chore: temporarily disable JWT authentication function (#2804)

#### What type of PR is this? /kind improvement /area core /kind api-change #### What this PR does / why we need it: - 暂时关闭 JWT 认证功能，`POST /api/auth/token` API 将失效。 - 移除 `halo.security.oauth2.jwt` 配置，公私钥放在 classpath 只是之前还没有 halo work dir 时的临时方案 - Disable JWT 相关的单元测试后续会 Revert 此 PR。 #### Special notes for your reviewer: how to test it? 1. 期望 `/api/auth/token` 失效 2. 期望 Console 登录功能没问题 /cc @halo-dev/sig-halo #### Does this PR introduce a user-facing change? ```release-note None ```
2022-11-30 18:21:47 +08:00 · 2022-11-30 18:21:47 +08:00 · bd02d9bb3b
parent 5aff60d5b4
commit bd02d9bb3b
12 changed files with 13 additions and 90 deletions
--- a/src/main/java/run/halo/app/Application.java
+++ b/src/main/java/run/halo/app/Application.java
@ -6,7 +6,6 @@ import org.springframework.boot.autoconfigure.integration.IntegrationAutoConfigu
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.scheduling.annotation.EnableScheduling;
 import run.halo.app.infra.properties.HaloProperties;
-import run.halo.app.infra.properties.JwtProperties;

 /**
 * Halo main class.
@ -19,7 +18,7 @@ import run.halo.app.infra.properties.JwtProperties;
@EnableScheduling
@SpringBootApplication(scanBasePackages = "run.halo.app", exclude =
    IntegrationAutoConfiguration.class)
-@EnableConfigurationProperties({HaloProperties.class, JwtProperties.class})
+@EnableConfigurationProperties({HaloProperties.class})
 public class Application {

    public static void main(String[] args) {
--- a/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -3,10 +3,6 @@ package run.halo.app.config;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN;

-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
@ -18,18 +14,12 @@ import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.oauth2.jwt.JwtEncoder;
-import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
-import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
-import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
-import org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.core.extension.service.UserService;
 import run.halo.app.extension.ReactiveExtensionClient;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.infra.properties.HaloProperties;
-import run.halo.app.infra.properties.JwtProperties;
 import run.halo.app.security.DefaultUserDetailService;
 import run.halo.app.security.SuperAdminInitializer;
 import run.halo.app.security.authentication.SecurityConfigurer;
@ -44,12 +34,6 @@ import run.halo.app.security.authorization.RequestInfoAuthorizationManager;
@EnableWebFluxSecurity
 public class WebServerSecurityConfig {

-    private final JwtProperties jwtProp;
-
-    public WebServerSecurityConfig(JwtProperties jwtProp) {
-        this.jwtProp = jwtProp;
-    }
-
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http,
@ -68,9 +52,7 @@ public class WebServerSecurityConfig {
                anonymousSpec.authorities(AnonymousUserConst.Role);
                anonymousSpec.principal(AnonymousUserConst.PRINCIPAL);
            })
-            .httpBasic(withDefaults())
-            // for reuse the JWT authentication
-            .oauth2ResourceServer().jwt();
+            .httpBasic(withDefaults());

        // Integrate with other configurers separately
        securityConfigurers.orderedStream()
@ -90,24 +72,6 @@ public class WebServerSecurityConfig {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

-    @Bean
-    ReactiveJwtDecoder jwtDecoder() {
-        return new SupplierReactiveJwtDecoder(
-            () -> NimbusReactiveJwtDecoder.withPublicKey(jwtProp.getPublicKey())
-                .signatureAlgorithm(jwtProp.getJwsAlgorithm())
-                .build());
-    }
-
-    @Bean
-    JwtEncoder jwtEncoder() {
-        var rsaKey = new RSAKey.Builder(jwtProp.getPublicKey())
-            .privateKey(jwtProp.getPrivateKey())
-            .algorithm(JWSAlgorithm.parse(jwtProp.getJwsAlgorithm().getName()))
-            .build();
-        var jwks = new ImmutableJWKSet<>(new JWKSet(rsaKey));
-        return new NimbusJwtEncoder(jwks);
-    }
-
    @Bean
    @ConditionalOnProperty(name = "halo.security.initializer.disabled",
        havingValue = "false",
--- a/src/main/java/run/halo/app/infra/properties/JwtProperties.java
+++ b/src/main/java/run/halo/app/infra/properties/JwtProperties.java
@ -7,7 +7,6 @@ import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
-import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
 import org.springframework.core.io.Resource;
 import org.springframework.security.converter.RsaKeyConverters;
@ -21,7 +20,6 @@ import org.springframework.validation.annotation.Validated;
 * @author johnniang
 * @date 2022-04-12
 */
-@ConfigurationProperties(prefix = "halo.security.oauth2.jwt")
@Validated
 public class JwtProperties {

