opengrok的鉴权插件开发指南
opengrok的鉴权插件开发指南
opengrok是被广泛应用的源代码浏览系统。对于开源代码,不需要考虑鉴权的问题,但是对于需要进行权限控制的代码,我们就需要做一些鉴权操作。
opengrok专门为我们提供了插件机制来进行鉴权等操作。
最简单的鉴权例子
opengrok提供了IAuthorizationPlugin做为鉴权的入口。IAuthorizationPlugin包含load, unload和两个isAllowed方法,结构非常简单。
第一步,我们先了解鉴权的接口。最简单的鉴权操作,就是不管三七二十一一律通过。
我们实现接口如下:
public class TruePlugin implements IAuthorizationPlugin{
@Override
public void load(Map<String, Object> map) {
}
@Override
public void unload() {
}
@Override
public boolean isAllowed(javax.servlet.http.HttpServletRequest httpServletRequest, Project project) {
return true;
}
@Override
public boolean isAllowed(javax.servlet.http.HttpServletRequest httpServletRequest, Group group) {
return true;
}
}
我们可以通过把两个isAllowed都改成返回false实现一个啥都不可以的鉴权。
load函数中的Map是配置项的引用。
isAllowed中的Project和Group是保存opengrok中的工程和工程组的数据结构。
插件落地之旅
插件写好了之后,引用opengrok.jar和servlet api jar包就可以编译成功了,毕竟我们一点有意义的逻辑都没写,想编不过也不太容易:)
插件堆栈
因为opengrok支持多个插件,这些插件会形成一个插件堆栈。所以这些插件需要有一套逻辑来管理,否则就形成冲突了。
为了更好地协调彼此,插件有下面三个属性可以选择:
- REQUIRED: 如果失败,会导致最终鉴权失败,但是会让所有的插件都执行完
- REQUISITE: 如果失败,则鉴权流程结束,不过失败的原因会是第一个失败的插件
- SUFFICIENT:如果当前插件成功,且之前没有失败,则直接返回成功
我们通过xml来写这个属性,我们举个例子:
<void property="pluginStack">
<void method="add">
<object class="org.opengrok.indexer.authorization.AuthorizationPlugin">
<void property="flag">
<string>REQUISITEstring>
void>
<void property="name">
<string>com.ebanma.opengrok.plugin.TruePluginstring>
void>
object>
void>
void>
这个pluginStack是Configuration的属性,增加到configuration.xml中。
我们解释下,我们相当于在pluginStack中调用add(AuthorizationPlugin)方法。
而flag和name的定义如下,定义在AuthorizationEntity类中,而AuthorizationPlugin继承自AuthorizationEntity:
protected AuthControlFlag flag;
protected String name;
落地
我们将TruePlugin.class的按路径放到data目录的同级plugins目录下。
这样说有点抽象,我们看一个例子:
比如我的data目录是:/workspace/xulun/opengrok/opengrok-1.3.6/data_dev_bsp_8155/,那么plugin目录就是/workspace/xulun/opengrok/opengrok-1.3.6/plugins
请看日志中的打印:
org.opengrok.indexer.framework.PluginFramework.reload Plugins are being reloaded from /workspace/xulun/opengrok/opengrok-1.3.6/data_dev_bsp_8155/../plugins
为了看得更清楚,我们打印几行日志,代码最终如下:
package com.ebanma.opengrok.plugin;
import org.opengrok.indexer.authorization.*;
import org.opengrok.indexer.configuration.Group;
import org.opengrok.indexer.configuration.Project;
import java.util.Map;
public class TruePlugin implements IAuthorizationPlugin{
@Override
public void load(Map<String, Object> map) {
System.out.println("[xulun] BanmaGrok Plugin loaded");
}
@Override
public void unload() {
System.out.println("[xulun] BanmaGrok Plugin unloaded");
}
@Override
public boolean isAllowed(javax.servlet.http.HttpServletRequest httpServletRequest, Project project) {
System.out.println("[xulun] BanmaGrok Plugin verified 1");
return true;
}
@Override
public boolean isAllowed(javax.servlet.http.HttpServletRequest httpServletRequest, Group group) {
System.out.println("[xulun] BanmaGrok Plugin verified 2");
return true;
}
}
修改好configuration.xml后,我们重新deploy,例:
opengrok-deploy -c /workspace/xulun/opengrok/opengrok-1.3.6/etc/bsp_8155/configuration.xml -l DEBUG /workspace/xulun/opengrok/opengrok-1.3.6/lib/source.war /root/apache-tomcat-9.0.30/webapps/bsp_8155.war
我们查看tomcat的日志catalina.out,看到如下:
25-Mar-2020 14:21:25.492 INFO [Catalina-utility-2] org.opengrok.indexer.framework.PluginFramework.reload Plugins are being reloaded from /workspace/xulun/opengrok/opengrok-1.3.6/data_dev_bsp_8155/../plugins
25-Mar-2020 14:21:25.494 INFO [Catalina-utility-2] org.opengrok.indexer.authorization.AuthorizationStack.load [REQUIRED] Stack "default stack" is loading.
