This is an automated email from the ASF dual-hosted git repository.

youling1128 pushed a commit to branch patch-2.2.0
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git


The following commit(s) were added to refs/heads/patch-2.2.0 by this push:
     new 6f46e0a5 [fix] fix the problem of vertial ultra vires when only open 
the console auth (#1484)
6f46e0a5 is described below

commit 6f46e0a56c48a754ae318a45f09b68230bc5d0cd
Author: tornado-ssy <[email protected]>
AuthorDate: Thu Jun 27 22:37:18 2024 +0800

    [fix] fix the problem of vertial ultra vires when only open the console 
auth (#1484)
---
 etc/conf/app.conf                     |  1 +
 server/config/config.go               |  3 ++-
 server/config/server.go               |  5 +++--
 server/plugin/auth/buildin/buildin.go | 28 ++++++++++++++++++++--------
 server/service/rbac/rbac.go           |  6 +++++-
 5 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index ff086dfc..0c61a546 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -25,6 +25,7 @@ frontend_endpoint_cidr = 127.0.0.1/32
 # httpaddr = fe80::f816:3eff:fe17:c38b%eth0 (link-local scope)
 httpaddr = 127.0.0.1
 httpport = 30100
+rbac_allow_missToken = ${RBAC_ALLOW_MISSTOKEN||false}
 
 ###################################################################
 # sever options (deprecated, pls use app.yaml instead)
diff --git a/server/config/config.go b/server/config/config.go
index f0af627f..e12097d3 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -185,7 +185,8 @@ func loadServerConfig() ServerConfig {
 
                        SchemaDisable: GetBool("registry.schema.disable", 
false, WithENV("SCHEMA_DISABLE")),
 
-                       EnableRBAC: GetBool("rbac.enable", false, 
WithStandby("rbac_enabled")),
+                       EnableRBAC:     GetBool("rbac.enable", false, 
WithStandby("rbac_enabled")),
+                       AllowMissToken: GetBool("rbac.allowMissToken", false, 
WithStandby("rbac_allow_missToken")),
                },
        }
 }
diff --git a/server/config/server.go b/server/config/server.go
index 80916979..33fbc522 100644
--- a/server/config/server.go
+++ b/server/config/server.go
@@ -48,7 +48,8 @@ type ServerConfigDetail struct {
        EnablePProf bool `json:"enablePProf"`
        EnableCache bool `json:"enableCache"`
 
-       EnableRBAC bool `json:"enableRBAC"`
+       EnableRBAC     bool `json:"enableRBAC"`
+       AllowMissToken bool `json:"AllowMissToken"`
 
        LogRotateSize   int64  `json:"-"`
        LogBackupCount  int64  `json:"-"`
@@ -64,7 +65,7 @@ type ServerConfigDetail struct {
 
        SelfRegister bool `json:"selfRegister"`
 
-       //CacheTTL is the ttl of cache
+       // CacheTTL is the ttl of cache
        CacheTTL      time.Duration `json:"cacheTTL"`
        GlobalVisible string        `json:"-"`
 
diff --git a/server/plugin/auth/buildin/buildin.go 
b/server/plugin/auth/buildin/buildin.go
index 21f2d045..3621933e 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -22,8 +22,14 @@ import (
        "errors"
        "fmt"
        "net/http"
+       "reflect"
        "strings"
 
+       "github.com/go-chassis/cari/pkg/errsvc"
+       rbacmodel "github.com/go-chassis/cari/rbac"
+       "github.com/go-chassis/go-chassis/v2/security/authr"
+       "github.com/go-chassis/go-chassis/v2/server/restful"
+
        "github.com/apache/servicecomb-service-center/pkg/log"
        "github.com/apache/servicecomb-service-center/pkg/plugin"
        "github.com/apache/servicecomb-service-center/pkg/rest"
@@ -32,13 +38,12 @@ import (
        "github.com/apache/servicecomb-service-center/server/plugin/auth"
        rbacsvc 
"github.com/apache/servicecomb-service-center/server/service/rbac"
        "github.com/apache/servicecomb-service-center/server/service/rbac/token"
-       rbacmodel "github.com/go-chassis/cari/rbac"
-       "github.com/go-chassis/go-chassis/v2/security/authr"
-       "github.com/go-chassis/go-chassis/v2/server/restful"
 )
 
 var ErrNoRoles = errors.New("no role found in token")
 
+const disCoveryType = "*errsvc.Error"
+
 func init() {
        plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin", 
New: New})
 }
@@ -90,15 +95,22 @@ func getRequestPattern(req *http.Request) string {
 }
 
 func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string) 
(*rbacmodel.Account, error) {
-       if !rbacsvc.MustAuth(pattern) {
-               return nil, nil
+       account, err := ba.VerifyRequest(req)
+       if err == nil {
+               return account, err
        }
-       return ba.VerifyRequest(req)
+       if rbacsvc.MustAuth(pattern) {
+               return nil, err
+       }
+       return nil, nil
 }
 
 func (ba *TokenAuthenticator) VerifyRequest(req *http.Request) 
(*rbacmodel.Account, error) {
        claims, err := ba.VerifyToken(req)
        if err != nil {
+               if reflect.TypeOf(err).String() == disCoveryType && 
err.(*errsvc.Error).Code == rbacmodel.ErrNoAuthHeader && 
rbacsvc.AllowMissToken() {
+                       return nil, nil
+               }
                log.Error(fmt.Sprintf("verify request token failed, %s %s", 
req.Method, req.RequestURI), err)
                return nil, err
        }
@@ -172,12 +184,12 @@ func checkPerm(roleList []string, req *http.Request) 
([]map[string]string, error
        if hasAdmin {
                return nil, nil
        }
-       //todo fast check for dev role
+       // todo fast check for dev role
        targetResource := FromRequest(req)
        if targetResource == nil {
                return nil, errors.New("no valid resouce scope")
        }
-       //TODO add project
+       // TODO add project
        project := req.URL.Query().Get(":project")
        return rbacsvc.Allow(req.Context(), project, normalRoles, 
targetResource)
 }
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index 5d1808ef..3c3ff5d1 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -135,7 +135,7 @@ func readPublicKey() {
        log.Info("read public key success")
 }
 func initFirstTime() {
-       //handle root account
+       // handle root account
        pwd := getPassword()
        if len(pwd) == 0 {
                log.Warn("skip init root account! Cause by " + InitPassword + " 
is empty. " +
@@ -176,6 +176,10 @@ func Enabled() bool {
        return config.GetRBAC().EnableRBAC
 }
 
+func AllowMissToken() bool {
+       return config.GetRBAC().AllowMissToken
+}
+
 // PublicKey get public key to verify a token
 func PublicKey() string {
        return archaius.GetString("rbac_public_key", "")

Reply via email to