node: 增加 job 安全性检查

2017-03-03 16:00:01 +08:00 · 2017-03-03 16:00:01 +08:00 · 2718dd22e0
parent aedb0f6d10
commit 2718dd22e0
4 changed files with 56 additions and 8 deletions
--- a/conf/files/security.json.sample
+++ b/conf/files/security.json.sample
@ -1,9 +1,9 @@
 {
-    "Open": true,
+    "Open": false,
    "Users": [
        "www", "db"
    ],
    "Ext": [
-        "sh", "py"
+        ".sh", ".py"
    ]
 }
--- a/models/errors.go
+++ b/models/errors.go
@ -13,4 +13,6 @@ var (

 	ErrEmptyNodeGroupName = errors.New("Name of node group is empty.")
 	ErrIllegalNodeGroupId = errors.New("Invalid node group id that includes illegal characters such as '/'.")
+
+	InvalidJobErr = errors.New("invalid job")
 )
--- a/models/job.go
+++ b/models/job.go
@ -120,7 +120,11 @@ func GetJobs() (jobs map[string]*Job, err error) {
 			continue
 		}

-		job.splitCmd()
+		if !job.Valid() {
+			log.Warnf("job[%s] is invalid", string(j.Key))
+			continue
+		}
+
 		jobs[job.ID] = job
 	}
 	return
@ -137,7 +141,9 @@ func GetJobFromKv(kv *mvccpb.KeyValue) (job *Job, err error) {
 		return
 	}

-	job.splitCmd()
+	if !job.Valid() {
+		err = InvalidJobErr
+	}
 	return
 }

@ -282,3 +288,43 @@ func (j *Job) Cmds(nid string, gs map[string]*Group) (cmds map[string]*Cmd) {

 	return
 }
+
+// 安全选项验证
+func (j *Job) Valid() bool {
+	if len(j.cmd) == 0 {
+		j.splitCmd()
+	}
+
+	security := conf.Config.Security
+	if !security.Open {
+		return true
+	}
+
+	return j.validUser() && j.validCmd()
+}
+
+func (j *Job) validUser() bool {
+	if len(conf.Config.Security.Users) == 0 {
+		return true
+	}
+
+	for _, u := range conf.Config.Security.Users {
+		if j.User == u {
+			return true
+		}
+	}
+	return false
+}
+
+func (j *Job) validCmd() bool {
+	if len(conf.Config.Security.Ext) == 0 {
+		return true
+	}
+
+	for _, ext := range conf.Config.Security.Ext {
+		if strings.HasSuffix(j.cmd[0], ext) {
+			return true
+		}
+	}
+	return false
+}
--- a/node/node.go
+++ b/node/node.go
@ -335,7 +335,7 @@ func (n *Node) watchJobs() {
 			case ev.IsCreate():
 				job, err := models.GetJobFromKv(ev.Kv)
 				if err != nil {
-					log.Warnf(err.Error())
+					log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String())
 					continue
 				}

@ -344,7 +344,7 @@ func (n *Node) watchJobs() {
 			case ev.IsModify():
 				job, err := models.GetJobFromKv(ev.Kv)
 				if err != nil {
-					log.Warnf(err.Error())
+					log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String())
 					continue
 				}

@ -367,7 +367,7 @@ func (n *Node) watchGroups() {
 			case ev.IsCreate():
 				g, err := models.GetGroupFromKv(ev.Kv)
 				if err != nil {
-					log.Warnf(err.Error())
+					log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String())
 					continue
 				}

@ -375,7 +375,7 @@ func (n *Node) watchGroups() {
 			case ev.IsModify():
 				g, err := models.GetGroupFromKv(ev.Kv)
 				if err != nil {
-					log.Warnf(err.Error())
+					log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String())
 					continue
 				}