apache · YSF-A · Sep 29, 2021 · Sep 29, 2021 · Oct 8, 2021 · Oct 8, 2021
diff --git a/core/src/main/java/io/seata/core/constants/ConfigurationKeys.java b/core/src/main/java/io/seata/core/constants/ConfigurationKeys.java
@@ -449,6 +449,11 @@ public interface ConfigurationKeys {
      */
     String DISTRIBUTED_LOCK_EXPIRE_TIME = SERVER_PREFIX + "distributedLockExpireTime";
 
+    /**
+     * The constant BLACKLIST
+     */
+    String BLACKLIST = SERVER_PREFIX + "blacklist";
+
     /**
      * The constant MIN_SERVER_POOL_SIZE.
      */

diff --git a/core/src/main/java/io/seata/core/rpc/DefaultServerMessageListenerImpl.java b/core/src/main/java/io/seata/core/rpc/DefaultServerMessageListenerImpl.java
@@ -112,7 +112,7 @@ public void onRegRmMessage(RpcMessage request, ChannelHandlerContext ctx, Regist
         boolean isSuccess = false;
         String errorInfo = StringUtils.EMPTY;
         try {
-            if (checkAuthHandler == null || checkAuthHandler.regResourceManagerCheckAuth(message)) {
+            if (checkAuthHandler == null || checkAuthHandler.regResourceManagerCheckAuth(message, ctx)) {
                 ChannelManager.registerRMChannel(message, ctx.channel());
                 Version.putChannelVersion(ctx.channel(), message.getVersion());
                 isSuccess = true;
@@ -144,7 +144,7 @@ public void onRegTmMessage(RpcMessage request, ChannelHandlerContext ctx, Regist
         boolean isSuccess = false;
         String errorInfo = StringUtils.EMPTY;
         try {
-            if (checkAuthHandler == null || checkAuthHandler.regTransactionManagerCheckAuth(message)) {
+            if (checkAuthHandler == null || checkAuthHandler.regTransactionManagerCheckAuth(message, ctx)) {
                 ChannelManager.registerTMChannel(message, ctx.channel());
                 Version.putChannelVersion(ctx.channel(), message.getVersion());
                 isSuccess = true;

diff --git a/core/src/main/java/io/seata/core/rpc/RegisterCheckAuthHandler.java b/core/src/main/java/io/seata/core/rpc/RegisterCheckAuthHandler.java
@@ -15,6 +15,7 @@
  */
 package io.seata.core.rpc;
 
+import io.netty.channel.ChannelHandlerContext;
 import io.seata.core.protocol.RegisterRMRequest;
 import io.seata.core.protocol.RegisterTMRequest;
 
@@ -29,15 +30,17 @@ public interface RegisterCheckAuthHandler {
      * Reg transaction manager check auth boolean.
      *
      * @param request the request
+     * @param ctx the ctx
      * @return the boolean
      */
-    boolean regTransactionManagerCheckAuth(RegisterTMRequest request);
+    boolean regTransactionManagerCheckAuth(RegisterTMRequest request, ChannelHandlerContext ctx);
 
     /**
      * Reg resource manager check auth boolean.
      *
      * @param request the request
+     * @param ctx the ctx
      * @return the boolean
      */
-    boolean regResourceManagerCheckAuth(RegisterRMRequest request);
+    boolean regResourceManagerCheckAuth(RegisterRMRequest request, ChannelHandlerContext ctx);
 }
diff --git a/core/src/main/java/io/seata/core/rpc/processor/server/RegRmProcessor.java b/core/src/main/java/io/seata/core/rpc/processor/server/RegRmProcessor.java
@@ -63,7 +63,7 @@ private void onRegRmMessage(ChannelHandlerContext ctx, RpcMessage rpcMessage) {
         boolean isSuccess = false;
         String errorInfo = StringUtils.EMPTY;
         try {
-            if (null == checkAuthHandler || checkAuthHandler.regResourceManagerCheckAuth(message)) {
+            if (null == checkAuthHandler || checkAuthHandler.regResourceManagerCheckAuth(message, ctx)) {
                 ChannelManager.registerRMChannel(message, ctx.channel());
                 Version.putChannelVersion(ctx.channel(), message.getVersion());
                 isSuccess = true;

