Merge branch 'develop' of https://github.com/alibaba/nacos into devel…

…op-self # Conflicts: # console/src/main/resources/static/index.html # console/src/main/resources/static/js/main.js
alibaba · Nov 29, 2024 · f95ab77 · f95ab77
2 parents 99e3eaf + 2a0dafa
commit f95ab77
Show file tree

Hide file tree

Showing 188 changed files with 9,058 additions and 6,332 deletions.
diff --git a/api/src/main/java/com/alibaba/nacos/api/common/Constants.java b/api/src/main/java/com/alibaba/nacos/api/common/Constants.java
@@ -35,6 +35,8 @@ public class Constants {
 
     public static final String CLIENT_VERSION_KEY = "ClientVersion";
 
+    public static final String CLIENT_IP = "ClientIp";
+
     public static final String UNKNOWN_APP = "UnknownApp";
 
     public static final String DEFAULT_DOMAINNAME = "commonconfig.config-host.taobao.com";

diff --git a/...a/com/alibaba/nacos/api/config/remote/request/cluster/ConfigChangeClusterSyncRequest.java b/...a/com/alibaba/nacos/api/config/remote/request/cluster/ConfigChangeClusterSyncRequest.java
@@ -25,14 +25,16 @@
  * @version $Id: ConfigChangeClusterSyncRequest.java, v 0.1 2020年08月11日 4:30 PM liuzunfei Exp $
  */
 public class ConfigChangeClusterSyncRequest extends AbstractConfigRequest {
-
-    String tag;
-
+
     long lastModified;
 
+    String grayName;
+
+    @Deprecated
     boolean isBeta;
 
-    boolean isBatch;
+    @Deprecated
+    String tag;
 
     public boolean isBeta() {
         return isBeta;
@@ -42,14 +44,6 @@ public void setBeta(boolean beta) {
         isBeta = beta;
     }
 
-    public boolean isBatch() {
-        return isBatch;
-    }
-
-    public void setBatch(boolean batch) {
-        isBatch = batch;
-    }
-
     /**
      * Getter method for property <tt>tag</tt>.
      *
@@ -68,6 +62,14 @@ public void setTag(String tag) {
         this.tag = tag;
     }
 
+    public String getGrayName() {
+        return grayName;
+    }
+
+    public void setGrayName(String grayName) {
+        this.grayName = grayName;
+    }
+
     /**
      * Getter method for property <tt>lastModified</tt>.
      *

diff --git a/api/src/main/java/com/alibaba/nacos/api/config/remote/response/ConfigQueryResponse.java b/api/src/main/java/com/alibaba/nacos/api/config/remote/response/ConfigQueryResponse.java
@@ -30,6 +30,8 @@ public class ConfigQueryResponse extends Response {
 
     public static final int CONFIG_QUERY_CONFLICT = 400;
 
+    public static final int NO_RIGHT = 403;
+
     String content;
 
     String encryptedDataKey;

diff --git a/api/src/main/java/com/alibaba/nacos/api/model/v2/ErrorCode.java b/api/src/main/java/com/alibaba/nacos/api/model/v2/ErrorCode.java
@@ -90,6 +90,26 @@ public enum ErrorCode {
      */
     PARAMETER_MISMATCH(20009, "parameter mismatch"),
 
+    /**
+     * config gray request error.
+     */
+    CONFIG_GRAY_OVER_MAX_VERSION_COUNT(20010, "config gray version version over max count"),
+
+    /**
+     * config gray tag v2 rule format invalid.
+     */
+    CONFIG_GRAY_RULE_FORMAT_INVALID(20011, "config gray rule format invalid"),
+
+    /**
+     * config gray tag v2 rule version invalid.
+     */
+    CONFIG_GRAY_VERSION_INVALID(20012, "config gray rule version invalid"),
+
+    /**
+     * config gray request error.
+     */
+    CONFIG_GRAY_NAME_UNRECOGNIZED_ERROR(20013, "config gray name not recognized"),
+
     /**
      *  service name error.
      */

diff --git a/api/src/main/java/com/alibaba/nacos/api/remote/request/RequestMeta.java b/api/src/main/java/com/alibaba/nacos/api/remote/request/RequestMeta.java
@@ -18,9 +18,11 @@
 
 import com.alibaba.nacos.api.ability.constant.AbilityKey;
 import com.alibaba.nacos.api.ability.constant.AbilityStatus;
+import com.alibaba.nacos.api.common.Constants;
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 
 /**
  * RequestMeta info.
@@ -38,6 +40,8 @@ public class RequestMeta {
 
     private Map<String, String> labels = new HashMap<>();
 
