V3.0 develop starting listening enhance & fix console auth invalid pr…

…oblem. (#13001) * Enhance StartingApplicationListener to reduce duplicate operation. * Fix console auth invalid problem.
alibaba · Dec 30, 2024 · 05362b0 · 05362b0
1 parent 8478fd7
commit 05362b0
Show file tree

Hide file tree

Showing 64 changed files with 1,691 additions and 1,288 deletions.
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/AbstractProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/AbstractProtocolAuthService.java
@@ -17,7 +17,7 @@
 package com.alibaba.nacos.auth;
 
 import com.alibaba.nacos.auth.annotation.Secured;
-import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
 import com.alibaba.nacos.auth.serveridentity.ServerIdentityChecker;
 import com.alibaba.nacos.auth.serveridentity.ServerIdentityCheckerHolder;
@@ -45,36 +45,36 @@
  */
 public abstract class AbstractProtocolAuthService<R> implements ProtocolAuthService<R> {
 
-    protected final AuthConfigs authConfigs;
+    protected final NacosAuthConfig authConfig;
 
     protected final ServerIdentityChecker checker;
 
-    protected AbstractProtocolAuthService(AuthConfigs authConfigs) {
-        this.authConfigs = authConfigs;
+    protected AbstractProtocolAuthService(NacosAuthConfig authConfig) {
+        this.authConfig = authConfig;
         this.checker = ServerIdentityCheckerHolder.getInstance().getChecker();
     }
 
     @Override
     public void initialize() {
-        this.checker.init(authConfigs);
+        this.checker.init(authConfig);
     }
 
     @Override
     public boolean enableAuth(Secured secured) {
         Optional<AuthPluginService> authPluginService = AuthPluginManager.getInstance()
-                .findAuthServiceSpiImpl(authConfigs.getNacosAuthSystemType());
+                .findAuthServiceSpiImpl(authConfig.getNacosAuthSystemType());
         if (authPluginService.isPresent()) {
             return authPluginService.get().enableAuth(secured.action(), secured.signType());
         }
         Loggers.AUTH.warn("Can't find auth plugin for type {}, please add plugin to classpath or set {} as false",
-                authConfigs.getNacosAuthSystemType(), Constants.Auth.NACOS_CORE_AUTH_ENABLED);
+                authConfig.getNacosAuthSystemType(), Constants.Auth.NACOS_CORE_AUTH_ENABLED);
         return false;
     }
 
     @Override
     public boolean validateIdentity(IdentityContext identityContext, Resource resource) throws AccessException {
         Optional<AuthPluginService> authPluginService = AuthPluginManager.getInstance()
-                .findAuthServiceSpiImpl(authConfigs.getNacosAuthSystemType());
+                .findAuthServiceSpiImpl(authConfig.getNacosAuthSystemType());
         if (authPluginService.isPresent()) {
             return authPluginService.get().validateIdentity(identityContext, resource);
         }
@@ -84,7 +84,7 @@ public boolean validateIdentity(IdentityContext identityContext, Resource resour
     @Override
     public boolean validateAuthority(IdentityContext identityContext, Permission permission) throws AccessException {
         Optional<AuthPluginService> authPluginService = AuthPluginManager.getInstance()
-                .findAuthServiceSpiImpl(authConfigs.getNacosAuthSystemType());
+                .findAuthServiceSpiImpl(authConfig.getNacosAuthSystemType());
         if (authPluginService.isPresent()) {
             return authPluginService.get().validateAuthority(identityContext, permission);
         }
@@ -103,8 +103,8 @@ public ServerIdentityResult checkServerIdentity(R request, Secured secured) {
     }
 
     private boolean isInvalidServerIdentity() {
-        return StringUtils.isBlank(authConfigs.getServerIdentityKey()) || StringUtils.isBlank(
-                authConfigs.getServerIdentityValue());
+        return StringUtils.isBlank(authConfig.getServerIdentityKey()) || StringUtils.isBlank(
+                authConfig.getServerIdentityValue());
     }
 
