Merge pull request #10703 from fcfang123/issue-10663

feat：oauth2 增加密码模式 #10663
TencentBlueKing · Sep 26, 2024 · e1b68e6 · e1b68e6
2 parents e94031e + 970b815
commit e1b68e6
Show file tree

Hide file tree

Showing 33 changed files with 314 additions and 152 deletions.
diff --git a/scripts/bkenv.properties b/scripts/bkenv.properties
@@ -1,5 +1,4 @@
 # ci.env template, generated at 2021-09-09 16:40:32
-
 ##########
 # 0-依赖声明
 ##########
@@ -75,7 +74,8 @@ BK_CI_MONITOR_REGISTER=false
 BK_CI_MONITOR_URL=
 # BK_CI_MONITOR_URL 监控对接权限中心SYSTEM_ID，无默认值. 无需修改. 声明依赖, 蓝鲸环境下会自动填充. 其他环境无需填写.
 BK_CI_MONITOR_IAM_SYSTEM=
-
+# BK_CI_AUTH_AES_AUTH_KEY 加密Key值，初始值为I4U1SzSNRaDYufbE，若用到oauth2密码模式，最好对该值进行修改。
+BK_CI_AUTH_AES_AUTH_KEY=I4U1SzSNRaDYufbE
 ##########
 # 1-基础配置
 ##########
@@ -149,7 +149,6 @@ BK_ESB_HOST=
 BK_CI_PUBLIC_PATH=""
 # BK_CI_FRONTEND_INDEX
 BK_CI_FRONTEND_INDEX="rewrite .* /\$subsystem/index.html break"
-
 ##########
 # 2-公共依赖
 ##########
@@ -231,7 +230,6 @@ BK_CI_KUBERNETES_WEBCONSOLE_PROXY=
 BK_CI_SM4_KEY=s31^dDjd!3k
 # BK_CI_SM4_ENABLED
 BK_CI_SM4_ENABLED=false
-
 ##########
 # 3-微服务配置
 ##########
@@ -310,7 +308,7 @@ BK_CI_PROJECT_ROUTER_TAG=$BK_CI_CONSUL_DISCOVERY_TAG
 # BK_CI_STREAM_URL stream独立页面地址
 BK_CI_STREAM_URL=
 # BK_CI_GIT_GITHUB_URL stream当前对接的Git源的类型如 CODE_GIT GITHUB 等，参考代码中的ScmType
-BK_CI_STREAM_SCM_TYPE= CODE_GIT
+BK_CI_STREAM_SCM_TYPE=CODE_GIT
 # BK_CI_GIT_GITCODE_URL stream跳转时用到的git url地址
 BK_CI_STREAM_GIT_URL=
 # BK_CI_STREAM_REPORT_PREFIX stream展示报告时的前置链接
@@ -363,7 +361,6 @@ BK_CI_OPENAPI_VERIFY_PROJECT=false
 BK_CI_AUDIT_ENABLED=false
 # 是否开启构建记录清理
 BK_CI_BUILD_DATA_CLEAR_SWITCH=false
-
 ##########
 # 4-微服务依赖
 ##########
@@ -473,7 +470,6 @@ BK_CI_API_TOKEN_EXPIRED_MILLISECOND=86400000
 BK_CI_DISPATCH_KUBERNETES_NS=default
 # BK_CI_DISPATCH_THIRD_AGENT_WORKER_ERROR_TEMPLATE dispatch服务发送worker启动失败的模板名称，无需修改
 BK_CI_DISPATCH_THIRD_AGENT_WORKER_ERROR_TEMPLATE=THIRD_AGENT_WORKER_ERROR
-
 ##########
 # 5-api port
 ##########

diff --git a/...-auth/src/main/kotlin/com/tencent/devops/auth/api/oauth2/Oauth2ServiceEndpointResource.kt b/...-auth/src/main/kotlin/com/tencent/devops/auth/api/oauth2/Oauth2ServiceEndpointResource.kt
@@ -1,6 +1,7 @@
 package com.tencent.devops.auth.api.oauth2
 