+    private Map<String, String> appLabels = new HashMap<>();
+
     private Map<String, Boolean> abilityTable;
 
     public AbilityStatus getConnectionAbility(AbilityKey abilityKey) {
@@ -90,6 +94,35 @@ public Map<String, String> getLabels() {
      */
     public void setLabels(Map<String, String> labels) {
         this.labels = labels;
+        extractAppLabels();
+    }
+
+    private void extractAppLabels() {
+        HashMap<String, String> applabelsMap = new HashMap<String, String>(8) {
+            {
+                put(Constants.APPNAME, labels.get(Constants.APPNAME));
+                put(Constants.CLIENT_VERSION_KEY, clientVersion);
+                put(Constants.CLIENT_IP, clientIp);
+            }
+        };
+        labels.entrySet().stream().filter(Objects::nonNull).filter(e -> e.getKey().startsWith(Constants.APP_CONN_PREFIX)
+                        && e.getKey().length() > Constants.APP_CONN_PREFIX.length() && !e.getValue().trim().isEmpty())
+                .forEach(entry -> {
+                    applabelsMap.putIfAbsent(entry.getKey().substring(Constants.APP_CONN_PREFIX.length()),
+                            entry.getValue());
+                });
+        this.appLabels = applabelsMap;
+    }
+
+    /**
+     * get labels map with filter of starting with prefix #{@link Constants#APP_CONN_PREFIX} and return a new map trim
+     * the prefix #{@link Constants#APP_CONN_PREFIX}.
+     *
+     * @return map of labels.
+     * @date 2024/2/29
+     */
+    public Map<String, String> getAppLabels() {
+        return appLabels;
     }
 
     /**

diff --git a/...m/alibaba/nacos/api/config/remote/request/cluster/ConfigChangeClusterSyncRequestTest.java b/...m/alibaba/nacos/api/config/remote/request/cluster/ConfigChangeClusterSyncRequestTest.java
@@ -40,7 +40,6 @@ void before() {
         configChangeClusterSyncRequest.setTag(TAG);
         configChangeClusterSyncRequest.setBeta(Boolean.TRUE);
         configChangeClusterSyncRequest.setLastModified(0L);
-        configChangeClusterSyncRequest.setBatch(false);
         configChangeClusterSyncRequest.putAllHeader(HEADERS);
         requestId = injectRequestUuId(configChangeClusterSyncRequest);
     }

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/AbstractProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/AbstractProtocolAuthService.java
@@ -18,7 +18,12 @@
 
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityChecker;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityCheckerHolder;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
 import com.alibaba.nacos.auth.util.Loggers;
+import com.alibaba.nacos.common.utils.StringUtils;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Permission;
 import com.alibaba.nacos.plugin.auth.api.Resource;
@@ -42,8 +47,16 @@ public abstract class AbstractProtocolAuthService<R> implements ProtocolAuthServ
 
     protected final AuthConfigs authConfigs;
 
+    protected final ServerIdentityChecker checker;
+
     protected AbstractProtocolAuthService(AuthConfigs authConfigs) {
         this.authConfigs = authConfigs;
+        this.checker = ServerIdentityCheckerHolder.getInstance().getChecker();
+    }
+
+    @Override
+    public void initialize() {
+        this.checker.init(authConfigs);
     }
 
     @Override
@@ -78,6 +91,30 @@ public boolean validateAuthority(IdentityContext identityContext, Permission per
         return true;
     }
 
+    @Override
+    public ServerIdentityResult checkServerIdentity(R request, Secured secured) {
+        if (isInvalidServerIdentity()) {
+            return ServerIdentityResult.fail(
+                    "Invalid server identity key or value, Please make sure set `nacos.core.auth.server.identity.key`"
+                            + " and `nacos.core.auth.server.identity.value`, or open `nacos.core.auth.enable.userAgentAuthWhite`");
+        }
+        ServerIdentity serverIdentity = parseServerIdentity(request);
+        return checker.check(serverIdentity, secured);
+    }
+
+    private boolean isInvalidServerIdentity() {
+        return StringUtils.isBlank(authConfigs.getServerIdentityKey()) || StringUtils.isBlank(
+                authConfigs.getServerIdentityValue());
+    }
+
+    /**
+     * Parse server identity from protocol request.
+     *
+     * @param request protocol request
+     * @return nacos server identity.
+     */
+    protected abstract ServerIdentity parseServerIdentity(R request);
+
     /**
      * Get resource from secured annotation specified resource.
      *

diff --git a/auth/src/main/java/com/alibaba/nacos/auth/GrpcProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/GrpcProtocolAuthService.java
@@ -18,6 +18,7 @@
 
 import com.alibaba.nacos.api.remote.request.Request;
 import com.alibaba.nacos.auth.annotation.Secured;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Resource;
 import com.alibaba.nacos.auth.config.AuthConfigs;
@@ -51,6 +52,7 @@ public GrpcProtocolAuthService(AuthConfigs authConfigs) {
 
