refactor(auth): simplify authentication logic and remove hardcoded credentials

koi2000 · koi2000 · commit 277be31a10cd · 2025-10-28T11:46:08.000+08:00
diff --git a/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/service/interceptor/Authentication.java b/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/service/interceptor/Authentication.java
@@ -19,6 +19,8 @@
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
+import java.util.HashSet;
+import java.util.Set;
 import java.util.function.Function;
 import java.util.function.Supplier;
 
@@ -35,16 +37,16 @@
 
 @Component
 public class Authentication {
-
-    @Autowired
-    private KvService kvService;
-    @Autowired
-    private PDConfig pdConfig;
-
-    private static final Cache<String> TOKEN_CACHE = new Cache<>();
     private static volatile TokenUtil util;
-    private static String invalidMsg =
-            "invalid token and invalid user name or password, access denied";
+
+    private static final Set<String> innerUsers = new HashSet<>() {
+        {
+            add("hg");
+            add("store");
+            add("hubble");
+            add("vermeer");
+        }
+    };
     private static String invalidBasicInfo = "invalid basic authentication info";
 
     protected <T> T authenticate(String authority, String token, Function<String, T> tokenCall,
@@ -62,49 +64,11 @@ protected <T> T authenticate(String authority, String token, Function<String, T>
             }
             String name = info.substring(0, delim);
             String pwd = info.substring(delim + 1);
-            if (!"store".equals(name)) {
-                if (util == null) {
-                    synchronized (this) {
-                        if (util == null) {
-                            util = new TokenUtil(pdConfig.getSecretKey());
-                        }
-                    }
-                }
-                String[] i = util.getInfo(name);
-                if (i == null) {
-                    throw new AccessDeniedException("invalid service name");
-                }
-                if (!StringUtils.isEmpty(token)) {
-                    String value = TOKEN_CACHE.get(name);
-                    if (StringUtils.isEmpty(value)) {
-                        synchronized (i) {
-                            value = kvService.get(getTokenKey(name));
-                        }
-                    }
-                    if (!StringUtils.isEmpty(value) && token.equals(value)) {
-                        return call.get();
-                    }
-                }
-                if (StringUtils.isEmpty(pwd) || !StringEncoding.checkPassword(i[2], pwd)) {
-                    throw new AccessDeniedException(invalidMsg);
-                }
-                token = util.getToken(name);
-                String tokenKey = getTokenKey(name);
-                String dbToken = kvService.get(tokenKey);
-                if (StringUtils.isEmpty(dbToken)) {
-                    synchronized (i) {
-                        dbToken = kvService.get(tokenKey);
-                        if (StringUtils.isEmpty(dbToken)) {
-                            kvService.put(tokenKey, token,
-                                          TokenUtil.AUTH_TOKEN_EXPIRE);
-                            TOKEN_CACHE.put(name, token,
-                                            TokenUtil.AUTH_TOKEN_EXPIRE);
-                            return tokenCall.apply(token);
-                        }
-                    }
-                }
+            if (innerUsers.contains(name)) {
+                return call.get();
+            } else {
+                throw new AccessDeniedException("invalid service name");
             }
-            return call.get();
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
diff --git a/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/util/TokenUtil.java b/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/util/TokenUtil.java
@@ -33,27 +33,6 @@ public class TokenUtil {
 
     private TokenGenerator generator;
     public static final long AUTH_TOKEN_EXPIRE = 3600 * 24L * 1000;
-    private static String[] storeInfo = {"store",
-                                         "$2a$04$9ZGBULe2vc73DMj7r" +
-                                         "/iBKeQB1SagtUXPrDbMmNswRkTwlWQURE/Jy",
-                                         "E3UnnQa605go"};
-    private static String[] serverInfo = {"hg",
-                                          "$2a$04$i10KooNg6wLvIPVDh909n" +
-                                          ".RBYlZ/4pJo978nFK86nrqQiGIKV4UGS",
-                                          "qRyYhxVAWDb5"};
-    private static String[] hubbleInfo = {"hubble",
-                                          "$2a$04$pSGkohaywGgFrJLr6VOPm" +
-                                          ".IK2WtOjlNLcZN8gct5uIKEDO1I61DGa",
-                                          "iMjHnUl5Pprx"};
-    private static String[] vermeer = {"vermeer",
-                                       "$2a$04$N89qHe0v5jqNJKhQZHnTdOFSGmiNoiA2B2fdWpV2BwrtJK72dXYD.",
-                                       "FqU8BOvTpteT"};
-    private static Map<String, String[]> apps = new HashMap<>() {{
-        put(storeInfo[0], storeInfo);
-        put(serverInfo[0], serverInfo);
-        put(hubbleInfo[0], hubbleInfo);
-        put(vermeer[0], vermeer);
-    }};
 