 import com.tencent.devops.auth.pojo.Oauth2AccessTokenRequest
+import com.tencent.devops.auth.pojo.dto.ClientDetailsDTO
 import com.tencent.devops.auth.pojo.dto.Oauth2AuthorizationCodeDTO
 import com.tencent.devops.auth.pojo.vo.Oauth2AccessTokenVo
 import com.tencent.devops.auth.pojo.vo.Oauth2AuthorizationInfoVo
@@ -13,6 +14,7 @@ import io.swagger.v3.oas.annotations.tags.Tag
 import io.swagger.v3.oas.annotations.Operation
 import io.swagger.v3.oas.annotations.Parameter
 import javax.ws.rs.Consumes
+import javax.ws.rs.DELETE
 import javax.ws.rs.GET
 import javax.ws.rs.HeaderParam
 import javax.ws.rs.POST
@@ -70,9 +72,9 @@ interface Oauth2ServiceEndpointResource {
         clientSecret: String,
         @Parameter(description = "oauth2获取token请求报文体", required = true)
         accessTokenRequest: Oauth2AccessTokenRequest
-    ): Result<Oauth2AccessTokenVo?>
+    ): Result<Oauth2AccessTokenVo>
 
-    @POST
+    @GET
     @Path("/verifyAccessToken")
     @Operation(summary = "校验accessToken")
     fun verifyAccessToken(
@@ -86,4 +88,21 @@ interface Oauth2ServiceEndpointResource {
         @Parameter(description = "access token", required = true)
         accessToken: String
     ): Result<String>
+
+    @POST
+    @Path("/createClientDetails")
+    @Operation(summary = "新增Oauth2客户端信息")
+    fun createClientDetails(
+        @Parameter(description = "Oauth2客户端请求实体", required = true)
+        clientDetailsDTO: ClientDetailsDTO
+    ): Result<Boolean>
+
+    @DELETE
+    @Path("/deleteClientDetails")
+    @Operation(summary = "删除Oauth2客户端信息")
+    fun deleteClientDetails(
+        @Parameter(description = "客户端ID", required = true)
+        @QueryParam("clientId")
+        clientId: String
+    ): Result<Boolean>
 }
diff --git a/...re/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2AccessTokenRequest.kt b/...re/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2AccessTokenRequest.kt
@@ -1,13 +1,24 @@
 package com.tencent.devops.auth.pojo
 
+import com.fasterxml.jackson.annotation.JsonSubTypes
+import com.fasterxml.jackson.annotation.JsonTypeInfo
+import com.tencent.devops.auth.pojo.enum.Oauth2GrantType
 import io.swagger.v3.oas.annotations.media.Schema
 
