feat: 支持OpenId Connect协议 #1062

src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/api/ServiceAccountClient.kt

@@ -32,6 +32,7 @@
 package com.tencent.bkrepo.auth.api
 
 import com.tencent.bkrepo.auth.constant.AUTH_SERVICE_ACCOUNT_PREFIX
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import com.tencent.bkrepo.common.api.constant.AUTH_SERVICE_NAME
 import com.tencent.bkrepo.common.api.pojo.Response
 import io.swagger.annotations.Api
@@ -67,7 +68,9 @@ interface ServiceAccountClient {
         @ApiParam(value = "accesskey")
         @RequestParam accesskey: String,
         @ApiParam(value = "secretkey")
-        @RequestParam secretkey: String
+        @RequestParam secretkey: String,
+        @ApiParam(value = "authorizationGrantType")
+        @RequestParam authorizationGrantType: AuthorizationGrantType? = null
     ): Response<String?>
 
     @ApiOperation("查找sk")

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceAccountController.kt

@@ -33,6 +33,7 @@ package com.tencent.bkrepo.auth.controller.service
 
 import com.tencent.bkrepo.auth.api.ServiceAccountClient
 import com.tencent.bkrepo.auth.controller.OpenResource
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import com.tencent.bkrepo.auth.service.AccountService
 import com.tencent.bkrepo.auth.service.PermissionService
 import com.tencent.bkrepo.common.api.pojo.Response
@@ -48,12 +49,16 @@ class ServiceAccountController @Autowired constructor(
 
     @Deprecated("删除get方式校验")
     override fun checkCredential(accesskey: String, secretkey: String): Response<String?> {
-        val result = accountService.checkCredential(accesskey, secretkey)
+        val result = accountService.checkCredential(accesskey, secretkey, null)
         return ResponseBuilder.success(result)
     }
 
-    override fun checkAccountCredential(accesskey: String, secretkey: String): Response<String?> {
-        val result = accountService.checkCredential(accesskey, secretkey)
+    override fun checkAccountCredential(
+        accesskey: String,
+        secretkey: String,
+        authorizationGrantType: AuthorizationGrantType?
+    ): Response<String?> {
+        val result = accountService.checkCredential(accesskey, secretkey, authorizationGrantType)
         return ResponseBuilder.success(result)
     }
     override fun findSecretKey(appId: String, accessKey: String): Response<String?> {

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/interceptor/AuthInterceptor.kt

@@ -57,6 +57,7 @@ import com.tencent.bkrepo.auth.constant.AUTH_PROJECT_SUFFIX
 import com.tencent.bkrepo.auth.constant.AUTH_REPO_SUFFIX
 import com.tencent.bkrepo.auth.constant.BASIC_AUTH_HEADER_PREFIX
 import com.tencent.bkrepo.auth.constant.PLATFORM_AUTH_HEADER_PREFIX
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import com.tencent.bkrepo.auth.pojo.user.CreateUserRequest
 import com.tencent.bkrepo.auth.service.AccountService
 import com.tencent.bkrepo.auth.service.UserService
@@ -158,7 +159,7 @@ class AuthInterceptor(
         val decodedHeader = String(Base64.getDecoder().decode(encodedCredentials))
         val parts = decodedHeader.split(COLON)
         require(parts.size == 2)
-        val appId = accountService.checkCredential(parts[0], parts[1]) ?: run {
+        val appId = accountService.checkCredential(parts[0], parts[1], AuthorizationGrantType.PLATFORM) ?: run {
             logger.warn("find no account [$parts[0]]")
             throw IllegalArgumentException("check auth credential fail")
         }

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/AccountService.kt

@@ -64,7 +64,11 @@ interface AccountService {
 
     fun updateCredentialStatus(appId: String, accessKey: String, status: CredentialStatus): Boolean
 
-    fun checkCredential(accessKey: String, secretKey: String): String?
+    fun checkCredential(
+        accessKey: String,
+        secretKey: String,
+        authorizationGrantType: AuthorizationGrantType? = null
+    ): String?
 
