本文次要钻研一下dubbo-go的ProviderAuthFilter

ProviderAuthFilter

dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go

type ProviderAuthFilter struct {}func init() {    extension.SetFilter(constant.PROVIDER_AUTH_FILTER, getProviderAuthFilter)}
  • ProviderAuthFilter的init办法设置了getProviderAuthFilter

getProviderAuthFilter

dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go

func getProviderAuthFilter() filter.Filter {    return &ProviderAuthFilter{}}
  • getProviderAuthFilter实例化了ProviderAuthFilter

Invoke

dubbo-go-v1.4.2/filter/filter_impl/auth/provider_auth.go

func (paf *ProviderAuthFilter) Invoke(ctx context.Context, invoker protocol.Invoker, invocation protocol.Invocation) protocol.Result {    logger.Infof("invoking providerAuth filter.")    url := invoker.GetUrl()    err := doAuthWork(&url, func(authenticator filter.Authenticator) error {        return authenticator.Authenticate(invocation, &url)    })    if err != nil {        logger.Infof("auth the request: %v occur exception, cause: %s", invocation, err.Error())        return &protocol.RPCResult{            Err: err,        }    }    return invoker.Invoke(ctx, invocation)}
  • Invoke办法通过doAuthWork来进行auth,其传递的func执行authenticator.Authenticate(invocation, &url)

OnResponse

dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go

func (paf *ProviderAuthFilter) OnResponse(ctx context.Context, result protocol.Result, invoker protocol.Invoker, invocation protocol.Invocation) protocol.Result {    return result}
  • OnResponse办法间接返回result

doAuthWork

dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go

func doAuthWork(url *common.URL, do func(filter.Authenticator) error) error {    shouldAuth := url.GetParamBool(constant.SERVICE_AUTH_KEY, false)    if shouldAuth {        authenticator := extension.GetAuthenticator(url.GetParam(constant.AUTHENTICATOR_KEY, constant.DEFAULT_AUTHENTICATOR))        return do(authenticator)    }    return nil}
  • doAuthWork办法先从url读取constant.SERVICE_AUTH_KEY判断是否须要auth,需要的话,则获取authenticator,执行do(authenticator)

Authenticate

dubbo-go-v1.4.2/filter/filter_impl/auth/default_authenticator.go

func (authenticator *DefaultAuthenticator) Authenticate(invocation protocol.Invocation, url *common.URL) error {    accessKeyId := invocation.AttachmentsByKey(constant.AK_KEY, "")    requestTimestamp := invocation.AttachmentsByKey(constant.REQUEST_TIMESTAMP_KEY, "")    originSignature := invocation.AttachmentsByKey(constant.REQUEST_SIGNATURE_KEY, "")    consumer := invocation.AttachmentsByKey(constant.CONSUMER, "")    if IsEmpty(accessKeyId, false) || IsEmpty(consumer, false) ||        IsEmpty(requestTimestamp, false) || IsEmpty(originSignature, false) {        return errors.New("failed to authenticate your ak/sk, maybe the consumer has not enabled the auth")    }    accessKeyPair, err := getAccessKeyPair(invocation, url)    if err != nil {        return errors.New("failed to authenticate , can't load the accessKeyPair")    }    computeSignature, err := getSignature(url, invocation, accessKeyPair.SecretKey, requestTimestamp)    if err != nil {        return err    }    if success := computeSignature == originSignature; !success {        return errors.New("failed to authenticate, signature is not correct")    }    return nil}
  • Authenticate办法从invocation的attachment获取requestTimestamp及originSignature,而后通过getAccessKeyPair从accesskeyStorage.GetAccessKeyPair获取accessKeyPair,之后通过getSignature计算signature,而后比照computeSignature与originSignature是否一样,不一样则返回error

小结

ProviderAuthFilter的Invoke办法通过doAuthWork来进行auth,其传递的func执行authenticator.Authenticate(invocation, &url)

doc

  • provider_auth