[security] reload whiteList on http seerver (#6302)

* reload whiteList

* white_list add to scaffold
This commit is contained in:
Konstantin Lebedev 2024-12-02 23:38:10 +05:00 committed by GitHub
parent b2ba7d7408
commit b65eb2ec45
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 81 additions and 34 deletions

View File

@ -121,3 +121,7 @@ cert = ""
key = "" key = ""
ca = "" ca = ""
# disable_tls_verify_client_cert = true|false (default: false) # disable_tls_verify_client_cert = true|false (default: false)
# white list. It's checking request ip address.
[guard]
white_list = ""

View File

@ -280,6 +280,7 @@ func (v VolumeServerOptions) startVolumeServer(volumeFolders, maxVolumeCounts, v
clusterHttpServer := v.startClusterHttpService(volumeMux) clusterHttpServer := v.startClusterHttpService(volumeMux)
grace.OnReload(volumeServer.LoadNewVolumes) grace.OnReload(volumeServer.LoadNewVolumes)
grace.OnReload(volumeServer.Reload)
stopChan := make(chan bool) stopChan := make(chan bool)
grace.OnInterrupt(func() { grace.OnInterrupt(func() {

View File

@ -3,11 +3,10 @@ package security
import ( import (
"errors" "errors"
"fmt" "fmt"
"github.com/seaweedfs/seaweedfs/weed/glog"
"net" "net"
"net/http" "net/http"
"strings" "strings"
"github.com/seaweedfs/seaweedfs/weed/glog"
) )
var ( var (
@ -40,24 +39,25 @@ Referenced:
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
*/ */
type Guard struct { type Guard struct {
whiteList []string whiteListIp map[string]struct{}
whiteListCIDR map[string]*net.IPNet
SigningKey SigningKey SigningKey SigningKey
ExpiresAfterSec int ExpiresAfterSec int
ReadSigningKey SigningKey ReadSigningKey SigningKey
ReadExpiresAfterSec int ReadExpiresAfterSec int
isWriteActive bool isWriteActive bool
isEmptyWhiteList bool
} }
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard { func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {
g := &Guard{ g := &Guard{
whiteList: whiteList,
SigningKey: SigningKey(signingKey), SigningKey: SigningKey(signingKey),
ExpiresAfterSec: expiresAfterSec, ExpiresAfterSec: expiresAfterSec,
ReadSigningKey: SigningKey(readSigningKey), ReadSigningKey: SigningKey(readSigningKey),
ReadExpiresAfterSec: readExpiresAfterSec, ReadExpiresAfterSec: readExpiresAfterSec,
} }
g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0 g.UpdateWhiteList(whiteList)
return g return g
} }
@ -90,37 +90,48 @@ func GetActualRemoteHost(r *http.Request) (host string, err error) {
} }
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
if len(g.whiteList) == 0 { if g.isEmptyWhiteList {
return nil return nil
} }
host, err := GetActualRemoteHost(r) host, err := GetActualRemoteHost(r)
if err == nil { if err != nil {
for _, ip := range g.whiteList { return fmt.Errorf("get actual remote host %s in checkWhiteList failed: %v", r.RemoteAddr, err)
}
if _, ok := g.whiteListIp[host]; ok {
return nil
}
for _, cidrnet := range g.whiteListCIDR {
// If the whitelist entry contains a "/" it // If the whitelist entry contains a "/" it
// is a CIDR range, and we should check the // is a CIDR range, and we should check the
// remote host is within it
if strings.Contains(ip, "/") {
_, cidrnet, err := net.ParseCIDR(ip)
if err != nil {
panic(err)
}
remote := net.ParseIP(host) remote := net.ParseIP(host)
if cidrnet.Contains(remote) { if cidrnet.Contains(remote) {
return nil return nil
} }
} }
//
// Otherwise we're looking for a literal match.
//
if ip == host {
return nil
}
}
}
glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr) glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)
return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr) return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)
} }
func (g *Guard) UpdateWhiteList(whiteList []string) {
whiteListIp := make(map[string]struct{})
whiteListCIDR := make(map[string]*net.IPNet)
for _, ip := range whiteList {
if strings.Contains(ip, "/") {
_, cidrnet, err := net.ParseCIDR(ip)
if err != nil {
glog.Errorf("Parse CIDR %s in whitelist failed: %v", ip, err)
}
whiteListCIDR[ip] = cidrnet
} else {
whiteListIp[ip] = struct{}{}
}
}
g.isEmptyWhiteList = len(whiteListIp) == 0 && len(whiteListCIDR) == 0
g.isWriteActive = !g.isEmptyWhiteList || len(g.SigningKey) != 0
g.whiteListIp = whiteListIp
g.whiteListCIDR = whiteListCIDR
}

