From 6005c38cc8981e4093d49072237422b7a036c49a Mon Sep 17 00:00:00 2001
From: techlog
Date: Wed, 29 May 2024 19:21:17 +0800
Subject: [PATCH] auth white list (#66)
* add dconfs to control whether generate auth
---------
Co-authored-by: zeyu10
---
 .../impl/auth/FlowAuthHeaderGenerator.java | 16 ++++-
 .../rill/flow/impl/dconfs/BizDConfsImpl.java | 3 +
 .../auth/FlowAuthHeaderGeneratorTest.groovy | 67 +++++++++++++++++++
 .../rill/flow/service/dconfs/BizDConfs.java | 1 +
 4 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100755 rill-flow-impl/src/test/groovy/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGeneratorTest.groovy
diff --git a/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGenerator.java b/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGenerator.java
index 687d92525..488981a49 100644
--- a/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGenerator.java
+++ b/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGenerator.java
@@ -19,11 +19,15 @@
 import com.weibo.rill.flow.common.util.AuthHttpUtil;
 import com.weibo.rill.flow.interfaces.model.task.TaskInfo;
 import com.weibo.rill.flow.service.auth.AuthHeaderGenerator;
+import com.weibo.rill.flow.service.dconfs.BizDConfs;
+import com.weibo.rill.flow.service.util.ExecutionIdUtil;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.stereotype.Service;
 import java.util.Map;
+import java.util.Set;
 import java.util.TreeMap;
 @Service("authHeaderGenerator")
@@ -37,6 +41,9 @@ public class FlowAuthHeaderGenerator implements AuthHeaderGenerator {
 @Value("${rill_flow_auth_secret_key}")
 private String authSecret;
+ @Autowired
+ private BizDConfs bizDConfs;
+
 @Override
 public void appendRequestHeader(HttpHeaders httpHeaders, String executionId, TaskInfo task, Map input) {
 Map paramMap = new TreeMap<>();
@@ -47,7 +54,14 @@ public void appendRequestHeader(HttpHeaders httpHeaders, String executionId, Tas
 paramMap.put("task_name", task.getName());
 }
 paramMap.put("ts", String.valueOf(System.currentTimeMillis()));
- AuthHttpUtil.addSignToParam(paramMap, authSecret);
+ Set authBusinessWhiteList = bizDConfs.getGenerateAuthHeaderBusinessIds();
+ String generateAuth = String.valueOf(input.get("generate_auth")).toLowerCase();
+ if (executionId != null && authBusinessWhiteList.contains(ExecutionIdUtil.getBusinessId(executionId))
+ || "1".equals(generateAuth) || "true".equals(generateAuth)
+ ) {
+ AuthHttpUtil.addSignToParam(paramMap, authSecret);
+ input.remove("generate_auth");
+ }
 httpHeaders.add("X-Callback-Url", flowServerHost + flowCallbackUri + "?" + AuthHttpUtil.paramToQueryString(paramMap, "utf-8"));
 }
 }
diff --git a/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/dconfs/BizDConfsImpl.java b/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/dconfs/BizDConfsImpl.java
index 719fb3776..4006acb73 100644
--- a/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/dconfs/BizDConfsImpl.java
+++ b/rill-flow-impl/src/main/java/com/weibo/rill/flow/impl/dconfs/BizDConfsImpl.java
@@ -118,6 +118,9 @@ public class BizDConfsImpl implements BizDConfs {
 @Value("#{'${weibo.flow.sys.exp.filter.ignore.logs:}'.split(',')}")
 private Set sysExpFilterIgnoreLogs;
+ @Value("#{'${weibo.flow.generate.auth.header.business.ids:}'.split(',')}")
+ private Set generateAuthHeaderBusinessIds;
+
 @Value("#{${weibo.flow.tenant.defined.task.invoke.profile.log:{:}}}")
 private Map> tenantDefinedTaskInvokeProfileLog;
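Review bot: The rewritten condition in `appendRequestHeader` makes signing opt-in: the callback URL now carries no `sign` unless the execution's business id is in the dconfs set or the task input sets `generate_auth`, whereas the removed line signed every URL. The property behind the set defaults to empty, so a deployment that does not configure it stops signing after this change; if the callback endpoint relies on the signature to authenticate callers, confirm that it rejects unsigned requests, and state the intended default in a comment above the `if`. `input` is dereferenced without a null check, and `input.remove("generate_auth")` runs only in the signing branch, so a value such as `false` stays in the map and an unmodifiable map that carries the flag would throw. Wrapping the `&&` term in parentheses and calling `toLowerCase(Locale.ROOT)` would make the condition easier to audit. The method starts above this hunk.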
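Review bot: The default for `weibo.flow.generate.auth.header.business.ids` is the empty string, and in Java `"".split(",")` returns one empty element, so the injected set presumably holds `""` rather than being empty. Whether that matters depends on `ExecutionIdUtil.getBusinessId`, which is not shown: if it can return an empty string, such executions would match the allow list. Entries are not trimmed either, so a value written as `a, b` would store ` b` and not match `b`. Since this set now decides which callback URLs are signed, a field comment such as `// business ids whose callback URLs are always signed; blank entries are ignored`, together with a blank filter where the set is read, would make that explicit.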
diff --git a/rill-flow-impl/src/test/groovy/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGeneratorTest.groovy b/rill-flow-impl/src/test/groovy/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGeneratorTest.groovy
new file mode 100755
index 000000000..f6a5815ca
--- /dev/null
+++ b/rill-flow-impl/src/test/groovy/com/weibo/rill/flow/impl/auth/FlowAuthHeaderGeneratorTest.groovy
@@ -0,0 +1,67 @@
+package com.weibo.rill.flow.impl.auth
+
+import com.weibo.rill.flow.interfaces.model.task.TaskInfo
+import com.weibo.rill.flow.service.dconfs.BizDConfs
+import org.springframework.http.HttpHeaders
+import spock.lang.Specification
+
+class FlowAuthHeaderGeneratorTest extends Specification {
+ BizDConfs bizDConfs = Mock(BizDConfs)
+ FlowAuthHeaderGenerator flowAuthHeaderGenerator = new FlowAuthHeaderGenerator(bizDConfs: bizDConfs, authSecret: 123,
+ flowServerHost: "http://127.0.0.1", flowCallbackUri: "/flow/trigger.json")
+
+ def setup() {
+ bizDConfs.getGenerateAuthHeaderBusinessIds() >> ["business1"]
+ }
+
+ def "test appendRequestHeader when execution id is null"() {
+ given:
+ HttpHeaders httpHeaders = new HttpHeaders()
+ when:
+ flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, null, null, Map.of())
+ then:
+ !httpHeaders.get("X-Callback-Url").get(0).contains("sign")
+ }
+
+ def "test appendRequestHeader when execution id not matches business ids"() {
+ given:
+ HttpHeaders httpHeaders = new HttpHeaders()
+ Map input = new HashMap<>()
+ when:
+ flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business2", null, input)
+ then:
+ !httpHeaders.get("X-Callback-Url").get(0).contains("sign")
+ }
+
+ def "test appendRequestHeader when execution id matches business ids"() {
+ given:
+ HttpHeaders httpHeaders = new HttpHeaders()
+ Map input = new HashMap<>()
+ when:
+ flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business1", null, input)
+ then:
+ httpHeaders.get("X-Callback-Url").get(0).contains("sign")
+ }
+
+ def "test appendRequestHeader when execution id not matches business ids but generate_auth is 1"() {
+ given:
+ HttpHeaders httpHeaders = new HttpHeaders()
+ Map input = new HashMap<>()
+ input.put("generate_auth", "1")
+ when:
+ flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business2", null, input)
+ then:
+ httpHeaders.get("X-Callback-Url").get(0).contains("sign")
+ }
+
+ def "test appendRequestHeader when execution id not matches business ids but generate_auth is true"() {
+ given:
+ HttpHeaders httpHeaders = new HttpHeaders()
+ Map input = new HashMap<>()
+ input.put("generate_auth", true)
+ when:
+ flowAuthHeaderGenerator.appendRequestHeader(httpHeaders, "business2", new TaskInfo(name: "testTask"), input)
+ then:
+ httpHeaders.get("X-Callback-Url").get(0).contains("sign")
+ }
+}
diff --git a/rill-flow-service/src/main/java/com/weibo/rill/flow/service/dconfs/BizDConfs.java b/rill-flow-service/src/main/java/com/weibo/rill/flow/service/dconfs/BizDConfs.java
index 4fc317c66..7499ffb82 100644
--- a/rill-flow-service/src/main/java/com/weibo/rill/flow/service/dconfs/BizDConfs.java
+++ b/rill-flow-service/src/main/java/com/weibo/rill/flow/service/dconfs/BizDConfs.java
@@ -61,4 +61,5 @@ public interface BizDConfs {
 Map getRedisBusinessIdToRuntimeSubmitContextMaxSize();
 Map getRedisBusinessIdToRuntimeCallbackContextMaxSize();
+ Set getGenerateAuthHeaderBusinessIds();
 }
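Review bot: The spec checks only whether the header contains the substring `sign`; no case covers `generate_auth` set to `false` or `0`, and none asserts that the key is removed from `input` after signing. The first case passes `Map.of()`, which is unmodifiable but carries no flag, so the `input.remove` path on an unmodifiable map is never exercised; a case using `Map.of("generate_auth", "1")` would pin that behaviour. `authSecret: 123` hands an integer to a `String` field and reads more clearly as `authSecret: "123"`. The values `business1` and `business2` are passed as whole execution ids, so these cases also depend on how `ExecutionIdUtil.getBusinessId` parses such a value, which is not visible here.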
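Review bot: `getGenerateAuthHeaderBusinessIds()` is added to `BizDConfs` without Javadoc, although its result decides whether a callback URL is signed. A short comment such as `/** Business ids whose callback URLs are always signed; other executions are signed only when the task input sets generate_auth. */` would tell implementers and operators what the set controls. The interface body starts above this hunk.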