--- a/src/main/java/run/halo/app/security/authentication/jwt/JwtAuthenticationConfigurer.java
+++ b/src/main/java/run/halo/app/security/authentication/jwt/JwtAuthenticationConfigurer.java
@ -13,12 +13,13 @@ import org.springframework.security.oauth2.jwt.JwtEncoder;
 import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
 import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
-import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.server.ServerResponse;
 import run.halo.app.infra.properties.JwtProperties;
 import run.halo.app.security.authentication.SecurityConfigurer;

-@Component
+/**
+ * TODO: Use It after 2.0.0.
+ */
 public class JwtAuthenticationConfigurer implements SecurityConfigurer {

    private final ReactiveUserDetailsService userDetailsService;
--- a/src/main/resources/app.key
+++ b/src/main/resources/app.key
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOjnDY1K1lrOrK
-ETfKfDlVGVbPCiy+TDmTaXg4SWjdHUpXfqbXMkSX/j2dJ/ECqb/FtsvVxiSwRieG
-3MWDKWlNRz0C0QKrsoDYbcvLf68uc7L5eKFZhu0AkXP4T5BIbdMXH8V0+5e+6R+n
-eHahFhMyaiYoHVrPMrW2Jn9iWIXuNTDpg9VFhejN4jG1wQqIu1puKeGYPQvtfNO5
-Ef5cQdEFCvFfuDQvNhLgI1f798qY6EVFfRo2S3LLCut3wfDzRZiUN4Kz8qYz42Zv
-97GS1gW/lfcEsmBApov9xiIaUzUECN35XbZYMK5Y4gfhAseZ+tlj+YarEiPjAtL1
-JPUehCmRAgMBAAECggEAKmaI+ammsoFtbO9d4X3gkvxxmmx/RM0G4KC84ekH0qPp
-l85S10flVsIEydbiHWbVC/P7IbXb4Cd2g7OcA9GjYQ6nkoVvI+mvkz3uoKZkQofT
-jGxbyrHswroY8Tb76jJJK60E7n+a5cCbE9ihmW2boTSzAncMJg5FyM9cRMbhL0Vz
-h90/gE2U8awQ8Ug47BN1Dk/awxB9f5zVqI+LCGC0Py0/oQudjSaqPihydTsuqkhV
-xNu3NMcL/POt9WxmYyJFDJRW3+EYraPumdUsIWw8p4JJDt1jkyNpSbjGhu8vzRYX
-0QSo1pa3VrDY4guEMk4RdJsKJDqQPTvCTTgDYBzFlQKBgQDq98CRLTwqHSEWyVKN
-0KRujhVAVEmLDvPxZ2tVaMM37RanCHYSfHLiYCD54rUv7BFWjQ+hfq3iHUpgrefN
-KRS9e01mT0f24sAsWfhrFzrhlHaQStFgOw4uvwIDCfzrBeQQsqcAvWSjNr8CqSMX
-UIGz9oB6EP39PT3QxT3oYf3ItwKBgQDhC6WN78+0sf2zlptQ7V02eWaRfePtQfmb
-ow3c9aF8V7sSwDzjInqV5Bva4RyftYRTYZttBiANjGZ1pSNPi/2p7b+0hxJ1pPf8
-6VcFDJBGLbFYNDWOux13KRJToMY0ckzSeBXgkWLVFSfESuoXzy+8bj5eMavJLg6L
-2Ek6q6mH9wKBgBZmmE0+6sV5EXaCqwQqKAMCOLRxVLGVM1yIZ4s0+aeTSt2RyO/q
-PWmnkH1CR9PRxbVirWLQGPO9pyGgcsD0ca2+25otZMb8xyVzTmOnS03GQadv+pYa
-CzgZra9sfFhLr3qIDbPcWoPU7FDsnxPR8QufLJB2nkBOXl5Q753/+ZnxAoGBAI47
-GisWwaNmSv3R1d/T5PGk0Jprgj5VUDh5WS2pYKKBoA49yT2UcP2C6cfwNnMJ+dPp
-AJ5rHJ7zeV4pPKPtyig3xs2GALixxrnlj8X1Jsnz3v3sIV1QDVNedeK83ggPpVXv
-54PC3z/k2vlIj6L0oyroUiqeIgBIR5FC5SVbkQ4JAoGBAOEGQkqw1xR3fd27J6/R
-s9hOhItPnjExf5yqeg0nbZYIGd+6PiaVBBWUefZDDS79KUwTiqiHGP7iEVghJr9C
-xJI9odzY8WQJ+Q9ZQy1VQfP5mkRUTTkABhykXfWsHckO7yP6c3kwNIOOki8QPrmY
-3GKNb5HtQVpazCvrB5PFh65g
-----END PRIVATE KEY-----
--- a/src/main/resources/app.pub
+++ b/src/main/resources/app.pub
@ -1,9 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzo5w2NStZazqyhE3ynw5
-VRlWzwosvkw5k2l4OElo3R1KV36m1zJEl/49nSfxAqm/xbbL1cYksEYnhtzFgylp
-TUc9AtECq7KA2G3Ly3+vLnOy+XihWYbtAJFz+E+QSG3TFx/FdPuXvukfp3h2oRYT
-MmomKB1azzK1tiZ/YliF7jUw6YPVRYXozeIxtcEKiLtabinhmD0L7XzTuRH+XEHR
-BQrxX7g0LzYS4CNX+/fKmOhFRX0aNktyywrrd8Hw80WYlDeCs/KmM+Nmb/exktYF
-v5X3BLJgQKaL/cYiGlM1BAjd+V22WDCuWOIH4QLHmfrZY/mGqxIj4wLS9ST1HoQp
-kQIDAQAB
-----END PUBLIC KEY-----
--- a/src/main/resources/application-dev.yaml
+++ b/src/main/resources/application-dev.yaml
@ -17,11 +17,6 @@ halo:
    initializer:
      super-admin-username: admin
      super-admin-password: admin
-    oauth2:
-      jwt:
-        jwsAlgorithm: rs512
-        public-key-location: classpath:app.pub
-        private-key-location: classpath:app.key
  plugin:
    runtime-mode: development # development, deployment
    classes-directories:
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@ -17,11 +17,6 @@ spring:

