Develop refactor request context (alibaba#12331)

* Add RequestContext and RequestContextHolder.

* build RequestContext when request start.

* Refactor ClientAttributesFilter with RequestContext.

* InstanceController get client ip from request context.

* SubscribeServiceRequestHandler get app from requestcontext.

* config http api support use request context get user, app and source ip.

* Rename nacos request context filter.

* Unified naming request get source ip by request context.

* For checkstyle.

config/src/main/java/com/alibaba/nacos/config/server/utils/RequestUtil.java

@@ -18,6 +18,9 @@
 
 import com.alibaba.nacos.api.common.Constants;
 import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.core.context.RequestContextHolder;
+import com.alibaba.nacos.core.utils.WebUtils;
+import com.alibaba.nacos.plugin.auth.api.IdentityContext;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -28,30 +31,24 @@
  */
 public class RequestUtil {
 
- private static final String X_REAL_IP = "X-Real-IP";
-
- private static final String X_FORWARDED_FOR = "X-Forwarded-For";
-
- private static final String X_FORWARDED_FOR_SPLIT_SYMBOL = ",";
-
  public static final String CLIENT_APPNAME_HEADER = "Client-AppName";
 
  /**
- * get real client ip
- *
- * <p>first use X-Forwarded-For header https://zh.wikipedia.org/wiki/X-Forwarded-For next nginx X-Real-IP last
- * {@link HttpServletRequest#getRemoteAddr()}
+ * Get real client ip from context first, if no value, use
+ * {@link com.alibaba.nacos.core.utils.WebUtils#getRemoteIp(HttpServletRequest)}.
  *
  * @param request {@link HttpServletRequest}
  * @return remote ip address.
  */
  public static String getRemoteIp(HttpServletRequest request) {
- String xForwardedFor = request.getHeader(X_FORWARDED_FOR);
- if (!StringUtils.isBlank(xForwardedFor)) {
- return xForwardedFor.split(X_FORWARDED_FOR_SPLIT_SYMBOL)[0].trim();
+ String remoteIp = RequestContextHolder.getContext().getBasicContext().getAddressContext().getSourceIp();
+ if (StringUtils.isBlank(remoteIp)) {
+ remoteIp = RequestContextHolder.getContext().getBasicContext().getAddressContext().getRemoteIp();
  }
- String nginxHeader = request.getHeader(X_REAL_IP);
- return StringUtils.isBlank(nginxHeader) ? request.getRemoteAddr() : nginxHeader;
+ if (StringUtils.isBlank(remoteIp)) {
+ remoteIp = WebUtils.getRemoteIp(request);
+ }
+ return remoteIp;
  }
 
  /**
@@ -61,7 +58,12 @@ public static String getRemoteIp(HttpServletRequest request) {
  * @return may be return null
  */
  public static String getAppName(HttpServletRequest request) {
- return request.getHeader(CLIENT_APPNAME_HEADER);
+ String result = RequestContextHolder.getContext().getBasicContext().getApp();
+ return isUnknownApp(result) ? request.getHeader(CLIENT_APPNAME_HEADER) : result;
+ }
+
+ private static boolean isUnknownApp(String appName) {
+ return StringUtils.isBlank(appName) || StringUtils.equalsIgnoreCase("unknown", appName);
  }
 
  /**
@@ -71,8 +73,12 @@ public static String getAppName(HttpServletRequest request) {
  * @return may be return null
  */
  public static String getSrcUserName(HttpServletRequest request) {
- String result = (String) request.getSession()
- .getAttribute(com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID);
+ IdentityContext identityContext = RequestContextHolder.getContext().getAuthContext().getIdentityContext();
+ String result = StringUtils.EMPTY;
+ if (null != identityContext) {
+ result = (String) identityContext.getParameter(
+ com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID);
+ }
  // If auth is disabled, get username from parameters by agreed key
  return StringUtils.isBlank(result) ? request.getParameter(Constants.USERNAME) : result;
  }

config/src/test/java/com/alibaba/nacos/config/server/utils/RequestUtilTest.java

@@ -17,11 +17,13 @@
 package com.alibaba.nacos.config.server.utils;
 
 import com.alibaba.nacos.api.common.Constants;
+import com.alibaba.nacos.core.context.RequestContextHolder;
+import com.alibaba.nacos.plugin.auth.api.IdentityContext;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.ArgumentMatchers.eq;
@@ -32,8 +34,13 @@ class RequestUtilTest {
 
  private static final String X_FORWARDED_FOR = "X-Forwarded-For";
 
