This is an automated email from the ASF dual-hosted git repository.
littlecui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push:
new ab03c9f0 Change: always authenticate the request with HTTP Header
'Authorization' (#1345)
ab03c9f0 is described below
commit ab03c9f0f6b4ee2256988540bb0c13ff4547a3f3
Author: little-cui <[email protected]>
AuthorDate: Mon Oct 24 17:07:46 2022 +0800
Change: always authenticate the request with HTTP Header 'Authorization'
(#1345)
---
etc/conf/app.yaml | 5 ++++-
server/plugin/auth/buildin/buildin.go | 35 +++++++++++++++++++++++------------
2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/etc/conf/app.yaml b/etc/conf/app.yaml
index 94b940ca..06259fb0 100644
--- a/etc/conf/app.yaml
+++ b/etc/conf/app.yaml
@@ -169,7 +169,10 @@ rbac:
publicKeyFile: ./public.key
releaseLockAfter: 15m # failure login attempt causes account blocking, that
is block duration
retainLockHistoryFor: 20m # the ttl of lock history
- scope: '*' # specify auth resource scope, can be
account,role,service,service/schema,...
+ # specify auth resource scope, can be account,role,service,service/schema,...
+ # The authenticator skip the authentication of the request, if the resource
type of the request is not specified in the scope
+ # The authenticator always authenticate the request with the HTTP Header
'Authorization'.
+ scope: '*'
metrics:
# enable to start metrics gather
diff --git a/server/plugin/auth/buildin/buildin.go
b/server/plugin/auth/buildin/buildin.go
index 3b4eb089..8b092daa 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -55,22 +55,13 @@ func (ba *TokenAuthenticator) Identify(req *http.Request)
error {
return nil
}
- pattern, ok := req.Context().Value(rest.CtxMatchPattern).(string)
- if !ok {
- pattern = req.URL.Path
- log.Warn("can not find api pattern")
- }
-
- if !rbacsvc.MustAuth(pattern) {
- return nil
- }
+ pattern := getRequestPattern(req)
- account, err := ba.VerifyRequest(req)
- if err != nil {
+ account, err := ba.mustAuth(req, pattern)
+ if account == nil || err != nil {
return err
}
- // if account not exist should return auth failure
err = accountExist(req.Context(), account.Name)
if err != nil {
return err
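Review bot: The new guard `if account == nil || err != nil { return err }` lets a request that presented an invalid or expired token to a resource not covered by `rbacsvc.MustAuth` proceed as anonymous, because `mustAuth` (defined in the next hunk) returns `nil, nil` there and drops the verification error; per the commit message that is intended, but the failed verification is now invisible to operators, which matters for detecting token misuse. Consider recording it before the `return nil, nil` in `mustAuth`, e.g. `log.Warn("token verification failed on optional-auth pattern " + pattern + ": " + err.Error())` (at debug level if the project's log package offers one), and documenting the tri-state at the call site: `// account == nil with err == nil: resource does not require auth, request continues anonymously`. Note also that a valid token on an optional-auth path is now verified and run through `accountExist`, which was not the case before; if that lookup or a later step can fail, such previously-open requests will start receiving errors. `Identify` begins before this hunk and ends in the next one.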
@@ -89,6 +80,26 @@ func (ba *TokenAuthenticator) Identify(req *http.Request)
error {
return nil
}
+func getRequestPattern(req *http.Request) string {
+ pattern, ok := req.Context().Value(rest.CtxMatchPattern).(string)
+ if !ok {
+ pattern = req.URL.Path
+ log.Warn("can not find api pattern")
+ }
+ return pattern
+}
+
+func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string)
(*rbacmodel.Account, error) {
+ account, err := ba.VerifyRequest(req)
+ if err == nil {
+ return account, nil
+ }
+ if rbacsvc.MustAuth(pattern) {
+ return nil, err
+ }
+ return nil, nil
+}
+
func (ba *TokenAuthenticator) VerifyRequest(req *http.Request)
(*rbacmodel.Account, error) {
claims, err := ba.VerifyToken(req)
if err != nil {