
[ISSUE #12060] fix too large ttl when auth disabled #12090

Merged: 3 commits merged into alibaba:develop on May 20, 2024

Conversation

DemonHugo
Contributor

@DemonHugo DemonHugo commented May 12, 2024

What is the purpose of the change

fix issue #12060

Brief changelog

  1. fix too large ttl when auth disabled
  2. generate a valid token when nacos.core.auth.plugin.nacos.token.secret.key is valid even if auth disabled

Verifying this change

XXXX

Follow this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
  • Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in test module.
  • Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass.

fix issue alibaba#12060

1. fix too large ttl when auth disabled
2. generate a valid token when key is valid even if auth disabled
CLAassistant commented May 12, 2024

CLA assistant check
All committers have signed the CLA.

Collaborator

@KomachiSion KomachiSion left a comment


My idea is to add a timestamp to the prefix or suffix of AUTH_DISABLED_TOKEN, and then in getTTl extract the prefix or suffix and compute the remaining TTL from it.

@@ -103,10 +103,13 @@ public String createToken(Authentication authentication) {
* @return token
*/
public String createToken(String userName) {
if (!authConfigs.isAuthEnabled()) {
// create a token when auth enabled or nacos.core.auth.plugin.nacos.token.secret.key is configured
if (!authConfigs.isAuthEnabled() && null == jwtParser) {
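Review bot: The new comment above the guard ("create a token when auth enabled or nacos.core.auth.plugin.nacos.token.secret.key is configured") describes the fall-through case, not the branch it sits on, which is the one that returns the placeholder; restate it as the condition being guarded, e.g. `// return AUTH_DISABLED_TOKEN only when auth is disabled and no usable secret key is configured`. Tying the branch to `null == jwtParser` also means a server with auth disabled but a key configured now issues a real signed token, which is the behaviour the PR description wants; that case deserves a unit test, since the "Verifying this change" section of the description is still the template placeholder.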
Collaborator


There should be no need to check jwtParser; if auth is not enabled, then regardless of whether a jwtParser exists, the jwtParser should not need to be evaluated.

Collaborator


Besides, jwtParser is already validated further down.

@DemonHugo
Contributor Author

DemonHugo commented May 15, 2024

> My idea is to add a timestamp to the prefix or suffix of AUTH_DISABLED_TOKEN, and then in getTTl extract the prefix or suffix and compute the remaining TTL from it.

The actual purpose of this commit is to let the Nacos server switch the auth toggle freely without the client noticing.
There are currently four scenarios for token validation:

1. Auth disabled, secret key not configured correctly
2. Auth enabled, secret key not configured correctly
3. Auth disabled, secret key configured correctly
4. Auth enabled, secret key configured correctly

Of these, case 1 returns AUTH_DISABLED_TOKEN, case 2 reports an error that the key must be configured correctly, and case 4 performs normal authentication; none of these differ from the current implementation.

What this commit aims for is that in scenario 3 the server still returns a correct token to the client, so that the server can enable auth without old or new clients noticing, and without making the client wait 9/10 of the TTL before it obtains a correct token.

Therefore, in the createToken method I added a check on the validity of the secret key as a condition for returning AUTH_DISABLED_TOKEN. At the same time, moving the checkParser method into the else if branch avoids the above change causing the login endpoint to report errors frequently when auth is disabled and the secret key is not configured correctly.
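The four scenarios described in this comment, modelled as an added example in Python; this is not Nacos code and does not use its jjwt-based parser. The names TokenService, create_token, get_ttl and SAMPLE_KEY_B64 are assumptions, the AUTH_DISABLED_TOKEN value is a constructed placeholder (the page names the constant but not its value), the "usable key" rule (base64 decoding to at least 32 raw bytes, standing in for jwtParser being non-null) is an assumption, and the HS256 token is built by hand. The point it shows: the placeholder is returned only when auth is disabled and no usable key exists, a server with auth disabled but a valid key issues a real token with a bounded expiry, and a server that later enables auth can compute the remaining TTL of that same token instead of the client having to wait for the placeholder to age out.

```python
"""Model of createToken / getTTL dispatch across the four auth/key scenarios (added example, not Nacos code)."""
import base64
import hashlib
import hmac
import json
import time

AUTH_DISABLED_TOKEN = "AUTH_DISABLED"  # constructed placeholder value
MIN_KEY_BYTES = 32  # assumption: HS256 wants a key of at least 256 bits
SAMPLE_KEY_B64 = base64.b64encode(b"x" * 32).decode()  # constructed sample key, never use in production


def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self, auth_enabled, secret_key, ttl_seconds=18000, clock=time.time):
        self.auth_enabled = auth_enabled
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        # a usable key is the stand-in for "jwtParser != null" in the PR
        self.key = self._usable_key(secret_key)

    @staticmethod
    def _usable_key(secret_key):
        if not secret_key:
            return None
        try:
            raw = base64.b64decode(secret_key, validate=True)
        except Exception:  # not base64 at all
            return None
        return raw if len(raw) >= MIN_KEY_BYTES else None

    def create_token(self, username):
        # scenario 1: auth disabled and no usable key -> placeholder token
        if not self.auth_enabled and self.key is None:
            return AUTH_DISABLED_TOKEN
        # scenario 2: auth enabled but key unusable -> refuse; the server config must be fixed
        if self.key is None:
            raise ValueError("nacos.core.auth.plugin.nacos.token.secret.key must be configured")
        # scenarios 3 and 4: issue a real signed token with a bounded expiry
        now = int(self.clock())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": username, "exp": now + self.ttl_seconds}
        parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
        signing_input = b".".join(parts)
        sig = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        return (signing_input + b"." + _b64url(sig)).decode()

    def get_ttl(self, token):
        """Remaining lifetime in seconds; the placeholder reports the configured TTL, never an unbounded one."""
        if token == AUTH_DISABLED_TOKEN:
            return self.ttl_seconds
        if self.key is None:
            raise ValueError("cannot validate a signed token without a usable key")
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        payload = json.loads(_b64url_decode(payload_b64))
        return max(0, payload["exp"] - int(self.clock()))


def run_scenarios(now=1_000_000):
    """Exercise the four scenarios at a fixed clock and return what each one produced."""
    clock = lambda: now
    out = {}
    s1 = TokenService(False, None, clock=clock)
    out["disabled_no_key"] = s1.create_token("nacos")
    out["disabled_no_key_ttl"] = s1.get_ttl(out["disabled_no_key"])
    try:
        TokenService(True, "not-a-valid-key", clock=clock).create_token("nacos")
        out["enabled_bad_key"] = "token issued"
    except ValueError:
        out["enabled_bad_key"] = "rejected"
    s3 = TokenService(False, SAMPLE_KEY_B64, ttl_seconds=100, clock=clock)
    tok = s3.create_token("nacos")
    out["disabled_key_ok_is_placeholder"] = tok == AUTH_DISABLED_TOKEN
    out["disabled_key_ok_ttl"] = s3.get_ttl(tok)
    # the same token checked 60 s later by a server that has since enabled auth (the hand-over the PR describes)
    s4 = TokenService(True, SAMPLE_KEY_B64, ttl_seconds=100, clock=lambda: now + 60)
    out["enabled_key_ok_ttl_later"] = s4.get_ttl(tok)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The usable-key check is deliberately stricter than "key is non-empty": a key that decodes to too few bytes is treated the same as no key, so scenario 3 only applies when a token signed with it could actually be verified later.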

@KomachiSion
Collaborator


ok

@KomachiSion
Collaborator

CI can't pass, please fix it

@KomachiSion KomachiSion merged commit 9363a08 into alibaba:develop May 20, 2024
7 checks passed
@KomachiSion KomachiSion added this to the 2.4.0 milestone May 20, 2024
@KomachiSion KomachiSion added kind/bug Category issues or prs related to bug. plugin labels May 20, 2024