From b65eb2ec4569891495ae184bf6090e0e500961e3 Mon Sep 17 00:00:00 2001 From: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.com> Date: Mon, 2 Dec 2024 23:38:10 +0500 Subject: [PATCH] [security] reload whiteList on http seerver (#6302) * reload whiteList * white_list add to scaffold --- weed/command/scaffold/security.toml | 4 ++ weed/command/volume.go | 1 + weed/security/guard.go | 69 +++++++++++++++++------------ weed/server/filer_server.go | 16 +++++-- weed/server/master_server.go | 13 +++++- weed/server/volume_server.go | 12 +++++ 6 files changed, 81 insertions(+), 34 deletions(-) diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml index 113e5b016..8c1b51ac3 100644 --- a/weed/command/scaffold/security.toml +++ b/weed/command/scaffold/security.toml @@ -121,3 +121,7 @@ cert = "" key = "" ca = "" # disable_tls_verify_client_cert = true|false (default: false) + +# white list. It's checking request ip address. +[guard] +white_list = "" diff --git a/weed/command/volume.go b/weed/command/volume.go index 1078d8d6c..2389d5561 100644 --- a/weed/command/volume.go +++ b/weed/command/volume.go @@ -280,6 +280,7 @@ func (v VolumeServerOptions) startVolumeServer(volumeFolders, maxVolumeCounts, v clusterHttpServer := v.startClusterHttpService(volumeMux) grace.OnReload(volumeServer.LoadNewVolumes) + grace.OnReload(volumeServer.Reload) stopChan := make(chan bool) grace.OnInterrupt(func() { diff --git a/weed/security/guard.go b/weed/security/guard.go index 14aacb83c..f92b10044 100644 --- a/weed/security/guard.go +++ b/weed/security/guard.go @@ -3,11 +3,10 @@ package security import ( "errors" "fmt" + "github.com/seaweedfs/seaweedfs/weed/glog" "net" "net/http" "strings" - - "github.com/seaweedfs/seaweedfs/weed/glog" ) var ( @@ -40,24 +39,25 @@ Referenced: https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go */ type Guard struct { - whiteList []string + whiteListIp map[string]struct{} + whiteListCIDR map[string]*net.IPNet SigningKey SigningKey ExpiresAfterSec int ReadSigningKey SigningKey ReadExpiresAfterSec int - isWriteActive bool + isWriteActive bool + isEmptyWhiteList bool } func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard { g := &Guard{ - whiteList: whiteList, SigningKey: SigningKey(signingKey), ExpiresAfterSec: expiresAfterSec, ReadSigningKey: SigningKey(readSigningKey), ReadExpiresAfterSec: readExpiresAfterSec, } - g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0 + g.UpdateWhiteList(whiteList) return g } @@ -90,37 +90,48 @@ func GetActualRemoteHost(r *http.Request) (host string, err error) { } func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { - if len(g.whiteList) == 0 { + if g.isEmptyWhiteList { return nil } host, err := GetActualRemoteHost(r) - if err == nil { - for _, ip := range g.whiteList { - - // If the whitelist entry contains a "/" it - // is a CIDR range, and we should check the - // remote host is within it - if strings.Contains(ip, "/") { - _, cidrnet, err := net.ParseCIDR(ip) - if err != nil { - panic(err) - } - remote := net.ParseIP(host) - if cidrnet.Contains(remote) { - return nil - } - } + if err != nil { + return fmt.Errorf("get actual remote host %s in checkWhiteList failed: %v", r.RemoteAddr, err) + } - // - // Otherwise we're looking for a literal match. - // - if ip == host { - return nil - } + if _, ok := g.whiteListIp[host]; ok { + return nil + } + + for _, cidrnet := range g.whiteListCIDR { + // If the whitelist entry contains a "/" it + // is a CIDR range, and we should check the + remote := net.ParseIP(host) + if cidrnet.Contains(remote) { + return nil } } glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr) return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr) } + +func (g *Guard) UpdateWhiteList(whiteList []string) { + whiteListIp := make(map[string]struct{}) + whiteListCIDR := make(map[string]*net.IPNet) + for _, ip := range whiteList { + if strings.Contains(ip, "/") { + _, cidrnet, err := net.ParseCIDR(ip) + if err != nil { + glog.Errorf("Parse CIDR %s in whitelist failed: %v", ip, err) + } + whiteListCIDR[ip] = cidrnet + } else { + whiteListIp[ip] = struct{}{} + } + } + g.isEmptyWhiteList = len(whiteListIp) == 0 && len(whiteListCIDR) == 0 + g.isWriteActive = !g.isEmptyWhiteList || len(g.SigningKey) != 0 + g.whiteListIp = whiteListIp + g.whiteListCIDR = whiteListCIDR +} diff --git a/weed/server/filer_server.go b/weed/server/filer_server.go index