Merge pull request #8318 from stubenhuang/issue-token-8317

feat: 通过网关进行的跨服务调用, 必须携带token进行校验 #8317
TencentBlueKing · Feb 6, 2023 · 2db3c38 · 2db3c38
2 parents fe300a9 + 55154f2
commit 2db3c38
Show file tree

Hide file tree

Showing 16 changed files with 309 additions and 67 deletions.
diff --git a/.../src/main/kotlin/com/tencent/devops/auth/api/callback/OpenAuthResourceCallBackResource.kt b/.../src/main/kotlin/com/tencent/devops/auth/api/callback/OpenAuthResourceCallBackResource.kt
@@ -0,0 +1,69 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.api.callback
+
+import com.tencent.bk.sdk.iam.dto.callback.request.CallbackRequestDTO
+import com.tencent.bk.sdk.iam.dto.callback.response.CallbackBaseResponseDTO
+import io.swagger.annotations.Api
+import io.swagger.annotations.ApiOperation
+import io.swagger.annotations.ApiParam
+import javax.ws.rs.Consumes
+import javax.ws.rs.POST
+import javax.ws.rs.Path
+import javax.ws.rs.Produces
+import javax.ws.rs.HeaderParam
+import javax.ws.rs.core.MediaType
+
+@Api(tags = ["AUTH_RESOURCE_CALLBACK"], description = "权限-资源-回调接口")
+@Path("/open/auth/resource")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+interface OpenAuthResourceCallBackResource {
+
+    @POST
+    @Path("/projects")
+    @ApiOperation("项目列表")
+    fun projectInfo(
+        @ApiParam(value = "回调信息")
+        callBackInfo: CallbackRequestDTO,
+        @HeaderParam("Authorization")
+        @ApiParam("token")
+        token: String
+    ): CallbackBaseResponseDTO?
+
+    @POST
+    @Path("/instances/list")
+    @ApiOperation("特定资源列表")
+    fun resourceList(
+        @ApiParam(value = "回调信息")
+        callBackInfo: CallbackRequestDTO,
+        @HeaderParam("Authorization")
+        @ApiParam("token")
+        token: String
+    ): CallbackBaseResponseDTO?
+}
diff --git a/.../callback/AuthResourceCallBackResource.kt → ...ck/ServiceAuthResourceCallBackResource.kt b/.../callback/AuthResourceCallBackResource.kt → ...ck/ServiceAuthResourceCallBackResource.kt
@@ -43,7 +43,7 @@ import javax.ws.rs.core.MediaType
 @Path("/service/auth/resource")
 @Produces(MediaType.APPLICATION_JSON)
 @Consumes(MediaType.APPLICATION_JSON)
-interface AuthResourceCallBackResource {
+interface ServiceAuthResourceCallBackResource {
 
     @POST
     @Path("/projects")

diff --git a/...src/main/kotlin/com/tencent/devops/auth/resources/OpenAuthResourceCallBackResourceImpl.kt b/...src/main/kotlin/com/tencent/devops/auth/resources/OpenAuthResourceCallBackResourceImpl.kt
@@ -0,0 +1,76 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.resources
+
+import com.tencent.bk.sdk.iam.dto.callback.request.CallbackRequestDTO
+import com.tencent.bk.sdk.iam.dto.callback.response.CallbackBaseResponseDTO
+import com.tencent.devops.auth.api.callback.OpenAuthResourceCallBackResource
+import com.tencent.devops.auth.service.ResourceService
+import com.tencent.devops.common.api.exception.TokenForbiddenException
+import com.tencent.devops.common.auth.api.AuthTokenApi
+import com.tencent.devops.common.web.RestResource
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+
+@RestResource
+class OpenAuthResourceCallBackResourceImpl @Autowired constructor(
+    val resourceService: ResourceService,
+    val authTokenApi: AuthTokenApi
+) : OpenAuthResourceCallBackResource {
+
+    override fun projectInfo(
+        callBackInfo: CallbackRequestDTO,
+        token: String
+    ): CallbackBaseResponseDTO {
+        if (!authTokenApi.checkToken(token)) {
+            logger.warn("auth token check fail: $token")
+            throw TokenForbiddenException("auth token check fail")
+        }
+        return resourceService.getProject(callBackInfo, token)
+    }
+
+    override fun resourceList(
+        callBackInfo: CallbackRequestDTO,
+        token: String
+    ): CallbackBaseResponseDTO? {
+        if (!authTokenApi.checkToken(token)) {
+            logger.warn("auth token check fail: $token")
+            throw TokenForbiddenException("auth token check fail")
+        }
+        logger.info("resourceList: $callBackInfo, token: $token")
+        return resourceService.getInstanceByResource(
+                callBackInfo = callBackInfo,
+                token = token
+            )
+    }
+
+    companion object {
+        private val logger = LoggerFactory.getLogger(OpenAuthResourceCallBackResourceImpl::class.java)
+    }
+}
diff --git a/...urces/AuthResourceCallBackResourceImpl.kt → ...erviceAuthResourceCallBackResourceImpl.kt b/...urces/AuthResourceCallBackResourceImpl.kt → ...erviceAuthResourceCallBackResourceImpl.kt
@@ -30,16 +30,16 @@ package com.tencent.devops.auth.resources
 
