Auth fix mix req (ideal-world#381)

* add anti_replay test

* auth fix mix req

* update

* update

* update

* update

* update

* update

* update

Author: RWDai

.gitignore

@@ -55,7 +55,9 @@ node_modules
 
 #macos
 .DS_Store
+#gateway dev
 gateway/example/log
+gateway/spacegate/devsh/save-o.sh
 
 # pre-commit
 .pre-commit-config.yaml

clippy.toml

@@ -1,4 +1,5 @@
 too-many-arguments-threshold = 12
 # fixed: variant name ends with the enum's name
 # like  basic/src/rbum/domain/rbum_kind_attr.rs #[derive(Clone, Debug, PartialEq, DeriveEntityModel)]
-enum-variant-name-threshold = 6
+enum-variant-name-threshold = 6
+allow-unwrap-in-tests = true

gateway/spacegate/Cargo.toml

@@ -35,7 +35,7 @@ spacegate-kernel = { git = "https://github.com/ideal-world/spacegate.git", featu
 
 jsonpath-rust = "0.3.1"
 bios-auth = { path = "../../support/auth" }
-tardis = { workspace = true, features = ["web-server", "web-client"] }
+tardis = { workspace = true, features = ["web-client"] }
 ipnet = "2.8.0"
 [dev-dependencies]
 tardis = { workspace = true, features = ["test", "web-client"] }

gateway/spacegate/src/main.rs

@@ -8,11 +8,11 @@ mod plugin;
 async fn main() -> TardisResult<()> {
     TardisFuns::init_log()?;
     let namespaces = std::env::args().nth(1).map(Some).unwrap_or(None);
-    spacegate_kernel::register_filter_def(auth::CODE, Box::new(auth::SgFilterAuthDef));
+    spacegate_kernel::register_filter_def(audit_log::CODE, Box::new(audit_log::SgFilterAuditLogDef));
     spacegate_kernel::register_filter_def(ip_time::CODE, Box::new(ip_time::SgFilterIpTimeDef));
     spacegate_kernel::register_filter_def(anti_replay::CODE, Box::new(anti_replay::SgFilterAntiReplayDef));
-    spacegate_kernel::register_filter_def(audit_log::CODE, Box::new(audit_log::SgFilterAuditLogDef));
     spacegate_kernel::register_filter_def(anti_xss::CODE, Box::new(anti_xss::SgFilterAntiXSSDef));
+    spacegate_kernel::register_filter_def(auth::CODE, Box::new(auth::SgFilterAuthDef));
     spacegate_kernel::startup(true, namespaces, None).await?;
     spacegate_kernel::wait_graceful_shutdown().await
 }

gateway/spacegate/src/plugin.rs

@@ -3,3 +3,6 @@ pub mod anti_xss;
 pub mod audit_log;
 pub mod auth;
 pub mod ip_time;
+mod plugin_constants {
+    pub const BEFORE_ENCRYPT_BODY: &str = "beforeEncryptBody";
+}

gateway/spacegate/src/plugin/audit_log.rs

@@ -16,6 +16,7 @@ use spacegate_kernel::plugins::{
     filters::{BoxSgPluginFilter, SgPluginFilter, SgPluginFilterAccept, SgPluginFilterDef, SgPluginFilterInitDto},
 };
 use tardis::basic::dto::TardisContext;
+use tardis::basic::error::TardisError;
 use tardis::serde_json::{json, Value};
 
 use tardis::{
@@ -27,6 +28,8 @@ use tardis::{
     TardisFuns, TardisFunsInst,
 };
 
+use super::plugin_constants;
+
 pub const CODE: &str = "audit_log";
 pub struct SgFilterAuditLogDef;
 
@@ -46,9 +49,88 @@ pub struct SgFilterAuditLog {
     header_token_name: String,
     success_json_path: String,
     success_json_path_values: Vec<String>,
+    /// Exclude log path exact match.
+    exclude_log_path: Vec<String>,
     enabled: bool,
 }
 
