apolloconfig
diff --git a/‎CHANGES.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGES.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/controller/AccessKeyController.java‎
Lines changed: 7 additions & 1 deletion b/‎apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/controller/AccessKeyController.java‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/entity/AccessKey.java‎
Lines changed: 12 additions & 1 deletion b/‎apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/entity/AccessKey.java‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/service/AccessKeyService.java‎
Lines changed: 1 addition & 0 deletions b/‎apollo-biz/src/main/java/com/ctrip/framework/apollo/biz/service/AccessKeyService.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apollo-biz/src/test/resources/sql/accesskey-test.sql‎
Lines changed: 5 additions & 5 deletions b/‎apollo-biz/src/test/resources/sql/accesskey-test.sql‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎apollo-common/src/main/java/com/ctrip/framework/apollo/common/constants/AccessKeyMode.java‎
Lines changed: 25 additions & 0 deletions b/‎apollo-common/src/main/java/com/ctrip/framework/apollo/common/constants/AccessKeyMode.java‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎apollo-common/src/main/java/com/ctrip/framework/apollo/common/dto/AccessKeyDTO.java‎
Lines changed: 10 additions & 0 deletions b/‎apollo-common/src/main/java/com/ctrip/framework/apollo/common/dto/AccessKeyDTO.java‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java‎
Lines changed: 53 additions & 15 deletions b/‎apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/filter/ClientAuthenticationFilter.java‎
Lines changed: 53 additions & 15 deletions
diff --git a/‎apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/service/AccessKeyServiceWithCache.java‎
Lines changed: 11 additions & 2 deletions b/‎apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/service/AccessKeyServiceWithCache.java‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtil.java‎
Lines changed: 4 additions & 0 deletions b/‎apollo-configservice/src/main/java/com/ctrip/framework/apollo/configservice/util/AccessKeyUtil.java‎
Lines changed: 4 additions & 0 deletions
@@ -11,6 +11,7 @@ Apollo 2.4.0
 * [Fix: Resolve issues with duplicate comments and blank lines in configuration management](https://github.com/apolloconfig/apollo/pull/5232)
 * [Fix link namespace published items show missing some items](https://github.com/apolloconfig/apollo/pull/5240)
 * [Feature: Add limit and whitelist for namespace count per appid+cluster](https://github.com/apolloconfig/apollo/pull/5228)
+* [Feature support the observe status access-key for pre-check and logging only](https://github.com/apolloconfig/apollo/pull/5236)
 * [Feature add limit for items count per namespace](https://github.com/apolloconfig/apollo/pull/5227)
 
 ------------------
 
@@ -16,6 +16,8 @@
  */
 package com.ctrip.framework.apollo.adminservice.controller;
 
+import static com.ctrip.framework.apollo.common.constants.AccessKeyMode.FILTER;
+
 import com.ctrip.framework.apollo.biz.entity.AccessKey;
 import com.ctrip.framework.apollo.biz.service.AccessKeyService;
 import com.ctrip.framework.apollo.common.dto.AccessKeyDTO;
@@ -27,6 +29,7 @@
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 /**
@@ -61,9 +64,11 @@ public void delete(@PathVariable String appId, @PathVariable long id, String ope
   }
 
   @PutMapping(value = "/apps/{appId}/accesskeys/{id}/enable")
-  public void enable(@PathVariable String appId, @PathVariable long id, String operator) {
+  public void enable(@PathVariable String appId, @PathVariable long id,
+      @RequestParam(required = false, defaultValue = "" + FILTER) int mode, String operator) {
     AccessKey entity = new AccessKey();
     entity.setId(id);
+    entity.setMode(mode);
     entity.setEnabled(true);
     entity.setDataChangeLastModifiedBy(operator);
 
@@ -74,6 +79,7 @@ public void enable(@PathVariable String appId, @PathVariable long id, String ope
   public void disable(@PathVariable String appId, @PathVariable long id, String operator) {
     AccessKey entity = new AccessKey();
     entity.setId(id);
+    entity.setMode(FILTER);
     entity.setEnabled(false);
     entity.setDataChangeLastModifiedBy(operator);
 
 
@@ -36,6 +36,9 @@ public class AccessKey extends BaseEntity {
   @Column(name = "`Secret`", nullable = false)
   private String secret;
 
+  @Column(name = "`Mode`")
+  private int mode;
+
   @Column(name = "`IsEnabled`", columnDefinition = "Bit default '0'")
   private boolean enabled;
 
@@ -55,6 +58,14 @@ public void setSecret(String secret) {
     this.secret = secret;
   }
 