 @Schema(title = "oauth2获取token请求报文体")
-data class Oauth2AccessTokenRequest(
-    @get:Schema(title = "授权类型", required = true)
-    val grantType: String,
-    @get:Schema(title = "授权码,用于授权码模式", required = false)
-    val code: String? = null,
-    @get:Schema(title = "refreshToken,用于刷新授权码模式", required = false)
-    val refreshToken: String? = null
+@JsonTypeInfo(
+    use = JsonTypeInfo.Id.NAME,
+    include = JsonTypeInfo.As.EXISTING_PROPERTY,
+    property = "grantType",
+    visible = true,
+    defaultImpl = Oauth2AccessTokenRequest::class
+)
+@JsonSubTypes(
+    JsonSubTypes.Type(value = Oauth2AuthorizationCodeRequest::class, name = Oauth2AuthorizationCodeRequest.TYPE),
+    JsonSubTypes.Type(value = Oauth2PassWordRequest::class, name = Oauth2PassWordRequest.TYPE),
+    JsonSubTypes.Type(value = Oauth2RefreshTokenRequest::class, name = Oauth2RefreshTokenRequest.TYPE)
 )
+interface Oauth2AccessTokenRequest {
+    @get:Schema(title = "授权类型", required = true)
+    open val grantType: Oauth2GrantType
+}
diff --git a/...h/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2AuthorizationCodeRequest.kt b/...h/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2AuthorizationCodeRequest.kt
@@ -0,0 +1,16 @@
+package com.tencent.devops.auth.pojo
+
+import com.tencent.devops.auth.pojo.enum.Oauth2GrantType
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "授权码模式获取token请求报文体")
+data class Oauth2AuthorizationCodeRequest(
+    @get:Schema(title = "授权类型", required = true)
+    override val grantType: Oauth2GrantType,
+    @get:Schema(title = "授权码,用于授权码模式", required = false)
+    val code: String
+) : Oauth2AccessTokenRequest {
+    companion object {
+        const val TYPE = "AUTHORIZATION_CODE"
+    }
+}
diff --git a/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2PassWordRequest.kt b/.../core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2PassWordRequest.kt
@@ -0,0 +1,18 @@
+package com.tencent.devops.auth.pojo
+
+import com.tencent.devops.auth.pojo.enum.Oauth2GrantType
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "密码模式获取token请求报文体")
+data class Oauth2PassWordRequest(
+    @get:Schema(title = "授权类型", required = true)
+    override val grantType: Oauth2GrantType,
+    @get:Schema(title = "账号名称，用于密码模式", required = false)
+    val userName: String? = null,
+    @get:Schema(title = "密码，用于密码模式", required = false)
+    val passWord: String? = null
+) : Oauth2AccessTokenRequest {
+    companion object {
+        const val TYPE = "PASS_WORD"
+    }
+}
diff --git a/...e/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2RefreshTokenRequest.kt b/...e/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/Oauth2RefreshTokenRequest.kt
@@ -0,0 +1,16 @@
+package com.tencent.devops.auth.pojo
+
+import com.tencent.devops.auth.pojo.enum.Oauth2GrantType
+import io.swagger.v3.oas.annotations.media.Schema
+
+@Schema(title = "客户端模式获取token请求报文体")
+data class Oauth2RefreshTokenRequest(
+    @get:Schema(title = "授权类型", required = true)
+    override val grantType: Oauth2GrantType,
+    @get:Schema(title = "刷新码,用于刷新授权码模式", required = false)
+    val refreshToken: String
+) : Oauth2AccessTokenRequest {
+    companion object {
+        const val TYPE = "REFRESH_TOKEN"
+    }
+}
diff --git a/...i/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/ClientDetailsDTO.kt b/...i/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/ClientDetailsDTO.kt
@@ -1,5 +1,6 @@
 package com.tencent.devops.auth.pojo.dto
 
+import com.tencent.devops.auth.pojo.enum.Oauth2GrantType
 import io.swagger.v3.oas.annotations.media.Schema
 
 @Schema(title = "Oauth2客户端请求实体")
@@ -15,15 +16,15 @@ data class ClientDetailsDTO(
     @get:Schema(title = "图标")
     val icon: String,
     @get:Schema(title = "授权模式")
-    val authorizedGrantTypes: String,
+    val authorizedGrantTypes: List<Oauth2GrantType>,
     @get:Schema(title = "跳转链接")
     val webServerRedirectUri: String,
     @get:Schema(title = "access_token有效时间")
     val accessTokenValidity: Long,
     @get:Schema(title = "refresh_token有效时间")
     val refreshTokenValidity: Long,
     @get:Schema(title = "创建人")
-    val createUser: String? = null,
+    val createUser: String = "system",
     @get:Schema(title = "更新人")
-    val updateUser: String? = null
+    val updateUser: String = "system"
 )
diff --git a/...re/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/Oauth2AccessTokenDTO.kt b/...re/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/dto/Oauth2AccessTokenDTO.kt
@@ -12,6 +12,8 @@ data class Oauth2AccessTokenDTO(
     val expiredTime: Long? = null,
     @get:Schema(title = "accessToken绑定的用户名称", required = true)
     val userName: String? = null,
+    @get:Schema(title = "accessToken绑定的密码", required = true)
+    val passWord: String? = null,
     @get:Schema(title = "授权范围Id", required = true)
     val scopeId: Int
 )
diff --git a/...i/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/Oauth2GrantType.kt b/...i/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/Oauth2GrantType.kt
@@ -35,6 +35,9 @@ enum class Oauth2GrantType(val grantType: String) {
     // 客户端模式
     CLIENT_CREDENTIALS("client_credentials"),
 
