序
本文主要研究一下 dubbo-go 的 ProviderAuthFilter
ProviderAuthFilter
dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go
// ProviderAuthFilter is the provider-side authentication filter. It carries
// no state of its own; its behaviour lives in the Invoke and OnResponse
// methods.
type ProviderAuthFilter struct{}
// init registers getProviderAuthFilter with the extension registry under the
// name constant.PROVIDER_AUTH_FILTER.
func init() {
	extension.SetFilter(constant.PROVIDER_AUTH_FILTER, getProviderAuthFilter)
}
- ProviderAuthFilter 的 init 方法通过 extension.SetFilter 注册了 getProviderAuthFilter,key 为 constant.PROVIDER_AUTH_FILTER
getProviderAuthFilter
dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go
// getProviderAuthFilter is the factory handed to extension.SetFilter; every
// call returns a freshly allocated *ProviderAuthFilter as a filter.Filter.
func getProviderAuthFilter() filter.Filter {
	return &ProviderAuthFilter{}
}
- getProviderAuthFilter 实例化了 ProviderAuthFilter
Invoke
dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go
// Invoke runs provider-side authentication before handing the call to the
// wrapped invoker.
//
// It reads the URL from invoker, lets doAuthWork select an authenticator and
// calls Authenticate(invocation, &url) on it. When that yields an error the
// request is rejected: the error is logged, returned inside a
// protocol.RPCResult, and invoker.Invoke is never reached. With a nil error
// the call is forwarded unchanged.
func (paf *ProviderAuthFilter) Invoke(ctx context.Context, invoker protocol.Invoker, invocation protocol.Invocation) protocol.Result {
	logger.Infof("invoking providerAuth filter.")

	url := invoker.GetUrl()
	verify := func(a filter.Authenticator) error {
		return a.Authenticate(invocation, &url)
	}

	if err := doAuthWork(&url, verify); err != nil {
		// NOTE(review): the rejection is logged at Info level and formats the
		// whole invocation with %v. Presumably that includes its attachments
		// (access key id, signature) — confirm what ends up in the log, and
		// whether authentication failures should be logged at a level that
		// monitoring actually watches.
		logger.Infof("auth the request: %v occur exception, cause: %s", invocation, err.Error())
		return &protocol.RPCResult{Err: err}
	}

	return invoker.Invoke(ctx, invocation)
}
- Invoke 方法通过 doAuthWork 来进行 auth,其传递的 func 执行 authenticator.Authenticate(invocation, &url);如果返回 err,则记录日志并直接返回携带该 err 的 RPCResult,不再调用 invoker.Invoke,否则继续执行 invoker.Invoke(ctx, invocation)
OnResponse
dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go
// OnResponse is a pass-through: it hands back result untouched and ignores
// ctx, invoker and invocation.
func (paf *ProviderAuthFilter) OnResponse(ctx context.Context, result protocol.Result, invoker protocol.Invoker, invocation protocol.Invocation) protocol.Result {
	return result
}
- OnResponse 方法直接返回 result
doAuthWork
dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go
// doAuthWork decides whether authentication applies to url and, if so, runs
// do with the configured authenticator.
//
// Authentication is opt-in: constant.SERVICE_AUTH_KEY is read with a default
// of false, so a URL that does not carry the parameter is accepted without
// any check and nil is returned. When it is enabled, the authenticator is
// looked up by the name stored under constant.AUTHENTICATOR_KEY (falling back
// to constant.DEFAULT_AUTHENTICATOR) and the result of do is returned as is.
func doAuthWork(url *common.URL, do func(filter.Authenticator) error) error {
	if !url.GetParamBool(constant.SERVICE_AUTH_KEY, false) {
		return nil
	}

	name := url.GetParam(constant.AUTHENTICATOR_KEY, constant.DEFAULT_AUTHENTICATOR)
	// NOTE(review): the value from extension.GetAuthenticator is passed on
	// without a check; what it does for an unregistered name is not visible
	// here — confirm it cannot hand back a nil Authenticator.
	return do(extension.GetAuthenticator(name))
}
- doAuthWork 方法先从 url 读取 constant.SERVICE_AUTH_KEY 判断是否需要 auth(默认值为 false,即未配置时不做任何校验,直接返回 nil),需要的话,则根据 constant.AUTHENTICATOR_KEY 获取 authenticator(默认为 constant.DEFAULT_AUTHENTICATOR),执行 do(authenticator)
Authenticate
dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go
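// Authenticate verifies the signature a consumer attached to invocation.
//
// It reads the access key id, request timestamp, signature and consumer name
// from the invocation attachments and rejects the request if any of them is
// empty. It then loads the access key pair via getAccessKeyPair, recomputes
// the signature with getSignature using the pair's SecretKey and the supplied
// timestamp, and compares the result with the attached signature.
//
// It returns nil when the signatures match, and a non-nil error when an
// attachment is missing, the key pair cannot be loaded, getSignature fails,
// or the signatures differ.
func (authenticator *DefaultAuthenticator) Authenticate(invocation protocol.Invocation, url *common.URL) error {
	accessKeyID := invocation.AttachmentsByKey(constant.AK_KEY, "")
	requestTimestamp := invocation.AttachmentsByKey(constant.REQUEST_TIMESTAMP_KEY, "")
	originSignature := invocation.AttachmentsByKey(constant.REQUEST_SIGNATURE_KEY, "")
	consumer := invocation.AttachmentsByKey(constant.CONSUMER, "")
	if IsEmpty(accessKeyID, false) || IsEmpty(consumer, false) ||
		IsEmpty(requestTimestamp, false) || IsEmpty(originSignature, false) {
		return errors.New("failed to authenticate your ak/sk, maybe the consumer has not enabled the auth")
	}

	// NOTE(review): requestTimestamp is only checked for presence. No
	// freshness window or nonce check is visible in this function, so whether
	// a captured, validly signed request is rejected on replay depends on code
	// not shown here — confirm.

	accessKeyPair, err := getAccessKeyPair(invocation, url)
	if err != nil {
		// The underlying cause is deliberately not included in the returned
		// message, matching the original behaviour.
		return errors.New("failed to authenticate , can't load the accessKeyPair")
	}

	computeSignature, err := getSignature(url, invocation, accessKeyPair.SecretKey, requestTimestamp)
	if err != nil {
		return err
	}

	// Compare the two signatures without stopping at the first differing
	// byte. A plain == can return early, so its running time may reveal how
	// long a prefix of a guessed signature is correct. This loop does the same
	// job as crypto/subtle.ConstantTimeCompare; prefer that function (or
	// crypto/hmac.Equal) once the file's import block can be extended.
	if len(computeSignature) != len(originSignature) {
		return errors.New("failed to authenticate, signature is not correct")
	}
	var diff byte
	for i := 0; i < len(computeSignature); i++ {
		diff |= computeSignature[i] ^ originSignature[i]
	}
	if diff != 0 {
		return errors.New("failed to authenticate, signature is not correct")
	}
	return nil
}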
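- Authenticate 方法从 invocation 的 attachment 获取 accessKeyId、requestTimestamp、originSignature 及 consumer,任一为空则直接返回 error;然后通过 getAccessKeyPair 从 accesskeyStorage.GetAccessKeyPair 获取 accessKeyPair,之后通过 getSignature 计算 signature,然后比较 computeSignature 与 originSignature 是否一样,不一样则返回 error。需要注意:这里对 requestTimestamp 只做了非空判断,这段代码里看不到对时间戳有效期的校验;另外签名比较属于安全敏感操作,宜采用常量时间比较(如 crypto/subtle.ConstantTimeCompare)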
小结
ProviderAuthFilter 的 Invoke 方法通过 doAuthWork 来进行 auth,其传递的 func 执行 authenticator.Authenticate(invocation, &url)
doc
- provider_auth