[ISSUE #11957] AuthModule add admin exist #12066

Merged
merged 9 commits into from
May 24, 2024
Expand Up @@ -78,7 +78,7 @@ public class AuthConfigs extends Subscriber<ServerConfigChangeEvent> {
@Value("${" + Constants.Auth.NACOS_CORE_AUTH_ENABLE_USER_AGENT_AUTH_WHITE + ":false}")
private boolean enableUserAgentAuthWhite;

private boolean hasGlobalAdminRole;
private boolean hasGlobalAdminRole = false;

private Map<String, Properties> authPluginProperties = new HashMap<>();

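Review bot: `hasGlobalAdminRole` remains a plain non-volatile field even though this PR now writes it from the request path (`authConfigs.setHasGlobalAdminRole(true)` in `NacosRoleServiceImpl.addAdminRole`) and reads it from `AuthModuleStateBuilder.build()` on whatever thread serves the state request, so a reader on another thread may keep observing a stale `false` after the admin has been created; `private volatile boolean hasGlobalAdminRole;` would make that publication visible. The `= false` initializer is redundant for a Java boolean field, and if it was meant to document the startup assumption a comment carries that better, e.g. `// false until NacosRoleServiceImpl confirms a GLOBAL_ADMIN_ROLE holder exists`. The getter and setter for this field are outside the hunk.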
Expand Up @@ -39,13 +39,16 @@ public class AuthModuleStateBuilder implements ModuleStateBuilder {

public static final String AUTH_SYSTEM_TYPE = "auth_system_type";

public static final String AUTH_ADMIN_EXIST = "auth_admin_exist";

@Override
public ModuleState build() {
ModuleState result = new ModuleState(AUTH_MODULE);
AuthConfigs authConfigs = ApplicationUtils.getBean(AuthConfigs.class);
result.newState(AUTH_ENABLED, authConfigs.isAuthEnabled());
result.newState(LOGIN_PAGE_ENABLED, isLoginPageEnabled(authConfigs));
result.newState(AUTH_SYSTEM_TYPE, authConfigs.getNacosAuthSystemType());
result.newState(AUTH_ADMIN_EXIST, authConfigs.isHasGlobalAdminRole());
return result;
}

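Review bot: `AUTH_ADMIN_EXIST` publishes whether a global admin exists through the module state, which (like `login_page_enabled` beside it) is presumably readable before login, so a `false` here tells any unauthenticated client that the `/admin` endpoint in `UserController` is currently open to whoever calls it first. That is inherent to the first-run flow, but the constant should say so, e.g. `// Exposed pre-auth so the console can show the init-admin page; while false, the admin-creation endpoint is unprotected, so keep that window short.` The value is taken from the cached `AuthConfigs` flag rather than queried, so it is only as fresh as the last `setHasGlobalAdminRole` call on this node; if state is served per node in a cluster, that caveat belongs in the same comment.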
Expand Up @@ -57,5 +57,6 @@ public void testBuild() {
assertFalse((Boolean) actual.getStates().get(AUTH_ENABLED));
assertFalse((Boolean) actual.getStates().get("login_page_enabled"));
assertEquals("nacos", actual.getStates().get("auth_system_type"));
assertFalse((Boolean) actual.getStates().get("auth_admin_exist"));
}
}
Expand Up @@ -115,18 +115,16 @@ public Object createUser(@RequestParam String username, @RequestParam String pas
* Create a admin user only not exist admin user can use.
*/
@PostMapping("/admin")
public Object createAdminUser(@RequestParam(required = false) String username,
@RequestParam(required = false) String password) {
public Object createAdminUser(@RequestParam(required = false) String password) {
if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
if (roleService.hasGlobalAdminRole()) {
if (iAuthenticationManager.hasGlobalAdminRole()) {
return RestResultUtils.failed("have admin user cannot use it");
}
if (StringUtils.isBlank(password)) {
password = PasswordGeneratorUtil.generateRandomPassword();
}
if (StringUtils.isBlank(username)) {
username = AuthConstants.DEFAULT_USER;
}

String username = AuthConstants.DEFAULT_USER;
userDetailsService.createUser(username, PasswordEncoderUtil.encode(password));
roleService.addAdminRole(username);
ObjectNode result = JacksonUtils.createEmptyJsonNode();
Expand Down Expand Up @@ -266,10 +264,7 @@ public Object login(@RequestParam String username, @RequestParam String password

if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())
|| AuthSystemTypes.LDAP.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
if (!iAuthenticationManager.hasGlobalAdminRole()) {
response.sendError(HttpServletResponse.SC_PRECONDITION_FAILED, "admin role user not exist");
return null;
}

NacosUser user = iAuthenticationManager.authenticate(request);

response.addHeader(AuthConstants.AUTHORIZATION_HEADER, AuthConstants.TOKEN_PREFIX + user.getToken());
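Review bot: In `createAdminUser` the `iAuthenticationManager.hasGlobalAdminRole()` check and the `createUser`/`addAdminRole` calls are not atomic, and the endpoint is necessarily reachable without credentials while no admin exists, so two concurrent callers can both pass the check; whether the second `createUser` fails or silently overwrites the first caller's password depends on `userDetailsService`, which is outside this hunk. Serialize the create path, e.g. make the method `synchronized` (or guard it with a dedicated lock) and re-check `hasGlobalAdminRole()` inside the lock before creating. Since the username is now fixed to `AuthConstants.DEFAULT_USER`, the Javadoc above should state that, and that a blank password is replaced by a generated one which is presumably returned in the `result` node built at the end. The method body continues past the hunk; the second hunk's removal of the 412 precondition in `login` also means an LDAP user can now authenticate before any admin exists, which looks intended but is worth confirming.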
Expand Up @@ -17,6 +17,7 @@
package com.alibaba.nacos.plugin.auth.impl.roles;

import com.alibaba.nacos.auth.config.AuthConfigs;
import com.alibaba.nacos.auth.config.AuthModuleStateBuilder;
import com.alibaba.nacos.common.utils.CollectionUtils;
import com.alibaba.nacos.common.utils.ConcurrentHashSet;
import com.alibaba.nacos.common.utils.StringUtils;
Expand All @@ -33,10 +34,13 @@
import com.alibaba.nacos.plugin.auth.impl.persistence.RolePersistService;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUserDetailsServiceImpl;
import com.alibaba.nacos.sys.module.ModuleState;
import com.alibaba.nacos.sys.module.ModuleStateHolder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Service;

import javax.annotation.PostConstruct;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
Expand Down Expand Up @@ -76,6 +80,11 @@ public class NacosRoleServiceImpl {

private volatile Map<String, List<PermissionInfo>> permissionInfoMap = new ConcurrentHashMap<>();

@PostConstruct
private void init() {
hasGlobalAdminRole();
}

@Scheduled(initialDelay = 5000, fixedDelay = 15000)
private void reload() {
try {
Expand Down Expand Up @@ -247,6 +256,12 @@ public void addAdminRole(String username) {
rolePersistService.addRole(AuthConstants.GLOBAL_ADMIN_ROLE, username);
roleSet.add(AuthConstants.GLOBAL_ADMIN_ROLE);
authConfigs.setHasGlobalAdminRole(true);
//change state
ModuleStateHolder.getInstance().getModuleState(AuthModuleStateBuilder.AUTH_MODULE)
.ifPresent(moduleState -> {
ModuleState temp = new AuthModuleStateBuilder().build();
moduleState.getStates().putAll(temp.getStates());
});
}

/**
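Review bot: The state refresh added to `addAdminRole` only ever moves the flag to `true`; nothing in this hunk re-derives it, so if the GLOBAL_ADMIN_ROLE binding is later removed (by a delete-role path, if one exists, or by the periodic `reload()` if it re-reads roles) `auth_admin_exist` and `AuthConfigs.hasGlobalAdminRole` would keep reporting an admin on this node. Consider extracting the refresh into a private `refreshAuthModuleState()` helper that recomputes the flag via `hasGlobalAdminRole()` and is called from both the add path and any remove path. `putAll` on the live `moduleState.getStates()` map also mutates a map the state endpoint may be reading concurrently; whether that is safe depends on the map type `ModuleState` uses, which is not visible here. The `//change state` comment should say why rather than what, e.g. `// Push the new admin flag into the cached auth module state so clients see it without a restart`. `addAdminRole`'s signature is outside the hunk.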
Expand Up @@ -90,7 +90,6 @@ public void setUp() throws Exception {
public void testLoginWithAuthedUser() throws AccessException, IOException {
when(authenticationManager.authenticate(request)).thenReturn(user);
when(authenticationManager.hasGlobalAdminRole(user)).thenReturn(true);
when(authenticationManager.hasGlobalAdminRole()).thenReturn(true);
when(authConfigs.getNacosAuthSystemType()).thenReturn(AuthSystemTypes.NACOS.name());
when(tokenManagerDelegate.getTokenTtlInSeconds(anyString())).thenReturn(18000L);
Object actual = userController.login("nacos", "nacos", response, request);
Expand Down