From 3126743eee5a31ea77cedd54c17b540eadb88930 Mon Sep 17 00:00:00 2001 From: Haotian Zhang Date: Tue, 19 Nov 2024 17:41:35 +0800 Subject: [PATCH] feat:support auth. (#1459) --- CHANGELOG.md | 1 + pom.xml | 1 + spring-cloud-starter-tencent-all/pom.xml | 5 + .../DecodeTransferMetadataReactiveFilter.java | 2 - .../pom.xml | 106 ++++++++++++++++++ .../auth/config/AuthConfigModifier.java | 46 ++++++++ .../config/PolarisAuthAutoConfiguration.java | 86 ++++++++++++++ .../auth/config/PolarisAuthProperties.java | 40 +++++++ ...olarisAuthPropertiesAutoConfiguration.java | 39 +++++++ ...sAuthPropertiesBootstrapConfiguration.java | 34 ++++++ .../auth/filter/AuthReactiveFilter.java | 70 ++++++++++++ .../auth/filter/AuthServletFilter.java | 67 +++++++++++ .../polaris/auth/utils/AuthenticateUtils.java | 53 +++++++++ ...itional-spring-configuration-metadata.json | 10 ++ .../main/resources/META-INF/spring.factories | 2 + ...ot.autoconfigure.AutoConfiguration.imports | 2 + .../cloud/common/constant/OrderConstant.java | 19 +++- .../metadata/MetadataContextHolder.java | 4 +- spring-cloud-tencent-coverage/pom.xml | 9 +- spring-cloud-tencent-dependencies/pom.xml | 6 + .../tsf-example/provider-demo/pom.xml | 5 + spring-cloud-tencent-polaris-context/pom.xml | 5 + .../context/PolarisSDKContextManager.java | 17 +++ 23 files changed, 621 insertions(+), 8 deletions(-) create mode 100644 spring-cloud-starter-tencent-polaris-auth/pom.xml create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/AuthConfigModifier.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthAutoConfiguration.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthProperties.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesAutoConfiguration.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesBootstrapConfiguration.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthReactiveFilter.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthServletFilter.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/utils/AuthenticateUtils.java create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/additional-spring-configuration-metadata.json create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring.factories create mode 100644 spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports diff --git a/CHANGELOG.md b/CHANGELOG.md index 88faf75d5..b3f469da4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,3 +37,4 @@ - [feat: support lossless config from console & support warmup.](https://github.com/Tencent/spring-cloud-tencent/pull/1435) - [feat:add admin http handler.](https://github.com/Tencent/spring-cloud-tencent/pull/1448) - [feat:support concurrency rate limit.](https://github.com/Tencent/spring-cloud-tencent/pull/1454) +- [feat:support auth.](https://github.com/Tencent/spring-cloud-tencent/pull/1459) diff --git a/pom.xml b/pom.xml index 5781df978..19a8ab879 100644 --- a/pom.xml +++ b/pom.xml @@ -48,6 +48,7 @@ spring-cloud-starter-tencent-polaris-circuitbreaker spring-cloud-starter-tencent-polaris-router spring-cloud-starter-tencent-polaris-contract + spring-cloud-starter-tencent-polaris-auth spring-cloud-tencent-plugin-starters spring-cloud-tencent-dependencies spring-cloud-starter-tencent-all diff --git a/spring-cloud-starter-tencent-all/pom.xml b/spring-cloud-starter-tencent-all/pom.xml index 767a25866..a2a5e53f0 100644 --- a/spring-cloud-starter-tencent-all/pom.xml +++ b/spring-cloud-starter-tencent-all/pom.xml @@ -54,6 +54,11 @@ com.tencent.cloud spring-cloud-starter-tencent-trace-plugin + + + com.tencent.cloud + spring-cloud-starter-tencent-polaris-auth + diff --git a/spring-cloud-starter-tencent-metadata-transfer/src/main/java/com/tencent/cloud/metadata/core/DecodeTransferMetadataReactiveFilter.java b/spring-cloud-starter-tencent-metadata-transfer/src/main/java/com/tencent/cloud/metadata/core/DecodeTransferMetadataReactiveFilter.java index f462f67fe..7e6240aef 100644 --- a/spring-cloud-starter-tencent-metadata-transfer/src/main/java/com/tencent/cloud/metadata/core/DecodeTransferMetadataReactiveFilter.java +++ b/spring-cloud-starter-tencent-metadata-transfer/src/main/java/com/tencent/cloud/metadata/core/DecodeTransferMetadataReactiveFilter.java @@ -98,8 +98,6 @@ public class DecodeTransferMetadataReactiveFilter implements WebFilter, Ordered TransHeadersTransfer.transfer(serverHttpRequest); return