Expand Up @@ -37,6 +37,11 @@ public User login(Object request) throws AccessException {
return result;
}

@Override
public User loginRemote(Object request) throws AccessException {
return null;
}

@Override
public void auth(Permission permission, User user) throws AccessException {
}
Expand Up @@ -17,7 +17,6 @@
package com.alibaba.nacos.api.config.remote.response;

import com.alibaba.nacos.api.remote.response.Response;
import com.alibaba.nacos.api.remote.response.ResponseCode;

import java.util.HashMap;
import java.util.Map;
Expand Down Expand Up @@ -57,14 +56,12 @@ public void addLabel(String key, String value) {
* Buid fail response.
*
* @param errorCode errorCode.
* @param message message.
* @param message message.
* @return
*/
public static ConfigQueryResponse buildFailResponse(int errorCode, String message) {
ConfigQueryResponse response = new ConfigQueryResponse();
response.setResultCode(ResponseCode.FAIL.getCode());
response.setErrorCode(errorCode);
response.setMessage(message);
response.setErrorInfo(errorCode, message);
return response;
}

Expand Up @@ -52,8 +52,7 @@ public static ServiceListResponse buildSuccessResponse(int count, List<String> s
*/
public static ServiceListResponse buildFailResponse(String message) {
ServiceListResponse result = new ServiceListResponse();
result.setErrorCode(ResponseCode.FAIL.getCode());
result.setMessage(message);
result.setErrorInfo(ResponseCode.FAIL.getCode(), message);
return result;
}

Expand Up @@ -116,6 +116,12 @@ public void setErrorCode(int errorCode) {
this.errorCode = errorCode;
}

public void setErrorInfo(int errorCode, String errorMsg) {
this.resultCode = ResponseCode.FAIL.getCode();
this.errorCode = errorCode;
this.message = errorMsg;
}

@Override
public String toString() {
return ToStringBuilder.reflectionToString(this);
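Review bot: `setErrorInfo` has no Javadoc and does more than its name suggests: besides the error code and message it forces `resultCode` to `ResponseCode.FAIL.getCode()`. The ConfigQueryRequestHandler call sites in this change previously called only `setErrorCode` and `setMessage` in the visible hunks, so their CONFIG_NOT_FOUND and CONFIG_QUERY_CONFLICT responses will now also carry a failed result code, which clients may branch on. I would add a comment such as `/** Marks this response as failed (resultCode = FAIL) and records the error code and message. */` so the side effect is visible to callers.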
9 changes: 9 additions & 0 deletions auth/src/main/java/com/alibaba/nacos/auth/AuthManager.java
Expand Up @@ -38,6 +38,15 @@ public interface AuthManager {
*/
User login(Object request) throws AccessException;

/**
* Authentication of request, identify the user who request the resource.
*
* @param request where we can find the user information
* @return user related to this request, null if no user info is found.
* @throws AccessException if authentication is failed
*/
User loginRemote(Object request) throws AccessException;

/**
* Authorization of request, constituted with resource and user.
*
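Review bot: The Javadoc on `loginRemote` is a copy of the one on `login` and never says what `request` is, while the NacosAuthManager implementation in this change casts it to `com.alibaba.nacos.api.remote.request.Request` unconditionally. It also promises `null if no user info is found`, yet that implementation throws `AccessException` for a blank token and the other implementation in this change always returns `null`, so a caller cannot tell whether a null user means "anonymous" or "not authenticated". I would tighten the contract, e.g. `@param request the remote (RPC) request carrying the token headers`, and state whether a missing credential must throw or return null. Declaring the parameter as `Request` would remove the cast, if this module can depend on that type.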
8 changes: 6 additions & 2 deletions client/src/test/java/com/alibaba/nacos/client/ConfigTest.java
Expand Up @@ -55,10 +55,15 @@ public class ConfigTest {
public void before() throws Exception {
Properties properties = new Properties();
properties.setProperty(PropertyKeyConst.SERVER_ADDR, "127.0.0.1:8848");
properties.setProperty("-Dclientworker.use.http.switch", "Y");

//properties.setProperty(PropertyKeyConst.SERVER_ADDR, "11.160.144.148:8848");
//properties.setProperty(PropertyKeyConst.SERVER_ADDR, "11.160.144.149:8848,11.160.144.148:8848,127.0.0.1:8848");
//"11.239.114.187:8848,,11.239.113.204:8848,11.239.112.161:8848");
//"11.239.114.187:8848");
properties.setProperty(PropertyKeyConst.USERNAME, "nacos");
properties.setProperty(PropertyKeyConst.PASSWORD, "nacos");

configService = NacosFactory.createConfigService(properties);
//Thread.sleep(2000L);
}
Expand Down Expand Up @@ -249,8 +254,7 @@ public void run() {
try {
String content1 = System.currentTimeMillis() + "";
//System.out.println("publish content:" + content1);
configService.publishConfig(dataId, group, content1);

boolean b = configService.publishConfig(dataId, group, content1);
times--;
Thread.sleep(1000L);
} catch (Exception e) {
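Review bot: The result of `publishConfig` is stored in `boolean b` and never checked, so a publish rejected by the new authentication path would go unnoticed by this test; either check `b` or drop the variable. The key `"-Dclientworker.use.http.switch"` is set on the `Properties` object including the `-D` prefix, which looks like JVM flag syntax and may never be read under that name (worth confirming). The hard-coded `nacos`/`nacos` account and the commented-out `11.x` server addresses would be better read from system properties with local defaults than kept in the repository. The `run()` body continues outside the hunk.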
Expand Up @@ -600,7 +600,7 @@ public void registerConnectionListener(ConnectionEventListener connectionEventLi
*
* @param serverRequestHandler serverRequestHandler
*/
public void registerServerPushResponseHandler(ServerRequestHandler serverRequestHandler) {
public synchronized void registerServerPushResponseHandler(ServerRequestHandler serverRequestHandler) {
LoggerUtils.printIfInfoEnabled(LOGGER,
" Registry server push response listener to current client, connectionEventListener={}",
serverRequestHandler.getClass().getName());
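Review bot: Marking only `registerServerPushResponseHandler` as `synchronized` orders concurrent registrations against each other, but it does not protect the code that reads the handler collection while dispatching server pushes. That holds unless the reader takes the same monitor or the collection is a concurrent one, and neither is visible in this hunk. If the backing field is a plain list, a `CopyOnWriteArrayList` would cover both sides without the lock. The method body continues past the hunk.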
Expand Up @@ -43,4 +43,21 @@ public static Object getFieldValue(Object obj, String fieldName) {
}
}

/**
* get filed value of obj.
*
* @param obj obj.
* @param fieldName file name to get value.
* @return
*/
public static Object getFieldValue(Object obj, String fieldName, Object defaultValue) {
try {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
return field.get(obj);
} catch (Exception e) {
return defaultValue;
}
}

}
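Review bot: `catch (Exception e)` in the new `getFieldValue(obj, fieldName, defaultValue)` turns every failure into the default, including a null `obj`, a misspelt field name, and a field declared on a superclass (`getDeclaredField` only inspects the object's own class). ConfigResourceParser in this change uses the result to name the resource being authorized, so a silent default there alters an access decision rather than a display value. I would narrow the catch, walk the superclass chain before falling back, and fix the Javadoc (`filed` → `field`, `file name` → `field name`, add `@param defaultValue`, describe the `@return`).

```java
public static Object getFieldValue(Object obj, String fieldName, Object defaultValue) {
    if (obj == null) {
        return defaultValue;
    }
    // getDeclaredField only sees fields declared on the class itself, so walk up the hierarchy.
    for (Class<?> type = obj.getClass(); type != null; type = type.getSuperclass()) {
        try {
            Field field = type.getDeclaredField(fieldName);
            field.setAccessible(true);
            return field.get(obj);
        } catch (NoSuchFieldException e) {
            // not declared on this class; try the superclass
        } catch (IllegalAccessException e) {
            return defaultValue;
        }
    }
    return defaultValue;
}
```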
Expand Up @@ -16,12 +16,14 @@

package com.alibaba.nacos.config.server.auth;

import javax.servlet.http.HttpServletRequest;

import com.alibaba.nacos.api.remote.request.Request;
import com.alibaba.nacos.auth.model.Resource;
import com.alibaba.nacos.auth.parser.ResourceParser;
import com.alibaba.nacos.common.utils.ReflectUtils;
import org.apache.commons.lang3.StringUtils;

import javax.servlet.http.HttpServletRequest;

/**
* Config resource parser.
*
Expand All @@ -33,11 +35,22 @@ public class ConfigResourceParser implements ResourceParser {
private static final String AUTH_CONFIG_PREFIX = "config/";

@Override
public String parseName(Object request) {
HttpServletRequest req = (HttpServletRequest) request;
String namespaceId = req.getParameter("tenant");
String groupName = req.getParameter("group");
String dataId = req.getParameter("dataId");
public String parseName(Object requestObj) {

String namespaceId = null;
String groupName = null;
String dataId = null;
if (requestObj instanceof HttpServletRequest) {
HttpServletRequest req = (HttpServletRequest) requestObj;
namespaceId = req.getParameter("tenant");
groupName = req.getParameter("group");
dataId = req.getParameter("dataId");
} else if (requestObj instanceof Request) {
Request request = (Request) requestObj;
namespaceId = (String) ReflectUtils.getFieldValue(request, "tenant", "");
groupName = (String) ReflectUtils.getFieldValue(request, "group", "");
dataId = (String) ReflectUtils.getFieldValue(request, "dataId", "");
}

StringBuilder sb = new StringBuilder();
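Review bot: In the `Request` branch of `parseName` the tenant, group and dataId are read reflectively by field name with `""` as the fallback, so a request class that lacks one of those fields, or declares it on a superclass, yields blank components. The permission is then checked against whatever resource name the rest of the method builds from blanks (that part is outside the hunk). This change also attaches the parser to ConfigChangeBatchListenRequestHandler, whose request type, judging by its name, may carry several configs rather than one tenant/group/dataId triple, so it is worth confirming the check covers each listened config. A request object that is neither an `HttpServletRequest` nor a `Request` leaves all three values `null` and still falls through. Failing closed there, e.g. `else { throw new IllegalArgumentException("unsupported request type"); }`, and reading the values through typed getters would make the authorization input explicit.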

Expand Up @@ -20,6 +20,9 @@
import com.alibaba.nacos.api.config.remote.response.ConfigRemoveResponse;
import com.alibaba.nacos.api.exception.NacosException;
import com.alibaba.nacos.api.remote.request.RequestMeta;
import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.common.ActionTypes;
import com.alibaba.nacos.config.server.auth.ConfigResourceParser;
import com.alibaba.nacos.config.server.model.event.ConfigDataChangeEvent;
import com.alibaba.nacos.config.server.service.ConfigChangePublisher;
import com.alibaba.nacos.config.server.service.repository.PersistService;
Expand Down Expand Up @@ -47,6 +50,7 @@ public class ConfiRemoveRequestHandler extends RequestHandler<ConfigRemoveReques
private PersistService persistService;

@Override
@Secured(action = ActionTypes.WRITE, parser = ConfigResourceParser.class)
public ConfigRemoveResponse handle(ConfigRemoveRequest request, RequestMeta meta) throws NacosException {
ConfigRemoveRequest myrequest = (ConfigRemoveRequest) request;
// check tenant
Expand Up @@ -20,6 +20,9 @@
import com.alibaba.nacos.api.config.remote.response.ConfigChangeBatchListenResponse;
import com.alibaba.nacos.api.exception.NacosException;
import com.alibaba.nacos.api.remote.request.RequestMeta;
import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.common.ActionTypes;
import com.alibaba.nacos.config.server.auth.ConfigResourceParser;
import com.alibaba.nacos.config.server.service.ConfigCacheService;
import com.alibaba.nacos.config.server.utils.GroupKey2;
import com.alibaba.nacos.config.server.utils.SingletonRepository;
Expand All @@ -43,6 +46,7 @@ public class ConfigChangeBatchListenRequestHandler
ConfigChangeListenContext configChangeListenContext;

@Override
@Secured(action = ActionTypes.READ, parser = ConfigResourceParser.class)
public ConfigChangeBatchListenResponse handle(ConfigBatchListenRequest request, RequestMeta requestMeta)
throws NacosException {
ConfigBatchListenRequest configChangeListenRequest = (ConfigBatchListenRequest) request;
Expand Up @@ -56,7 +56,7 @@ public class ConfigPublishRequestHandler extends RequestHandler<ConfigPublishReq
private PersistService persistService;

@Override
@Secured(action = ActionTypes.WRITE, parser = ConfigResourceParser.class)
@Secured(action = ActionTypes.WRITE, resource = "", parser = ConfigResourceParser.class)
public ConfigPubishResponse handle(ConfigPublishRequest myRequest, RequestMeta meta) throws NacosException {

try {
Expand Up @@ -21,6 +21,9 @@
import com.alibaba.nacos.api.exception.NacosException;
import com.alibaba.nacos.api.remote.request.RequestMeta;
import com.alibaba.nacos.api.remote.response.ResponseCode;
import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.common.ActionTypes;
import com.alibaba.nacos.config.server.auth.ConfigResourceParser;
import com.alibaba.nacos.config.server.constant.Constants;
import com.alibaba.nacos.config.server.model.CacheItem;
import com.alibaba.nacos.config.server.model.ConfigInfoBase;
Expand Down Expand Up @@ -64,6 +67,7 @@ public class ConfigQueryRequestHandler extends RequestHandler<ConfigQueryRequest
private PersistService persistService;

@Override
@Secured(action = ActionTypes.READ, parser = ConfigResourceParser.class)
public ConfigQueryResponse handle(ConfigQueryRequest request, RequestMeta requestMeta) throws NacosException {
ConfigQueryRequest configQueryRequest = (ConfigQueryRequest) request;

Expand Down Expand Up @@ -160,9 +164,8 @@ private ConfigQueryResponse getContext(String dataId, String group, String tenan
// pullLog.info("[client-get] clientIp={}, {},
// no data",
// new Object[]{clientIp, groupKey});

response.setErrorCode(ConfigQueryResponse.CONFIG_NOT_FOUND);
response.setMessage("config data not exist");

response.setErrorInfo(ConfigQueryResponse.CONFIG_NOT_FOUND, "config data not exist");
return response;
}
}
Expand Down Expand Up @@ -192,9 +195,8 @@ private ConfigQueryResponse getContext(String dataId, String group, String tenan
// pullLog.info("[client-get] clientIp={}, {},
// no data",
// new Object[]{clientIp, groupKey});

response.setErrorCode(ConfigQueryResponse.CONFIG_NOT_FOUND);
response.setMessage("config data not exist");

response.setErrorInfo(ConfigQueryResponse.CONFIG_NOT_FOUND, "config data not exist");
return response;

}
Expand Down Expand Up @@ -238,14 +240,12 @@ private ConfigQueryResponse getContext(String dataId, String group, String tenan
ConfigTraceService
.logPullEvent(dataId, group, tenant, requestIpApp, -1, ConfigTraceService.PULL_EVENT_NOTFOUND, -1,
clientIp);

response.setErrorCode(ConfigQueryResponse.CONFIG_NOT_FOUND);
response.setMessage("config data not exist");
response.setErrorInfo(ConfigQueryResponse.CONFIG_NOT_FOUND, "config data not exist");

} else {
PULL_LOG.info("[client-get] clientIp={}, {}, get data during dump", clientIp, groupKey);
response.setErrorCode(ConfigQueryResponse.CONFIG_QUERY_CONFLICT);
response.setMessage("requested file is being modified, please try later.");
response.setErrorInfo(ConfigQueryResponse.CONFIG_QUERY_CONFLICT,
"requested file is being modified, please try later.");
}
return response;
}
Expand Up @@ -17,6 +17,7 @@
package com.alibaba.nacos.console.security.nacos;

import com.alibaba.nacos.api.common.Constants;
import com.alibaba.nacos.api.remote.request.Request;
import com.alibaba.nacos.auth.AuthManager;
import com.alibaba.nacos.auth.exception.AccessException;
import com.alibaba.nacos.auth.model.Permission;
Expand Down Expand Up @@ -95,6 +96,41 @@ public User login(Object request) throws AccessException {
return user;
}

@Override
public User loginRemote(Object request) throws AccessException {
Request req = (Request) request;
String token = resolveToken(req);
if (StringUtils.isBlank(token)) {
throw new AccessException("user not found!");
}

try {
tokenManager.validateToken(token);
} catch (ExpiredJwtException e) {
throw new AccessException("token expired!");
} catch (Exception e) {
throw new AccessException("token invalid!");
}

Authentication authentication = tokenManager.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);

String username = authentication.getName();
NacosUser user = new NacosUser();
user.setUserName(username);
user.setToken(token);
List<RoleInfo> roleInfoList = roleService.getRoles(username);
if (roleInfoList != null) {
for (RoleInfo roleInfo : roleInfoList) {
if (roleInfo.getRole().equals(NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE)) {
user.setGlobalAdmin(true);
break;
}
}
}
return user;
}

@Override
public void auth(Permission permission, User user) throws AccessException {
if (Loggers.AUTH.isDebugEnabled()) {
Expand All @@ -120,6 +156,24 @@ private String resolveToken(HttpServletRequest request) throws AccessException {
String password = request.getParameter("password");
bearerToken = resolveTokenFromUser(userName, password);
}

return bearerToken;
}

/**
* Get token from header.
*/
private String resolveToken(Request request) throws AccessException {
String bearerToken = request.getHeader(NacosAuthConfig.AUTHORIZATION_HEADER);
if (StringUtils.isNotBlank(bearerToken) && bearerToken.startsWith(TOKEN_PREFIX)) {
return bearerToken.substring(7);
}
bearerToken = request.getHeader(Constants.ACCESS_TOKEN);
if (StringUtils.isBlank(bearerToken)) {
String userName = request.getHeader("username");
String password = request.getHeader("password");
bearerToken = resolveTokenFromUser(userName, password);
}

return bearerToken;
}
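Review bot: `loginRemote` stores the authentication with `SecurityContextHolder.getContext().setAuthentication(authentication)` and nothing in the visible hunks clears it afterwards. If the holder uses its default thread-local strategy and remote requests are served from pooled threads, one caller's identity could still be in the context when that thread handles the next request. Unless something downstream reads the context, I would drop that line from the RPC path or have the caller run `SecurityContextHolder.clearContext()` in a `finally`. Separately, `(Request) request` surfaces a `ClassCastException` rather than an `AccessException` for an unexpected type, and `bearerToken.substring(7)` should be `bearerToken.substring(TOKEN_PREFIX.length())`. The new `resolveToken(Request)` also accepts `username`/`password` headers, so a client may send its password on every call and any header logging would capture it.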