     /**

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/GrpcProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/GrpcProtocolAuthService.java
@@ -18,19 +18,19 @@
 
 import com.alibaba.nacos.api.remote.request.Request;
 import com.alibaba.nacos.auth.annotation.Secured;
-import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
-import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
-import com.alibaba.nacos.plugin.auth.api.IdentityContext;
-import com.alibaba.nacos.plugin.auth.api.Resource;
-import com.alibaba.nacos.auth.config.AuthConfigs;
-import com.alibaba.nacos.plugin.auth.constant.ApiType;
-import com.alibaba.nacos.plugin.auth.constant.SignType;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 import com.alibaba.nacos.auth.context.GrpcIdentityContextBuilder;
 import com.alibaba.nacos.auth.parser.grpc.AbstractGrpcResourceParser;
 import com.alibaba.nacos.auth.parser.grpc.ConfigGrpcResourceParser;
 import com.alibaba.nacos.auth.parser.grpc.NamingGrpcResourceParser;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
 import com.alibaba.nacos.auth.util.Loggers;
 import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.plugin.auth.api.IdentityContext;
+import com.alibaba.nacos.plugin.auth.api.Resource;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -46,10 +46,10 @@ public class GrpcProtocolAuthService extends AbstractProtocolAuthService<Request
 
     private final GrpcIdentityContextBuilder identityContextBuilder;
 
-    public GrpcProtocolAuthService(AuthConfigs authConfigs) {
-        super(authConfigs);
+    public GrpcProtocolAuthService(NacosAuthConfig authConfig) {
+        super(authConfig);
         resourceParserMap = new HashMap<>(2);
-        identityContextBuilder = new GrpcIdentityContextBuilder(authConfigs);
+        identityContextBuilder = new GrpcIdentityContextBuilder(authConfig);
     }
 
     @Override
@@ -88,7 +88,7 @@ public ServerIdentityResult checkServerIdentity(Request request, Secured secured
 
     @Override
     protected ServerIdentity parseServerIdentity(Request request) {
-        String serverIdentityKey = authConfigs.getServerIdentityKey();
+        String serverIdentityKey = authConfig.getServerIdentityKey();
         String serverIdentity = request.getHeader(serverIdentityKey);
         return new ServerIdentity(serverIdentityKey, serverIdentity);
     }

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/HttpProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/HttpProtocolAuthService.java
@@ -17,17 +17,17 @@
 package com.alibaba.nacos.auth;
 
 import com.alibaba.nacos.auth.annotation.Secured;
-import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
-import com.alibaba.nacos.plugin.auth.api.IdentityContext;
-import com.alibaba.nacos.plugin.auth.api.Resource;
-import com.alibaba.nacos.auth.config.AuthConfigs;
-import com.alibaba.nacos.plugin.auth.constant.SignType;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 import com.alibaba.nacos.auth.context.HttpIdentityContextBuilder;
 import com.alibaba.nacos.auth.parser.http.AbstractHttpResourceParser;
 import com.alibaba.nacos.auth.parser.http.ConfigHttpResourceParser;
 import com.alibaba.nacos.auth.parser.http.NamingHttpResourceParser;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
 import com.alibaba.nacos.auth.util.Loggers;
 import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.plugin.auth.api.IdentityContext;
+import com.alibaba.nacos.plugin.auth.api.Resource;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.HashMap;
@@ -44,10 +44,10 @@ public class HttpProtocolAuthService extends AbstractProtocolAuthService<HttpSer
 
     private final HttpIdentityContextBuilder identityContextBuilder;
 
-    public HttpProtocolAuthService(AuthConfigs authConfigs) {
-        super(authConfigs);
+    public HttpProtocolAuthService(NacosAuthConfig authConfig) {
+        super(authConfig);
         resourceParserMap = new HashMap<>(2);
-        identityContextBuilder = new HttpIdentityContextBuilder(authConfigs);
+        identityContextBuilder = new HttpIdentityContextBuilder(authConfig);
     }
 
     @Override
@@ -77,7 +77,7 @@ public IdentityContext parseIdentity(HttpServletRequest request) {
 
