feat: 优化open api认证方式, 优化白名单和租户管理功能 (#71)

1. 白名单支持租户隔离
2. 优化open api认证方式
3. 增加资产聚合视角
4. 优化租户管理打开位置和UI
5. 白名单相关代码重构

Author: jietian-sts

app/api/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>cloudrec</artifactId>
         <groupId>com.alipay</groupId>
-        <version>0.2.0-SNAPSHOT</version>
+        <version>0.2.1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <artifactId>api</artifactId>
@@ -18,7 +18,7 @@
         <dependency>
             <groupId>com.alipay</groupId>
             <artifactId>application</artifactId>
-            <version>0.2.0-SNAPSHOT</version>
+            <version>0.2.1-SNAPSHOT</version>
         </dependency>
         <!-- Spring Boot Starter Test -->
         <dependency>
@@ -27,4 +27,24 @@
             <scope>test</scope>
         </dependency>
     </dependencies>
+    
+    <build>
+        <plugins>
+            <!-- Maven Surefire Plugin for unified JUnit 5 testing -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>3.0.0-M7</version>
+                <configuration>
+                    <!-- Enable JUnit Platform for JUnit 5 support -->
+                    <useJUnitPlatform>true</useJUnitPlatform>
+                    <includes>
+                        <include>**/*Test.java</include>
+                        <include>**/*Tests.java</include>
+                    </includes>
+                    <testFailureIgnore>false</testFailureIgnore>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 </project>

app/api/src/main/java/com/alipay/api/config/filter/CachedBodyFilter.java

@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alipay.api.config.filter;
+
+import com.alipay.application.service.system.utils.CachedBodyHttpServletRequest;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+/**
+ * Filter to cache request body for multiple reads
+ * This filter wraps POST requests with JSON content type to allow
+ * multiple components to read the request body without conflicts
+ */
+@Component
+@Order(1) // Execute early in the filter chain
+public class CachedBodyFilter implements Filter {
+    
+    private static final Logger logger = LoggerFactory.getLogger(CachedBodyFilter.class);
+    
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        
+        if (request instanceof HttpServletRequest httpRequest) {
+            // Only wrap POST requests with JSON content type
+            if ("POST".equalsIgnoreCase(httpRequest.getMethod())) {
+                String contentType = httpRequest.getContentType();
+                if (contentType != null && contentType.toLowerCase().contains("application/json")) {
+                    try {
+                        // Wrap the request to cache the body
+                        CachedBodyHttpServletRequest cachedRequest = new CachedBodyHttpServletRequest(httpRequest);
+                        logger.debug("Wrapped POST request with JSON content type for caching");
+                        chain.doFilter(cachedRequest, response);
+                        return;
+                    } catch (Exception e) {
+                        logger.warn("Failed to wrap request for body caching: {}", e.getMessage());
+                        // Fall through to process the original request
+                    }
+                }
+            }
+        }
+        
+        // For non-POST requests or requests without JSON content type, proceed normally
+        chain.doFilter(request, response);
+    }
+    
+    @Override
+    public void init(FilterConfig filterConfig) {
+        logger.info("CachedBodyFilter initialized");
+    }
+    
+    @Override
+    public void destroy() {
+        logger.info("CachedBodyFilter destroyed");
+    }
+}

app/api/src/main/java/com/alipay/api/config/filter/annotation/aop/OpenApiAspect.java

@@ -62,7 +62,7 @@ public void processRequest(JoinPoint joinPoint) {
             throw new OpenAipNoAuthException(response.getMsg());
         }
 
-        String accessKey = request.getHeader(DigestSignUtils.accessKeyName);
+        String accessKey = request.getHeader(DigestSignUtils.ACCESS_KEY_NAME);
         OpenApiAuthPO openApiAuthPO = openApiAuthMapper.findByAccessKey(accessKey);
         if (openApiAuthPO != null) {
             String userId = openApiAuthPO.getUserId();

app/api/src/main/java/com/alipay/api/config/filter/annotation/aop/RateLimit.java

@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alipay.api.config.filter.annotation.aop;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Rate limiting annotation for API endpoints
+ * Uses sliding window algorithm to control request frequency
+ * 
+ * @author jietian
+ * @version 1.0
+ * @since 2024
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface RateLimit {
+    
+    /**
+     * Maximum number of requests allowed per time window
+     * Default: 10 requests
+     */
+    int maxRequests() default 10;
+    
+    /**
+     * Time window in seconds
+     * Default: 60 seconds (1 minute)
+     */
+    int timeWindowSeconds() default 60;
+    
+    /**
+     * Rate limiting key strategy
+     * IP: limit by client IP address
+     * USER: limit by authenticated user ID
+     * GLOBAL: global rate limiting for all requests
+     * Default: IP
+     */
+    KeyStrategy keyStrategy() default KeyStrategy.IP;
+    
+    /**
+     * Custom error message when rate limit is exceeded
+     * Default: "Too many requests, please try again later"
+     */
+    String message() default "Too many requests, please try again later";
+    
+    /**
+     * Key strategy enumeration
+     */
+    enum KeyStrategy {
+        IP,     // Rate limit by IP address
+        USER,   // Rate limit by user ID
+        GLOBAL  // Global rate limit
+    }
+}

app/api/src/main/java/com/alipay/api/config/filter/annotation/aop/RateLimitAspect.java

