JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1071 Commits
3 Branches
118 MB
1278 Download
Tree: 97979df7a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '97979df7a4'
${ noResults }
JCS-pub/common/pkgs/rpc/auth.go

auth.go 6.3 kB
Raw Normal View History

增加服务鉴权机制
11 months ago
coor的types移动到common
9 months ago
增加服务鉴权机制
11 months ago
coor的types移动到common
9 months ago
增加服务鉴权机制
11 months ago
增加UserSpace相关CRUD接口
11 months ago
增加服务鉴权机制
11 months ago
coor的types移动到common
9 months ago
增加服务鉴权机制
11 months ago
coor的types移动到common
9 months ago
增加服务鉴权机制
11 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232 
  1. package rpc

  2. 

  3. import (

  4. 	"crypto/tls"

  5. 	"fmt"

  6. 	"strconv"

  7. 

  8. 	jcstypes "gitlink.org.cn/cloudream/jcs-pub/common/types"

  9. 	"golang.org/x/net/context"

  10. 	"google.golang.org/grpc"

  11. 	"google.golang.org/grpc/codes"

  12. 	"google.golang.org/grpc/credentials"

  13. 	"google.golang.org/grpc/metadata"

  14. 	"google.golang.org/grpc/peer"

  15. 	"google.golang.org/grpc/status"

  16. )

  17. 

  18. const (

  19. 	ClientAPISNIV1   = "rpc.client.jcs-pub.v1"

  20. 	InternalAPISNIV1 = "rpc.internal.jcs-pub.v1"

  21. 

  22. 	MetaUserID        = "x-jcs-user-id"

  23. 	MetaAccessTokenID = "x-jcs-access-token-id"

  24. 	MetaNonce         = "x-jcs-nonce"

  25. 	MetaSignature     = "x-jcs-signature"

  26. 	MetaTokenAuthInfo = "x-jcs-token-auth-info"

  27. )

  28. 

  29. type AccessTokenAuthInfo struct {

  30. 	UserID        jcstypes.UserID

  31. 	AccessTokenID jcstypes.AccessTokenID

  32. 	Nonce         string

  33. 	Signature     string

  34. }

  35. 

  36. type AccessTokenVerifier interface {

  37. 	Verify(authInfo AccessTokenAuthInfo) bool

  38. }

  39. 

  40. type AccessTokenProvider interface {

  41. 	MakeAuthInfo() (AccessTokenAuthInfo, error)

  42. }

  43. 

  44. func (s *ServerBase) tlsConfigSelector(hello *tls.ClientHelloInfo) (*tls.Config, error) {

  45. 	switch hello.ServerName {

  46. 	case ClientAPISNIV1:

  47. 		return &tls.Config{

  48. 			Certificates: []tls.Certificate{s.serverCert},

  49. 			ClientAuth:   tls.NoClientCert,

  50. 			NextProtos:   []string{"h2"},

  51. 		}, nil

  52. 	case InternalAPISNIV1:

  53. 		return &tls.Config{

  54. 			Certificates: []tls.Certificate{s.serverCert},

  55. 			ClientAuth:   tls.RequireAndVerifyClientCert,

  56. 			ClientCAs:    s.rootCA,

  57. 			NextProtos:   []string{"h2"},

  58. 		}, nil

  59. 

  60. 	default:

  61. 		return nil, fmt.Errorf("unknown server name: %s", hello.ServerName)

  62. 	}

  63. }

  64. 

  65. func (s *ServerBase) authUnary(

  66. 	ctx context.Context,

  67. 	req interface{},

  68. 	info *grpc.UnaryServerInfo,

  69. 	handler grpc.UnaryHandler,

  70. 

  71. ) (resp any, err error) {

  72. 	pr, ok := peer.FromContext(ctx)

  73. 	if !ok {

  74. 		return nil, status.Error(codes.Unauthenticated, "no peer found in context")

  75. 	}

  76. 

  77. 	tlsInfo, ok := pr.AuthInfo.(credentials.TLSInfo)

  78. 	if !ok {

  79. 		return nil, status.Error(codes.Unauthenticated, "no tls info found in peer")

  80. 	}

  81. 

  82. 	// 如果是使用interanl ServerName通过的TLS认证,则直接放行

  83. 	if tlsInfo.State.ServerName == InternalAPISNIV1 {

  84. 		return handler(ctx, req)

  85. 	}

  86. 

  87. 	// 如果是无需认证的API,则直接放行

  88. 	if s.noAuthAPIs[info.FullMethod] {

  89. 		return handler(ctx, req)

  90. 	}

  91. 

  92. 	// 否则要进行额外的Token认证

  93. 

  94. 	if !s.accessTokenAuthAPIs[info.FullMethod] {

  95. 		return nil, status.Error(codes.Unauthenticated, "unauthorized access")

  96. 	}

  97. 

  98. 	meta, ok := metadata.FromIncomingContext(ctx)

  99. 	if !ok {

  100. 		return nil, status.Error(codes.Unauthenticated, "no metadata found in context")

  101. 	}

  102. 

  103. 	userIDs := meta.Get(MetaUserID)

  104. 	if len(userIDs) != 1 {

  105. 		return nil, status.Error(codes.Unauthenticated, "missing or multiple user ids in metadata")

  106. 	}

  107. 	userID, err := strconv.ParseInt(userIDs[0], 10, 64)

  108. 	if err != nil {

  109. 		return nil, status.Error(codes.Unauthenticated, "invalid user id in metadata")

  110. 	}

  111. 

