增加登录绕过的接口调用方式

c3a0dbbe · zengqiao · 28a72513 · c3a0dbbe · c3a0dbbe · c3a0dbbe
8 changed file
--- a/docs/user_guide/call_api_bypass_login.md
+++ b/docs/user_guide/call_api_bypass_login.md
+
+---
+
+![kafka-manager-logo](../assets/images/common/logo_name.png)
+
+**一站式`Apache Kafka`集群指标监控与运维管控平台**
+
+--- 
+
+# 登录绕过
+
+## 背景
+
+现在除了开放出来的第三方接口，其他接口都需要走登录认证。
+
+但是第三方接口不多，开放出来的能力有限，但是登录的接口又需要登录，非常的麻烦。
+
+因此，新增了一个登录绕过的功能，为一些紧急临时的需求，提供一个调用不需要登录的能力。
+
+## 使用方式
+
+步骤一：接口调用时，在header中，增加如下信息：
+```shell
+# 表示开启登录绕过
+Trick-Login-Switch : on
+
+# 登录绕过的用户, 这里可以是admin, 或者是其他的, 但是必须在运维管控->平台管理->用户管理中设置了该用户。
+Trick-Login-User : admin
+```
+
+&nbsp;
+
+步骤二：在运维管控->平台管理->平台配置上，设置允许了该用户以绕过的方式登录
+```shell
+# 设置的key，必须是这个
+SECURITY.TRICK_USERS
+
+# 设置的value，是json数组的格式，例如
+[ "admin", "logi"]
+```
+
+&nbsp;
+
+步骤三：解释说明
+
+设置完成上面两步之后，就可以直接调用需要登录的接口了。
+
+但是还有一点需要注意，绕过的用户仅能调用他有权限的接口，比如一个普通用户，那么他就只能调用普通的接口，不能去调用运维人员的接口。
+
--- a/docs/user_guide/faq.md
+++ b/docs/user_guide/faq.md
@@ -27,6 +27,7 @@
 - 15、APP(应用)如何被使用起来？
 - 16、为什么下线应用提示operation forbidden？
 - 17、删除Topic成功，为什么过一会儿之后又出现了？
+- 18、如何在不登录的情况下，调用一些需要登录的接口？

