[ISSUE #8701] ignore getServerList url (#8727)

* [ISSUE #8701] ignore getServerList url Close #8701 * add some unit test for auth - use http basic authentication - disable csrf * fix ci error
2022-07-14 09:30:11 +08:00 · 2022-07-14 09:30:11 +08:00 · 26f86e8da3
commit 26f86e8da3
parent 8cc92c598d
2 changed files with 107 additions and 29 deletions
--- a/address/src/main/java/com/alibaba/nacos/address/config/AddressServerSecurityConfiguration.java
+++ b/address/src/main/java/com/alibaba/nacos/address/config/AddressServerSecurityConfiguration.java
@ -0,0 +1,37 @@
+/*
+ * Copyright 1999-2022 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.address.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+/**
+ * nacos web security configuration.
+ * @author onewe
+ */
+@Configuration
+@Order(99)
+public class AddressServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
+    
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeHttpRequests(requestMatcherRegistry -> requestMatcherRegistry.mvcMatchers("/nacos/v1/as/**").authenticated())
+                .csrf().disable().httpBasic();
+    }
+}
--- a/address/src/test/java/com/alibaba/nacos/address/AddressServerControllerTests.java
+++ b/address/src/test/java/com/alibaba/nacos/address/AddressServerControllerTests.java
@ -16,37 +16,36 @@

 package com.alibaba.nacos.address;

+import com.alibaba.nacos.common.codec.Base64;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.util.LinkedMultiValueMap;

+import java.nio.charset.StandardCharsets;
 import java.util.concurrent.TimeUnit;

@RunWith(SpringRunner.class)
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
-@ImportAutoConfiguration(exclude = {SecurityAutoConfiguration.class, SecurityFilterAutoConfiguration.class,
-        ManagementWebSecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class})
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT, properties = {
+        "spring.security.user.password=123456", "spring.security.user.name=user"})
 public class AddressServerControllerTests {
    
    private static final String PRODUCT_CONFIG = "config";
    
    private static final String PRODUCT_NAMING = "naming";
    
+    private static final String HTTP_BASIC_INFO = getHttpBasicInfo();
+    
    @Autowired
    private TestRestTemplate restTemplate;
    
@ -56,6 +55,36 @@ public class AddressServerControllerTests {
        System.setProperty("embeddedStorage", "true");
    }
    
+    @AfterClass
+    public static void teardown() {
+        System.clearProperty("nacos.standalone");
+        System.clearProperty("embeddedStorage");
+    }
+    
+    private static String getHttpBasicInfo() {
+        String userName = "user";
+        String password = "123456";
+        
+        String info = userName + ":" + password;
+        
+        final byte[] bytes = Base64.encodeBase64(info.getBytes(StandardCharsets.UTF_8));
+        
+        return "Basic " + new String(bytes, StandardCharsets.UTF_8);
+    }
+    
+    @Test
+    public void postClusterWithoutLogin() {
+        
+        String ips = "127.0.0.100,127.0.0.102,127.0.0.104";
+        LinkedMultiValueMap<String, String> params = new LinkedMultiValueMap<>(1);
+        params.add("ips", ips);
+        
+        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
+                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+        
+        Assert.assertEquals(postClusterResponseEntity.getStatusCode(), HttpStatus.UNAUTHORIZED);
+    }
+    
    @Test
    public void postCluster() throws InterruptedException {
        
@ -64,7 +93,8 @@ public class AddressServerControllerTests {
        params.add("ips", ips);
        
        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+                RequestEntity.post("/nacos/v1/as/nodes").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO)
+                        .body(params), String.class);
        
        Assert.assertNotNull(postClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), postClusterResponseEntity.getStatusCodeValue());
@ -79,6 +109,16 @@ public class AddressServerControllerTests {
        
    }
    
+    @Test
+    public void deleteClusterWithoutLogin() {
+        LinkedMultiValueMap<String, String> params = new LinkedMultiValueMap<>(1);
+        params.add("ips", "127.0.0.104");
+        
+        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
+                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+        Assert.assertEquals(postClusterResponseEntity.getStatusCode(), HttpStatus.UNAUTHORIZED);
+    }
+    
    @Test
    public void deleteCluster() throws InterruptedException {
        
