Make Access Key Timestamp check configurable

CHANGES.md

@@ -9,6 +9,7 @@ Apollo 1.10.0
 * [Fix issue that the $ symbol is not used when reading shell variables](https://github.com/ctripcorp/apollo/pull/3890)
 * [Bump xstream from 1.4.17 to 1.4.18](https://github.com/apolloconfig/apollo/pull/3916)
 * [switch apollo.config-service log from warning to info level](https://github.com/ctripcorp/apollo/pull/3884)
+* [Make Access Key Timestamp check configurable](https://github.com/ctripcorp/apollo/pull/3908)
 * [remove ctrip profile](https://github.com/ctripcorp/apollo/pull/3920)
 
 ------------------

apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/config/BizConfig.java

@@ -38,8 +38,9 @@ public class BizConfig extends RefreshableConfig {
   private static final int DEFAULT_APPNAMESPACE_CACHE_REBUILD_INTERVAL = 60; //60s
   private static final int DEFAULT_GRAY_RELEASE_RULE_SCAN_INTERVAL = 60; //60s
   private static final int DEFAULT_APPNAMESPACE_CACHE_SCAN_INTERVAL = 1; //1s
-  private static final int DEFAULT_ACCESSKEY_CACHE_SCAN_INTERVAL = 1; //1s
-  private static final int DEFAULT_ACCESSKEY_CACHE_REBUILD_INTERVAL = 60; //60s
+  private static final int DEFAULT_ACCESS_KEY_CACHE_SCAN_INTERVAL = 1; //1s
+  private static final int DEFAULT_ACCESS_KEY_CACHE_REBUILD_INTERVAL = 60; //60s
+  private static final int DEFAULT_ACCESS_KEY_AUTH_TIME_DIFF_TOLERANCE = 60; //60s
   private static final int DEFAULT_RELEASE_MESSAGE_CACHE_SCAN_INTERVAL = 1; //1s
   private static final int DEFAULT_RELEASE_MESSAGE_SCAN_INTERVAL_IN_MS = 1000; //1000ms
   private static final int DEFAULT_RELEASE_MESSAGE_NOTIFICATION_BATCH = 100;
@@ -138,23 +139,32 @@ public TimeUnit appNamespaceCacheRebuildIntervalTimeUnit() {
   }
 
   public int accessKeyCacheScanInterval() {
-    int interval = getIntProperty("apollo.access-key-cache-scan.interval", DEFAULT_ACCESSKEY_CACHE_SCAN_INTERVAL);
-    return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESSKEY_CACHE_SCAN_INTERVAL);
+    int interval = getIntProperty("apollo.access-key-cache-scan.interval",
+        DEFAULT_ACCESS_KEY_CACHE_SCAN_INTERVAL);
+    return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESS_KEY_CACHE_SCAN_INTERVAL);
   }
 
   public TimeUnit accessKeyCacheScanIntervalTimeUnit() {
     return TimeUnit.SECONDS;
   }
 
   public int accessKeyCacheRebuildInterval() {
-    int interval = getIntProperty("apollo.access-key-cache-rebuild.interval", DEFAULT_ACCESSKEY_CACHE_REBUILD_INTERVAL);
-    return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESSKEY_CACHE_REBUILD_INTERVAL);
+    int interval = getIntProperty("apollo.access-key-cache-rebuild.interval",
+        DEFAULT_ACCESS_KEY_CACHE_REBUILD_INTERVAL);
+    return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_ACCESS_KEY_CACHE_REBUILD_INTERVAL);
   }
 
   public TimeUnit accessKeyCacheRebuildIntervalTimeUnit() {
     return TimeUnit.SECONDS;
   }
 
+  public int accessKeyAuthTimeDiffTolerance() {
+    int authTimeDiffTolerance = getIntProperty("apollo.access-key.auth-time-diff-tolerance",
+        DEFAULT_ACCESS_KEY_AUTH_TIME_DIFF_TOLERANCE);
+    return checkInt(authTimeDiffTolerance, 1, Integer.MAX_VALUE,
+        DEFAULT_ACCESS_KEY_AUTH_TIME_DIFF_TOLERANCE);
+  }
+
   public int releaseMessageCacheScanInterval() {
     int interval = getIntProperty("apollo.release-message-cache-scan.interval", DEFAULT_RELEASE_MESSAGE_CACHE_SCAN_INTERVAL);
     return checkInt(interval, 1, Integer.MAX_VALUE, DEFAULT_RELEASE_MESSAGE_CACHE_SCAN_INTERVAL);

apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/ConfigServiceAutoConfiguration.java

@@ -67,7 +67,7 @@ public static NoOpPasswordEncoder passwordEncoder() {
   public FilterRegistrationBean clientAuthenticationFilter(AccessKeyUtil accessKeyUtil) {
     FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
 
