聊聊dubbo-go的ProviderAuthFilter

本文主要研究一下dubbo-go的ProviderAuthFilter

ProviderAuthFilter

dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go

type ProviderAuthFilter struct {
}

func init() {
    extension.SetFilter(constant.PROVIDER_AUTH_FILTER, getProviderAuthFilter)
}
  • ProviderAuthFilter的init方法设置了getProviderAuthFilter

getProviderAuthFilter

dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go

func getProviderAuthFilter() filter.Filter {
    return &ProviderAuthFilter{}
}
  • getProviderAuthFilter实例化了ProviderAuthFilter

Invoke

dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go

func (paf *ProviderAuthFilter) Invoke(ctx context.Context, invoker protocol.Invoker, invocation protocol.Invocation) protocol.Result {
    logger.Infof("invoking providerAuth filter.")
    url := invoker.GetUrl()

    err := doAuthWork(&url, func(authenticator filter.Authenticator) error {
        return authenticator.Authenticate(invocation, &url)
    })
    if err != nil {
        logger.Infof("auth the request: %v occur exception, cause: %s", invocation, err.Error())
        return &protocol.RPCResult{
            Err: err,
        }
    }

    return invoker.Invoke(ctx, invocation)
}
  • Invoke方法通过doAuthWork来进行auth,其传递的func执行authenticator.Authenticate(invocation, &url)

OnResponse

dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go

func (paf *ProviderAuthFilter) OnResponse(ctx context.Context, result protocol.Result, invoker protocol.Invoker, invocation protocol.Invocation) protocol.Result {
    return result
}
  • OnResponse方法直接返回result

doAuthWork

dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go

func doAuthWork(url *common.URL, do func(filter.Authenticator) error) error {

    shouldAuth := url.GetParamBool(constant.SERVICE_AUTH_KEY, false)
    if shouldAuth {
        authenticator := extension.GetAuthenticator(url.GetParam(constant.AUTHENTICATOR_KEY, constant.DEFAULT_AUTHENTICATOR))
        return do(authenticator)
    }
    return nil
}
  • doAuthWork方法先从url读取constant.SERVICE_AUTH_KEY判断是否需要auth,需要的话,则获取authenticator,执行do(authenticator)

Authenticate

dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go

func (authenticator *DefaultAuthenticator) Authenticate(invocation protocol.Invocation, url *common.URL) error {
    accessKeyId := invocation.AttachmentsByKey(constant.AK_KEY, "")

    requestTimestamp := invocation.AttachmentsByKey(constant.REQUEST_TIMESTAMP_KEY, "")
    originSignature := invocation.AttachmentsByKey(constant.REQUEST_SIGNATURE_KEY, "")
    consumer := invocation.AttachmentsByKey(constant.CONSUMER, "")
    if IsEmpty(accessKeyId, false) || IsEmpty(consumer, false) ||
        IsEmpty(requestTimestamp, false) || IsEmpty(originSignature, false) {
        return errors.New("failed to authenticate your ak/sk, maybe the consumer has not enabled the auth")
    }

    accessKeyPair, err := getAccessKeyPair(invocation, url)
    if err != nil {
        return errors.New("failed to authenticate , can't load the accessKeyPair")
    }

    computeSignature, err := getSignature(url, invocation, accessKeyPair.SecretKey, requestTimestamp)
    if err != nil {
        return err
    }
    if success := computeSignature == originSignature; !success {
        return errors.New("failed to authenticate, signature is not correct")
    }
    return nil
}
  • Authenticate方法从invocation的attachment获取requestTimestamp及originSignature,然后通过getAccessKeyPair从accesskeyStorage.GetAccessKeyPair获取accessKeyPair,之后通过getSignature计算signature,然后对比computeSignature与originSignature是否一样,不一样则返回error

小结

ProviderAuthFilter的Invoke方法通过doAuthWork来进行auth,其传递的func执行authenticator.Authenticate(invocation, &url)

doc

  • provider_auth

原文 

https://segmentfault.com/a/1190000023368593

本站部分文章源于互联网,本着传播知识、有益学习和研究的目的进行的转载,为网友免费提供。如有著作权人或出版方提出异议,本站将立即删除。如果您对文章转载有任何疑问请告之我们,以便我们及时纠正。

PS:推荐一个微信公众号: askHarries 或者qq群:474807195,里面会分享一些资深架构师录制的视频录像:有Spring,MyBatis,Netty源码分析,高并发、高性能、分布式、微服务架构的原理,JVM性能优化这些成为架构师必备的知识体系。还能领取免费的学习资源,目前受益良多

转载请注明原文出处:Harries Blog™ » 聊聊dubbo-go的ProviderAuthFilter

赞 (0)
分享到:更多 ()

评论 0

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址