feature: ESB 网关认证参数标准化 TencentBlueKing#2590

src/backend/commons/common-web/src/main/java/com/tencent/bk/job/common/web/config/WebInterceptorAutoConfiguration.java

@@ -27,7 +27,6 @@
 import com.tencent.bk.job.common.jwt.JwtManager;
 import com.tencent.bk.job.common.service.SpringProfile;
 import com.tencent.bk.job.common.web.interceptor.EsbApiLogInterceptor;
-import com.tencent.bk.job.common.web.interceptor.EsbReqRewriteInterceptor;
 import com.tencent.bk.job.common.web.interceptor.JobCommonInterceptor;
 import com.tencent.bk.job.common.web.interceptor.ServiceSecurityInterceptor;
 import org.springframework.cloud.sleuth.Tracer;
@@ -50,11 +49,6 @@ public EsbApiLogInterceptor esbApiLogInterceptor() {
         return new EsbApiLogInterceptor();
     }
 
-    @Bean
-    public EsbReqRewriteInterceptor esbReqRewriteInterceptor() {
-        return new EsbReqRewriteInterceptor();
-    }
-
     @Bean
     public ServiceSecurityInterceptor serviceSecurityInterceptor(JwtManager jwtManager, SpringProfile springProfile) {
         return new ServiceSecurityInterceptor(jwtManager, springProfile);

src/backend/commons/common-web/src/main/java/com/tencent/bk/job/common/web/interceptor/EsbApiLogInterceptor.java

@@ -25,7 +25,6 @@
 package com.tencent.bk.job.common.web.interceptor;
 
 import com.fasterxml.jackson.databind.node.ObjectNode;
-import com.fasterxml.jackson.databind.node.TextNode;
 import com.tencent.bk.job.common.annotation.JobInterceptor;
 import com.tencent.bk.job.common.constant.InterceptorOrder;
 import com.tencent.bk.job.common.constant.JobCommonHeaders;
@@ -48,8 +47,6 @@ public class EsbApiLogInterceptor extends HandlerInterceptorAdapter {
 
     private static final String ATTR_REQUEST_START = "request-start";
     private static final String ATTR_API_NAME = "api-name";
-    private static final String ATTR_USERNAME = "username";
-    private static final String ATTR_APP_CODE = "app-code";
 
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
@@ -59,8 +56,8 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
         RepeatableReadWriteHttpServletRequest wrapperRequest = (RepeatableReadWriteHttpServletRequest) request;
         String desensitizedBody = "";
         String desensitizedQueryParams = "";
-        String username = "";
-        String appCode = "";
+        String username = request.getHeader(JobCommonHeaders.USERNAME);
+        String appCode = request.getHeader(JobCommonHeaders.APP_CODE);
         String apiName = "";
         String lang = request.getHeader(JobCommonHeaders.BK_GATEWAY_LANG);
         String requestId = request.getHeader(JobCommonHeaders.BK_GATEWAY_REQUEST_ID);
@@ -70,28 +67,9 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
             apiName = getAPIName(wrapperRequest.getRequestURI());
             request.setAttribute(ATTR_API_NAME, apiName);
             desensitizedQueryParams = desensitizeQueryParams(request.getQueryString());
-            if (request.getMethod().equals(HttpMethod.POST.name())
-                || request.getMethod().equals(HttpMethod.PUT.name())) {
-                if (StringUtils.isNotBlank(wrapperRequest.getBody())) {
-                    ObjectNode jsonBody = (ObjectNode) JsonUtils.toJsonNode(wrapperRequest.getBody());
-                    if (jsonBody == null) {
-                        return true;
-                    }
-                    username = jsonBody.get("bk_username") == null ? null : jsonBody.get("bk_username").asText();
-                    appCode = jsonBody.get("bk_app_code") == null ? null : jsonBody.get("bk_app_code").asText();
-
-                    // hidden sensitive data
-                    jsonBody.set("bk_app_secret", TextNode.valueOf("***"));
-                    desensitizedBody = jsonBody.toString();
-                }
-            } else if (request.getMethod().equals(HttpMethod.GET.name())) {
-                username = request.getParameter("bk_username");
-                appCode = request.getParameter("bk_app_code");
-                request.setAttribute(ATTR_USERNAME, username);
-                request.setAttribute(ATTR_APP_CODE, appCode);
-            }
-        } catch (Throwable e) {
-            return true;
+            desensitizedBody = desensitizeRequestBody(wrapperRequest);
+        } catch (Throwable ignore) {
+            // do nothing
         } finally {
             log.info("request-id: {}|lang: {}|API: {}|uri: {}|appCode: {}|username: {}|body: {}|queryParams: {}",
                 requestId, lang, apiName, request.getRequestURI(), appCode, username, desensitizedBody,
@@ -100,6 +78,25 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
         return true;
     }
 
