<feature>[identity]: add generic external tenant resource isolation framework

Implement a generic framework for external services (ZCF, AIOS, etc.) to
isolate resources by tenant via HTTP headers (X-Tenant-Source/Id/User).

- ExternalTenantContext: ThreadLocal DTO bridging REST layer to AOP layer
- ExternalTenantProvider: SPI interface for tenant validation and tracking
- ExternalTenantResourceRefVO: JPA entity with CASCADE delete on ResourceVO
- ExternalTenantResourceTracker: AOP-driven resource binding on creation,
  cleanup on hard/soft delete via extension points
- ExternalTenantZQLExtension: two-phase ZQL AST injection for automatic
  tenant-scoped query filtering with SQL injection protection
- RestServer integration: header parsing, provider validation, ThreadLocal
  lifecycle management with try/finally cleanup
- SessionInventory: @APINoSee externalTenantContext field + hasExternalTenant()
- DB migration: V5.5.1__schema.sql for ExternalTenantResourceRefVO table

Resolves: ZCF-1147

Change-Id: I7778676171646874706164777869707288976172

Author: liang-hanyu

conf/db/upgrade/V5.5.1__schema.sql

@@ -0,0 +1,19 @@
+CREATE TABLE IF NOT EXISTS `zstack`.`ExternalTenantResourceRefVO` (
+    `id`            BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
+    `source`        VARCHAR(64)  NOT NULL COMMENT 'source service identifier (zcf, svcX, ...)',
+    `tenantId`      VARCHAR(128) NOT NULL COMMENT 'external tenant identifier',
+    `userId`        VARCHAR(128) DEFAULT NULL COMMENT 'external user identifier (optional)',
+    `resourceUuid`  VARCHAR(32)  NOT NULL COMMENT 'resource UUID',
+    `resourceType`  VARCHAR(256) NOT NULL COMMENT 'resource type (VO SimpleName)',
+    `accountUuid`   VARCHAR(32)  NOT NULL COMMENT 'associated ZStack Account',
+    `createDate`    TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    `lastOpDate`    TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+    INDEX idx_source_tenant (`source`, `tenantId`),
+    INDEX idx_source_tenant_user (`source`, `tenantId`, `userId`),
+    INDEX idx_resource (`resourceUuid`),
+    UNIQUE KEY uk_resource_source_tenant (`resourceUuid`, `source`, `tenantId`),
+    CONSTRAINT fk_ext_tenant_resource FOREIGN KEY (`resourceUuid`)
+        REFERENCES `ResourceVO`(`uuid`) ON DELETE CASCADE,
+    CONSTRAINT fk_ext_tenant_account FOREIGN KEY (`accountUuid`)
+        REFERENCES `AccountVO`(`uuid`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

conf/springConfigXml/AccountManager.xml

@@ -111,5 +111,22 @@
     <bean id = "RoleUtils" class="org.zstack.identity.rbac.RoleUtils"/>
 
     <bean id="AccountQuotaUpdateChecker" class="org.zstack.identity.AccountQuotaUpdateChecker"/>
+
+    <bean id="ExternalTenantResourceTracker" class="org.zstack.identity.ExternalTenantResourceTracker">
+        <zstack:plugin>
+            <zstack:extension interface="org.zstack.header.Component"/>
+            <zstack:extension interface="org.zstack.header.identity.ResourceOwnershipCreatedExtensionPoint"/>
+            <zstack:extension interface="org.zstack.core.db.HardDeleteEntityExtensionPoint"/>
+            <zstack:extension interface="org.zstack.core.db.SoftDeleteEntityByEOExtensionPoint"/>
+            <zstack:extension interface="org.zstack.header.aspect.OwnedByAccountAspectHelper$ResourceOwnershipCreationNotifier"/>
+        </zstack:plugin>
+    </bean>
+
+    <bean id="ExternalTenantZQLExtension" class="org.zstack.identity.ExternalTenantZQLExtension">
+        <zstack:plugin>
+            <zstack:extension interface="org.zstack.header.zql.MarshalZQLASTTreeExtensionPoint"/>
+            <zstack:extension interface="org.zstack.header.zql.RestrictByExprExtensionPoint"/>
+        </zstack:plugin>
+    </bean>
 </beans>
 

header/src/main/java/org/zstack/header/aspect/OwnedByAccountAspectHelper.java

@@ -8,6 +8,14 @@
 import javax.persistence.EntityManager;
 