     fun findSecretKey(appId: String, accessKey: String): String?
 }

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/AccountServiceImpl.kt

@@ -248,9 +248,13 @@ class AccountServiceImpl constructor(
         return false
     }
 
-    override fun checkCredential(accessKey: String, secretKey: String): String? {
+    override fun checkCredential(
+        accessKey: String,
+        secretKey: String,
+        authorizationGrantType: AuthorizationGrantType?
+    ): String? {
         logger.debug("check  credential  accessKey : [$accessKey] , secretKey: []")
-        val query = AccountQueryHelper.checkCredential(accessKey, secretKey)
+        val query = AccountQueryHelper.checkCredential(accessKey, secretKey, authorizationGrantType)
         val result = mongoTemplate.findOne(query, TAccount::class.java) ?: return null
         return result.appId
     }

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/oauth/OauthAuthorizationServiceImpl.kt

@@ -175,7 +175,6 @@ class OauthAuthorizationServiceImpl(
                 nonce = OauthUtils.generateRandomString(10)
             )
             token.accessToken = idToken.toJwtToken()
-            token.refreshToken = OauthUtils.generateRefreshToken()
             token.issuedAt = Instant.now(Clock.systemDefaultZone())
             token.idToken?.let { token.idToken = idToken }
             oauthTokenRepository.save(token)

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/util/query/AccountQueryHelper.kt

@@ -1,15 +1,28 @@
 package com.tencent.bkrepo.auth.util.query
 
 import com.tencent.bkrepo.auth.model.TAccount
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import org.springframework.data.mongodb.core.query.Criteria
 import org.springframework.data.mongodb.core.query.Query
+import org.springframework.data.mongodb.core.query.isEqualTo
 
 object AccountQueryHelper {
 
-    fun checkCredential(accessKey: String, secretKey: String): Query {
+    fun checkCredential(accessKey: String, secretKey: String, authorizationGrantType: AuthorizationGrantType?): Query {
+        val criteria = Criteria()
         return Query.query(
-            Criteria.where("credentials.secretKey").`is`(secretKey)
-                .and("credentials.accessKey").`is`(accessKey)
+            criteria.andOperator(
+                Criteria.where("credentials.secretKey").`is`(secretKey),
+                Criteria.where("credentials.accessKey").`is`(accessKey),
+                Criteria().apply {
+                    authorizationGrantType?.let {
+                        orOperator(
+                            Criteria.where("credentials.authorizationGrantType").isEqualTo(null),
+                            Criteria.where("credentials.authorizationGrantType").isEqualTo(authorizationGrantType)
+                        )
+                    }
+                }
+            )
         )
     }
 

src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/manager/AuthenticationManager.kt

@@ -30,6 +30,7 @@ package com.tencent.bkrepo.common.security.manager
 import com.tencent.bkrepo.auth.api.ServiceAccountClient
 import com.tencent.bkrepo.auth.api.ServiceOauthAuthorizationClient
 import com.tencent.bkrepo.auth.api.ServiceUserClient
+import com.tencent.bkrepo.auth.pojo.oauth.AuthorizationGrantType
 import com.tencent.bkrepo.auth.pojo.oauth.OauthToken
 import com.tencent.bkrepo.auth.pojo.user.CreateUserRequest
 import com.tencent.bkrepo.auth.pojo.user.UserInfo
@@ -60,7 +61,11 @@ class AuthenticationManager(
      * @throws AuthenticationException 校验失败
      */
     fun checkPlatformAccount(accessKey: String, secretKey: String): String {
-        val response = serviceAccountClient.checkAccountCredential(accessKey, secretKey)
+        val response = serviceAccountClient.checkAccountCredential(
+            accesskey = accessKey,
+            secretkey = secretKey,
+            authorizationGrantType = AuthorizationGrantType.PLATFORM
+        )
         return response.data ?: throw AuthenticationException("AccessKey/SecretKey check failed.")
     }