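NSQ Detailed Tutorial 3: Auth Permission Verification Test

Verifying the Auth mechanism

nsqd can authenticate TCP access through a third-party authentication service. This post tests that feature.

Preparing and starting the authentication service

I have already compiled one that can be downloaded and used directly (click to download).
You can also develop your own or download one from GitHub.
Upload the program and give it execute permission, as follows: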

[root@localhost nsq]# ll
total 9436
drwxr-xr-x. 2 root wheel     154 Aug 16  2021 bin
-rw-r--r--. 1 root root        0 Apr 16 00:31 nsq-1.2.1.linux-amd64.go1.16.6
-rwxr--r--. 1 root root  9655078 May 10  2022 nsq-auth

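nsq-auth -h shows the available parameters. Here the authentication secret is set to 123456 and the service is started as follows. By default the service listens on port 1325: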

[root@localhost nsq]# ./nsq-auth -h
2022/04/17 15:30:44 Usage:
  nsq-auth [OPTIONS]

Application Options:
  -a, --address=  api port default :1325 (default: :1325)
  -i, --identity= identity default zhimiaox-nsq-auth (default: zhimiaox-nsq-auth)
  -u, --auth-url= auth-url (default: http://localhost:1325)
  -t, --ttl=      auth expire duration unit s, default 60 (default: 60)
  -s, --secret=   root secret allow all push and sub topic and channel
  -f, --csv=      csv secret file path

Help Options:
  -h, --help      Show this help message

You have new mail in /var/spool/mail/root
[root@localhost nsq]# ./nsq-auth -s 123456
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /ping                     --> main.(*api).Ping-fm (3 handlers)
[GIN-debug] GET    /auth                     --> main.(*api).Auth-fm (3 handlers)
[GIN-debug] GET    /refresh                  --> main.(*api).Refresh-fm (3 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on :1325

Open the service's ping endpoint in a browser to confirm that the service started correctly.
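What an authentication service of this kind has to implement, as an added example (not nsq-auth's source and not code from the original post): nsqd sends GET /auth with the client's secret and expects a JSON list of authorizations, while a 403 reply rejects the client. The identity `example-auth` and the `NSQ_AUTH_SECRET` environment variable are assumed names; the TTL of 60 matches the default in the help output above.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"os"
)

// Authorization and AuthResponse mirror the JSON body nsqd expects from GET /auth.
type Authorization struct {
	Topic       string   `json:"topic"`
	Channels    []string `json:"channels"`
	Permissions []string `json:"permissions"`
}

type AuthResponse struct {
	TTL            int             `json:"ttl"`
	Identity       string          `json:"identity"`
	IdentityURL    string          `json:"identity_url"`
	Authorizations []Authorization `json:"authorizations"`
}

// Check grants publish and subscribe on every topic and channel when secret
// equals rootSecret (the role of "-s 123456" above). The comparison is
// constant-time, and an empty rootSecret never matches.
func Check(rootSecret, secret string) (AuthResponse, bool) {
	if rootSecret == "" || subtle.ConstantTimeCompare([]byte(secret), []byte(rootSecret)) != 1 {
		return AuthResponse{}, false
	}
	return AuthResponse{TTL: 60, Identity: "example-auth", Authorizations: []Authorization{{
		Topic: ".*", Channels: []string{".*"}, Permissions: []string{"subscribe", "publish"},
	}}}, true
}

func main() {
	root := os.Getenv("NSQ_AUTH_SECRET") // assumed variable name; keeps the secret off the command line
	http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		resp, ok := Check(root, r.URL.Query().Get("secret"))
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden) // the client sees E_AUTH_FAILED
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	})
	log.Fatal(http.ListenAndServe(":1325", nil)) // same port as nsq-auth's default
}
```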

Starting the NSQ services

Start the nsqlookupd, nsqd and nsqadmin services, passing in the address of the authentication service, as follows:

[root@localhost nsq]# bin/nsqlookupd 
[nsqlookupd] 2022/04/17 16:07:28.483336 INFO: nsqlookupd v1.2.1 (built w/go1.16.6)
[nsqlookupd] 2022/04/17 16:07:28.486129 INFO: TCP: listening on [::]:4160
[nsqlookupd] 2022/04/17 16:07:28.486130 INFO: HTTP: listening on [::]:4161
[nsqlookupd] 2022/04/17 16:08:29.604596 INFO: TCP: new client(192.168.195.10:51812)
[root@localhost nsq]# bin/nsqd -auth-http-address "192.168.195.10:1325" -lookupd-tcp-address "192.168.195.10:4160"
[nsqd] 2022/04/17 16:08:29.601832 INFO: nsqd v1.2.1 (built w/go1.16.6)
[nsqd] 2022/04/17 16:08:29.601880 INFO: ID: 856
[nsqd] 2022/04/17 16:08:29.602684 INFO: TOPIC(t1): created
[nsqd] 2022/04/17 16:08:29.602733 INFO: TOPIC(testtopic): created
[nsqd] 2022/04/17 16:08:29.602740 INFO: NSQ: persisting topic/channel metadata to nsqd.dat
[nsqd] 2022/04/17 16:08:29.602897 INFO: DISKQUEUE(t1): readOne() opened t1.diskqueue.000000.dat
[nsqd] 2022/04/17 16:08:29.604075 INFO: LOOKUP(192.168.195.10:4160): adding peer
[nsqd] 2022/04/17 16:08:29.604089 INFO: LOOKUP connecting to 192.168.195.10:4160
[nsqd] 2022/04/17 16:08:29.604193 INFO: HTTP: listening on [::]:4151
[root@localhost nsq]# bin/nsqadmin -lookupd-http-address "192.168.195.10:4161"
[nsqadmin] 2022/04/17 16:09:22.575867 INFO: nsqadmin v1.2.1 (built w/go1.16.6)
[nsqadmin] 2022/04/17 16:09:22.577727 INFO: HTTP: listening on [::]:4171

Writing the NSQ test program

Write a test program that publishes and consumes messages. The code of main_test.go is as follows:

package main

import (
	"fmt"
	"github.com/nsqio/go-nsq"
	"os"
	"os/signal"
	"syscall"
	"testing"
	"time"
)

//AuthHost = "http://192.168.195.10:1325"
//host     = "192.168.195.10:4150"
//Secret   = "123456" //nolint:gosec
const (
	topicName = "t1"
	channel1  = "c1"
	channel2  = "c2"
	address   = "192.168.195.10:4150"
	secret    = "123456"
)

type myMessageHandler struct{}

// HandleMessage implements the Handler interface.
func (h *myMessageHandler) HandleMessage(m *nsq.Message) error {
	fmt.Printf("%s\n", m.Body)
	return nil
}

func TestPush(t *testing.T) {
	config := nsq.NewConfig()
	config.AuthSecret = secret
	producer, err := nsq.NewProducer(address, config)
	if err != nil {
		t.Fatal(err)
	}
	now := time.Now()
	for i := 0; i < 2; i++ {
		messageBody := []byte(fmt.Sprintf("hello %d", i))
		err = producer.Publish(topicName, messageBody)
		if err != nil {
			t.Fatal(err)
		}
		// time.Sleep(3 * time.Second)
	}
	t.Log(time.Since(now))
	producer.Stop()
}

func TestSub1(t *testing.T) {
	config := nsq.NewConfig()
	config.AuthSecret = secret
	consumer, err := nsq.NewConsumer(topicName, channel1, config)
	if err != nil {
		t.Fatal(err)
	}
	consumer.AddHandler(&myMessageHandler{})
	err = consumer.ConnectToNSQD(address)
	if err != nil {
		t.Fatal(err)
	}
	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
	<-sigChan
	consumer.Stop()
}

func TestSub2(t *testing.T) {
	config := nsq.NewConfig()
	config.AuthSecret = secret
	consumer, err := nsq.NewConsumer(topicName, channel2, config)
	if err != nil {
		t.Fatal(err)
	}
	consumer.AddHandler(&myMessageHandler{})
	err = consumer.ConnectToNSQD(address)
	if err != nil {
		t.Fatal(err)
	}
	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
	<-sigChan
	consumer.Stop()
}

//func main() {
//	fmt.Println("hello")
//}

Message publishing test

Run the test command. The messages are published successfully.

PS D:\workspaces\workgotest\gotest> go test -v -run TestPush
=== RUN   TestPush
2022/05/10 18:49:03 INF    1 (192.168.195.10:4150) connecting to nsqd                                                               
2022/05/10 18:49:03 INF    1 (192.168.195.10:4150) Auth accepted. Identity: "zhimiaox-nsq-auth" http://localhost:1325 Permissions: 1
    main_test.go:48: 33.5342ms
2022/05/10 18:49:03 INF    1 (192.168.195.10:4150) stopping
2022/05/10 18:49:03 INF    1 (192.168.195.10:4150) exiting router
--- PASS: TestPush (0.03s)
PASS
ok      gotet   0.065s

At the same time, the authentication service prints an authentication log entry.

The messages we sent can also be seen in nsqadmin.

Testing with a changed client secret

Change the secret in the test code to 1234567:

secret    = "1234567"

Run the test above again. Publishing now fails, and the error reports that authentication failed when connecting to NSQ.

PS D:\workspaces\workgotest\gotest> go test -v -run TestPush 
=== RUN   TestPush
2022/05/10 18:52:34 INF    1 (192.168.195.10:4150) connecting to nsqd
2022/05/10 18:52:34 ERR    1 (192.168.195.10:4150) Auth Failed Error authenticating E_AUTH_FAILED AUTH failed
2022/05/10 18:52:34 ERR    1 (192.168.195.10:4150) error connecting to nsqd - Error authenticating E_AUTH_FAILED AUTH failed
    main_test.go:44: Error authenticating E_AUTH_FAILED AUTH failed
--- FAIL: TestPush (0.03s)
FAIL
exit status 1
FAIL    gotet   0.065s

The authentication service receives one authentication request, with the secret 1234567:

[GIN] 2022/04/17 - 16:17:35 | 403 |      42.509µs |  192.168.195.10 | GET      "/auth?common_name=&remote_ip=192.168.195.1&secret=1234567&tls=false"
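The log line above shows that nsqd passes the client's secret to the authentication service in the query string, so the secret lands in the access log in clear text. The following added example (not part of the original post) masks the secret value and counts 403 responses per remote_ip; apart from its first line, the sample log is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the first line is the one shown above, the other two are made up.
const sampleLog = `[GIN] 2022/04/17 - 16:17:35 | 403 |      42.509µs |  192.168.195.10 | GET      "/auth?common_name=&remote_ip=192.168.195.1&secret=1234567&tls=false"
[GIN] 2022/04/17 - 16:17:36 | 403 |      40.100µs |  192.168.195.10 | GET      "/auth?common_name=&remote_ip=192.168.195.1&secret=12345678&tls=false"
[GIN] 2022/04/17 - 16:18:02 | 200 |      55.730µs |  192.168.195.10 | GET      "/auth?common_name=&remote_ip=192.168.195.20&secret=123456&tls=false"`

// ginAuth captures the status code and the query string of a GIN access-log line for /auth.
var ginAuth = regexp.MustCompile(`^\[GIN\] .*?\| *(\d{3}) *\|.*"/auth\?([^"]*)"$`)
var secretValue = regexp.MustCompile(`([?&]secret=)[^&"\s]*`) // value of the secret parameter

// AuthEvent is one /auth lookup that nsqd made on behalf of a TCP client.
type AuthEvent struct {
	Status   string
	ClientIP string // remote_ip parameter: the NSQ client, not nsqd itself
	Redacted string // the log line with the secret value masked
}

// ParseAuthLine extracts an AuthEvent; ok is false for any other log line.
func ParseAuthLine(line string) (ev AuthEvent, ok bool) {
	m := ginAuth.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return ev, false
	}
	q, _ := url.ParseQuery(m[2]) // still returns the parameters that did parse
	return AuthEvent{Status: m[1], ClientIP: q.Get("remote_ip"), Redacted: secretValue.ReplaceAllString(line, "${1}REDACTED")}, true
}

// FailedByClient counts 403 responses per client IP.
func FailedByClient(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := ParseAuthLine(line); ok && ev.Status == "403" {
			counts[ev.ClientIP]++
		}
	}
	return counts
}

func main() {
	fmt.Println(FailedByClient(sampleLog))
}
```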

Message consumption test

Run the subscribe test method. When the secret is incorrect, it also reports that authentication failed.

PS D:\workspaces\workgotest\gotest> go test -v -run TestSub1
=== RUN   TestSub1
2022/05/10 19:03:54 INF    1 [t1/c1] (192.168.195.10:4150) connecting to nsqd
2022/05/10 19:03:54 ERR    1 [t1/c1] (192.168.195.10:4150) Auth Failed Error authenticating E_AUTH_FAILED AUTH failed
    main_test.go:62: Error authenticating E_AUTH_FAILED AUTH failed
--- FAIL: TestSub1 (0.03s)
FAIL
exit status 1
FAIL    gotet   0.065s

With the correct secret, messages are consumed normally.

PS D:\workspaces\workgotest\gotest> go test -v -run TestSub1
=== RUN   TestSub1
2022/05/10 19:05:13 INF    1 [t1/c1] (192.168.195.10:4150) connecting to nsqd
2022/05/10 19:05:13 INF    1 [t1/c1] (192.168.195.10:4150) Auth accepted. Identity: "zhimiaox-nsq-auth" http://localhost:1325 Permissions: 1
hello 0
hello 0
hello 1
hello 1

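Summary

1. This authentication method is somewhat cumbersome: you have to set up and deploy the authentication service yourself.
2. This authentication method only applies to TCP access. It has no effect on the HTTP interface, so the HTTP interface needs to be hidden.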
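One way to check point 2 from the startup log, as an added example that is not from the original post: it lists the HTTP listeners of a component that are not bound to a loopback address, such as the [::]:4151 seen in the nsqd output above. The 127.0.0.1 sample line is constructed and assumes nsqd was restarted with -http-address 127.0.0.1:4151.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed sample: the [::] lines come from the startup logs above; the
// 127.0.0.1 line assumes a restart with -http-address 127.0.0.1:4151.
const startupLog = `[nsqd] 2022/04/17 16:08:29.604193 INFO: HTTP: listening on [::]:4151
[nsqadmin] 2022/04/17 16:09:22.577727 INFO: HTTP: listening on [::]:4171
[nsqd] 2022/04/17 16:30:00.000000 INFO: HTTP: listening on 127.0.0.1:4151`

// httpListen captures the component name and the HTTP listen address.
var httpListen = regexp.MustCompile(`^\[(\w+)\] .* HTTP: listening on (\S+)$`)

// ExposedHTTP returns the HTTP listen addresses logged by component that are
// not bound to a loopback address.
func ExposedHTTP(log, component string) []string {
	var exposed []string
	for _, line := range strings.Split(log, "\n") {
		m := httpListen.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil || m[1] != component {
			continue
		}
		host, _, err := net.SplitHostPort(m[2])
		if err != nil {
			continue
		}
		// "::" and "0.0.0.0" mean every interface; a host that is not an IP is
		// reported as well, to stay on the cautious side.
		if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
			exposed = append(exposed, m[2])
		}
	}
	return exposed
}

func main() {
	fmt.Println(ExposedHTTP(startupLog, "nsqd"))
}
```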