 public class OwnedByAccountAspectHelper {
+
+    // static field for resource ownership creation extension point callback
+    private static ResourceOwnershipCreationNotifier notifier;
+
+    public static void setResourceOwnershipCreationNotifier(ResourceOwnershipCreationNotifier notifier) {
+        OwnedByAccountAspectHelper.notifier = notifier;
+    }
+
     public static void createAccountResourceRefVO(OwnedByAccount oa, EntityManager entityManager, Object entity) {
         AccountResourceRefVO ref = new AccountResourceRefVO();
         ref.setAccountUuid(oa.getAccountUuid());
@@ -19,5 +27,21 @@ public static void createAccountResourceRefVO(OwnedByAccount oa, EntityManager e
         ref.setShared(false);
 
         entityManager.persist(ref);
+
+        // notify resource ownership creation event
+        if (notifier != null) {
+            try {
+                notifier.notifyResourceOwnershipCreated(ref);
+            } catch (Exception e) {
+                // extension point failure should not affect the main flow, silently ignored
+            }
+        }
+    }
+
+    /**
+     * Resource ownership creation notifier interface to avoid circular dependency
+     */
+    public static interface ResourceOwnershipCreationNotifier {
+        void notifyResourceOwnershipCreated(AccountResourceRefVO ref);
     }
 }

header/src/main/java/org/zstack/header/identity/ExternalTenantContext.java

@@ -0,0 +1,70 @@
+package org.zstack.header.identity;
+
+import java.io.Serializable;
+
+/**
+ * External tenant context DTO.
+ * Passed by external services (like ZCF, AIOS, etc.) through HTTP Headers,
+ * attached to SessionInventory throughout the entire request chain.
+ */
+public class ExternalTenantContext implements Serializable {
+    private static final long serialVersionUID = 1L;
+
+    // ThreadLocal used to pass current request's external tenant context at AOP level
+    // Set by RestServer after Header parsing, cleaned up after request completion
+    private static final ThreadLocal<ExternalTenantContext> current = new ThreadLocal<>();
+
+    public static void setCurrent(ExternalTenantContext ctx) {
+        current.set(ctx);
+    }
+
+    public static ExternalTenantContext getCurrent() {
+        return current.get();
+    }
+
+    public static void clearCurrent() {
+        current.remove();
+    }
+
+    private String source;      // Source service identifier, such as "zcf", "svcX"
+    private String tenantId;    // External tenant identifier
+    private String userId;      // External user identifier (optional)
+
+    public ExternalTenantContext() {
+    }
+
+    public ExternalTenantContext(String source, String tenantId, String userId) {
+        this.source = source;
+        this.tenantId = tenantId;
+        this.userId = userId;
+    }
+
+    public String getSource() {
+        return source;
+    }
+
+    public void setSource(String source) {
+        this.source = source;
+    }
+
+    public String getTenantId() {
+        return tenantId;
+    }
+
+    public void setTenantId(String tenantId) {
+        this.tenantId = tenantId;
+    }
+
+    public String getUserId() {
+        return userId;
+    }
+
+    public void setUserId(String userId) {
+        this.userId = userId;
+    }
+
+    @Override
+    public String toString() {
+        return String.format("ExternalTenantContext{source='%s', tenantId='%s', userId='%s'}", source, tenantId, userId);
+    }
+}

