From ae909556ce6a7efb5d3726da0ca44f56f56a0bbd Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Fri, 19 Jan 2024 19:52:42 +0800 Subject: [PATCH 01/23] chore(server): update swagger info for default server profile --- .../main/java/org/apache/hugegraph/api/profile/ProfileAPI.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java index c28b4878bf..8e9eaad1c3 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java @@ -55,6 +55,7 @@ public class ProfileAPI { private static final String SERVICE = "hugegraph"; private static final String DOC = "https://hugegraph.apache.org/docs/"; private static final String API_DOC = DOC + "clients/"; + private static final String SWAGGER_UI = "http://{ip/domain}:{port}/swagger-ui/index.html#/"; private static String SERVER_PROFILES = null; private static String API_PROFILES = null; @@ -73,6 +74,7 @@ public String getProfile(@Context Application application) { profiles.put("version", CoreVersion.VERSION.toString()); profiles.put("doc", DOC); profiles.put("api_doc", API_DOC); + profiles.put("swagger_ui", SWAGGER_UI); Set apis = new TreeSet<>(); for (Class clazz : application.getClasses()) { if (!isAnnotatedPathClass(clazz)) { From bb67693a8ed3b15ae0b4c5a7f24095210cedd57a Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Fri, 19 Jan 2024 19:54:11 +0800 Subject: [PATCH 02/23] chore(server): update swagger info for default server profile --- .../main/java/org/apache/hugegraph/api/profile/ProfileAPI.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java index 8e9eaad1c3..379e814dbd 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java @@ -55,7 +55,7 @@ public class ProfileAPI { private static final String SERVICE = "hugegraph"; private static final String DOC = "https://hugegraph.apache.org/docs/"; private static final String API_DOC = DOC + "clients/"; - private static final String SWAGGER_UI = "http://{ip/domain}:{port}/swagger-ui/index.html#/"; + private static final String SWAGGER_UI = "http://{domain/ip}:{port}/swagger-ui/index.html#/"; private static String SERVER_PROFILES = null; private static String API_PROFILES = null; From 13f916fdc5ddc6931eea7313b7631bb01aa7d491 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Sat, 27 Jan 2024 22:00:25 +0800 Subject: [PATCH 03/23] fix(server): arthas default bind ip should not be 0.0.0.0 --- .../main/java/org/apache/hugegraph/config/ServerOptions.java | 2 +- .../src/assembly/static/conf/rest-server.properties | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java index a8bbe5a5f2..a8d0dab92a 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java 
@@ -294,7 +294,7 @@ public static synchronized ServerOptions instance() { "arthas.ip", "The IP provided by Arthas, it can be accessible from the outside.", disallowEmpty(), - "0.0.0.0" + "127.0.0.1" ); public static final ConfigOption ARTHAS_DISABLED_COMMANDS = diff --git a/hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties b/hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties index 23f78c5824..b67905fc19 100644 --- a/hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties +++ b/hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties @@ -12,7 +12,7 @@ batch.max_write_threads=0 # configuration of arthas arthas.telnet_port=8562 arthas.http_port=8561 -arthas.ip=0.0.0.0 +arthas.ip=127.0.0.1 arthas.disabled_commands=jad # authentication configs From 2519b393216acd83ef2065d943c9b62672dc8bb1 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Sat, 27 Jan 2024 22:12:17 +0800 Subject: [PATCH 04/23] fix(server): arthas default bind ip should not be 0.0.0.0 --- .../main/java/org/apache/hugegraph/api/profile/ProfileAPI.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java index 379e814dbd..c28b4878bf 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/profile/ProfileAPI.java 
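Review bot: The option description on the context line just above the changed default still reads "it can be accessible from the outside", which no longer matches a 127.0.0.1 default and will mislead anyone reading the option's help text into thinking the Arthas ports are reachable remotely by default. Suggest `"The IP Arthas binds to; defaults to loopback (127.0.0.1) so the diagnostic ports are not exposed, set a non-loopback address only on a trusted network."`. The identical hunk reappears in PATCH 05/23 and would need the same wording, and the `rest-server.properties` hunk could carry a matching `# bind Arthas to loopback only` comment next to the new value. The `ConfigOption` declaration this belongs to starts above the hunk.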
@@ -55,7 +55,6 @@ public class ProfileAPI { private static final String SERVICE = "hugegraph"; private static final String DOC = "https://hugegraph.apache.org/docs/"; private static final String API_DOC = DOC + "clients/"; - private static final String SWAGGER_UI = "http://{domain/ip}:{port}/swagger-ui/index.html#/"; private static String SERVER_PROFILES = null; private static String API_PROFILES = null; @@ -74,7 +73,6 @@ public String getProfile(@Context Application application) { profiles.put("version", CoreVersion.VERSION.toString()); profiles.put("doc", DOC); profiles.put("api_doc", API_DOC); - profiles.put("swagger_ui", SWAGGER_UI); Set apis = new TreeSet<>(); for (Class clazz : application.getClasses()) { if (!isAnnotatedPathClass(clazz)) { From 7d75e0db3d7cfb33439bd6833d1736ac623c72af Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 21 Feb 2024 21:56:18 +0800 Subject: [PATCH 05/23] fix(server): fix the bug which promtheus cant collect hg metric --- .../main/java/org/apache/hugegraph/config/ServerOptions.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java index b46735c8f0..63da169c99 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java @@ -294,7 +294,7 @@ public static synchronized ServerOptions instance() { "arthas.ip", "The IP provided by Arthas, it can be accessible from the outside.", disallowEmpty(), - "0.0.0.0" + "127.0.0.1" ); public static final ConfigOption ARTHAS_DISABLED_COMMANDS = From 552dcb8afeb391caa220d4d0d4861dabda27ad49 Mon Sep 17 00:00:00 2001 
From: 1289220708 <1289220708@qq.com> Date: Tue, 27 Feb 2024 22:45:47 +0800 Subject: [PATCH 06/23] fix(server): fix the arthas default bind ip to 127.0.0.1 --- .../main/java/org/apache/hugegraph/api/ArthasApiTest.java | 7 ------- 1 file changed, 7 deletions(-) diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java index d79fa772b5..7bdfa3ee1f 100644 --- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java +++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java @@ -43,16 +43,9 @@ public void testArthasApi() { " \"command\": \"version\"\n" + "}"; RestClient arthasApiClient = new RestClient(ARTHAS_API_BASE_URL, false); - // If the request header contains basic auth, - // and if we are not set auth when arthas attach hg, arthas will auth it and return 401. - // ref:https://arthas.aliyun.com/en/doc/auth.html#configure-username-and-password Response r = arthasApiClient.post(ARTHAS_API_PATH, body); String result = assertResponseStatus(200, r); assertJsonContains(result, "state"); assertJsonContains(result, "body"); - - RestClient arthasApiClientWithAuth = new RestClient(ARTHAS_API_BASE_URL); - r = arthasApiClientWithAuth.post(ARTHAS_API_PATH, body); - assertResponseStatus(401, r); } } From ba74aaafb9c265087aba267b92472a5ba1481403 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Sun, 3 Mar 2024 21:50:28 +0800 Subject: [PATCH 07/23] fix(server): clear auth context (TLS) after req done --- .../java/org/apache/hugegraph/api/filter/AccessLogFilter.java | 4 ++++ .../java/org/apache/hugegraph/auth/HugeAuthenticator.java | 1 - .../java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index 7a4a9b97d7..2a80f18cff 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -26,6 +26,7 @@ import java.io.IOException; import java.net.URI; +import org.apache.hugegraph.auth.HugeGraphAuthProxy; import org.apache.hugegraph.config.HugeConfig; import org.apache.hugegraph.config.ServerOptions; import org.apache.hugegraph.metrics.MetricsUtil; @@ -114,6 +115,9 @@ public void filter(ContainerRequestContext requestContext, executeTime, null, method, path, uri.getQuery()); } } + + // request thread multiplex will not clear TLS, need release the context + HugeGraphAuthProxy.resetContext(); } private boolean statusOk(int status) { diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java index 1e67680953..48cf0ae2aa 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java @@ -105,7 +105,6 @@ default User authenticate(final Map credentials) HugeGraphAuthProxy.logUser(user, credentials.get(KEY_PATH)); /* * Set authentication context - * TODO: unset context after finishing a request */ HugeGraphAuthProxy.setContext(new Context(user)); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java index 796c38c320..3d46a04293 100644 
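Review bot: `HugeGraphAuthProxy.resetContext()` is appended as the last statement of `filter`, so it only runs when everything above it completes; an exception while building the access-log entry, or any early return earlier in the method (its body starts outside the hunk), leaves the authenticated `Context` in the thread-local for the next request served by that pooled thread, which is exactly the leak this commit sets out to close. Make the reset unconditional by wrapping the body in `try { … } finally { HugeGraphAuthProxy.resetContext(); }`, or call it as the first statement before any logging. A response filter is also a late point to clear auth state; if a dedicated lowest-priority filter exists or can be added, the clean-up would not depend on logging code at all.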
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java @@ -1818,7 +1818,7 @@ protected static Context setContext(Context context) { return old; } - protected static void resetContext() { + public static void resetContext() { CONTEXTS.remove(); } From 4f7fc0f3028e6caf0dc6dd424b5edb1140970991 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Sun, 3 Mar 2024 21:52:38 +0800 Subject: [PATCH 08/23] fix(server): clear auth context (TLS) after req done --- .../java/org/apache/hugegraph/api/filter/AccessLogFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index 2a80f18cff..2f248253f0 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -116,7 +116,7 @@ public void filter(ContainerRequestContext requestContext, } } - // request thread multiplex will not clear TLS, need release the context + // Release the context HugeGraphAuthProxy.resetContext(); } From 43288d9f6f2e1fd42dc0565fb52aedad6a63e266 Mon Sep 17 00:00:00 2001 From: "vaughn.zhang" Date: Fri, 19 Jan 2024 13:49:58 +0800 Subject: [PATCH 09/23] fix: security bug --- hugegraph-server/hugegraph-api/pom.xml | 6 ++++++ .../hugegraph/api/filter/AuthenticationFilter.java | 11 ++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index ce18f8d35c..ae687bff57 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml 
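Review bot: `resetContext` joins the class's public surface without a doc comment saying who is expected to call it and when, while `setContext` above it stays `protected`. Suggest a Javadoc above the method: `/** Clears the per-thread auth Context; called once per request (from AccessLogFilter) so pooled request threads do not carry a stale user into the next request. */`. The `CONTEXTS` thread-local it removes from is declared outside the hunk.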
@@ -164,6 +164,12 @@ arthas-packaging ${arthas.version} + + org.gridkit.jvmtool + sjk-core + 0.14 + compile + diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index fffe5ef9e5..494bd2eafe 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -41,6 +41,7 @@ import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException; import org.glassfish.grizzly.http.server.Request; import org.glassfish.grizzly.utils.Charsets; +import org.gridkit.jvmtool.cmd.AntPathMatcher; import org.slf4j.Logger; import com.alipay.remoting.util.StringUtils; @@ -71,10 +72,11 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); private static final List WHITE_API_LIST = ImmutableList.of( - "auth/login", - "versions", - "openapi.json" + "**/auth/login", + "**/versions", + "**/openapi.json" ); + private static final AntPathMatcher MATCHER = new AntPathMatcher(); private static String whiteIpStatus; @@ -314,9 +316,8 @@ public boolean equals(Object obj) { public static boolean isWhiteAPI(ContainerRequestContext context) { String path = context.getUriInfo().getPath(); - for (String whiteApi : WHITE_API_LIST) { - if (path.endsWith(whiteApi)) { + if (MATCHER.match(whiteApi, path)) { return true; } } From 6104ed692503293c7ac8d720f1ee8acb7254337b Mon Sep 17 00:00:00 2001 From: "vaughn.zhang" Date: Fri, 19 Jan 2024 14:52:17 +0800 Subject: [PATCH 10/23] improve --- hugegraph-server/hugegraph-api/pom.xml | 2 +- .../apache/hugegraph/api/filter/AuthenticationFilter.java | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
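Review bot: `org.gridkit.jvmtool.cmd.AntPathMatcher` is pulled in from `sjk-core`, a JVM diagnostics toolkit, as a `compile`-scope dependency of the API module just to match three paths; that adds an unrelated artifact and its transitive tree to the server's supply-chain surface for an `isWhiteAPI` check that can be written with `String.equals` plus a segment-aware suffix test. The new `**/auth/login`, `**/versions` and `**/openapi.json` patterns also whitelist those names at any depth, which is broader than a title of "fix: security bug" suggests; `graphs/{graph}/auth/login` is the only login route referenced elsewhere in this series, so a fixed set for `versions`/`openapi.json` and `path.equals(whiteApi) || path.endsWith("/" + whiteApi)` for login covers it without the library. Later patches in the series (10–12) appear to narrow the patterns and drop the dependency again; consider squashing so this intermediate state never lands on the branch. The closing lines of `isWhiteAPI` are outside the hunk.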
diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index ae687bff57..e13849d93a 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml @@ -167,7 +167,7 @@ org.gridkit.jvmtool sjk-core - 0.14 + 0.22 compile diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 494bd2eafe..8505d435dd 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -72,9 +72,9 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); private static final List WHITE_API_LIST = ImmutableList.of( - "**/auth/login", - "**/versions", - "**/openapi.json" + "graphs/*/auth/login", + "versions", + "openapi.json" ); private static final AntPathMatcher MATCHER = new AntPathMatcher(); From 906c0de45f55364db7cce33a90d1216981725532 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 6 Mar 2024 21:59:38 +0800 Subject: [PATCH 11/23] fix(server): white list change to fixed and flexable --- .../api/filter/AuthenticationFilter.java | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 8505d435dd..74508c6cff 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java 
@@ -41,11 +41,11 @@ import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException; import org.glassfish.grizzly.http.server.Request; import org.glassfish.grizzly.utils.Charsets; -import org.gridkit.jvmtool.cmd.AntPathMatcher; import org.slf4j.Logger; import com.alipay.remoting.util.StringUtils; import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; import jakarta.annotation.Priority; import jakarta.ws.rs.BadRequestException; @@ -71,12 +71,13 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); - private static final List WHITE_API_LIST = ImmutableList.of( - "graphs/*/auth/login", + private static final ImmutableSet FIXED_WHITE_API_SET = ImmutableSet.of( "versions", "openapi.json" ); - private static final AntPathMatcher MATCHER = new AntPathMatcher(); + private static final List FLEXIBLE_WHITE_API_LIST = ImmutableList.of( + "auth/login" + ); private static String whiteIpStatus; @@ -316,8 +317,11 @@ public boolean equals(Object obj) { public static boolean isWhiteAPI(ContainerRequestContext context) { String path = context.getUriInfo().getPath(); - for (String whiteApi : WHITE_API_LIST) { - if (MATCHER.match(whiteApi, path)) { + if (FIXED_WHITE_API_SET.contains(path)) { + return true; + } + for (String whiteApi : FLEXIBLE_WHITE_API_LIST) { + if (path.endsWith(whiteApi)) { return true; } } From 165b5c8d7828c93c50bff05c0f145ba998a172b8 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 6 Mar 2024 22:13:39 +0800 Subject: [PATCH 12/23] fix(server): white list change to fixed and flexable --- hugegraph-server/hugegraph-api/pom.xml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index e13849d93a..ee76df83e8 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml 
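Review bot: `path.endsWith(whiteApi)` on the flexible list matches a raw string suffix, not a path segment, so any resource whose path merely ends in `auth/login` (a segment such as `xauth/login`) would skip authentication; guard the segment boundary with `if (path.equals(whiteApi) || path.endsWith("/" + whiteApi))`. `FIXED_WHITE_API_SET.contains(path)` is exact and therefore fail-closed, which is the right direction for an auth bypass list. Declaring the field as `ImmutableSet` rather than `Set` leaks the Guava type into the declaration; `private static final Set<String> FIXED_WHITE_API_SET = ImmutableSet.of(...)` keeps the interface. The remainder of `isWhiteAPI` is outside the hunk.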
@@ -164,12 +164,6 @@ arthas-packaging ${arthas.version} - - org.gridkit.jvmtool - sjk-core - 0.22 - compile - @@ -194,7 +188,7 @@ - 0.71.0.0 + 0.70.0.0 From 7eeda250579510789207679f8ed58b1b17d9e34d Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 6 Mar 2024 22:33:09 +0800 Subject: [PATCH 13/23] fix(server): white list change to fixed and flexable --- hugegraph-server/hugegraph-api/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index ee76df83e8..ce18f8d35c 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml @@ -188,7 +188,7 @@ - 0.70.0.0 + 0.71.0.0 From 5aa1a409444c11d295a2369e733bed039ceebc07 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 6 Mar 2024 22:37:01 +0800 Subject: [PATCH 14/23] fix(server): white list change to fixed and flexable --- .../java/org/apache/hugegraph/api/filter/AccessLogFilter.java | 2 +- .../java/org/apache/hugegraph/auth/HugeAuthenticator.java | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index 2f248253f0..a741e4f520 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -116,7 +116,7 @@ public void filter(ContainerRequestContext requestContext, } } - // Release the context + //Unset the context in "HugeAuthenticator" HugeGraphAuthProxy.resetContext(); } 
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java index 48cf0ae2aa..c3b1248877 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java @@ -103,9 +103,7 @@ default User authenticate(final Map credentials) } HugeGraphAuthProxy.logUser(user, credentials.get(KEY_PATH)); - /* - * Set authentication context - */ + // Set authentication context & unset in AccessLogFilter HugeGraphAuthProxy.setContext(new Context(user)); return user; From 41459f593bd42f678f0a905a2c922c0023a485a7 Mon Sep 17 00:00:00 2001 From: imbajin Date: Fri, 8 Mar 2024 19:51:29 +0800 Subject: [PATCH 15/23] remove login from whiteList --- .../java/org/apache/hugegraph/api/auth/LoginAPI.java | 6 ++---- .../hugegraph/api/filter/AuthenticationFilter.java | 10 +++++----- .../java/org/apache/hugegraph/api/BaseApiTest.java | 7 +++---- .../java/org/apache/hugegraph/api/LoginApiTest.java | 12 ++++-------- 4 files changed, 14 insertions(+), 21 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/auth/LoginAPI.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/auth/LoginAPI.java index ba2ab3f4fe..74af573e39 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/auth/LoginAPI.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/auth/LoginAPI.java 
@@ -70,11 +70,9 @@ public String login(@Context GraphManager manager, @PathParam("graph") String gr checkCreatingBody(jsonLogin); try { - String token = manager.authManager() - .loginUser(jsonLogin.name, jsonLogin.password); + String token = manager.authManager().loginUser(jsonLogin.name, jsonLogin.password); HugeGraph g = graph(manager, graph); - return manager.serializer(g) - .writeMap(ImmutableMap.of("token", token)); + return manager.serializer(g).writeMap(ImmutableMap.of("token", token)); } catch (AuthenticationException e) { throw new NotAuthorizedException(e.getMessage(), e); } diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 74508c6cff..6aa19220b5 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -71,13 +71,12 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); - private static final ImmutableSet FIXED_WHITE_API_SET = ImmutableSet.of( + private static final Set FIXED_WHITE_API_SET = ImmutableSet.of( "versions", "openapi.json" ); - private static final List FLEXIBLE_WHITE_API_LIST = ImmutableList.of( - "auth/login" - ); + // Remove auth/login API from white list + private static final Set FLEXIBLE_WHITE_API_LIST = ImmutableSet.of(); private static String whiteIpStatus; @@ -95,7 +94,7 @@ public class AuthenticationFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext context) throws IOException { - if (AuthenticationFilter.isWhiteAPI(context)) { + if (isWhiteAPI(context)) { return; } User user = this.authenticate(context); 
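Review bot: `FLEXIBLE_WHITE_API_LIST` is now an empty `ImmutableSet` whose name still says `LIST`, and the `// Remove auth/login API from white list` comment records the edit rather than the rule the next maintainer needs. Suggest renaming it `FLEXIBLE_WHITE_API_SET` and a comment such as `// Suffix-matched white list; intentionally empty so that auth/login, like every other graph-scoped API, must present credentials` — hedged, since the intent is only implied by the commit title. With the set empty, the `for` loop in `isWhiteAPI` (outside this hunk) is dead code; either keep it with that comment as the documented extension point or remove it so a reader does not look for entries that no longer exist. The `filter` method continues outside the hunk.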
@@ -320,6 +319,7 @@ public static boolean isWhiteAPI(ContainerRequestContext context) { if (FIXED_WHITE_API_SET.contains(path)) { return true; } + for (String whiteApi : FLEXIBLE_WHITE_API_LIST) { if (path.endsWith(whiteApi)) { return true; diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/BaseApiTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/BaseApiTest.java index 43b8cdbd1a..4b6c0ed7f4 100644 --- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/BaseApiTest.java +++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/BaseApiTest.java @@ -101,8 +101,8 @@ public static RestClient newClient() { public static class RestClient { - private Client client; - private WebTarget target; + private final Client client; + private final WebTarget target; public RestClient(String url) { this(url, true); @@ -113,8 +113,7 @@ public RestClient(String url, Boolean enableAuth) { this.client.register(EncodingFilter.class); this.client.register(GZipEncoder.class); if (enableAuth) { - this.client.register(HttpAuthenticationFeature.basic(USERNAME, - PASSWORD)); + this.client.register(HttpAuthenticationFeature.basic(USERNAME, PASSWORD)); } this.target = this.client.target(url); } diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/LoginApiTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/LoginApiTest.java index b323efa361..e7e3455a45 100644 --- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/LoginApiTest.java +++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/LoginApiTest.java 
@@ -116,8 +116,7 @@ public void testVerify() { assertJsonContains(result, "user_name"); Map user = JsonUtil.fromJson(result, - new TypeReference>() { - }); + new TypeReference>() {}); Assert.assertEquals(this.userId4Test, user.get("user_id")); Assert.assertEquals("test", user.get("user_name")); @@ -140,8 +139,7 @@ public void testVerify() { private Response createUser(String name, String password) { String user = "{\"user_name\":\"%s\",\"user_password\":\"%s" + "\",\"user_email\":\"user1@baidu.com\"," + - "\"user_phone\":\"123456789\",\"user_avatar\":\"image1" + - ".jpg\"}"; + "\"user_phone\":\"123456789\",\"user_avatar\":\"image1.jpg\"}"; return this.client().post(USER_PATH, String.format(user, name, password)); } @@ -151,16 +149,14 @@ private Response deleteUser(String id) { private Response login(String name, String password) { String login = Paths.get(PATH, "login").toString(); - String loginUser = "{\"user_name\":\"%s\"," + - "\"user_password\":\"%s\"}"; + String loginUser = "{\"user_name\":\"%s\",\"user_password\":\"%s\"}"; return client().post(login, String.format(loginUser, name, password)); } private String tokenFromResponse(String content) { Map data = JsonUtil.fromJson(content, - new TypeReference>() { - }); + new TypeReference>() {}); return (String) data.get("token"); } } From 3643116c0376959e9b2f16021986cb6c205546f6 Mon Sep 17 00:00:00 2001 From: imbajin Date: Sat, 9 Mar 2024 21:07:09 +0800 Subject: [PATCH 16/23] Update AccessLogFilter.java --- .../java/org/apache/hugegraph/api/filter/AccessLogFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index a741e4f520..c4d4048ebb 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java 
+++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -116,7 +116,7 @@ public void filter(ContainerRequestContext requestContext, } } - //Unset the context in "HugeAuthenticator" + // Unset the context in "HugeAuthenticator", need distinguish Graph/Auth server lifecycle HugeGraphAuthProxy.resetContext(); } From 7484ab38a7adf42fe8931be1abd8cd438704e740 Mon Sep 17 00:00:00 2001 From: imbajin Date: Sat, 9 Mar 2024 21:10:38 +0800 Subject: [PATCH 17/23] Update AuthenticationFilter.java --- .../org/apache/hugegraph/api/filter/AuthenticationFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 7ebb225759..3faac4f8aa 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -72,6 +72,7 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); + private static final AntPathMatcher MATCHER = new AntPathMatcher(); private static final Set FIXED_WHITE_API_SET = ImmutableSet.of( "versions", "openapi.json" @@ -80,7 +81,6 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Set FLEXIBLE_WHITE_API_LIST = ImmutableSet.of(); private static String whiteIpStatus; - private static final String STRING_WHITE_IP_LIST = "whiteiplist"; private static final String STRING_ENABLE = "enable"; From 6a50b99c73f26c775704c9c79aa66c4c3fc9c187 Mon Sep 17 00:00:00 2001 
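Review bot: The added `private static final AntPathMatcher MATCHER = new AntPathMatcher();` references a type whose import (`org.gridkit.jvmtool.cmd.AntPathMatcher`) was removed in PATCH 11 and whose `sjk-core` dependency was removed in PATCH 12, and no hunk in this series restores either; the pre-image blob here (`7ebb225759`) is also not the post-image of PATCH 15 (`6aa19220b5`), so an intermediate change is missing from the series and the build state after this patch cannot be confirmed from the page. If an Ant-style matcher is needed, prefer one from a dependency the module already carries and say in a comment where it comes from, e.g. `// Ant-style matcher for FLEXIBLE_WHITE_API_SET entries`. `MATCHER` is unused within this hunk (its use appears in PATCH 18), and the rest of the class continues outside it.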
From: 1289220708 <1289220708@qq.com> Date: Sun, 10 Mar 2024 23:18:41 +0800 Subject: [PATCH 18/23] fix(server): white list change to fixed and flexable --- .../hugegraph/api/filter/AuthenticationFilter.java | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 3faac4f8aa..4d24f52821 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -45,7 +45,6 @@ import org.slf4j.Logger; import com.alipay.remoting.util.StringUtils; -import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; import jakarta.annotation.Priority; @@ -78,9 +77,9 @@ public class AuthenticationFilter implements ContainerRequestFilter { "openapi.json" ); // Remove auth/login API from white list - private static final Set FLEXIBLE_WHITE_API_LIST = ImmutableSet.of(); + private static final Set FLEXIBLE_WHITE_API_SET = ImmutableSet.of(); - private static String whiteIpStatus; + private static Boolean enabledWhiteIpCheck; private static final String STRING_WHITE_IP_LIST = "whiteiplist"; private static final String STRING_ENABLE = "enable"; 
@@ -122,11 +121,11 @@ protected User authenticate(ContainerRequestContext context) { } // Check whiteIp - if (whiteIpStatus == null) { - whiteIpStatus = this.configProvider.get().get(WHITE_IP_STATUS); + if (enabledWhiteIpCheck == null) { + enabledWhiteIpCheck = Objects.equals(this.configProvider.get().get(WHITE_IP_STATUS), STRING_ENABLE); } - if (Objects.equals(whiteIpStatus, STRING_ENABLE) && request != null) { + if (enabledWhiteIpCheck && request != null) { peer = request.getRemoteAddr() + ":" + request.getRemotePort(); path = request.getRequestURI(); @@ -321,7 +320,7 @@ public static boolean isWhiteAPI(ContainerRequestContext context) { return true; } - for (String whiteApi : FLEXIBLE_WHITE_API_LIST) { + for (String whiteApi : FLEXIBLE_WHITE_API_SET) { if (MATCHER.match(whiteApi, path)) { return true; } From ed2b24a5140b8946edf196ef6c0e8a3fdc30f20a Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 13 Mar 2024 21:31:39 +0800 Subject: [PATCH 19/23] fix(server): better code --- .../hugegraph/api/filter/AccessLogFilter.java | 8 ++++-- .../hugegraph/auth/ConfigAuthenticator.java | 6 ++++ .../hugegraph/auth/HugeAuthenticator.java | 3 ++ .../hugegraph/auth/HugeGraphAuthProxy.java | 2 +- .../hugegraph/auth/StandardAuthenticator.java | 6 ++++ .../apache/hugegraph/core/GraphManager.java | 5 ++++ .../apache/hugegraph/api/ArthasApiTest.java | 28 +++++++++++++++++-- 7 files changed, 52 insertions(+), 6 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index c4d4048ebb..28d234dfb5 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java 
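Review bot: `enabledWhiteIpCheck` is a non-volatile static `Boolean` initialised lazily on the request path with no synchronization, so concurrent first requests race on it (likely harmless because the computation is idempotent, but the field declaration in the previous hunk gives no hint that it is a cache); at minimum mark it `volatile` and add `// lazily cached; the config value is not expected to change at runtime`. `Objects.equals(..., STRING_ENABLE)` is a case-sensitive exact compare, so a value such as `Enable` or `true` silently leaves the white-IP check off instead of failing loudly; consider `STRING_ENABLE.equalsIgnoreCase(...)` together with a warning log for unrecognised values so a typo in the config is visible. The assignment line also runs well past the ~100-column convention visible elsewhere in the series; break it after `=`. `authenticate` begins and ends outside the hunk.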
@@ -26,9 +26,9 @@ import java.io.IOException; import java.net.URI; -import org.apache.hugegraph.auth.HugeGraphAuthProxy; import org.apache.hugegraph.config.HugeConfig; import org.apache.hugegraph.config.ServerOptions; +import org.apache.hugegraph.core.GraphManager; import org.apache.hugegraph.metrics.MetricsUtil; import org.apache.hugegraph.util.Log; import org.slf4j.Logger; @@ -56,6 +56,9 @@ public class AccessLogFilter implements ContainerResponseFilter { @Context private jakarta.inject.Provider configProvider; + @Context + private jakarta.inject.Provider managerProvider; + public static boolean needRecordLog(ContainerRequestContext context) { // TODO: add test for 'path' result ('/gremlin' or 'gremlin') String path = context.getUriInfo().getPath(); @@ -117,7 +120,8 @@ public void filter(ContainerRequestContext requestContext, } // Unset the context in "HugeAuthenticator", need distinguish Graph/Auth server lifecycle - HugeGraphAuthProxy.resetContext(); + GraphManager graphManager = managerProvider.get(); + graphManager.unAuthenticate((AuthenticationFilter.Authorizer) requestContext.getSecurityContext()); } private boolean statusOk(int status) { diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java index 21cf39682d..1ee8252888 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java @@ -24,6 +24,7 @@ import org.apache.commons.lang.NotImplementedException; import org.apache.hugegraph.HugeGraph; +import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.backend.id.IdGenerator; import org.apache.hugegraph.config.HugeConfig; import org.apache.hugegraph.config.ServerOptions; 
@@ -80,6 +81,11 @@ public UserWithRole authenticate(final String username, return new UserWithRole(IdGenerator.of(username), username, role); } + @Override + public void unAuthenticate(AuthenticationFilter.Authorizer authorizer) { + throw new NotImplementedException("unAuthenticate is unsupported by ConfigAuthenticator"); + } + @Override public AuthManager authManager() { throw new NotImplementedException("AuthManager is unsupported by ConfigAuthenticator"); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java index c3b1248877..e08c89de7f 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java @@ -23,6 +23,7 @@ import org.apache.hugegraph.HugeException; import org.apache.hugegraph.HugeGraph; +import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.auth.HugeGraphAuthProxy.Context; import org.apache.hugegraph.auth.SchemaDefine.AuthElement; import org.apache.hugegraph.backend.id.Id; @@ -64,6 +65,8 @@ public interface HugeAuthenticator extends Authenticator { UserWithRole authenticate(String username, String password, String token); + void unAuthenticate(AuthenticationFilter.Authorizer authorizer); + AuthManager authManager(); HugeGraph graph(); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java index 3d46a04293..796c38c320 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java 
@@ -1818,7 +1818,7 @@ protected static Context setContext(Context context) { return old; } - public static void resetContext() { + protected static void resetContext() { CONTEXTS.remove(); } diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java index 3e276046f9..6b45f7cbd4 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java @@ -27,6 +27,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.hugegraph.HugeGraph; +import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.config.CoreOptions; import org.apache.hugegraph.config.HugeConfig; import org.apache.hugegraph.config.ServerOptions; @@ -192,6 +193,11 @@ public UserWithRole authenticate(String username, String password, userWithRole.username(), role); } + @Override + public void unAuthenticate(AuthenticationFilter.Authorizer authorizer) { + HugeGraphAuthProxy.resetContext(); + } + @Override public AuthManager authManager() { return this.graph().authManager(); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java index cdd318428b..12d127d95f 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java 
@@ -31,6 +31,7 @@ import org.apache.commons.lang3.StringUtils; import org.apache.hugegraph.HugeFactory; import org.apache.hugegraph.HugeGraph; +import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.auth.AuthManager; import org.apache.hugegraph.auth.HugeAuthenticator; import org.apache.hugegraph.auth.HugeFactoryAuthProxy; @@ -263,6 +264,10 @@ public HugeAuthenticator.User authenticate(Map credentials) return this.authenticator().authenticate(credentials); } + public void unAuthenticate(AuthenticationFilter.Authorizer authorizer) { + this.authenticator().unAuthenticate(authorizer); + } + public AuthManager authManager() { return this.authenticator().authManager(); } diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java index 7bdfa3ee1f..2172be3608 100644 --- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java +++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java 
@@ -38,14 +38,36 @@ public void testArthasStart() { @Test public void testArthasApi() { - String body = "{\n" + + // command exec + String execBody = "{\n" + " \"action\": \"exec\",\n" + " \"command\": \"version\"\n" + "}"; RestClient arthasApiClient = new RestClient(ARTHAS_API_BASE_URL, false); - Response r = arthasApiClient.post(ARTHAS_API_PATH, body); - String result = assertResponseStatus(200, r); + Response execResponse = arthasApiClient.post(ARTHAS_API_PATH, execBody); + String result = assertResponseStatus(200, execResponse); assertJsonContains(result, "state"); assertJsonContains(result, "body"); + + // command session + String sessionBody = "{\n" + + " \"action\":\"init_session\"\n" + + "}"; + Response sessionResponse = arthasApiClient.post(ARTHAS_API_PATH, sessionBody); + String sessionResult = assertResponseStatus(200, sessionResponse); + assertJsonContains(sessionResult, "sessionId"); + assertJsonContains(sessionResult, "consumerId"); + assertJsonContains(sessionResult,"state"); + + + // join session: using invalid sessionId + String joinSessionBody = "{\n" + + " \"action\":\"join_session\",\n" + + " \"sessionId\" : \"xxx\"\n" + + "}"; + Response joinSessionResponse = arthasApiClient.post(ARTHAS_API_PATH, joinSessionBody); + String joinSessionResult = assertResponseStatus(200, joinSessionResponse); + assertJsonContains(joinSessionResult,"message"); + assertJsonContains(joinSessionResult,"state"); } } From 80c1634cd2342ea34ad6942bb33bc651917bfda4 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 13 Mar 2024 21:55:26 +0800 Subject: [PATCH 20/23] fix(server): better code --- .../java/org/apache/hugegraph/api/filter/AccessLogFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index 28d234dfb5..ee9f138a84 100644 
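Review bot: The `join_session` case in this hunk only asserts that the response contains `message` and `state` keys, so it passes whether the bogus sessionId `xxx` was rejected or accepted; pin the rejection by asserting the `state` value is the failure state rather than the success one (the exact string Arthas returns is not visible here, so take it from a real response). The same weakness applies to the `init_session` case, where `state` is only checked for presence. Separately, the `exec`/`version` call succeeds through `new RestClient(ARTHAS_API_BASE_URL, false)`; if that `false` disables client authentication, the test is pinning unauthenticated command execution on the Arthas HTTP API, which is worth a comment on the test stating what is relied on to restrict access to that endpoint.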
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -121,7 +121,8 @@ public void filter(ContainerRequestContext requestContext, // Unset the context in "HugeAuthenticator", need distinguish Graph/Auth server lifecycle GraphManager graphManager = managerProvider.get(); - graphManager.unAuthenticate((AuthenticationFilter.Authorizer) requestContext.getSecurityContext()); + // TODO transfer Authorizer if we need after. + graphManager.unAuthenticate(null); } private boolean statusOk(int status) { From ed250f2b1000d38e7bbd7eae7f3c0fce1f41d9f4 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Wed, 13 Mar 2024 22:02:56 +0800 Subject: [PATCH 21/23] fix(server): better code --- .../org/apache/hugegraph/api/filter/AccessLogFilter.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index ee9f138a84..0911622dd8 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -26,6 +26,7 @@ import java.io.IOException; import java.net.URI; +import org.apache.hugegraph.auth.HugeAuthenticator; import org.apache.hugegraph.config.HugeConfig; import org.apache.hugegraph.config.ServerOptions; import org.apache.hugegraph.core.GraphManager; 
@@ -120,9 +121,11 @@ public void filter(ContainerRequestContext requestContext, } // Unset the context in "HugeAuthenticator", need distinguish Graph/Auth server lifecycle - GraphManager graphManager = managerProvider.get(); + GraphManager manager = managerProvider.get(); // TODO transfer Authorizer if we need after. - graphManager.unAuthenticate(null); + if (manager.requireAuthentication()) { + manager.unAuthenticate(null); + } } private boolean statusOk(int status) { From 2e3325c03fc9bf87ea9e787cc893d8e57b447992 Mon Sep 17 00:00:00 2001 From: 1289220708 <1289220708@qq.com> Date: Mon, 18 Mar 2024 21:58:33 +0800 Subject: [PATCH 22/23] fix(server): better code --- .../hugegraph/api/filter/AccessLogFilter.java | 2 +- .../hugegraph/api/filter/AuthenticationFilter.java | 3 ++- .../apache/hugegraph/auth/ConfigAuthenticator.java | 6 +++--- .../apache/hugegraph/auth/HugeAuthenticator.java | 5 +++-- .../hugegraph/auth/StandardAuthenticator.java | 4 +++- .../org/apache/hugegraph/core/GraphManager.java | 7 ++++--- .../org/apache/hugegraph/api/ArthasApiTest.java | 13 ++++++------- 7 files changed, 22 insertions(+), 18 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index 0911622dd8..68e57a675e 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -124,7 +124,7 @@ public void filter(ContainerRequestContext requestContext, GraphManager manager = managerProvider.get(); // TODO transfer Authorizer if we need after. if (manager.requireAuthentication()) { - manager.unAuthenticate(null); + manager.unauthorize(requestContext.getSecurityContext()); } } 
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 4d24f52821..a90b8f0c09 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -122,7 +122,8 @@ protected User authenticate(ContainerRequestContext context) { // Check whiteIp if (enabledWhiteIpCheck == null) { - enabledWhiteIpCheck = Objects.equals(this.configProvider.get().get(WHITE_IP_STATUS), STRING_ENABLE); + String whiteIpStatus = this.configProvider.get().get(WHITE_IP_STATUS); + enabledWhiteIpCheck = Objects.equals(whiteIpStatus, STRING_ENABLE); } if (enabledWhiteIpCheck && request != null) { diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java index 1ee8252888..eaad573d5e 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java @@ -24,13 +24,14 @@ import org.apache.commons.lang.NotImplementedException; import org.apache.hugegraph.HugeGraph; -import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.backend.id.IdGenerator; import org.apache.hugegraph.config.HugeConfig; import org.apache.hugegraph.config.ServerOptions; import org.apache.hugegraph.util.E; import org.apache.tinkerpop.gremlin.groovy.jsr223.dsl.credential.CredentialGraphTokens; +import jakarta.ws.rs.core.SecurityContext; + public class ConfigAuthenticator implements HugeAuthenticator { public static final String KEY_USERNAME = CredentialGraphTokens.PROPERTY_USERNAME; 
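Review bot: `enabledWhiteIpCheck` is a static, non-volatile `Boolean` that this hunk initialises lazily on whichever request thread arrives first and then reads on every later request; the race is benign because the assignment is idempotent, but without `volatile` other threads may keep re-reading config until the write becomes visible, and the value is pinned for the life of the process. Declare the field `private static volatile Boolean enabledWhiteIpCheck;` or resolve it once at filter construction, and add `// Cached on first request; changing the white-ip option in config requires a restart` so the behaviour is explicit. The field declaration and the option behind `WHITE_IP_STATUS` are outside this hunk.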
@@ -82,8 +83,7 @@ public UserWithRole authenticate(final String username, } @Override - public void unAuthenticate(AuthenticationFilter.Authorizer authorizer) { - throw new NotImplementedException("unAuthenticate is unsupported by ConfigAuthenticator"); + public void unauthorize(SecurityContext context) { } @Override diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java index e08c89de7f..18a22eb9ec 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java @@ -23,7 +23,6 @@ import org.apache.hugegraph.HugeException; import org.apache.hugegraph.HugeGraph; -import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.auth.HugeGraphAuthProxy.Context; import org.apache.hugegraph.auth.SchemaDefine.AuthElement; import org.apache.hugegraph.backend.id.Id; @@ -40,6 +39,8 @@ import org.apache.tinkerpop.gremlin.server.auth.Authenticator; import org.apache.tinkerpop.shaded.jackson.annotation.JsonProperty; +import jakarta.ws.rs.core.SecurityContext; + public interface HugeAuthenticator extends Authenticator { String KEY_USERNAME = CredentialGraphTokens.PROPERTY_USERNAME; @@ -65,7 +66,7 @@ public interface HugeAuthenticator extends Authenticator { UserWithRole authenticate(String username, String password, String token); - void unAuthenticate(AuthenticationFilter.Authorizer authorizer); + void unauthorize(SecurityContext context); AuthManager authManager(); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java index 6b45f7cbd4..ad100875b0 100644 
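Review bot: The empty `unauthorize` body in this hunk leaves the per-thread auth context in place for `ConfigAuthenticator`: the interface's default `authenticate(Map)` calls `HugeGraphAuthProxy.setContext(new Context(user))` for every authenticator, and as far as is visible `ConfigAuthenticator` does not override it, while `AccessLogFilter` now reaches the reset only through this method (it previously called `HugeGraphAuthProxy.resetContext()` unconditionally). The `ThreadLocal` set for one request can therefore survive into the next request served by the same worker thread, including one that never authenticates. Unless config-auth deliberately never sets a context, mirror `StandardAuthenticator` here: `HugeGraphAuthProxy.resetContext();` — it is `protected static` and this class is in the same package, so it is reachable. If a no-op really is correct, a one-line comment saying why is needed.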
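Review bot: `void unauthorize(SecurityContext context);` in this hunk is added to the interface without a contract, and the two implementations visible in this series already disagree (one clears the thread-local, one does nothing). Document it on the interface: `/** Clear any per-thread authentication state installed by {@link #authenticate(Map)}; called by the response filter once per request. The context argument is currently unused. */`. The `authenticate(Map)` default method that installs that state is outside this hunk.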
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/StandardAuthenticator.java @@ -40,6 +40,8 @@ import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException; import org.apache.tinkerpop.gremlin.structure.util.GraphFactory; +import jakarta.ws.rs.core.SecurityContext; + public class StandardAuthenticator implements HugeAuthenticator { private static final String INITING_STORE = "initing_store"; @@ -194,7 +196,7 @@ public UserWithRole authenticate(String username, String password, } @Override - public void unAuthenticate(AuthenticationFilter.Authorizer authorizer) { + public void unauthorize(SecurityContext context) { HugeGraphAuthProxy.resetContext(); } diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java index 12d127d95f..37939c2019 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java @@ -31,7 +31,6 @@ import org.apache.commons.lang3.StringUtils; import org.apache.hugegraph.HugeFactory; import org.apache.hugegraph.HugeGraph; -import org.apache.hugegraph.api.filter.AuthenticationFilter; import org.apache.hugegraph.auth.AuthManager; import org.apache.hugegraph.auth.HugeAuthenticator; import org.apache.hugegraph.auth.HugeFactoryAuthProxy; @@ -77,6 +76,8 @@ import com.alipay.sofa.rpc.config.ServerConfig; +import jakarta.ws.rs.core.SecurityContext; + public final class GraphManager { private static final Logger LOG = Log.logger(GraphManager.class); 
@@ -264,8 +265,8 @@ public HugeAuthenticator.User authenticate(Map credentials) return this.authenticator().authenticate(credentials); } - public void unAuthenticate(AuthenticationFilter.Authorizer authorizer) { - this.authenticator().unAuthenticate(authorizer); + public void unauthorize(SecurityContext context) { + this.authenticator().unauthorize(context); } public AuthManager authManager() { diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java index 2172be3608..2f92324808 100644 --- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java +++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/api/ArthasApiTest.java @@ -40,9 +40,9 @@ public void testArthasStart() { public void testArthasApi() { // command exec String execBody = "{\n" + - " \"action\": \"exec\",\n" + - " \"command\": \"version\"\n" + - "}"; + " \"action\": \"exec\",\n" + + " \"command\": \"version\"\n" + + "}"; RestClient arthasApiClient = new RestClient(ARTHAS_API_BASE_URL, false); Response execResponse = arthasApiClient.post(ARTHAS_API_PATH, execBody); String result = assertResponseStatus(200, execResponse); @@ -57,8 +57,7 @@ public void testArthasApi() { String sessionResult = assertResponseStatus(200, sessionResponse); assertJsonContains(sessionResult, "sessionId"); assertJsonContains(sessionResult, "consumerId"); - assertJsonContains(sessionResult,"state"); - + assertJsonContains(sessionResult, "state"); // join session: using invalid sessionId String joinSessionBody = "{\n" + 
@@ -67,7 +66,7 @@ public void testArthasApi() { "}"; Response joinSessionResponse = arthasApiClient.post(ARTHAS_API_PATH, joinSessionBody); String joinSessionResult = assertResponseStatus(200, joinSessionResponse); - assertJsonContains(joinSessionResult,"message"); - assertJsonContains(joinSessionResult,"state"); + assertJsonContains(joinSessionResult, "message"); + assertJsonContains(joinSessionResult, "state"); } } From 5817ccd42671c299d8fac3a00aa9e8c83bf329d1 Mon Sep 17 00:00:00 2001 From: imbajin Date: Tue, 19 Mar 2024 15:52:58 +0800 Subject: [PATCH 23/23] tiny improve --- .../hugegraph/api/filter/AccessLogFilter.java | 2 +- .../api/filter/AuthenticationFilter.java | 34 +++++++------------ .../hugegraph/auth/HugeAuthenticator.java | 2 +- .../hugegraph/auth/HugeGraphAuthProxy.java | 6 ++-- 4 files changed, 18 insertions(+), 26 deletions(-) diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java index 68e57a675e..d429db4d9b 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AccessLogFilter.java @@ -122,7 +122,7 @@ public void filter(ContainerRequestContext requestContext, // Unset the context in "HugeAuthenticator", need distinguish Graph/Auth server lifecycle GraphManager manager = managerProvider.get(); - // TODO transfer Authorizer if we need after. + // TODO: transfer Authorizer if we need after. if (manager.requireAuthentication()) { manager.unauthorize(requestContext.getSecurityContext()); } diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index a90b8f0c09..b15adf3b90 100644 
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -76,7 +76,7 @@ public class AuthenticationFilter implements ContainerRequestFilter { "versions", "openapi.json" ); - // Remove auth/login API from white list + /** Remove auth/login API from whitelist */ private static final Set FLEXIBLE_WHITE_API_SET = ImmutableSet.of(); private static Boolean enabledWhiteIpCheck; @@ -107,7 +107,7 @@ protected User authenticate(ContainerRequestContext context) { E.checkState(manager != null, "Context GraphManager is absent"); if (!manager.requireAuthentication()) { - // Return anonymous user with admin role if disable authentication + // Return anonymous user with an admin role if disable authentication return User.ANONYMOUS; } @@ -135,9 +135,8 @@ protected User authenticate(ContainerRequestContext context) { boolean whiteIpEnabled = manager.authManager().getWhiteIpStatus(); if (!path.contains(STRING_WHITE_IP_LIST) && whiteIpEnabled && !whiteIpList.contains(remoteIp)) { - throw new ForbiddenException( - String.format("Remote ip '%s' is not permitted", - remoteIp)); + throw new ForbiddenException(String.format("Remote ip '%s' is not permitted", + remoteIp)); } } 
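Review bot: The bypass condition `!path.contains(STRING_WHITE_IP_LIST)` in this hunk is a substring test on the whole request URI, so any request whose path contains `whiteiplist` anywhere — for example as a vertex id or other path parameter — is exempted from the remote-IP allowlist, not just the allowlist-management endpoint itself. Match that endpoint explicitly instead, using the same `MATCHER` already used for `FLEXIBLE_WHITE_API_SET` against the route the white-ip API is registered under (its exact path is not visible here). `remoteIp` and `whiteIpList` are derived outside the hunk; if `remoteIp` comes from `getRemoteAddr()` it is the proxy address when the server sits behind a reverse proxy, which is worth stating in a comment next to the check.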
@@ -145,28 +144,23 @@ protected User authenticate(ContainerRequestContext context) { // Extract authentication credentials String auth = context.getHeaderString(HttpHeaders.AUTHORIZATION); if (auth == null) { - throw new NotAuthorizedException( - "Authentication credentials are required", - "Missing authentication credentials"); + throw new NotAuthorizedException("Authentication credentials are required", + "Missing authentication credentials"); } if (auth.startsWith(BASIC_AUTH_PREFIX)) { auth = auth.substring(BASIC_AUTH_PREFIX.length()); - auth = new String(DatatypeConverter.parseBase64Binary(auth), - Charsets.ASCII_CHARSET); + auth = new String(DatatypeConverter.parseBase64Binary(auth), Charsets.ASCII_CHARSET); String[] values = auth.split(":"); if (values.length != 2) { - throw new BadRequestException( - "Invalid syntax for username and password"); + throw new BadRequestException("Invalid syntax for username and password"); } final String username = values[0]; final String password = values[1]; - if (StringUtils.isEmpty(username) || - StringUtils.isEmpty(password)) { - throw new BadRequestException( - "Invalid syntax for username and password"); + if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { + throw new BadRequestException("Invalid syntax for username and password"); } credentials.put(HugeAuthenticator.KEY_USERNAME, username); @@ -175,8 +169,7 @@ protected User authenticate(ContainerRequestContext context) { String token = auth.substring(BEARER_TOKEN_PREFIX.length()); credentials.put(HugeAuthenticator.KEY_TOKEN, token); } else { - throw new BadRequestException( - "Only HTTP Basic or Bearer authentication is supported"); + throw new BadRequestException("Only HTTP Basic or Bearer authentication is supported"); } credentials.put(HugeAuthenticator.KEY_ADDRESS, peer); 
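Review bot: `auth.split(":")` followed by `values.length != 2` in this hunk rejects any Basic credential whose password contains a colon, although RFC 7617 only forbids the colon in the user-id; use `String[] values = auth.split(":", 2);` so everything after the first colon is the password. The decode step has two further rough edges: the behaviour of `DatatypeConverter.parseBase64Binary` on malformed input should be checked and wrapped so the client gets the same `BadRequestException` the other branches raise rather than a server error, and decoding with `Charsets.ASCII_CHARSET` garbles non-ASCII passwords (UTF-8 is the usual choice). `startsWith(BASIC_AUTH_PREFIX)` is also case-sensitive while the HTTP auth-scheme token is case-insensitive; whether any client sends a differently cased scheme is not visible here. The enclosing `authenticate` method continues past the hunk.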
@@ -186,8 +179,7 @@ protected User authenticate(ContainerRequestContext context) { try { return manager.authenticate(credentials); } catch (AuthenticationException e) { - throw new NotAuthorizedException("Authentication failed", - e.getMessage()); + throw new NotAuthorizedException("Authentication failed", e.getMessage()); } } @@ -251,7 +243,7 @@ private boolean matchPermission(String required) { requiredPerm = RequiredPerm.fromPermission(required); /* - * Replace owner value(it may be a variable) if the permission + * Replace owner value (it may be a variable) if the permission * format like: "$owner=$graph $action=vertex_write" */ String owner = requiredPerm.owner(); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java index 18a22eb9ec..02911c8d98 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java @@ -107,7 +107,7 @@ default User authenticate(final Map credentials) } HugeGraphAuthProxy.logUser(user, credentials.get(KEY_PATH)); - // Set authentication context & unset in AccessLogFilter + // TODO: Ensure context lifecycle in GraphServer & AuthServer(#AccessLogFilter) HugeGraphAuthProxy.setContext(new Context(user)); return user; diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java index 796c38c320..e611d166f4 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java 
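Review bot: `new NotAuthorizedException("Authentication failed", e.getMessage())` in this hunk passes the authenticator's exception text as the JAX-RS challenge argument (the `String, Object` constructor), which becomes the `WWW-Authenticate` response header; the header then carries internal failure detail instead of a valid challenge, and if that message distinguishes unknown users from wrong passwords it also leaks that distinction to the client. Use a fixed challenge, e.g. `throw new NotAuthorizedException("Authentication failed", "Basic realm=\"hugegraph\"");`, and log `e` server-side if the detail is needed for diagnosis. The missing-credentials throw in the preceding hunk has the same constructor shape and should be changed together with this one.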
@@ -1752,9 +1752,9 @@ public void apply(Traversal.Admin traversal) { } /* - * Verify gremlin-execute permission for user gremlin(in gremlin- - * server-exec worker) and gremlin job(in task worker). - * But don't check permission in rest worker, because the following + * Verify gremlin-execute permission for user gremlin (in gremlin-server-exec worker) + * and gremlin job(in task worker). + * But don't check permission in rest worker because the following * places need to call traversal(): * 1.vertices/edges rest api * 2.oltp rest api (like crosspointpath/neighborrank)