alibaba · KomachiSion · Nov 22, 2024 · Nov 21, 2024
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/GrpcProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/GrpcProtocolAuthService.java
@@ -19,9 +19,11 @@
 import com.alibaba.nacos.api.remote.request.Request;
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Resource;
 import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
 import com.alibaba.nacos.plugin.auth.constant.SignType;
 import com.alibaba.nacos.auth.context.GrpcIdentityContextBuilder;
 import com.alibaba.nacos.auth.parser.grpc.AbstractGrpcResourceParser;
@@ -76,6 +78,14 @@ public IdentityContext parseIdentity(Request request) {
         return identityContextBuilder.build(request);
     }
 
+    @Override
+    public ServerIdentityResult checkServerIdentity(Request request, Secured secured) {
+        if (ApiType.INNER_API != secured.apiType()) {
+            return ServerIdentityResult.noMatched();
+        }
+        return super.checkServerIdentity(request, secured);
+    }
+
     @Override
     protected ServerIdentity parseServerIdentity(Request request) {
         String serverIdentityKey = authConfigs.getServerIdentityKey();

diff --git a/auth/src/test/java/com/alibaba/nacos/auth/GrpcProtocolAuthServiceTest.java b/auth/src/test/java/com/alibaba/nacos/auth/GrpcProtocolAuthServiceTest.java
@@ -26,6 +26,7 @@
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Permission;
 import com.alibaba.nacos.plugin.auth.api.Resource;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
 import com.alibaba.nacos.plugin.auth.constant.SignType;
 import com.alibaba.nacos.plugin.auth.exception.AccessException;
 import org.junit.jupiter.api.BeforeEach;
@@ -181,7 +182,7 @@ void testEnabledAuthWithoutPlugin() throws NoSuchMethodException {
     }
 
     @Test
-    @Secured
+    @Secured(apiType = ApiType.INNER_API)
     void testCheckServerIdentityWithoutIdentityConfig() throws NoSuchMethodException {
         Secured secured = getMethodSecure("testCheckServerIdentityWithoutIdentityConfig");
         ServerIdentityResult result = protocolAuthService.checkServerIdentity(namingRequest, secured);
@@ -198,7 +199,7 @@ void testCheckServerIdentityWithoutIdentityConfig() throws NoSuchMethodException
     }
 
     @Test
-    @Secured
+    @Secured(apiType = ApiType.INNER_API)
     void testCheckServerIdentityNotMatched() throws NoSuchMethodException {
         Secured secured = getMethodSecure("testCheckServerIdentityNotMatched");
         when(authConfigs.getServerIdentityKey()).thenReturn("1");
@@ -211,7 +212,7 @@ void testCheckServerIdentityNotMatched() throws NoSuchMethodException {
     }
 
     @Test
-    @Secured
+    @Secured(apiType = ApiType.INNER_API)
     void testCheckServerIdentityMatched() throws NoSuchMethodException {
         when(authConfigs.getServerIdentityKey()).thenReturn("1");
         when(authConfigs.getServerIdentityValue()).thenReturn("2");
@@ -221,6 +222,15 @@ void testCheckServerIdentityMatched() throws NoSuchMethodException {
         assertEquals(ServerIdentityResult.ResultStatus.MATCHED, result.getStatus());
     }
 
+    @Test
+    @Secured
+    void testCheckServerIdentityForOtherTypeApi() throws NoSuchMethodException {
+        namingRequest.putHeader("1", "2");
+        Secured secured = getMethodSecure("testCheckServerIdentityForOtherTypeApi");
+        ServerIdentityResult result = protocolAuthService.checkServerIdentity(namingRequest, secured);
+        assertEquals(ServerIdentityResult.ResultStatus.NOT_MATCHED, result.getStatus());
+    }
+
     private Secured getMethodSecure(String methodName) throws NoSuchMethodException {
         Method method = GrpcProtocolAuthServiceTest.class.getDeclaredMethod(methodName);
         return method.getAnnotation(Secured.class);

