From ae79ad6c8d12134ce473e557df1f4a4875fbadaa Mon Sep 17 00:00:00 2001 From: felixncheng Date: Tue, 8 Aug 2023 10:42:13 +0800 Subject: [PATCH 1/2] =?UTF-8?q?bug:=20=E4=BF=AE=E5=A4=8D=E5=8D=95=E4=BD=93?= =?UTF-8?q?=E6=9C=8D=E5=8A=A1=E5=90=AF=E5=8A=A8=E6=8A=A5=E9=94=99=20#1038?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../bkrepo/config/BootAssemblyHandlerMapping.kt | 3 +++ .../boot-assembly/src/main/resources/application.yml | 3 +++ .../common/artifact/cns/CnsConfiguration.kt | 10 +++++++++- 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt b/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt
index 0f1eb8a4c1..e8b11d7cb8 100644
--- a/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt
+++ b/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt
@@ -64,6 +64,9 @@ class BootAssemblyHandlerMapping : RequestMappingHandlerMapping() {
 @Suppress("SpreadOperator")
 private fun updateMapping(mapping: RequestMappingInfo, method: Method): RequestMappingInfo? {
 val serviceName = ServiceCommonUtils.getServiceName(method.declaringClass)
+ if (serviceName == "common") {
+ return mapping
+ }
 val newPatterns = updatePatterns(mapping.patternsCondition?.patterns.orEmpty(), serviceName)
 if (newPatterns.isEmpty()) {
 return null
diff --git a/src/backend/boot-assembly/src/main/resources/application.yml b/src/backend/boot-assembly/src/main/resources/application.yml
index 423eb844db..f5044b313d 100644
--- a/src/backend/boot-assembly/src/main/resources/application.yml
+++ b/src/backend/boot-assembly/src/main/resources/application.yml
@@ -38,6 +38,9 @@ spring: main: allow-bean-definition-overriding: true +cns: + enabled: true + logging: config: classpath:logback-config.xml path: /data/logs
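Review bot: In `BootAssemblyHandlerMapping.updateMapping`, the new early return hands back the original mapping for every handler whose declaring class resolves to the service name `"common"`, so those controllers are registered in the assembled process at their declared paths rather than through `updatePatterns`. How the security layer matches request paths is not visible in this hunk; if any authentication or authorization rule depends on the patterns that `updatePatterns` produces, it should be confirmed that the unchanged routes are still covered. The bare literal would also read better as a named constant with the reason next to it, for example `// handlers from common modules belong to no single service; keep their declared path`. The body of `updateMapping` continues past the end of the hunk.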
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt
index f53e9f47fd..a52c47226a 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt
@@ -28,8 +28,10 @@ package com.tencent.bkrepo.common.artifact.cns import com.tencent.bkrepo.common.artifact.cns.impl.CnsServiceImpl +import com.tencent.bkrepo.common.security.http.core.HttpAuthSecurity import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty import org.springframework.boot.context.properties.EnableConfigurationProperties +import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Import
@@ -40,4 +42,10 @@ import org.springframework.context.annotation.Import
 )
 @EnableConfigurationProperties(CnsProperties::class)
 @ConditionalOnProperty("cns.enabled")
-class CnsConfiguration
+class CnsConfiguration {
+
+ @Bean
+ fun httpAuthSecurity() = HttpAuthSecurity().apply {
+ includePattern("/cns/**")
+ }
+}
From 4a25d44e2e554327646956934d85cda3a5d916c8 Mon Sep 17 00:00:00 2001
From: felixncheng Date: Tue, 8 Aug 2023 16:47:38 +0800 Subject: [PATCH 2/2] =?UTF-8?q?bug:=20=E4=BF=AE=E5=A4=8Dcns=E8=AE=A4?= =?UTF-8?q?=E8=AF=81=E6=8A=A5=E9=94=99=EF=BC=8C=E4=BD=BF=E7=94=A8=E6=9C=8D?= =?UTF-8?q?=E5=8A=A1=E9=97=B4token=E8=AE=A4=E8=AF=81=20#1043?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../common/artifact/cns/CnsConfiguration.kt | 10 +------ .../common/artifact/cns/CnsController.kt | 2 +- .../artifact/cns/impl/CnsServiceImpl.kt | 26 ++++++++++++------- 3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt
index a52c47226a..f53e9f47fd 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsConfiguration.kt
@@ -28,10 +28,8 @@ package com.tencent.bkrepo.common.artifact.cns import com.tencent.bkrepo.common.artifact.cns.impl.CnsServiceImpl -import com.tencent.bkrepo.common.security.http.core.HttpAuthSecurity import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty import org.springframework.boot.context.properties.EnableConfigurationProperties -import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Import
@@ -42,10 +40,4 @@ import org.springframework.context.annotation.Import
 )
 @EnableConfigurationProperties(CnsProperties::class)
 @ConditionalOnProperty("cns.enabled")
-class CnsConfiguration {
-
- @Bean
- fun httpAuthSecurity() = HttpAuthSecurity().apply {
- includePattern("/cns/**")
- }
-}
+class CnsConfiguration
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt
index d10314e478..7962202353 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt
@@ -39,7 +39,7 @@ import org.springframework.web.bind.annotation.RestController @Principal(type = PrincipalType.ADMIN) @RestController -@RequestMapping("cns") +@RequestMapping("/service/cns") class CnsController( private val cnsService: CnsService ) {
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt
index 3137830919..1e115b2e62 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt
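Review bot: In `CnsController.kt`, moving the mapping to `/service/cns` makes the protection of this endpoint depend on whatever enforces the service-to-service token for `/service/` paths, and that enforcement is not visible in this patch. The first patch of the series returns `common` handlers from `BootAssemblyHandlerMapping.updateMapping` with their path unchanged, so in the single-process build this controller is presumably served at exactly `/service/cns`. A test that a request without a valid `MS_AUTH_HEADER_SECURITY_TOKEN` header is rejected should cover that layout as well as the microservice one. `@Principal(type = PrincipalType.ADMIN)` is kept, and a short KDoc on the class should say which mechanism authenticates callers and whether the ADMIN check still applies to service-token requests. The class body continues outside the hunk.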
@@ -28,15 +28,20 @@ package com.tencent.bkrepo.common.artifact.cns.impl import com.google.common.util.concurrent.ThreadFactoryBuilder +import com.tencent.bkrepo.common.api.constant.MS_AUTH_HEADER_UID +import com.tencent.bkrepo.common.api.constant.USER_KEY import com.tencent.bkrepo.common.api.pojo.Response import com.tencent.bkrepo.common.artifact.cns.CnsProperties import com.tencent.bkrepo.common.artifact.cns.CnsService import com.tencent.bkrepo.common.artifact.pojo.RepositoryType +import com.tencent.bkrepo.common.security.constant.MS_AUTH_HEADER_SECURITY_TOKEN +import com.tencent.bkrepo.common.security.service.ServiceAuthManager import com.tencent.bkrepo.common.service.otel.util.AsyncUtils.trace import com.tencent.bkrepo.common.service.util.HttpContextHolder import com.tencent.bkrepo.common.storage.core.StorageProperties import com.tencent.bkrepo.common.storage.core.StorageService import com.tencent.bkrepo.repository.api.StorageCredentialsClient +import com.tencent.bkrepo.repository.constant.SYSTEM_USER import org.slf4j.LoggerFactory import org.springframework.beans.factory.annotation.Value import org.springframework.cloud.client.DefaultServiceInstance
@@ -59,7 +64,8 @@ class CnsServiceImpl(
 private val storageService: StorageService,
 private val storageCredentialsClient: StorageCredentialsClient,
 private val storageProperties: StorageProperties,
- private val cnsProperties: CnsProperties
+ private val cnsProperties: CnsProperties,
+ private val serviceAuthManager: ServiceAuthManager
 ) : CnsService {
 @Value("\${service.prefix:}")
 private val servicePrefix: String = ""
@@ -67,12 +73,12 @@ class CnsServiceImpl( @Value("\${service.suffix:}") private val serviceSuffix: String = "" - private val restTemplate = RestTemplate() - private var services = mutableMapOf>() private var lastUpdatedTime = -1L + private val restTemplate = RestTemplate() + override fun exist(key: String?, sha256: String): Boolean { val storageCredentials = storageCredentialsClient.findByKey(key).data ?: storageProperties.defaultStorageCredentials()
@@ -96,21 +102,22 @@ class CnsServiceImpl( logger.info("Not found any match service.") return false } - val token = HttpContextHolder.getRequest().getHeader(HttpHeaders.AUTHORIZATION) + val uid = HttpContextHolder.getRequestOrNull()?.getAttribute(USER_KEY)?.toString() ?: SYSTEM_USER val tasks = targetServices.map { - Callable { sendExistRequest(key, sha256, it, token) }.trace() + Callable { sendExistRequest(key, sha256, it, uid) }.trace() } val futures = threadPool.invokeAll(tasks) return futures.firstOrNull { it.get() == false } == null } - private fun sendExistRequest(key: String?, sha256: String, instance: ServiceInstance, token: String): Boolean { + private fun sendExistRequest(key: String?, sha256: String, instance: ServiceInstance, uid: String): Boolean { with(instance) { val target = instance.uri - val url = "$target/cns/exist?key=$key&sha256=$sha256" + val url = "$target/service/cns/exist?key=$key&sha256=$sha256" try { val headers = HttpHeaders() - headers.add(HttpHeaders.AUTHORIZATION, token) + headers.add(MS_AUTH_HEADER_SECURITY_TOKEN, serviceAuthManager.getSecurityToken()) + headers.add(MS_AUTH_HEADER_UID, uid) val httpEntity = HttpEntity(headers) val response = restTemplate.exchange(url, HttpMethod.GET, httpEntity, Response::class.java).body if (logger.isDebugEnabled) {
@@ -153,6 +160,7 @@ class CnsServiceImpl(
 serviceIds.add(dockerServiceId)
 serviceIds.add(ociServiceId)
 }
+
 else -> {
 serviceIds.add(formatServiceId(type.name.toLowerCase()))
 }
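Review bot: In `CnsServiceImpl.exist`, `uid` falls back to `SYSTEM_USER` not only when there is no current request but also when a request exists and carries no `USER_KEY` attribute, and `sendExistRequest` then asserts that value to the peer in `MS_AUTH_HEADER_UID` alongside the service token. The peer endpoint is annotated `@Principal(type = PrincipalType.ADMIN)`, so if the system user satisfies that check (not visible here), a call that arrived without an authenticated user is forwarded with a privileged identity. I would keep the fallback for the no-request case only: `val request = HttpContextHolder.getRequestOrNull()` and `val uid = if (request == null) SYSTEM_USER else request.getAttribute(USER_KEY)?.toString() ?: error("no authenticated user on request")`. The URL in `sendExistRequest` is also still built by interpolation, so a null `key` is sent as the text `null` and neither parameter is encoded; `UriComponentsBuilder` with `key` added only when non-null would fix both. Both function bodies run past the hunk.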
@@ -164,7 +172,7 @@ class CnsServiceImpl( return "$servicePrefix$name$serviceSuffix" } - companion object { + private companion object { private val logger = LoggerFactory.getLogger(CnsServiceImpl::class.java) private val threadFactory = ThreadFactoryBuilder().setNameFormat("cns-%d").build() private val threadPool =