 import com.tencent.bk.sdk.iam.dto.callback.request.CallbackRequestDTO
 import com.tencent.bk.sdk.iam.dto.callback.response.CallbackBaseResponseDTO
-import com.tencent.devops.auth.api.callback.AuthResourceCallBackResource
+import com.tencent.devops.auth.api.callback.ServiceAuthResourceCallBackResource
 import com.tencent.devops.auth.service.ResourceService
 import com.tencent.devops.common.web.RestResource
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 
 @RestResource
-class AuthResourceCallBackResourceImpl @Autowired constructor(
+class ServiceAuthResourceCallBackResourceImpl @Autowired constructor(
     val resourceService: ResourceService
-) : AuthResourceCallBackResource {
+) : ServiceAuthResourceCallBackResource {
     override fun projectInfo(
         callBackInfo: CallbackRequestDTO,
         token: String
@@ -59,6 +59,6 @@ class AuthResourceCallBackResourceImpl @Autowired constructor(
     }
 
     companion object {
-        val logger = LoggerFactory.getLogger(AuthResourceCallBackResourceImpl::class.java)
+        val logger = LoggerFactory.getLogger(ServiceAuthResourceCallBackResourceImpl::class.java)
     }
 }
diff --git a/src/backend/ci/core/buildless/biz-buildless/build.gradle.kts b/src/backend/ci/core/buildless/biz-buildless/build.gradle.kts
@@ -32,7 +32,7 @@ dependencies {
     api(project(":core:common:common-web"))
     api(project(":core:common:common-redis"))
     api(project(":core:log:api-log"))
-
+    api(project(":core:common:common-security"))
     api("com.github.docker-java:docker-java")
     api("com.github.docker-java:docker-java-transport-okhttp")
     implementation("com.github.oshi:oshi-core")

diff --git a/...dless/biz-buildless/src/main/kotlin/com/tencent/devops/buildless/client/DispatchClient.kt b/...dless/biz-buildless/src/main/kotlin/com/tencent/devops/buildless/client/DispatchClient.kt
@@ -37,6 +37,7 @@ import com.tencent.devops.common.api.pojo.ErrorCode
 import com.tencent.devops.common.api.pojo.ErrorType
 import com.tencent.devops.common.api.util.JsonUtil
 import com.tencent.devops.common.api.util.OkhttpUtils
+import com.tencent.devops.common.security.util.EnvironmentUtil
 import com.tencent.devops.common.service.BkTag
 import com.tencent.devops.common.service.config.CommonConfig
 import com.tencent.devops.dispatch.docker.pojo.DockerIpInfoVO
@@ -57,17 +58,19 @@ class DispatchClient @Autowired constructor(
 ) {
     fun updateContainerId(buildLessTask: BuildLessTask, containerId: String) {
         val path = "/ms/dispatch-docker/api/service/dockerhost/builds/${buildLessTask.buildId}/vmseqs" +
-            "/${buildLessTask.vmSeqId}?containerId=$containerId"
+                "/${buildLessTask.vmSeqId}?containerId=$containerId"
 
         try {
             val url = buildUrl(path)
             val request = Request
                 .Builder()
                 .url(url)
                 .headers(Headers.of(makeHeaders()))
-                .put(RequestBody.create(
-                    MediaType.parse("application/json; charset=utf-8"),
-                    "")
+                .put(
+                    RequestBody.create(
+                        MediaType.parse("application/json; charset=utf-8"),
+                        ""
+                    )
                 )
                 .build()
 
@@ -78,7 +81,8 @@ class DispatchClient @Autowired constructor(
                     throw TaskExecuteException(
                         errorCode = ErrorCode.SYSTEM_WORKER_INITIALIZATION_ERROR,
                         errorType = ErrorType.SYSTEM,
-                        errorMsg = "Update containerId $path fail")
+                        errorMsg = "Update containerId $path fail"
+                    )
                 }
             }
         } catch (e: Exception) {
@@ -121,9 +125,11 @@ class DispatchClient @Autowired constructor(
                 .Builder()
                 .url(url)
                 .headers(Headers.of(makeHeaders()))
-                .post(RequestBody.create(
-                    MediaType.parse("application/json; charset=utf-8"),
-                    JsonUtil.toJson(dockerIpInfoVO))
+                .post(
+                    RequestBody.create(
+                        MediaType.parse("application/json; charset=utf-8"),
+                        JsonUtil.toJson(dockerIpInfoVO)
+                    )
                 )
                 .build()
 
@@ -135,7 +141,8 @@ class DispatchClient @Autowired constructor(
                     throw TaskExecuteException(
                         errorCode = ErrorCode.SYSTEM_WORKER_INITIALIZATION_ERROR,
                         errorType = ErrorType.SYSTEM,
-                        errorMsg = "Refresh buildLess status $url fail")
+                        errorMsg = "Refresh buildLess status $url fail"
+                    )
                 }
                 logger.info("End refreshDockerIpStatus.")
             }
@@ -170,7 +177,13 @@ class DispatchClient @Autowired constructor(
         } else {
             buildLessConfig.gatewayHeaderTag
         }
-        return mapOf(AUTH_HEADER_GATEWAY_TAG to gatewayHeaderTag)
+        val headers = mutableMapOf(AUTH_HEADER_GATEWAY_TAG to gatewayHeaderTag)
+        // 新增devopsToken给网关校验
+        val devopsToken = EnvironmentUtil.gatewayDevopsToken()
+        if (devopsToken != null) {
+            headers["X-DEVOPS-TOKEN"] = devopsToken
+        }
+        return headers
     }
 
     companion object {

diff --git a/src/backend/ci/core/common/common-archive/build.gradle.kts b/src/backend/ci/core/common/common-archive/build.gradle.kts
@@ -36,4 +36,5 @@ dependencies {
     api(project(":core:common:common-pipeline"))
     api("com.tencent.bk.repo:api-generic")
     api("com.tencent.bk.repo:api-repository")
+    api(project(":core:common:common-security"))
 }