github
/
halo
mirror of https://github.com/halo-dev/halo
1
0
Fork 0
Code Issues Releases Wiki Activity

chore: temporarily disable JWT authentication function (#2804) 

#### What type of PR is this?
/kind improvement
/area core
/kind api-change

#### What this PR does / why we need it:
- 暂时关闭 JWT 认证功能,`POST /api/auth/token` API 将失效。
- 移除  `halo.security.oauth2.jwt` 配置,公私钥放在 classpath 只是之前还没有 halo work dir 时的临时方案
- Disable  JWT 相关的单元测试

后续会 Revert 此 PR。

#### Special notes for your reviewer:
how to test it?
1. 期望 `/api/auth/token` 失效
2. 期望 Console 登录功能没问题

/cc @halo-dev/sig-halo 
#### Does this PR introduce a user-facing change?

```release-note
None
```
pull/2806/head
guqing 2022-11-30 18:21:47 +08:00 committed by GitHub
parent 5aff60d5b4
commit bd02d9bb3b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 13 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/run/halo/app/Application.java
View File

@ -6,7 +6,6 @@ import org.springframework.boot.autoconfigure.integration.IntegrationAutoConfigu
import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.scheduling.annotation.EnableScheduling; import org.springframework.scheduling.annotation.EnableScheduling;
import run.halo.app.infra.properties.HaloProperties; import run.halo.app.infra.properties.HaloProperties;
import run.halo.app.infra.properties.JwtProperties;
/** /**
* Halo main class. * Halo main class.
@ -19,7 +18,7 @@ import run.halo.app.infra.properties.JwtProperties;
@EnableScheduling @EnableScheduling
@SpringBootApplication(scanBasePackages = "run.halo.app", exclude = @SpringBootApplication(scanBasePackages = "run.halo.app", exclude =
IntegrationAutoConfiguration.class) IntegrationAutoConfiguration.class)
@EnableConfigurationProperties({HaloProperties.class, JwtProperties.class}) @EnableConfigurationProperties({HaloProperties.class})
public class Application { public class Application {
public static void main(String[] args) { public static void main(String[] args) {

38
src/main/java/run/halo/app/config/WebServerSecurityConfig.java
View File

@ -3,10 +3,6 @@ package run.halo.app.config;
import static org.springframework.security.config.Customizer.withDefaults; import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN; import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import org.springframework.beans.factory.ObjectProvider; import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
@ -18,18 +14,12 @@ import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService; import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
import run.halo.app.core.extension.service.RoleService; import run.halo.app.core.extension.service.RoleService;
import run.halo.app.core.extension.service.UserService; import run.halo.app.core.extension.service.UserService;
import run.halo.app.extension.ReactiveExtensionClient; import run.halo.app.extension.ReactiveExtensionClient;
import run.halo.app.infra.AnonymousUserConst; import run.halo.app.infra.AnonymousUserConst;
import run.halo.app.infra.properties.HaloProperties; import run.halo.app.infra.properties.HaloProperties;
import run.halo.app.infra.properties.JwtProperties;
import run.halo.app.security.DefaultUserDetailService; import run.halo.app.security.DefaultUserDetailService;
import run.halo.app.security.SuperAdminInitializer; import run.halo.app.security.SuperAdminInitializer;
import run.halo.app.security.authentication.SecurityConfigurer; import run.halo.app.security.authentication.SecurityConfigurer;
@ -44,12 +34,6 @@ import run.halo.app.security.authorization.RequestInfoAuthorizationManager;
@EnableWebFluxSecurity @EnableWebFluxSecurity
public class WebServerSecurityConfig { public class WebServerSecurityConfig {
private final JwtProperties jwtProp;
public WebServerSecurityConfig(JwtProperties jwtProp) {
this.jwtProp = jwtProp;
}
@Bean @Bean
@Order(Ordered.HIGHEST_PRECEDENCE) @Order(Ordered.HIGHEST_PRECEDENCE)
SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http, SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http,
@ -68,9 +52,7 @@ public class WebServerSecurityConfig {
anonymousSpec.authorities(AnonymousUserConst.Role); anonymousSpec.authorities(AnonymousUserConst.Role);
anonymousSpec.principal(AnonymousUserConst.PRINCIPAL); anonymousSpec.principal(AnonymousUserConst.PRINCIPAL);
}) })
.httpBasic(withDefaults()) .httpBasic(withDefaults());
// for reuse the JWT authentication
.oauth2ResourceServer().jwt();
// Integrate with other configurers separately // Integrate with other configurers separately
securityConfigurers.orderedStream() securityConfigurers.orderedStream()
@ -90,24 +72,6 @@ public class WebServerSecurityConfig {
return PasswordEncoderFactories.createDelegatingPasswordEncoder(); return PasswordEncoderFactories.createDelegatingPasswordEncoder();
} }
@Bean
ReactiveJwtDecoder jwtDecoder() {
return new SupplierReactiveJwtDecoder(
() -> NimbusReactiveJwtDecoder.withPublicKey(jwtProp.getPublicKey())
.signatureAlgorithm(jwtProp.getJwsAlgorithm())
.build());
}
@Bean
JwtEncoder jwtEncoder() {
var rsaKey = new RSAKey.Builder(jwtProp.getPublicKey())
.privateKey(jwtProp.getPrivateKey())
.algorithm(JWSAlgorithm.parse(jwtProp.getJwsAlgorithm().getName()))
.build();
var jwks = new ImmutableJWKSet<>(new JWKSet(rsaKey));
return new NimbusJwtEncoder(jwks);
}
@Bean @Bean
@ConditionalOnProperty(name = "halo.security.initializer.disabled", @ConditionalOnProperty(name = "halo.security.initializer.disabled",
havingValue = "false", havingValue = "false",