@@ -0,0 +1,184 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alipay.api.config.filter.annotation.aop;
+
+import com.alipay.api.config.filter.service.RateLimitService;
+import com.alipay.application.share.vo.ApiResponse;
+import com.alipay.dao.context.UserInfoContext;
+import com.alipay.dao.context.UserInfoDTO;
+import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+/**
+ * Rate limiting aspect for intercepting methods annotated with @RateLimit
+ * Implements rate limiting logic using sliding window algorithm
+ * 
+ * @author jietian
+ * @version 1.0
+ * @since 2024
+ */
+@Aspect
+@Component
+@Slf4j
+public class RateLimitAspect {
+    
+    @Resource
+    private RateLimitService rateLimitService;
+    
+    /**
+     * Around advice for rate limiting
+     * Intercepts method calls annotated with @RateLimit and applies rate limiting logic
+     * 
+     * @param joinPoint the join point representing the intercepted method
+     * @param rateLimit the rate limit annotation
+     * @return the result of the method execution or rate limit error response
+     * @throws Throwable if method execution fails
+     */
+    @Around("@annotation(rateLimit)")
+    public Object rateLimit(ProceedingJoinPoint joinPoint, RateLimit rateLimit) throws Throwable {
+        try {
+            // Generate rate limiting key based on strategy
+            String rateLimitKey = generateRateLimitKey(rateLimit.keyStrategy(), joinPoint);
+            
+            // Check if request is allowed
+            boolean allowed = rateLimitService.isAllowed(
+                    rateLimitKey, 
+                    rateLimit.maxRequests(), 
+                    rateLimit.timeWindowSeconds()
+            );
+            
+            if (!allowed) {
+                log.warn("Rate limit exceeded for key: {}, method: {}.{}", 
+                        rateLimitKey, 
+                        joinPoint.getTarget().getClass().getSimpleName(),
+                        joinPoint.getSignature().getName());
+                
+                // Return rate limit exceeded response
+                return createRateLimitResponse(rateLimit.message());
+            }
+            
+            // Proceed with method execution
+            return joinPoint.proceed();
+            
+        } catch (Exception e) {
+            log.error("Error in rate limiting aspect for method: {}.{}", 
+                    joinPoint.getTarget().getClass().getSimpleName(),
+                    joinPoint.getSignature().getName(), e);
+            
+            // In case of error, allow the request to proceed
+            return joinPoint.proceed();
+        }
+    }
+    
+    /**
+     * Generate rate limiting key based on the specified strategy
+     * 
+     * @param strategy the key generation strategy
+     * @param joinPoint the join point for method context
+     * @return the generated rate limiting key
+     */
+    private String generateRateLimitKey(RateLimit.KeyStrategy strategy, ProceedingJoinPoint joinPoint) {
+        String methodName = joinPoint.getTarget().getClass().getSimpleName() + "." + joinPoint.getSignature().getName();
+        
+        switch (strategy) {
+            case IP:
+                return "rate_limit:ip:" + getClientIpAddress() + ":" + methodName;
+            case USER:
+                return "rate_limit:user:" + getCurrentUserId() + ":" + methodName;
+            case GLOBAL:
+                return "rate_limit:global:" + methodName;
+            default:
+                return "rate_limit:ip:" + getClientIpAddress() + ":" + methodName;
+        }
+    }
+    
+    /**
+     * Get client IP address from HTTP request
+     * 
+     * @return client IP address
+     */
+    private String getClientIpAddress() {
+        try {
+            ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+            HttpServletRequest request = attributes.getRequest();
+            
+            // Check for IP address in various headers (for proxy scenarios)
+            String ipAddress = request.getHeader("X-Forwarded-For");
+            if (StringUtils.isBlank(ipAddress) || "unknown".equalsIgnoreCase(ipAddress)) {
+                ipAddress = request.getHeader("Proxy-Client-IP");
+            }
+            if (StringUtils.isBlank(ipAddress) || "unknown".equalsIgnoreCase(ipAddress)) {
+                ipAddress = request.getHeader("WL-Proxy-Client-IP");
+            }
+            if (StringUtils.isBlank(ipAddress) || "unknown".equalsIgnoreCase(ipAddress)) {
+                ipAddress = request.getHeader("HTTP_CLIENT_IP");
+            }
+            if (StringUtils.isBlank(ipAddress) || "unknown".equalsIgnoreCase(ipAddress)) {
+                ipAddress = request.getHeader("HTTP_X_FORWARDED_FOR");
+            }
+            if (StringUtils.isBlank(ipAddress) || "unknown".equalsIgnoreCase(ipAddress)) {
+                ipAddress = request.getRemoteAddr();
+            }
+            
+            // Handle multiple IPs in X-Forwarded-For header
+            if (StringUtils.isNotBlank(ipAddress) && ipAddress.contains(",")) {
+                ipAddress = ipAddress.split(",")[0].trim();
+            }
+            
+            return StringUtils.isNotBlank(ipAddress) ? ipAddress : "unknown";
+        } catch (Exception e) {
+            log.warn("Failed to get client IP address", e);
+            return "unknown";
+        }
+    }
+    
+    /**
+     * Get current authenticated user ID
+     * 
+     * @return user ID or "anonymous" if not authenticated
+     */
+    private String getCurrentUserId() {
+        try {
+            UserInfoDTO userInfo = UserInfoContext.getCurrentUser();
+            if (userInfo != null && StringUtils.isNotBlank(userInfo.getUserId())) {
+                return userInfo.getUserId();
+            }
+        } catch (Exception e) {
+            log.debug("Failed to get current user ID", e);
+        }
+        return "anonymous";
+    }
+    
+    /**
+     * Create rate limit exceeded response
+     * 
+     * @param message custom error message
+     * @return API response indicating rate limit exceeded
+     */
+    private ApiResponse<Object> createRateLimitResponse(String message) {
+        return new ApiResponse<>(HttpStatus.TOO_MANY_REQUESTS.value(), message);
+    }
+}