diff --git a/core/src/main/java/io/seata/core/rpc/processor/server/RegTmProcessor.java b/core/src/main/java/io/seata/core/rpc/processor/server/RegTmProcessor.java
@@ -64,7 +64,7 @@ private void onRegTmMessage(ChannelHandlerContext ctx, RpcMessage rpcMessage) {
         boolean isSuccess = false;
         String errorInfo = StringUtils.EMPTY;
         try {
-            if (null == checkAuthHandler || checkAuthHandler.regTransactionManagerCheckAuth(message)) {
+            if (null == checkAuthHandler || checkAuthHandler.regTransactionManagerCheckAuth(message, ctx)) {
                 ChannelManager.registerTMChannel(message, ctx.channel());
                 Version.putChannelVersion(ctx.channel(), message.getVersion());
                 isSuccess = true;

diff --git a/.../src/main/java/io/seata/spring/boot/autoconfigure/properties/server/ServerProperties.java b/.../src/main/java/io/seata/spring/boot/autoconfigure/properties/server/ServerProperties.java
@@ -34,6 +34,7 @@ public class ServerProperties {
     private Boolean enableCheckAuth = true;
     private Integer retryDeadThreshold = 130000;
     private Integer servicePort;
+    private String blacklist = null;
 
     public Duration getMaxCommitRetryTimeout() {
         return maxCommitRetryTimeout;
@@ -88,4 +89,13 @@ public ServerProperties setServicePort(Integer servicePort) {
         this.servicePort = servicePort;
         return this;
     }
+
+    public String getBlacklist() {
+        return blacklist;
+    }
+
+    public ServerProperties setBlacklist(String blacklist) {
+        this.blacklist = blacklist;
+        return this;
+    }
 }
diff --git a/server/src/main/java/io/seata/server/auth/AbstractCheckAuthHandler.java b/server/src/main/java/io/seata/server/auth/AbstractCheckAuthHandler.java
@@ -15,6 +15,7 @@
  */
 package io.seata.server.auth;
 
+import io.netty.channel.ChannelHandlerContext;
 import io.seata.config.ConfigurationFactory;
 import io.seata.core.constants.ConfigurationKeys;
 import io.seata.core.protocol.RegisterRMRequest;
@@ -32,22 +33,22 @@ public abstract class AbstractCheckAuthHandler implements RegisterCheckAuthHandl
         ConfigurationKeys.SERVER_ENABLE_CHECK_AUTH, DEFAULT_SERVER_ENABLE_CHECK_AUTH);
 
     @Override
-    public boolean regTransactionManagerCheckAuth(RegisterTMRequest request) {
+    public boolean regTransactionManagerCheckAuth(RegisterTMRequest request, ChannelHandlerContext ctx) {
         if (!ENABLE_CHECK_AUTH) {
             return true;
         }
-        return doRegTransactionManagerCheck(request);
+        return doRegTransactionManagerCheck(request, ctx);
     }
 
-    public abstract boolean doRegTransactionManagerCheck(RegisterTMRequest request);
+    public abstract boolean doRegTransactionManagerCheck(RegisterTMRequest request, ChannelHandlerContext ctx);
 
     @Override
-    public boolean regResourceManagerCheckAuth(RegisterRMRequest request) {
+    public boolean regResourceManagerCheckAuth(RegisterRMRequest request, ChannelHandlerContext ctx) {
         if (!ENABLE_CHECK_AUTH) {
             return true;
         }
-        return doRegResourceManagerCheck(request);
+        return doRegResourceManagerCheck(request, ctx);
     }
 
