Refactor authentication and improve security docs

imbajin · imbajin · commit e3aaa8a8265a · 2025-10-28T17:17:55.000+08:00
Enhanced internal authentication logic and documentation in Authentication.java, emphasizing production security best practices. Refactored TokenUtil for clarity and immutability. Improved code formatting in PDPulseTest and SampleRegister, and updated ServiceConstant with stricter external exposure warnings.
diff --git a/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/service/interceptor/Authentication.java b/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/service/interceptor/Authentication.java
@@ -19,32 +19,52 @@
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
-import java.util.HashSet;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.function.Supplier;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hugegraph.pd.KvService;
-import org.apache.hugegraph.pd.common.Cache;
-import org.apache.hugegraph.pd.config.PDConfig;
-import org.apache.hugegraph.pd.util.TokenUtil;
-import org.apache.hugegraph.util.StringEncoding;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
 
+/**
+ * Simple internal authentication component for PD service.
+ * <p>
+ * <b>WARNING:</b> This class currently implements only basic internal authentication
+ * validation for internal modules (hg, store, hubble, vermeer). The authentication mechanism
+ * is designed for internal service-to-service communication only.
+ * </p>
+ *
+ * <p><b>Important SEC Considerations:</b></p>
+ * <ul>
+ *   <li><b>DO NOT expose RPC interfaces to external networks</b> - This authentication is NOT
+ *       designed for public-facing services and should only be used in trusted internal networks.</li>
+ *   <li><b>Production Environment Best Practices:</b> It is STRONGLY RECOMMENDED to configure
+ *       IP whitelisting and network-level access control policies (e.g., firewall rules,
+ *       security groups) to restrict access to trusted sources only.</li>
+ *   <li><b>Future Improvements:</b> This authentication mechanism will be enhanced in future
+ *       versions with more robust security features. Do not rely on this as the sole security
+ *       measure for production deployments.</li>
+ * </ul>
+ *
+ * <p>
+ * For production deployments, ensure proper network isolation and implement defense-in-depth
+ * strategies including but not limited to:
+ * - VPC isolation
+ * - IP whitelisting
+ * - TLS/mTLS encryption,
+ * and regular security audits.
+ * </p>
+ */
 @Component
 public class Authentication {
-    private static volatile TokenUtil util;
-
-    private static final Set<String> innerUsers = Set.of("hg", "store", "hubble", "vermeer");
-    private static String invalidBasicInfo = "invalid basic authentication info";
+    private static final Set<String> innerModules = Set.of("hg", "store", "hubble", "vermeer");
 
     protected <T> T authenticate(String authority, String token, Function<String, T> tokenCall,
                                  Supplier<T> call) {
         try {
+            String invalidBasicInfo = "invalid basic authentication info";
             if (StringUtils.isEmpty(authority)) {
                 throw new BadCredentialsException(invalidBasicInfo);
             }
@@ -55,9 +75,10 @@ protected <T> T authenticate(String authority, String token, Function<String, T>
             if (delim == -1) {
                 throw new BadCredentialsException(invalidBasicInfo);
             }
+
             String name = info.substring(0, delim);
-            String pwd = info.substring(delim + 1);
-            if (innerUsers.contains(name)) {
+            //String pwd = info.substring(delim + 1);
+            if (innerModules.contains(name)) {
                 return call.get();
             } else {
                 throw new AccessDeniedException("invalid service name");
diff --git a/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/util/TokenUtil.java b/hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/util/TokenUtil.java
@@ -19,19 +19,17 @@
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
-import java.util.HashMap;
 import java.util.Map;
 
 import org.apache.hugegraph.auth.AuthConstant;
 import org.apache.hugegraph.auth.TokenGenerator;
-import org.apache.hugegraph.util.StringEncoding;
 
 import com.google.common.base.Charsets;
 import com.google.common.collect.ImmutableMap;
 
 public class TokenUtil {
 
-    private TokenGenerator generator;
+    private final TokenGenerator generator;
     public static final long AUTH_TOKEN_EXPIRE = 3600 * 24L * 1000;
 
