From b65eb2ec4569891495ae184bf6090e0e500961e3 Mon Sep 17 00:00:00 2001
From: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>
Date: Mon, 2 Dec 2024 23:38:10 +0500
Subject: [PATCH] [security] reload whiteList on http seerver (#6302)

* reload whiteList

* white_list add to scaffold
---
 weed/command/scaffold/security.toml |  4 ++
 weed/command/volume.go              |  1 +
 weed/security/guard.go              | 67 +++++++++++++++++------------
 weed/server/filer_server.go         | 18 +++++---
 weed/server/master_server.go        | 13 +++++-
 weed/server/volume_server.go        | 12 ++++++
 6 files changed, 81 insertions(+), 34 deletions(-)

diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml
index 113e5b016..8c1b51ac3 100644
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -121,3 +121,7 @@ cert = ""
 key = ""
 ca = ""
 # disable_tls_verify_client_cert = true|false (default: false)
+
+# white list. It's checking request ip address.
+[guard]
+white_list = ""
diff --git a/weed/command/volume.go b/weed/command/volume.go
index 1078d8d6c..2389d5561 100644
--- a/weed/command/volume.go
+++ b/weed/command/volume.go
@@ -280,6 +280,7 @@ func (v VolumeServerOptions) startVolumeServer(volumeFolders, maxVolumeCounts, v
 	clusterHttpServer := v.startClusterHttpService(volumeMux)
 
 	grace.OnReload(volumeServer.LoadNewVolumes)
+	grace.OnReload(volumeServer.Reload)
 
 	stopChan := make(chan bool)
 	grace.OnInterrupt(func() {
diff --git a/weed/security/guard.go b/weed/security/guard.go
index 14aacb83c..f92b10044 100644
--- a/weed/security/guard.go
+++ b/weed/security/guard.go
@@ -3,11 +3,10 @@ package security
 import (
 	"errors"
 	"fmt"
+	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"net"
 	"net/http"
 	"strings"
-
-	"github.com/seaweedfs/seaweedfs/weed/glog"
 )
 
 var (
@@ -40,24 +39,25 @@ Referenced:
 https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
 */
 type Guard struct {
-	whiteList           []string
+	whiteListIp         map[string]struct{}
+	whiteListCIDR       map[string]*net.IPNet
 	SigningKey          SigningKey
 	ExpiresAfterSec     int
 	ReadSigningKey      SigningKey
 	ReadExpiresAfterSec int
 
-	isWriteActive bool
+	isWriteActive    bool
+	isEmptyWhiteList bool
 }
 
 func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {
 	g := &Guard{
-		whiteList:           whiteList,
 		SigningKey:          SigningKey(signingKey),
 		ExpiresAfterSec:     expiresAfterSec,
 		ReadSigningKey:      SigningKey(readSigningKey),
 		ReadExpiresAfterSec: readExpiresAfterSec,
 	}
-	g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
+	g.UpdateWhiteList(whiteList)
 	return g
 }
 
@@ -90,37 +90,48 @@ func GetActualRemoteHost(r *http.Request) (host string, err error) {
 }
 
 func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
-	if len(g.whiteList) == 0 {
+	if g.isEmptyWhiteList {
 		return nil
 	}
 
 	host, err := GetActualRemoteHost(r)
-	if err == nil {
-		for _, ip := range g.whiteList {
+	if err != nil {
+		return fmt.Errorf("get actual remote host %s in checkWhiteList failed: %v", r.RemoteAddr, err)
+	}
 
-			// If the whitelist entry contains a "/" it
-			// is a CIDR range, and we should check the
-			// remote host is within it
-			if strings.Contains(ip, "/") {
-				_, cidrnet, err := net.ParseCIDR(ip)
-				if err != nil {
-					panic(err)
-				}
-				remote := net.ParseIP(host)
-				if cidrnet.Contains(remote) {
-					return nil
-				}
-			}
+	if _, ok := g.whiteListIp[host]; ok {
+		return nil
+	}
 
-			//
-			// Otherwise we're looking for a literal match.
-			//
-			if ip == host {
-				return nil
-			}
+	for _, cidrnet := range g.whiteListCIDR {
+		// If the whitelist entry contains a "/" it
+		// is a CIDR range, and we should check the
+		remote := net.ParseIP(host)
+		if cidrnet.Contains(remote) {
+			return nil
 		}
 	}
 
 	glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)
 	return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)
 }
+
+func (g *Guard) UpdateWhiteList(whiteList []string) {
+	whiteListIp := make(map[string]struct{})
+	whiteListCIDR := make(map[string]*net.IPNet)
+	for _, ip := range whiteList {
+		if strings.Contains(ip, "/") {
+			_, cidrnet, err := net.ParseCIDR(ip)
+			if err != nil {
+				glog.Errorf("Parse CIDR %s in whitelist failed: %v", ip, err)
+			}
+			whiteListCIDR[ip] = cidrnet
+		} else {
+			whiteListIp[ip] = struct{}{}
+		}
+	}
+	g.isEmptyWhiteList = len(whiteListIp) == 0 && len(whiteListCIDR) == 0
+	g.isWriteActive = !g.isEmptyWhiteList || len(g.SigningKey) != 0
+	g.whiteListIp = whiteListIp
+	g.whiteListCIDR = whiteListCIDR
+}
diff --git a/weed/server/filer_server.go b/weed/server/filer_server.go
index ee052579c..6855a4745 100644
--- a/weed/server/filer_server.go
+++ b/weed/server/filer_server.go
@@ -152,8 +152,8 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
 		}
 	})
 	fs.filer.Cipher = option.Cipher
-	// we do not support IP whitelist right now
-	fs.filerGuard = security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
+	whiteList := util.StringSplit(v.GetString("guard.white_list"), ",")
+	fs.filerGuard = security.NewGuard(whiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
 	fs.volumeGuard = security.NewGuard([]string{}, volumeSigningKey, volumeExpiresAfterSec, volumeReadSigningKey, volumeReadExpiresAfterSec)
 
