Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2020/06/29 11:15:26 UTC

[GitHub] [servicecomb-service-center] tianxiaoliang opened a new pull request #655: follow right design pattern of service center

tianxiaoliang opened a new pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655


   Follow this checklist to help us incorporate your contribution quickly and easily:
   
    - [ ] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/SCB) filed for the change (usually before you start working on it).  Trivial changes like typos do not require a JIRA issue.  Your pull request should address just this issue, without pulling in other changes.
    - [ ] Each commit in the pull request should have a meaningful subject line and body.
    - [ ] Format the pull request title like `[SCB-XXX] Fixes bug in ApproximateQuantiles`, where you replace `SCB-XXX` with the appropriate JIRA issue.
    - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
    - [ ] Run `go build` `go test` `go fmt` `go vet` to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
    - [ ] If this contribution is large, please file an Apache [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
   
   ---
   





[GitHub] [servicecomb-service-center] tianxiaoliang commented on pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
tianxiaoliang commented on pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#issuecomment-651487903


   先合入,白名单机制下一个pr提供





[GitHub] [servicecomb-service-center] tianxiaoliang merged pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
tianxiaoliang merged pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655


   





[GitHub] [servicecomb-service-center] tianxiaoliang commented on a change in pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
tianxiaoliang commented on a change in pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#discussion_r446910064



##########
File path: server/plugin/auth/buildin/buildin.go
##########
@@ -17,26 +17,65 @@
 package buildin
 
 import (
+	"context"
+	"errors"
+	"github.com/apache/servicecomb-service-center/pkg/log"
 	mgr "github.com/apache/servicecomb-service-center/server/plugin"
+	"github.com/apache/servicecomb-service-center/server/service/rbac"
+	"github.com/go-chassis/go-chassis/security/authr"
+	"github.com/go-chassis/go-chassis/server/restful"
 	"net/http"
+	"strings"
 )
 
 func init() {
 	mgr.RegisterPlugin(mgr.Plugin{mgr.AUTH, "buildin", New})
 }
 
 func New() mgr.PluginInstance {
-	return &BuildInAuth{}
+	return &TokenAuthenticator{}
 }
 
-type BuildInAuth struct {
+type TokenAuthenticator struct {
 }
 
-func (ba *BuildInAuth) Identify(r *http.Request) error {
-	df, ok := mgr.DynamicPluginFunc(mgr.AUTH, "Identify").(func(r *http.Request) error)
-	if ok {
-		return df(r)
+func (ba *TokenAuthenticator) Identify(req *http.Request) error {
+	if !rbac.Enabled() {
+		return nil
+	}
+	if !mustAuth(req) {
+		return nil
 	}
 
+	v := req.Header.Get(restful.HeaderAuth)
+	if v == "" {
+		return errors.New("should provide token in header")
+	}
+	s := strings.Split(v, " ")
+	if len(s) != 2 {
+		return errors.New("invalid auth header")
+	}
+	to := s[1]
+	//TODO rbac
+	claims, err := authr.Authenticate(req.Context(), to)
+	if err != nil {
+		log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
+		return err
+	}
+	log.Info("user access")
+	req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
+	*req = *req2
 	return nil
 }
+func mustAuth(req *http.Request) bool {
+	if strings.Contains(req.URL.Path, "/v4/token") {

Review comment:
       可以







[GitHub] [servicecomb-service-center] jeho0815 commented on a change in pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
jeho0815 commented on a change in pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#discussion_r446905676



##########
File path: server/plugin/auth/buildin/buildin.go
##########
@@ -17,26 +17,65 @@
 package buildin
 
 import (
+	"context"
+	"errors"
+	"github.com/apache/servicecomb-service-center/pkg/log"
 	mgr "github.com/apache/servicecomb-service-center/server/plugin"
+	"github.com/apache/servicecomb-service-center/server/service/rbac"
+	"github.com/go-chassis/go-chassis/security/authr"
+	"github.com/go-chassis/go-chassis/server/restful"
 	"net/http"
+	"strings"
 )
 
 func init() {
 	mgr.RegisterPlugin(mgr.Plugin{mgr.AUTH, "buildin", New})
 }
 
 func New() mgr.PluginInstance {
-	return &BuildInAuth{}
+	return &TokenAuthenticator{}
 }
 
-type BuildInAuth struct {
+type TokenAuthenticator struct {
 }
 
-func (ba *BuildInAuth) Identify(r *http.Request) error {
-	df, ok := mgr.DynamicPluginFunc(mgr.AUTH, "Identify").(func(r *http.Request) error)
-	if ok {
-		return df(r)
+func (ba *TokenAuthenticator) Identify(req *http.Request) error {
+	if !rbac.Enabled() {
+		return nil
+	}
+	if !mustAuth(req) {
+		return nil
 	}
 
+	v := req.Header.Get(restful.HeaderAuth)
+	if v == "" {
+		return errors.New("should provide token in header")
+	}
+	s := strings.Split(v, " ")
+	if len(s) != 2 {
+		return errors.New("invalid auth header")
+	}
+	to := s[1]
+	//TODO rbac
+	claims, err := authr.Authenticate(req.Context(), to)
+	if err != nil {
+		log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
+		return err
+	}
+	log.Info("user access")
+	req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
+	*req = *req2
 	return nil
 }
+func mustAuth(req *http.Request) bool {
+	if strings.Contains(req.URL.Path, "/v4/token") {

