[WIP] support sign and auth the request

dubbo-common/src/main/java/org/apache/dubbo/config/AbstractInterfaceConfig.java

@@ -154,6 +154,9 @@ public abstract class AbstractInterfaceConfig extends AbstractMethodConfig {
 
     protected String tag;
 
+    private  Boolean auth;
+
+
     /**
      * The url of the reference service
      */
@@ -668,6 +671,14 @@ public void setTag(String tag) {
         this.tag = tag;
     }
 
+    public Boolean getAuth() {
+        return auth;
+    }
+
+    public void setAuth(Boolean auth) {
+        this.auth = auth;
+    }
+
     public SslConfig getSslConfig() {
         return ApplicationModel.getConfigManager().getSsl().orElse(null);
     }

dubbo-plugin/dubbo-auth/pom.xml

@@ -0,0 +1,46 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.apache.dubbo</groupId>
+        <artifactId>dubbo-plugin</artifactId>
+        <version>${revision}</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>dubbo-auth</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <skip_maven_deploy>false</skip_maven_deploy>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.dubbo</groupId>
+            <artifactId>dubbo-common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.dubbo</groupId>
+            <artifactId>dubbo-rpc-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+</project>

dubbo-plugin/dubbo-auth/src/main/java/org/apache/dubbo/auth/AccessKeyAuthenticationHelper.java

@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.auth;
+
+import org.apache.dubbo.auth.exception.AccessKeyNotFoundException;
+import org.apache.dubbo.auth.model.AccessKeyPair;
+import org.apache.dubbo.auth.spi.AccessKeyStorage;
+import org.apache.dubbo.auth.spi.AuthenticationHelper;
+import org.apache.dubbo.auth.utils.SignatureUtils;
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.constants.CommonConstants;
+import org.apache.dubbo.common.extension.ExtensionLoader;
+import org.apache.dubbo.common.utils.StringUtils;
+import org.apache.dubbo.rpc.Invocation;
+
+public class AccessKeyAuthenticationHelper implements AuthenticationHelper {
+    @Override
+    public void signForRequest(Invocation invocation, URL url) {
+        String currentTime = String.valueOf(System.currentTimeMillis());
+        String consumer = url.getParameter(CommonConstants.APPLICATION_KEY);
+        AccessKeyPair accessKeyPair = getAccessKeyPair(invocation, url);
+        invocation.setAttachment(Constants.SIGNATURE_STRING_FORMAT, getSignature(url, invocation, accessKeyPair.getSecretKey(), currentTime));
+        invocation.setAttachment(Constants.REQUEST_TIMESTAMP_KEY, currentTime);
+        invocation.setAttachment(Constants.AK_KEY, accessKeyPair.getAccessKey());
+        invocation.setAttachment(CommonConstants.CONSUMER, consumer);
+    }
+
+    @Override
+    public boolean authenticateRequest(Invocation invocation, URL url) {
+        String accessKeyId = String.valueOf(invocation.getAttachment(Constants.AK_KEY));
+        String requestTimestamp = String.valueOf(invocation.getAttachment(Constants.REQUEST_TIMESTAMP_KEY));
+        String originSignature = String.valueOf(invocation.getAttachment(Constants.REQUEST_SIGNATURE_KEY));
+        String consumer = String.valueOf(invocation.getAttachment(CommonConstants.CONSUMER));
+
+        if (StringUtils.isEmpty(accessKeyId) || StringUtils.isEmpty(consumer)
+                || StringUtils.isEmpty(requestTimestamp) || StringUtils.isEmpty(originSignature)) {
+            throw new RuntimeException("Auth failed, maybe consumer not enable the auth");
+        }
+        AccessKeyPair accessKeyPair = getAccessKeyPair(invocation, url);
+
+        String computeSignature = getSignature(url, invocation, accessKeyPair.getSecretKey(), requestTimestamp);
+        boolean success = computeSignature.equals(originSignature);
+        if (!success) {
+            throw new RuntimeException("Auth failed, signature is not correct");
+        }
+        return success;
+    }
+
+
+    AccessKeyPair getAccessKeyPair(Invocation invocation, URL url) {
+        AccessKeyStorage accessKeyStorage = ExtensionLoader.getExtensionLoader(AccessKeyStorage.class)
+                .getExtension(url.getParameter(Constants.ACCESS_KEY_STORAGE_KEY, Constants.DEFAULT_ACCESS_KEY_STORAGE));
+
+        AccessKeyPair accessKeyPair = null;
+        try {
+            accessKeyPair = accessKeyStorage.getAccessKey(url, invocation);
+            if (accessKeyPair == null || StringUtils.isEmpty(accessKeyPair.getAccessKey()) || StringUtils.isEmpty(accessKeyPair.getSecretKey())) {
+                throw new AccessKeyNotFoundException("AccessKeyId or secretAccessKey not found");
+            }
+        } catch (Exception e) {
+            throw new RuntimeException("Can't load the AccessKeyPair from accessKeyStorage", e);
+        }
+        return accessKeyPair;
+    }
+
+    String getSignature(URL url, Invocation invocation, String secrectKey, String time) {
+        boolean parameterEncrypt = url.getParameter(Constants.PARAMTER_ENCRYPT_ENABLE_KEY, false);
+        String signature;
+        String requestString = String.format(Constants.SIGNATURE_STRING_FORMAT,
+                url.getColonSeparatedKey(), invocation.getMethodName(), secrectKey, time);
+        if (parameterEncrypt) {
+            signature = SignatureUtils.sign(invocation.getArguments(), requestString, secrectKey);
+        } else {
+            signature = SignatureUtils.sign(requestString, secrectKey);
+        }
+        return signature;
+    }
+
+}

