generic类型制品支持S3协议获取 #1296

src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/api/ServiceUserClient.kt

@@ -92,4 +92,10 @@ interface ServiceUserClient {
     fun userInfoById(
         @PathVariable uid: String
     ): Response<UserInfo?>
+
+    @ApiOperation("获取用户pwd ")
+    @GetMapping("/userpwd/{uid}")
+    fun userPwdById(
+        @PathVariable uid: String
+    ): Response<String?>
 }

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceUserController.kt

@@ -69,4 +69,8 @@ class ServiceUserController @Autowired constructor(
     override fun userInfoById(uid: String): Response<UserInfo?> {
         return ResponseBuilder.success(userService.getUserInfoById(uid))
     }
+
+    override fun userPwdById(uid: String): Response<String?> {
+        return ResponseBuilder.success(userService.getUserPwdById(uid))
+    }
 }

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/UserService.kt

@@ -79,6 +79,8 @@ interface UserService {
 
     fun getUserInfoById(userId: String): UserInfo?
 
+    fun getUserPwdById(userId: String): String?
+
     fun updatePassword(userId: String, oldPwd: String, newPwd: String): Boolean
 
     fun resetPassword(userId: String): Boolean

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt

@@ -371,6 +371,11 @@ class UserServiceImpl constructor(
         return UserRequestUtil.convToUserInfo(tUser)
     }
 
+    override fun getUserPwdById(userId: String): String? {
+        val tUser = userRepository.findFirstByUserId(userId) ?: return null
+        return tUser.pwd
+    }
+
     override fun updatePassword(userId: String, oldPwd: String, newPwd: String): Boolean {
         val query = UserQueryHelper.getUserByIdAndPwd(userId, oldPwd)
         val user = mongoTemplate.find(query, TUser::class.java)

src/backend/buildSrc/src/main/kotlin/Versions.kt

@@ -66,4 +66,5 @@ object Versions {
     const val Jasypt = "3.0.5"
     const val CryptoJavaSdk = "1.1.0"
     const val IamJavaSdk = "1.0.30-SNAPSHOT"
+    const val dom4j = "2.1.0"
 }

src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/constant/Constants.kt

@@ -99,6 +99,7 @@ const val BEARER_AUTH_PREFIX = "Bearer "
 const val AUTH_HEADER_UID = "X-BKREPO-UID"
 const val OAUTH_AUTH_PREFIX = "Oauth "
 const val TEMPORARY_TOKEN_AUTH_PREFIX = "Temporary "
+const val AWS4_AUTH_PREFIX = "AWS4-HMAC-SHA256 "
 
 /**
  * micro service header user id key

src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/constant/S3MessageCode.kt

@@ -0,0 +1,44 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.common.api.constant
+
+
+enum class S3MessageCode(private val code: String, private val message: String){
+
+    S3_NO_SUCH_KEY("NoSuchKey", "The specified key does not exist."),
+    S3_NO_SUCH_BUCKET("NoSuchBucket", "The specified bucket does not exist."),
+    S3_NO_AUTHORIZED("SignatureDoesNotMatch", "The Signature you specified is invalid."),
+    ;
+
+    fun getMessage() = message
+    fun getCode() = code
+}

src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/exception/AWS4AuthenticationException.kt

@@ -0,0 +1,52 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.common.api.exception
+
+import com.tencent.bkrepo.common.api.constant.HttpStatus
+import com.tencent.bkrepo.common.api.constant.S3MessageCode
+import com.tencent.bkrepo.common.api.exception.ErrorCodeException
+import com.tencent.bkrepo.common.api.message.CommonMessageCode
+import com.tencent.bkrepo.common.api.message.MessageCode
+import java.lang.RuntimeException
+
+/**
+ * WAS4认证异常, 403错误
+ */
+open class AWS4AuthenticationException(
+    val status: HttpStatus = HttpStatus.FORBIDDEN,
+    val messageCode: S3MessageCode = S3MessageCode.S3_NO_AUTHORIZED,
+    vararg var params: Any
+) : RuntimeException() {
+    fun getFirstParam(): String? {
+        return params?.first()?.toString()
+    }
+}

src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/exception/S3NotFoundException.kt

@@ -0,0 +1,52 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.common.api.exception
+
+import com.tencent.bkrepo.common.api.constant.HttpStatus
+import com.tencent.bkrepo.common.api.constant.S3MessageCode
+import com.tencent.bkrepo.common.api.exception.ErrorCodeException
+import com.tencent.bkrepo.common.api.message.CommonMessageCode
+import com.tencent.bkrepo.common.api.message.MessageCode
+import java.lang.RuntimeException
+
+/**
+ * s3请求，比如key不存在异常
+ */
+open class S3NotFoundException(
+    val status: HttpStatus = HttpStatus.NOT_FOUND,
+    val messageCode: S3MessageCode = S3MessageCode.S3_NO_SUCH_KEY,
+    vararg var params: Any
+) : RuntimeException() {
+    fun getFirstParam(): String? {
+        return params?.first()?.toString()
+    }
+}

src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/HttpAuthSecurityConfiguration.kt

