

auth white list (#66)
* add dconfs to control whether to generate auth

---------

Co-authored-by: zeyu10 <[email protected]>
techloghub and zeyu10 authored May 29, 2024
1 parent 06e7f90 commit 6005c38
Showing 4 changed files with 86 additions and 1 deletion.
Expand Up @@ -19,11 +19,15 @@
import com.weibo.rill.flow.common.util.AuthHttpUtil;
import com.weibo.rill.flow.interfaces.model.task.TaskInfo;
import com.weibo.rill.flow.service.auth.AuthHeaderGenerator;
import com.weibo.rill.flow.service.dconfs.BizDConfs;
import com.weibo.rill.flow.service.util.ExecutionIdUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Service;

import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

@Service("authHeaderGenerator")
Expand All @@ -37,6 +41,9 @@ public class FlowAuthHeaderGenerator implements AuthHeaderGenerator {
@Value("${rill_flow_auth_secret_key}")
private String authSecret;

@Autowired
private BizDConfs bizDConfs;

@Override
public void appendRequestHeader(HttpHeaders httpHeaders, String executionId, TaskInfo task, Map<String, Object> input) {
Map<String, String> paramMap = new TreeMap<>();
Expand All @@ -47,7 +54,14 @@ public void appendRequestHeader(HttpHeaders httpHeaders, String executionId, Tas
paramMap.put("task_name", task.getName());
}
paramMap.put("ts", String.valueOf(System.currentTimeMillis()));
AuthHttpUtil.addSignToParam(paramMap, authSecret);
Set<String> authBusinessWhiteList = bizDConfs.getGenerateAuthHeaderBusinessIds();
String generateAuth = String.valueOf(input.get("generate_auth")).toLowerCase();
if (executionId != null && authBusinessWhiteList.contains(ExecutionIdUtil.getBusinessId(executionId))
|| "1".equals(generateAuth) || "true".equals(generateAuth)
) {
AuthHttpUtil.addSignToParam(paramMap, authSecret);
input.remove("generate_auth");
}
httpHeaders.add("X-Callback-Url", flowServerHost + flowCallbackUri + "?" + AuthHttpUtil.paramToQueryString(paramMap, "utf-8"));
}
}
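Review bot: The new `if` around `AuthHttpUtil.addSignToParam` makes signing of `X-Callback-Url` opt-in: when the business id is not in `getGenerateAuthHeaderBusinessIds()` and the input carries no `generate_auth`, the URL now goes out with `ts` but no signature, whereas the removed line signed every callback. The receiving side of the callback is not visible on this page, so it should be confirmed that it rejects a callback with no signature; if it accepts one, keeping signing as the default and using the list to exempt businesses would be the safer direction. The same lines also assume `input` is non-null and mutable, since `input.get(...)` and `input.remove("generate_auth")` would throw on a null or immutable map; reading the flag with `Object flag = input == null ? null : input.get("generate_auth");` and a comment saying that the key is consumed here would make that contract explicit. Part of the method body between the second and third hunk is not shown.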
Expand Up @@ -118,6 +118,9 @@ public class BizDConfsImpl implements BizDConfs {
@Value("#{'${weibo.flow.sys.exp.filter.ignore.logs:}'.split(',')}")
private Set<String> sysExpFilterIgnoreLogs;

@Value("#{'${weibo.flow.generate.auth.header.business.ids:}'.split(',')}")
private Set<String> generateAuthHeaderBusinessIds;

@Value("#{${weibo.flow.tenant.defined.task.invoke.profile.log:{:}}}")
private Map<String, List<String>> tenantDefinedTaskInvokeProfileLog;

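Review bot: The `split(',')` in the new `@Value` does not trim its elements, so a property value such as `a, b` (constructed example) produces the entry ` b`, which never equals a business id and silently leaves that business unsigned. With the empty default the expression should also yield a set holding one empty string rather than an empty set, which would match if `ExecutionIdUtil.getBusinessId` ever returned `""` (its behaviour is not shown here). A comment on the field such as `// comma-separated, no spaces; empty means no business is signed by default` would document this, or the getter could strip entries and drop blank ones. The class body continues outside the hunk.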
@@ -0,0 +1,67 @@
package com.weibo.rill.flow.impl.auth

import com.weibo.rill.flow.interfaces.model.task.TaskInfo
import com.weibo.rill.flow.service.dconfs.BizDConfs
import org.springframework.http.HttpHeaders
import spock.lang.Specification

class FlowAuthHeaderGeneratorTest extends Specification {
BizDConfs bizDConfs = Mock(BizDConfs)
FlowAuthHeaderGenerator flowAuthHeaderGenerator = new FlowAuthHeaderGenerator(bizDConfs: bizDConfs, authSecret: 123,
flowServerHost: "http://127.0.0.1", flowCallbackUri: "/flow/trigger.json")

def setup() {
bizDConfs.getGenerateAuthHeaderBusinessIds() >> ["business1"]
}

def "test appendRequestHeader when execution id is null"() {
given:
HttpHeaders httpHeaders = new HttpHeaders()
when:
flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, null, null, Map.of())
then:
!httpHeaders.get("X-Callback-Url").get(0).contains("sign")
}

def "test appendRequestHeader when execution id not matches business ids"() {
given:
HttpHeaders httpHeaders = new HttpHeaders()
Map<String, Object> input = new HashMap<>()
when:
flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business2", null, input)
then:
!httpHeaders.get("X-Callback-Url").get(0).contains("sign")
}

def "test appendRequestHeader when execution id matches business ids"() {
given:
HttpHeaders httpHeaders = new HttpHeaders()
Map<String, Object> input = new HashMap<>()
when:
flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business1", null, input)
then:
httpHeaders.get("X-Callback-Url").get(0).contains("sign")
}

def "test appendRequestHeader when execution id not matches business ids but generate_auth is 1"() {
given:
HttpHeaders httpHeaders = new HttpHeaders()
Map<String, Object> input = new HashMap<>()
input.put("generate_auth", "1")
when:
flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business2", null, input)
then:
httpHeaders.get("X-Callback-Url").get(0).contains("sign")
}

def "test appendRequestHeader when execution id not matches business ids but generate_auth is true"() {
given:
HttpHeaders httpHeaders = new HttpHeaders()
Map<String, Object> input = new HashMap<>()
input.put("generate_auth", true)
when:
flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business2", new TaskInfo(name: "testTask"), input)
then:
httpHeaders.get("X-Callback-Url").get(0).contains("sign")
}
}
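Review bot: The specs only assert that the header value does or does not contain the substring `sign`, and none of them covers a falsy `generate_auth` or checks that the key is removed from `input` after signing. Asserting on the signature parameter itself (presumably `sign=`) and adding `!input.containsKey("generate_auth")` to the two `generate_auth` cases would pin the behaviour the production change introduces. The first case passes `Map.of()`, which is immutable, and succeeds only because the signing branch is not taken; a whitelist-matching case with an immutable map would show what callers can expect there.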
Expand Up @@ -61,4 +61,5 @@ public interface BizDConfs {

Map<String, Integer> getRedisBusinessIdToRuntimeSubmitContextMaxSize();
Map<String, Integer> getRedisBusinessIdToRuntimeCallbackContextMaxSize();
Set<String> getGenerateAuthHeaderBusinessIds();
}
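Review bot: `getGenerateAuthHeaderBusinessIds()` is added without documentation, although it decides which businesses get a signed callback URL. A Javadoc line such as `/** Business ids whose callback URL is signed; ids not listed are signed only when the task input sets generate_auth. */` would state that contract at the interface. The interface starts outside the hunk.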