2
src/main/java/run/halo/app/infra/properties/JwtProperties.java
View File

@ -7,7 +7,6 @@ import java.io.InputStream;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey; import java.security.interfaces.RSAPublicKey;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException; import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
import org.springframework.core.io.Resource; import org.springframework.core.io.Resource;
import org.springframework.security.converter.RsaKeyConverters; import org.springframework.security.converter.RsaKeyConverters;
@ -21,7 +20,6 @@ import org.springframework.validation.annotation.Validated;
* @author johnniang * @author johnniang
* @date 2022-04-12 * @date 2022-04-12
*/ */
@ConfigurationProperties(prefix = "halo.security.oauth2.jwt")
@Validated @Validated
public class JwtProperties { public class JwtProperties {

5
src/main/java/run/halo/app/security/authentication/jwt/JwtAuthenticationConfigurer.java
View File

@ -13,12 +13,13 @@ import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter; import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher; import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher; import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.server.ServerResponse; import org.springframework.web.reactive.function.server.ServerResponse;
import run.halo.app.infra.properties.JwtProperties; import run.halo.app.infra.properties.JwtProperties;
import run.halo.app.security.authentication.SecurityConfigurer; import run.halo.app.security.authentication.SecurityConfigurer;
@Component /**
* TODO: Use It after 2.0.0.
*/
public class JwtAuthenticationConfigurer implements SecurityConfigurer { public class JwtAuthenticationConfigurer implements SecurityConfigurer {
private final ReactiveUserDetailsService userDetailsService; private final ReactiveUserDetailsService userDetailsService;