+impl SgFilterAuditLog {
+    async fn get_log_content(&self, end_time: i64, ctx: &mut SgRoutePluginContext) -> TardisResult<LogParamContent> {
+        let start_time = ctx.get_ext(&get_start_time_ext_code()).and_then(|time| time.parse::<i64>().ok());
+        let body_string = if let Some(raw_body) = ctx.get_ext(plugin_constants::BEFORE_ENCRYPT_BODY) {
+            Some(raw_body)
+        } else {
+            ctx.response
+                .pop_resp_body()
+                .await?
+                .map(|body| {
+                    let body_string = String::from_utf8_lossy(&body).to_string();
+                    ctx.response.set_resp_body(body)?;
+                    Ok::<_, TardisError>(body_string)
+                })
+                .transpose()?
+        };
+        let success = match serde_json::from_str::<Value>(&body_string.unwrap_or_default()) {
+            Ok(json) => {
+                if let Ok(matching_value) = json.path(&self.success_json_path) {
+                    if let Some(matching_value) = matching_value.as_array() {
+                        let matching_value = &matching_value[0];
+                        if matching_value.is_string() {
+                            let mut is_match = false;
+                            for value in self.success_json_path_values.clone() {
+                                if Some(value.as_str()) == matching_value.as_str() {
+                                    is_match = true;
+                                    break;
+                                }
+                            }
+                            is_match
+                        } else if matching_value.is_number() {
+                            let mut is_match = false;
+                            for value in self.success_json_path_values.clone() {
+                                let value = value.parse::<i64>();
+                                if value.is_ok() && value.ok() == matching_value.as_i64() {
+                                    is_match = true;
+                                    break;
+                                }
+                            }
+                            is_match
+                        } else {
+                            false
+                        }
+                    } else {
+                        false
+                    }
+                } else {
+                    false
+                }
+            }
+            Err(_) => false,
+        };
+        Ok(LogParamContent {
+            op: ctx.request.get_req_method().to_string(),
+            key: None,
+            name: ctx.get_cert_info().and_then(|info| info.account_name.clone()).unwrap_or_default(),
+            user_id: ctx.get_cert_info().map(|info| info.account_id.clone()),
+            role: ctx.get_cert_info().map(|info| info.roles.clone()).unwrap_or_default(),
+            ip: if let Some(real_ips) = ctx.request.get_req_headers().get("X-Forwarded-For") {
+                real_ips
+                    .to_str()
+                    .ok()
+                    .and_then(|ips| ips.split(',').collect::<Vec<_>>().first().map(|ip| ip.to_string()))
+                    .unwrap_or(ctx.request.get_req_remote_addr().ip().to_string())
+            } else {
+                ctx.request.get_req_remote_addr().ip().to_string()
+            },
+            path: ctx.request.get_req_uri_raw().path().to_string(),
+            scheme: ctx.request.get_req_uri_raw().scheme_str().unwrap_or("http").to_string(),
+            token: ctx.request.get_req_headers().get(&self.header_token_name).and_then(|v| v.to_str().ok().map(|v| v.to_string())),
+            server_timing: start_time.map(|st| end_time - st),
+            resp_status: ctx.response.get_resp_status_code().as_u16().to_string(),
+            success,
+        })
+    }
+}
+
 impl Default for SgFilterAuditLog {
     fn default() -> Self {
         Self {
@@ -59,6 +141,7 @@ impl Default for SgFilterAuditLog {
             success_json_path: "$.code".to_string(),
             enabled: false,
             success_json_path_values: vec!["200".to_string(), "201".to_string()],
+            exclude_log_path: vec!["/starsysApi/apis".to_string()],
         }
     }
 }
@@ -74,7 +157,7 @@ impl SgPluginFilter for SgFilterAuditLog {
 
     async fn init(&mut self, _: &SgPluginFilterInitDto) -> TardisResult<()> {
         if !self.log_url.is_empty() && !self.spi_app_id.is_empty() {
-            if JsonPathInst::from_str(&self.success_json_path).map_err(|e| log::error!("[[Plugin.AuditLog]] invalid json path:{e}")).is_err() {
+            if JsonPathInst::from_str(&self.success_json_path).map_err(|e| log::error!("[Plugin.AuditLog] invalid json path:{e}")).is_err() {
                 self.enabled = false;
                 return Ok(());
             };
@@ -87,6 +170,7 @@ impl SgPluginFilter for SgFilterAuditLog {
                 },
             )?;
         } else {
+            log::warn!("[Plugin.AuditLog] plugin is not active, miss log_url or spi_app_id.");
             self.enabled = false;
         }
         Ok(())
@@ -103,66 +187,36 @@ impl SgPluginFilter for SgFilterAuditLog {
 
