Merge branch 'main' into fix-api-auth

pkg/ginx/auth.go

@@ -0,0 +1,102 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package ginx
+
+import (
+	"crypto/subtle"
+	"encoding/base64"
+	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+)
+
+// AuthUserKey is the cookie name for user credential in basic auth.
+const AuthUserKey = "user"
+
+// Accounts defines a key/value for user/pass list of authorized logins.
+type Accounts []Account
+
+type Account struct {
+	User     string
+	Password string
+}
+
+type authPair struct {
+	value string
+	user  string
+}
+
+type authPairs []authPair
+
+func (a authPairs) searchCredential(authValue string) (string, bool) {
+	if authValue == "" {
+		return "", false
+	}
+	for _, pair := range a {
+		if subtle.ConstantTimeCompare(StringToBytes(pair.value), StringToBytes(authValue)) == 1 {
+			return pair.user, true
+		}
+	}
+	return "", false
+}
+
+// BasicAuthForRealm returns a Basic HTTP Authorization middleware. It takes as arguments a map[string]string where
+// the key is the user name and the value is the password, as well as the name of the Realm.
+// If the realm is empty, "Authorization Required" will be used by default.
+// (see http://tools.ietf.org/html/rfc2617#section-1.2)
+func BasicAuthForRealm(accounts Accounts, realm string) gin.HandlerFunc {
+	if realm == "" {
+		realm = "Authorization Required"
+	}
+	realm = "Basic realm=" + strconv.Quote(realm)
+	pairs := processAccounts(accounts)
+	return func(c *gin.Context) {
+		// Search user in the slice of allowed credentials
+		user, found := pairs.searchCredential(c.Request.Header.Get("Authorization"))
+		if !found {
+			// Credentials doesn't match, we return 401 and abort handlers chain.
+			c.Header("WWW-Authenticate", realm)
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+
+		// The user credentials was found, set user's id to key AuthUserKey in this context, the user's id can be read later using
+		// c.MustGet(gin.AuthUserKey).
+		c.Set(AuthUserKey, user)
+	}
+}
+
+// BasicAuth returns a Basic HTTP Authorization middleware. It takes as argument a map[string]string where
+// the key is the user name and the value is the password.
+func BasicAuth(accounts Accounts) gin.HandlerFunc {
+	return BasicAuthForRealm(accounts, "")
+}
+
+func processAccounts(accounts Accounts) authPairs {
+	length := len(accounts)
+	assert1(length > 0, "Empty list of authorized credentials")
+	pairs := make(authPairs, 0, length)
+	for _, account := range accounts {
+		assert1(account.User != "", "User can not be empty")
+		value := authorizationHeader(account.User, account.Password)
+		pairs = append(pairs, authPair{
+			value: value,
+			user:  account.User,
+		})
+	}
+	return pairs
+}
+
+func authorizationHeader(user, password string) string {
+	base := user + ":" + password
+	return "Basic " + base64.StdEncoding.EncodeToString(StringToBytes(base))
+}
+
+func assert1(guard bool, text string) {
+	if !guard {
+		panic(text)
+	}
+}

pkg/ginx/bytesconv.go

@@ -0,0 +1,23 @@
+// Copyright 2023 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build go1.20
+
+package ginx
+
+import (
+	"unsafe"
+)
+
+// StringToBytes converts string to byte slice without a memory allocation.
+// For more details, see https://github.com/golang/go/issues/53003#issuecomment-1140276077.
+func StringToBytes(s string) []byte {
+	return unsafe.Slice(unsafe.StringData(s), len(s))
+}
+
+// BytesToString converts byte slice to string without a memory allocation.
+// For more details, see https://github.com/golang/go/issues/53003#issuecomment-1140276077.
+func BytesToString(b []byte) string {
+	return unsafe.String(unsafe.SliceData(b), len(b))
+}

pushgw/router/router.go

@@ -12,6 +12,7 @@ import (
 	"github.com/ccfos/nightingale/v6/center/metas"
 	"github.com/ccfos/nightingale/v6/memsto"
 	"github.com/ccfos/nightingale/v6/pkg/ctx"
+	"github.com/ccfos/nightingale/v6/pkg/ginx"
 	"github.com/ccfos/nightingale/v6/pkg/httpx"
 	"github.com/ccfos/nightingale/v6/pushgw/idents"
 	"github.com/ccfos/nightingale/v6/pushgw/pconf"
@@ -87,21 +88,22 @@ func (rt *Router) Config(r *gin.Engine) {
 
 	if len(rt.HTTP.APIForAgent.BasicAuth) > 0 {
 		// enable basic auth
-		accounts := make(gin.Accounts)
+		accounts := make(ginx.Accounts, 0)
 		for username, password := range rt.HTTP.APIForAgent.BasicAuth {
-			accounts[username] = password
+			accounts = append(accounts, ginx.Account{
+				User:     username,
+				Password: password,
+			})
 		}
 
-		// 合并两个 basic auth，为了让 n9e-edge 和 n9e-pushgw 使用服务端授权调用 api for agent 的接口
 		for username, password := range rt.HTTP.APIForService.BasicAuth {
-			if _, exists := accounts[username]; exists {
-				logger.Errorf("api for agent and api for service basic auth username conflict: %s", username)
-			} else {
-				accounts[username] = password
-			}
+			accounts = append(accounts, ginx.Account{
+				User:     username,
+				Password: password,
+			})
 		}
 
-		auth := gin.BasicAuth(accounts)
+		auth := ginx.BasicAuth(accounts)
 		r.POST("/opentsdb/put", auth, rt.openTSDBPut)
 		r.POST("/openfalcon/push", auth, rt.falconPush)
 		r.POST("/prometheus/v1/write", auth, rt.remoteWrite)