feat: add observe status access-key for pre-check and logging only (#5216)

apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/controller/AccessKeyController.java

@@ -18,6 +18,7 @@
 
 import com.ctrip.framework.apollo.biz.entity.AccessKey;
 import com.ctrip.framework.apollo.biz.service.AccessKeyService;
+import com.ctrip.framework.apollo.common.constants.AccessKeyMode;
 import com.ctrip.framework.apollo.common.dto.AccessKeyDTO;
 import com.ctrip.framework.apollo.common.utils.BeanUtils;
 import java.util.List;
@@ -27,6 +28,7 @@
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 /**
@@ -61,9 +63,11 @@ public void delete(@PathVariable String appId, @PathVariable long id, String ope
   }
 
   @PutMapping(value = "/apps/{appId}/accesskeys/{id}/enable")
-  public void enable(@PathVariable String appId, @PathVariable long id, String operator) {
+  public void enable(@PathVariable String appId, @PathVariable long id,
+      @RequestParam(required = false, defaultValue = "0") int mode, String operator) {
     AccessKey entity = new AccessKey();
     entity.setId(id);
+    entity.setMode(mode);
     entity.setEnabled(true);
     entity.setDataChangeLastModifiedBy(operator);
 
@@ -74,6 +78,7 @@ public void enable(@PathVariable String appId, @PathVariable long id, String ope
   public void disable(@PathVariable String appId, @PathVariable long id, String operator) {
     AccessKey entity = new AccessKey();
     entity.setId(id);
+    entity.setMode(AccessKeyMode.FILTER);
     entity.setEnabled(false);
     entity.setDataChangeLastModifiedBy(operator);
 

apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/entity/AccessKey.java

@@ -36,6 +36,9 @@ public class AccessKey extends BaseEntity {
   @Column(name = "`Secret`", nullable = false)
   private String secret;
 
+  @Column(name = "`Mode`")
+  private int mode;
+
   @Column(name = "`IsEnabled`", columnDefinition = "Bit default '0'")
   private boolean enabled;
 
@@ -55,6 +58,14 @@ public void setSecret(String secret) {
     this.secret = secret;
   }
 
+  public int getMode() {
+    return mode;
+  }
+
+  public void setMode(int mode) {
+    this.mode = mode;
+  }
+
   public boolean isEnabled() {
     return enabled;
   }
@@ -66,6 +77,6 @@ public void setEnabled(boolean enabled) {
   @Override
   public String toString() {
     return toStringHelper().add("appId", appId).add("secret", secret)
-        .add("enabled", enabled).toString();
+        .add("mode", mode).add("enabled", enabled).toString();
   }
 }

apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/service/AccessKeyService.java

@@ -74,6 +74,7 @@ public AccessKey update(String appId, AccessKey entity) {
       throw BadRequestException.accessKeyNotExists();
     }
 
+    accessKey.setMode(entity.getMode());
     accessKey.setEnabled(entity.isEnabled());
     accessKey.setDataChangeLastModifiedBy(operator);
     accessKeyRepository.save(accessKey);

