanceMapper alertPluginInstanceMapper;
+
+    @Autowired
+    private WorkerGroupMapper workerGroupMapper;
+
+    @Autowired
+    private QueueMapper queueMapper;
+
+    @Autowired
+    private EnvironmentMapper environmentMapper;
+
+    @Autowired
+    private ClusterMapper clusterMapper;
+
+    @Autowired
+    private K8sNamespaceMapper k8sNamespaceMapper;
+
+    @Autowired
+    private AccessTokenMapper accessTokenMapper;
+
+    @Override
+    public void addAudit(AuditLog auditLog) {
+        auditLogMapper.insert(auditLog);
+    }
 
-    /**
-     * add new audit log
-     *
-     * @param user                  login user
-     * @param resourceType          resource type
-     * @param resourceId            resource id
-     * @param operation             operation type
-     */
     @Override
-    public void addAudit(User user, AuditResourceType resourceType, Integer 
resourceId, AuditOperationType operation) {
-        publishService.publish(new AuditMessage(user, new Date(), 
resourceType, operation, resourceId));
+    public void addAudit(List<AuditLog> auditLogList, long latency) {
+        auditLogList.forEach(auditLog -> {
+            auditLog.setLatency(latency);
+            addAudit(auditLog);
+        });
     }
 
     /**
      * query audit log paging
      *
-     * @param loginUser         login user
-     * @param resourceType      resource type
-     * @param operationType     operation type
-     * @param startDate         start time
-     * @param endDate           end time
-     * @param userName          query user name
-     * @param pageNo            page number
-     * @param pageSize          page size
+     * @param objectTypeCodes     object type codes
+     * @param operationTypeCodes  operation type codes
+     * @param startDate           start time
+     * @param endDate             end time
+     * @param userName            query user name
+     * @param objectName          query object name
+     * @param pageNo              page number
+     * @param pageSize            page size
      * @return audit log string data
      */
     @Override
-    public PageInfo<AuditDto> queryLogListPaging(User loginUser,
-                                                 AuditResourceType 
resourceType,
-                                                 AuditOperationType 
operationType,
+    public PageInfo<AuditDto> queryLogListPaging(String objectTypeCodes,
+                                                 String operationTypeCodes,
                                                  String startDate,
                                                  String endDate,
                                                  String userName,
+                                                 String objectName,
                                                  Integer pageNo,
                                                  Integer pageSize) {
 
-        int[] resourceArray = null;
-        if (resourceType != null) {
-            resourceArray = new int[]{resourceType.getCode()};
-        }
-
-        int[] opsArray = null;
-        if (operationType != null) {
-            opsArray = new int[]{operationType.getCode()};
-        }
+        List<Integer> objectTypeCodeList = 
convertStringToIntList(objectTypeCodes);
+        List<Integer> operationTypeCodeList = 
convertStringToIntList(operationTypeCodes);
 
         Date start = checkAndParseDateParameters(startDate);
         Date end = checkAndParseDateParameters(endDate);
 
-        IPage<AuditLog> logIPage = auditLogMapper.queryAuditLog(new 
Page<>(pageNo, pageSize), resourceArray, opsArray,
-                userName, start, end);
+        IPage<AuditLog> logIPage =
+                auditLogMapper.queryAuditLog(new Page<>(pageNo, pageSize), 
objectTypeCodeList, operationTypeCodeList,
+                        userName, objectName, start, end);
         List<AuditDto> auditDtos =
                 
logIPage.getRecords().stream().map(this::transformAuditLog).collect(Collectors.toList());
 
         PageInfo<AuditDto> pageInfo = new PageInfo<>(pageNo, pageSize);
-        pageInfo.setTotal((int) auditDtos.size());
+        pageInfo.setTotal((int) logIPage.getTotal());
         pageInfo.setTotalList(auditDtos);
         return pageInfo;
     }
 
+    private List<Integer> convertStringToIntList(String codes) {
+        if (Strings.isNullOrEmpty(codes)) {
+            return new ArrayList<>();
+        }
+
+        try {
+            return Arrays.stream(codes.split(","))
+                    .map(Integer::parseInt)

Review Comment:
   ## Missing catch of NumberFormatException
   
   Potential uncaught 'java.lang.NumberFormatException'.
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/3901)



##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/AuditServiceImpl.java:
##########
@@ -17,96 +17,190 @@
 
 package org.apache.dolphinscheduler.api.service.impl;
 
-import org.apache.dolphinscheduler.api.audit.AuditMessage;
-import org.apache.dolphinscheduler.api.audit.AuditPublishService;
 import org.apache.dolphinscheduler.api.dto.AuditDto;
 import org.apache.dolphinscheduler.api.service.AuditService;
 import org.apache.dolphinscheduler.api.utils.PageInfo;
+import org.apache.dolphinscheduler.common.enums.AuditObjectType;
 import org.apache.dolphinscheduler.common.enums.AuditOperationType;
-import org.apache.dolphinscheduler.common.enums.AuditResourceType;
+import org.apache.dolphinscheduler.dao.entity.AccessToken;
+import org.apache.dolphinscheduler.dao.entity.AlertGroup;
+import org.apache.dolphinscheduler.dao.entity.AlertPluginInstance;
 import org.apache.dolphinscheduler.dao.entity.AuditLog;
+import org.apache.dolphinscheduler.dao.entity.Cluster;
+import org.apache.dolphinscheduler.dao.entity.DataSource;
+import org.apache.dolphinscheduler.dao.entity.Environment;
+import org.apache.dolphinscheduler.dao.entity.K8sNamespace;
+import org.apache.dolphinscheduler.dao.entity.ProcessDefinition;
+import org.apache.dolphinscheduler.dao.entity.ProcessInstance;
+import org.apache.dolphinscheduler.dao.entity.Project;
+import org.apache.dolphinscheduler.dao.entity.Queue;
+import org.apache.dolphinscheduler.dao.entity.TaskDefinition;
+import org.apache.dolphinscheduler.dao.entity.Tenant;
+import org.apache.dolphinscheduler.dao.entity.UdfFunc;
 import org.apache.dolphinscheduler.dao.entity.User;
+import org.apache.dolphinscheduler.dao.entity.WorkerGroup;
+import org.apache.dolphinscheduler.dao.mapper.AccessTokenMapper;
+import org.apache.dolphinscheduler.dao.mapper.AlertGroupMapper;
+import org.apache.dolphinscheduler.dao.mapper.AlertPluginInstanceMapper;
 import org.apache.dolphinscheduler.dao.mapper.AuditLogMapper;
+import org.apache.dolphinscheduler.dao.mapper.ClusterMapper;
+import org.apache.dolphinscheduler.dao.mapper.DataSourceMapper;
+import org.apache.dolphinscheduler.dao.mapper.EnvironmentMapper;
+import org.apache.dolphinscheduler.dao.mapper.K8sNamespaceMapper;
+import org.apache.dolphinscheduler.dao.mapper.ProcessDefinitionMapper;
+import org.apache.dolphinscheduler.dao.mapper.ProcessInstanceMapper;
+import org.apache.dolphinscheduler.dao.mapper.ProjectMapper;
+import org.apache.dolphinscheduler.dao.mapper.QueueMapper;
+import org.apache.dolphinscheduler.dao.mapper.ScheduleMapper;
+import org.apache.dolphinscheduler.dao.mapper.TaskDefinitionMapper;
+import org.apache.dolphinscheduler.dao.mapper.TenantMapper;
+import org.apache.dolphinscheduler.dao.mapper.UdfFuncMapper;
+import org.apache.dolphinscheduler.dao.mapper.UserMapper;
+import org.apache.dolphinscheduler.dao.mapper.WorkerGroupMapper;
 
+import org.apache.parquet.Strings;
+
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.stream.Collectors;
 
+import lombok.extern.slf4j.Slf4j;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 
 @Service
+@Slf4j
 public class AuditServiceImpl extends BaseServiceImpl implements AuditService {
 
     @Autowired
     private AuditLogMapper auditLogMapper;
 
     @Autowired
-    private AuditPublishService publishService;
+    private ProjectMapper projectMapper;
+
+    @Autowired
+    private ProcessDefinitionMapper processDefinitionMapper;
+
+    @Autowired
+    private ProcessInstanceMapper processInstanceMapper;
+
+    @Autowired
+    private TaskDefinitionMapper taskDefinitionMapper;
+
+    @Autowired
+    private ScheduleMapper scheduleMapper;
+
+    @Autowired
+    private UdfFuncMapper udfFuncMapper;
+
+    @Autowired
+    private UserMapper userMapper;
+
+    @Autowired
+    private DataSourceMapper dataSourceMapper;
+
+    @Autowired
+    private TenantMapper tenantMapper;
+
+    @Autowired
+    private AlertGroupMapper alertGroupMapper;
+
+    @Autowired
+    private AlertPluginInstanceMapper alertPluginInstanceMapper;
+
+    @Autowired
+    private WorkerGroupMapper workerGroupMapper;
+
+    @Autowired
+    private QueueMapper queueMapper;
+
+    @Autowired
+    private EnvironmentMapper environmentMapper;
+
+    @Autowired
+    private ClusterMapper clusterMapper;
+
+    @Autowired
+    private K8sNamespaceMapper k8sNamespaceMapper;
+
+    @Autowired
+    private AccessTokenMapper accessTokenMapper;
+
+    @Override
+    public void addAudit(AuditLog auditLog) {
+        auditLogMapper.insert(auditLog);
+    }
 
-    /**
-     * add new audit log
-     *
-     * @param user                  login user
-     * @param resourceType          resource type
-     * @param resourceId            resource id
-     * @param operation             operation type
-     */
     @Override
-    public void addAudit(User user, AuditResourceType resourceType, Integer 
resourceId, AuditOperationType operation) {
-        publishService.publish(new AuditMessage(user, new Date(), 
resourceType, operation, resourceId));
+    public void addAudit(List<AuditLog> auditLogList, long latency) {
+        auditLogList.forEach(auditLog -> {
+            auditLog.setLatency(latency);
+            addAudit(auditLog);
+        });
     }
 
     /**
      * query audit log paging
      *
-     * @param loginUser         login user
-     * @param resourceType      resource type
-     * @param operationType     operation type
-     * @param startDate         start time
-     * @param endDate           end time
-     * @param userName          query user name
-     * @param pageNo            page number
-     * @param pageSize          page size
+     * @param objectTypeCodes     object type codes
+     * @param operationTypeCodes  operation type codes
+     * @param startDate           start time
+     * @param endDate             end time
+     * @param userName            query user name
+     * @param objectName          query object name
+     * @param pageNo              page number
+     * @param pageSize            page size
      * @return audit log string data
      */
     @Override
-    public PageInfo<AuditDto> queryLogListPaging(User loginUser,
-                                                 AuditResourceType 
resourceType,
-                                                 AuditOperationType 
operationType,
+    public PageInfo<AuditDto> queryLogListPaging(String objectTypeCodes,
+                                                 String operationTypeCodes,
                                                  String startDate,
                                                  String endDate,
                                                  String userName,
+                                                 String objectName,
                                                  Integer pageNo,
                                                  Integer pageSize) {
 
-        int[] resourceArray = null;
-        if (resourceType != null) {
-            resourceArray = new int[]{resourceType.getCode()};
-        }
-
-        int[] opsArray = null;
-        if (operationType != null) {
-            opsArray = new int[]{operationType.getCode()};
-        }
+        List<Integer> objectTypeCodeList = 
convertStringToIntList(objectTypeCodes);
+        List<Integer> operationTypeCodeList = 
convertStringToIntList(operationTypeCodes);
 
         Date start = checkAndParseDateParameters(startDate);
         Date end = checkAndParseDateParameters(endDate);
 
-        IPage<AuditLog> logIPage = auditLogMapper.queryAuditLog(new 
Page<>(pageNo, pageSize), resourceArray, opsArray,
-                userName, start, end);
+        IPage<AuditLog> logIPage =
+                auditLogMapper.queryAuditLog(new Page<>(pageNo, pageSize), 
objectTypeCodeList, operationTypeCodeList,
+                        userName, objectName, start, end);
         List<AuditDto> auditDtos =
                 
logIPage.getRecords().stream().map(this::transformAuditLog).collect(Collectors.toList());
 
         PageInfo<AuditDto> pageInfo = new PageInfo<>(pageNo, pageSize);
-        pageInfo.setTotal((int) auditDtos.size());
+        pageInfo.setTotal((int) logIPage.getTotal());
         pageInfo.setTotalList(auditDtos);
         return pageInfo;
     }
 
+    private List<Integer> convertStringToIntList(String codes) {
+        if (Strings.isNullOrEmpty(codes)) {
+            return new ArrayList<>();
+        }
+
+        try {
+            return Arrays.stream(codes.split(","))
+                    .map(Integer::parseInt)
+                    .collect(Collectors.toList());
+        } catch (NumberFormatException e) {
+            log.error("codes has illegal parameter : {}", codes);
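Review bot: The `catch (NumberFormatException e)` branch at the end of the hunk logs the bad input but discards `e`, and the value the method returns in this case lies outside the quoted lines; if it falls back to an empty list, `queryLogListPaging` will treat that exactly like the `Strings.isNullOrEmpty` case — "no filter" — and silently run an unfiltered audit-log query for a malformed request. An invalid filter value should be rejected as a client error instead, e.g. `throw new IllegalArgumentException("invalid type codes: " + codes, e);` (or the service layer's usual exception type), keeping the cause, so a typo in a filter cannot widen the result set. Unrelated to that, `org.apache.parquet.Strings` is a transitive utility class pulled into the API module only for `isNullOrEmpty`; `codes == null || codes.isEmpty()` does the same without the dependency. The enclosing `convertStringToIntList` continues past the end of the hunk.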

Review Comment:
   ## Log Injection
   
   This log entry depends on a [user-provided value](1).
   This log entry depends on a [user-provided value](2).
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/3902)


