follow right design pattern of service center (#655)
diff --git a/docs/user-guides/rbac.md b/docs/user-guides/rbac.md
index b8ed63a..6116ab9 100644
--- a/docs/user-guides/rbac.md
+++ b/docs/user-guides/rbac.md
@@ -13,12 +13,11 @@
```
2.edit app.conf
-
-can revoke private.key after each cluster restart,
```ini
rbac_enabled = true
-rbac_rsa_public_key_file = ./public.key
-rbac_rsa_private_key_file = ./private.key
+rbac_rsa_public_key_file = ./public.key # rsa key pairs
+rbac_rsa_private_key_file = ./private.key # rsa key pairs
+auth_plugin = buildin # must set to buildin
```
3.root account
before you start server, you need to set env to set your root account password.
diff --git a/server/handler/auth/auth.go b/server/handler/auth/auth.go
index 7105ca8..6908aff 100644
--- a/server/handler/auth/auth.go
+++ b/server/handler/auth/auth.go
@@ -17,80 +17,34 @@
package auth
import (
- "context"
"github.com/apache/servicecomb-service-center/pkg/chain"
"github.com/apache/servicecomb-service-center/pkg/log"
"github.com/apache/servicecomb-service-center/pkg/rest"
+ "github.com/apache/servicecomb-service-center/server/plugin"
"github.com/apache/servicecomb-service-center/server/rest/controller"
- scerr "github.com/apache/servicecomb-service-center/server/scerror"
- "github.com/apache/servicecomb-service-center/server/service/rbac"
- "github.com/go-chassis/go-chassis/security/authr"
- "github.com/go-chassis/go-chassis/server/restful"
+ "github.com/apache/servicecomb-service-center/server/scerror"
"net/http"
- "strings"
)
type Handler struct {
}
func (h *Handler) Handle(i *chain.Invocation) {
- if !rbac.Enabled() {
+ r := i.Context().Value(rest.CTX_REQUEST).(*http.Request)
+ err := plugin.Plugins().Auth().Identify(r)
+ if err == nil {
i.Next()
return
}
+
+ log.Errorf(err, "authenticate request failed, %s %s", r.Method, r.RequestURI)
+
w := i.Context().Value(rest.CTX_RESPONSE).(http.ResponseWriter)
- req, ok := i.Context().Value(rest.CTX_REQUEST).(*http.Request)
- if !ok {
- controller.WriteError(w, scerr.ErrUnauthorized, "internal error")
- i.Fail(nil)
- return
- }
- if !mustAuth(req) {
- i.Next()
- return
- }
+ controller.WriteError(w, scerror.ErrUnauthorized, err.Error())
- v := req.Header.Get(restful.HeaderAuth)
- if v == "" {
- controller.WriteError(w, scerr.ErrUnauthorized, "should provide token in header")
- i.Fail(nil)
- return
- }
- s := strings.Split(v, " ")
- if len(s) != 2 {
- controller.WriteError(w, scerr.ErrUnauthorized, "invalid auth header")
- i.Fail(nil)
- return
- }
- to := s[1]
- //TODO rbac
- claims, err := authr.Authenticate(i.Context(), to)
- if err != nil {
- log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
- controller.WriteError(w, scerr.ErrUnauthorized, err.Error())
- i.Fail(nil)
- return
- }
- log.Info("user access")
- req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
-
- *req = *req2
- i.Next()
- return
-
+ i.Fail(nil)
}
-func mustAuth(req *http.Request) bool {
- if strings.Contains(req.URL.Path, "/v4/token") {
- return false
- }
- if strings.Contains(req.URL.Path, "/health") {
- return false
- }
- if strings.Contains(req.URL.Path, "/version") {
- return false
- }
- return true
-}
+
func RegisterHandlers() {
chain.RegisterHandler(rest.ServerChainName, &Handler{})
}
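Review bot: The new `r := i.Context().Value(rest.CTX_REQUEST).(*http.Request)` at the top of Handle drops the two-value assertion the removed code had, so a chain that did not populate the request value now panics inside the handler instead of failing the invocation; the later `w := ... .(http.ResponseWriter)` has the same exposure. Both assertions should fail closed with `i.Fail(nil)` rather than rely on a recover higher up. The same authentication failure is also logged twice, once on the `log.Errorf` line here and once inside TokenAuthenticator.Identify in the buildin.go hunk, so one of the two should go; since this handler is the layer that turns the error into a response, the plugin-side log is the one to drop. Returning `err.Error()` to the client predates this change, but it is worth confirming that the authenticator's error text carries no token-parsing detail.
```go
func (h *Handler) Handle(i *chain.Invocation) {
	r, ok := i.Context().Value(rest.CTX_REQUEST).(*http.Request)
	w, wok := i.Context().Value(rest.CTX_RESPONSE).(http.ResponseWriter)
	if !ok || !wok {
		// fail closed: the chain did not populate the request or the response
		i.Fail(nil)
		return
	}
	// … unchanged: Identify call, log.Errorf, controller.WriteError(w, …), i.Fail (drop the later `w :=`) …
```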
diff --git a/server/plugin/auth/buildin/buildin.go b/server/plugin/auth/buildin/buildin.go
index e0d6ec9..bd28f61 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -17,8 +17,15 @@
package buildin
import (
+ "context"
+ "errors"
+ "github.com/apache/servicecomb-service-center/pkg/log"
mgr "github.com/apache/servicecomb-service-center/server/plugin"
+ "github.com/apache/servicecomb-service-center/server/service/rbac"
+ "github.com/go-chassis/go-chassis/security/authr"
+ "github.com/go-chassis/go-chassis/server/restful"
"net/http"
+ "strings"
)
func init() {
@@ -26,17 +33,49 @@
}
func New() mgr.PluginInstance {
- return &BuildInAuth{}
+ return &TokenAuthenticator{}
}
-type BuildInAuth struct {
+type TokenAuthenticator struct {
}
-func (ba *BuildInAuth) Identify(r *http.Request) error {
- df, ok := mgr.DynamicPluginFunc(mgr.AUTH, "Identify").(func(r *http.Request) error)
- if ok {
- return df(r)
+func (ba *TokenAuthenticator) Identify(req *http.Request) error {
+ if !rbac.Enabled() {
+ return nil
+ }
+ if !mustAuth(req) {
+ return nil
}
+ v := req.Header.Get(restful.HeaderAuth)
+ if v == "" {
+ return errors.New("should provide token in header")
+ }
+ s := strings.Split(v, " ")
+ if len(s) != 2 {
+ return errors.New("invalid auth header")
+ }
+ to := s[1]
+ //TODO rbac
+ claims, err := authr.Authenticate(req.Context(), to)
+ if err != nil {
+ log.Errorf(err, "authenticate request failed, %s %s", req.Method, req.RequestURI)
+ return err
+ }
+ log.Info("user access")
+ req2 := req.WithContext(context.WithValue(req.Context(), "accountInfo", claims))
+ *req = *req2
return nil
}
+func mustAuth(req *http.Request) bool {
+ if strings.Contains(req.URL.Path, "/v4/token") {
+ return false
+ }
+ if strings.Contains(req.URL.Path, "/health") {
+ return false
+ }
+ if strings.Contains(req.URL.Path, "/version") {
+ return false
+ }
+ return true
+}
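Review bot: The exemption test in mustAuth is a substring match, `strings.Contains(req.URL.Path, "/v4/token")` and likewise for `/health` and `/version`, so any path that merely contains one of those fragments skips authentication rather than only the three intended endpoints; an exact comparison or `strings.HasPrefix` against the registered route paths keeps the unauthenticated surface to what is listed. The header parsing at `s := strings.Split(v, " ")` accepts any two-token value and never inspects the scheme in `s[0]`, so comparing `s[0]` against the scheme the server issues tokens under would pin the expected format. The key in `context.WithValue(req.Context(), "accountInfo", claims)` is a bare string, which staticcheck SA1029 flags because any other package can set the same key; an unexported key type shared with whatever reads accountInfo (not visible in this diff) avoids the collision. mustAuth and the header parsing were moved here from the handler, so these are carried-over behaviours rather than regressions introduced by this commit.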