This is an automated email from the ASF dual-hosted git repository.
youling1128 pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/dev by this push:
new eaf52a2a fix some rbac problems (#1485)
eaf52a2a is described below
commit eaf52a2a27c1fb8b6dbf1fb320654bc97f5ef9fc
Author: tornado-ssy <[email protected]>
AuthorDate: Mon Jul 15 22:01:59 2024 +0800
fix some rbac problems (#1485)
---
etc/conf/app.conf | 1 +
server/config/config.go | 3 ++-
server/config/server.go | 5 +++--
server/plugin/auth/buildin/buildin.go | 24 +++++++++++++++++++++---
server/service/rbac/rbac.go | 6 +++++-
5 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index ff086dfc..0c61a546 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -25,6 +25,7 @@ frontend_endpoint_cidr = 127.0.0.1/32
# httpaddr = fe80::f816:3eff:fe17:c38b%eth0 (link-local scope)
httpaddr = 127.0.0.1
httpport = 30100
+rbac_allow_missToken = ${RBAC_ALLOW_MISSTOKEN||false}
###################################################################
# sever options (deprecated, pls use app.yaml instead)
diff --git a/server/config/config.go b/server/config/config.go
index b500022c..a19fb49e 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -186,7 +186,8 @@ func loadServerConfig() ServerConfig {
SchemaDisable: GetBool("registry.schema.disable",
false, WithENV("SCHEMA_DISABLE")),
SchemaRootPath:
GetString("registry.schema.schemaRootPath", "", WithENV("SCHEMA_ROOT_PATH")),
- EnableRBAC: GetBool("rbac.enable", false,
WithStandby("rbac_enabled")),
+ EnableRBAC: GetBool("rbac.enable", false,
WithStandby("rbac_enabled")),
+ AllowMissToken: GetBool("rbac.allowMissToken", false,
WithStandby("rbac_allow_missToken")),
},
}
}
diff --git a/server/config/server.go b/server/config/server.go
index 9a2a0f28..107307d5 100644
--- a/server/config/server.go
+++ b/server/config/server.go
@@ -48,7 +48,8 @@ type ServerConfigDetail struct {
EnablePProf bool `json:"enablePProf"`
EnableCache bool `json:"enableCache"`
- EnableRBAC bool `json:"enableRBAC"`
+ EnableRBAC bool `json:"enableRBAC"`
+ AllowMissToken bool `json:"AllowMissToken"`
LogRotateSize int64 `json:"-"`
LogBackupCount int64 `json:"-"`
@@ -64,7 +65,7 @@ type ServerConfigDetail struct {
SelfRegister bool `json:"selfRegister"`
- //CacheTTL is the ttl of cache
+ // CacheTTL is the ttl of cache
CacheTTL time.Duration `json:"cacheTTL"`
GlobalVisible string `json:"-"`
diff --git a/server/plugin/auth/buildin/buildin.go
b/server/plugin/auth/buildin/buildin.go
index d9570c7c..e22e2668 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -23,9 +23,11 @@ import (
"errors"
"fmt"
"net/http"
+ "reflect"
"strings"
"time"
+ "github.com/go-chassis/cari/pkg/errsvc"
rbacmodel "github.com/go-chassis/cari/rbac"
"github.com/go-chassis/go-chassis/v2/security/authr"
"github.com/go-chassis/go-chassis/v2/server/restful"
@@ -47,6 +49,10 @@ var tokenCache = cache.New(cacheDefaultExpireTime,
cacheDefaultCleanUpTime)
const cacheErrorItemExpTime = 5 * time.Minute
const cacheDefaultExpireTime = 5 * time.Minute
const cacheDefaultCleanUpTime = 10 * time.Minute
+const getEnvirOnMentPath = "environments"
+const getVerb = "get"
+
+const disCoveryType = "*errsvc.Error"
func init() {
plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin",
New: New})
@@ -99,15 +105,22 @@ func getRequestPattern(req *http.Request) string {
}
func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string)
(*rbacmodel.Account, error) {
- if !rbacsvc.MustAuth(pattern) {
- return nil, nil
+ account, err := ba.VerifyRequest(req)
+ if err == nil {
+ return account, err
+ }
+ if rbacsvc.MustAuth(pattern) {
+ return nil, err
}
- return ba.VerifyRequest(req)
+ return nil, nil
}
func (ba *TokenAuthenticator) VerifyRequest(req *http.Request)
(*rbacmodel.Account, error) {
claims, err := ba.VerifyToken(req)
if err != nil {
+ if reflect.TypeOf(err).String() == disCoveryType &&
err.(*errsvc.Error).Code == rbacmodel.ErrNoAuthHeader &&
rbacsvc.AllowMissToken() {
+ return nil, nil
+ }
log.Error(fmt.Sprintf("verify request token failed, %s %s",
req.Method, req.RequestURI), err)
return nil, err
}
@@ -215,6 +228,11 @@ func checkPerm(roleList []string, req *http.Request)
([]map[string]string, error
if hasAdmin {
return nil, nil
}
+ pattern := getRequestPattern(req)
+ verb := rbacsvc.MethodToVerbs[req.Method]
+ if strings.Contains(pattern, getEnvirOnMentPath) && verb == getVerb {
+ return nil, nil
+ }
// todo fast check for dev role
targetResource := FromRequest(req)
if targetResource == nil {
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index 5d1808ef..3c3ff5d1 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -135,7 +135,7 @@ func readPublicKey() {
log.Info("read public key success")
}
func initFirstTime() {
- //handle root account
+ // handle root account
pwd := getPassword()
if len(pwd) == 0 {
log.Warn("skip init root account! Cause by " + InitPassword + "
is empty. " +
@@ -176,6 +176,10 @@ func Enabled() bool {
return config.GetRBAC().EnableRBAC
}
+func AllowMissToken() bool {
+ return config.GetRBAC().AllowMissToken
+}
+
// PublicKey get public key to verify a token
func PublicKey() string {
return archaius.GetString("rbac_public_key", "")