@ -86,7 +126,8 @@ public class AddressServerControllerTests {
        params.add("ips", "127.0.0.104");
        
        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+                RequestEntity.post("/nacos/v1/as/nodes").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO)
+                        .body(params), String.class);
        
        Assert.assertNotNull(postClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), postClusterResponseEntity.getStatusCodeValue());
@ -94,7 +135,8 @@ public class AddressServerControllerTests {
        TimeUnit.MILLISECONDS.sleep(500L);
        
        final ResponseEntity<String> deleteClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.delete("/nacos/v1/as/nodes?ips={ips}", "127.0.0.104").build(), String.class);
+                RequestEntity.delete("/nacos/v1/as/nodes?ips={ips}", "127.0.0.104")
+                        .header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO).build(), String.class);
        
        Assert.assertNotNull(deleteClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), deleteClusterResponseEntity.getStatusCodeValue());
@ -110,7 +152,8 @@ public class AddressServerControllerTests {
        params.add("product", PRODUCT_CONFIG);
        
        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+                RequestEntity.post("/nacos/v1/as/nodes").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO)
+                        .body(params), String.class);
        Assert.assertNotNull(postClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), postClusterResponseEntity.getStatusCodeValue());
        
@ -134,7 +177,8 @@ public class AddressServerControllerTests {
        params.add("product", PRODUCT_CONFIG);
        
        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+                RequestEntity.post("/nacos/v1/as/nodes").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO)
+                        .body(params), String.class);
        Assert.assertNotNull(postClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), postClusterResponseEntity.getStatusCodeValue());
        
@ -142,7 +186,7 @@ public class AddressServerControllerTests {
        
        final ResponseEntity<String> deleteClusterResponseEntity = restTemplate.exchange(
                RequestEntity.delete("/nacos/v1/as/nodes?product={product}&ips={ips}", PRODUCT_CONFIG, "127.0.0.104")
-                        .build(), String.class);
+                        .header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO).build(), String.class);
        
        Assert.assertNotNull(deleteClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), deleteClusterResponseEntity.getStatusCodeValue());
@ -159,7 +203,8 @@ public class AddressServerControllerTests {
        params.add("cluster", "cluster01");
        
        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+                RequestEntity.post("/nacos/v1/as/nodes").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO)
+                        .body(params), String.class);
        Assert.assertNotNull(postClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), postClusterResponseEntity.getStatusCodeValue());
        
@ -184,7 +229,8 @@ public class AddressServerControllerTests {
        params.add("cluster", "cluster01");
        
        final ResponseEntity<String> postClusterResponseEntity = restTemplate.exchange(
-                RequestEntity.post("/nacos/v1/as/nodes").body(params), String.class);
+                RequestEntity.post("/nacos/v1/as/nodes").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO)
+                        .body(params), String.class);
        Assert.assertNotNull(postClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), postClusterResponseEntity.getStatusCodeValue());
        
@ -192,16 +238,11 @@ public class AddressServerControllerTests {
        
        final ResponseEntity<String> deleteClusterResponseEntity = restTemplate.exchange(
                RequestEntity.delete("/nacos/v1/as/nodes?product={product}&cluster={cluster}&ips={ips}", PRODUCT_NAMING,
-                        "cluster01", "127.0.0.104").build(), String.class);
+                        "cluster01", "127.0.0.104").header(HttpHeaders.AUTHORIZATION, HTTP_BASIC_INFO).build(),
+                String.class);
        
        Assert.assertNotNull(deleteClusterResponseEntity);
        Assert.assertEquals(HttpStatus.OK.value(), deleteClusterResponseEntity.getStatusCodeValue());
    }
    
-    @AfterClass
-    public static void teardown() {
-        System.clearProperty("nacos.standalone");
-        System.clearProperty("embeddedStorage");
-    }
-    
 }