webFilterChain.filter(serverWebExchange) - .doOnError(throwable -> LOG.error("handle metadata[{}] error.", - MetadataContextHolder.get(), throwable)) .doFinally((type) -> MetadataContextHolder.remove()); } diff --git a/spring-cloud-starter-tencent-polaris-auth/pom.xml b/spring-cloud-starter-tencent-polaris-auth/pom.xml new file mode 100644 index 000000000..c3fe3df23 --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/pom.xml @@ -0,0 +1,106 @@ + + + + spring-cloud-tencent + com.tencent.cloud + ${revision} + ../pom.xml + + 4.0.0 + spring-cloud-starter-tencent-polaris-auth + Spring Cloud Starter Tencent Polaris Auth + + + + + com.tencent.cloud + spring-cloud-tencent-rpc-enhancement + + + + com.tencent.cloud + spring-cloud-starter-tencent-metadata-transfer + + + + + + com.tencent.polaris + polaris-auth-factory + + + + com.tencent.polaris + auth-block-allow-list + + + + com.tencent.polaris + polaris-test-common + test + + + + com.tencent.polaris + polaris-test-mock-discovery + test + + + junit + junit + + + + + + + org.springframework.boot + spring-boot-starter-web + true + + + + org.springframework.boot + spring-boot-starter-webflux + true + + + + org.springframework.boot + spring-boot-starter-test + test + + + + org.springframework.boot + spring-boot-actuator + true + + + + org.springframework.boot + spring-boot-actuator-autoconfigure + true + + + + org.mockito + mockito-inline + test + + + + org.mockito + mockito-core + test + + + + net.bytebuddy + byte-buddy + test + + + \ No newline at end of file diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/AuthConfigModifier.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/AuthConfigModifier.java new file mode 100644 index 000000000..876b5fc3e --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/AuthConfigModifier.java @@ -0,0 +1,46 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.config; + +import com.tencent.cloud.common.constant.OrderConstant; +import com.tencent.cloud.polaris.context.PolarisConfigModifier; +import com.tencent.polaris.factory.config.ConfigurationImpl; + +/** + * Config modifier for auth. + * + * @author Haotian Zhang + */ +public class AuthConfigModifier implements PolarisConfigModifier { + + private final PolarisAuthProperties polarisAuthProperties; + + public AuthConfigModifier(PolarisAuthProperties polarisAuthProperties) { + this.polarisAuthProperties = polarisAuthProperties; + } + + @Override + public void modify(ConfigurationImpl configuration) { + configuration.getProvider().getAuth().setEnable(polarisAuthProperties.isEnabled()); + } + + @Override + public int getOrder() { + return OrderConstant.Modifier.AUTH_ORDER; + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthAutoConfiguration.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthAutoConfiguration.java new file mode 100644 index 000000000..39adbaa2b --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthAutoConfiguration.java @@ -0,0 +1,86 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.config; + +import com.tencent.cloud.common.constant.OrderConstant; +import com.tencent.cloud.polaris.auth.filter.AuthReactiveFilter; +import com.tencent.cloud.polaris.auth.filter.AuthServletFilter; +import com.tencent.cloud.polaris.context.PolarisSDKContextManager; +import com.tencent.cloud.polaris.context.config.PolarisContextAutoConfiguration; + +import org.springframework.boot.autoconfigure.AutoConfigureAfter; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import static com.tencent.cloud.polaris.auth.filter.AuthServletFilter.AUTH_FILTER_BEAN_NAME; +import static jakarta.servlet.DispatcherType.ASYNC; +import static jakarta.servlet.DispatcherType.ERROR; +import static jakarta.servlet.DispatcherType.FORWARD; +import static jakarta.servlet.DispatcherType.INCLUDE; +import static jakarta.servlet.DispatcherType.REQUEST; + +/** + * Auto configuration for auth. + * + * @author Haotian Zhang + */ +@Configuration(proxyBeanMethods = false) +@AutoConfigureAfter(PolarisContextAutoConfiguration.class) +public class PolarisAuthAutoConfiguration { + + /** + * Create when web application type is SERVLET. + */ + @Configuration(proxyBeanMethods = false) + @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) + protected static class AuthServletFilterConfig { + + @Bean + @ConditionalOnMissingBean + public AuthServletFilter