[#1137] API security authentication support set uri whitelist (#1138) (…

…#1139)
huaweicloud · Dec 15, 2023 · a2f742a · a2f742a
1 parent 7fe73a6
commit a2f742a
Show file tree

Hide file tree

Showing 10 changed files with 154 additions and 35 deletions.
diff --git a/...b-tests/account-provider/src/main/java/com/huaweicloud/crossappsample/AuthController.java b/...b-tests/account-provider/src/main/java/com/huaweicloud/crossappsample/AuthController.java
@@ -74,4 +74,9 @@ public String checkTokenSecurity() {
     }
     return "success";
   }
+
+  @RequestMapping("/checkWhitelist")
+  public String checkWhitelist() {
+    return "success";
+  }
 }
diff --git a/...tion-tests/discovery-servicecomb-tests/account-provider/src/main/resources/bootstrap.yaml b/...tion-tests/discovery-servicecomb-tests/account-provider/src/main/resources/bootstrap.yaml
@@ -62,6 +62,7 @@ spring:
                 rule: order*
 
           securityPolicyEnabled: true
+          apiPathWhitelist: '/checkWhitelist'
           acls:
             app: canary
             mode: permissive

diff --git a/...b-tests/discovery-tests-client/src/test/java/com/huaweicloud/sample/AuthControllerIT.java b/...b-tests/discovery-tests-client/src/test/java/com/huaweicloud/sample/AuthControllerIT.java
@@ -77,4 +77,10 @@ public void testCheckTokenSecurityFailFromOther() {
     }
     assertThat(exception).isEqualTo(true);
   }
+
+  @Test
+  public void testApiPathWhitelistSucesssFromConsumer() {
+    String result = template.getForObject(accountServiceUrl + "/checkWhitelist", String.class);
+    assertThat(result).isEqualTo("success");
+  }
 }
diff --git a/...loud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/Const.java b/...loud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/Const.java
@@ -27,4 +27,6 @@ public class Const {
   public static final String AUTH_TOKEN_CHECK_ENABLED = "spring.cloud.servicecomb.webmvc.publicKey.tokenCheckEnabled";
 
   public static final String AUTH_TOKEN_HEADER_KEY = "spring.cloud.servicecomb.webmvc.publicKey.headerTokenKey";
+
+  public static final String AUTH_API_PATH_WHITELIST = "spring.cloud.servicecomb.webmvc.publicKey.apiPathWhitelist";
 }
diff --git a/...awei-governance/src/main/java/com/huaweicloud/governance/authentication/MatcherUtils.java b/...awei-governance/src/main/java/com/huaweicloud/governance/authentication/MatcherUtils.java
@@ -0,0 +1,37 @@
+/*
+
+ * Copyright (C) 2020-2022 Huawei Technologies Co., Ltd. All rights reserved.
+
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.huaweicloud.governance.authentication;
+
+public class MatcherUtils {
+  public static boolean isPatternMatch(String value, String pattern) {
+    if (pattern.startsWith("*") || pattern.startsWith("/*")) {
+      int index = 0;
+      for (int i = 0; i < pattern.length(); i++) {
+        if (pattern.charAt(i) != '*' && pattern.charAt(i) != '/') {
+          break;
+        }
+        index++;
+      }
+      return value.endsWith(pattern.substring(index));
+    }
+    if (pattern.endsWith("*")) {
+      return value.startsWith(pattern.substring(0, pattern.length() - 1));
+    }
+    return value.equals(pattern);
+  }
+}
diff --git a/...ain/java/com/huaweicloud/governance/authentication/ProviderAuthPreHandlerInterceptor.java b/...ain/java/com/huaweicloud/governance/authentication/ProviderAuthPreHandlerInterceptor.java
@@ -37,7 +37,9 @@ public ProviderAuthPreHandlerInterceptor(List<AccessController> accessController
 
   @Override
   public boolean handle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
-    authenticationTokenManager.valid(request);
+    if (!authenticationTokenManager.checkUriWhitelist(request.getRequestURI())) {
+      authenticationTokenManager.valid(request);
+    }
     return true;
   }
 }
diff --git a/...ance/src/main/java/com/huaweicloud/governance/authentication/RSAProviderTokenManager.java b/...ance/src/main/java/com/huaweicloud/governance/authentication/RSAProviderTokenManager.java
@@ -75,4 +75,17 @@ public void valid(HttpServletRequest request) throws Exception {
       throw e;
     }
   }
+
+  public boolean checkUriWhitelist(String uri) {
+    String whitelist = environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, "");
+    if (whitelist.isEmpty()) {
+      return false;
+    }
+    for (String whiteUri : whitelist.split(",")) {
+      if (!whiteUri.isEmpty() && MatcherUtils.isPatternMatch(uri, whiteUri)) {
+        return true;
+      }
+    }
+    return false;
+  }
 }
diff --git a/...va/com/huaweicloud/governance/authentication/securityPolicy/SecurityPolicyProperties.java b/...va/com/huaweicloud/governance/authentication/securityPolicy/SecurityPolicyProperties.java
@@ -20,6 +20,8 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.huaweicloud.governance.authentication.MatcherUtils;
+
 public class SecurityPolicyProperties {
 
   public static class ConfigurationItem {
@@ -142,7 +144,7 @@ public boolean matchAllow(String serviceName, String uri, String method) {
     }
 