     @Override
     protected ServerIdentity parseServerIdentity(HttpServletRequest request) {
-        String serverIdentityKey = authConfigs.getServerIdentityKey();
+        String serverIdentityKey = authConfig.getServerIdentityKey();
         String serverIdentity = request.getHeader(serverIdentityKey);
         return new ServerIdentity(serverIdentityKey, serverIdentity);
     }

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/config/AuthConfigs.java b/auth/src/main/java/com/alibaba/nacos/auth/config/AuthConfigs.java
@@ -81,9 +81,6 @@ public class AuthConfigs extends Subscriber<ServerConfigChangeEvent> {
     @Value("${" + Constants.Auth.NACOS_CORE_AUTH_SERVER_IDENTITY_VALUE + ":}")
     private String serverIdentityValue;
 
-    @Value("${" + Constants.Auth.NACOS_CORE_AUTH_ENABLE_USER_AGENT_AUTH_WHITE + ":false}")
-    private boolean enableUserAgentAuthWhite;
-
     private boolean hasGlobalAdminRole;
 
     private Map<String, Properties> authPluginProperties = new HashMap<>();
@@ -153,10 +150,6 @@ public String getServerIdentityValue() {
         return serverIdentityValue;
     }
 
-    public boolean isEnableUserAgentAuthWhite() {
-        return enableUserAgentAuthWhite;
-    }
-
     /**
      * console auth function is open.
      *
@@ -208,8 +201,6 @@ public void onEvent(ServerConfigChangeEvent event) {
             cachingEnabled = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_CACHING_ENABLED, Boolean.class, true);
             serverIdentityKey = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_SERVER_IDENTITY_KEY, "");
             serverIdentityValue = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_SERVER_IDENTITY_VALUE, "");
-            enableUserAgentAuthWhite = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_ENABLE_USER_AGENT_AUTH_WHITE,
-                    Boolean.class, false);
             nacosAuthSystemType = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_SYSTEM_TYPE, "");
             refreshPluginProperties();
             ModuleStateHolder.getInstance().getModuleState(AuthModuleStateBuilder.AUTH_MODULE)

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/config/NacosAuthConfig.java b/auth/src/main/java/com/alibaba/nacos/auth/config/NacosAuthConfig.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.auth.config;
+
+/**
+ * Nacos Auth configurations.
+ *
+ * @author xiweng.yy
+ */
+public interface NacosAuthConfig {
+
+    /**
+     * Whether nacos server or console auth enabled.
+     *
+     * @return {@code true} means enabled, otherwise {@code false}
+     */
+    boolean isAuthEnabled();
+
+    /**
+     * Get current auth plugin type.
+     *
+     * @return auth plugin type.
+     */
+    String getNacosAuthSystemType();
+
+    /**
+     * Whether support server identity to identify request from other nacos servers.
+     *
+     * @return {@code true} means supported, otherwise {@code false}
+     */
+    boolean isSupportServerIdentity();
+
+    /**
+     * Get server identity key.
+     *
+     * @return server identity key If {@link #isSupportServerIdentity()} return {@code true}, otherwise empty string.
+     */
+    String getServerIdentityKey();
+
+    /**
+     * Get server identity value.
+     *
+     * @return server identity value If {@link #isSupportServerIdentity()} return {@code true}, otherwise empty string.
+     */
+    String getServerIdentityValue();
+}
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/context/GrpcIdentityContextBuilder.java b/auth/src/main/java/com/alibaba/nacos/auth/context/GrpcIdentityContextBuilder.java
@@ -17,7 +17,7 @@
 package com.alibaba.nacos.auth.context;
 
 import com.alibaba.nacos.api.remote.request.Request;
-import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.constant.Constants;
 import com.alibaba.nacos.plugin.auth.spi.server.AuthPluginManager;
@@ -35,10 +35,10 @@
  */
 public class GrpcIdentityContextBuilder implements IdentityContextBuilder<Request> {
 
-    private final AuthConfigs authConfigs;
+    private final NacosAuthConfig authConfig;
 