+  public int getMode() {
+    return mode;
+  }
+
+  public void setMode(int mode) {
+    this.mode = mode;
+  }
+
   public boolean isEnabled() {
     return enabled;
   }
@@ -66,6 +77,6 @@ public void setEnabled(boolean enabled) {
   @Override
   public String toString() {
     return toStringHelper().add("appId", appId).add("secret", secret)
-        .add("enabled", enabled).toString();
+        .add("mode", mode).add("enabled", enabled).toString();
   }
 }
@@ -74,6 +74,7 @@ public AccessKey update(String appId, AccessKey entity) {
       throw BadRequestException.accessKeyNotExists();
     }
 
+    accessKey.setMode(entity.getMode());
     accessKey.setEnabled(entity.isEnabled());
     accessKey.setDataChangeLastModifiedBy(operator);
     accessKeyRepository.save(accessKey);
 
@@ -13,9 +13,9 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
-INSERT INTO "AccessKey" (`Id`, `AppId`, `Secret`, `IsEnabled`, `IsDeleted`, `DataChange_CreatedBy`, `DataChange_CreatedTime`, `DataChange_LastModifiedBy`, `DataChange_LastTime`)
+INSERT INTO "AccessKey" (`Id`, `AppId`, `Secret`, `Mode`, `IsEnabled`, `IsDeleted`, `DataChange_CreatedBy`, `DataChange_CreatedTime`, `DataChange_LastModifiedBy`, `DataChange_LastTime`)
 VALUES
-	(1, 'someAppId', 'someSecret', 0, 0, 'apollo', '2019-12-19 10:28:40', 'apollo', '2019-12-19 10:28:40'),
-	(2, '100004458', 'c715cbc80fc44171b43732c3119c9456', 0, 0, 'apollo', '2019-12-19 10:39:54', 'apollo', '2019-12-19 14:46:35'),
-	(3, '100004458', '25a0e68d2a3941edb1ed3ab6dd0646cd', 0, 1, 'apollo', '2019-12-19 13:44:13', 'apollo', '2019-12-19 13:44:19'),
-	(4, '100004458', '4003c4d7783443dc9870932bebf3b7fe', 0, 0, 'apollo', '2019-12-19 13:43:52', 'apollo', '2019-12-19 13:44:21');
+	(1, 'someAppId', 'someSecret', 0, 0, 0, 'apollo', '2019-12-19 10:28:40', 'apollo', '2019-12-19 10:28:40'),
+	(2, '100004458', 'c715cbc80fc44171b43732c3119c9456', 0, 0, 0, 'apollo', '2019-12-19 10:39:54', 'apollo', '2019-12-19 14:46:35'),
+	(3, '100004458', '25a0e68d2a3941edb1ed3ab6dd0646cd', 0, 0, 1, 'apollo', '2019-12-19 13:44:13', 'apollo', '2019-12-19 13:44:19'),
+	(4, '100004458', '4003c4d7783443dc9870932bebf3b7fe', 0, 0, 0, 'apollo', '2019-12-19 13:43:52', 'apollo', '2019-12-19 13:44:21');
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo.common.constants;
+
+public interface AccessKeyMode {
+
+  int FILTER = 0;
+
+  int OBSERVER = 1;
+
+}
@@ -24,6 +24,8 @@ public class AccessKeyDTO extends BaseDTO {
 
   private String appId;
 
+  private Integer mode;
+
   private Boolean enabled;
 
   public Long getId() {
@@ -50,6 +52,14 @@ public void setAppId(String appId) {
     this.appId = appId;
   }
 
+  public Integer getMode() {
+    return mode;
+  }
+
+  public void setMode(Integer mode) {
+    this.mode = mode;
+  }
+
   public Boolean getEnabled() {
     return enabled;
   }
 
@@ -17,9 +17,11 @@
 package com.ctrip.framework.apollo.configservice.filter;
 
 import com.ctrip.framework.apollo.biz.config.BizConfig;
+import com.ctrip.framework.apollo.common.utils.WebUtils;
 import com.ctrip.framework.apollo.configservice.util.AccessKeyUtil;
 import com.ctrip.framework.apollo.core.signature.Signature;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
+import com.ctrip.framework.apollo.tracer.Tracer;
 import com.google.common.net.HttpHeaders;
 import java.io.IOException;
 import java.util.List;
@@ -70,29 +72,60 @@ public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain
 
     List<String> availableSecrets = accessKeyUtil.findAvailableSecret(appId);
     if (!CollectionUtils.isEmpty(availableSecrets)) {
-      String timestamp = request.getHeader(Signature.HTTP_HEADER_TIMESTAMP);
-      String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
-
-      // check timestamp, valid within 1 minute
-      if (!checkTimestamp(timestamp)) {
-        logger.warn("Invalid timestamp. appId={},timestamp={}", appId, timestamp);
-        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "RequestTimeTooSkewed");
+      if (!doCheck(request, response, appId, availableSecrets, false)) {
         return;
       }
-
-      // check signature
-      String uri = request.getRequestURI();
-      String query = request.getQueryString();
-      if (!checkAuthorization(authorization, availableSecrets, timestamp, uri, query)) {
-        logger.warn("Invalid authorization. appId={},authorization={}", appId, authorization);
-        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
-        return;
+    } else {
+      // pre-check for observable secrets
+      List<String> observableSecrets = accessKeyUtil.findObservableSecrets(appId);
+      if (!CollectionUtils.isEmpty(observableSecrets)) {
+        doCheck(request, response, appId, observableSecrets, true);
       }
     }
 