 	fs.checkWithMaster()
@@ -187,12 +187,12 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
 	handleStaticResources(defaultMux)
 	if !option.DisableHttp {
 		defaultMux.HandleFunc("/healthz", fs.filerHealthzHandler)
-		defaultMux.HandleFunc("/", fs.filerHandler)
+		defaultMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.filerHandler))
 	}
 	if defaultMux != readonlyMux {
 		handleStaticResources(readonlyMux)
 		readonlyMux.HandleFunc("/healthz", fs.filerHealthzHandler)
-		readonlyMux.HandleFunc("/", fs.readonlyFilerHandler)
+		readonlyMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.readonlyFilerHandler))
 	}
 
 	existingNodes := fs.filer.ListExistingPeerUpdates(context.Background())
@@ -209,6 +209,7 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
 
 	fs.filer.LoadRemoteStorageConfAndMapping()
 
+	grace.OnReload(fs.Reload)
 	grace.OnInterrupt(func() {
 		fs.filer.Shutdown()
 	})
@@ -239,5 +240,12 @@ func (fs *FilerServer) checkWithMaster() {
 			}
 		}
 	}
-
+}
+
+func (fs *FilerServer) Reload() {
+	glog.V(0).Infoln("Reload filer server...")
+
+	util.LoadConfiguration("security", false)
+	v := util.GetViper()
+	fs.filerGuard.UpdateWhiteList(util.StringSplit(v.GetString("guard.white_list"), ","))
 }
diff --git a/weed/server/master_server.go b/weed/server/master_server.go
index fa45053dd..c6cb7762d 100644
--- a/weed/server/master_server.go
+++ b/weed/server/master_server.go
@@ -104,6 +104,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se
 	topology.VolumeGrowStrategy.Copy3Count = v.GetUint32("master.volume_growth.copy_3")
 	topology.VolumeGrowStrategy.CopyOtherCount = v.GetUint32("master.volume_growth.copy_other")
 	topology.VolumeGrowStrategy.Threshold = v.GetFloat64("master.volume_growth.threshold")
+	whiteList := util.StringSplit(v.GetString("guard.white_list"), ",")
 
 	var preallocateSize int64
 	if option.VolumePreallocate {
@@ -133,7 +134,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se
 	ms.vg = topology.NewDefaultVolumeGrowth()
 	glog.V(0).Infoln("Volume Size Limit is", ms.option.VolumeSizeLimitMB, "MB")
 
-	ms.guard = security.NewGuard(ms.option.WhiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
+	ms.guard = security.NewGuard(append(ms.option.WhiteList, whiteList...), signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
 
 	handleStaticResources2(r)
 	r.HandleFunc("/", ms.proxyToLeader(ms.uiStatusHandler))
@@ -410,3 +411,13 @@ func (ms *MasterServer) Shutdown() {
 	}
 	ms.Topo.HashicorpRaft.Shutdown()
 }
+
+func (ms *MasterServer) Reload() {
+	glog.V(0).Infoln("Reload master server...")
+
+	util.LoadConfiguration("security", false)
+	v := util.GetViper()
+	ms.guard.UpdateWhiteList(append(ms.option.WhiteList,
+		util.StringSplit(v.GetString("guard.white_list"), ",")...),
+	)
+}
diff --git a/weed/server/volume_server.go b/weed/server/volume_server.go
index 5d7e5c7b0..a3f072eb7 100644
--- a/weed/server/volume_server.go
+++ b/weed/server/volume_server.go
@@ -32,6 +32,7 @@ type VolumeServer struct {
 	readBufferSizeMB              int
 
 	SeedMasterNodes []pb.ServerAddress
+	whiteList       []string
 	currentMaster   pb.ServerAddress
 	pulseSeconds    int
 	dataCenter      string
@@ -102,7 +103,10 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 		hasSlowRead:                   hasSlowRead,
 		readBufferSizeMB:              readBufferSizeMB,
 		ldbTimout:                     ldbTimeout,
+		whiteList:                     whiteList,
 	}
+
+	whiteList = append(whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...)
 	vs.SeedMasterNodes = masterNodes
 
 	vs.checkWithMaster()
@@ -150,3 +154,11 @@ func (vs *VolumeServer) Shutdown() {
 	vs.store.Close()
 	glog.V(0).Infoln("Shut down successfully!")
 }
+
+func (vs *VolumeServer) Reload() {
+	glog.V(0).Infoln("Reload volume server...")
+
+	util.LoadConfiguration("security", false)
+	v := util.GetViper()
+	vs.guard.UpdateWhiteList(append(vs.whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...))
+}