feat: 支持校验devx token #2223

src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/interceptor/devx/DevXProperties.kt

@@ -119,4 +119,16 @@ data class DevXProperties(
      * 应用devX拦截器的接口
      */
     var includePatterns: List<String> = emptyList(),
+
+    /**
+     * 校验devx token接口url
+     */
+    var validateTokenUrl: String = "",
+
+    /**
+     * 校验devx token接口的认证token
+     */
+    var authToken: String = "",
+
+
 )

src/backend/fs/boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/handler/LoginHandler.kt

@@ -42,6 +42,7 @@ import com.tencent.bkrepo.fs.server.constant.JWT_CLAIMS_PERMIT
 import com.tencent.bkrepo.fs.server.constant.JWT_CLAIMS_REPOSITORY
 import com.tencent.bkrepo.fs.server.context.ReactiveArtifactContextHolder
 import com.tencent.bkrepo.fs.server.pojo.DevxLoginResponse
+import com.tencent.bkrepo.fs.server.request.DevxLoginRequest
 import com.tencent.bkrepo.fs.server.request.IoaLoginRequest
 import com.tencent.bkrepo.fs.server.service.PermissionService
 import com.tencent.bkrepo.fs.server.utils.DevxWorkspaceUtils
@@ -86,11 +87,20 @@ class LoginHandler(
     }
 
     suspend fun devxLogin(request: ServerRequest): ServerResponse {
-        val workspace = DevxWorkspaceUtils.getWorkspace().awaitSingleOrNull() ?: throw AuthenticationException()
+        val devxToken = request.bodyToMono(DevxLoginRequest::class.java).awaitSingleOrNull()?.token
         val repoName = request.pathVariable(REPO_NAME)
-        val userId = createUser(workspace)
-        val token = createToken(workspace.projectId, repoName, userId)
-        val response = DevxLoginResponse(workspace.projectId, token)
+        val response = if (devxToken.isNullOrEmpty()) {
+            val workspace = DevxWorkspaceUtils.getWorkspace().awaitSingleOrNull() ?: throw AuthenticationException()
+            val userId = createUser(workspace)
+            val token = createToken(workspace.projectId, repoName, userId)
+            DevxLoginResponse(workspace.projectId, token)
+        } else {
+            val devxTokenInfo = DevxWorkspaceUtils.validateToken(devxToken).awaitSingle()
+            createUser(devxTokenInfo.userId)
+            val token = createToken(devxTokenInfo.projectId, repoName, devxTokenInfo.userId)
+            DevxLoginResponse(devxTokenInfo.projectId, token)
+        }
+
         return ReactiveResponseBuilder.success(response)
     }
 

src/backend/fs/boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/request/DevxLoginRequest.kt

@@ -0,0 +1,32 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2024 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ *  A copy of the MIT License is included in this file.
+ *
+ *
+ *  Terms of the MIT License:
+ *  ---------------------------------------------------
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ *  documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ *  rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ *  permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ *  the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ *  LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ *  NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ *  WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ *  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.bkrepo.fs.server.request
+
+data class DevxLoginRequest(
+    val token: String?
+)

src/backend/fs/boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/response/DevxTokenInfo.kt

@@ -0,0 +1,33 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2024 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ *  A copy of the MIT License is included in this file.
+ *
+ *
+ *  Terms of the MIT License:
+ *  ---------------------------------------------------
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ *  documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ *  rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ *  permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ *  the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ *  LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ *  NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ *  WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ *  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.bkrepo.fs.server.response
+
+data class DevxTokenInfo(
+    val userId: String,
+    val projectId: String
+)

src/backend/fs/boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/utils/DevxWorkspaceUtils.kt

@@ -28,12 +28,16 @@
 package com.tencent.bkrepo.fs.server.utils
 
 import com.google.common.cache.CacheBuilder
+import com.tencent.bkrepo.common.api.exception.ErrorCodeException
+import com.tencent.bkrepo.common.api.message.CommonMessageCode
 import com.tencent.bkrepo.common.api.util.toJsonString
 import com.tencent.bkrepo.common.security.interceptor.devx.ApiAuth
 import com.tencent.bkrepo.common.security.interceptor.devx.DevXProperties
 import com.tencent.bkrepo.common.security.interceptor.devx.DevXWorkSpace
 import com.tencent.bkrepo.common.security.interceptor.devx.QueryResponse
 import com.tencent.bkrepo.fs.server.context.ReactiveRequestContextHolder
+import com.tencent.bkrepo.fs.server.response.DevxTokenInfo
+import com.tencent.devops.api.pojo.Response
 import kotlinx.coroutines.reactor.mono
 import kotlinx.coroutines.sync.Mutex
 import kotlinx.coroutines.sync.withLock
@@ -150,6 +154,26 @@ class DevxWorkspaceUtils(
                 )
         }
 
+        suspend fun validateToken(devxToken: String): Mono<DevxTokenInfo> {
+            return httpClient
+                .get()
+                .uri("${devXProperties.validateTokenUrl}?dToken=$devxToken")
+                .header("X-DEVOPS-BK-TOKEN", devXProperties.authToken)
+                .exchangeToMono {
+                    mono { parseDevxTokenInfo(it) }
+                }
+        }
+
+        private suspend fun parseDevxTokenInfo(response: ClientResponse): DevxTokenInfo {
+            return if (response.statusCode() != HttpStatus.OK) {
+                val errorMsg = response.awaitBody<String>()
+                logger.error("${response.statusCode()} $errorMsg")
+                throw ErrorCodeException(CommonMessageCode.RESOURCE_EXPIRED, "token")
+            } else {
+                response.awaitBody<Response<DevxTokenInfo>>().data!!
+            }
+        }
+
         private suspend fun listIpFromProject(projectId: String): Mono<Set<String>> {
             val apiAuth = ApiAuth(devXProperties.appCode, devXProperties.appSecret)
             val token = apiAuth.toJsonString().replace(System.lineSeparator(), "")