authServletFilter(PolarisSDKContextManager polarisSDKContextManager) { + return new AuthServletFilter(polarisSDKContextManager.getAuthAPI()); + } + + @Bean + public FilterRegistrationBean authFilterRegistrationBean( + AuthServletFilter authServletFilter) { + FilterRegistrationBean registrationBean = new FilterRegistrationBean<>( + authServletFilter); + registrationBean.setDispatcherTypes(ASYNC, ERROR, FORWARD, INCLUDE, REQUEST); + registrationBean.setName(AUTH_FILTER_BEAN_NAME); + registrationBean.setOrder(OrderConstant.Server.Servlet.AUTH_FILTER_ORDER); + return registrationBean; + } + } + + /** + * Create when web application type is REACTIVE. + */ + @Configuration(proxyBeanMethods = false) + @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE) + protected static class AuthReactiveFilterConfig { + + @Bean + public AuthReactiveFilter authReactiveFilter(PolarisSDKContextManager polarisSDKContextManager) { + return new AuthReactiveFilter(polarisSDKContextManager.getAuthAPI()); + } + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthProperties.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthProperties.java new file mode 100644 index 000000000..cbef2320c --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthProperties.java @@ -0,0 +1,40 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + * + */ + +package com.tencent.cloud.polaris.auth.config; + +import org.springframework.boot.context.properties.ConfigurationProperties; + +/** + * The properties for auth. + * + * @author Haotian Zhang + */ +@ConfigurationProperties("spring.cloud.polaris.auth") +public class PolarisAuthProperties { + + private boolean enabled = true; + + public boolean isEnabled() { + return enabled; + } + + public void setEnabled(boolean enabled) { + this.enabled = enabled; + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesAutoConfiguration.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesAutoConfiguration.java new file mode 100644 index 000000000..9c2cc2ce1 --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesAutoConfiguration.java @@ -0,0 +1,39 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.config; + +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +/** + * Properties auto configuration of auth. + * + * @author Haotian Zhang + */ +@Configuration(proxyBeanMethods = false) +@EnableConfigurationProperties(PolarisAuthProperties.class) +public class PolarisAuthPropertiesAutoConfiguration { + + @Bean + @ConditionalOnMissingBean + public AuthConfigModifier authConfigModifier(PolarisAuthProperties polarisAuthProperties) { + return new AuthConfigModifier(polarisAuthProperties); + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesBootstrapConfiguration.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesBootstrapConfiguration.java new file mode 100644 index 000000000..f30472292 --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesBootstrapConfiguration.java @@ -0,0 +1,34 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.config; + +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; + +/** + * Autoconfiguration of auth at bootstrap phase. + * + * @author Haotian Zhang + */ +@Configuration(proxyBeanMethods = false) +@ConditionalOnProperty("spring.cloud.polaris.enabled") +@Import(PolarisAuthPropertiesAutoConfiguration.class) +public class PolarisAuthPropertiesBootstrapConfiguration { + +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthReactiveFilter.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthReactiveFilter.java new file mode 100644 index 000000000..39b245702 --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthReactiveFilter.java @@ -0,0 +1,70 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.filter; + +import com.tencent.cloud.common.constant.OrderConstant; +import com.tencent.cloud.common.metadata.MetadataContext; +import com.tencent.cloud.polaris.auth.utils.AuthenticateUtils; +import com.tencent.polaris.api.plugin.auth.AuthResult; +import com.tencent.polaris.auth.api.core.AuthAPI; +import com.tencent.polaris.auth.api.rpc.AuthResponse; +import reactor.core.publisher.Mono; + +import org.springframework.core.Ordered; +import org.springframework.core.io.buffer.DataBuffer; +import org.springframework.http.HttpStatus; +import org.springframework.http.server.reactive.ServerHttpResponse; +import org.springframework.web.server.ServerWebExchange; +import