     async fn resp_filter(&self, _: &str, mut ctx: SgRoutePluginContext) -> TardisResult<(bool, SgRoutePluginContext)> {
         if self.enabled {
+            let path = ctx.request.get_req_uri_raw().path().to_string();
+            for exclude_path in self.exclude_log_path.clone() {
+                if exclude_path == path {
+                    return Ok((true, ctx));
+                }
+            }
             let funs = get_tardis_inst();
-            let start_time = ctx.get_ext(&get_start_time_ext_code()).and_then(|time| time.parse::<i64>().ok());
             let end_time = tardis::chrono::Utc::now().timestamp_millis();
             let spi_ctx = TardisContext {
                 owner: ctx.get_cert_info().map(|info| info.account_id.clone()).unwrap_or_default(),
                 roles: ctx.get_cert_info().map(|info| info.roles.clone().into_iter().map(|r| r.id).collect()).unwrap_or_default(),
                 ..Default::default()
             };
             let op = ctx.request.get_req_method().to_string();
-            let resp_body = ctx.response.pop_resp_body().await?;
-            let success = match resp_body {
-                Some(body) => {
-                    let body_string = String::from_utf8_lossy(&body).to_string();
-                    let result = match serde_json::from_str::<Value>(&body_string) {
-                        Ok(json) => {
-                            if let Ok(matching_value) = json.path(&self.success_json_path) {
-                                if matching_value.is_number() && matching_value.is_string() {
-                                    let mut is_match = false;
-                                    for value in self.success_json_path_values.clone() {
-                                        if value == matching_value {
-                                            is_match = true;
-                                            break;
-                                        }
-                                    }
-                                    is_match
-                                } else {
-                                    false
-                                }
-                            } else {
-                                false
-                            }
-                        }
-                        Err(_) => false,
-                    };
-                    ctx.response.set_resp_body(body)?;
-                    result
-                }
-                None => false,
-            };
-            let content = LogParamContent {
-                op: op.clone(),
-                key: None,
-                name: ctx.get_cert_info().and_then(|info| info.account_name.clone()).unwrap_or_default(),
-                user_id: ctx.get_cert_info().map(|info| info.account_id.clone()),
-                role: ctx.get_cert_info().map(|info| info.roles.clone()).unwrap_or_default(),
-                ip: ctx.request.get_req_remote_addr().ip().to_string(),
-                token: ctx.request.get_req_headers().get(&self.header_token_name).and_then(|v| v.to_str().ok().map(|v| v.to_string())),
-                server_timing: start_time.map(|st| end_time - st),
-                success,
-            };
+
+            let content = self.get_log_content(end_time, &mut ctx).await?;
+
             let log_ext = json!({
                 "name":content.name,
                 "id":content.user_id,
                 "ip":content.ip,
                 "op":op.clone(),
+                "path":content.path,
+                "resp_status": content.resp_status,
                 "success":content.success,
             });
+            let tag = self.tag.clone();
             tokio::spawn(async move {
                 match spi_log_client::SpiLogClient::add(
-                    "tag",
+                    &tag,
                     &TardisFuns::json.obj_to_string(&content).unwrap_or_default(),
                     Some(log_ext),
                     None,
@@ -181,7 +235,7 @@ impl SgPluginFilter for SgFilterAuditLog {
                         log::trace!("[Plugin.AuditLog] add log success")
                     }
                     Err(e) => {
-                        log::trace!("[Plugin.AuditLog] failed to add log:{e}")
