feat: 支持OpenId Connect协议 #1062

TencentBlueKing · Aug 28, 2023 · e1cbf30 · e1cbf30
1 parent f3be363
commit e1cbf30
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/.../src/main/kotlin/com/tencent/bkrepo/common/security/http/HttpAuthSecurityConfiguration.kt b/.../src/main/kotlin/com/tencent/bkrepo/common/security/http/HttpAuthSecurityConfiguration.kt
@@ -31,6 +31,7 @@
 
 package com.tencent.bkrepo.common.security.http
 
+import com.tencent.bkrepo.common.security.crypto.CryptoProperties
 import com.tencent.bkrepo.common.security.http.basic.BasicAuthHandler
 import com.tencent.bkrepo.common.security.http.core.HttpAuthInterceptor
 import com.tencent.bkrepo.common.security.http.core.HttpAuthSecurity
@@ -58,7 +59,8 @@ class HttpAuthSecurityConfiguration(
     private val unifiedCustomizer: ObjectProvider<HttpAuthSecurityCustomizer>,
     @Lazy
     private val authenticationManager: AuthenticationManager,
-    private val jwtAuthProperties: JwtAuthProperties
+    private val jwtAuthProperties: JwtAuthProperties,
+    private val cryptoProperties: CryptoProperties
 ) {
 
     @Bean
@@ -99,7 +101,7 @@ class HttpAuthSecurityConfiguration(
             httpAuthSecurity.addHttpAuthHandler(PlatformAuthHandler(authenticationManager))
         }
         if (httpAuthSecurity.jwtAuthEnabled) {
-            httpAuthSecurity.addHttpAuthHandler(JwtAuthHandler(jwtAuthProperties))
+            httpAuthSecurity.addHttpAuthHandler(JwtAuthHandler(jwtAuthProperties, cryptoProperties))
         }
         if (httpAuthSecurity.oauthEnabled) {
             httpAuthSecurity.addHttpAuthHandler(OauthAuthHandler(authenticationManager))

diff --git a/...on-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/jwt/JwtAuthHandler.kt b/...on-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/jwt/JwtAuthHandler.kt
@@ -33,18 +33,23 @@ package com.tencent.bkrepo.common.security.http.jwt
 
 import com.tencent.bkrepo.common.api.constant.BEARER_AUTH_PREFIX
 import com.tencent.bkrepo.common.api.constant.HttpHeaders
+import com.tencent.bkrepo.common.security.crypto.CryptoProperties
 import com.tencent.bkrepo.common.security.exception.AuthenticationException
 import com.tencent.bkrepo.common.security.http.core.HttpAuthHandler
 import com.tencent.bkrepo.common.security.http.credentials.AnonymousCredentials
 import com.tencent.bkrepo.common.security.http.credentials.HttpAuthCredentials
 import com.tencent.bkrepo.common.security.util.JwtUtils
+import com.tencent.bkrepo.common.security.util.RsaUtils
 import io.jsonwebtoken.ExpiredJwtException
 import io.jsonwebtoken.JwtException
 import javax.servlet.http.HttpServletRequest
 
-open class JwtAuthHandler(properties: JwtAuthProperties) : HttpAuthHandler {
+open class JwtAuthHandler(
+    jwtAuthProperties: JwtAuthProperties,
+    private val cryptoProperties: CryptoProperties
+) : HttpAuthHandler {
 
-    private val signingKey = JwtUtils.createSigningKey(properties.secretKey)
+    private val signingKey = JwtUtils.createSigningKey(jwtAuthProperties.secretKey)
 
     override fun extractAuthCredentials(request: HttpServletRequest): HttpAuthCredentials {
         val authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION).orEmpty()
@@ -56,13 +61,28 @@ open class JwtAuthHandler(properties: JwtAuthProperties) : HttpAuthHandler {
 
     override fun onAuthenticate(request: HttpServletRequest, authCredentials: HttpAuthCredentials): String {
         require(authCredentials is JwtAuthCredentials)
+
+        val token = authCredentials.token
+        try {
+            return validateToken { JwtUtils.validateToken(signingKey, token).body.subject }
+        } catch (ignore: AuthenticationException) {
+            // do nothing
+        }
+
+        return validateToken {
+            val key = RsaUtils.stringToPublicKey(cryptoProperties.publicKeyStr2048PKCS8)
+            JwtUtils.validateToken(key, token).body.subject
+        }
+    }
+
+    private fun validateToken(action: () -> String): String {
         try {
-            return JwtUtils.validateToken(signingKey, authCredentials.token).body.subject
+            return action()
         } catch (exception: ExpiredJwtException) {
             throw AuthenticationException("Expired token")
         } catch (exception: JwtException) {
             throw AuthenticationException("Invalid token")
-        } catch (exception: IllegalArgumentException) {
+        } catch (exception: JwtException) {
             throw AuthenticationException("Empty token")
         }
     }