You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2020/06/29 11:43:23 UTC

[GitHub] [servicecomb-service-center] jeho0815 commented on a change in pull request #655: follow right design pattern of service center

jeho0815 commented on a change in pull request #655:
URL: https://github.com/apache/servicecomb-service-center/pull/655#discussion_r446905676



##########
File path: server/plugin/auth/buildin/buildin.go
##########
@@ -17,26 +17,65 @@
 package buildin
 
 import (
+	"context"
+	"errors"
+	"github.com/apache/servicecomb-service-center/pkg/log"
 	mgr "github.com/apache/servicecomb-service-center/server/plugin"
+	"github.com/apache/servicecomb-service-center/server/service/rbac"
+	"github.com/go-chassis/go-chassis/security/authr"
+	"github.com/go-chassis/go-chassis/server/restful"
 	"net/http"
+	"strings"
 )
 
 func init() {
 	mgr.RegisterPlugin(mgr.Plugin{mgr.AUTH, "buildin", New})
 }
 
 func New() mgr.PluginInstance {
-	return &BuildInAuth{}
+	return &TokenAuthenticator{}
 }
 
-type BuildInAuth struct {
+type TokenAuthenticator struct {
 }
 
-func (ba *BuildInAuth) Identify(r *http.Request) error {
-	df, ok := mgr.DynamicPluginFunc(mgr.AUTH, "Identify").(func(r *http.Request) error)
-	if ok {
-		return df(r)
+func (ba *TokenAuthenticator) Identify(req *http.Request) error {
+	if !rbac.Enabled() {
+		return nil
+	}
+	if !mustAuth(req) {
+		return nil
 	}
 
+	v := req.Header.Get(restful.HeaderAuth)
+	if v == "" {
+		return errors.New("should provide token in header")
+	}
+	s := strings.Split(v, " ")
+	if len(s) != 2 {
+		return errors.New("invalid auth header")
+	}
+	to := s[1]
+	//TODO rbac
+	claims, err := authr.Authenticate(req.Context(), to)
+	if err != nil {
+		log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
+		return err
+	}
+	log.Info("user access")
+	req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
+	*req = *req2
 	return nil
 }
+func mustAuth(req *http.Request) bool {
+	if strings.Contains(req.URL.Path, "/v4/token") {

Review comment:
       加一个白名单列表配置项来做？可能后面还有其他接口不需要鉴权




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org