+    // 密码模式
+    PASS_WORD("pass_word"),
+
     // 刷新token模式
     REFRESH_TOKEN("refresh_token");
 }
diff --git a/...ore/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthOauth2AccessTokenDao.kt b/...ore/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthOauth2AccessTokenDao.kt
@@ -14,13 +14,15 @@ class AuthOauth2AccessTokenDao {
         accessToken: String? = null,
         refreshToken: String? = null,
         userName: String? = null,
+        passWord: String? = null,
         grantType: String? = null
     ): TAuthOauth2AccessTokenRecord? {
         return with(TAuthOauth2AccessToken.T_AUTH_OAUTH2_ACCESS_TOKEN) {
             dslContext.selectFrom(this)
                 .where(CLIENT_ID.eq(clientId))
                 .apply { accessToken?.let { and(ACCESS_TOKEN.eq(it)) } }
                 .apply { userName?.let { and(USER_NAME.eq(it)) } }
+                .apply { passWord?.let { and(PASS_WORD.eq(it)) } }
                 .apply { grantType?.let { and(GRANT_TYPE.eq(it)) } }
                 .apply { refreshToken?.let { and(REFRESH_TOKEN.eq(it)) } }
                 .fetchOne()
@@ -43,6 +45,7 @@ class AuthOauth2AccessTokenDao {
         dslContext: DSLContext,
         clientId: String,
         userName: String?,
+        passWord: String?,
         grantType: String,
         accessToken: String,
         refreshToken: String? = null,
@@ -54,6 +57,7 @@ class AuthOauth2AccessTokenDao {
                 this,
                 CLIENT_ID,
                 USER_NAME,
+                PASS_WORD,
                 GRANT_TYPE,
                 ACCESS_TOKEN,
                 REFRESH_TOKEN,
@@ -62,6 +66,7 @@ class AuthOauth2AccessTokenDao {
             ).values(
                 clientId,
                 userName,
+                passWord,
                 grantType,
                 accessToken,
                 refreshToken,

diff --git a/...e/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthOauth2ClientDetailsDao.kt b/...e/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthOauth2ClientDetailsDao.kt
@@ -42,7 +42,7 @@ class AuthOauth2ClientDetailsDao {
                 clientDetailsDTO.clientName,
                 clientDetailsDTO.scope,
                 clientDetailsDTO.icon,
-                clientDetailsDTO.authorizedGrantTypes,
+                clientDetailsDTO.authorizedGrantTypes.map { it.grantType }.joinToString { "," },
                 clientDetailsDTO.webServerRedirectUri,
                 clientDetailsDTO.accessTokenValidity,
                 clientDetailsDTO.refreshTokenValidity,

diff --git a/...th/src/main/kotlin/com/tencent/devops/auth/resources/Oauth2ServiceEndpointResourceImpl.kt b/...th/src/main/kotlin/com/tencent/devops/auth/resources/Oauth2ServiceEndpointResourceImpl.kt
@@ -2,16 +2,19 @@ package com.tencent.devops.auth.resources
 
 import com.tencent.devops.auth.api.oauth2.Oauth2ServiceEndpointResource
 import com.tencent.devops.auth.pojo.Oauth2AccessTokenRequest
+import com.tencent.devops.auth.pojo.dto.ClientDetailsDTO
 import com.tencent.devops.auth.pojo.dto.Oauth2AuthorizationCodeDTO
 import com.tencent.devops.auth.pojo.vo.Oauth2AccessTokenVo
 import com.tencent.devops.auth.pojo.vo.Oauth2AuthorizationInfoVo
+import com.tencent.devops.auth.service.oauth2.Oauth2ClientService
 import com.tencent.devops.auth.service.oauth2.Oauth2EndpointService
 import com.tencent.devops.common.api.pojo.Result
 import com.tencent.devops.common.web.RestResource
 