+    private String desensitizeRequestBody(RepeatableReadWriteHttpServletRequest request) {
+        if (request.getMethod().equals(HttpMethod.POST.name())
+            || request.getMethod().equals(HttpMethod.PUT.name())) {
+            if (StringUtils.isNotBlank(request.getBody())) {
+                ObjectNode jsonBody = (ObjectNode) JsonUtils.toJsonNode(request.getBody());
+                if (jsonBody == null) {
+                    return null;
+                }
+
+                // 由于历史原因，ESB API 的调用方会在 Body 中直接传入 bk_app_secret 这个敏感参数，需要在日志记录的时候脱敏
+                if (jsonBody.get("bk_app_secret") != null) {
+                    jsonBody.remove("bk_app_secret");
+                }
+                return jsonBody.toString();
+            }
+        }
+        return null;
+    }
+
     private String desensitizeQueryParams(String queryParams) {
         String desensitizedQueryParams = queryParams;
         if (StringUtils.isNotEmpty(queryParams)) {
@@ -138,8 +135,8 @@ public void afterCompletion(HttpServletRequest request, HttpServletResponse resp
         try {
             Long startTimeInMills = (Long) request.getAttribute(ATTR_REQUEST_START);
             String apiName = (String) request.getAttribute(ATTR_API_NAME);
-            String appCode = (String) request.getAttribute(ATTR_APP_CODE);
-            String username = (String) request.getAttribute(ATTR_USERNAME);
+            String username = request.getHeader(JobCommonHeaders.USERNAME);
+            String appCode = request.getHeader(JobCommonHeaders.APP_CODE);
             String requestId = request.getHeader(JobCommonHeaders.BK_GATEWAY_REQUEST_ID);
             int respStatus = response.getStatus();
             long cost = System.currentTimeMillis() - startTimeInMills;

src/backend/commons/esb-sdk/src/main/java/com/tencent/bk/job/common/esb/model/EsbReq.java

@@ -27,7 +27,6 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.tencent.bk.job.common.util.http.BasicHttpReq;
-import com.tencent.bk.job.common.util.json.SkipLogFields;
 import lombok.Getter;
 import lombok.Setter;
 
@@ -37,20 +36,19 @@
 @Setter
 @Getter
 public class EsbReq extends BasicHttpReq {
-    @JsonProperty("bk_app_code")
-    private String appCode;
-
-    @SkipLogFields("bk_app_secret")
-    @JsonProperty("bk_app_secret")
-    private String appSecret;
-
-    @JsonProperty("bk_username")
-    private String userName;
-
-    @JsonProperty("bk_token")
-    @JsonInclude(JsonInclude.Include.NON_EMPTY)
-    private String bkToken;
-
+//    @JsonProperty("bk_app_code")
+//    private String appCode;
+//
+//    @SkipLogFields("bk_app_secret")
+//    @JsonProperty("bk_app_secret")
+//    private String appSecret;
+//
+//    @JsonProperty("bk_username")
+//    private String userName;
+
+    /**
+     * 租户账号 - 除了 cmdb 之外，其他平台暂未使用
+     */
     @JsonProperty("bk_supplier_account")
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     private String bkSupplierAccount;

src/backend/job-execute/api-job-execute/src/main/java/com/tencent/bk/job/execute/api/esb/v2/EsbExecuteTaskResource.java

@@ -25,12 +25,14 @@
 package com.tencent.bk.job.execute.api.esb.v2;
 
 import com.tencent.bk.job.common.annotation.EsbAPI;
+import com.tencent.bk.job.common.constant.JobCommonHeaders;
 import com.tencent.bk.job.common.esb.model.EsbResp;
 import com.tencent.bk.job.execute.model.esb.v2.EsbJobExecuteDTO;
 import com.tencent.bk.job.execute.model.esb.v2.request.EsbExecuteJobRequest;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -44,6 +46,8 @@ public interface EsbExecuteTaskResource {
 
     @PostMapping("/execute_job")
     EsbResp<EsbJobExecuteDTO> executeJob(
+        @RequestHeader(value = JobCommonHeaders.USERNAME) String username,
+        @RequestHeader(value = JobCommonHeaders.APP_CODE) String appCode,
         @RequestBody
         @Validated
             EsbExecuteJobRequest request

src/backend/job-execute/api-job-execute/src/main/java/com/tencent/bk/job/execute/api/esb/v2/EsbFastExecuteSQLResource.java

