[ISSUE #338] support config auth (#623)

* enable authentication for config center api

add resource hook for configgroup resource and config center support authorization

add Editable attribute for ConfigGroup

* enable authz for config_file&config_file_release

* generate store api mock code

* fix:config_auth ci error

* fix:config_auth ci error

* style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

style:处理代码风格问题

* fix:import order

* refactor:调整配置中心鉴权走CheckConsole

* refactor:移除不需要的变量定义

* fix:修复代码冲突问题

* test:添加单元测试

* test:添加单元测试

* test:添加单元测试

* test:添加单元测试

* test:添加单元测试

* test:添加单元测试

* test:添加单元测试

Co-authored-by: zhongtaoyue <zhongtaoyue@tencent.com>

Author: chuntaojun

apiserver/eurekaserver/vip_test.go

@@ -119,7 +119,7 @@ func mockGetVipInstances(namingServer service.DiscoverServer, svcId string) ([]*
 	return retValue, uuid.NewString(), nil
 }
 
-//TestBuildApplicationsForVip test method for BuildApplicationsForVip
+// TestBuildApplicationsForVip test method for BuildApplicationsForVip
 func TestBuildApplicationsForVip(t *testing.T) {
 	doVipFunctionMock()
 	builder := &ApplicationsBuilder{
@@ -175,7 +175,7 @@ func mockGetSvipInstances(namingServer service.DiscoverServer, svcId string) ([]
 	return retValue, uuid.NewString(), nil
 }
 
-//TestBuildApplicationsForSVip test method for BuildApplicationsForVip
+// TestBuildApplicationsForSVip test method for BuildApplicationsForVip
 func TestBuildApplicationsForSvip(t *testing.T) {
 	doSVipFunctionMock()
 	builder := &ApplicationsBuilder{

apiserver/grpcserver/stream.go

@@ -146,9 +146,9 @@ type VirtualStream struct {
 // SetHeader sets the header metadata. It may be called multiple times.
 // When call multiple times, all the provided metadata will be merged.
 // All the metadata will be sent out when one of the following happens:
-//  - ServerStream.SendHeader() is called;
-//  - The first response is sent out;
-//  - An RPC status is sent out (error or success).
+//   - ServerStream.SendHeader() is called;
+//   - The first response is sent out;
+//   - An RPC status is sent out (error or success).
 func (v *VirtualStream) SetHeader(md metadata.MD) error {
 	return v.stream.SetHeader(md)
 }

apiserver/httpserver/i18n/messages.genearate.go

@@ -50,7 +50,8 @@ func (h *HTTPServer) GetMaintainAccessServer() *restful.WebService {
 
 // GetServerConnections 查看server的连接数
 // query参数：protocol，必须，查看指定协议server
-//           host，可选，查看指定host
+//
+//	host，可选，查看指定host
 func (h *HTTPServer) GetServerConnections(req *restful.Request, rsp *restful.Response) {
 	ctx := initContext(req)
 	params := httpcommon.ParseQueryParams(req)

apiserver/httpserver/maintain_access.go

@@ -40,13 +40,15 @@ func (h *PrometheusServer) addPrometheusDefaultAccess(ws *restful.WebService) {
 
 // GetPrometheusClients 对接 prometheus 基于 http 的 service discovery
 // [
-//   {
-//     "targets": [ "<host>", ... ],
-//     "labels": {
-//       "<labelname>": "<labelvalue>", ...
-//     }
-//   },
-//   ...
+//
+//	{
+//	  "targets": [ "<host>", ... ],
+//	  "labels": {
+//	    "<labelname>": "<labelvalue>", ...
+//	  }
+//	},
+//	...
+//
 // ]
 func (h *PrometheusServer) GetPrometheusClients(req *restful.Request, rsp *restful.Response) {
 

apiserver/prometheussd/prometheus_access.go

@@ -95,13 +95,14 @@ func (d *defaultAuthChecker) checkMaintainPermission(preCtx *model.AcquireContex
 }
 
