-
Notifications
You must be signed in to change notification settings - Fork 342
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Syncer supports to enable rbac (#1487)
- Loading branch information
1 parent
b133e42
commit 983f3f3
Showing
14 changed files
with
404 additions
and
41 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
package rpc | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/go-chassis/cari/rbac" | ||
"github.com/go-chassis/go-chassis/v2/security/authr" | ||
"github.com/go-chassis/go-chassis/v2/server/restful" | ||
"google.golang.org/grpc/metadata" | ||
|
||
"github.com/apache/servicecomb-service-center/pkg/log" | ||
"github.com/apache/servicecomb-service-center/syncer/config" | ||
) | ||
|
||
var errWrongAccountNorRole = fmt.Errorf("account should be %s, and roles should contain %s", RbacAllowedAccountName, RbacAllowedRoleName) | ||
|
||
func auth(ctx context.Context) error { | ||
if !config.GetConfig().Sync.RbacEnabled { | ||
return nil | ||
} | ||
md, ok := metadata.FromIncomingContext(ctx) | ||
if !ok { | ||
return rbac.NewError(rbac.ErrNoAuthHeader, "") | ||
} | ||
|
||
authHeader := md.Get(restful.HeaderAuth) | ||
if len(authHeader) == 0 { | ||
return rbac.NewError(rbac.ErrNoAuthHeader, fmt.Sprintf("header %s not found nor content empty", restful.HeaderAuth)) | ||
} | ||
|
||
s := strings.Split(authHeader[0], " ") | ||
if len(s) != 2 { | ||
return rbac.ErrInvalidHeader | ||
} | ||
to := s[1] | ||
|
||
claims, err := authr.Authenticate(ctx, to) | ||
if err != nil { | ||
return err | ||
} | ||
m, ok := claims.(map[string]interface{}) | ||
if !ok { | ||
log.Error("claims convert failed", rbac.ErrConvert) | ||
return rbac.ErrConvert | ||
} | ||
account, err := rbac.GetAccount(m) | ||
if err != nil { | ||
log.Error("get account from token failed", err) | ||
return err | ||
} | ||
|
||
if account.Name != RbacAllowedAccountName { | ||
return errWrongAccountNorRole | ||
} | ||
for _, role := range account.Roles { | ||
if role == RbacAllowedRoleName { | ||
return nil | ||
} | ||
} | ||
return errWrongAccountNorRole | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
package rpc | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/go-chassis/cari/pkg/errsvc" | ||
"github.com/go-chassis/cari/rbac" | ||
"github.com/go-chassis/go-chassis/v2/security/authr" | ||
"github.com/go-chassis/go-chassis/v2/server/restful" | ||
"github.com/stretchr/testify/assert" | ||
"google.golang.org/grpc/metadata" | ||
|
||
"github.com/apache/servicecomb-service-center/syncer/config" | ||
) | ||
|
||
type testAuth struct{} | ||
|
||
func (testAuth) Login(ctx context.Context, user string, password string, opts ...authr.LoginOption) (string, error) { | ||
return "", nil | ||
} | ||
|
||
func (testAuth) Authenticate(ctx context.Context, token string) (interface{}, error) { | ||
var claim map[string]interface{} | ||
return claim, json.Unmarshal([]byte(token), &claim) | ||
} | ||
|
||
func Test_auth(t *testing.T) { | ||
// use the custom auth plugin | ||
authr.Install("test", func(opts *authr.Options) (authr.Authenticator, error) { | ||
return testAuth{}, nil | ||
}) | ||
assert.NoError(t, authr.Init(authr.WithPlugin("test"))) | ||
|
||
type args struct { | ||
ctx context.Context | ||
} | ||
tests := []struct { | ||
name string | ||
preDo func() | ||
args args | ||
wantErr assert.ErrorAssertionFunc | ||
}{ | ||
{ | ||
name: "sync rbac disables", | ||
preDo: func() { | ||
config.SetConfig(config.Config{ | ||
Sync: &config.Sync{ | ||
RbacEnabled: false, | ||
}}) | ||
}, | ||
args: args{ | ||
ctx: context.Background(), // rbac disabled, empty ctx should pass the auth | ||
}, | ||
wantErr: assert.NoError, | ||
}, | ||
{ | ||
name: "no header", | ||
preDo: func() { | ||
config.SetConfig(config.Config{ | ||
Sync: &config.Sync{ | ||
RbacEnabled: true, | ||
}}) | ||
}, | ||
args: args{ | ||
ctx: context.Background(), // rbac enabled, empty ctx should not pass the auth | ||
}, | ||
wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
var errSvcErr *errsvc.Error | ||
ok := errors.As(err, &errSvcErr) | ||
assert.True(t, ok) | ||
|
||
return assert.Equal(t, rbac.ErrNoAuthHeader, errSvcErr.Code) | ||
}, | ||
}, | ||
{ | ||
name: "with header but no auth header", | ||
args: args{ | ||
ctx: metadata.NewIncomingContext(context.Background(), metadata.New(map[string]string{"fake": "fake"})), | ||
}, | ||
wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
var errSvcErr *errsvc.Error | ||
ok := errors.As(err, &errSvcErr) | ||
assert.True(t, ok) | ||
|
||
return assert.Equal(t, rbac.ErrNoAuthHeader, errSvcErr.Code) | ||
}, | ||
}, | ||
{ | ||
name: "auth header format error", | ||
args: args{ | ||
ctx: metadata.NewIncomingContext(context.Background(), metadata.New(map[string]string{restful.HeaderAuth: "fake"})), | ||
}, | ||
wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
return assert.Equal(t, rbac.ErrInvalidHeader, err) | ||
}, | ||
}, | ||
{ | ||
name: "wrong account nor role", | ||
args: args{ | ||
ctx: metadata.NewIncomingContext(context.Background(), | ||
metadata.New(map[string]string{restful.HeaderAuth: `Bear {"account":"x","roles":["x"]}`})), | ||
}, | ||
wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
return assert.Equal(t, errWrongAccountNorRole, err) | ||
}, | ||
}, | ||
{ | ||
name: "valid token", | ||
args: args{ | ||
ctx: metadata.NewIncomingContext(context.Background(), | ||
metadata.New(map[string]string{restful.HeaderAuth: `Bear {"account":"sync-user","roles":["sync-admin"]}`})), | ||
}, | ||
wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
return assert.NoError(t, err) | ||
}, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
if tt.preDo != nil { | ||
tt.preDo() | ||
} | ||
tt.wantErr(t, auth(tt.args.ctx), fmt.Sprintf("auth(%v)", tt.args.ctx)) | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.