@@ -25,12 +25,14 @@
 package com.tencent.bk.job.execute.api.esb.v2;
 
 import com.tencent.bk.job.common.annotation.EsbAPI;
+import com.tencent.bk.job.common.constant.JobCommonHeaders;
 import com.tencent.bk.job.common.esb.model.EsbResp;
 import com.tencent.bk.job.execute.model.esb.v2.EsbJobExecuteDTO;
 import com.tencent.bk.job.execute.model.esb.v2.request.EsbFastExecuteSQLRequest;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -44,6 +46,8 @@ public interface EsbFastExecuteSQLResource {
 
     @PostMapping("/fast_execute_sql")
     EsbResp<EsbJobExecuteDTO> fastExecuteSQL(
+        @RequestHeader(value = JobCommonHeaders.USERNAME) String username,
+        @RequestHeader(value = JobCommonHeaders.APP_CODE) String appCode,
         @RequestBody
         @Validated
             EsbFastExecuteSQLRequest request

src/backend/job-execute/api-job-execute/src/main/java/com/tencent/bk/job/execute/api/esb/v2/EsbFastExecuteScriptResource.java

@@ -25,12 +25,14 @@
 package com.tencent.bk.job.execute.api.esb.v2;
 
 import com.tencent.bk.job.common.annotation.EsbAPI;
+import com.tencent.bk.job.common.constant.JobCommonHeaders;
 import com.tencent.bk.job.common.esb.model.EsbResp;
 import com.tencent.bk.job.execute.model.esb.v2.EsbJobExecuteDTO;
 import com.tencent.bk.job.execute.model.esb.v2.request.EsbFastExecuteScriptRequest;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -44,6 +46,8 @@ public interface EsbFastExecuteScriptResource {
 
     @PostMapping("/fast_execute_script")
     EsbResp<EsbJobExecuteDTO> fastExecuteScript(
+        @RequestHeader(value = JobCommonHeaders.USERNAME) String username,
+        @RequestHeader(value = JobCommonHeaders.APP_CODE) String appCode,
         @RequestBody
         @Validated
             EsbFastExecuteScriptRequest request

src/backend/job-execute/api-job-execute/src/main/java/com/tencent/bk/job/execute/api/esb/v3/EsbGetJobInstanceListV3Resource.java

@@ -49,6 +49,8 @@ public interface EsbGetJobInstanceListV3Resource {
 
     @PostMapping("/get_job_instance_list")
     EsbResp<EsbPageDataV3<EsbTaskInstanceV3DTO>> getJobInstanceListUsingPost(
+        @RequestHeader(value = JobCommonHeaders.USERNAME) String username,
+        @RequestHeader(value = JobCommonHeaders.APP_CODE) String appCode,
         @RequestBody
         @Validated
             EsbGetJobInstanceListV3Request request

src/backend/job-execute/service-job-execute/src/main/java/com/tencent/bk/job/execute/api/esb/v2/impl/EsbExecuteTaskResourceImpl.java

@@ -78,7 +78,11 @@ public EsbExecuteTaskResourceImpl(TaskExecuteService taskExecuteService) {
             ExecuteMetricsConstants.TAG_KEY_TASK_TYPE, ExecuteMetricsConstants.TAG_VALUE_TASK_TYPE_EXECUTE_PLAN
         })
     @AuditEntry(actionId = ActionId.LAUNCH_JOB_PLAN)
-    public EsbResp<EsbJobExecuteDTO> executeJob(@AuditRequestBody EsbExecuteJobRequest request) {
+    public EsbResp<EsbJobExecuteDTO> executeJob(
+        String username,
+        String appCode,
+        @AuditRequestBody EsbExecuteJobRequest request) {
+
         log.info("Execute task, request={}", JsonUtils.toJson(request));
         ValidateResult checkResult = checkExecuteTaskRequest(request);
         if (!checkResult.isPass()) {
@@ -110,11 +114,11 @@ public EsbResp<EsbJobExecuteDTO> executeJob(@AuditRequestBody EsbExecuteJobReque
                 .builder()
                 .appId(request.getAppId())
                 .planId(request.getTaskId())
-                .operator(request.getUserName())
+                .operator(username)
                 .executeVariableValues(executeVariableValues)
                 .startupMode(TaskStartupModeEnum.API)
                 .callbackUrl(request.getCallbackUrl())
-                .appCode(request.getAppCode())
+                .appCode(appCode)
                 .build());
 
         EsbJobExecuteDTO result = new EsbJobExecuteDTO();