[fix] fix the problem of vertial ultra vires when only open the conso…

…le auth
apache · Jun 27, 2024 · 1ff9f77 · 1ff9f77
1 parent 4b61afc
commit 1ff9f77
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 12 deletions.
diff --git a/etc/conf/app.conf b/etc/conf/app.conf
@@ -25,6 +25,7 @@ frontend_endpoint_cidr = 127.0.0.1/32
 # httpaddr = fe80::f816:3eff:fe17:c38b%eth0 (link-local scope)
 httpaddr = 127.0.0.1
 httpport = 30100
+rbac_allow_missToken = ${RBAC_ALLOW_MISSTOKEN||false}
 
 ###################################################################
 # sever options (deprecated, pls use app.yaml instead)

diff --git a/server/config/config.go b/server/config/config.go
@@ -185,7 +185,8 @@ func loadServerConfig() ServerConfig {
 
 			SchemaDisable: GetBool("registry.schema.disable", false, WithENV("SCHEMA_DISABLE")),
 
-			EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+			EnableRBAC:     GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+			AllowMissToken: GetBool("rbac.allowMissToken", false, WithStandby("rbac_allow_missToken")),
 		},
 	}
 }

diff --git a/server/config/server.go b/server/config/server.go
@@ -48,7 +48,8 @@ type ServerConfigDetail struct {
 	EnablePProf bool `json:"enablePProf"`
 	EnableCache bool `json:"enableCache"`
 
-	EnableRBAC bool `json:"enableRBAC"`
+	EnableRBAC     bool `json:"enableRBAC"`
+	AllowMissToken bool `json:"AllowMissToken"`
 
 	LogRotateSize   int64  `json:"-"`
 	LogBackupCount  int64  `json:"-"`
@@ -64,7 +65,7 @@ type ServerConfigDetail struct {
 
 	SelfRegister bool `json:"selfRegister"`
 
-	//CacheTTL is the ttl of cache
+	// CacheTTL is the ttl of cache
 	CacheTTL      time.Duration `json:"cacheTTL"`
 	GlobalVisible string        `json:"-"`
 

diff --git a/server/plugin/auth/buildin/buildin.go b/server/plugin/auth/buildin/buildin.go
@@ -22,8 +22,14 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"reflect"
 	"strings"
 
+	"github.com/go-chassis/cari/pkg/errsvc"
+	rbacmodel "github.com/go-chassis/cari/rbac"
+	"github.com/go-chassis/go-chassis/v2/security/authr"
+	"github.com/go-chassis/go-chassis/v2/server/restful"
+
 	"github.com/apache/servicecomb-service-center/pkg/log"
 	"github.com/apache/servicecomb-service-center/pkg/plugin"
 	"github.com/apache/servicecomb-service-center/pkg/rest"
@@ -32,13 +38,12 @@ import (
 	"github.com/apache/servicecomb-service-center/server/plugin/auth"
 	rbacsvc "github.com/apache/servicecomb-service-center/server/service/rbac"
 	"github.com/apache/servicecomb-service-center/server/service/rbac/token"
-	rbacmodel "github.com/go-chassis/cari/rbac"
-	"github.com/go-chassis/go-chassis/v2/security/authr"
-	"github.com/go-chassis/go-chassis/v2/server/restful"
 )
 
 var ErrNoRoles = errors.New("no role found in token")
 
+const disCoveryType = "*errsvc.Error"
+
 func init() {
 	plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin", New: New})
 }
@@ -90,15 +95,22 @@ func getRequestPattern(req *http.Request) string {
 }
 
 func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string) (*rbacmodel.Account, error) {
-	if !rbacsvc.MustAuth(pattern) {
-		return nil, nil
+	account, err := ba.VerifyRequest(req)
+	if err == nil {
+		return account, err
 	}
-	return ba.VerifyRequest(req)
+	if rbacsvc.MustAuth(pattern) {
+		return nil, err
+	}
+	return nil, nil
 }
 
 func (ba *TokenAuthenticator) VerifyRequest(req *http.Request) (*rbacmodel.Account, error) {
 	claims, err := ba.VerifyToken(req)
 	if err != nil {
+		if reflect.TypeOf(err).String() == disCoveryType && err.(*errsvc.Error).Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {
+			return nil, nil
+		}
 		log.Error(fmt.Sprintf("verify request token failed, %s %s", req.Method, req.RequestURI), err)
 		return nil, err
 	}
@@ -172,12 +184,12 @@ func checkPerm(roleList []string, req *http.Request) ([]map[string]string, error
 	if hasAdmin {
 		return nil, nil
 	}
-	//todo fast check for dev role
+	// todo fast check for dev role
 	targetResource := FromRequest(req)
 	if targetResource == nil {
 		return nil, errors.New("no valid resouce scope")
 	}
-	//TODO add project
+	// TODO add project
 	project := req.URL.Query().Get(":project")
 	return rbacsvc.Allow(req.Context(), project, normalRoles, targetResource)
 }
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
@@ -135,7 +135,7 @@ func readPublicKey() {
 	log.Info("read public key success")
 }
 func initFirstTime() {
-	//handle root account
+	// handle root account
 	pwd := getPassword()
 	if len(pwd) == 0 {
 		log.Warn("skip init root account! Cause by " + InitPassword + " is empty. " +
@@ -176,6 +176,10 @@ func Enabled() bool {
 	return config.GetRBAC().EnableRBAC
 }
 
+func AllowMissToken() bool {
+	return config.GetRBAC().AllowMissToken
+}
+
 // PublicKey get public key to verify a token
 func PublicKey() string {
 	return archaius.GetString("rbac_public_key", "")