ee052579c..6855a4745 100644 --- a/weed/server/filer_server.go +++ b/weed/server/filer_server.go @@ -152,8 +152,8 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption) } }) fs.filer.Cipher = option.Cipher - // we do not support IP whitelist right now - fs.filerGuard = security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec) + whiteList := util.StringSplit(v.GetString("guard.white_list"), ",") + fs.filerGuard = security.NewGuard(whiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec) fs.volumeGuard = security.NewGuard([]string{}, volumeSigningKey, volumeExpiresAfterSec, volumeReadSigningKey, volumeReadExpiresAfterSec) fs.checkWithMaster() @@ -187,12 +187,12 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption) handleStaticResources(defaultMux) if !option.DisableHttp { defaultMux.HandleFunc("/healthz", fs.filerHealthzHandler) - defaultMux.HandleFunc("/", fs.filerHandler) + defaultMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.filerHandler)) } if defaultMux != readonlyMux { handleStaticResources(readonlyMux) readonlyMux.HandleFunc("/healthz", fs.filerHealthzHandler) - readonlyMux.HandleFunc("/", fs.readonlyFilerHandler) + readonlyMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.readonlyFilerHandler)) } existingNodes := fs.filer.ListExistingPeerUpdates(context.Background()) @@ -209,6 +209,7 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption) fs.filer.LoadRemoteStorageConfAndMapping() + grace.OnReload(fs.Reload) grace.OnInterrupt(func() { fs.filer.Shutdown() }) @@ -239,5 +240,12 @@ func (fs *FilerServer) checkWithMaster() { } } } +} + +func (fs *FilerServer) Reload() { + glog.V(0).Infoln("Reload filer server...") + util.LoadConfiguration("security", false) + v := util.GetViper() + fs.filerGuard.UpdateWhiteList(util.StringSplit(v.GetString("guard.white_list"), ",")) } diff --git a/weed/server/master_server.go b/weed/server/master_server.go index fa45053dd..c6cb7762d 100644 --- a/weed/server/master_server.go +++ b/weed/server/master_server.go @@ -104,6 +104,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se topology.VolumeGrowStrategy.Copy3Count = v.GetUint32("master.volume_growth.copy_3") topology.VolumeGrowStrategy.CopyOtherCount = v.GetUint32("master.volume_growth.copy_other") topology.VolumeGrowStrategy.Threshold = v.GetFloat64("master.volume_growth.threshold") + whiteList := util.StringSplit(v.GetString("guard.white_list"), ",") var preallocateSize int64 if option.VolumePreallocate { @@ -133,7 +134,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se ms.vg = topology.NewDefaultVolumeGrowth() glog.V(0).Infoln("Volume Size Limit is", ms.option.VolumeSizeLimitMB, "MB") - ms.guard = security.NewGuard(ms.option.WhiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec) + ms.guard = security.NewGuard(append(ms.option.WhiteList, whiteList...), signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec) handleStaticResources2(r) r.HandleFunc("/", ms.proxyToLeader(ms.uiStatusHandler)) @@ -410,3 +411,13 @@ func (ms *MasterServer) Shutdown() { } ms.Topo.HashicorpRaft.Shutdown() } + +func (ms *MasterServer) Reload() { + glog.V(0).Infoln("Reload master server...") + + util.LoadConfiguration("security", false) + v := util.GetViper() + ms.guard.UpdateWhiteList(append(ms.option.WhiteList, + util.StringSplit(v.GetString("guard.white_list"), ",")...), + ) +} diff --git a/weed/server/volume_server.go b/weed/server/volume_server.go index 5d7e5c7b0..a3f072eb7 100644 --- a/weed/server/volume_server.go +++ b/weed/server/volume_server.go @@ -32,6 +32,7 @@ type VolumeServer struct { readBufferSizeMB int SeedMasterNodes []pb.ServerAddress + whiteList []string currentMaster pb.ServerAddress pulseSeconds int dataCenter string @@ -102,7 +103,10 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string, hasSlowRead: hasSlowRead, readBufferSizeMB: readBufferSizeMB, ldbTimout: ldbTimeout, + whiteList: whiteList, } + + whiteList = append(whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...) vs.SeedMasterNodes = masterNodes vs.checkWithMaster() @@ -150,3 +154,11 @@ func (vs *VolumeServer) Shutdown() { vs.store.Close() glog.V(0).Infoln("Shut down successfully!") } + +func (vs *VolumeServer) Reload() { + glog.V(0).Infoln("Reload volume server...") + + util.LoadConfiguration("security", false) + v := util.GetViper() + vs.guard.UpdateWhiteList(append(vs.whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...)) +}