28
src/main/resources/app.key
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOjnDY1K1lrOrK
ETfKfDlVGVbPCiy+TDmTaXg4SWjdHUpXfqbXMkSX/j2dJ/ECqb/FtsvVxiSwRieG
3MWDKWlNRz0C0QKrsoDYbcvLf68uc7L5eKFZhu0AkXP4T5BIbdMXH8V0+5e+6R+n
eHahFhMyaiYoHVrPMrW2Jn9iWIXuNTDpg9VFhejN4jG1wQqIu1puKeGYPQvtfNO5
Ef5cQdEFCvFfuDQvNhLgI1f798qY6EVFfRo2S3LLCut3wfDzRZiUN4Kz8qYz42Zv
97GS1gW/lfcEsmBApov9xiIaUzUECN35XbZYMK5Y4gfhAseZ+tlj+YarEiPjAtL1
JPUehCmRAgMBAAECggEAKmaI+ammsoFtbO9d4X3gkvxxmmx/RM0G4KC84ekH0qPp
l85S10flVsIEydbiHWbVC/P7IbXb4Cd2g7OcA9GjYQ6nkoVvI+mvkz3uoKZkQofT
jGxbyrHswroY8Tb76jJJK60E7n+a5cCbE9ihmW2boTSzAncMJg5FyM9cRMbhL0Vz
h90/gE2U8awQ8Ug47BN1Dk/awxB9f5zVqI+LCGC0Py0/oQudjSaqPihydTsuqkhV
xNu3NMcL/POt9WxmYyJFDJRW3+EYraPumdUsIWw8p4JJDt1jkyNpSbjGhu8vzRYX
0QSo1pa3VrDY4guEMk4RdJsKJDqQPTvCTTgDYBzFlQKBgQDq98CRLTwqHSEWyVKN
0KRujhVAVEmLDvPxZ2tVaMM37RanCHYSfHLiYCD54rUv7BFWjQ+hfq3iHUpgrefN
KRS9e01mT0f24sAsWfhrFzrhlHaQStFgOw4uvwIDCfzrBeQQsqcAvWSjNr8CqSMX
UIGz9oB6EP39PT3QxT3oYf3ItwKBgQDhC6WN78+0sf2zlptQ7V02eWaRfePtQfmb
ow3c9aF8V7sSwDzjInqV5Bva4RyftYRTYZttBiANjGZ1pSNPi/2p7b+0hxJ1pPf8
6VcFDJBGLbFYNDWOux13KRJToMY0ckzSeBXgkWLVFSfESuoXzy+8bj5eMavJLg6L
2Ek6q6mH9wKBgBZmmE0+6sV5EXaCqwQqKAMCOLRxVLGVM1yIZ4s0+aeTSt2RyO/q
PWmnkH1CR9PRxbVirWLQGPO9pyGgcsD0ca2+25otZMb8xyVzTmOnS03GQadv+pYa
CzgZra9sfFhLr3qIDbPcWoPU7FDsnxPR8QufLJB2nkBOXl5Q753/+ZnxAoGBAI47
GisWwaNmSv3R1d/T5PGk0Jprgj5VUDh5WS2pYKKBoA49yT2UcP2C6cfwNnMJ+dPp
AJ5rHJ7zeV4pPKPtyig3xs2GALixxrnlj8X1Jsnz3v3sIV1QDVNedeK83ggPpVXv
54PC3z/k2vlIj6L0oyroUiqeIgBIR5FC5SVbkQ4JAoGBAOEGQkqw1xR3fd27J6/R
s9hOhItPnjExf5yqeg0nbZYIGd+6PiaVBBWUefZDDS79KUwTiqiHGP7iEVghJr9C
xJI9odzY8WQJ+Q9ZQy1VQfP5mkRUTTkABhykXfWsHckO7yP6c3kwNIOOki8QPrmY
3GKNb5HtQVpazCvrB5PFh65g
-----END PRIVATE KEY-----

9
src/main/resources/app.pub
View File

@ -1,9 +0,0 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzo5w2NStZazqyhE3ynw5
VRlWzwosvkw5k2l4OElo3R1KV36m1zJEl/49nSfxAqm/xbbL1cYksEYnhtzFgylp
TUc9AtECq7KA2G3Ly3+vLnOy+XihWYbtAJFz+E+QSG3TFx/FdPuXvukfp3h2oRYT
MmomKB1azzK1tiZ/YliF7jUw6YPVRYXozeIxtcEKiLtabinhmD0L7XzTuRH+XEHR
BQrxX7g0LzYS4CNX+/fKmOhFRX0aNktyywrrd8Hw80WYlDeCs/KmM+Nmb/exktYF
v5X3BLJgQKaL/cYiGlM1BAjd+V22WDCuWOIH4QLHmfrZY/mGqxIj4wLS9ST1HoQp
kQIDAQAB
-----END PUBLIC KEY-----