diff --git a/...in/java/com/alibaba/nacos/config/server/remote/ConfigChangeClusterSyncRequestHandler.java b/...in/java/com/alibaba/nacos/config/server/remote/ConfigChangeClusterSyncRequestHandler.java
@@ -21,6 +21,7 @@
 import com.alibaba.nacos.api.exception.NacosException;
 import com.alibaba.nacos.api.remote.RemoteConstants;
 import com.alibaba.nacos.api.remote.request.RequestMeta;
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.common.utils.StringUtils;
 import com.alibaba.nacos.config.server.model.gray.BetaGrayRule;
 import com.alibaba.nacos.config.server.model.gray.TagGrayRule;
@@ -34,6 +35,8 @@
 import com.alibaba.nacos.core.paramcheck.impl.ConfigRequestParamExtractor;
 import com.alibaba.nacos.core.remote.RequestHandler;
 import com.alibaba.nacos.core.remote.grpc.InvokeSource;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import org.springframework.stereotype.Component;
 
 /**
@@ -60,6 +63,7 @@ public ConfigChangeClusterSyncRequestHandler(DumpService dumpService,
     @TpsControl(pointName = "ClusterConfigChangeNotify")
     @Override
     @ExtractorManager.Extractor(rpcExtractor = ConfigRequestParamExtractor.class)
+    @Secured(signType = SignType.CONFIG, apiType = ApiType.INNER_API)
     public ConfigChangeClusterSyncResponse handle(ConfigChangeClusterSyncRequest configChangeSyncRequest,
             RequestMeta meta) throws NacosException {
 

diff --git a/core/src/main/java/com/alibaba/nacos/core/auth/RemoteRequestAuthFilter.java b/core/src/main/java/com/alibaba/nacos/core/auth/RemoteRequestAuthFilter.java
@@ -23,7 +23,7 @@
 import com.alibaba.nacos.auth.GrpcProtocolAuthService;
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.auth.config.AuthConfigs;
-import com.alibaba.nacos.plugin.auth.constant.ApiType;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
 import com.alibaba.nacos.common.utils.ExceptionUtil;
 import com.alibaba.nacos.core.context.RequestContext;
 import com.alibaba.nacos.core.context.RequestContextHolder;
@@ -32,6 +32,7 @@
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Permission;
 import com.alibaba.nacos.plugin.auth.api.Resource;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
 import com.alibaba.nacos.plugin.auth.constant.Constants;
 import com.alibaba.nacos.plugin.auth.exception.AccessException;
 import org.springframework.stereotype.Component;
@@ -63,20 +64,25 @@ public Response filter(Request request, RequestMeta meta, Class handlerClazz) th
         try {
 
             Method method = getHandleMethod(handlerClazz);
-            boolean isAuthEnabled = authConfigs.isConsoleAuthEnabled() || authConfigs.isAuthEnabled();
-            if (method.isAnnotationPresent(Secured.class) && isAuthEnabled) {
-
-                if (Loggers.AUTH.isDebugEnabled()) {
-                    Loggers.AUTH.debug("auth start, request: {}", request.getClass().getSimpleName());
-                }
-
+            if (method.isAnnotationPresent(Secured.class)) {
                 Secured secured = method.getAnnotation(Secured.class);
-                ApiType apiType = secured.apiType();
-                if (apiType == ApiType.CONSOLE_API && !authConfigs.isConsoleAuthEnabled()) {
+                // Inner API must do check server identity. So judge api type not inner api and whether auth is enabled.
+                if (ApiType.INNER_API != secured.apiType() && !authConfigs.isAuthEnabled()) {
                     return null;
                 }
-                if (apiType == ApiType.OPEN_API && !authConfigs.isAuthEnabled()) {
-                    return null;
+                if (Loggers.AUTH.isDebugEnabled()) {
+                    Loggers.AUTH.debug("auth start, request: {}", request.getClass().getSimpleName());
+                }
+                ServerIdentityResult identityResult = protocolAuthService.checkServerIdentity(request, secured);
+                switch (identityResult.getStatus()) {
+                    case FAIL:
+                        Response defaultResponseInstance = getDefaultResponseInstance(handlerClazz);
+                        defaultResponseInstance.setErrorInfo(NacosException.NO_RIGHT, identityResult.getMessage());
+                        return defaultResponseInstance;
+                    case MATCHED:
+                        return null;
+                    default:
+                        break;
                 }
                 if (!protocolAuthService.enableAuth(secured)) {
                     return null;
@@ -113,7 +119,6 @@ public Response filter(Request request, RequestMeta meta, Class handlerClazz) th
             return defaultResponseInstance;
         } catch (Exception e) {
             Response defaultResponseInstance = getDefaultResponseInstance(handlerClazz);
-
             defaultResponseInstance.setErrorInfo(NacosException.SERVER_ERROR, ExceptionUtil.getAllExceptionMsg(e));
             return defaultResponseInstance;
         }