 // CheckPermission 执行检查动作判断是否有权限
-// 	step 1. 判断是否开启了鉴权
-// 	step 2. 对token进行检查判断
-// 		case 1. 如果 token 被禁用
-// 				a. 读操作，直接放通
-// 				b. 写操作，快速失败
-// 	step 3. 拉取token对应的操作者相关信息，注入到请求上下文中
-// 	step 4. 进行权限检查
+//
+//	step 1. 判断是否开启了鉴权
+//	step 2. 对token进行检查判断
+//		case 1. 如果 token 被禁用
+//				a. 读操作，直接放通
+//				b. 写操作，快速失败
+//	step 3. 拉取token对应的操作者相关信息，注入到请求上下文中
+//	step 4. 进行权限检查
 func (d *defaultAuthChecker) CheckPermission(authCtx *model.AcquireContext) (bool, error) {
 	reqId := utils.ParseRequestID(authCtx.GetRequestContext())
 	if err := d.VerifyCredential(authCtx); err != nil {
@@ -172,7 +173,7 @@ func canDowngradeAnonymous(authCtx *model.AcquireContext, err error) bool {
 // step 1. 首先对 token 进行解析，获取相关的数据信息，注入到整个的 AcquireContext 中
 // step 2. 最后对 token 进行一些验证步骤的执行
 // step 3. 兜底措施：如果开启了鉴权的非严格模式，则根据错误的类型，判断是否转为匿名用户进行访问
-// 		- 如果不是访问权限控制相关模块（用户、用户组、权限策略），不得转为匿名用户
+//   - 如果不是访问权限控制相关模块（用户、用户组、权限策略），不得转为匿名用户
 func (d *defaultAuthChecker) VerifyCredential(authCtx *model.AcquireContext) error {
 	reqId := utils.ParseRequestID(authCtx.GetRequestContext())
 

auth/defaultauth/auth_mgn_core.go

@@ -231,7 +231,6 @@ func Test_defaultAuthChecker_CheckPermission_Write_NoStrict(t *testing.T) {
 		t.Fatal(err)
 	}
 
-
 	defer func() {
 		cancel()
 		cacheMgn.Clear()
@@ -472,7 +471,6 @@ func Test_defaultAuthChecker_CheckPermission_Write_Strict(t *testing.T) {
 		t.Fatal(err)
 	}
 
-
 	defer func() {
 		cancel()
 		cacheMgn.Clear()
@@ -663,7 +661,6 @@ func Test_defaultAuthChecker_CheckPermission_Read_NoStrict(t *testing.T) {
 		t.Fatal(err)
 	}
 
-
 	defer func() {
 		cancel()
 		cacheMgn.Clear()
@@ -874,7 +871,6 @@ func Test_defaultAuthChecker_CheckPermission_Read_Strict(t *testing.T) {
 		t.Fatal(err)
 	}
 
-
 	defer func() {
 		cancel()
 		cacheMgn.Clear()

auth/defaultauth/auth_mgn_core_test.go

@@ -174,6 +174,25 @@ func createMockUser(total int, prefix ...string) []*model.User {
 	return users
 }
 
+func createApiMockUser(total int, prefix ...string) []*api.User {
+	users := make([]*api.User, 0, total)
+
+	models := createMockUser(total, prefix...)
+
+	for i := range models {
+		users = append(users, &api.User{
+			Name:     utils.NewStringValue(models[i].Name),
+			Password: utils.NewStringValue("123456"),
+			Source:   utils.NewStringValue("Polaris"),
+			Comment:  utils.NewStringValue(models[i].Comment),
+			Mobile:   utils.NewStringValue(models[i].Mobile),
+			Email:    utils.NewStringValue(models[i].Email),
+		})
+	}
+
+	return users
+}
+
 func createMockUserGroup(users []*model.User) []*model.UserGroupDetail {
 	groups := make([]*model.UserGroupDetail, 0, len(users))
 
@@ -204,6 +223,35 @@ func createMockUserGroup(users []*model.User) []*model.UserGroupDetail {
 	return groups
 }
 
+// createMockApiUserGroup
+func createMockApiUserGroup(users []*api.User) []*api.UserGroup {
+	musers := make([]*model.User, 0, len(users))
+	for i := range users {
+		musers = append(musers, &model.User{
+			ID: users[i].GetId().GetValue(),
+		})
+	}
+
+	models := createMockUserGroup(musers)
+	ret := make([]*api.UserGroup, 0, len(models))
+
+	for i := range models {
+		ret = append(ret, &api.UserGroup{
+			Name:    utils.NewStringValue(models[i].Name),
+			Comment: utils.NewStringValue(models[i].Comment),
+			Relation: &api.UserGroupRelation{
+				Users: []*api.User{
+					{
+						Id: utils.NewStringValue(users[i].GetId().GetValue()),
+					},
+				},
+			},
+		})
+	}
+
+	return ret
+}
+
 func createMockStrategy(users []*model.User, groups []*model.UserGroupDetail, services []*model.Service) ([]*model.StrategyDetail, []*model.StrategyDetail) {
 	strategies := make([]*model.StrategyDetail, 0, len(users)+len(groups))
 	defaultStrategies := make([]*model.StrategyDetail, 0, len(users)+len(groups))