org.springframework.web.server.WebFilter; +import org.springframework.web.server.WebFilterChain; + +import static org.springframework.core.io.buffer.DefaultDataBufferFactory.DEFAULT_INITIAL_CAPACITY; + +/** + * Reactive filter to authenticate. + * + * @author Haotian Zhang + */ +public class AuthReactiveFilter implements WebFilter, Ordered { + + private final AuthAPI authAPI; + + public AuthReactiveFilter(AuthAPI authAPI) { + this.authAPI = authAPI; + } + + @Override + public int getOrder() { + return OrderConstant.Server.Reactive.AUTH_FILTER_ORDER; + } + + @Override + public Mono filter(ServerWebExchange exchange, WebFilterChain chain) { + AuthResponse authResponse = AuthenticateUtils.authenticate(authAPI, MetadataContext.LOCAL_NAMESPACE, + MetadataContext.LOCAL_SERVICE, exchange.getRequest().getURI().getPath(), "HTTP", + exchange.getRequest().getMethod().name()); + if (authResponse != null && authResponse.getAuthResult().getCode() + .equals(AuthResult.Code.AuthResultForbidden)) { + ServerHttpResponse response = exchange.getResponse(); + response.setRawStatusCode(HttpStatus.FORBIDDEN.value()); + DataBuffer dataBuffer = response.bufferFactory().allocateBuffer(DEFAULT_INITIAL_CAPACITY); + return response.writeWith(Mono.just(dataBuffer)); + } + return chain.filter(exchange); + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthServletFilter.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthServletFilter.java new file mode 100644 index 000000000..e80152e7c --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthServletFilter.java @@ -0,0 +1,67 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.filter; + +import java.io.IOException; + +import com.tencent.cloud.common.constant.OrderConstant; +import com.tencent.cloud.common.metadata.MetadataContext; +import com.tencent.cloud.polaris.auth.utils.AuthenticateUtils; +import com.tencent.polaris.api.plugin.auth.AuthResult; +import com.tencent.polaris.auth.api.core.AuthAPI; +import com.tencent.polaris.auth.api.rpc.AuthResponse; +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + +import org.springframework.core.annotation.Order; +import org.springframework.http.HttpStatus; +import org.springframework.web.filter.OncePerRequestFilter; + +/** + * Servlet filter to authenticate. + * + * @author Haotian Zhang + */ +@Order(OrderConstant.Server.Servlet.AUTH_FILTER_ORDER) +public class AuthServletFilter extends OncePerRequestFilter { + + /** + * Default Filter Registration Bean Name Defined . + */ + public static final String AUTH_FILTER_BEAN_NAME = "authFilterRegistrationBean"; + + private final AuthAPI authAPI; + + public AuthServletFilter(AuthAPI authAPI) { + this.authAPI = authAPI; + } + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { + AuthResponse authResponse = AuthenticateUtils.authenticate(authAPI, MetadataContext.LOCAL_NAMESPACE, + MetadataContext.LOCAL_SERVICE, request.getRequestURI(), "HTTP", request.getMethod()); + if (authResponse != null && authResponse.getAuthResult().getCode() + .equals(AuthResult.Code.AuthResultForbidden)) { + response.setStatus(HttpStatus.FORBIDDEN.value()); + return; + } + filterChain.doFilter(request, response); + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/utils/AuthenticateUtils.java b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/utils/AuthenticateUtils.java new file mode 100644 index 000000000..b5f5f609e --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/utils/AuthenticateUtils.java @@ -0,0 +1,53 @@ +/* + * Tencent is pleased to support the open source community by making Spring Cloud Tencent available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * Licensed under the BSD 3-Clause License (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://opensource.org/licenses/BSD-3-Clause + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.tencent.cloud.polaris.auth.utils; + +import com.tencent.cloud.common.metadata.MetadataContextHolder; +import com.tencent.polaris.api.plugin.auth.AuthResult; +import com.tencent.polaris.auth.api.core.AuthAPI; +import com.tencent.polaris.auth.api.rpc.AuthRequest; +import com.tencent.polaris.auth.api.rpc.AuthResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Utils for authenticate. + * + * @author Haotian Zhang + */ +public final class AuthenticateUtils { + + private static final Logger LOG = LoggerFactory.getLogger(AuthenticateUtils.class); + + private AuthenticateUtils() { + + } + + public static AuthResponse authenticate(AuthAPI authAPI, String namespace, String service, String path, String protocol, String method) { + // build auth request + AuthRequest authRequest = new AuthRequest(namespace, service, path, protocol, method, MetadataContextHolder.get()); + + try { + return authAPI.authenticate(authRequest); + } + catch (Throwable throwable) { + LOG.error("fail to invoke authenticate of AuthAPI with AuthRequest[{}].", authRequest, throwable); + return new AuthResponse(new AuthResult(AuthResult.Code.AuthResultOk)); + } + } +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/additional-spring-configuration-metadata.json new file mode 100644 index 000000000..f071a15b2 --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/additional-spring-configuration-metadata.json @@ -0,0 +1,10 @@ +{ + "properties": [ + { + "name": "spring.cloud.polaris.auth.enabled", + "type": "java.lang.Boolean", + "defaultValue": true, + "description": "Enable polaris auth or not." + } + ] +} diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring.factories b/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring.factories new file mode 100644 index 000000000..7cb82fb0c --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring.factories @@ -0,0 +1,2 @@ +org.springframework.cloud.bootstrap.BootstrapConfiguration=\ + com.tencent.cloud.polaris.auth.config.PolarisAuthPropertiesBootstrapConfiguration diff --git a/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports new file mode 100644 index 000000000..5c6ccbddf --- /dev/null +++ b/spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports @@ -0,0 +1,2 @@ +com.tencent.cloud.polaris.auth.config.PolarisAuthPropertiesAutoConfiguration +com.tencent.cloud.polaris.auth.config.PolarisAuthAutoConfiguration diff --git a/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/constant/OrderConstant.java b/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/constant/OrderConstant.java index 4d4ef797b..c435541d3 100644 --- a/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/constant/OrderConstant.java +++ b/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/constant/OrderConstant.java @@ -90,10 +90,15 @@ public class OrderConstant { */ public static final int ENHANCED_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10; + /** + * Order of auth filter. + */ + public static final int AUTH_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 11; + /** * Order of rate-limit filter. */ - public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10; + public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 12; } /** @@ -110,10 +115,15 @@ public class OrderConstant { */ public static final int ENHANCED_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10; + /** + * Order of auth filter. + */ + public static final int AUTH_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 11; + /** * Order of rate-limit filter. */ - public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10; + public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 12; } } @@ -157,6 +167,11 @@ public class OrderConstant { */ public static Integer RATE_LIMIT_ORDER = 2; + /** + * Order of auth configuration modifier. + */ + public static Integer AUTH_ORDER = 2; + /** * Order of config configuration modifier. */ diff --git a/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/metadata/MetadataContextHolder.java b/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/metadata/MetadataContextHolder.java index 1f220769d..e4a4d9331 100644 --- a/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/metadata/MetadataContextHolder.java +++ b/spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/metadata/MetadataContextHolder.java @@ -165,10 +165,10 @@ public final class MetadataContextHolder { } } // caller disposable metadata to caller custom disposable metadata - MetadataContainer metadataContainerDownstream = metadataManager.getMetadataContainer(MetadataType.CUSTOM, true); + MetadataContainer metadataContainerDownstream = metadataManager.getMetadataContainer(MetadataType.CUSTOM, false); if (!CollectionUtils.isEmpty(dynamicDisposableMetadata)) { for (Map.Entry entry : dynamicDisposableMetadata.entrySet()) { - metadataContainerDownstream.putMetadataStringValue(entry.getKey(), entry.getValue(), TransitiveType.DISPOSABLE); + metadataContainerDownstream.putMetadataStringValue(entry.getKey(), entry.getValue(), TransitiveType.NONE); } } // caller application metadata to caller application disposable metadata diff --git a/spring-cloud-tencent-coverage/pom.xml b/spring-cloud-tencent-coverage/pom.xml index 8481f826b..f3fa076f1 100644 --- a/spring-cloud-tencent-coverage/pom.xml +++ b/spring-cloud-tencent-coverage/pom.xml @@ -69,6 +69,11 @@ spring-cloud-starter-tencent-polaris-contract + + com.tencent.cloud + spring-cloud-starter-tencent-polaris-auth + + com.tencent.cloud spring-cloud-starter-tencent-discovery-adapter-plugin @@ -83,11 +88,11 @@ com.tencent.cloud spring-cloud-tencent-gateway-plugin - + com.tencent.cloud spring-cloud-tencent-lossless-plugin - + diff --git a/spring-cloud-tencent-dependencies/pom.xml b/spring-cloud-tencent-dependencies/pom.xml index a31c20ede..428a42514 100644 --- a/spring-cloud-tencent-dependencies/pom.xml +++ b/spring-cloud-tencent-dependencies/pom.xml @@ -162,6 +162,12 @@ ${revision} + + com.tencent.cloud + spring-cloud-starter-tencent-polaris-auth + ${revision} + + com.tencent.cloud spring-cloud-starter-tencent-all diff --git a/spring-cloud-tencent-examples/tsf-example/provider-demo/pom.xml b/spring-cloud-tencent-examples/tsf-example/provider-demo/pom.xml index aa82baace..a8e3dedee 100644 --- a/spring-cloud-tencent-examples/tsf-example/provider-demo/pom.xml +++ b/spring-cloud-tencent-examples/tsf-example/provider-demo/pom.xml @@ -32,6 +32,11 @@ spring-cloud-starter-tencent-polaris-ratelimit + + com.tencent.cloud + spring-cloud-starter-tencent-polaris-auth + + org.springframework.boot spring-boot-starter-web diff --git a/spring-cloud-tencent-polaris-context/pom.xml b/spring-cloud-tencent-polaris-context/pom.xml index acfb7f741..491ef31b9 100644 --- a/spring-cloud-tencent-polaris-context/pom.xml +++ b/spring-cloud-tencent-polaris-context/pom.xml @@ -135,6 +135,11 @@ + + com.tencent.polaris + polaris-auth-factory + + com.tencent.polaris polaris-client diff --git a/spring-cloud-tencent-polaris-context/src/main/java/com/tencent/cloud/polaris/context/PolarisSDKContextManager.java b/spring-cloud-tencent-polaris-context/src/main/java/com/tencent/cloud/polaris/context/PolarisSDKContextManager.java index 26fe59e6b..04cf3b314 100644 --- a/spring-cloud-tencent-polaris-context/src/main/java/com/tencent/cloud/polaris/context/PolarisSDKContextManager.java +++ b/spring-cloud-tencent-polaris-context/src/main/java/com/tencent/cloud/polaris/context/PolarisSDKContextManager.java @@ -30,6 +30,8 @@ import com.tencent.polaris.api.core.ProviderAPI; import com.tencent.polaris.api.utils.CollectionUtils; import com.tencent.polaris.assembly.api.AssemblyAPI; import com.tencent.polaris.assembly.factory.AssemblyAPIFactory; +import com.tencent.polaris.auth.api.core.AuthAPI; +import com.tencent.polaris.auth.factory.AuthAPIFactory; import com.tencent.polaris.circuitbreak.api.CircuitBreakAPI; import com.tencent.polaris.circuitbreak.factory.CircuitBreakAPIFactory; import com.tencent.polaris.client.api.SDKContext; @@ -64,6 +66,7 @@ public class PolarisSDKContextManager { private volatile static RouterAPI routerAPI; private volatile static CircuitBreakAPI circuitBreakAPI; private volatile static LimitAPI limitAPI; + private volatile static AuthAPI authAPI; private volatile static AssemblyAPI assemblyAPI; private final PolarisContextProperties properties; private final Environment environment; @@ -117,6 +120,12 @@ public class PolarisSDKContextManager { limitAPI = null; } + // destroy AuthAPI + if (Objects.nonNull(authAPI)) { + ((AutoCloseable) authAPI).close(); + authAPI = null; + } + // destroy AssemblyAPI if (Objects.nonNull(assemblyAPI)) { ((Destroyable) assemblyAPI).destroy(); @@ -198,6 +207,11 @@ public class PolarisSDKContextManager { return limitAPI; } + public AuthAPI getAuthAPI() { + initService(); + return authAPI; + } + public AssemblyAPI getAssemblyAPI() { return assemblyAPI; } @@ -254,6 +268,9 @@ public class PolarisSDKContextManager { // init LimitAPI limitAPI = LimitAPIFactory.createLimitAPIByContext(serviceSdkContext); + // init AuthAPI + authAPI = AuthAPIFactory.createAuthAPIByContext(serviceSdkContext); + // init AssemblyAPI assemblyAPI = AssemblyAPIFactory.createAssemblyAPIByContext(serviceSdkContext);