5
src/main/resources/application-dev.yaml
View File

@ -17,11 +17,6 @@ halo:
initializer: initializer:
super-admin-username: admin super-admin-username: admin
super-admin-password: admin super-admin-password: admin
oauth2:
jwt:
jwsAlgorithm: rs512
public-key-location: classpath:app.pub
private-key-location: classpath:app.key
plugin: plugin:
runtime-mode: development # development, deployment runtime-mode: development # development, deployment
classes-directories: classes-directories:

5
src/main/resources/application.yaml
View File

@ -17,11 +17,6 @@ spring:
halo: halo:
external-url: "http://${server.address:localhost}:${server.port}" external-url: "http://${server.address:localhost}:${server.port}"
security:
oauth2:
jwt:
public-key-location: classpath:app.pub
private-key-location: classpath:app.key
work-dir: ${user.home}/.halo2 work-dir: ${user.home}/.halo2
plugin: plugin:
plugins-root: ${halo.work-dir}/plugins plugins-root: ${halo.work-dir}/plugins

2
src/test/java/run/halo/app/security/SuperAdminInitializerTest.java
View File

@ -4,6 +4,7 @@ import static org.mockito.ArgumentMatchers.argThat;
import static org.mockito.Mockito.times; import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase; import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase;
@ -17,6 +18,7 @@ import run.halo.app.core.extension.RoleBinding;
import run.halo.app.core.extension.User; import run.halo.app.core.extension.User;
import run.halo.app.extension.ReactiveExtensionClient; import run.halo.app.extension.ReactiveExtensionClient;
@Disabled
@SpringBootTest(properties = {"halo.security.initializer.disabled=false", @SpringBootTest(properties = {"halo.security.initializer.disabled=false",
"halo.security.initializer.super-admin-username=fake-admin", "halo.security.initializer.super-admin-username=fake-admin",
"halo.security.initializer.super-admin-password=fake-password", "halo.security.initializer.super-admin-password=fake-password",

2
src/test/java/run/halo/app/security/authentication/jwt/JwtAuthenticationTest.java
View File

@ -9,6 +9,7 @@ import static org.springframework.security.test.web.reactive.server.SecurityMock
import java.util.List; import java.util.List;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient; import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -25,6 +26,7 @@ import run.halo.app.extension.Metadata;
import run.halo.app.infra.AnonymousUserConst; import run.halo.app.infra.AnonymousUserConst;
import run.halo.app.security.LoginUtils; import run.halo.app.security.LoginUtils;
@Disabled
@SpringBootTest @SpringBootTest
@AutoConfigureWebTestClient @AutoConfigureWebTestClient
class JwtAuthenticationTest { class JwtAuthenticationTest {

2
src/test/java/run/halo/app/security/authentication/jwt/LoginTest.java
View File

@ -8,6 +8,7 @@ import static org.springframework.security.test.web.reactive.server.SecurityMock
import com.nimbusds.jwt.JWTClaimNames; import com.nimbusds.jwt.JWTClaimNames;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient; import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -22,6 +23,7 @@ import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.test.web.reactive.server.WebTestClient; import org.springframework.test.web.reactive.server.WebTestClient;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
@Disabled
@SpringBootTest @SpringBootTest
@AutoConfigureWebTestClient @AutoConfigureWebTestClient
class LoginTest { class LoginTest {

2
src/test/java/run/halo/app/security/authorization/AuthorizationTest.java
View File

@ -14,6 +14,7 @@ import static org.springframework.web.reactive.function.server.RouterFunctions.r
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient; import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -41,6 +42,7 @@ import run.halo.app.extension.exception.ExtensionNotFoundException;
import run.halo.app.infra.AnonymousUserConst; import run.halo.app.infra.AnonymousUserConst;
import run.halo.app.security.LoginUtils; import run.halo.app.security.LoginUtils;
@Disabled
@SpringBootTest @SpringBootTest
@AutoConfigureWebTestClient @AutoConfigureWebTestClient
@Import(AuthorizationTest.TestConfig.class) @Import(AuthorizationTest.TestConfig.class)