     chain.doFilter(request, response);
   }
 
+  /**
+   * Performs authentication checks(timestamp and signature) for the request.
+   *
+   * @param preCheck Boolean flag indicating whether this is a pre-check
+   * @return true if authentication checks is successful, false otherwise
+   */
+  private boolean doCheck(HttpServletRequest req, HttpServletResponse resp,
+      String appId, List<String> secrets, boolean preCheck) throws IOException {
+
+    String timestamp = req.getHeader(Signature.HTTP_HEADER_TIMESTAMP);
+    String authorization = req.getHeader(HttpHeaders.AUTHORIZATION);
+    String ip = WebUtils.tryToGetClientIp(req);
+
+    // check timestamp, valid within 1 minute
+    if (!checkTimestamp(timestamp)) {
+      if (preCheck) {
+        preCheckInvalidLogging(String.format("Invalid timestamp in pre-check. "
+            + "appId=%s,clientIp=%s,timestamp=%s", appId, ip, timestamp));
+      } else {
+        logger.warn("Invalid timestamp. appId={},clientIp={},timestamp={}", appId, ip, timestamp);
+        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "RequestTimeTooSkewed");
+        return false;
+      }
+    }
+
+    // check signature
+    if (!checkAuthorization(authorization, secrets, timestamp, req.getRequestURI(), req.getQueryString())) {
+      if (preCheck) {
+        preCheckInvalidLogging(String.format("Invalid authorization in pre-check. "
+            + "appId=%s,clientIp=%s,authorization=%s", appId, ip, authorization));
+      } else {
+        logger.warn("Invalid authorization. appId={},clientIp={},authorization={}", appId, ip, authorization);
+        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
+        return false;
+      }
+    }
+
+    return true;
+  }
+
   @Override
   public void destroy() {
     //nothing
@@ -130,4 +163,9 @@ private boolean checkAuthorization(String authorization, List<String> availableS
     }
     return false;
   }
+
+  protected void preCheckInvalidLogging(String message) {
+    logger.warn(message);
+    Tracer.logEvent("Apollo.AccessKey.PreCheck", message);
+  }
 }
@@ -19,6 +19,7 @@
 import com.ctrip.framework.apollo.biz.config.BizConfig;
 import com.ctrip.framework.apollo.biz.entity.AccessKey;
 import com.ctrip.framework.apollo.biz.repository.AccessKeyRepository;
+import com.ctrip.framework.apollo.common.constants.AccessKeyMode;
 import com.ctrip.framework.apollo.core.utils.ApolloThreadFactory;
 import com.ctrip.framework.apollo.tracer.Tracer;
 import com.ctrip.framework.apollo.tracer.spi.Transaction;
@@ -37,11 +38,11 @@
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.util.CollectionUtils;
 
@@ -86,13 +87,21 @@ private void initialize() {
   }
 
   public List<String> getAvailableSecrets(String appId) {
+    return getSecrets(appId, key -> key.isEnabled() && key.getMode() == AccessKeyMode.FILTER);
+  }
+
+  public List<String> getObservableSecrets(String appId) {
+    return getSecrets(appId, key -> key.isEnabled() && key.getMode() == AccessKeyMode.OBSERVER);
+  }
+
+  public List<String> getSecrets(String appId, Predicate<AccessKey> filter) {
     List<AccessKey> accessKeys = accessKeyCache.get(appId);
     if (CollectionUtils.isEmpty(accessKeys)) {
       return Collections.emptyList();
     }
 
     return accessKeys.stream()
-        .filter(AccessKey::isEnabled)
+        .filter(filter)
         .map(AccessKey::getSecret)
         .collect(Collectors.toList());
   }
 
@@ -46,6 +46,10 @@ public List<String> findAvailableSecret(String appId) {
     return accessKeyServiceWithCache.getAvailableSecrets(appId);
   }
 
+  public List<String> findObservableSecrets(String appId) {
+    return accessKeyServiceWithCache.getObservableSecrets(appId);
+  }
+
   public String extractAppIdFromRequest(HttpServletRequest request) {
     String appId = null;
     String servletPath = request.getServletPath();
Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,7 @@ public AccessKey update(String appId, AccessKey entity) {`
`74`	`74`	`throw BadRequestException.accessKeyNotExists();`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ accessKey.setMode(entity.getMode());`
`77`	`78`	`accessKey.setEnabled(entity.isEnabled());`
`78`	`79`	`accessKey.setDataChangeLastModifiedBy(operator);`
`79`	`80`	`accessKeyRepository.save(accessKey);`