apollo-biz/src/test/resources/sql/accesskey-test.sql

@@ -13,9 +13,9 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
-INSERT INTO "AccessKey" (`Id`, `AppId`, `Secret`, `IsEnabled`, `IsDeleted`, `DataChange_CreatedBy`, `DataChange_CreatedTime`, `DataChange_LastModifiedBy`, `DataChange_LastTime`)
+INSERT INTO "AccessKey" (`Id`, `AppId`, `Secret`, `Mode`, `IsEnabled`, `IsDeleted`, `DataChange_CreatedBy`, `DataChange_CreatedTime`, `DataChange_LastModifiedBy`, `DataChange_LastTime`)
 VALUES
-	(1, 'someAppId', 'someSecret', 0, 0, 'apollo', '2019-12-19 10:28:40', 'apollo', '2019-12-19 10:28:40'),
-	(2, '100004458', 'c715cbc80fc44171b43732c3119c9456', 0, 0, 'apollo', '2019-12-19 10:39:54', 'apollo', '2019-12-19 14:46:35'),
-	(3, '100004458', '25a0e68d2a3941edb1ed3ab6dd0646cd', 0, 1, 'apollo', '2019-12-19 13:44:13', 'apollo', '2019-12-19 13:44:19'),
-	(4, '100004458', '4003c4d7783443dc9870932bebf3b7fe', 0, 0, 'apollo', '2019-12-19 13:43:52', 'apollo', '2019-12-19 13:44:21');
+	(1, 'someAppId', 'someSecret', 0, 0, 0, 'apollo', '2019-12-19 10:28:40', 'apollo', '2019-12-19 10:28:40'),
+	(2, '100004458', 'c715cbc80fc44171b43732c3119c9456', 0, 0, 0, 'apollo', '2019-12-19 10:39:54', 'apollo', '2019-12-19 14:46:35'),
+	(3, '100004458', '25a0e68d2a3941edb1ed3ab6dd0646cd', 0, 0, 1, 'apollo', '2019-12-19 13:44:13', 'apollo', '2019-12-19 13:44:19'),
+	(4, '100004458', '4003c4d7783443dc9870932bebf3b7fe', 0, 0, 0, 'apollo', '2019-12-19 13:43:52', 'apollo', '2019-12-19 13:44:21');

apollo-common/src/main/java/com/ctrip/framework/apollo/common/constants/AccessKeyMode.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo.common.constants;
+
+public interface AccessKeyMode {
+
+  int FILTER = 0;
+
+  int OBSERVER = 1;
+
+}

apollo-common/src/main/java/com/ctrip/framework/apollo/common/dto/AccessKeyDTO.java

@@ -24,6 +24,8 @@ public class AccessKeyDTO extends BaseDTO {
 
   private String appId;
 
+  private Integer mode;
+
   private Boolean enabled;
 
   public Long getId() {
@@ -50,6 +52,14 @@ public void setAppId(String appId) {
     this.appId = appId;
   }
 
+  public Integer getMode() {
+    return mode;
+  }
+
+  public void setMode(Integer mode) {
+    this.mode = mode;
+  }
+
   public Boolean getEnabled() {
     return enabled;
   }

apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java

@@ -17,9 +17,11 @@
 package com.ctrip.framework.apollo.configservice.filter;
 
 import com.ctrip.framework.apollo.biz.config.BizConfig;
+import com.ctrip.framework.apollo.common.utils.WebUtils;
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
+import com.ctrip.framework.apollo.tracer.Tracer;
 import com.google.common.net.HttpHeaders;
 import java.io.IOException;
 import java.util.List;
@@ -68,26 +70,49 @@ public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain
       return;
     }
 
+    // check timestamp and signature
     List<String> availableSecrets = accessKeyUtil.findAvailableSecret(appId);
     if (!CollectionUtils.isEmpty(availableSecrets)) {
       String timestamp = request.getHeader(Signature.HTTP_HEADER_TIMESTAMP);
       String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+      String ip = WebUtils.tryToGetClientIp(request);
 
       // check timestamp, valid within 1 minute
       if (!checkTimestamp(timestamp)) {
-        logger.warn("Invalid timestamp. appId={},timestamp={}", appId, timestamp);
+        logger.warn("Invalid timestamp. appId={},clientIp={},timestamp={}", appId, ip, timestamp);
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "RequestTimeTooSkewed");
         return;
       }
 
       // check signature
-      String uri = request.getRequestURI();
-      String query = request.getQueryString();
-      if (!checkAuthorization(authorization, availableSecrets, timestamp, uri, query)) {
-        logger.warn("Invalid authorization. appId={},authorization={}", appId, authorization);
+      if (!checkAuthorization(authorization, availableSecrets, timestamp,
+          request.getRequestURI(), request.getQueryString())) {
+        logger.warn("Invalid authorization. appId={},clientIp={},authorization={}",
+            appId, ip, authorization);
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
         return;
       }
+    } else {
+      // pre-check timestamp and signature
+      List<String> observableSecrets = accessKeyUtil.findObservableSecrets(appId);
+      if (!CollectionUtils.isEmpty(observableSecrets)) {
+        String timestamp = request.getHeader(Signature.HTTP_HEADER_TIMESTAMP);
+        String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+        String ip = WebUtils.tryToGetClientIp(request);
+
+        // pre-check timestamp, valid within 1 minute
+        if (!checkTimestamp(timestamp)) {
+          preCheckInvalidLogging(String.format("Invalid timestamp in pre-check. "
+              + "appId=%s,clientIp=%s,timestamp=%s", appId, ip, timestamp));
+        }
+
+        // pre-check signature
+        if (!checkAuthorization(authorization, observableSecrets, timestamp,
+            request.getRequestURI(), request.getQueryString())) {
+          preCheckInvalidLogging(String.format("Invalid authorization in pre-check. "
+              + "appId=%s,clientIp=%s,authorization=%s", appId, ip, authorization));
+        }
+      }
     }
 
