From d1d454451fd4cc24ba4701f56617a233ea04dabb Mon Sep 17 00:00:00 2001
From: nisiyong
Date: Fri, 20 Aug 2021 17:19:41 +0800
Subject: [PATCH 1/3] feat: make client auth time difference configurable
---
 .../apollo/biz/config/BizConfig.java | 22 ++++++++++++++-----
 .../ConfigServiceAutoConfiguration.java | 2 +-
 .../filter/ClientAuthenticationFilter.java | 12 +++++-----
 .../ClientAuthenticationFilterTest.java | 7 ++++--
 .../configservice/util/AccessKeyUtilTest.java | 2 +-
 5 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/config/BizConfig.java b/apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/config/BizConfig.java
index 06c17e07ce2..f2b43135e75 100644
--- a/apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/config/BizConfig.java
+++ b/apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/config/BizConfig.java
@@ -38,8 +38,9 @@ public class BizConfig extends RefreshableConfig {
 private static final int DEFAULT_APPNAMESPACE_CACHE_REBUILD_INTERVAL = 60; //60s
 private static final int DEFAULT_GRAY_RELEASE_RULE_SCAN_INTERVAL = 60; //60s
 private static final int DEFAULT_APPNAMESPACE_CACHE_SCAN_INTERVAL = 1; //1s
- private static final int DEFAULT_ACCESSKEY_CACHE_SCAN_INTERVAL = 1; //1s
- private static final int DEFAULT_ACCESSKEY_CACHE_REBUILD_INTERVAL = 60; //60s
+ private static final int DEFAULT_ACCESS_KEY_CACHE_SCAN_INTERVAL = 1; //1s
+ private static final int DEFAULT_ACCESS_KEY_CACHE_REBUILD_INTERVAL = 60; //60s
+ private static final int DEFAULT_ACCESS_KEY_AUTH_TIME_DIFF_TOLERANCE = 60; //60s
 private static final int DEFAULT_RELEASE_MESSAGE_CACHE_SCAN_INTERVAL = 1; //1s
 private static final int DEFAULT_RELEASE_MESSAGE_SCAN_INTERVAL_IN_MS = 1000; //1000ms
 private static final int DEFAULT_RELEASE_MESSAGE_NOTIFICATION_BATCH = 100;
@@ -138,8 +139,9 @@ public TimeUnit appNamespaceCacheRebuildIntervalTimeUnit() {
 }
 public int accessKeyCacheScanInterval() {
- int interval = getIntProperty("apollo.access-key-cache-scan.interval", DEFAULT_ACCESSKEY_CACHE_SCAN_INTERVAL);
- return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESSKEY_CACHE_SCAN_INTERVAL);
+ int interval = getIntProperty("apollo.access-key-cache-scan.interval",
+ DEFAULT_ACCESS_KEY_CACHE_SCAN_INTERVAL);
+ return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESS_KEY_CACHE_SCAN_INTERVAL);
 }
 public TimeUnit accessKeyCacheScanIntervalTimeUnit() {
@@ -147,14 +149,22 @@ public TimeUnit accessKeyCacheScanIntervalTimeUnit() {
 }
 public int accessKeyCacheRebuildInterval() {
- int interval = getIntProperty("apollo.access-key-cache-rebuild.interval", DEFAULT_ACCESSKEY_CACHE_REBUILD_INTERVAL);
- return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESSKEY_CACHE_REBUILD_INTERVAL);
+ int interval = getIntProperty("apollo.access-key-cache-rebuild.interval",
+ DEFAULT_ACCESS_KEY_CACHE_REBUILD_INTERVAL);
+ return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESS_KEY_CACHE_REBUILD_INTERVAL);
 }
 public TimeUnit accessKeyCacheRebuildIntervalTimeUnit() {
 return TimeUnit.SECONDS;
 }
+ public int accessKeyAuthTimeDiffTolerance() {
+ int authTimeDiffTolerance = getIntProperty("apollo.access-key.auth-time-diff-tolerance",
+ DEFAULT_ACCESS_KEY_AUTH_TIME_DIFF_TOLERANCE);
+ return checkInt(authTimeDiffTolerance, 1, Integer.MAX_VALUE,
+ DEFAULT_ACCESS_KEY_AUTH_TIME_DIFF_TOLERANCE);
+ }
+
 public int releaseMessageCacheScanInterval() {
 int interval = getIntProperty("apollo.release-message-cache-scan.interval", DEFAULT_RELEASE_MESSAGE_CACHE_SCAN_INTERVAL);
 return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_RELEASE_MESSAGE_CACHE_SCAN_INTERVAL);
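Review bot: `accessKeyAuthTimeDiffTolerance()` accepts any value up to `Integer.MAX_VALUE` seconds, so a mistyped or very large `apollo.access-key.auth-time-diff-tolerance` silently widens the window in which a signed request's timestamp is accepted, which amounts to switching the timestamp check off. The neighbouring `checkInt` callers in this hunk are cache scan/rebuild intervals, where an open-ended upper bound is harmless; for an authentication tolerance a ceiling, or at least a warning log when the configured value is far above the default, is worth considering. The getter also has no Javadoc, and the unit (seconds) plus the fact that the filter multiplies it into milliseconds are only discoverable from `ClientAuthenticationFilter`, so I'd add `/** Tolerated clock skew between client and server for access-key authentication, in seconds. */` above the method.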
diff --git a/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/ConfigServiceAutoConfiguration.java b/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/ConfigServiceAutoConfiguration.java
index afffb5f62e3..aa9cc19fbc9 100644
--- a/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/ConfigServiceAutoConfiguration.java
+++ b/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/ConfigServiceAutoConfiguration.java
@@ -67,7 +67,7 @@ public static NoOpPasswordEncoder passwordEncoder() {
 public FilterRegistrationBean clientAuthenticationFilter(AccessKeyUtil accessKeyUtil) {
 FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
- filterRegistrationBean.setFilter(new ClientAuthenticationFilter(accessKeyUtil));
+ filterRegistrationBean.setFilter(new ClientAuthenticationFilter(bizConfig, accessKeyUtil));
 filterRegistrationBean.addUrlPatterns("/configs/*");
 filterRegistrationBean.addUrlPatterns("/configfiles/*");
 filterRegistrationBean.addUrlPatterns("/notifications/v2/*");
diff --git a/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java b/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java
index bf8bb6ac616..a3072b85975 100644
--- a/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java
+++ b/apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java
@@ -16,6 +16,7 @@
 */
 package com.ctrip.framework.apollo.configservice.filter;
+import com.ctrip.framework.apollo.biz.config.BizConfig;
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
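Review bot: The new constructor call reads `bizConfig` as a field while its sibling dependency `accessKeyUtil` arrives as a method parameter, which is inconsistent for a `@Bean` factory method; the field is declared outside this hunk, so I assume it is an injected member of the configuration class. Taking it the same way as the other argument, `public FilterRegistrationBean clientAuthenticationFilter(BizConfig bizConfig, AccessKeyUtil accessKeyUtil) {`, keeps the method's dependencies visible in its signature and makes it testable without the surrounding class state. The method's closing lines are outside the hunk.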
@@ -42,16 +43,16 @@ public class ClientAuthenticationFilter implements Filter {
 private static final Logger logger = LoggerFactory.getLogger(ClientAuthenticationFilter.class);
- private static final Long TIMESTAMP_INTERVAL = 60 * 1000L;
-
+ private final BizConfig bizConfig;
 private final AccessKeyUtil accessKeyUtil;
- public ClientAuthenticationFilter(AccessKeyUtil accessKeyUtil) {
+ public ClientAuthenticationFilter(BizConfig bizConfig, AccessKeyUtil accessKeyUtil) {
+ this.bizConfig = bizConfig;
 this.accessKeyUtil = accessKeyUtil;
 }
 @Override
- public void init(FilterConfig filterConfig) throws ServletException {
+ public void init(FilterConfig filterConfig) {
 //nothing
 }
@@ -106,7 +107,8 @@ private boolean checkTimestamp(String timestamp) {
 }
 long x = System.currentTimeMillis() - requestTimeMillis;
- return x >= -TIMESTAMP_INTERVAL && x <= TIMESTAMP_INTERVAL;
+ long authTimeDiffToleranceInMillis = bizConfig.accessKeyAuthTimeDiffTolerance() * 1000L;
+ return Math.abs(x) < authTimeDiffToleranceInMillis;
 }
 private boolean checkAuthorization(String authorization, List availableSecrets,
diff --git a/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java b/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java
index 65793d90c92..63f66906ea9 100644
--- a/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java
+++ b/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java
@@ -22,6 +22,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when;
+import com.ctrip.framework.apollo.biz.config.BizConfig;
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.google.common.collect.Lists;
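Review bot: `return Math.abs(x) < authTimeDiffToleranceInMillis;` in `checkTimestamp` has one input on which `Math.abs` is not non-negative: for `x == Long.MIN_VALUE` it returns `Long.MIN_VALUE`, which is below any positive tolerance, so that single value passes the check instead of failing it. Whether a client-supplied header can drive `x` there depends on how `requestTimeMillis` is parsed, which is above the hunk (the start of `checkTimestamp` is outside it), so rather than reason about it I'd keep the two-sided form the commit removed: `return x > -authTimeDiffToleranceInMillis && x < authTimeDiffToleranceInMillis;`. Note also that the replaced line was inclusive (`>=`/`<=`) while the new one is strict, so a timestamp exactly the tolerance away now fails; if that is intended it deserves a one-line comment, and the constructor in the first hunk could document the unit with `// tolerance is configured in seconds; converted to millis in checkTimestamp`.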
@@ -44,6 +45,8 @@ public class ClientAuthenticationFilterTest {
 private ClientAuthenticationFilter clientAuthenticationFilter;
+ @Mock
+ private BizConfig bizConfig;
 @Mock
 private AccessKeyUtil accessKeyUtil;
 @Mock
@@ -55,7 +58,7 @@ public class ClientAuthenticationFilterTest {
 @Before
 public void setUp() {
- clientAuthenticationFilter = new ClientAuthenticationFilter(accessKeyUtil);
+ clientAuthenticationFilter = new ClientAuthenticationFilter(bizConfig, accessKeyUtil);
 }
 @Test
@@ -141,4 +144,4 @@ public void testAuthorizedSuccessfully() throws Exception {
 verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
 verify(filterChain, times(1)).doFilter(request, response);
 }
-}
\ No newline at end of file
+}
diff --git a/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtilTest.java b/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtilTest.java
index b4ddac43445..62cac625405 100644
--- a/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtilTest.java
+++ b/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtilTest.java
@@ -110,4 +110,4 @@ public void buildSignature() {
 String expectedSignature = "WYjjyJFei6DYiaMlwZjew2O/Yqk=";
 assertThat(actualSignature).isEqualTo(expectedSignature);
 }
-}
\ No newline at end of file
+}
From 9e11f26f01c2311e69bb64b5acd431baf03ef2f4 Mon Sep 17 00:00:00 2001
From: nisiyong
Date: Fri, 20 Aug 2021 23:08:52 +0800
Subject: [PATCH 2/3] test: fix unit test
---
 .../configservice/filter/ClientAuthenticationFilterTest.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java b/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java
index 63f66906ea9..7807845b336 100644
--- a/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java
+++ b/apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java
@@ -116,6 +116,7 @@ public void testUnauthorized() throws Exception {
 when(accessKeyUtil.buildSignature(any(), any(), any(), any())).thenReturn(availableSignature);
 when(request.getHeader(Signature.HTTP_HEADER_TIMESTAMP)).thenReturn(oneMinAgoTimestamp);
 when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn(errorAuthorization);
+ when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);
 clientAuthenticationFilter.doFilter(request, response, filterChain);
@@ -136,6 +137,7 @@ public void testAuthorizedSuccessfully() throws Exception {
 when(accessKeyUtil.buildSignature(any(), any(), any(), any())).thenReturn(availableSignature);
 when(request.getHeader(Signature.HTTP_HEADER_TIMESTAMP)).thenReturn(oneMinAgoTimestamp);
 when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn(correctAuthorization);
+ when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);
 clientAuthenticationFilter.doFilter(request, response, filterChain);
From 3f9112032bd0543892ac861f7aacbf091d4ac76b Mon Sep 17 00:00:00 2001
From: nisiyong
Date: Fri, 27 Aug 2021 13:54:14 +0800
Subject: [PATCH 3/3] docs: update CHANGES.md and docs
---
 CHANGES.md | 1 +
 docs/zh/deployment/distributed-deployment-guide.md | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/CHANGES.md b/CHANGES.md
index 3ccfd78d7ef..a574083e73f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
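Review bot: Both hunks stub `accessKeyAuthTimeDiffTolerance()` with the default 60, so nothing in the suite shows that the tolerance is actually configurable or pins the behaviour at its edge; a test that stubs a small value (say 1) with `oneMinAgoTimestamp` should end in `SC_UNAUTHORIZED`, and one with a value comfortably above the skew should pass. The identical `when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);` appears in `testUnauthorized` and `testAuthorizedSuccessfully`; moving it into `setUp()` and overriding it only in the edge-case test keeps each method about one thing. `oneMinAgoTimestamp` is defined outside the hunk, but if it is literally 60 s in the past, the filter's strict `<` comparison against a 60 s tolerance would make `testAuthorizedSuccessfully` depend on elapsed wall-clock time, which is worth checking. Both test methods start outside the hunk.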
@@ -9,6 +9,7 @@ Apollo 1.10.0
 * [Fix issue that the $ symbol is not used when reading shell variables](https://github.com/ctripcorp/apollo/pull/3890)
 * [Bump xstream from 1.4.17 to 1.4.18](https://github.com/apolloconfig/apollo/pull/3916)
 * [switch apollo.config-service log from warning to info level](https://github.com/ctripcorp/apollo/pull/3884)
+* [Make Access Key Timestamp check configurable](https://github.com/ctripcorp/apollo/pull/3908)
 ------------------
 All issues and pull requests are [here](https://github.com/ctripcorp/apollo/milestone/8?closed=1)
diff --git a/docs/zh/deployment/distributed-deployment-guide.md b/docs/zh/deployment/distributed-deployment-guide.md
index 71d978f31d2..e228b7b53f3 100644
--- a/docs/zh/deployment/distributed-deployment-guide.md
+++ b/docs/zh/deployment/distributed-deployment-guide.md
@@ -1251,3 +1251,9 @@ namespace.value.length.limit.override = {1:200,3:20}
 admin-service.access.tokens=098f6bcd4621d373cade4e832627b4f6
 admin-service.access.tokens=098f6bcd4621d373cade4e832627b4f6,ad0234829205b9033196ba818f7a872b
 ```
+
+ ### 3.2.8 apollo.access-key.auth-time-diff-tolerance - 配置服务端AccessKey校验容忍的时间偏差
+
+ > 适用于1.10.0及以上版本
+
+ 默认值为60,单位为秒。由于密钥认证时需要校验时间,客户端与服务端的时间可能存在时间偏差,如果偏差太大会导致认证失败,此配置可以配置容忍的时间偏差大小,默认为60秒。