dubbo-plugin/dubbo-auth/src/main/java/org/apache/dubbo/auth/Constants.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.auth;
+
+
+public interface Constants {
+    String REFERENCE_AUTH = "reference.auth";
+
+    String SERVICE_AUTH = "service.auth";
+
+    String AUTH_HELPER = "auth.helper";
+
+    String DEFAULT_AUTH_HELPER = "accesskey";
+
+    String DEFAULT_ACCESS_KEY_STORAGE = "urlstorage";
+
+    String ACCESS_KEY_STORAGE_KEY = "accessKey.storage";
+
+    String ACCESS_KEY_ID_KEY = "accessKeyId";
+
+    String SECRET_ACCESS_KEY_KEY = "secretAccessKey";
+
+    String REQUEST_TIMESTAMP_KEY = "timestamp";
+
+    String REQUEST_SIGNATURE_KEY = "signature";
+
+    String AK_KEY = "ak";
+
+    String SIGNATURE_STRING_FORMAT = "%s#%s#%s#%s";
+
+    String PARAMTER_ENCRYPT_ENABLE_KEY = "paramater.sign";
+}

dubbo-plugin/dubbo-auth/src/main/java/org/apache/dubbo/auth/DefaultAccessKeyStorage.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.auth;
+
+
+import org.apache.dubbo.auth.model.AccessKeyPair;
+import org.apache.dubbo.auth.spi.AccessKeyStorage;
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.rpc.Invocation;
+
+/**
+ *  The default implemention of {@link AccessKeyStorage}
+ */
+public class DefaultAccessKeyStorage implements AccessKeyStorage {
+    @Override
+    public AccessKeyPair getAccessKey(URL url, Invocation invocation) {
+        AccessKeyPair accessKeyPair = new AccessKeyPair();
+        String accessKeyId = url.getParameter(Constants.ACCESS_KEY_ID_KEY);
+        String secretAccessKey = url.getParameter(Constants.SECRET_ACCESS_KEY_KEY);
+        accessKeyPair.setAccessKey(accessKeyId);
+        accessKeyPair.setSecretKey(secretAccessKey);
+        return accessKeyPair;
+    }
+}

dubbo-plugin/dubbo-auth/src/main/java/org/apache/dubbo/auth/exception/AccessKeyNotFoundException.java

