本文主要研究一下dubbo-go-proxy的authorityFilter
dubbo-go-proxy/pkg/filter/authority/authority.go
func Init() {
extension.SetFilterFunc(constant.HTTPAuthorityFilter, authorityFilterFunc())
}
func authorityFilterFunc() context.FilterFunc {
return New().Do()
}
// authorityFilter is a filter for blacklist/whitelist.
type authorityFilter struct {
}
// New create blacklist/whitelist filter.
func New() filter.Filter {
return &authorityFilter{}
}
authorityFilter往extension设置了名为
dgp.filters.http.authority_filter
的authorityFilterFunc;该func执行的是authorityFilter.Do方法
dubbo-go-proxy/pkg/filter/authority/authority.go
// Do execute blacklist/whitelist filter logic.
func (f authorityFilter) Do() context.FilterFunc {
return func(c context.Context) {
f.doAuthorityFilter(c.(*http.HttpContext))
}
}
Do方法执行的是doAuthorityFilter方法
dubbo-go-proxy/pkg/filter/authority/authority.go
func (f authorityFilter) doAuthorityFilter(c *http.HttpContext) {
for _, r := range c.HttpConnectionManager.AuthorityConfig.Rules {
item := c.GetClientIP()
if r.Limit == model.App {
item = c.GetApplicationName()
}
result := passCheck(item, r)
if !result {
c.WriteWithStatus(nh.StatusForbidden, constant.Default403Body)
c.Abort()
return
}
}
c.Next()
}
doAuthorityFilter方法遍历AuthorityConfig的Rules,挨个执行passCheck判断
dubbo-go-proxy/pkg/filter/authority/authority.go
func passCheck(item string, rule model.AuthorityRule) bool {
result := false
for _, it := range rule.Items {
if it == item {
result = true
break
}
}
if (rule.Strategy == model.Blacklist && result == true) || (rule.Strategy == model.Whitelist && result == false) {
return false
}
return true
}
passCheck方法遍历rule.Items,挨个根据Blacklist或者Whitelist判断clientIP是否命中
dubbo-go-proxy的authorityFilter遍历AuthorityConfig的Rules,挨个根据Blacklist或者Whitelist判断clientIP是否命中,命中则无法通过,返回StatusForbidden。