 @RestResource
-class Oauth2ServiceEndpointResourceImpl constructor(
-    private val endpointService: Oauth2EndpointService
+class Oauth2ServiceEndpointResourceImpl(
+    private val endpointService: Oauth2EndpointService,
+    private val clientService: Oauth2ClientService
 ) : Oauth2ServiceEndpointResource {
     override fun getAuthorizationInformation(
         userId: String,
@@ -47,7 +50,7 @@ class Oauth2ServiceEndpointResourceImpl constructor(
         clientId: String,
         clientSecret: String,
         accessTokenRequest: Oauth2AccessTokenRequest
-    ): Result<Oauth2AccessTokenVo?> {
+    ): Result<Oauth2AccessTokenVo> {
         return Result(
             endpointService.getAccessToken(
                 clientId = clientId,
@@ -70,4 +73,18 @@ class Oauth2ServiceEndpointResourceImpl constructor(
             )
         )
     }
+
+    override fun createClientDetails(clientDetailsDTO: ClientDetailsDTO): Result<Boolean> {
+        return Result(
+            clientService.createClientDetails(
+                clientDetailsDTO = clientDetailsDTO
+            )
+        )
+    }
+
+    override fun deleteClientDetails(clientId: String): Result<Boolean> {
+        return Result(
+            clientService.deleteClientDetails(clientId = clientId)
+        )
+    }
 }
diff --git a/...z-auth/src/main/kotlin/com/tencent/devops/auth/service/oauth2/Oauth2AccessTokenService.kt b/...z-auth/src/main/kotlin/com/tencent/devops/auth/service/oauth2/Oauth2AccessTokenService.kt
@@ -3,15 +3,20 @@ package com.tencent.devops.auth.service.oauth2
 import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.auth.dao.AuthOauth2AccessTokenDao
 import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.util.AESUtil
 import com.tencent.devops.model.auth.tables.records.TAuthOauth2AccessTokenRecord
 import org.jooq.DSLContext
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.stereotype.Service
 
 @Service
-class Oauth2AccessTokenService constructor(
+class Oauth2AccessTokenService(
     private val oauth2AccessTokenDao: AuthOauth2AccessTokenDao,
     private val dslContext: DSLContext
 ) {
+    @Value("\${aes.auth:#{null}}")
+    private val aesKey = ""
+
     fun get(
         clientId: String,
         accessToken: String
@@ -31,13 +36,15 @@ class Oauth2AccessTokenService constructor(
         clientId: String,
         refreshToken: String? = null,
         userName: String? = null,
+        passWord: String? = null,
         grantType: String? = null
     ): TAuthOauth2AccessTokenRecord? {
         return oauth2AccessTokenDao.get(
             dslContext = dslContext,
             clientId = clientId,
             refreshToken = refreshToken,
             userName = userName,
+            passWord = passWord?.let { AESUtil.encrypt(aesKey, passWord) },
             grantType = grantType
         )
     }
@@ -46,6 +53,7 @@ class Oauth2AccessTokenService constructor(
     fun create(
         clientId: String,
         userName: String?,
+        passWord: String?,
         grantType: String,
         accessToken: String,
         refreshToken: String?,
@@ -56,6 +64,7 @@ class Oauth2AccessTokenService constructor(
             dslContext = dslContext,
             clientId = clientId,
             userName = userName,
+            passWord = passWord?.let { AESUtil.encrypt(aesKey, passWord) },
             grantType = grantType,
             accessToken = accessToken,
             refreshToken = refreshToken,