diff --git a/core/src/main/java/com/alibaba/nacos/core/cluster/remote/MemberReportHandler.java b/core/src/main/java/com/alibaba/nacos/core/cluster/remote/MemberReportHandler.java
@@ -21,6 +21,7 @@
 import com.alibaba.nacos.api.exception.NacosException;
 import com.alibaba.nacos.api.remote.RemoteConstants;
 import com.alibaba.nacos.api.remote.request.RequestMeta;
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.common.utils.LoggerUtils;
 import com.alibaba.nacos.core.cluster.Member;
 import com.alibaba.nacos.core.cluster.NodeState;
@@ -30,6 +31,8 @@
 import com.alibaba.nacos.core.remote.RequestHandler;
 import com.alibaba.nacos.core.remote.grpc.InvokeSource;
 import com.alibaba.nacos.core.utils.Loggers;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import org.springframework.stereotype.Component;
 
 /**
@@ -48,6 +51,7 @@ public MemberReportHandler(ServerMemberManager memberManager) {
     }
 
     @Override
+    @Secured(resource = "report", signType = SignType.SPECIFIED, apiType = ApiType.INNER_API)
     public MemberReportResponse handle(MemberReportRequest request, RequestMeta meta) throws NacosException {
         Member node = request.getNode();
         if (!node.check()) {

diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/core/ServerLoaderInfoRequestHandler.java b/core/src/main/java/com/alibaba/nacos/core/remote/core/ServerLoaderInfoRequestHandler.java
@@ -21,9 +21,12 @@
 import com.alibaba.nacos.api.remote.request.RequestMeta;
 import com.alibaba.nacos.api.remote.request.ServerLoaderInfoRequest;
 import com.alibaba.nacos.api.remote.response.ServerLoaderInfoResponse;
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.core.remote.ConnectionManager;
 import com.alibaba.nacos.core.remote.RequestHandler;
 import com.alibaba.nacos.core.remote.grpc.InvokeSource;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import com.alibaba.nacos.sys.env.EnvUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -45,6 +48,7 @@ public class ServerLoaderInfoRequestHandler extends RequestHandler<ServerLoaderI
     private ConnectionManager connectionManager;
 
     @Override
+    @Secured(resource = "serverLoader", signType = SignType.SPECIFIED, apiType = ApiType.INNER_API)
     public ServerLoaderInfoResponse handle(ServerLoaderInfoRequest request, RequestMeta meta) throws NacosException {
         ServerLoaderInfoResponse serverLoaderInfoResponse = new ServerLoaderInfoResponse();
         serverLoaderInfoResponse.putMetricsValue("conCount", String.valueOf(connectionManager.currentClientsCount()));

diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/core/ServerReloaderRequestHandler.java b/core/src/main/java/com/alibaba/nacos/core/remote/core/ServerReloaderRequestHandler.java
@@ -21,11 +21,14 @@
 import com.alibaba.nacos.api.remote.request.RequestMeta;
 import com.alibaba.nacos.api.remote.request.ServerReloadRequest;
 import com.alibaba.nacos.api.remote.response.ServerReloadResponse;
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.core.remote.ConnectionManager;
 import com.alibaba.nacos.core.remote.RequestHandler;
 import com.alibaba.nacos.core.remote.grpc.InvokeSource;
 import com.alibaba.nacos.core.utils.Loggers;
 import com.alibaba.nacos.core.utils.RemoteUtils;
+import com.alibaba.nacos.plugin.auth.constant.ApiType;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -46,6 +49,7 @@ public class ServerReloaderRequestHandler extends RequestHandler<ServerReloadReq
     private ConnectionManager connectionManager;
 
     @Override
+    @Secured(resource = "serverReload", signType = SignType.SPECIFIED, apiType = ApiType.INNER_API)
     public ServerReloadResponse handle(ServerReloadRequest request, RequestMeta meta) throws NacosException {
         ServerReloadResponse response = new ServerReloadResponse();
         Loggers.REMOTE.info("server reload request receive,reload count={},redirectServer={},requestIp={}",