@@ -32,6 +32,7 @@
 package com.tencent.bkrepo.common.security.http
 
 import com.tencent.bkrepo.common.security.crypto.CryptoProperties
+import com.tencent.bkrepo.common.security.http.aws4.AWS4AuthHandler
 import com.tencent.bkrepo.common.security.http.basic.BasicAuthHandler
 import com.tencent.bkrepo.common.security.http.core.HttpAuthInterceptor
 import com.tencent.bkrepo.common.security.http.core.HttpAuthSecurity
@@ -118,5 +119,8 @@ class HttpAuthSecurityConfiguration(
         if (httpAuthSecurity.signAuthEnabled) {
             httpAuthSecurity.addHttpAuthHandler(SignAuthHandler(authenticationManager, httpAuthSecurity))
         }
+        if (httpAuthSecurity.AWS4AuthEnabled) {
+            httpAuthSecurity.addHttpAuthHandler(AWS4AuthHandler(authenticationManager))
+        }
     }
 }

src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/aws4/AWS4AuthCredentials.kt

@@ -0,0 +1,49 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.common.security.http.aws4
+
+import com.tencent.bkrepo.common.security.http.credentials.HttpAuthCredentials
+
+/**
+ * Http AWS4认证信息
+ */
+data class AWS4AuthCredentials(
+    var authorization: String,
+    var accessKeyId: String,
+    var secretAccessKey: String,
+    var requestDate: String,
+    var contentHash: String,
+    var uri: String,
+    var host: String,
+    var queryString: String,
+    var method: String
+) : HttpAuthCredentials

src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/aws4/AWS4AuthHandler.kt

@@ -0,0 +1,110 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2020 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tencent.bkrepo.common.security.http.aws4
+
+import com.tencent.bkrepo.common.api.constant.AWS4_AUTH_PREFIX
+import com.tencent.bkrepo.common.api.constant.HttpHeaders
+import com.tencent.bkrepo.common.api.constant.HttpStatus
+import com.tencent.bkrepo.common.api.constant.S3MessageCode
+import com.tencent.bkrepo.common.security.util.AWS4AuthUtil
+import com.tencent.bkrepo.common.api.exception.AWS4AuthenticationException
+import com.tencent.bkrepo.common.artifact.api.ArtifactInfo
+import com.tencent.bkrepo.common.artifact.constant.ARTIFACT_INFO_KEY
+import com.tencent.bkrepo.common.security.http.core.HttpAuthHandler
+import com.tencent.bkrepo.common.security.http.credentials.AnonymousCredentials
+import com.tencent.bkrepo.common.security.http.credentials.HttpAuthCredentials
+import com.tencent.bkrepo.common.security.manager.AuthenticationManager
+import javax.servlet.http.HttpServletRequest
+
+/**
+ * AWS4 Http 认证方式
+ */
+open class AWS4AuthHandler(val authenticationManager: AuthenticationManager) : HttpAuthHandler {
+
+    override fun extractAuthCredentials(request: HttpServletRequest): HttpAuthCredentials {
+        val authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION).orEmpty()
+        return if (authorizationHeader.startsWith(AWS4_AUTH_PREFIX)) {
+            try {
+                /**
+                 * WAS4认证，请求头中只知道accessKey(即用户名),没法知道SecretKey(即密码)，
+                 * 用用户名去db中查出密码来，用客户端同样的算法计算签名，
+                 * 如果计算的签名与传进来的签名一样，则认证通过
+                 */
+                var userName = AWS4AuthUtil.getAccessKey(authorizationHeader)
+                var password: String? = authenticationManager.findUserPwd(userName) ?: throw AWS4AuthenticationException()
+                buildAWS4AuthorizationInfo(request, userName, password!!)
+            } catch (exception: Exception) {
+                // 认证异常处理
+                throw AWS4AuthenticationException(
+                    HttpStatus.FORBIDDEN,
+                    S3MessageCode.S3_NO_AUTHORIZED,
+                    request.requestURI.split("?").toTypedArray()[0]
+                        .substringAfter("/", "").substringAfter("/")
+                )
+            }
+        } else AnonymousCredentials()
+    }
+
+    @Throws(AWS4AuthenticationException::class)
+    override fun onAuthenticate(request: HttpServletRequest, authCredentials: HttpAuthCredentials): String {
+        require(authCredentials is AWS4AuthCredentials)
+        var flag = AWS4AuthUtil.validAuthorization(authCredentials)
+        if (flag) {
+            return authCredentials.accessKeyId
+        }
+        return if (flag) authCredentials.accessKeyId else throw AWS4AuthenticationException(
+            HttpStatus.FORBIDDEN,
+            S3MessageCode.S3_NO_AUTHORIZED,
+            request.requestURI.split("?").toTypedArray()[0]
+                .substringAfter("/", "").substringAfter("/")
+        )
+    }
+
+    private fun buildAWS4AuthorizationInfo(
+        request: HttpServletRequest,
+        accessKeyId: String,
+        secretAccessKey: String
+    ): AWS4AuthCredentials {
+        return AWS4AuthCredentials(
+            authorization = request.getHeader("Authorization"),
+            accessKeyId = accessKeyId,
+            secretAccessKey = secretAccessKey,
+            requestDate = request.getHeader("x-amz-date"),
+            contentHash = request.getHeader("x-amz-content-sha256"),
+            uri = request.requestURI.split("?").toTypedArray()[0],
+            host = request.getHeader("host"),
+            queryString = request.queryString ?: "",
+            method = request.method
+        )
+    }
+
+}