feat(server): change time fomat to yyyy-MM-dd HH:mm:ss.SSS

Author: Tsukilc

hugegraph-commons/hugegraph-common/src/main/java/org/apache/hugegraph/rest/RestResult.java

@@ -18,13 +18,15 @@
 package org.apache.hugegraph.rest;
 
 import java.io.IOException;
+import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.List;
 
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.Module;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
 
 import lombok.SneakyThrows;
 import okhttp3.Response;
@@ -33,6 +35,11 @@ public class RestResult {
 
     private static final ObjectMapper MAPPER = new ObjectMapper();
 
+    static {
+        MAPPER.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
+        MAPPER.setDateFormat(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS"));
+    }
+
     private final int status;
     private final RestHeaders headers;
     private final String content;

hugegraph-commons/hugegraph-common/src/main/java/org/apache/hugegraph/util/DateUtil.java

@@ -22,6 +22,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.hugegraph.date.SafeDateFormat;
+
 import com.google.common.collect.ImmutableMap;
 
 public final class DateUtil {
@@ -46,7 +47,7 @@ public static Date parse(String value) {
             }
         }
         throw new IllegalArgumentException(String.format(
-                  "Expected date format is: %s, but got '%s'", VALID_DFS.values(), value));
+                "Expected date format is: %s, but got '%s'", VALID_DFS.values(), value));
     }
 
     public static Date parse(String value, String df) {

hugegraph-commons/hugegraph-common/src/main/java/org/apache/hugegraph/util/JsonUtilCommon.java

@@ -18,13 +18,15 @@
 package org.apache.hugegraph.util;
 
 import java.io.IOException;
+import java.text.SimpleDateFormat;
 
 import org.apache.hugegraph.rest.SerializeException;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.Module;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
 
 /**
  * Utility class for JSON operations.
@@ -36,6 +38,11 @@ public final class JsonUtilCommon {
      */
     private static final ObjectMapper MAPPER = new ObjectMapper();
 
+    static {
+        MAPPER.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
+        MAPPER.setDateFormat(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS"));
+    }
+
     /**
      * Registers a module with the ObjectMapper.
      *

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/API.java

@@ -241,33 +241,29 @@ public static boolean checkAndParseAction(String action) {
         }
     }
 
-    //todo: auth
-    //public static boolean hasAdminPerm(GraphManager manager, String user) {
-    //    return manager.authManager().isAdminManager(user);
-    //}
-    //
-    //public static boolean hasSpaceManagerPerm(GraphManager manager,
-    //                                          String graphSpace,
-    //                                          String user) {
-    //    return manager.authManager().isSpaceManager(graphSpace, user);
-    //}
-
-    //public static boolean hasAnySpaceManagerPerm(GraphManager manager,
-    //                                             String user) {
-    //    return manager.authManager().isSpaceManager(user);
-    //}
-    //
-    //public static boolean hasAdminOrSpaceManagerPerm(GraphManager manager,
-    //                                                 String graphSpace,
-    //                                                 String user) {
-    //    return hasAdminPerm(manager, user) ||
-    //           hasSpaceManagerPerm(manager, graphSpace, user);
-    //}
+    public static boolean hasAdminPerm(GraphManager manager, String user) {
+        return manager.authManager().isAdminManager(user);
+    }
+
+    public static boolean hasSpaceManagerPerm(GraphManager manager,
+                                              String graphSpace,
+                                              String user) {
+        return manager.authManager().isSpaceManager(graphSpace, user);
+    }
+
+    public static boolean hasAdminOrSpaceManagerPerm(GraphManager manager,
+                                                     String graphSpace,
+                                                     String user) {
+        return hasAdminPerm(manager, user) ||
+               hasSpaceManagerPerm(manager, graphSpace, user);
+    }
 
     public static void validPermission(boolean hasPermission, String user,
                                        String action) {
-        E.checkArgument(hasPermission, "The user [%s] has no permission to [%s].",
-                        user, action);
+        if (!hasPermission) {
+            throw new jakarta.ws.rs.ForbiddenException(
+                    String.format("The user [%s] has no permission to [%s].", user, action));
+        }
     }
 
     public static class ApiMeasurer {

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java

@@ -30,9 +30,8 @@
 import javax.xml.bind.DatatypeConverter;
 