+                        log::warn!("[Plugin.AuditLog] failed to add log:{e}")
                     }
                 };
             });
@@ -209,8 +263,97 @@ pub struct LogParamContent {
     pub user_id: Option<String>,
     pub role: Vec<SGRoleInfo>,
     pub ip: String,
+    pub path: String,
+    pub scheme: String,
     pub token: Option<String>,
     pub server_timing: Option<i64>,
+    pub resp_status: String,
     //Indicates whether the business operation was successful.
     pub success: bool,
 }
+
+#[cfg(test)]
+mod test {
+    use spacegate_kernel::{
+        http::{HeaderName, Uri},
+        hyper::{Body, HeaderMap, Method, StatusCode, Version},
+        plugins::context::SgRoutePluginContext,
+    };
+    use tardis::tokio;
+
+    use crate::plugin::audit_log::get_start_time_ext_code;
+
+    use super::SgFilterAuditLog;
+
+    #[tokio::test]
+    async fn test_log_content() {
+        let sg_filter_audit_log = SgFilterAuditLog { ..Default::default() };
+        let end_time = 20100;
+        let mut header = HeaderMap::new();
+        header.insert(sg_filter_audit_log.header_token_name.parse::<HeaderName>().unwrap(), "aaa".parse().unwrap());
+        let mut ctx = SgRoutePluginContext::new_http(
+            Method::POST,
+            Uri::from_static("http://sg.idealworld.group/test1"),
+            Version::HTTP_11,
+            header,
+            Body::from(""),
+            "127.0.0.1:8080".parse().unwrap(),
+            "".to_string(),
+            None,
+        );
+        ctx.set_ext(&get_start_time_ext_code(), &20000.to_string());
+        let mut ctx = ctx.resp(StatusCode::OK, HeaderMap::new(), Body::from(r##"{"code":"200","msg":"success"}"##));
+        let log_content = sg_filter_audit_log.get_log_content(end_time, &mut ctx).await.unwrap();
+        assert_eq!(log_content.token, Some("aaa".to_string()));
+        assert_eq!(log_content.server_timing, Some(100));
+        assert!(log_content.success);
+
+        let mut header = HeaderMap::new();
+        header.insert(sg_filter_audit_log.header_token_name.parse::<HeaderName>().unwrap(), "aaa".parse().unwrap());
+        let ctx = SgRoutePluginContext::new_http(
+            Method::POST,
+            Uri::from_static("http://sg.idealworld.group/test1"),
+            Version::HTTP_11,
+            header,
+            Body::from(""),
+            "127.0.0.1:8080".parse().unwrap(),
+            "".to_string(),
+            None,
+        );
+        let mut ctx = ctx.resp(StatusCode::OK, HeaderMap::new(), Body::from(r##"{"code":200,"msg":"success"}"##));
+        let log_content = sg_filter_audit_log.get_log_content(end_time, &mut ctx).await.unwrap();
+        assert!(log_content.success);
+
+        let mut header = HeaderMap::new();
+        header.insert(sg_filter_audit_log.header_token_name.parse::<HeaderName>().unwrap(), "aaa".parse().unwrap());
+        let ctx = SgRoutePluginContext::new_http(
+            Method::POST,
+            Uri::from_static("http://sg.idealworld.group/test1"),
+            Version::HTTP_11,
+            header,
+            Body::from(""),
+            "127.0.0.1:8080".parse().unwrap(),
+            "".to_string(),
+            None,
+        );
+        let mut ctx = ctx.resp(StatusCode::OK, HeaderMap::new(), Body::from(r##"{"code":"500","msg":"not success"}"##));
+        let log_content = sg_filter_audit_log.get_log_content(end_time, &mut ctx).await.unwrap();
+        assert!(!log_content.success);
+
+        let mut header = HeaderMap::new();
+        header.insert(sg_filter_audit_log.header_token_name.parse::<HeaderName>().unwrap(), "aaa".parse().unwrap());
+        let ctx = SgRoutePluginContext::new_http(
+            Method::POST,
+            Uri::from_static("http://sg.idealworld.group/test1"),
+            Version::HTTP_11,
+            header,
+            Body::from(""),
+            "127.0.0.1:8080".parse().unwrap(),
+            "".to_string(),
+            None,
+        );
+        let mut ctx = ctx.resp(StatusCode::OK, HeaderMap::new(), Body::from(r##"{"code":500,"msg":"not success"}"##));
+        let log_content = sg_filter_audit_log.get_log_content(end_time, &mut ctx).await.unwrap();
+        assert!(!log_content.success);
+    }
+}