+ @AfterEach
+ void tearDown() {
+ RequestContextHolder.removeContext();
+ }
+
  @Test
- void testGetRemoteIp() {
+ void testGetRemoteIpFromRequest() {
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
 
  Mockito.when(request.getRemoteAddr()).thenReturn("127.0.0.1");
@@ -56,29 +63,33 @@ void testGetRemoteIp() {
  }
 
  @Test
- void testGetAppName() {
+ void testGetAppNameFromContext() {
+ RequestContextHolder.getContext().getBasicContext().setApp("contextApp");
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getHeader(eq(RequestUtil.CLIENT_APPNAME_HEADER))).thenReturn("test");
+ assertEquals("contextApp", RequestUtil.getAppName(request));
+ }
+
+ @Test
+ void testGetAppNameFromRequest() {
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
  Mockito.when(request.getHeader(eq(RequestUtil.CLIENT_APPNAME_HEADER))).thenReturn("test");
  assertEquals("test", RequestUtil.getAppName(request));
  }
 
  @Test
- void testGetSrcUserNameV1() {
+ void testGetSrcUserNameFromContext() {
+ IdentityContext identityContext = new IdentityContext();
+ identityContext.setParameter(com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID, "test");
+ RequestContextHolder.getContext().getAuthContext().setIdentityContext(identityContext);
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- HttpSession session = Mockito.mock(HttpSession.class);
- Mockito.when(request.getSession()).thenReturn(session);
- Mockito.when(session.getAttribute(eq(com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID))).thenReturn("test");
  assertEquals("test", RequestUtil.getSrcUserName(request));
  }
 
  @Test
- void testGetSrcUserNameV2() {
+ void testGetSrcUserNameFromRequest() {
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- HttpSession session = Mockito.mock(HttpSession.class);
- Mockito.when(request.getSession()).thenReturn(session);
- Mockito.when(session.getAttribute(eq(com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID))).thenReturn(null);
  Mockito.when(request.getParameter(eq(Constants.USERNAME))).thenReturn("parameterName");
  assertEquals("parameterName", RequestUtil.getSrcUserName(request));
  }
-
 }

core/src/main/java/com/alibaba/nacos/core/auth/AuthFilter.java

@@ -22,6 +22,8 @@
 import com.alibaba.nacos.common.utils.ExceptionUtil;
 import com.alibaba.nacos.common.utils.StringUtils;
 import com.alibaba.nacos.core.code.ControllerMethodsCache;
+import com.alibaba.nacos.core.context.RequestContext;
+import com.alibaba.nacos.core.context.RequestContextHolder;
 import com.alibaba.nacos.core.utils.Loggers;
 import com.alibaba.nacos.core.utils.WebUtils;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
@@ -120,11 +122,16 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
  Resource resource = protocolAuthService.parseResource(req, secured);
  IdentityContext identityContext = protocolAuthService.parseIdentity(req);
  boolean result = protocolAuthService.validateIdentity(identityContext, resource);
+ RequestContext requestContext = RequestContextHolder.getContext();
+ requestContext.getAuthContext().setIdentityContext(identityContext);
+ requestContext.getAuthContext().setResource(resource);
+ if (null == requestContext.getAuthContext().getAuthResult()) {
+ requestContext.getAuthContext().setAuthResult(result);
+ }
  if (!result) {
  // TODO Get reason of failure
  throw new AccessException("Validate Identity failed.");
  }
- injectIdentityId(req, identityContext);
  String action = secured.action().toString();
  result = protocolAuthService.validateAuthority(identityContext, new Permission(resource, action));
  if (!result) {
@@ -146,21 +153,4 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
  resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Server failed, " + e.getMessage());
  }
  }
-
- /**
- * Set identity id to request session, make sure some actual logic can get identity information.
- *
- * <p>May be replaced with whole identityContext.
- *
- * @param request http request
- * @param identityContext identity context
- */
- private void injectIdentityId(HttpServletRequest request, IdentityContext identityContext) {
- String identityId = identityContext.getParameter(
- com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID, StringUtils.EMPTY);
- request.getSession()
- .setAttribute(com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_ID, identityId);
- request.getSession().setAttribute(com.alibaba.nacos.plugin.auth.constant.Constants.Identity.IDENTITY_CONTEXT,
- identityContext);
- }
 }

