fix some rbac problems #1485

Merged
merged 2 commits into from
Jul 15, 2024
Merged
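--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -25,6 +25,7 @@ frontend_endpoint_cidr = 127.0.0.1/32
 # httpaddr = fe80::f816:3eff:fe17:c38b%eth0 (link-local scope)
 httpaddr = 127.0.0.1
 httpport = 30100
+rbac_allow_missToken = ${RBAC_ALLOW_MISSTOKEN||false}
 
 ###################################################################
 # sever options (deprecated, pls use app.yaml instead)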
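Review bot: The new `rbac_allow_missToken` key is the only option in this block without an explanatory comment, even though it relaxes authentication (per the buildin.go change in this PR, a request with no Authorization header passes token verification when it is true). A one-line comment above it would tell an operator what they are switching on, e.g. `# rbac_allow_missToken: when true, requests without an Authorization header skip RBAC token verification; keep false unless all consumers are trusted`. The `${RBAC_ALLOW_MISSTOKEN||false}` default of false is the right choice for a knob like this.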
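--- a/server/config/config.go
+++ b/server/config/config.go
@@ -186,7 +186,8 @@ func loadServerConfig() ServerConfig {
 SchemaDisable: GetBool("registry.schema.disable", false, WithENV("SCHEMA_DISABLE")),
 SchemaRootPath: GetString("registry.schema.schemaRootPath", "", WithENV("SCHEMA_ROOT_PATH")),
 
-EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+AllowMissToken: GetBool("rbac.allowMissToken", false, WithStandby("rbac_allow_missToken")),
 },
 }
 }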
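--- a/server/config/server.go
+++ b/server/config/server.go
@@ -48,7 +48,8 @@ type ServerConfigDetail struct {
 EnablePProf bool `json:"enablePProf"`
 EnableCache bool `json:"enableCache"`
 
-EnableRBAC bool `json:"enableRBAC"`
+EnableRBAC bool `json:"enableRBAC"`
+AllowMissToken bool `json:"AllowMissToken"`
 
 LogRotateSize int64 `json:"-"`
 LogBackupCount int64 `json:"-"`
@@ -64,7 +65,7 @@ type ServerConfigDetail struct {
 
 SelfRegister bool `json:"selfRegister"`
 
-//CacheTTL is the ttl of cache
+// CacheTTL is the ttl of cache
 CacheTTL time.Duration `json:"cacheTTL"`
 GlobalVisible string `json:"-"`
 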
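Review bot: The new field's tag `json:"AllowMissToken"` breaks the lowerCamel convention every neighbouring tag in ServerConfigDetail follows (`enablePProf`, `enableCache`, `enableRBAC`, `cacheTTL`), so any consumer of the serialized config will see one oddly cased key. Suggest `AllowMissToken bool `json:"allowMissToken"`` for consistency. The struct continues outside both hunks.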
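--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -23,9 +23,11 @@ import (
 "errors"
 "fmt"
 "net/http"
+"reflect"
 "strings"
 "time"
 
+"github.com/go-chassis/cari/pkg/errsvc"
 rbacmodel "github.com/go-chassis/cari/rbac"
 "github.com/go-chassis/go-chassis/v2/security/authr"
 "github.com/go-chassis/go-chassis/v2/server/restful"
@@ -47,6 +49,10 @@ var tokenCache = cache.New(cacheDefaultExpireTime, cacheDefaultCleanUpTime)
 const cacheErrorItemExpTime = 5 * time.Minute
 const cacheDefaultExpireTime = 5 * time.Minute
 const cacheDefaultCleanUpTime = 10 * time.Minute
+const getEnvirOnMentPath = "environments"
+const getVerb = "get"
+
+const disCoveryType = "*errsvc.Error"
 
 func init() {
 plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin", New: New})
@@ -99,15 +105,22 @@ func getRequestPattern(req *http.Request) string {
 }
 
 func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string) (*rbacmodel.Account, error) {
-if !rbacsvc.MustAuth(pattern) {
-return nil, nil
+account, err := ba.VerifyRequest(req)
+if err == nil {
+return account, err
 }
+if rbacsvc.MustAuth(pattern) {
+return nil, err
+}
-return ba.VerifyRequest(req)
+return nil, nil
 }
 
 func (ba *TokenAuthenticator) VerifyRequest(req *http.Request) (*rbacmodel.Account, error) {
 claims, err := ba.VerifyToken(req)
 if err != nil {
+if reflect.TypeOf(err).String() == disCoveryType && err.(*errsvc.Error).Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {
+return nil, nil
+}
 log.Error(fmt.Sprintf("verify request token failed, %s %s", req.Method, req.RequestURI), err)
 return nil, err
 }
@@ -215,6 +228,11 @@ func checkPerm(roleList []string, req *http.Request) ([]map[string]string, error
 if hasAdmin {
 return nil, nil
 }
+pattern := getRequestPattern(req)
+verb := rbacsvc.MethodToVerbs[req.Method]
+if strings.Contains(pattern, getEnvirOnMentPath) && verb == getVerb {
+return nil, nil
+}
 // todo fast check for dev role
 targetResource := FromRequest(req)
 if targetResource == nil {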
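Review bot: The missing-token bypass in VerifyRequest detects the error by comparing `reflect.TypeOf(err).String()` with the `disCoveryType` string and then asserting `err.(*errsvc.Error)` unchecked; a wrapped error silently skips the branch, and the `errors` package already imported in this file gives the idiomatic form `var svcErr *errsvc.Error` / `if errors.As(err, &svcErr) && svcErr.Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {`, which also removes the need for the `reflect` import and the `disCoveryType` constant. Since that branch returns `nil, nil`, an unauthenticated request proceeds with no account, so it deserves at least a debug-level log line for auditability, and every caller of mustAuth (all outside this hunk) must now tolerate a nil `*rbacmodel.Account`. Separately, the checkPerm fast path in the last hunk uses `strings.Contains(pattern, getEnvirOnMentPath)`, which grants the GET bypass to any route pattern containing the substring `environments` anywhere, not just the environments resource; an exact comparison against that route's pattern, or a check on the path segment, would narrow the bypass to the intended endpoint. The constant names `getEnvirOnMentPath` and `disCoveryType` also read as typos (`environmentsPath`, `errsvcErrorType`), and VerifyRequest and checkPerm both continue outside the hunks shown.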
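--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -135,7 +135,7 @@ func readPublicKey() {
 log.Info("read public key success")
 }
 func initFirstTime() {
-//handle root account
+// handle root account
 pwd := getPassword()
 if len(pwd) == 0 {
 log.Warn("skip init root account! Cause by " + InitPassword + " is empty. " +
@@ -176,6 +176,10 @@ func Enabled() bool {
 return config.GetRBAC().EnableRBAC
 }
 
+func AllowMissToken() bool {
+return config.GetRBAC().AllowMissToken
+}
+
 // PublicKey get public key to verify a token
 func PublicKey() string {
 return archaius.GetString("rbac_public_key", "")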
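Review bot: The exported `AllowMissToken` is added without a doc comment, while the neighbouring `PublicKey` has one, and because this function switches off a token check its contract is worth stating at the declaration. Suggest `// AllowMissToken reports whether a request that carries no Authorization header may pass token verification (config rbac.allowMissToken, default false).` above it.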