[xulun] BanmaGrok Plugin loaded
25-Mar-2020 14:21:25.495 INFO [Catalina-utility-2] org.opengrok.indexer.authorization.AuthorizationPlugin.load [REQUISITE] Plugin "com.ebanma.opengrok.plugin.TruePlugin" found and is working.
25-Mar-2020 14:21:25.495 INFO [Catalina-utility-2] org.opengrok.indexer.authorization.AuthorizationStack.load [REQUIRED] Stack "default stack" is ready.
我们看到com.ebanma.opengrok.plugin.TruePlugin已经在正常工作了。
访问之后,我们就能看到我们的输出了:
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
[xulun] BanmaGrok Plugin allowed 1
好像看不出来啥,我们再把Project的信息打印出来:
代码改成这样:
package com.ebanma.opengrok.plugin;
import org.opengrok.indexer.authorization.*;
import org.opengrok.indexer.configuration.Group;
import org.opengrok.indexer.configuration.Project;
import java.util.Map;
public class TruePlugin implements IAuthorizationPlugin{
@Override
public void load(Map<String, Object> map) {
System.out.println("[xulun] BanmaGrok Plugin loaded");
}
@Override
public void unload() {
System.out.println("[xulun] BanmaGrok Plugin unloaded");
}
@Override
public boolean isAllowed(javax.servlet.http.HttpServletRequest httpServletRequest, Project project) {
System.out.println("[xulun] BanmaGrok Plugin verified 1:" + project.getName());
return true;
}
@Override
public boolean isAllowed(javax.servlet.http.HttpServletRequest httpServletRequest, Group group) {
System.out.println("[xulun] BanmaGrok Plugin verified 2:"+group.getName());
return true;
}
}
输出如下:
[xulun] BanmaGrok Plugin verified 1:adsp_proc
[xulun] BanmaGrok Plugin verified 1:aop_proc
[xulun] BanmaGrok Plugin verified 1:boot_images
[xulun] BanmaGrok Plugin verified 1:btfm_proc
[xulun] BanmaGrok Plugin verified 1:btfm_proc_gen
[xulun] BanmaGrok Plugin verified 1:btfm_proc_hst
[xulun] BanmaGrok Plugin verified 1:btfm_proc_rome
[xulun] BanmaGrok Plugin verified 1:cdsp_proc
[xulun] BanmaGrok Plugin verified 1:cnss_proc
[xulun] BanmaGrok Plugin verified 1:common
[xulun] BanmaGrok Plugin verified 1:npu_proc
[xulun] BanmaGrok Plugin verified 1:trustzone_images
[xulun] BanmaGrok Plugin verified 1:venus_proc
[xulun] BanmaGrok Plugin verified 1:wdsp_proc
[xulun] BanmaGrok Plugin verified 1:wlan_proc_gen
[xulun] BanmaGrok Plugin verified 1:wlan_proc_hst
[xulun] BanmaGrok Plugin verified 1:apps_proc