diff --git a/server/config/config.go b/server/config/config.go
index f0af627f3..1b7dd93d2 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -185,7 +185,8 @@ func loadServerConfig() ServerConfig {
 SchemaDisable: GetBool("registry.schema.disable", false, WithENV("SCHEMA_DISABLE")),
- EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+ EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+ AllowMissToken: GetBool("rbac.allowMissToken", true, WithStandby("rbac_allow_missToken")),
 },
 }
 }
diff --git a/server/config/server.go b/server/config/server.go
index 809169791..33fbc5223 100644
--- a/server/config/server.go
+++ b/server/config/server.go
@@ -48,7 +48,8 @@ type ServerConfigDetail struct {
 EnablePProf bool `json:"enablePProf"`
 EnableCache bool `json:"enableCache"`
- EnableRBAC bool `json:"enableRBAC"`
+ EnableRBAC bool `json:"enableRBAC"`
+ AllowMissToken bool `json:"AllowMissToken"`
 LogRotateSize int64 `json:"-"`
 LogBackupCount int64 `json:"-"`
@@ -64,7 +65,7 @@ type ServerConfigDetail struct {
 SelfRegister bool `json:"selfRegister"`
- //CacheTTL is the ttl of cache
+ // CacheTTL is the ttl of cache
 CacheTTL time.Duration `json:"cacheTTL"`
 GlobalVisible string `json:"-"`
diff --git a/server/plugin/auth/buildin/buildin.go b/server/plugin/auth/buildin/buildin.go
index 21f2d0451..3621933e0 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -22,8 +22,14 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "reflect"
 "strings"
+ "github.com/go-chassis/cari/pkg/errsvc"
+ rbacmodel "github.com/go-chassis/cari/rbac"
+ "github.com/go-chassis/go-chassis/v2/security/authr"
+ "github.com/go-chassis/go-chassis/v2/server/restful"
+
 "github.com/apache/servicecomb-service-center/pkg/log"
 "github.com/apache/servicecomb-service-center/pkg/plugin"
 "github.com/apache/servicecomb-service-center/pkg/rest"
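Review bot: Defaulting `rbac.allowMissToken` to `true` switches the new bypass on for every deployment that enables RBAC, and the buildin.go hunk at `@@ -90,15 +95,22 @@` applies it regardless of `rbacsvc.MustAuth(pattern)`: VerifyRequest returns `nil, nil` on `ErrNoAuthHeader`, so mustAuth returns a nil account with no error even for patterns that previously demanded a token. Unless the caller of mustAuth (outside this diff) rejects a nil account, a request with no auth header is no longer refused on those routes. A secure-by-default setting is `AllowMissToken: GetBool("rbac.allowMissToken", false, WithStandby("rbac_allow_missToken")),`, and the bypass would be better limited to patterns where `!rbacsvc.MustAuth(pattern)`, which is the short-circuit the removed lines provided. The enclosing loadServerConfig body starts outside the hunk.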
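Review bot: The json tag on the new field, `AllowMissToken`, breaks the lowerCamel convention of the neighbouring tags (`enableRBAC`, `enableCache`, `selfRegister`), so the serialized config exposes this one key in a different casing. Suggest the tag `allowMissToken` before anything depends on the current spelling, plus a field comment such as `// AllowMissToken lets a request without an auth header pass token verification when RBAC is enabled; see rbac.allowMissToken.` The enclosing ServerConfigDetail struct starts outside the hunk.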
@@ -32,13 +38,12 @@ import (
 "github.com/apache/servicecomb-service-center/server/plugin/auth"
 rbacsvc "github.com/apache/servicecomb-service-center/server/service/rbac"
 "github.com/apache/servicecomb-service-center/server/service/rbac/token"
- rbacmodel "github.com/go-chassis/cari/rbac"
- "github.com/go-chassis/go-chassis/v2/security/authr"
- "github.com/go-chassis/go-chassis/v2/server/restful"
 )
 var ErrNoRoles = errors.New("no role found in token")
+const disCoveryType = "*errsvc.Error"
+
 func init() {
 plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin", New: New})
 }
@@ -90,15 +95,22 @@ func getRequestPattern(req *http.Request) string {
 }
 func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string) (*rbacmodel.Account, error) {
- if !rbacsvc.MustAuth(pattern) {
- return nil, nil
+ account, err := ba.VerifyRequest(req)
+ if err == nil {
+ return account, err
 }
- return ba.VerifyRequest(req)
+ if rbacsvc.MustAuth(pattern) {
+ return nil, err
+ }
+ return nil, nil
 }
 func (ba *TokenAuthenticator) VerifyRequest(req *http.Request) (*rbacmodel.Account, error) {
 claims, err := ba.VerifyToken(req)
 if err != nil {
+ if reflect.TypeOf(err).String() == disCoveryType && err.(*errsvc.Error).Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {
+ return nil, nil
+ }
 log.Error(fmt.Sprintf("verify request token failed, %s %s", req.Method, req.RequestURI), err)
 return nil, err
 }
@@ -172,12 +184,12 @@ func checkPerm(roleList []string, req *http.Request) ([]map[string]string, error
 if hasAdmin {
 return nil, nil
 }
- //todo fast check for dev role
+ // todo fast check for dev role
 targetResource := FromRequest(req)
 if targetResource == nil {
 return nil, errors.New("no valid resouce scope")
 }
- //TODO add project
+ // TODO add project
 project := req.URL.Query().Get(":project")
 return rbacsvc.Allow(req.Context(), project, normalRoles, targetResource)
 }
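Review bot: The missing-token check in VerifyRequest identifies the error by `reflect.TypeOf(err).String() == disCoveryType` followed by an unchecked assertion `err.(*errsvc.Error)`, which pins the bypass to the spelled-out type name declared in the `@@ -32,13 +38,12 @@` hunk and silently stops matching (falling through to the error path) if VerifyToken ever wraps its error. `errors.As` states the same condition without reflect or the string constant: `var svcErr *errsvc.Error` and `if errors.As(err, &svcErr) && svcErr.Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {`, after which the `reflect` import and `disCoveryType` can be dropped. In mustAuth, `return account, err` on the `err == nil` branch reads clearer as `return account, nil`. VerifyRequest's body continues past the end of the hunk.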
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index 5d1808efd..3c3ff5d10 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -135,7 +135,7 @@ func readPublicKey() {
 log.Info("read public key success")
 }
 func initFirstTime() {
- //handle root account
+ // handle root account
 pwd := getPassword()
 if len(pwd) == 0 {
 log.Warn("skip init root account! Cause by " + InitPassword + " is empty. " +
@@ -176,6 +176,10 @@ func Enabled() bool {
 return config.GetRBAC().EnableRBAC
 }
+func AllowMissToken() bool {
+ return config.GetRBAC().AllowMissToken
+}
+
 // PublicKey get public key to verify a token
 func PublicKey() string {
 return archaius.GetString("rbac_public_key", "")
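Review bot: The new exported `AllowMissToken` has no doc comment, unlike its neighbour `PublicKey`, and the name alone does not say which way the bool reads. Suggest `// AllowMissToken reports whether rbac.allowMissToken is set, which lets the buildin auth plugin skip token verification for a request that carries no auth header.` The `Enabled` function whose closing brace opens this hunk starts outside it.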