-    filterRegistrationBean.setFilter(new ClientAuthenticationFilter(accessKeyUtil));
+    filterRegistrationBean.setFilter(new ClientAuthenticationFilter(bizConfig, accessKeyUtil));
     filterRegistrationBean.addUrlPatterns("/configs/*");
     filterRegistrationBean.addUrlPatterns("/configfiles/*");
     filterRegistrationBean.addUrlPatterns("/notifications/v2/*");

apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java

@@ -16,6 +16,7 @@
  */
 package com.ctrip.framework.apollo.configservice.filter;
 
+import com.ctrip.framework.apollo.biz.config.BizConfig;
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
@@ -42,16 +43,16 @@ public class ClientAuthenticationFilter implements Filter {
 
   private static final Logger logger = LoggerFactory.getLogger(ClientAuthenticationFilter.class);
 
-  private static final Long TIMESTAMP_INTERVAL = 60 * 1000L;
-
+  private final BizConfig bizConfig;
   private final AccessKeyUtil accessKeyUtil;
 
-  public ClientAuthenticationFilter(AccessKeyUtil accessKeyUtil) {
+  public ClientAuthenticationFilter(BizConfig bizConfig, AccessKeyUtil accessKeyUtil) {
+    this.bizConfig = bizConfig;
     this.accessKeyUtil = accessKeyUtil;
   }
 
   @Override
-  public void init(FilterConfig filterConfig) throws ServletException {
+  public void init(FilterConfig filterConfig) {
     //nothing
   }
 
@@ -106,7 +107,8 @@ private boolean checkTimestamp(String timestamp) {
     }
 
     long x = System.currentTimeMillis() - requestTimeMillis;
-    return x >= -TIMESTAMP_INTERVAL && x <= TIMESTAMP_INTERVAL;
+    long authTimeDiffToleranceInMillis = bizConfig.accessKeyAuthTimeDiffTolerance() * 1000L;
+    return Math.abs(x) < authTimeDiffToleranceInMillis;
   }
 
   private boolean checkAuthorization(String authorization, List<String> availableSecrets,

apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilterTest.java

@@ -22,6 +22,7 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+import com.ctrip.framework.apollo.biz.config.BizConfig;
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.google.common.collect.Lists;
@@ -44,6 +45,8 @@ public class ClientAuthenticationFilterTest {
 
   private ClientAuthenticationFilter clientAuthenticationFilter;
 
+  @Mock
+  private BizConfig bizConfig;
   @Mock
   private AccessKeyUtil accessKeyUtil;
   @Mock
@@ -55,7 +58,7 @@ public class ClientAuthenticationFilterTest {
 
   @Before
   public void setUp() {
-    clientAuthenticationFilter = new ClientAuthenticationFilter(accessKeyUtil);
+    clientAuthenticationFilter = new ClientAuthenticationFilter(bizConfig, accessKeyUtil);
   }
 
   @Test
@@ -113,6 +116,7 @@ public void testUnauthorized() throws Exception {
     when(accessKeyUtil.buildSignature(any(), any(), any(), any())).thenReturn(availableSignature);
     when(request.getHeader(Signature.HTTP_HEADER_TIMESTAMP)).thenReturn(oneMinAgoTimestamp);
     when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn(errorAuthorization);
+    when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);
 
     clientAuthenticationFilter.doFilter(request, response, filterChain);
 
@@ -133,6 +137,7 @@ public void testAuthorizedSuccessfully() throws Exception {
     when(accessKeyUtil.buildSignature(any(), any(), any(), any())).thenReturn(availableSignature);
     when(request.getHeader(Signature.HTTP_HEADER_TIMESTAMP)).thenReturn(oneMinAgoTimestamp);
     when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn(correctAuthorization);
+    when(bizConfig.accessKeyAuthTimeDiffTolerance()).thenReturn(60);
 
     clientAuthenticationFilter.doFilter(request, response, filterChain);
 
@@ -141,4 +146,4 @@ public void testAuthorizedSuccessfully() throws Exception {
     verify(response, never()).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
     verify(filterChain, times(1)).doFilter(request, response);
   }
-}
+}

apollo-configservice/src/test/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtilTest.java

@@ -110,4 +110,4 @@ public void buildSignature() {
     String expectedSignature = "WYjjyJFei6DYiaMlwZjew2O/Yqk=";
     assertThat(actualSignature).isEqualTo(expectedSignature);
   }
-}
+}

docs/zh/deployment/distributed-deployment-guide.md

@@ -1251,3 +1251,9 @@ namespace.value.length.limit.override = {1:200,3:20}
 admin-service.access.tokens=098f6bcd4621d373cade4e832627b4f6
 admin-service.access.tokens=098f6bcd4621d373cade4e832627b4f6,ad0234829205b9033196ba818f7a872b
 ```
+
+### 3.2.8 apollo.access-key.auth-time-diff-tolerance - 配置服务端AccessKey校验容忍的时间偏差
+
+> 适用于1.10.0及以上版本
+
+默认值为60，单位为秒。由于密钥认证时需要校验时间，客户端与服务端的时间可能存在时间偏差，如果偏差太大会导致认证失败，此配置可以配置容忍的时间偏差大小，默认为60秒。