     public TokenUtil(String secretKey) {
         this.generator = new TokenGenerator(secretKey);
@@ -76,14 +55,6 @@ public String getToken(String[] info) {
         return new String(encode, Charsets.UTF_8);
     }
 
-    public String getToken(String appName) {
-        String[] info = apps.get(appName);
-        if (info != null) {
-            return getToken(info);
-        }
-        return null;
-    }
-
     public boolean verify(String token, String[] info) {
         byte[] decode = Base64.getDecoder().decode(token);
         String d = new String(decode, StandardCharsets.UTF_8);
@@ -92,24 +63,4 @@ public boolean verify(String token, String[] info) {
         }
         return false;
     }
-
-    public String[] getInfo(String appName) {
-        return apps.get(appName);
-    }
-
-    public static void main(String[] args) {
-        TokenUtil util = new TokenUtil("FXQXbJtbCLxODc6tGci732pkH1cyf8Qg");
-        // String uniqueToken = util.getStoreToken();
-        String x = StringEncoding.hashPassword("FqU8BOvTpteT");
-        // String x = "$2a$04$i10KooNg6wLvIPVDh909n.RBYlZ/4pJo978nFK86nrqQiGIKV4UGS";
-        System.out.println(x);
-        // System.out.println(StringEncoding.checkPassword("qRyYhxVAWDb5", x));
-        // $2a$04$9ZGBULe2vc73DMj7r/iBKeQB1SagtUXPrDbMmNswRkTwlWQURE/Jy "E3UnnQa605go"
-        // $2a$04$i10KooNg6wLvIPVDh909n.RBYlZ/4pJo978nFK86nrqQiGIKV4UGS "qRyYhxVAWDb5"
-        // $2a$04$pSGkohaywGgFrJLr6VOPm.IK2WtOjlNLcZN8gct5uIKEDO1I61DGa "iMjHnUl5Pprx"
-        // eyJhbGciOiJIUzI1NiJ9
-        // .eyJ1c2VyX25hbWUiOiJzdG9yZSIsInVzZXJfaWQiOiJhZWEwOTM1Ni0xZWJhLTQ1NjktODk0ZS1kYWIzZTRhYTYyM2MiLCJleHAiOjE2ODI1MDQ0MTd9.lDqbt3vZkE3X2IIK9A404BBlCFHBaEVsIycH0AIXKsw
-        String token = util.getToken(serverInfo);
-        System.out.println(token);
-    }
 }
diff --git a/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/BaseTest.java b/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/BaseTest.java
@@ -24,7 +24,7 @@ public class BaseTest {
     protected static String pdGrpcAddr = "127.0.0.1:8686";
     protected static String pdRestAddr = "http://127.0.0.1:8620";
     protected static String user = "store";
-    protected static String pwd = "$2a$04$9ZGBULe2vc73DMj7r/iBKeQB1SagtUXPrDbMmNswRkTwlWQURE/Jy";
+    protected static String pwd = "";
     protected static String key = "Authorization";
     protected static String value = "Basic c3RvcmU6YWRtaW4=";
 
diff --git a/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/client/PDPulseTest.java b/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/client/PDPulseTest.java
@@ -40,12 +40,13 @@ public class PDPulseTest {
     private String storeAddress = "localhost";
     private String graphName = "graph1";
 