View File

@ -152,8 +152,8 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
} }
}) })
fs.filer.Cipher = option.Cipher fs.filer.Cipher = option.Cipher
// we do not support IP whitelist right now whiteList := util.StringSplit(v.GetString("guard.white_list"), ",")
fs.filerGuard = security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec) fs.filerGuard = security.NewGuard(whiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
fs.volumeGuard = security.NewGuard([]string{}, volumeSigningKey, volumeExpiresAfterSec, volumeReadSigningKey, volumeReadExpiresAfterSec) fs.volumeGuard = security.NewGuard([]string{}, volumeSigningKey, volumeExpiresAfterSec, volumeReadSigningKey, volumeReadExpiresAfterSec)
fs.checkWithMaster() fs.checkWithMaster()
@ -187,12 +187,12 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
handleStaticResources(defaultMux) handleStaticResources(defaultMux)
if !option.DisableHttp { if !option.DisableHttp {
defaultMux.HandleFunc("/healthz", fs.filerHealthzHandler) defaultMux.HandleFunc("/healthz", fs.filerHealthzHandler)
defaultMux.HandleFunc("/", fs.filerHandler) defaultMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.filerHandler))
} }
if defaultMux != readonlyMux { if defaultMux != readonlyMux {
handleStaticResources(readonlyMux) handleStaticResources(readonlyMux)
readonlyMux.HandleFunc("/healthz", fs.filerHealthzHandler) readonlyMux.HandleFunc("/healthz", fs.filerHealthzHandler)
readonlyMux.HandleFunc("/", fs.readonlyFilerHandler) readonlyMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.readonlyFilerHandler))
} }
existingNodes := fs.filer.ListExistingPeerUpdates(context.Background()) existingNodes := fs.filer.ListExistingPeerUpdates(context.Background())
@ -209,6 +209,7 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
fs.filer.LoadRemoteStorageConfAndMapping() fs.filer.LoadRemoteStorageConfAndMapping()
grace.OnReload(fs.Reload)
grace.OnInterrupt(func() { grace.OnInterrupt(func() {
fs.filer.Shutdown() fs.filer.Shutdown()
}) })
@ -239,5 +240,12 @@ func (fs *FilerServer) checkWithMaster() {
} }
} }
} }
}
func (fs *FilerServer) Reload() {
glog.V(0).Infoln("Reload filer server...")
util.LoadConfiguration("security", false)
v := util.GetViper()
fs.filerGuard.UpdateWhiteList(util.StringSplit(v.GetString("guard.white_list"), ","))
} }

View File

@ -104,6 +104,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se
topology.VolumeGrowStrategy.Copy3Count = v.GetUint32("master.volume_growth.copy_3") topology.VolumeGrowStrategy.Copy3Count = v.GetUint32("master.volume_growth.copy_3")
topology.VolumeGrowStrategy.CopyOtherCount = v.GetUint32("master.volume_growth.copy_other") topology.VolumeGrowStrategy.CopyOtherCount = v.GetUint32("master.volume_growth.copy_other")
topology.VolumeGrowStrategy.Threshold = v.GetFloat64("master.volume_growth.threshold") topology.VolumeGrowStrategy.Threshold = v.GetFloat64("master.volume_growth.threshold")
whiteList := util.StringSplit(v.GetString("guard.white_list"), ",")
var preallocateSize int64 var preallocateSize int64
if option.VolumePreallocate { if option.VolumePreallocate {
@ -133,7 +134,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se
ms.vg = topology.NewDefaultVolumeGrowth() ms.vg = topology.NewDefaultVolumeGrowth()
glog.V(0).Infoln("Volume Size Limit is", ms.option.VolumeSizeLimitMB, "MB") glog.V(0).Infoln("Volume Size Limit is", ms.option.VolumeSizeLimitMB, "MB")
ms.guard = security.NewGuard(ms.option.WhiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec) ms.guard = security.NewGuard(append(ms.option.WhiteList, whiteList...), signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
handleStaticResources2(r) handleStaticResources2(r)
r.HandleFunc("/", ms.proxyToLeader(ms.uiStatusHandler)) r.HandleFunc("/", ms.proxyToLeader(ms.uiStatusHandler))
@ -410,3 +411,13 @@ func (ms *MasterServer) Shutdown() {
} }
ms.Topo.HashicorpRaft.Shutdown() ms.Topo.HashicorpRaft.Shutdown()
} }
func (ms *MasterServer) Reload() {
glog.V(0).Infoln("Reload master server...")
util.LoadConfiguration("security", false)
v := util.GetViper()
ms.guard.UpdateWhiteList(append(ms.option.WhiteList,
util.StringSplit(v.GetString("guard.white_list"), ",")...),
)
}

View File

@ -32,6 +32,7 @@ type VolumeServer struct {
readBufferSizeMB int readBufferSizeMB int
SeedMasterNodes []pb.ServerAddress SeedMasterNodes []pb.ServerAddress
whiteList []string
currentMaster pb.ServerAddress currentMaster pb.ServerAddress
pulseSeconds int pulseSeconds int
dataCenter string dataCenter string
@ -102,7 +103,10 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
hasSlowRead: hasSlowRead, hasSlowRead: hasSlowRead,
readBufferSizeMB: readBufferSizeMB, readBufferSizeMB: readBufferSizeMB,
ldbTimout: ldbTimeout, ldbTimout: ldbTimeout,
whiteList: whiteList,
} }
whiteList = append(whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...)
vs.SeedMasterNodes = masterNodes vs.SeedMasterNodes = masterNodes
vs.checkWithMaster() vs.checkWithMaster()
@ -150,3 +154,11 @@ func (vs *VolumeServer) Shutdown() {
vs.store.Close() vs.store.Close()
glog.V(0).Infoln("Shut down successfully!") glog.V(0).Infoln("Shut down successfully!")
} }
func (vs *VolumeServer) Reload() {
glog.V(0).Infoln("Reload volume server...")
util.LoadConfiguration("security", false)
v := util.GetViper()
vs.guard.UpdateWhiteList(append(vs.whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...))
}