auth/defaultauth/common_test.go

@@ -24,11 +24,11 @@ import (
 	"go.uber.org/zap"
 
 	api "github.com/polarismesh/polaris-server/common/api/v1"
+	authcommon "github.com/polarismesh/polaris-server/common/auth"
 	"github.com/polarismesh/polaris-server/common/log"
 	"github.com/polarismesh/polaris-server/common/model"
 	commontime "github.com/polarismesh/polaris-server/common/time"
 	"github.com/polarismesh/polaris-server/common/utils"
-	authcommon "github.com/polarismesh/polaris-server/common/auth"
 )
 
 type (

auth/defaultauth/group.go

@@ -90,7 +90,6 @@ func newGroupTest(t *testing.T) *GroupTest {
 		t.Fatal(err)
 	}
 
-
 	time.Sleep(time.Second)
 
 	checker := &defaultAuthChecker{}
@@ -612,3 +611,101 @@ func Test_server_RefreshGroupToken(t *testing.T) {
 		assert.True(t, batchResp.Code.Value == v1.NotAllowedAccess, batchResp.Info.GetValue())
 	})
 }
+
+func Test_AuthServer_NormalOperateUserGroup(t *testing.T) {
+	suit := &AuthTestSuit{}
+	if err := suit.initialize(); err != nil {
+		t.Fatal(err)
+	}
+	defer suit.Destroy()
+
+	users := createApiMockUser(10, "test")
+	for i := range users {
+		users[i].Id = utils.NewStringValue(utils.NewUUID())
+	}
+
+	groups := createMockApiUserGroup([]*api.User{users[0]})
+
+	t.Run("正常创建用户组", func(t *testing.T) {
+		bresp := suit.server.CreateUsers(suit.defaultCtx, users)
+		if !respSuccess(bresp) {
+			t.Fatal(bresp.GetInfo().GetValue())
+		}
+
+		time.Sleep(suit.updateCacheInterval)
+
+		resp := suit.server.CreateGroup(suit.defaultCtx, groups[0])
+
+		if !respSuccess(resp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+
+		groups[0].Id = utils.NewStringValue(resp.GetUserGroup().Id.Value)
+	})
+
+	t.Run("正常更新用户组", func(t *testing.T) {
+
+		time.Sleep(time.Second)
+
+		req := []*api.ModifyUserGroup{
+			&v1.ModifyUserGroup{
+				Id:   utils.NewStringValue(groups[0].GetId().GetValue()),
+				Name: utils.NewStringValue(groups[0].GetName().GetValue()),
+				Comment: &wrapperspb.StringValue{
+					Value: "update user group",
+				},
+				AddRelations: &v1.UserGroupRelation{
+					Users: users[3:],
+				},
+			},
+		}
+
+		resp := suit.server.UpdateGroups(suit.defaultCtx, req)
+		if !respSuccess(resp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+
+		time.Sleep(suit.updateCacheInterval)
+
+		qresp := suit.server.GetGroup(suit.defaultCtx, groups[0])
+
+		if !respSuccess(resp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+
+		assert.Equal(t, req[0].GetComment().GetValue(), qresp.GetUserGroup().GetComment().GetValue())
+		assert.Equal(t, len(users[3:])+1, len(qresp.GetUserGroup().GetRelation().GetUsers()))
+	})
+
+	t.Run("正常更新用户组Token", func(t *testing.T) {
+		resp := suit.server.ResetGroupToken(suit.defaultCtx, groups[0])
+
+		if !respSuccess(resp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+
+		time.Sleep(suit.updateCacheInterval)
+
+		qresp := suit.server.GetGroupToken(suit.defaultCtx, groups[0])
+		if !respSuccess(qresp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+		assert.Equal(t, resp.GetUserGroup().GetAuthToken().GetValue(), qresp.GetUserGroup().GetAuthToken().GetValue())
+	})
+
+	t.Run("正常删除用户组", func(t *testing.T) {
+		resp := suit.server.DeleteGroups(suit.defaultCtx, groups)
+
+		if !respSuccess(resp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+
+		qresp := suit.server.GetGroup(suit.defaultCtx, groups[0])
+
+		if respSuccess(qresp) {
+			t.Fatal(resp.GetInfo().GetValue())
+		}
+
+		assert.Equal(t, v1.NotFoundUserGroup, qresp.GetCode().GetValue())
+	})
+}