+    private static final String SERVICE_NAME = "store";
+    private static final String AUTHORITY = "";
+
     @BeforeClass
     public static void beforeClass() throws Exception {
-        pdConfig = PDConfig.of("localhost:8686").setAuthority("store",
-                                                              "$2a$04$9ZGBULe2vc73DMj7r" +
-                                                              "/iBKeQB1SagtUXPrDbMmNswRkTwlWQURE" +
-                                                              "/Jy");
+        pdConfig = PDConfig.of("localhost:8686").setAuthority(SERVICE_NAME,
+                                                              AUTHORITY);
 //        pdConfig.setEnableCache(true);
 //        pdClient = PDClient.create(pdConfig);
 //        pdClient.getLeader();
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java
@@ -261,7 +261,7 @@ public class ServerOptions extends OptionHolder {
                     "service.access_pd_token",
                     "Service token for server to access pd service.",
                     disallowEmpty(),
-                    "$2a$04$i10KooNg6wLvIPVDh909n.RBYlZ/4pJo978nFK86nrqQiGIKV4UGS"
+                    ""
             );
 
     public static final ConfigOption<String> SERVER_URLS_TO_PD =
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/constant/ServiceConstant.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/constant/ServiceConstant.java
@@ -0,0 +1,7 @@
+package org.apache.hugegraph.constant;
+
+public class ServiceConstant {
+    // FIXME: Strictly prohibited from external exposure; network IP whitelisting must be configured in production environments.
+    public static final String SERVICE_NAME = "hg";
+    public static final String AUTHORITY = "";
+}
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/space/register/registerImpl/PdRegister.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/space/register/registerImpl/PdRegister.java
@@ -53,6 +53,7 @@
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.ssl.SSLContexts;
 import org.apache.http.util.EntityUtils;
+import org.apache.hugegraph.constant.ServiceConstant;
 import org.apache.hugegraph.pd.client.DiscoveryClient;
 import org.apache.hugegraph.pd.client.DiscoveryClientImpl;
 import org.apache.hugegraph.pd.client.PDConfig;
@@ -88,7 +89,7 @@ private PdRegister(String service, String token) {
     }
 
     public static PdRegister getInstance() {
-        return getInstance("hg", "$2a$04$i10KooNg6wLvIPVDh909n.RBYlZ/4pJo978nFK86nrqQiGIKV4UGS");
+        return getInstance(ServiceConstant.SERVICE_NAME, ServiceConstant.AUTHORITY);
     }
 
     //FIXME: pd auth:use this method to replace getInstance()
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/space/register/registerImpl/SampleRegister.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/space/register/registerImpl/SampleRegister.java
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.util.Map;
 
+import org.apache.hugegraph.constant.ServiceConstant;
 import org.apache.hugegraph.pd.client.DiscoveryClient;
 import org.apache.hugegraph.pd.client.DiscoveryClientImpl;
 import org.apache.hugegraph.pd.client.PDConfig;
@@ -84,8 +85,8 @@ public String registerService(RegisterConfig config) {
 
         try {
             PDConfig pdConfig = PDConfig.of(config.getGrpcAddress());
-            pdConfig.setAuthority("hg",
-                                  "$2a$04$i10KooNg6wLvIPVDh909n.RBYlZ/4pJo978nFK86nrqQiGIKV4UGS");
+            pdConfig.setAuthority(ServiceConstant.SERVICE_NAME,
+                                  ServiceConstant.AUTHORITY);
             DiscoveryClient client = DiscoveryClientImpl.newBuilder().setPdConfig(pdConfig)
                                                         .setCenterAddress(config.getGrpcAddress())
                                                         .setAddress(address)

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@`
`53`	`53`	`import org.apache.http.impl.client.HttpClients;`
`54`	`54`	`import org.apache.http.ssl.SSLContexts;`
`55`	`55`	`import org.apache.http.util.EntityUtils;`
	`56`	`+import org.apache.hugegraph.constant.ServiceConstant;`
`56`	`57`	`import org.apache.hugegraph.pd.client.DiscoveryClient;`
`57`	`58`	`import org.apache.hugegraph.pd.client.DiscoveryClientImpl;`
`58`	`59`	`import org.apache.hugegraph.pd.client.PDConfig;`
`@@ -88,7 +89,7 @@ private PdRegister(String service, String token) {`
`88`	`89`	`}`
`89`	`90`
`90`	`91`	`public static PdRegister getInstance() {`
`91`		`- return getInstance("hg", "$2a$04$i10KooNg6wLvIPVDh909n.RBYlZ/4pJo978nFK86nrqQiGIKV4UGS");`
	`92`	`+ return getInstance(ServiceConstant.SERVICE_NAME, ServiceConstant.AUTHORITY);`
`92`	`93`	`}`
`93`	`94`
`94`	`95`	`//FIXME: pd auth:use this method to replace getInstance()`