 import org.apache.hugegraph.auth.HugeAuthenticator;
-import org.apache.hugegraph.auth.HugeAuthenticator.RequiredPerm;
-import org.apache.hugegraph.auth.HugeAuthenticator.RolePerm;
 import org.apache.hugegraph.auth.HugeAuthenticator.User;
+import org.apache.hugegraph.auth.HugeGraphAuthProxy;
 import org.apache.hugegraph.auth.RolePermission;
 import org.apache.hugegraph.config.HugeConfig;
 import org.apache.hugegraph.core.GraphManager;
@@ -54,6 +53,8 @@
 import jakarta.ws.rs.Priorities;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
+import jakarta.ws.rs.container.ContainerResponseContext;
+import jakarta.ws.rs.container.ContainerResponseFilter;
 import jakarta.ws.rs.container.PreMatching;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.HttpHeaders;
@@ -64,11 +65,13 @@
 @Provider
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
-public class AuthenticationFilter implements ContainerRequestFilter {
+public class AuthenticationFilter implements ContainerRequestFilter, ContainerResponseFilter {
 
     public static final String BASIC_AUTH_PREFIX = "Basic ";
     public static final String BEARER_TOKEN_PREFIX = "Bearer ";
 
+    public static final String ALL_GRAPH_SPACES = "*";
+
     private static final Logger LOG = Log.logger(AuthenticationFilter.class);
 
     private static final AntPathMatcher MATCHER = new AntPathMatcher();
@@ -97,11 +100,38 @@ public void filter(ContainerRequestContext context) throws IOException {
         if (isWhiteAPI(context)) {
             return;
         }
+        GraphManager manager = this.managerProvider.get();
         User user = this.authenticate(context);
-        Authorizer authorizer = new Authorizer(user, context.getUriInfo());
+
+        // Inject request graph space into AuthContext for permission check
+        // Extract graphspace from path like: /graphspaces/{graphspace}/...
+        String path = context.getUriInfo().getPath();
+        LOG.debug("AuthenticationFilter: path={}", path);
+        if (path != null && path.contains("graphspaces/")) {
+            String[] parts = path.split("/");
+            for (int i = 0; i < parts.length - 1; i++) {
+                if ("graphspaces".equals(parts[i]) && i + 1 < parts.length) {
+                    String requestGraphSpace = parts[i + 1];
+                    HugeGraphAuthProxy.setRequestGraphSpace(requestGraphSpace);
+                    LOG.debug("AuthenticationFilter: set RequestGraphSpace={}", requestGraphSpace);
+                    break;
+                }
+            }
+        }
+
+        Authorizer authorizer = new Authorizer(manager, user, context.getUriInfo());
         context.setSecurityContext(authorizer);
     }
 
+    @Override
+    public void filter(ContainerRequestContext requestContext,
+                       ContainerResponseContext responseContext) throws IOException {
+        // Clean up ThreadLocal variables after request is processed
+        // This prevents memory leaks in thread pool
+        HugeGraphAuthProxy.resetSpaceContext();
+        LOG.debug("HugeGraphAuthProxy ThreadLocal cleaned up after request");
+    }
+
     protected User authenticate(ContainerRequestContext context) {
         GraphManager manager = this.managerProvider.get();
         E.checkState(manager != null, "Context GraphManager is absent");
@@ -188,10 +218,12 @@ public static class Authorizer implements SecurityContext {
         private final UriInfo uri;
         private final User user;
         private final Principal principal;
+        private final GraphManager manager;
 
-        public Authorizer(final User user, final UriInfo uri) {
+        public Authorizer(GraphManager manager, final User user, final UriInfo uri) {
             E.checkNotNull(user, "user");
             E.checkNotNull(uri, "uri");
+            this.manager = manager;
             this.uri = uri;
             this.user = user;
             this.principal = new UserPrincipal();
@@ -232,19 +264,56 @@ public String getAuthenticationScheme() {
 
         private boolean matchPermission(String required) {
             boolean valid;
-            RequiredPerm requiredPerm;
+            HugeAuthenticator.RequiredPerm requiredPerm;
+
+            /*
+             * if request url contains graph space and the corresponding space
+             * does not enable permission check, return true
+             * */
+            if (!isAuth()) {
+                return true;
+            }
 