 ---

@@ -195,3 +196,7 @@ for (int i= 0; i < 100000; ++i) {
    producer.send(new ProducerRecord<String, String>("logi_km" + i,"hello logi_km"));
 }
 ```
+
+### 18、如何在不登录的情况下，调用一些需要登录的接口？
+
+具体见：[登录绕过](./call_api_bypass_login.md)
--- a/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/constant/TrickLoginConstant.java
+++ b/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/constant/TrickLoginConstant.java
+package com.xiaojukeji.kafka.manager.common.constant;
+
+public class TrickLoginConstant {
+    /**
+     * HTTP Header key
+     */
+    public static final String TRICK_LOGIN_SWITCH = "Trick-Login-Switch";
+
+    public static final String TRICK_LOGIN_USER = "Trick-Login-User";
+
+    /**
+     * 配置允许 trick 登录用户名单
+     */
+    public static final String TRICK_LOGIN_LEGAL_USER_CONFIG_KEY = "SECURITY.TRICK_USERS";
+
+    /**
+     * 开关状态值
+     */
+    public static final String TRICK_LOGIN_SWITCH_ON = "on";
+    public static final String TRICK_LOGIN_SWITCH_OFF = "off";
+}
--- a/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/SpringTool.java
+++ b/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/SpringTool.java
@@ -2,6 +2,7 @@ package com.xiaojukeji.kafka.manager.common.utils;

 import com.xiaojukeji.kafka.manager.common.constant.Constant;
 import com.xiaojukeji.kafka.manager.common.constant.LoginConstant;
+import com.xiaojukeji.kafka.manager.common.constant.TrickLoginConstant;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.BeansException;
@@ -53,13 +54,6 @@ public class SpringTool implements ApplicationContextAware, DisposableBean {
        return getApplicationContext().getBeansOfType(type);
    }

-//    /**
-//     * 从静态变量applicationContext中去的Bean，自动转型为所复制对象的类型
-//     */
-//    public static <T> T getBean(Class<T> requiredType) {
-//        return (T) applicationContext.getBean(requiredType);
-//    }
-
    /**
     * 清除SpringContextHolder中的ApplicationContext为Null
     */
@@ -87,10 +81,18 @@ public class SpringTool implements ApplicationContextAware, DisposableBean {
    }

    public static String getUserName(){
-        HttpServletRequest request =
-                ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
-        HttpSession session = request.getSession();
-        String username = (String) session.getAttribute(LoginConstant.SESSION_USERNAME_KEY);
+        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+
+        String username = null;
+        if (TrickLoginConstant.TRICK_LOGIN_SWITCH_ON.equals(request.getHeader(TrickLoginConstant.TRICK_LOGIN_SWITCH))) {
+            // trick登录方式的获取用户
+            username = request.getHeader(TrickLoginConstant.TRICK_LOGIN_USER);
+        } else {
+            // 走页面登录方式登录的获取用户
+            HttpSession session = request.getSession();
+            username = (String) session.getAttribute(LoginConstant.SESSION_USERNAME_KEY);
+        }
+
        if (ValidateUtils.isNull(username)) {
            return Constant.DEFAULT_USER_NAME;
        }

--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/LoginService.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/LoginService.java
@@ -12,9 +12,29 @@ import javax.servlet.http.HttpServletResponse;
 * @date 20/8/20
 */
 public interface LoginService {
+    /**
+     * 登录
+     * @param request HttpServletRequest
+     * @param response HttpServletResponse
+     * @param dto 登录信息
+     * @return 登录结果
+     */
    Result<Account> login(HttpServletRequest request, HttpServletResponse response, LoginDTO dto);

+    /**
+     * 登出
+     * @param request HttpServletRequest
+     * @param response HttpServletResponse
+     * @param needJump2LoginPage 是否需要跳转到登录页
+     */
    void logout(HttpServletRequest request, HttpServletResponse response, Boolean needJump2LoginPage);

+    /**
+     * 检查是否登录
+     * @param request HttpServletRequest
+     * @param response HttpServletResponse
+     * @param classRequestMappingValue request-mapping的value
+     * @return 检查结果, false:未登录或无权限, true:已登录并且有权限
+     */
    boolean checkLogin(HttpServletRequest request, HttpServletResponse response, String classRequestMappingValue);
 }
\ No newline at end of file
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/AbstractSingleSignOn.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/AbstractSingleSignOn.java
@@ -7,7 +7,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 /**
- * 单点登录抽象类
+ * 登录抽象类
 * @author zengqiao
 * @date 20/8/20
 */

--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/login/trick/TrickLoginService.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/login/trick/TrickLoginService.java
+package com.xiaojukeji.kafka.manager.account.component.login.trick;
+
+import com.xiaojukeji.kafka.manager.common.constant.TrickLoginConstant;
+import com.xiaojukeji.kafka.manager.service.service.ConfigService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Optional;
+
+
+/**
+ * @author zengqiao
+ * @date 21/5/18
+ */
+@Service
+public class TrickLoginService {
+    private final static Logger LOGGER = LoggerFactory.getLogger(TrickLoginService.class);
+
+    @Autowired
+    private ConfigService configService;
+
+    /**
+     * 是否开启trick的方式登录
+     */
+    public boolean isTrickLoginOn(HttpServletRequest request) {
+        return TrickLoginConstant.TRICK_LOGIN_SWITCH_ON.equals(request.getHeader(TrickLoginConstant.TRICK_LOGIN_SWITCH));
+    }
+
+    /**
+     * 开启trick方式登录后，当前用户是否可以登录
+     */
+    public String checkTrickLogin(HttpServletRequest request) {
+        String trickLoginUser = request.getHeader(TrickLoginConstant.TRICK_LOGIN_USER);
+        LOGGER.info("class=TrickLoginService||method=checkTrickLogin||user={}||uri={}||msg=try trick login", trickLoginUser, request.getRequestURI());
+        if (!checkTrickLogin(trickLoginUser)) {
+            LOGGER.warn("class=TrickLoginService||method=checkTrickLogin||user={}||uri={}||msg=trick login failed", trickLoginUser, request.getRequestURI());
+            return null;
+        }
+        return trickLoginUser;
+    }
+
+    private boolean checkTrickLogin(String trickLoginUser) {
+        return Optional.ofNullable(configService.getArrayByKey(TrickLoginConstant.TRICK_LOGIN_LEGAL_USER_CONFIG_KEY, String.class))
+                .filter(names -> names.contains(trickLoginUser))
+                .isPresent();
+    }
+}
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
@@ -3,6 +3,7 @@ package com.xiaojukeji.kafka.manager.account.impl;
 import com.xiaojukeji.kafka.manager.account.AccountService;
 import com.xiaojukeji.kafka.manager.account.component.AbstractSingleSignOn;
 import com.xiaojukeji.kafka.manager.account.LoginService;
+import com.xiaojukeji.kafka.manager.account.component.login.trick.TrickLoginService;
 import com.xiaojukeji.kafka.manager.common.bizenum.AccountRoleEnum;
 import com.xiaojukeji.kafka.manager.common.constant.ApiPrefix;
 import com.xiaojukeji.kafka.manager.common.constant.LoginConstant;
@@ -31,6 +32,9 @@ public class LoginServiceImpl implements LoginService {
    @Autowired
    private AccountService accountService;

+    @Autowired
+    private TrickLoginService trickLoginService;
+
    @Autowired
    private AbstractSingleSignOn singleSignOn;

@@ -80,7 +84,7 @@ public class LoginServiceImpl implements LoginService {
            return true;
        }

-        String username = singleSignOn.checkLoginAndGetLdap(request);
+        String username = trickLoginService.isTrickLoginOn(request)? trickLoginService.checkTrickLogin(request): singleSignOn.checkLoginAndGetLdap(request);
        if (ValidateUtils.isBlank(username)) {
            // 未登录, 则返回false, 同时重定向到登录页面
            singleSignOn.setRedirectToLoginPage(response);