Posted to commits@servicecomb.apache.org by li...@apache.org on 2023/02/03 02:55:07 UTC

[servicecomb-service-center] branch mod updated (0e2fa607 -> c33787c7)

This is an automated email from the ASF dual-hosted git repository.

littlecui pushed a change to branch mod
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git


    omit 0e2fa607 bugfix: return 'no permission' when discover provider in specify env
     add bd25fc1e bugfix: return 'no permission' when discover provider in specify env (#1370)
     add 2d48e69f Bump json5 from 1.0.1 to 1.0.2 in /ux (#1369)
     add 36be1317 Bump qs from 6.5.2 to 6.5.3 in /ux (#1364)
     add 11844f2a Bump github.com/labstack/echo/v4 from 4.7.2 to 4.9.0 (#1343)
     add f11564bd Bump ansi-regex, ansi-regex and ansi-regex in /ux (#1346)
     new c33787c7 [fix]bad performance in login API

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (0e2fa607)
            \
             N -- N -- N   refs/heads/mod (c33787c7)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 go.mod                           |   2 +-
 go.sum                           |   4 +-
 pkg/privacy/password_test.go     |  35 ++++++++++--
 server/service/rbac/rbac.go      |  36 ++++++------
 server/service/rbac/rbac_test.go |  59 +++++++++++++-------
 ux/package-lock.json             | 116 ++++++++++++++++++---------------------
 6 files changed, 142 insertions(+), 110 deletions(-)


[servicecomb-service-center] 01/01: [fix]bad performance in login API

Posted by li...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

littlecui pushed a commit to branch mod
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git

commit c33787c700bec064d0821d9a9319c3abd5b4e6f8
Author: little-cui <su...@qq.com>
AuthorDate: Fri Feb 3 10:43:08 2023 +0800

    [fix]bad performance in login API
---
 pkg/privacy/password_test.go     | 35 +++++++++++++++++++++---
 server/service/rbac/rbac.go      | 36 ++++++++++++------------
 server/service/rbac/rbac_test.go | 59 ++++++++++++++++++++++++++--------------
 3 files changed, 87 insertions(+), 43 deletions(-)

diff --git a/pkg/privacy/password_test.go b/pkg/privacy/password_test.go
index e2a32514..448b023d 100644
--- a/pkg/privacy/password_test.go
+++ b/pkg/privacy/password_test.go
@@ -38,24 +38,51 @@ func (m mockPassword) CheckPassword(hashedPwd, pwd string) bool {
 	return true
 }
 
-func BenchmarkScrypt(b *testing.B) {
+func BenchmarkSamePassword(b *testing.B) {
 	h, _ := privacy.ScryptPassword("test")
 	for i := 0; i < b.N; i++ {
 		same := privacy.SamePassword(h, "test")
 		if !same {
-			panic("")
+			b.Fatal()
 		}
 
 	}
 	b.ReportAllocs()
 }
-func BenchmarkScryptP(b *testing.B) {
+func BenchmarkSamePasswordP500(b *testing.B) {
 	h, _ := privacy.ScryptPassword("test")
+	b.SetParallelism(500)
 	b.RunParallel(func(pb *testing.PB) {
 		for pb.Next() {
 			same := privacy.SamePassword(h, "test")
 			if !same {
-				panic("")
+				b.Fatal()
+			}
+		}
+	})
+	b.ReportAllocs()
+}
+func BenchmarkSamePasswordP1000(b *testing.B) {
+	h, _ := privacy.ScryptPassword("test")
+	b.SetParallelism(1000)
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			same := privacy.SamePassword(h, "test")
+			if !same {
+				b.Fatal()
+			}
+		}
+	})
+	b.ReportAllocs()
+}
+func BenchmarkSamePasswordP5000(b *testing.B) {
+	h, _ := privacy.ScryptPassword("test")
+	b.SetParallelism(5000)
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			same := privacy.SamePassword(h, "test")
+			if !same {
+				b.Fatal()
 			}
 		}
 	})
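Review bot: `b.Fatal()` is called inside the `b.RunParallel` body in BenchmarkSamePasswordP500, P1000 and P5000, but the testing package requires FailNow/Fatal to be called from the goroutine running the benchmark function, and RunParallel executes its body on worker goroutines. Report the failure with `b.Error("SamePassword rejected the correct password")` followed by `return` instead. The error from `privacy.ScryptPassword("test")` is also discarded with `_` in every benchmark, so a failed hash setup would only surface as an unexplained mismatch; check it before the loop. The body of the last benchmark continues past the end of this hunk.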
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index cd9e8a68..5d1808ef 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -44,6 +44,9 @@ var (
 	ErrNoPermChangeAccount  = errors.New("can not change other account password")
 	ErrWrongPassword        = errors.New("current pwd is wrong")
 	ErrSamePassword         = errors.New("the password can not be same as old one")
+	ErrNoPrivateKey         = errors.New("read private key failed")
+
+	privateKey *rsa.PrivateKey
 )
 
 // Init decide whether enable rbac function and save the build-in roles to db
@@ -97,11 +100,22 @@ func readPrivateKey() {
 		log.Fatal("can not read private key", err)
 		return
 	}
-	err = archaius.Set("rbac_private_key", string(data))
+	content := string(data)
+	err = archaius.Set("rbac_private_key", content)
 	if err != nil {
 		log.Fatal("can not init rbac", err)
 		return
 	}
+	privateKeyContent, err := cipher.Decrypt(content)
+	if err != nil {
+		log.Warn("cipher fallback: " + err.Error())
+		privateKeyContent = content
+	}
+	privateKey, err = secret.ParseRSAPrivateKey(privateKeyContent)
+	if err != nil {
+		log.Error("can not parse private key", err)
+		return
+	}
 	log.Info("read private key success")
 }
 
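Review bot: A key that fails `secret.ParseRSAPrivateKey` is only logged with `log.Error` before returning, while the two earlier failures in this function go through `log.Fatal`, so the service can apparently come up with `privateKey` left nil and every later `GetPrivateKey` call returning ErrNoPrivateKey. Handle the parse failure like the read failure, e.g. `log.Fatal("can not parse private key", err)`, so a bad key is caught at start-up rather than at the first login. The decrypt fallback deserves a comment stating that a `cipher.Decrypt` error makes the file content be used as a plaintext key, since a misconfigured cipher then goes unnoticed apart from one warning line. If nothing else still reads `rbac_private_key` from archaius (the only reader visible in this diff is removed), the `archaius.Set` call could be dropped so the key material is not also held in the config store. readPrivateKey starts above this hunk.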
@@ -167,26 +181,12 @@ func PublicKey() string {
 	return archaius.GetString("rbac_public_key", "")
 }
 
-// privateKey get decrypted private key to verify a token
-func privateKey() string {
-	ep := archaius.GetString("rbac_private_key", "")
-	p, err := cipher.Decrypt(ep)
-	if err != nil {
-		log.Warn("cipher fallback: " + err.Error())
-		return ep
-	}
-	return p
-}
-
 // GetPrivateKey return rsa key instance
 func GetPrivateKey() (*rsa.PrivateKey, error) {
-	sk := privateKey()
-	p, err := secret.ParseRSAPrivateKey(sk)
-	if err != nil {
-		log.Error("can not get key:", err)
-		return nil, err
+	if privateKey == nil {
+		return nil, ErrNoPrivateKey
 	}
-	return p, nil
+	return privateKey, nil
 }
 
 // MakeBanKey return ban key
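Review bot: `GetPrivateKey` now hands out the package-level `privateKey` pointer that `readPrivateKey` assigns, and neither side is synchronized; if `Init` can run more than once or alongside request handling (rbac_test.go calls `rbacsvc.Init()` in a subtest), the read and the write race. Every caller also shares the same `*rsa.PrivateKey`, and a key replaced in configuration after start-up is no longer picked up, which the removed per-call lookup did. The doc comment should say so, for example `// GetPrivateKey returns the RSA key parsed once by readPrivateKey; it returns ErrNoPrivateKey when no key was parsed.`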
diff --git a/server/service/rbac/rbac_test.go b/server/service/rbac/rbac_test.go
index e411a761..b424eaeb 100644
--- a/server/service/rbac/rbac_test.go
+++ b/server/service/rbac/rbac_test.go
@@ -22,10 +22,11 @@ import (
 	"os"
 	"testing"
 
+	_ "github.com/apache/servicecomb-service-center/test"
+
 	"github.com/apache/servicecomb-service-center/pkg/privacy"
 	"github.com/apache/servicecomb-service-center/server/config"
 	rbacsvc "github.com/apache/servicecomb-service-center/server/service/rbac"
-	_ "github.com/apache/servicecomb-service-center/test"
 	beego "github.com/beego/beego/v2/server/web"
 	"github.com/go-chassis/cari/discovery"
 	"github.com/go-chassis/cari/pkg/errsvc"
@@ -68,10 +69,12 @@ func init() {
 }
 
 func TestInitRBAC(t *testing.T) {
+	ctx := context.Background()
+
 	t.Run("login and authenticate", func(t *testing.T) {
-		token, err := authr.Login(context.Background(), "root", "Complicated_password1")
+		token, err := authr.Login(ctx, "root", "Complicated_password1")
 		assert.NoError(t, err)
-		claims, err := authr.Authenticate(context.Background(), token)
+		claims, err := authr.Authenticate(ctx, token)
 		assert.NoError(t, err)
 		assert.Equal(t, "root", claims.(map[string]interface{})[rbac.ClaimsUser])
 	})
@@ -80,35 +83,43 @@ func TestInitRBAC(t *testing.T) {
 		rbacsvc.Init()
 	})
 
+	t.Run("get private key after init should be not nil", func(t *testing.T) {
+		key, err := rbacsvc.GetPrivateKey()
+		assert.NoError(t, err)
+		assert.NotNil(t, key)
+	})
+
 	t.Run("change pwd,admin can change any one password", func(t *testing.T) {
-		persisted := newAccount("admin_change_other_pwd")
-		err := rbacsvc.CreateAccount(context.Background(), persisted)
+		accountName := "admin_change_other_pwd"
+		persisted := newAccount(accountName)
+		err := rbacsvc.CreateAccount(ctx, persisted)
 		assert.NoError(t, err)
-		context.Background()
+		defer rbacsvc.DeleteAccount(ctx, accountName)
 
 		claims := map[string]interface{}{
 			rbac.ClaimsUser:  "test",
 			rbac.ClaimsRoles: []interface{}{rbac.RoleAdmin},
 		}
-		ctx := context.WithValue(context.Background(), rbacsvc.CtxRequestClaims, claims)
+		ctx := context.WithValue(ctx, rbacsvc.CtxRequestClaims, claims)
 		err = rbacsvc.ChangePassword(ctx, &rbac.Account{Name: persisted.Name, Password: "Complicated_password2"})
 		assert.NoError(t, err)
-		a, err := rbacsvc.GetAccount(context.Background(), persisted.Name)
+		a, err := rbacsvc.GetAccount(ctx, persisted.Name)
 		assert.NoError(t, err)
 		assert.True(t, privacy.SamePassword(a.Password, "Complicated_password2"))
 	})
 	t.Run("admin change self, must provide current pwd", func(t *testing.T) {
-		name := "admin_change_self"
-		a := newAccount(name)
+		accountName := "admin_change_self"
+		a := newAccount(accountName)
 		a.Roles = []string{rbac.RoleAdmin}
 		err := rbacsvc.CreateAccount(context.TODO(), a)
 		assert.Nil(t, err)
+		defer rbacsvc.DeleteAccount(ctx, accountName)
 
 		claims := map[string]interface{}{
-			rbac.ClaimsUser:  name,
+			rbac.ClaimsUser:  accountName,
 			rbac.ClaimsRoles: []interface{}{rbac.RoleAdmin},
 		}
-		ctx := context.WithValue(context.Background(), rbacsvc.CtxRequestClaims, claims)
+		ctx := context.WithValue(ctx, rbacsvc.CtxRequestClaims, claims)
 		err = rbacsvc.ChangePassword(ctx, &rbac.Account{Name: a.Name, CurrentPassword: "", Password: testPwd1})
 		assert.True(t, errsvc.IsErrEqualCode(err, discovery.ErrInvalidParams))
 
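Review bot: `ctx := context.WithValue(ctx, rbacsvc.CtxRequestClaims, claims)` shadows the new outer `ctx`, so the following `rbacsvc.GetAccount(ctx, persisted.Name)` now runs with the claims-bearing context where it used `context.Background()` before; the same shadowing is repeated in the subtests of the next hunk. Give the derived context its own name, e.g. `claimsCtx := context.WithValue(ctx, rbacsvc.CtxRequestClaims, claims)`, and pass it only to `ChangePassword`. The new "get private key after init should be not nil" subtest also relies on running after the subtest that calls `rbacsvc.Init()`, which is worth a one-line comment. TestInitRBAC starts before and continues past this hunk.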
@@ -116,33 +127,39 @@ func TestInitRBAC(t *testing.T) {
 		assert.Nil(t, err)
 	})
 	t.Run("change self password", func(t *testing.T) {
-		a := newAccount("change_self_pwd")
-		err := rbacsvc.CreateAccount(context.Background(), a)
+		accountName := "change_self_pwd"
+		a := newAccount(accountName)
+		err := rbacsvc.CreateAccount(ctx, a)
 		assert.NoError(t, err)
+		defer rbacsvc.DeleteAccount(ctx, accountName)
+
 		claims := map[string]interface{}{
-			rbac.ClaimsUser:  "change_self_pwd",
+			rbac.ClaimsUser:  accountName,
 			rbac.ClaimsRoles: []interface{}{rbac.RoleDeveloper},
 		}
-		ctx := context.WithValue(context.Background(), rbacsvc.CtxRequestClaims, claims)
+		ctx := context.WithValue(ctx, rbacsvc.CtxRequestClaims, claims)
 		err = rbacsvc.ChangePassword(ctx, &rbac.Account{Name: a.Name, CurrentPassword: testPwd0, Password: testPwd1})
 		assert.NoError(t, err)
-		resp, err := rbacsvc.GetAccount(context.Background(), a.Name)
+		resp, err := rbacsvc.GetAccount(ctx, a.Name)
 		assert.NoError(t, err)
 		assert.True(t, privacy.SamePassword(resp.Password, testPwd1))
 	})
 	t.Run("no admin account change other user password, should return: "+discovery.NewError(discovery.ErrForbidden, "").Error(), func(t *testing.T) {
-		a := newAccount("test")
+		accountName := "test"
+		a := newAccount(accountName)
+		defer rbacsvc.DeleteAccount(ctx, accountName)
+
 		claims := map[string]interface{}{
 			rbac.ClaimsUser:  "change_other_user_password",
 			rbac.ClaimsRoles: []interface{}{rbac.RoleDeveloper},
 		}
-		ctx := context.WithValue(context.Background(), rbacsvc.CtxRequestClaims, claims)
+		ctx := context.WithValue(ctx, rbacsvc.CtxRequestClaims, claims)
 		err := rbacsvc.ChangePassword(ctx, &rbac.Account{Name: a.Name, CurrentPassword: testPwd0, Password: testPwd1})
 		assert.True(t, errsvc.IsErrEqualCode(err, discovery.ErrForbidden))
 	})
 }
 
-func BenchmarkAuthResource_Login(b *testing.B) {
+func BenchmarkAuthResource_LoginP(b *testing.B) {
 	b.RunParallel(func(pb *testing.PB) {
 		for pb.Next() {
 			_, err := authr.Login(context.TODO(), "root", "Complicated_password1")
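Review bot: In the "no admin account change other user password" subtest, `defer rbacsvc.DeleteAccount(ctx, accountName)` targets an account named "test" that the visible lines build with `newAccount` but never pass to `CreateAccount`, so the cleanup either fails unnoticed or removes an account set up elsewhere. Drop the defer in that subtest, or create the account first. In the other subtests the result of the deferred call is ignored; checking it, or discarding it explicitly with a short comment that the cleanup is best-effort, would make the intent clear.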
@@ -153,7 +170,7 @@ func BenchmarkAuthResource_Login(b *testing.B) {
 	})
 	b.ReportAllocs()
 }
-func BenchmarkAuthResource_Login2(b *testing.B) {
+func BenchmarkAuthResource_Login(b *testing.B) {
 	for i := 0; i < b.N; i++ {
 		_, err := authr.Login(context.TODO(), "root", "Complicated_password1")
 		if err != nil {