@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.auth.exception;
+
+
+import org.apache.dubbo.auth.model.AccessKeyPair;
+
+/**
+ * Signals that an attempt to get the {@link AccessKeyPair} has failed.
+ */
+public class AccessKeyNotFoundException extends Exception {
+    private static final long serialVersionUID = 7106108446396804404L;
+
+    public AccessKeyNotFoundException() {
+    }
+
+    public AccessKeyNotFoundException(String message) {
+        super(message);
+    }
+
+
+}

dubbo-plugin/dubbo-auth/src/main/java/org/apache/dubbo/auth/filter/ConsumerSignFilter.java

@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.auth.filter;
+
+import org.apache.dubbo.auth.Constants;
+import org.apache.dubbo.auth.spi.AuthenticationHelper;
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.constants.CommonConstants;
+import org.apache.dubbo.common.extension.Activate;
+import org.apache.dubbo.common.extension.ExtensionLoader;
+import org.apache.dubbo.rpc.Filter;
+import org.apache.dubbo.rpc.Invocation;
+import org.apache.dubbo.rpc.Invoker;
+import org.apache.dubbo.rpc.Result;
+import org.apache.dubbo.rpc.RpcException;
+
+/**
+ * The ConsumerSignFilter
+ *
+ * @see org.apache.dubbo.rpc.Filter
+ */
+@Activate(group = CommonConstants.CONSUMER, order = -10000)
+public class ConsumerSignFilter implements Filter {
+
+    @Override
+    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
+        URL url = invoker.getUrl();
+        boolean shouldAuth = url.getParameter(Constants.REFERENCE_AUTH, false);
+        if (shouldAuth) {
+            AuthenticationHelper authenticationHelper = ExtensionLoader.getExtensionLoader(AuthenticationHelper.class)
+                    .getExtension(url.getParameter(Constants.AUTH_HELPER, Constants.DEFAULT_AUTH_HELPER));
+            authenticationHelper.signForRequest(invocation, url);
+        }
+        return invoker.invoke(invocation);
+    }
+}

dubbo-plugin/dubbo-auth/src/main/java/org/apache/dubbo/auth/filter/ProviderAuthFilter.java

@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.auth.filter;
+
+import org.apache.dubbo.auth.spi.AuthenticationHelper;
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.constants.CommonConstants;
+import org.apache.dubbo.common.extension.Activate;
+import org.apache.dubbo.common.extension.ExtensionLoader;
+import org.apache.dubbo.rpc.AsyncRpcResult;
+import org.apache.dubbo.auth.Constants;
+import org.apache.dubbo.rpc.Filter;
+import org.apache.dubbo.rpc.Invocation;
+import org.apache.dubbo.rpc.Invoker;
+import org.apache.dubbo.rpc.Result;
+import org.apache.dubbo.rpc.RpcException;
+
+@Activate(group = CommonConstants.PROVIDER, order = -10000)
+public class ProviderAuthFilter implements Filter {
+
+    @Override
+    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
+        URL url = invoker.getUrl();
+        boolean shouldAuth = url.getParameter(Constants.SERVICE_AUTH, false);
+        if (shouldAuth) {
+            AuthenticationHelper authenticationHelper = ExtensionLoader.getExtensionLoader(AuthenticationHelper.class)
+                    .getExtension(url.getParameter(Constants.AUTH_HELPER, Constants.DEFAULT_AUTH_HELPER));
+            boolean authResult = false;
+            try {
+                authResult = authenticationHelper.authenticateRequest(invocation, url);
+                if (!authResult) {
+                    SecurityException securityException = new SecurityException("Authenticate Request failed");
+                    return AsyncRpcResult.newDefaultAsyncResult(securityException, invocation);
+                }
+            } catch (Exception e) {
+                SecurityException securityException = new SecurityException("Authenticate Request failed,", e);
+                return AsyncRpcResult.newDefaultAsyncResult(securityException, invocation);
+            }
+        }
+        return invoker.invoke(invocation);
+    }
+
+
+}