Review comment:
       加一个白名单列表配置项来做?可能后面还有其他接口不需要鉴权







[GitHub] [servicecomb-service-center] coveralls commented on pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
coveralls commented on pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#issuecomment-651067891


   
   [![Coverage Status](https://coveralls.io/builds/31744747/badge)](https://coveralls.io/builds/31744747)
   
   Coverage increased (+0.2%) to 61.142% when pulling **a2dfe6137887313d2c25279096417d6bb3db40f2 on tianxiaoliang:dev** into **4f6ea4cb6c23e2c925805142ffaab25d14720dd5 on apache:master**.
   





[GitHub] [servicecomb-service-center] tianxiaoliang commented on a change in pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
tianxiaoliang commented on a change in pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#discussion_r446910441



##########
File path: server/plugin/auth/buildin/buildin.go
##########
@@ -17,26 +17,65 @@
 package buildin
 
 import (
+	"context"
+	"errors"
+	"github.com/apache/servicecomb-service-center/pkg/log"
 	mgr "github.com/apache/servicecomb-service-center/server/plugin"
+	"github.com/apache/servicecomb-service-center/server/service/rbac"
+	"github.com/go-chassis/go-chassis/security/authr"
+	"github.com/go-chassis/go-chassis/server/restful"
 	"net/http"
+	"strings"
 )
 
 func init() {
 	mgr.RegisterPlugin(mgr.Plugin{mgr.AUTH, "buildin", New})
 }
 
 func New() mgr.PluginInstance {
-	return &BuildInAuth{}
+	return &TokenAuthenticator{}
 }
 
-type BuildInAuth struct {
+type TokenAuthenticator struct {
 }
 
-func (ba *BuildInAuth) Identify(r *http.Request) error {
-	df, ok := mgr.DynamicPluginFunc(mgr.AUTH, "Identify").(func(r *http.Request) error)
-	if ok {
-		return df(r)
+func (ba *TokenAuthenticator) Identify(req *http.Request) error {
+	if !rbac.Enabled() {
+		return nil
+	}
+	if !mustAuth(req) {
+		return nil
 	}
 
+	v := req.Header.Get(restful.HeaderAuth)
+	if v == "" {
+		return errors.New("should provide token in header")
+	}
+	s := strings.Split(v, " ")
+	if len(s) != 2 {
+		return errors.New("invalid auth header")
+	}
+	to := s[1]
+	//TODO rbac
+	claims, err := authr.Authenticate(req.Context(), to)
+	if err != nil {
+		log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
+		return err
+	}
+	log.Info("user access")
+	req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
+	*req = *req2
 	return nil
 }
+func mustAuth(req *http.Request) bool {
+	if strings.Contains(req.URL.Path, "/v4/token") {

Review comment:
       但是不能做成配置文件,必须通过代码编写搞定







[GitHub] [servicecomb-service-center] jeho0815 commented on a change in pull request #655: follow right design pattern of service center

Posted by GitBox <gi...@apache.org>.
jeho0815 commented on a change in pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#discussion_r446911635



##########
File path: server/plugin/auth/buildin/buildin.go
##########
@@ -17,26 +17,65 @@
 package buildin
 
 import (
+	"context"
+	"errors"
+	"github.com/apache/servicecomb-service-center/pkg/log"
 	mgr "github.com/apache/servicecomb-service-center/server/plugin"
+	"github.com/apache/servicecomb-service-center/server/service/rbac"
+	"github.com/go-chassis/go-chassis/security/authr"
+	"github.com/go-chassis/go-chassis/server/restful"
 	"net/http"
+	"strings"
 )
 
 func init() {
 	mgr.RegisterPlugin(mgr.Plugin{mgr.AUTH, "buildin", New})
 }
 
 func New() mgr.PluginInstance {
-	return &BuildInAuth{}
+	return &TokenAuthenticator{}
 }
 
-type BuildInAuth struct {
+type TokenAuthenticator struct {
 }
 
-func (ba *BuildInAuth) Identify(r *http.Request) error {
-	df, ok := mgr.DynamicPluginFunc(mgr.AUTH, "Identify").(func(r *http.Request) error)
-	if ok {
-		return df(r)
+func (ba *TokenAuthenticator) Identify(req *http.Request) error {
+	if !rbac.Enabled() {
+		return nil
+	}
+	if !mustAuth(req) {
+		return nil
 	}
 
+	v := req.Header.Get(restful.HeaderAuth)
+	if v == "" {
+		return errors.New("should provide token in header")
+	}
+	s := strings.Split(v, " ")
+	if len(s) != 2 {
+		return errors.New("invalid auth header")
+	}
+	to := s[1]
+	//TODO rbac
+	claims, err := authr.Authenticate(req.Context(), to)
+	if err != nil {
+		log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
+		return err
+	}
+	log.Info("user access")
+	req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
+	*req = *req2
 	return nil
 }
+func mustAuth(req *http.Request) bool {
+	if strings.Contains(req.URL.Path, "/v4/token") {

Review comment:
       ok