     public TokenUtil(String secretKey) {
@@ -47,20 +45,16 @@ public TokenUtil(String secretKey) {
     //    return generator.create(payload, AUTH_TOKEN_EXPIRE);
     // }
     public String getToken(String[] info) {
-        Map<String, ?> payload = ImmutableMap.of(AuthConstant.TOKEN_USER_NAME,
-                                                 info[0]);
-        byte[] bytes =
-                generator.create(payload, AUTH_TOKEN_EXPIRE).getBytes(StandardCharsets.UTF_8);
+        Map<String, ?> payload = ImmutableMap.of(AuthConstant.TOKEN_USER_NAME, info[0]);
+        byte[] bytes = generator.create(payload, AUTH_TOKEN_EXPIRE).
+                                getBytes(StandardCharsets.UTF_8);
         byte[] encode = Base64.getEncoder().encode(bytes);
         return new String(encode, Charsets.UTF_8);
     }
 
     public boolean verify(String token, String[] info) {
         byte[] decode = Base64.getDecoder().decode(token);
         String d = new String(decode, StandardCharsets.UTF_8);
-        if (d.equals(info[1])) {
-            return true;
-        }
-        return false;
+        return d.equals(info[1]);
     }
 }
diff --git a/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/client/PDPulseTest.java b/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/client/PDPulseTest.java
@@ -45,8 +45,7 @@ public class PDPulseTest {
 
     @BeforeClass
     public static void beforeClass() throws Exception {
-        pdConfig = PDConfig.of("localhost:8686").setAuthority(SERVICE_NAME,
-                                                              AUTHORITY);
+        pdConfig = PDConfig.of("localhost:8686").setAuthority(SERVICE_NAME, AUTHORITY);
 //        pdConfig.setEnableCache(true);
 //        pdClient = PDClient.create(pdConfig);
 //        pdClient.getLeader();
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/constant/ServiceConstant.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/constant/ServiceConstant.java
@@ -17,10 +17,13 @@
 
 package org.apache.hugegraph.constant;
 
+/**
+ * TODO:
+ *  Strictly prohibited from external exposure; network IP whitelisting must be
+ *  configured in production environments.
+ *  refer: src/main/java/org/apache/hugegraph/pd/service/interceptor/Authentication.java
+ */
 public class ServiceConstant {
-
-    // FIXME: Strictly prohibited from external exposure; network IP whitelisting must be
-    //  configured in production environments.
     public static final String SERVICE_NAME = "hg";
     public static final String AUTHORITY = "";
 }
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/space/register/registerImpl/SampleRegister.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/space/register/registerImpl/SampleRegister.java
@@ -42,8 +42,7 @@ private RegisterConfig decodeConfigMap(String configMap) {
         RegisterConfig config = new RegisterConfig();
         Gson gson = new Gson();
         ServiceDTO serviceDTO = gson.fromJson(configMap, ServiceDTO.class);
-        config.setNodePort(
-                serviceDTO.getSpec().getPorts().get(0).getNodePort().toString());
+        config.setNodePort(serviceDTO.getSpec().getPorts().get(0).getNodePort().toString());
         config.setNodeName(serviceDTO.getSpec().getClusterIP());
         config.setPodIp("127.0.0.1");
         config.setPodPort("8080");
@@ -52,23 +51,19 @@ private RegisterConfig decodeConfigMap(String configMap) {
 
     public String init(String appName) throws Exception {
         File file = new File("/home/scorpiour/HugeGraph/hugegraph-plugin/example/k8s-service.json");
-        FileInputStream input = new FileInputStream(file);
-        System.out.printf("load file: %s%n", file.toPath());
 
-        try {
-            Long fileLength = file.length();
-            byte[] bytes = new byte[fileLength.intValue()];
+        try (FileInputStream input = new FileInputStream(file)) {
+            System.out.printf("load file: %s%n", file.toPath());
+            long fileLength = file.length();
+            byte[] bytes = new byte[(int) fileLength];
             input.read(bytes);
             String configMap = new String(bytes);
             RegisterConfig config = this.decodeConfigMap(configMap);
             config.setGrpcAddress("127.0.0.1:8686");
             config.setAppName(appName);
             System.out.printf("load file: %s%n", file.toPath());
-            String var8 = this.registerService(config);
-            return var8;
-        } catch (IOException var12) {
-        } finally {
-            input.close();
+            return this.registerService(config);
+        } catch (IOException ignored) {
         }
 
         return "";