-    public abstract boolean doRegResourceManagerCheck(RegisterRMRequest request);
+    public abstract boolean doRegResourceManagerCheck(RegisterRMRequest request, ChannelHandlerContext ctx);
 }
diff --git a/server/src/main/java/io/seata/server/auth/Blacklist.java b/server/src/main/java/io/seata/server/auth/Blacklist.java
@@ -0,0 +1,72 @@
+/*
+ *  Copyright 1999-2019 Seata.io Group.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package io.seata.server.auth;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.CopyOnWriteArrayList;
+
+import io.seata.config.ConfigurationChangeEvent;
+import io.seata.config.ConfigurationChangeListener;
+import io.seata.config.ConfigurationFactory;
+import io.seata.core.constants.ConfigurationKeys;
+
+public class Blacklist {
+
+    private static final long DEFAULT_CONFIG_TIMEOUT = 5000;
+
+    private static final String IP_CONFIG_SPLIT_CHAR = ";";
+
+    private List<String> ipList = new CopyOnWriteArrayList<>();
+
+    public Blacklist(String blacklistConfig) {
+        String ips = ConfigurationFactory.getInstance().getConfig(blacklistConfig);
+        if (ips != null) {
+            String[] ipArray = ips.split(IP_CONFIG_SPLIT_CHAR);
+            Collections.addAll(ipList, ipArray);
+        }
+
+        ConfigurationFactory.getInstance().addConfigListener(blacklistConfig, new ConfigurationChangeListener() {
+            @Override
+            public void onChangeEvent(ConfigurationChangeEvent event) {
+                String currentIps = event.getNewValue();
+                clear();
+                if (currentIps == null) {
+                    return;
+                }
+                String[] currentIpArray = currentIps.split(IP_CONFIG_SPLIT_CHAR);
+                Collections.addAll(ipList, currentIpArray);
+            }
+        });
+    }
+
+    public void setIpList(List<String> ipList) {
+        this.ipList = ipList;
+    }
+
+    public List<String> getIpList() {
+        return ipList;
+    }
+
+    public void clear() {
+        ipList.clear();
+    }
+
+    public boolean contains(String address) {
+        return ipList.contains(address);
+    }
+}
+
diff --git a/server/src/main/java/io/seata/server/auth/DefaultCheckAuthHandler.java b/server/src/main/java/io/seata/server/auth/DefaultCheckAuthHandler.java
@@ -15,7 +15,10 @@
  */
 package io.seata.server.auth;
 
+import io.netty.channel.ChannelHandlerContext;
 import io.seata.common.loader.LoadLevel;
+import io.seata.common.util.NetUtil;
+import io.seata.core.constants.ConfigurationKeys;
 import io.seata.core.protocol.RegisterRMRequest;
 import io.seata.core.protocol.RegisterTMRequest;
 
@@ -25,13 +28,23 @@
 @LoadLevel(name = "defaultCheckAuthHandler", order = 100)
 public class DefaultCheckAuthHandler extends AbstractCheckAuthHandler {
 
+    Blacklist blacklist = new Blacklist(ConfigurationKeys.BLACKLIST);
+
     @Override
-    public boolean doRegTransactionManagerCheck(RegisterTMRequest request) {
+    public boolean doRegTransactionManagerCheck(RegisterTMRequest request, ChannelHandlerContext ctx) {
+        String ip = NetUtil.toStringAddress(ctx.channel().remoteAddress()).split(":")[0];
+        if (blacklist.contains(ip)) {
+            return false;
+        }
         return true;
     }
 
     @Override
-    public boolean doRegResourceManagerCheck(RegisterRMRequest request) {
+    public boolean doRegResourceManagerCheck(RegisterRMRequest request, ChannelHandlerContext ctx) {
+        String ip = NetUtil.toStringAddress(ctx.channel().remoteAddress()).split(":")[0];
+        if (blacklist.contains(ip)) {
+            return false;
+        }
         return true;
     }
 }
diff --git a/server/src/main/resources/application.example.yml b/server/src/main/resources/application.example.yml
@@ -108,6 +108,7 @@ seata:
     undo:
       log-save-days: 7
       log-delete-period: 86400000
+    blacklist: 1.1.1.1;2.2.2.2
   store:
     # support: file 、 db 、 redis
     mode: file