     for (ConfigurationItem item : action.allow) {
-      if (checkUri(uri, item.getUri()) && method.equals(item.getMethod())
+      if (MatcherUtils.isPatternMatch(uri, item.getUri()) && method.equals(item.getMethod())
           && item.getConsumer().equals(serviceName)) {
         return true;
       }
@@ -155,32 +157,11 @@ public boolean matchDeny(String serviceName, String uri, String method) {
       return false;
     }
     for (ConfigurationItem item : action.deny) {
-      if (checkUri(uri, item.getUri()) && method.equals(item.getMethod())
+      if (MatcherUtils.isPatternMatch(uri, item.getUri()) && method.equals(item.getMethod())
           && item.getConsumer().equals(serviceName)) {
         return true;
       }
     }
     return false;
   }
-
-  private boolean checkUri(String requestUri, String patternUri) {
-    if (patternUri.endsWith("*")) {
-      String pattern = patternUri.substring(0, patternUri.indexOf("*"));
-      return requestUri.startsWith(pattern);
-    } else if (patternUri.startsWith("*")) {
-      StringBuilder stringBuilder = new StringBuilder();
-      stringBuilder.append("/");
-      int index = 0;
-      for (int i = 0; i < patternUri.length(); i++) {
-        if (patternUri.charAt(i) != '*' && patternUri.charAt(i) != '/') {
-          break;
-        }
-        index++;
-      }
-      stringBuilder.append(patternUri.substring(index));
-      return requestUri.endsWith(stringBuilder.toString());
-    } else {
-      return requestUri.equals(patternUri);
-    }
-  }
 }
diff --git a/...java/com/huaweicloud/governance/authentication/whiteBlack/WhiteBlackAccessController.java b/...java/com/huaweicloud/governance/authentication/whiteBlack/WhiteBlackAccessController.java
@@ -25,6 +25,7 @@
 import com.huaweicloud.governance.authentication.AccessController;
 import com.huaweicloud.governance.authentication.AuthRequestExtractor;
 import com.huaweicloud.governance.authentication.AuthenticationAdapter;
+import com.huaweicloud.governance.authentication.MatcherUtils;
 import com.huaweicloud.governance.authentication.UnAuthorizedException;
 
 /**
@@ -93,16 +94,6 @@ private boolean matchMicroserviceProperties(String serviceId, String instanceId,
     if (StringUtils.isEmpty(propertyValue)) {
       return false;
     }
-    return isPatternMatch(propertyValue, item.getRule());
-  }
-
-  private boolean isPatternMatch(String value, String pattern) {
-    if (pattern.startsWith("*")) {
-      return value.endsWith(pattern.substring(1));
-    }
-    if (pattern.endsWith("*")) {
-      return value.startsWith(pattern.substring(0, pattern.length() - 1));
-    }
-    return value.equals(pattern);
+    return MatcherUtils.isPatternMatch(propertyValue, item.getRule());
   }
 }
diff --git a/...com/huaweicloud/governance/authentication/securityPolicy/RSAProviderTokenManagerTest.java b/...com/huaweicloud/governance/authentication/securityPolicy/RSAProviderTokenManagerTest.java
@@ -0,0 +1,81 @@
+/*
+
+ * Copyright (C) 2020-2022 Huawei Technologies Co., Ltd. All rights reserved.
+
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.huaweicloud.governance.authentication.securityPolicy;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.springframework.core.env.Environment;
+
+import com.huaweicloud.governance.authentication.Const;
+import com.huaweicloud.governance.authentication.RSAProviderTokenManager;
+
+public class RSAProviderTokenManagerTest {
+  private Environment environment = Mockito.mock(Environment.class);
+
+  private RSAProviderTokenManager manager
+      = new RSAProviderTokenManager(null, environment, null);
+
+  @Test
+  public void testCheckUriWhitelistPrefixMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("*/whitelist");
+    Assertions.assertTrue(manager.checkUriWhitelist("/api/check/whitelist"));
+  }
+
+  @Test
+  public void testCheckUriWhitelistPrefixSlashMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("/*/whitelist");
+    Assertions.assertTrue(manager.checkUriWhitelist("/api/check/whitelist"));
+  }
+  @Test
+  public void testCheckUriWhitelistPrefixNotMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("*/whitelist");
+    Assertions.assertFalse(manager.checkUriWhitelist("/api/check/query"));
+  }
+
+  @Test
+  public void testCheckUriWhitelistSuffixMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("/api/*");
+    Assertions.assertTrue(manager.checkUriWhitelist("/api/check/whitelist"));
+  }
+
+  @Test
+  public void testCheckUriWhitelistSuffixNotMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("/apg/*");
+    Assertions.assertFalse(manager.checkUriWhitelist("/api/check/whitelist"));
+  }
+
+  @Test
+  public void testCheckUriWhitelistEqualMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("/api/check/whitelist");
+    Assertions.assertTrue(manager.checkUriWhitelist("/api/check/whitelist"));
+  }
+
+  @Test
+  public void testCheckUriWhitelistEqualNotMatch() {
+    Mockito.when(environment.getProperty(Const.AUTH_API_PATH_WHITELIST, String.class, ""))
+        .thenReturn("/api/check/white");
+    Assertions.assertFalse(manager.checkUriWhitelist("/api/check/whitelist"));
+  }
+}