feat: bk_token校验切换到bkapigw TencentBlueKing#961 (TencentBlueKing#976)
* feat: bk_token校验切换到bkapigw TencentBlueKing#961

* feat: bk_token校验切换到bkapigw TencentBlueKing#961

* feat: bk_token校验切换到bkapigw TencentBlueKing#961

* feat: bk_token校验切换到bkapigw TencentBlueKing#961
owenlxu authored Jul 21, 2023
1 parent ca4e190 commit c8ed5d0
Showing 6 changed files with 82 additions and 21 deletions.
37 changes: 19 additions & 18 deletions docs/install/env.md
Expand Up @@ -10,24 +10,25 @@

## 网关配置项

| 配置项 | 说明 | 示例 |
| ------------------------------- | ------------------- |-------------------------------------------------------------------------------------------------------|
| BK_REPO_HOST | bkrepo主机地址 | bkrepo.example.com |
| BK_REPO_UI_HOST | bkrepo前端主机地址 | bkrepo.example.com |
| BK_REPO_HTTP_PORT | bkrepo http端口 | 80 |
| BK_REPO_HTTPS_PORT | bkrepo https端口 | 443 |
| BK_REPO_APIGW_URL | bkrepo api网关url | |
| BK_REPO_APP_CODE | bkrepo app code | |
| BK_REPO_APP_TOKEN | bkrepo app token | |
| BK_REPO_HOME | bkrepo部署目录 | /data/bkce |
| BK_REPO_LOGS_DIR | bkrepo日志目录 | /data/logs |
| BK_REPO_PAAS_FQDN | bkrepo paas fqdn | paas.example.com |
| BK_REPO_PAAS_LOGIN_URL | 蓝鲸paas登录地址 | http://paas.example.com:80/login/?c_url= |
| BK_REPO_AUTHORIZATION | bkrepo认证token | Platform MThiNjFjOWMtOTAxYi00ZWEzLTg5YzMtMWY3NGJlOTQ0YjY2OlVzOFpHRFhQcWs4NmN3TXVrWUFCUXFDWkxBa00zSw== |
| BK_REPO_GATEWAY_CORS_ALLOW_LIST | 网关跨域允许列表 | |
| BK_REPO_GATEWAY_DNS_ADDR | 网关dns解析服务地址 | 127.0.0.1:53 |
| BK_REPO_SERVICE_PREFIX | bkrepo微服务前缀 | bkrepo- |
| BK_REPO_DEPLOY_MODE | bkrepo部署模式 | standalone / ci |
| 配置项 | 说明 | 示例 |
| -------------------------- |------------------|-------------------------------------------------------------------------------------------------------|
| BK_REPO_HOST | bkrepo主机地址 | bkrepo.example.com |
| BK_REPO_UI_HOST | bkrepo前端主机地址 | bkrepo.example.com |
| BK_REPO_HTTP_PORT | bkrepo http端口 | 80 |
| BK_REPO_HTTPS_PORT | bkrepo https端口 | 443 |
| BK_REPO_APIGW_URL | bkrepo api网关url | |
| BK_APIGW_URL | 蓝鲸 api网关url | |
| BK_REPO_APP_CODE | bkrepo app code | |
| BK_REPO_APP_TOKEN | bkrepo app token | |
| BK_REPO_HOME | bkrepo部署目录 | /data/bkce |
| BK_REPO_LOGS_DIR | bkrepo日志目录 | /data/logs |
| BK_REPO_PAAS_FQDN | bkrepo paas fqdn | paas.example.com |
| BK_REPO_PAAS_LOGIN_URL | 蓝鲸paas登录地址 | http://paas.example.com:80/login/?c_url= |
| BK_REPO_AUTHORIZATION | bkrepo认证token | Platform MThiNjFjOWMtOTAxYi00ZWEzLTg5YzMtMWY3NGJlOTQ0YjY2OlVzOFpHRFhQcWs4NmN3TXVrWUFCUXFDWkxBa00zSw== |
| BK_REPO_GATEWAY_CORS_ALLOW_LIST | 网关跨域允许列表 | |
| BK_REPO_GATEWAY_DNS_ADDR | 网关dns解析服务地址 | 127.0.0.1:53 |
| BK_REPO_SERVICE_PREFIX | bkrepo微服务前缀 | bkrepo- |
| BK_REPO_DEPLOY_MODE | bkrepo部署模式 | standalone / ci |

## consul配置项

6 changes: 5 additions & 1 deletion src/gateway/lua/auth/auth_web.lua
Expand Up @@ -42,7 +42,11 @@ elseif config.auth_mode == "" or config.auth_mode == "token" then
ngx.exit(401)
return
end
username = oauthUtil:verify_ticket(bk_token, "token")
if config.oauth.apigw_url == "" then
username = oauthUtil:verify_ticket(bk_token, "token")
else
username = oauthUtil:verify_bk_token(config.oauth.apigw_url, bk_token)
end
token = bk_token
elseif config.auth_mode == "ticket" then
local bk_ticket = cookieUtil:get_cookie("bk_ticket")
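Review bot: The new `if config.oauth.apigw_url == ""` selector only handles the empty-string case; a gateway started against an init.lua that predates the `apigw_url` key gets `nil`, which fails the comparison and sends the request into `verify_bk_token` with a nil URL, where the `"http://" .. auth_url` concatenation raises and the login ends as a 500 instead of falling back to `verify_ticket`. Suggest `local apigw_url = config.oauth.apigw_url` followed by `if apigw_url == nil or apigw_url == "" then`. A one-line comment on the selector would also help operators, e.g. `-- empty BK_APIGW_URL keeps the legacy ticket check; otherwise bk_token is verified through the BlueKing apigw`, since the switch is otherwise invisible from the outside. The enclosing `elseif config.auth_mode == "" or config.auth_mode == "token"` branch starts outside the hunk.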
55 changes: 53 additions & 2 deletions src/gateway/lua/util/oauth_util.lua
Expand Up @@ -121,6 +121,57 @@ function _M:verify_ticket(bk_ticket, input_type)
return user_cache_value
end

function _M:verify_bk_token(auth_url, token)
local user_cache = ngx.shared.user_info_store
local user_cache_value = user_cache:get(token)
if user_cache_value == nil then
local http_cli = http.new()
local auth = config.oauth
local query = "bk_app_code=" .. auth.app_code .. "&bk_app_secret=" .. auth.app_secret .. "&bk_token=" .. token
local addr = "http://" .. auth_url .. "/api/c/compapi/v2/bk_login/get_user/?" .. query
--- 开始连接
http_cli:set_timeout(3000)
http_cli:connect(addr)
--- 发送请求
local res, err = http_cli:request_uri(addr, {
method = "GET",
})
--- 判断是否出错了
if not res then
ngx.log(ngx.ERR, "failed to request apigw: error", err)
ngx.exit(401)
return
end
--- 判断返回的状态码是否是200
if res.status ~= 200 then
ngx.log(ngx.STDERR, "failed to request apigw, status: ", res.status)
ngx.exit(401)
return
end
--- 转换JSON的返回数据为TABLE
local result = json.decode(res.body)
--- 判断JSON转换是否成功
if result == nil then
ngx.log(ngx.ERR, "failed to parse apigw response:", res.body)
ngx.exit(401)
return
end

--- 判断返回码:Q!
if result.code ~= 0 then
if result.code == 1302403 then
ngx.exit(440)
end
ngx.log(ngx.INFO, "invalid user token: ", result.message)
ngx.exit(401)
return
end
user_cache_value = result.data.bk_username
user_cache:set(token, user_cache_value, 180)
end
return user_cache_value
end

function _M:verify_bkrepo_token(bkrepo_login_token)
local user_cache = ngx.shared.user_info_store
local user_cache_value = user_cache:get(bkrepo_login_token)
Expand Down Expand Up @@ -164,7 +215,7 @@ function _M:verify_bkrepo_token(bkrepo_login_token)
local result = json.decode(res.body)
--- 判断JSON转换是否成功
if result == nil then
ngx.log(ngx.ERR, "failed to parse verify_bkrepo_token response:", responseBody)
ngx.log(ngx.ERR, "failed to parse verify_bkrepo_token response:", res.body)
ngx.exit(401)
return
end
ngx.exit(401)
return
end
--- 获取所有回复
--- 转换请求内容
local responseBody = res:read_body()
--- 设置HTTP保持连接
httpc:set_keepalive(60000, 5)
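Review bot: `token` is spliced into the query string on the `local query = ...` line of `verify_bk_token` without URL-encoding, and it comes straight from the client's `bk_token` cookie (auth_web.lua reads it from the cookie before passing it here), so a crafted cookie value can append or override parameters on the apigw call; `auth.app_secret` travels in the same cleartext `http://` URL, where proxies and access logs between the gateway and apigw will record it. Encode each value with `ngx.escape_uri`, and, if the apigw endpoint accepts it, prefer https and keep the app secret out of the URL. `result.data.bk_username` is also read without checking that `data` is present, so a `code == 0` reply without a payload becomes a Lua error (HTTP 500) rather than a 401. The `http_cli:connect(addr)` call before `request_uri` discards its result and, as far as I can tell, `request_uri` manages its own connection, so it is dead code; the `ngx.STDERR` level in the status check is likewise the only non-`ngx.ERR` log level in the function. Note as well that a successful lookup is cached for 180 s keyed by the raw token, so a bk_token that apigw later revokes keeps working until the entry expires — acceptable, but worth a comment on the `user_cache:set` line.
```lua
function _M:verify_bk_token(auth_url, token)
    -- … unchanged: shared-dict cache lookup and http.new() …
    local auth = config.oauth
    -- bk_token arrives in a client cookie: URL-encode every parameter so a
    -- crafted value cannot append or override query parameters.
    local query = "bk_app_code=" .. ngx.escape_uri(auth.app_code)
        .. "&bk_app_secret=" .. ngx.escape_uri(auth.app_secret)
        .. "&bk_token=" .. ngx.escape_uri(token)
    local addr = "http://" .. auth_url .. "/api/c/compapi/v2/bk_login/get_user/?" .. query
    http_cli:set_timeout(3000)
    -- request_uri opens and closes its own connection; the separate
    -- connect(addr) call, whose result was never checked, is dropped.
    local res, err = http_cli:request_uri(addr, { method = "GET" })
    -- … unchanged: transport / status / JSON / code checks …
    -- code == 0 does not guarantee a payload; fail closed instead of indexing nil.
    if type(result.data) ~= "table" or result.data.bk_username == nil then
        ngx.log(ngx.ERR, "apigw response has no bk_username: ", res.body)
        ngx.exit(401)
        return
    end
    user_cache_value = result.data.bk_username
    -- … unchanged: 180 s cache store and return …
```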
Expand Up @@ -105,6 +105,8 @@ spec:
value: {{ .Values.gateway.ssmTokenUrl }}
- name: BK_REPO_SSM_ENV
value: {{ .Values.gateway.ssmEnv }}
- name: BK_APIGW_URL
value: {{ .Values.gateway.bkApigwUrl }}
- name: BK_REPO_APP_CODE
value: {{ .Values.gateway.appCode }}
- name: BK_REPO_APP_TOKEN
2 changes: 2 additions & 0 deletions support-files/kubernetes/charts/bkrepo/values.yaml
Expand Up @@ -262,6 +262,8 @@ gateway:
ssmTokenUrl:
## ci模式必填,ssm env
ssmEnv:
## 蓝鲸apigw地址
bkApigwUrl:
## ci模式必填,app code
appCode:
## ci模式必填,app token
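Review bot: The new `bkApigwUrl` comment describes the field as an address/url, but the gateway builds the request as `"http://" .. auth_url .. "/api/c/compapi/v2/bk_login/get_user/"` in oauth_util.lua, so a value that includes a scheme (`https://apigw.example.com`) would yield a malformed `http://https://...` URL, and https cannot be selected at all. Document the expected shape and the effect of leaving it empty, e.g. `## BlueKing apigw address: host[:port] only, no http:// prefix; leave empty to keep the legacy bk_token check`. The same wording applies to the `BK_APIGW_URL` row in docs/install/env.md and to the `BK_APIGW_URL` env entry in the deployment template.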
1 change: 1 addition & 0 deletions support-files/templates/gateway#lua#init.lua
Expand Up @@ -44,6 +44,7 @@ config = {
url = "__BK_REPO_SSM_TOKEN_URL__", -- 接口路径
app_code = "__BK_REPO_APP_CODE__",
app_secret = "__BK_REPO_APP_TOKEN__",
apigw_url = "__BK_APIGW_URL__"
},
bkrepo = {
authorization = "__BK_REPO_AUTHORIZATION__",