 halo:
  external-url: "http://${server.address:localhost}:${server.port}"
-  security:
-    oauth2:
-      jwt:
-        public-key-location: classpath:app.pub
-        private-key-location: classpath:app.key
  work-dir: ${user.home}/.halo2
  plugin:
    plugins-root: ${halo.work-dir}/plugins
--- a/src/test/java/run/halo/app/security/SuperAdminInitializerTest.java
+++ b/src/test/java/run/halo/app/security/SuperAdminInitializerTest.java
@ -4,6 +4,7 @@ import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;

+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase;
@ -17,6 +18,7 @@ import run.halo.app.core.extension.RoleBinding;
 import run.halo.app.core.extension.User;
 import run.halo.app.extension.ReactiveExtensionClient;

+@Disabled
@SpringBootTest(properties = {"halo.security.initializer.disabled=false",
    "halo.security.initializer.super-admin-username=fake-admin",
    "halo.security.initializer.super-admin-password=fake-password",
--- a/src/test/java/run/halo/app/security/authentication/jwt/JwtAuthenticationTest.java
+++ b/src/test/java/run/halo/app/security/authentication/jwt/JwtAuthenticationTest.java
@ -9,6 +9,7 @@ import static org.springframework.security.test.web.reactive.server.SecurityMock

 import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -25,6 +26,7 @@ import run.halo.app.extension.Metadata;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.security.LoginUtils;

+@Disabled
@SpringBootTest
@AutoConfigureWebTestClient
 class JwtAuthenticationTest {
--- a/src/test/java/run/halo/app/security/authentication/jwt/LoginTest.java
+++ b/src/test/java/run/halo/app/security/authentication/jwt/LoginTest.java
@ -8,6 +8,7 @@ import static org.springframework.security.test.web.reactive.server.SecurityMock

 import com.nimbusds.jwt.JWTClaimNames;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -22,6 +23,7 @@ import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import reactor.core.publisher.Mono;

+@Disabled
@SpringBootTest
@AutoConfigureWebTestClient
 class LoginTest {
--- a/src/test/java/run/halo/app/security/authorization/AuthorizationTest.java
+++ b/src/test/java/run/halo/app/security/authorization/AuthorizationTest.java
@ -14,6 +14,7 @@ import static org.springframework.web.reactive.function.server.RouterFunctions.r
 import java.util.ArrayList;
 import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -41,6 +42,7 @@ import run.halo.app.extension.exception.ExtensionNotFoundException;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.security.LoginUtils;

+@Disabled
@SpringBootTest
@AutoConfigureWebTestClient
@Import(AuthorizationTest.TestConfig.class)