-            if (!required.startsWith(HugeAuthenticator.KEY_OWNER)) {
-                // Permission format like: "admin"
-                requiredPerm = new RequiredPerm();
+            if (!required.startsWith(HugeAuthenticator.KEY_GRAPHSPACE)) {
+                // Permission format like: "admin", "space", "analyst", "space_member"
+                requiredPerm = new HugeAuthenticator.RequiredPerm();
                 requiredPerm.owner(required);
+
+                // For space-level roles, set graphSpace from path parameter
+                if ("space".equals(required) || "space_member".equals(required)) {
+                    // If graphspace parameter is not in path, use DEFAULT
+                    List<String> graphSpaceParams = this.uri.getPathParameters().get("graphspace");
+                    String graphSpace = "DEFAULT";
+                    if (graphSpaceParams != null && !graphSpaceParams.isEmpty()) {
+                        graphSpace = graphSpaceParams.get(0);
+                    }
+                    requiredPerm.graphSpace(graphSpace);
+                }
+
+                // Role inheritance is handled in HugeAuthenticator.matchSpace()
+                valid = HugeAuthenticator.RolePerm.matchApiRequiredPerm(this.role(), requiredPerm);
             } else {
-                // The required like: $owner=graph1 $action=vertex_write
-                requiredPerm = RequiredPerm.fromPermission(required);
+                // The required like:
+                // $graphspace=graphspace $owner=graph1 $action=vertex_write
+                requiredPerm = HugeAuthenticator.RequiredPerm.fromPermission(required);
+
+                /*
+                 * Replace graphspace value (it may be a variable) if the
+                 * permission format like:
+                 * "$graphspace=$graphspace $owner=$graph $action=vertex_write"
+                 */
+                String graphSpace = requiredPerm.graphSpace();
+                if (graphSpace.startsWith(HugeAuthenticator.VAR_PREFIX)) {
+                    int prefixLen = HugeAuthenticator.VAR_PREFIX.length();
+                    assert graphSpace.length() > prefixLen;
+                    graphSpace = graphSpace.substring(prefixLen);
+                    graphSpace = this.getPathParameter(graphSpace);
+                    requiredPerm.graphSpace(graphSpace);
+                }
 
                 /*
-                 * Replace owner value (it may be a variable) if the permission
-                 * format like: "$owner=$graph $action=vertex_write"
+                 * Replace owner value(it may be a variable) if the permission
+                 * format like: "$graphspace=$graphspace $owner=$graph $action=vertex_write"
                  */
                 String owner = requiredPerm.owner();
                 if (owner.startsWith(HugeAuthenticator.VAR_PREFIX)) {
@@ -255,32 +324,47 @@ private boolean matchPermission(String required) {
                     owner = this.getPathParameter(owner);
                     requiredPerm.owner(owner);
                 }
+                valid = HugeAuthenticator.RolePerm.matchApiRequiredPerm(this.role(), requiredPerm);
             }
 
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Verify permission {} {} for user '{}' with role {}",
-                          requiredPerm.action().string(), requiredPerm.resourceObject(),
-                          this.user.username(), this.user.role());
-            }
-
-            // verify role permission
-            valid = RolePerm.match(this.role(), requiredPerm);
-
-            if (!valid && LOG.isInfoEnabled() &&
+            if (!valid &&
                 !required.equals(HugeAuthenticator.USER_ADMIN)) {
-                LOG.info("User '{}' is denied to {} {}", this.user.username(),
-                         requiredPerm.action().string(), requiredPerm.resourceObject());
+                LOG.info(
+                        user.userId().asString(),
+                        requiredPerm.action().string(),
+                        requiredPerm.resourceObject());
             }
             return valid;
         }
 
         private String getPathParameter(String key) {
             List<String> params = this.uri.getPathParameters().get(key);
+            // For graphspace parameter, use "DEFAULT" if not present in path
+            if ("graphspace".equals(key) && (params == null || params.isEmpty())) {
+                return "DEFAULT";
+            }
             E.checkState(params != null && params.size() == 1,
                          "There is no matched path parameter: '%s'", key);
             return params.get(0);
         }
 
+        private boolean isAuth() {
+            List<String> params = this.uri.getPathParameters().get(
+                    "graphspace");
+            if (params != null && params.size() == 1) {
+                String graphSpace = params.get(0);
+                if (ALL_GRAPH_SPACES.equals(graphSpace)) {
+                    return true;
+                }
+                E.checkArgumentNotNull(this.manager.graphSpace(graphSpace),
+                                       "The graph space '%s' does not exist",
+                                       graphSpace);
+                return this.manager.graphSpace(graphSpace).auth();
+            } else {
+                return true;
+            }
+        }
+
         private final class UserPrincipal implements Principal {
 
             @Override

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/ExceptionFilter.java

@@ -89,7 +89,7 @@ public static class TracedExceptionAPI extends API {
         @GET
         @Timed
         @Produces(APPLICATION_JSON_WITH_CHARSET)
-        @RolesAllowed({"admin"})
+        @RolesAllowed({"space_member"})
         public Object get() {
             return ImmutableMap.of("trace", TracedExceptionMapper.forcedTrace);
         }
@@ -98,7 +98,7 @@ public Object get() {
         @Timed
         @Consumes(APPLICATION_JSON)
         @Produces(APPLICATION_JSON_WITH_CHARSET)
-        @RolesAllowed({"admin"})
+        @RolesAllowed({"space_member"})
         public Object trace(boolean trace) {
             TracedExceptionMapper.forcedTrace = trace;
             return ImmutableMap.of("trace", TracedExceptionMapper.forcedTrace);