[#1099] adjusting new logic and configuration for security

spring-cloud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/Const.java

@@ -25,4 +25,6 @@ public class Const {
   public static final String AUTH_SERVICE_NAME = "serviceName";
 
   public static final String AUTH_TOKEN_CHECK_ENABLED = "spring.cloud.servicecomb.webmvc.publicKey.tokenCheckEnabled";
+
+  public static final String AUTH_TOKEN_HEADER_KEY = "spring.cloud.servicecomb.webmvc.publicKey.headerTokenKey";
 }

spring-cloud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/RSAProviderTokenManager.java

@@ -42,12 +42,24 @@ public RSAProviderTokenManager(List<AccessController> accessControllers, Environ
     this.authenticationAdapter = authenticationAdapter;
   }
 
+  /**
+   * 1.tokenCheckEnabled is true or request headers has no serviceName, use serviceId and instanceId for authentication
+   * in token.
+   * 2.tokenCheckEnabled is false and request headers has serviceName, use serviceName for authentication in request
+   * header.
+   *
+   * @param request
+   * @throws Exception
+   */
   public void valid(HttpServletRequest request) throws Exception {
     try {
       AuthRequestExtractor extractor;
       if (environment.getProperty(Const.AUTH_TOKEN_CHECK_ENABLED, boolean.class, true)
           || StringUtils.isEmpty(request.getHeader(Const.AUTH_SERVICE_NAME))) {
-        RsaAuthenticationToken rsaToken = RSATokenCheckUtils.checkTokenInfo(request, authenticationAdapter);
+        String headerTokenKey = environment.getProperty(Const.AUTH_TOKEN_HEADER_KEY, String.class,
+            "X-SM-Token");
+        RsaAuthenticationToken rsaToken = RSATokenCheckUtils.checkTokenInfo(request, authenticationAdapter,
+            headerTokenKey);
         extractor = AuthRequestExtractorUtils.createAuthRequestExtractor(request, rsaToken.getServiceId(),
             rsaToken.getInstanceId());
       } else {

spring-cloud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/RSATokenCheckUtils.java

@@ -38,8 +38,8 @@ public class RSATokenCheckUtils {
       .build();
 
   public static RsaAuthenticationToken checkTokenInfo(HttpServletRequest request,
-      AuthenticationAdapter authenticationAdapter) throws Exception {
-    String token = request.getHeader(Const.AUTH_TOKEN);
+      AuthenticationAdapter authenticationAdapter, String headerTokenKey) throws Exception {
+    String token = request.getHeader(headerTokenKey);
     if (StringUtils.isEmpty(token)) {
       token = InvocationContextHolder.getOrCreateInvocationContext().getContext(Const.AUTH_TOKEN);
     }

spring-cloud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/securityPolicy/SecurityPolicyAccessController.java

@@ -54,15 +54,12 @@ public boolean isAllowed(AuthRequestExtractor extractor) throws Exception {
 
   private boolean checkDeny(String serviceName, AuthRequestExtractor extractor) {
     if (securityPolicyProperties.matchDeny(serviceName, extractor.uri(), extractor.method())) {
+      // both permissive and enforcing model need print logs(send alarm info).
+      LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}",
+          serviceName, securityPolicyProperties.getProvider(), extractor.uri(), extractor.method(),
+          System.currentTimeMillis());
       // permissive mode, black policy match allow passing
-      if ("permissive".equals(securityPolicyProperties.getMode())) {
-        LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}",
-            serviceName, securityPolicyProperties.getProvider(), extractor.uri(), extractor.method(),
-            System.currentTimeMillis());
-        return false;
-      } else {
-        return true;
-      }
+      return !"permissive".equals(securityPolicyProperties.getMode());
     } else {
       return false;
     }
@@ -72,15 +69,12 @@ private boolean checkAllowAndDeny(String serviceName, AuthRequestExtractor extra
     if (securityPolicyProperties.matchAllow(serviceName, extractor.uri(), extractor.method())) {
       return !checkDeny(serviceName, extractor);
     } else {
+      // both permissive and enforcing model need print logs(send alarm info).
+      LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}",
+          serviceName, securityPolicyProperties.getProvider(), extractor.uri(), extractor.method(),
+          System.currentTimeMillis());
       // permissive mode, white policy not match allow passing
-      if ("permissive".equals(securityPolicyProperties.getMode())) {
-        LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}",
-            serviceName, securityPolicyProperties.getProvider(), extractor.uri(), extractor.method(),
-            System.currentTimeMillis());
-        return true;
-      } else {
-        return false;
-      }
+      return "permissive".equals(securityPolicyProperties.getMode());
     }
   }
 

spring-cloud-huawei-governance/src/main/java/com/huaweicloud/governance/authentication/securityPolicy/SecurityPolicyProperties.java

@@ -138,7 +138,7 @@ public void setAction(Action action) {
 
   public boolean matchAllow(String serviceName, String uri, String method) {
     if (action == null || action.allow.isEmpty()) {
-      return true;
+      return false;
     }
 
     for (ConfigurationItem item : action.allow) {

spring-cloud-huawei-governance/src/test/java/com/huaweicloud/governance/authentication/securityPolicy/SecurityPolicyAccessControllerTest.java

@@ -462,8 +462,8 @@ public void testAllowEnforcingNotMatch() throws Exception {
 
   @Test
   public void testDenyEnforcingNotMatch() throws Exception {
-    AuthRequestExtractor extractor = createAuthRequestExtractor("/checkToken");
-    Assertions.assertTrue(getDenyAccessController("enforcing")
+    AuthRequestExtractor extractor = createAuthRequestExtractor("/checkTokenSecurityAllow");
+    Assertions.assertTrue(getBothAccessController("enforcing")
         .isAllowed(extractor));
   }