core/src/main/java/com/alibaba/nacos/core/auth/RemoteRequestAuthFilter.java

@@ -24,6 +24,8 @@
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.auth.config.AuthConfigs;
 import com.alibaba.nacos.common.utils.ExceptionUtil;
+import com.alibaba.nacos.core.context.RequestContext;
+import com.alibaba.nacos.core.context.RequestContextHolder;
 import com.alibaba.nacos.core.remote.AbstractRequestFilter;
 import com.alibaba.nacos.core.utils.Loggers;
 import com.alibaba.nacos.plugin.auth.api.IdentityContext;
@@ -75,6 +77,12 @@ public Response filter(Request request, RequestMeta meta, Class handlerClazz) th
  Resource resource = protocolAuthService.parseResource(request, secured);
  IdentityContext identityContext = protocolAuthService.parseIdentity(request);
  boolean result = protocolAuthService.validateIdentity(identityContext, resource);
+ RequestContext requestContext = RequestContextHolder.getContext();
+ requestContext.getAuthContext().setIdentityContext(identityContext);
+ requestContext.getAuthContext().setResource(resource);
+ if (null == requestContext.getAuthContext().getAuthResult()) {
+ requestContext.getAuthContext().setAuthResult(result);
+ }
  if (!result) {
  // TODO Get reason of failure
  throw new AccessException("Validate Identity failed.");

core/src/main/java/com/alibaba/nacos/core/context/RequestContext.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.context;
+
+import com.alibaba.nacos.core.context.addition.AuthContext;
+import com.alibaba.nacos.core.context.addition.BasicContext;
+import com.alibaba.nacos.core.context.addition.EngineContext;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+/**
+ * Nacos request context.
+ *
+ * @author xiweng.yy
+ */
+public class RequestContext {
+
+ /**
+ * Optional, the request id.
+ * <ul>
+ * <li>For HTTP request, the id not usage, will generate automatically.</li>
+ * <li>For GRPC, the id is same with real request id.</li>
+ * </ul>
+ */
+ private String requestId;
+
+ /**
+ * Request start timestamp.
+ */
+ private final long requestTimestamp;
+
+ private final BasicContext basicContext;
+
+ private final EngineContext engineContext;
+
+ private final AuthContext authContext;
+
+ private final Map<String, Object> extensionContexts;
+
+ RequestContext(long requestTimestamp) {
+ this.requestId = UUID.randomUUID().toString();
+ this.requestTimestamp = requestTimestamp;
+ this.basicContext = new BasicContext();
+ this.engineContext = new EngineContext();
+ this.authContext = new AuthContext();
+ this.extensionContexts = new HashMap<>(1);
+ }
+
+ public void setRequestId(String requestId) {
+ this.requestId = requestId;
+ }
+
+ public String getRequestId() {
+ return requestId;
+ }
+
+ public long getRequestTimestamp() {
+ return requestTimestamp;
+ }
+
+ public BasicContext getBasicContext() {
+ return basicContext;
+ }
+
+ public EngineContext getEngineContext() {
+ return engineContext;
+ }
+
+ public AuthContext getAuthContext() {
+ return authContext;
+ }
+
+ public Object getExtensionContext(String key) {
+ return extensionContexts.get(key);
+ }
+
+ public void addExtensionContext(String key, Object value) {
+ extensionContexts.put(key, value);
+ }
+}

core/src/main/java/com/alibaba/nacos/core/context/RequestContextHolder.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.context;
+
+import java.util.function.Supplier;
+
+/**
+ * Holder for request context for each worker thread.
+ *
+ * @author xiweng.yy
+ */
+public class RequestContextHolder {
+
+ private static final Supplier<RequestContext> REQUEST_CONTEXT_FACTORY = () -> {
+ long requestTimestamp = System.currentTimeMillis();
+ return new RequestContext(requestTimestamp);
+ };
+
+ private static final ThreadLocal<RequestContext> CONTEXT_HOLDER = ThreadLocal.withInitial(REQUEST_CONTEXT_FACTORY);
+
+ public static RequestContext getContext() {
+ return CONTEXT_HOLDER.get();
+ }
+
+ public static void removeContext() {
+ CONTEXT_HOLDER.remove();
+ }
+}