-    public GrpcIdentityContextBuilder(AuthConfigs authConfigs) {
-        this.authConfigs = authConfigs;
+    public GrpcIdentityContextBuilder(NacosAuthConfig authConfig) {
+        this.authConfig = authConfig;
     }
 
     /**
@@ -51,7 +51,7 @@ public GrpcIdentityContextBuilder(AuthConfigs authConfigs) {
     @Override
     public IdentityContext build(Request request) {
         Optional<AuthPluginService> authPluginService = AuthPluginManager.getInstance()
-                .findAuthServiceSpiImpl(authConfigs.getNacosAuthSystemType());
+                .findAuthServiceSpiImpl(authConfig.getNacosAuthSystemType());
         IdentityContext result = new IdentityContext();
         getRemoteIp(request, result);
         if (!authPluginService.isPresent()) {

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/context/HttpIdentityContextBuilder.java b/auth/src/main/java/com/alibaba/nacos/auth/context/HttpIdentityContextBuilder.java
@@ -16,7 +16,7 @@
 
 package com.alibaba.nacos.auth.context;
 
-import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 import com.alibaba.nacos.common.utils.StringUtils;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.constant.Constants;
@@ -40,10 +40,10 @@ public class HttpIdentityContextBuilder implements IdentityContextBuilder<HttpSe
 
     private static final String X_FORWARDED_FOR_SPLIT_SYMBOL = ",";
 
-    private final AuthConfigs authConfigs;
+    private final NacosAuthConfig authConfig;
 
-    public HttpIdentityContextBuilder(AuthConfigs authConfigs) {
-        this.authConfigs = authConfigs;
+    public HttpIdentityContextBuilder(NacosAuthConfig authConfig) {
+        this.authConfig = authConfig;
     }
 
     /**
@@ -57,7 +57,7 @@ public IdentityContext build(HttpServletRequest request) {
         IdentityContext result = new IdentityContext();
         getRemoteIp(request, result);
         Optional<AuthPluginService> authPluginService = AuthPluginManager.getInstance()
-                .findAuthServiceSpiImpl(authConfigs.getNacosAuthSystemType());
+                .findAuthServiceSpiImpl(authConfig.getNacosAuthSystemType());
         if (!authPluginService.isPresent()) {
             return result;
         }

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/DefaultChecker.java b/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/DefaultChecker.java
@@ -17,7 +17,7 @@
 package com.alibaba.nacos.auth.serveridentity;
 
 import com.alibaba.nacos.auth.annotation.Secured;
-import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 
 /**
  * Nacos default server identity checker.
@@ -26,16 +26,16 @@
  */
 public class DefaultChecker implements ServerIdentityChecker {
 
-    private AuthConfigs authConfigs;
+    private NacosAuthConfig authConfig;
 
     @Override
-    public void init(AuthConfigs authConfigs) {
-        this.authConfigs = authConfigs;
+    public void init(NacosAuthConfig authConfigs) {
+        this.authConfig = authConfigs;
     }
 
     @Override
     public ServerIdentityResult check(ServerIdentity serverIdentity, Secured secured) {
-        if (authConfigs.getServerIdentityValue().equals(serverIdentity.getIdentityValue())) {
+        if (authConfig.getServerIdentityValue().equals(serverIdentity.getIdentityValue())) {
             return ServerIdentityResult.success();
         }
         return ServerIdentityResult.noMatched();

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/ServerIdentityChecker.java b/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/ServerIdentityChecker.java
@@ -17,7 +17,7 @@
 package com.alibaba.nacos.auth.serveridentity;
 
 import com.alibaba.nacos.auth.annotation.Secured;
-import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.config.NacosAuthConfig;
 
 /**
  * Nacos server identity checker for nacos inner/admin API identity check.
@@ -29,9 +29,9 @@ public interface ServerIdentityChecker {
     /**
      * Do init checker.
      *
-     * @param authConfigs config for nacos auth.
+     * @param authConfig config for nacos auth.
      */
-    void init(AuthConfigs authConfigs);
+    void init(NacosAuthConfig authConfig);
 
     /**
      * Do check nacos server identity.