  112. 	accessTokenIDs := meta.Get(MetaAccessTokenID)

  113. 	if len(accessTokenIDs) != 1 {

  114. 		return nil, status.Error(codes.Unauthenticated, "missing or multiple access token ids in metadata")

  115. 	}

  116. 

  117. 	nonce := meta.Get(MetaNonce)

  118. 	if len(nonce) != 1 {

  119. 		return nil, status.Error(codes.Unauthenticated, "missing or multiple nonces in metadata")

  120. 	}

  121. 

  122. 	signature := meta.Get(MetaSignature)

  123. 	if len(signature) != 1 {

  124. 		return nil, status.Error(codes.Unauthenticated, "missing or multiple signatures in metadata")

  125. 	}

  126. 

  127. 	authInfo := AccessTokenAuthInfo{

  128. 		UserID:        jcstypes.UserID(userID),

  129. 		AccessTokenID: jcstypes.AccessTokenID(accessTokenIDs[0]),

  130. 		Nonce:         nonce[0],

  131. 		Signature:     signature[0],

  132. 	}

  133. 	if !s.tokenVerifier.Verify(authInfo) {

  134. 		return nil, status.Error(codes.Unauthenticated, "invalid access token")

  135. 	}

  136. 

  137. 	ctx = context.WithValue(ctx, MetaTokenAuthInfo, authInfo)

  138. 	return handler(ctx, req)

  139. }

  140. 

  141. func (s *ServerBase) authStream(

  142. 	srv any,

  143. 	stream grpc.ServerStream,

  144. 	info *grpc.StreamServerInfo,

  145. 	handler grpc.StreamHandler,

  146. ) error {

  147. 	pr, ok := peer.FromContext(stream.Context())

  148. 	if !ok {

  149. 		return status.Error(codes.Unauthenticated, "no peer found in context")

  150. 	}

  151. 

  152. 	tlsInfo, ok := pr.AuthInfo.(credentials.TLSInfo)

  153. 	if !ok {

  154. 		return status.Error(codes.Unauthenticated, "no tls info found in peer")

  155. 	}

  156. 

  157. 	// 如果是使用interanl ServerName通过的TLS认证,则直接放行

  158. 	if tlsInfo.State.ServerName == InternalAPISNIV1 {

  159. 		return handler(srv, stream)

  160. 	}

  161. 

  162. 	// 如果是无需认证的API,则直接放行

  163. 	if s.noAuthAPIs[info.FullMethod] {

  164. 		return handler(srv, stream)

  165. 	}

  166. 

  167. 	// 否则要进行额外的Token认证

  168. 

  169. 	if !s.accessTokenAuthAPIs[info.FullMethod] {

  170. 		return status.Error(codes.Unauthenticated, "unauthorized access")

  171. 	}

  172. 

  173. 	meta, ok := metadata.FromIncomingContext(stream.Context())

  174. 	if !ok {

  175. 		return status.Error(codes.Unauthenticated, "no metadata found in context")

  176. 	}

  177. 

  178. 	userIDs := meta.Get(MetaUserID)

  179. 	if len(userIDs) != 1 {

  180. 		return status.Error(codes.Unauthenticated, "missing or multiple user ids in metadata")

  181. 	}

  182. 	userID, err := strconv.ParseInt(userIDs[0], 10, 64)

  183. 	if err != nil {

  184. 		return status.Error(codes.Unauthenticated, "invalid user id in metadata")

  185. 	}

  186. 

  187. 	accessTokenIDs := meta.Get(MetaAccessTokenID)

  188. 	if len(accessTokenIDs) != 1 {

  189. 		return status.Error(codes.Unauthenticated, "missing or multiple access token ids in metadata")

  190. 	}

  191. 

  192. 	nonce := meta.Get(MetaNonce)

  193. 	if len(nonce) != 1 {

  194. 		return status.Error(codes.Unauthenticated, "missing or multiple nonces in metadata")

  195. 	}

  196. 

  197. 	signature := meta.Get(MetaSignature)

  198. 	if len(signature) != 1 {

  199. 		return status.Error(codes.Unauthenticated, "missing or multiple signatures in metadata")

  200. 	}

  201. 

  202. 	authInfo := AccessTokenAuthInfo{

  203. 		UserID:        jcstypes.UserID(userID),

  204. 		AccessTokenID: jcstypes.AccessTokenID(accessTokenIDs[0]),

  205. 		Nonce:         nonce[0],

  206. 		Signature:     signature[0],

  207. 	}

  208. 

  209. 	if !s.tokenVerifier.Verify(authInfo) {

  210. 		return status.Error(codes.Unauthenticated, "invalid access token")

  211. 	}

  212. 

  213. 	return handler(srv, &serverStream{stream, context.WithValue(stream.Context(), MetaTokenAuthInfo, authInfo)})

  214. }

  215. 

  216. type serverStream struct {

  217. 	grpc.ServerStream

  218. 	ctx context.Context

  219. }

  220. 

  221. func (s *serverStream) Context() context.Context {

  222. 	return s.ctx

  223. }

  224. 

  225. func GetAuthInfo(ctx context.Context) (AccessTokenAuthInfo, bool) {

  226. 	val := ctx.Value(MetaTokenAuthInfo)

  227. 	if val == nil {

  228. 		return AccessTokenAuthInfo{}, false

  229. 	}

  230. 	authInfo, ok := val.(AccessTokenAuthInfo)

  231. 	return authInfo, ok

  232. }

本项目旨在将云际存储公共基础设施化,使个人及企业可低门槛使用高效的云际存储服务(安装开箱即用云际存储客户端即可,无需关注其他组件的部署),同时支持用户灵活便捷定制云际存储的功能细节。