     chain.doFilter(request, response);
@@ -130,4 +155,11 @@ private boolean checkAuthorization(String authorization, List<String> availableS
     }
     return false;
   }
+
+  private void preCheckInvalidLogging(String message) {
+    logger.warn(message);
+    Tracer.logEvent("Apollo.AccessKey.PreCheck", message);
+    // only for test mock
+    accessKeyUtil.preCheckInvalid();
+  }
 }

apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/service/AccessKeyServiceWithCache.java

@@ -19,6 +19,7 @@
 import com.ctrip.framework.apollo.biz.config.BizConfig;
 import com.ctrip.framework.apollo.biz.entity.AccessKey;
 import com.ctrip.framework.apollo.biz.repository.AccessKeyRepository;
+import com.ctrip.framework.apollo.common.constants.AccessKeyMode;
 import com.ctrip.framework.apollo.core.utils.ApolloThreadFactory;
 import com.ctrip.framework.apollo.tracer.Tracer;
 import com.ctrip.framework.apollo.tracer.spi.Transaction;
@@ -37,11 +38,11 @@
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.util.CollectionUtils;
 
@@ -86,13 +87,21 @@ private void initialize() {
   }
 
   public List<String> getAvailableSecrets(String appId) {
+    return getSecrets(appId, key -> key.isEnabled() && key.getMode() == AccessKeyMode.FILTER);
+  }
+
+  public List<String> getObservableSecrets(String appId) {
+    return getSecrets(appId, key -> key.isEnabled() && key.getMode() == AccessKeyMode.OBSERVER);
+  }
+
+  public List<String> getSecrets(String appId, Predicate<AccessKey> filter) {
     List<AccessKey> accessKeys = accessKeyCache.get(appId);
     if (CollectionUtils.isEmpty(accessKeys)) {
       return Collections.emptyList();
     }
 
     return accessKeys.stream()
-        .filter(AccessKey::isEnabled)
+        .filter(filter)
         .map(AccessKey::getSecret)
         .collect(Collectors.toList());
   }

apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtil.java

@@ -46,6 +46,10 @@ public List<String> findAvailableSecret(String appId) {
     return accessKeyServiceWithCache.getAvailableSecrets(appId);
   }
 
+  public List<String> findObservableSecrets(String appId) {
+    return accessKeyServiceWithCache.getObservableSecrets(appId);
+  }
+
   public String extractAppIdFromRequest(HttpServletRequest request) {
     String appId = null;
     String servletPath = request.getServletPath();
@@ -71,4 +75,8 @@ public String buildSignature(String path, String query, String timestampString,
 
     return Signature.signature(timestampString, pathWithQuery, secret);
   }
+
+  public void preCheckInvalid() {
+    // nothing, only for test mock
+  }
 }

apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java

@@ -26,6 +26,7 @@
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.google.common.collect.Lists;
+import java.util.Collections;
 import java.util.List;
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
@@ -146,4 +147,54 @@ public void testAuthorizedSuccessfully() throws Exception {
     verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
     verify(filterChain, times(1)).doFilter(request, response);
   }
+
+  @Test
+  public void testPreCheckInvalid() throws Exception {
+    String appId = "someAppId";
+    String availableSignature = "someSignature";
+    List<String> secrets = Lists.newArrayList("someSecret");
+    String oneMinAgoTimestamp = Long.toString(System.currentTimeMillis() - 61 * 1000);
+    String errorAuthorization = "Apollo someAppId:wrongSignature";
+
+    when(accessKeyUtil.extractAppIdFromRequest(any())).thenReturn(appId);
+    when(accessKeyUtil.findAvailableSecret(appId)).thenReturn(Collections.emptyList());
+    when(accessKeyUtil.findObservableSecrets(appId)).thenReturn(secrets);
+    when(accessKeyUtil.buildSignature(any(), any(), any(), any())).thenReturn(availableSignature);
+    when(request.getHeader(Signature.HTTP_HEADER_TIMESTAMP)).thenReturn(oneMinAgoTimestamp);
+    when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn(errorAuthorization);
+    when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);
+
+    clientAuthenticationFilter.doFilter(request, response, filterChain);
+
+    verify(response, never()).sendError(HttpServletResponse.SC_BAD_REQUEST, "InvalidAppId");
+    verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "RequestTimeTooSkewed");
+    verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
+    verify(filterChain, times(1)).doFilter(request, response);
+    verify(accessKeyUtil, times(2)).preCheckInvalid();
+  }
+
+  @Test
+  public void testPreCheckSuccessfully() throws Exception {
+    String appId = "someAppId";
+    String availableSignature = "someSignature";
+    List<String> secrets = Lists.newArrayList("someSecret");
+    String oneMinAgoTimestamp = Long.toString(System.currentTimeMillis());
+    String correctAuthorization = "Apollo someAppId:someSignature";
+
+    when(accessKeyUtil.extractAppIdFromRequest(any())).thenReturn(appId);
+    when(accessKeyUtil.findAvailableSecret(appId)).thenReturn(Collections.emptyList());
+    when(accessKeyUtil.findObservableSecrets(appId)).thenReturn(secrets);
+    when(accessKeyUtil.buildSignature(any(), any(), any(), any())).thenReturn(availableSignature);
+    when(request.getHeader(Signature.HTTP_HEADER_TIMESTAMP)).thenReturn(oneMinAgoTimestamp);
+    when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn(correctAuthorization);
+    when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);
+
+    clientAuthenticationFilter.doFilter(request, response, filterChain);
+
+    verify(response, never()).sendError(HttpServletResponse.SC_BAD_REQUEST, "InvalidAppId");
+    verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "RequestTimeTooSkewed");
+    verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
+    verify(filterChain, times(1)).doFilter(request, response);
+    verify(accessKeyUtil, never()).preCheckInvalid();
+  }
 }

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/api/AdminServiceAPI.java

@@ -317,9 +317,9 @@ public void delete(Env env, String appId, long id, String operator) {
     }
 
     @ApolloAuditLog(type = OpType.RPC, name = "AccessKey.enableInRemote")
-    public void enable(Env env, String appId, long id, String operator) {
-      restTemplate.put(env, "apps/{appId}/accesskeys/{id}/enable?operator={operator}",
-          null, appId, id, operator);
+    public void enable(Env env, String appId, long id, int mode, String operator) {
+      restTemplate.put(env, "apps/{appId}/accesskeys/{id}/enable?mode={mode}&operator={operator}",
+          null, appId, id, mode, operator);
     }
 
     @ApolloAuditLog(type = OpType.RPC, name = "AccessKey.disableInRemote")

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AccessKeyController.java

@@ -77,9 +77,10 @@ public void delete(@PathVariable String appId,
   @ApolloAuditLog(type = OpType.UPDATE, name = "AccessKey.enable")
   public void enable(@PathVariable String appId,
       @PathVariable String env,
-      @PathVariable long id) {
+      @PathVariable long id,
+      @RequestParam(required = false, defaultValue = "0") int mode) {
     String operator = userInfoHolder.getUser().getUserId();
-    accessKeyService.enable(Env.valueOf(env), appId, id, operator);
+    accessKeyService.enable(Env.valueOf(env), appId, id, mode, operator);
   }
 
   @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)")

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AccessKeyService.java

@@ -49,8 +49,8 @@ public void deleteAccessKey(Env env, String appId, long id, String operator) {
     accessKeyAPI.delete(env, appId, id, operator);
   }
 
-  public void enable(Env env, String appId, long id, String operator) {
-    accessKeyAPI.enable(env, appId, id, operator);
+  public void enable(Env env, String appId, long id, int mode, String operator) {
+    accessKeyAPI.enable(env, appId, id, mode, operator);
   }
 
   public void disable(Env env, String appId, long id, String operator) {