header/src/main/java/org/zstack/header/identity/ExternalTenantProvider.java

@@ -0,0 +1,52 @@
+package org.zstack.header.identity;
+
+/**
+ * External tenant Provider SPI.
+ * Each external service (ZCF, AIOS, etc.) implements this interface to integrate with the universal tenant resource isolation framework.
+ *
+ * The framework automatically collects all implementations through {@link org.zstack.core.componentloader.PluginRegistry}.
+ * Each Provider returns a unique source identifier (such as "zcf") through {@link #getSource()},
+ * corresponding to the HTTP Header X-Tenant-Source value.
+ */
+public interface ExternalTenantProvider {
+    /**
+     * Source identifier, such as "zcf", "svcX".
+     * Corresponds to X-Tenant-Source header value.
+     * Must be globally unique.
+     */
+    String getSource();
+
+    /**
+     * Validate tenant context validity.
+     * Called after RestServer parses Header and before injecting into Session.
+     * Throwing an exception indicates validation failure, and the request will be rejected.
+     *
+     * @param ctx External tenant context (already parsed from Header)
+     */
+    void validateTenant(ExternalTenantContext ctx);
+
+    /**
+     * Whether to track this type of resource.
+     * After resource creation, the framework calls this method to decide whether to write to ExternalTenantResourceRefVO.
+     * Returning false indicates that this resource type does not need to be associated with tenant.
+     * Default is true (track all resources).
+     *
+     * @param resourceType Resource type (VO SimpleName, such as "VmInstanceVO")
+     */
+    default boolean shouldTrackResource(String resourceType) {
+        return true;
+    }
+
+    /**
+     * Resource binding callback (optional).
+     * Called after ExternalTenantResourceRefVO is written,
+     * Provider can use this for custom logic such as sending notifications or writing audit logs.
+     *
+     * @param ctx          External tenant context
+     * @param resourceUuid Resource UUID
+     * @param resourceType Resource type (VO SimpleName)
+     */
+    default void onResourceBound(ExternalTenantContext ctx,
+                                  String resourceUuid, String resourceType) {
+    }
+}

header/src/main/java/org/zstack/header/identity/ExternalTenantResourceRefInventory.java

@@ -0,0 +1,125 @@
+package org.zstack.header.identity;
+
+import org.zstack.header.configuration.PythonClassInventory;
+import org.zstack.header.search.Inventory;
+
+import java.sql.Timestamp;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * Inventory for ExternalTenantResourceRefVO
+ */
+@PythonClassInventory
+@Inventory(mappingVOClass = ExternalTenantResourceRefVO.class)
+public class ExternalTenantResourceRefInventory {
+    private long id;
+    private String source;
+    private String tenantId;
+    private String userId;
+    private String resourceUuid;
+    private String accountUuid;
+    private String resourceType;
+    private Timestamp createDate;
+    private Timestamp lastOpDate;
+
+    public ExternalTenantResourceRefInventory() {
+    }
+
+    public static List<ExternalTenantResourceRefInventory> valueOf(Collection<ExternalTenantResourceRefVO> vos) {
+        List<ExternalTenantResourceRefInventory> invs = new ArrayList<>();
+        for (ExternalTenantResourceRefVO vo : vos) {
+            invs.add(valueOf(vo));
+        }
+        return invs;
+    }
+
+    public static ExternalTenantResourceRefInventory valueOf(ExternalTenantResourceRefVO vo) {
+        return new ExternalTenantResourceRefInventory(vo);
+    }
+
+    public ExternalTenantResourceRefInventory(ExternalTenantResourceRefVO vo) {
+        this.id = vo.getId();
+        this.source = vo.getSource();
+        this.tenantId = vo.getTenantId();
+        this.userId = vo.getUserId();
+        this.resourceUuid = vo.getResourceUuid();
+        this.accountUuid = vo.getAccountUuid();
+        this.resourceType = vo.getResourceType();
+        this.createDate = vo.getCreateDate();
+        this.lastOpDate = vo.getLastOpDate();
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
+    public String getSource() {
+        return source;
+    }
+
+    public void setSource(String source) {
+        this.source = source;
+    }
+
+    public String getTenantId() {
+        return tenantId;
+    }
+
+    public void setTenantId(String tenantId) {
+        this.tenantId = tenantId;
+    }
+
+    public String getUserId() {
+        return userId;
+    }
+
+    public void setUserId(String userId) {
+        this.userId = userId;
+    }
+
+    public String getResourceUuid() {
+        return resourceUuid;
+    }
+
+    public void setResourceUuid(String resourceUuid) {
+        this.resourceUuid = resourceUuid;
+    }
+
+    public String getAccountUuid() {
+        return accountUuid;
+    }
+
+    public void setAccountUuid(String accountUuid) {
+        this.accountUuid = accountUuid;
+    }
+
+    public String getResourceType() {
+        return resourceType;
+    }
+
+    public void setResourceType(String resourceType) {
+        this.resourceType = resourceType;
+    }
+
+    public Timestamp getCreateDate() {
+        return createDate;
+    }
+
+    public void setCreateDate(Timestamp createDate) {
+        this.createDate = createDate;
+    }
+
+    public Timestamp getLastOpDate() {
+        return lastOpDate;
+    }
+
+    public void setLastOpDate(Timestamp lastOpDate) {
+        this.lastOpDate = lastOpDate;
+    }
+}