refactor:优化鉴权相关功能开关以及修复NPE问题
chuntaojun committed Jun 14, 2023
1 parent 92286d7 commit 782c902
Showing 10 changed files with 214 additions and 189 deletions.
2 changes: 1 addition & 1 deletion apiserver/eurekaserver/access.go
Expand Up @@ -438,7 +438,7 @@ func (h *EurekaServer) UpdateStatus(req *restful.Request, rsp *restful.Response)
}
code := h.updateStatus(context.Background(), namespace, appId, instId, status, false)
writePolarisStatusCode(req, code)
if code == api.ExecuteSuccess {
if code == api.ExecuteSuccess || code == api.NoNeedUpdate {
log.Infof("[EUREKA-SERVER]instance (namespace=%s, instId=%s, appId=%s) has been updated successfully",
namespace, instId, appId)
writeHeader(http.StatusOK, rsp)
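Review bot: The log line that follows the widened condition still says "has been updated successfully", so after `|| code == api.NoNeedUpdate` a no-op status change is logged as an update even though nothing was written. Answering 200 for NoNeedUpdate is reasonable, but the message should distinguish the two cases, e.g. emit the success line only when `code == api.ExecuteSuccess` and otherwise `log.Infof("[EUREKA-SERVER]instance (namespace=%s, instId=%s, appId=%s) status unchanged", namespace, instId, appId)`. UpdateStatus begins and ends outside the hunk.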
10 changes: 8 additions & 2 deletions auth/defaultauth/auth_checker.go
Expand Up @@ -94,7 +94,10 @@ func (d *defaultAuthChecker) Initialize(options *auth.Config, s store.Store, cac
if err := cfg.Verify(); err != nil {
return err
}

// 兼容原本老的配置逻辑
if cfg.Strict {
cfg.ConsoleOpen = cfg.Strict
}
AuthOption = cfg
d.cacheMgn = cacheMgn
return nil
Expand Down Expand Up @@ -208,7 +211,10 @@ func canDowngradeAnonymous(authCtx *model.AcquireContext, err error) bool {
if authCtx.GetModule() == model.AuthModule {
return false
}
if AuthOption.Strict {
if authCtx.IsFromClient() && AuthOption.ClientStrict {
return false
}
if authCtx.IsFromConsole() && AuthOption.ConsoleStrict {
return false
}
if errors.Is(err, model.ErrorTokenInvalid) {
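Review bot: In canDowngradeAnonymous the strict-mode refusal is now split by request source, so a context for which neither `IsFromClient()` nor `IsFromConsole()` is true falls past both new guards into the `errors.Is` checks, whereas the removed `if AuthOption.Strict` refused the downgrade regardless of source. If an AcquireContext can legitimately carry no source (its constructor is not visible here), that is a downgrade-to-anonymous path strict mode no longer closes. A default-deny guard such as `if !authCtx.IsFromClient() && !authCtx.IsFromConsole() { return false }` placed before the token checks restores the old behaviour; otherwise a comment stating that every caller sets a source would do. The function starts before the hunk and its remainder is outside it.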
14 changes: 11 additions & 3 deletions auth/defaultauth/config.go
Expand Up @@ -31,7 +31,12 @@ type AuthConfig struct {
// Salt 相关密码、token加密的salt
Salt string `json:"salt" xml:"salt"`
// Strict 是否启用鉴权的严格模式,即对于没有任何鉴权策略的资源,也必须带上正确的token才能操作, 默认关闭
// Deprecated
Strict bool `json:"strict"`
// ConsoleStrict 是否启用鉴权的严格模式,即对于没有任何鉴权策略的资源,也必须带上正确的token才能操作, 默认关闭
ConsoleStrict bool `json:"consoleStrict"`
// ClientStrict 是否启用鉴权的严格模式,即对于没有任何鉴权策略的资源,也必须带上正确的token才能操作, 默认关闭
ClientStrict bool `json:"clientStrict"`
}

// Verify 检查配置是否合法
Expand All @@ -54,8 +59,11 @@ func DefaultAuthConfig() *AuthConfig {
ConsoleOpen: true,
// 针对客户端接口,默认不开启鉴权操作
ClientOpen: false,
Salt: "polarismesh@2021",
// 这里默认开启强 Token 检查模式
Strict: true,
// Salt token 加密 key
Salt: "polarismesh@2021",
// 这里默认开启 OpenAPI 的强 Token 检查模式
ConsoleStrict: true,
// 客户端接口默认不开启 token 强检查模式
ClientStrict: false,
}
}
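Review bot: The new comment on Salt in DefaultAuthConfig (`// Salt token 加密 key`) should warn that the default `"polarismesh@2021"` is published in this repository, so any deployment that keeps it uses a publicly known key for the password and token encryption the Salt field comment in the first hunk describes. Suggest `// Salt is the key used for password/token encryption; the default is public, override it in every deployment.` and, unless Verify already rejects the default (Verify starts after the first hunk and is not visible here), a warning log or refusal when the value is unchanged. DefaultAuthConfig is fully visible in the second hunk.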
19 changes: 10 additions & 9 deletions bootstrap/server.go
Expand Up @@ -252,16 +252,17 @@ func StartDiscoverComponents(ctx context.Context, cfg *boot_config.Config, s sto
if err != nil {
return err
}
cacheProvider, err := healthCheckServer.CacheProvider()
if err != nil {
return err
if cfg.HealthChecks.Open {
cacheProvider, err := healthCheckServer.CacheProvider()
if err != nil {
return err
}
healthCheckServer.SetServiceCache(cacheMgn.Service())
healthCheckServer.SetInstanceCache(cacheMgn.Instance())
// 为 instance 的 cache 添加 健康检查的 Listener
cacheMgn.AddListener(cache.CacheNameInstance, []cache.Listener{cacheProvider})
cacheMgn.AddListener(cache.CacheNameClient, []cache.Listener{cacheProvider})
}
healthCheckServer.SetServiceCache(cacheMgn.Service())
healthCheckServer.SetInstanceCache(cacheMgn.Instance())

// 为 instance 的 cache 添加 健康检查的 Listener
cacheMgn.AddListener(cache.CacheNameInstance, []cache.Listener{cacheProvider})
cacheMgn.AddListener(cache.CacheNameClient, []cache.Listener{cacheProvider})

namespaceSvr, err := namespace.GetServer()
if err != nil {
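Review bot: The new `if cfg.HealthChecks.Open` guard carries no comment, and nothing in the hunk says why the listener wiring must be skipped when health checks are off; presumably the provider returned by CacheProvider() is not initialised in that case and this is the NPE the commit title mentions, which is worth stating, e.g. `// Health checking is disabled: the provider is not initialised, so register no cache listeners.` Also `cacheProvider, err :=` inside the block declares a new err that shadows the one checked just above the hunk; harmless here because it is checked immediately, but the vet shadow analyzer will flag it. StartDiscoverComponents begins and ends outside the hunk.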
6 changes: 5 additions & 1 deletion cache/cache.go
Expand Up @@ -208,7 +208,11 @@ func (bc *baseCache) doCacheUpdate(name string, executor func() (map[string]time
log.Warnf("[Cache][%s] get store timestamp fail, skip update lastMtime, err : %v", name, err)
}
defer func() {
bc.lastFetchTime = curStoreTime
if err := recover(); err != nil {
log.Errorf("[Cache][%s] run cache update panic: %+v", name, err)
} else {
bc.lastFetchTime = curStoreTime
}
}()

start := time.Now()
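Review bot: The added recover() in the deferred function swallows the panic and lets doCacheUpdate return normally, so a caller cannot tell the refresh failed; the only trace is that lastFetchTime is not advanced. If the function has an error result (its signature is cut off at the hunk header), consider a named result that the deferred function sets when it recovers, or re-panic after logging; otherwise a comment should say the panic is deliberately swallowed and the next tick retries. Also `if err := recover(); err != nil` binds an `any` value to err and shadows the err checked just above; `if r := recover(); r != nil` is the conventional form. doCacheUpdate continues past the hunk.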
8 changes: 6 additions & 2 deletions release/conf/polaris-server.yaml
Expand Up @@ -284,10 +284,14 @@ auth:
strategy:
name: defaultStrategy
option:
# Console power switch, open default
# Console auth switch, default true
consoleOpen: true
# Customer inspection ability switch, default close
# Console Strict Model, default true
consoleStrict: true
# Customer auth switch, default false
clientOpen: false
# Customer Strict Model, default close
clientStrict: false
namespace:
# Whether to allow automatic creation of naming space
autoCreate: true
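Review bot: The new comments `# Console Strict Model, default true` and `# Customer Strict Model, default close` do not tell an operator what strict mode does, and "Model" and "Customer" read as typos for "mode" and "client" given the keys consoleStrict, clientOpen and clientStrict. Suggest `# Console strict mode: resources with no auth policy still require a valid token, default true` and `# Client strict mode: same rule for client interfaces, default false`, mirroring the Go field comments for ConsoleStrict/ClientStrict in this commit.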
24 changes: 12 additions & 12 deletions service/circuitbreaker_rule_authability.go
Expand Up @@ -21,7 +21,6 @@ import (
"context"

apifault "github.com/polarismesh/specification/source/go/api/v1/fault_tolerance"
apimodel "github.com/polarismesh/specification/source/go/api/v1/model"
apiservice "github.com/polarismesh/specification/source/go/api/v1/service_manage"

api "github.com/polarismesh/polaris/common/api/v1"
Expand All @@ -31,13 +30,12 @@ import (

func (svr *serverAuthAbility) CreateCircuitBreakerRules(
ctx context.Context, request []*apifault.CircuitBreakerRule) *apiservice.BatchWriteResponse {

// TODO not support CircuitBreaker resource auth, so we set op is read
authCtx := svr.collectCircuitBreakerRuleV2AuthContext(ctx, request, model.Read, "CreateCircuitBreakerRules")

_, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx)
if err != nil {
return api.NewBatchWriteResponseWithMsg(apimodel.Code_NotAllowedAccess, err.Error())
return api.NewBatchWriteResponse(convertToErrCode(err))
}

ctx = authCtx.GetRequestContext()
Expand All @@ -47,12 +45,10 @@ func (svr *serverAuthAbility) CreateCircuitBreakerRules(

func (svr *serverAuthAbility) DeleteCircuitBreakerRules(
ctx context.Context, request []*apifault.CircuitBreakerRule) *apiservice.BatchWriteResponse {

authCtx := svr.collectCircuitBreakerRuleV2AuthContext(ctx, request, model.Read, "DeleteCircuitBreakerRules")

_, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx)
if err != nil {
return api.NewBatchWriteResponseWithMsg(apimodel.Code_NotAllowedAccess, err.Error())
return api.NewBatchWriteResponse(convertToErrCode(err))
}

ctx = authCtx.GetRequestContext()
Expand All @@ -62,12 +58,10 @@ func (svr *serverAuthAbility) DeleteCircuitBreakerRules(

func (svr *serverAuthAbility) EnableCircuitBreakerRules(
ctx context.Context, request []*apifault.CircuitBreakerRule) *apiservice.BatchWriteResponse {

authCtx := svr.collectCircuitBreakerRuleV2AuthContext(ctx, request, model.Read, "EnableCircuitBreakerRules")

_, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx)
if err != nil {
return api.NewBatchWriteResponseWithMsg(apimodel.Code_NotAllowedAccess, err.Error())
return api.NewBatchWriteResponse(convertToErrCode(err))
}

ctx = authCtx.GetRequestContext()
Expand All @@ -77,12 +71,10 @@ func (svr *serverAuthAbility) EnableCircuitBreakerRules(

func (svr *serverAuthAbility) UpdateCircuitBreakerRules(
ctx context.Context, request []*apifault.CircuitBreakerRule) *apiservice.BatchWriteResponse {

authCtx := svr.collectCircuitBreakerRuleV2AuthContext(ctx, request, model.Read, "UpdateCircuitBreakerRules")

_, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx)
if err != nil {
return api.NewBatchWriteResponseWithMsg(apimodel.Code_NotAllowedAccess, err.Error())
return api.NewBatchWriteResponse(convertToErrCode(err))
}

ctx = authCtx.GetRequestContext()
Expand All @@ -92,5 +84,13 @@ func (svr *serverAuthAbility) UpdateCircuitBreakerRules(

func (svr *serverAuthAbility) GetCircuitBreakerRules(
ctx context.Context, query map[string]string) *apiservice.BatchQueryResponse {
authCtx := svr.collectCircuitBreakerRuleV2AuthContext(ctx, nil, model.Read, "GetCircuitBreakerRules")
_, err := svr.strategyMgn.GetAuthChecker().CheckConsolePermission(authCtx)
if err != nil {
return api.NewBatchQueryResponse(convertToErrCode(err))
}

ctx = authCtx.GetRequestContext()
ctx = context.WithValue(ctx, utils.ContextAuthContextKey, authCtx)
return svr.targetServer.GetCircuitBreakerRules(ctx, query)
}
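Review bot: GetCircuitBreakerRules, new in the last hunk, passes `nil` as the rule slice to collectCircuitBreakerRuleV2AuthContext while the four write paths pass real rules; the collector is outside this section, so confirm it tolerates a nil slice (ranging over it is fine, indexing into it is not). Switching from `NewBatchWriteResponseWithMsg(apimodel.Code_NotAllowedAccess, err.Error())` to `NewBatchWriteResponse(convertToErrCode(err))` also drops the error text from the denial response, so API consumers no longer see why a request was refused; if that is intended (less detail to unauthenticated callers) it deserves a line in the commit message. The write entry points still collect their context with `model.Read` per the TODO at the top of the section, so these checks enforce token validity only; a `// NOTE: write authorised as Read until resource-level policy exists` at each call site would keep that visible.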