     @Override
     public void initialize() {
+        super.initialize();
         resourceParserMap.put(SignType.NAMING, new NamingGrpcResourceParser());
         resourceParserMap.put(SignType.CONFIG, new ConfigGrpcResourceParser());
     }
@@ -73,4 +75,11 @@ public Resource parseResource(Request request, Secured secured) {
     public IdentityContext parseIdentity(Request request) {
         return identityContextBuilder.build(request);
     }
+
+    @Override
+    protected ServerIdentity parseServerIdentity(Request request) {
+        String serverIdentityKey = authConfigs.getServerIdentityKey();
+        String serverIdentity = request.getHeader(serverIdentityKey);
+        return new ServerIdentity(serverIdentityKey, serverIdentity);
+    }
 }
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/HttpProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/HttpProtocolAuthService.java
@@ -17,6 +17,7 @@
 package com.alibaba.nacos.auth;
 
 import com.alibaba.nacos.auth.annotation.Secured;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentity;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Resource;
 import com.alibaba.nacos.auth.config.AuthConfigs;
@@ -51,6 +52,7 @@ public HttpProtocolAuthService(AuthConfigs authConfigs) {
 
     @Override
     public void initialize() {
+        super.initialize();
         resourceParserMap.put(SignType.NAMING, new NamingHttpResourceParser());
         resourceParserMap.put(SignType.CONFIG, new ConfigHttpResourceParser());
     }
@@ -72,4 +74,11 @@ public Resource parseResource(HttpServletRequest request, Secured secured) {
     public IdentityContext parseIdentity(HttpServletRequest request) {
         return identityContextBuilder.build(request);
     }
+
+    @Override
+    protected ServerIdentity parseServerIdentity(HttpServletRequest request) {
+        String serverIdentityKey = authConfigs.getServerIdentityKey();
+        String serverIdentity = request.getHeader(serverIdentityKey);
+        return new ServerIdentity(serverIdentityKey, serverIdentity);
+    }
 }
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/ProtocolAuthService.java b/auth/src/main/java/com/alibaba/nacos/auth/ProtocolAuthService.java
@@ -17,6 +17,7 @@
 package com.alibaba.nacos.auth;
 
 import com.alibaba.nacos.auth.annotation.Secured;
+import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 import com.alibaba.nacos.plugin.auth.api.Permission;
 import com.alibaba.nacos.plugin.auth.api.Resource;
@@ -85,4 +86,13 @@ public interface ProtocolAuthService<R> {
      * @throws AccessException exception during validating
      */
     boolean validateAuthority(IdentityContext identityContext, Permission permission) throws AccessException;
+
+    /**
+     * check server identity.
+     *
+     * @param request protocol request
+     * @param secured secured api secured annotation
+     * @return server identity result
+     */
+    ServerIdentityResult checkServerIdentity(R request, Secured secured);
 }
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/DefaultChecker.java b/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/DefaultChecker.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.auth.serveridentity;
+
+import com.alibaba.nacos.auth.annotation.Secured;
+import com.alibaba.nacos.auth.config.AuthConfigs;
+
+/**
+ * Nacos default server identity checker.
+ *
+ * @author xiweng.yy
+ */
+public class DefaultChecker implements ServerIdentityChecker {
+
+    private AuthConfigs authConfigs;
+
+    @Override
+    public void init(AuthConfigs authConfigs) {
+        this.authConfigs = authConfigs;
+    }
+
+    @Override
+    public ServerIdentityResult check(ServerIdentity serverIdentity, Secured secured) {
+        if (authConfigs.getServerIdentityValue().equals(serverIdentity.getIdentityValue())) {
+            return ServerIdentityResult.success();
+        }
+        return ServerIdentityResult.noMatched();
+    }
+}
diff --git a/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/ServerIdentity.java b/auth/src/main/java/com/alibaba/nacos/auth/serveridentity/ServerIdentity.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.auth.serveridentity;
+
+/**
+ * Nacos server identity.
+ *
+ * @author xiweng.yy
+ */
+public class ServerIdentity {
+
+    private final String identityKey;
+
+    private final String identityValue;
+
+    public ServerIdentity(String identityKey, String identityValue) {
+        this.identityKey = identityKey;
+        this.identityValue = identityValue;
+    }
+
+    public String getIdentityKey() {
+        return identityKey;
+    }
+
+    public String getIdentityValue() {
+        return identityValue;
+    }
+}