[TD-424] puhua security test develop: ip whitelist

src/inc/taoserror.h

@@ -139,8 +139,9 @@ extern "C" {
 #define TSDB_CODE_TABLE_ID_MISMATCH          118
 #define TSDB_CODE_QUERY_CACHE_ERASED         119
 #define TSDB_CODE_AUTH_BANNED_PERIOD         120
+#define TSDB_CODE_IP_WHITELIST_FILTERED      121
 
-#define TSDB_CODE_MAX_ERROR_CODE             121
+#define TSDB_CODE_MAX_ERROR_CODE             122
 
 #ifdef __cplusplus
 }

src/inc/tglobalcfg.h

@@ -55,6 +55,7 @@ extern char dataDir[];
 extern char logDir[];
 extern char scriptDir[];
 extern char osName[];
+extern int32_t tsWhiteListIps[];
 
 extern char  tsMasterIp[];
 extern char  tsSecondIp[];
@@ -256,7 +257,7 @@ extern int            tsGlobalConfigNum;
 extern char *         tsCfgStatusStr[];
 SGlobalConfig *tsGetConfigOption(const char *option);
 
-#define TSDB_CFG_MAX_NUM    111
+#define TSDB_CFG_MAX_NUM    112
 #define TSDB_CFG_PRINT_LEN  23
 #define TSDB_CFG_OPTION_LEN 24
 #define TSDB_CFG_VALUE_LEN  41

src/inc/tsdb.h

@@ -211,6 +211,7 @@ extern "C" {
 #define TSDB_DATA_NULL_STR_L            "null"
 
 #define TSDB_MAX_RPC_THREADS            5
+#define TSDB_MAX_IP_WHITELIST           10
 
 #define TSDB_QUERY_TYPE_NON_TYPE                       0x00U     // none type
 #define TSDB_QUERY_TYPE_FREE_RESOURCE                  0x01U     // free qhandle at vnode

src/rpc/src/trpc.c

@@ -812,6 +812,16 @@ void taosProcessResponse(SRpcConn *pConn) {
 
 }
 
+int taosCheckIPinWhiteList(int32_t ip) {
+
+  for(int i = 0; i < TSDB_MAX_IP_WHITELIST; i++) {
+    if ((tsWhiteListIps[i] !=0 )&&(ip & tsWhiteListIps[i]) == tsWhiteListIps[i]) return 0;
+  }
+  return TSDB_CODE_IP_WHITELIST_FILTERED;
+
+}
+
+
 int taosProcessMsgHeader(STaosHeader *pHeader, SRpcConn **ppConn, STaosRpc *pServer, int dataLen, uint32_t ip,
                          uint16_t port, void *chandle) {
   int        chann, sid, code = 0;
@@ -825,7 +835,13 @@ int taosProcessMsgHeader(STaosHeader *pHeader, SRpcConn **ppConn, STaosRpc *pSer
   uint32_t destId = htonl(pHeader->destId);
   chann = destId >> pServer->bits;
   sid = destId & pServer->mask;
-
+  if(tscEmbedded){
+    code = taosCheckIPinWhiteList(ip);
+    if (code ) {
+      tError("%s cid:%d sid:%d, ip not in whitelist", pServer->label, chann, sid);
+      return code;
+    }
+  }
   if (pHeader->msgType >= TSDB_MSG_TYPE_MAX || pHeader->msgType <= 0) {
     tTrace("%s cid:%d sid:%d, invalid message type:%d", pServer->label, chann, sid, pHeader->msgType);
     return TSDB_CODE_INVALID_MSG_TYPE;

src/rpc/src/tstring.c

@@ -245,4 +245,5 @@ char *tsError[] = {"success",
                    "table id/uid mismatch",
                    "client query cache erased",     // 119
                    "too many authentication failed, try 10 minutes later",   //120                   
+                   "ip not in white list , connection denied",   //121
 };

src/util/src/tglobalcfg.c

@@ -123,6 +123,8 @@ char tsDefaultPass[64] = DB_COMPANY;
 int  tsMaxMeterConnections = 10000;
 int  tsMaxMgmtConnections = 2000;
 int  tsMaxVnodeConnections = 10000;
+int32_t  tsWhiteListIps[TSDB_MAX_IP_WHITELIST] = {0};
+char  tsWhiteListIp[TSDB_IPv4ADDR_LEN] = {0};
 
 int tsBalanceMonitorInterval = 2;  // seconds
 int tsBalanceStartInterval = 300;  // seconds
@@ -484,6 +486,9 @@ static void doInitGlobalConfig() {
   tsInitConfigOption(cfg++, "httpIp", tsHttpIp, TSDB_CFG_VTYPE_IPSTR,
                      TSDB_CFG_CTYPE_B_CONFIG,
                      0, 0, TSDB_IPv4ADDR_LEN, TSDB_CFG_UTYPE_NONE);
+  tsInitConfigOption(cfg++, "ipWhiteList", tsWhiteListIp, TSDB_CFG_VTYPE_IPSTR,
+                     TSDB_CFG_CTYPE_B_CONFIG | TSDB_CFG_CTYPE_B_CLIENT,
+                     0, 0, TSDB_IPv4ADDR_LEN, TSDB_CFG_UTYPE_NONE);                     
 
   // port
   tsInitConfigOption(cfg++, "httpPort", &tsHttpPort, TSDB_CFG_VTYPE_SHORT,
@@ -1212,7 +1217,60 @@ void tsSetTimeZone() {
 
 #ifndef CLUSTER
 
-bool tsReadGlobalConfigSpec() { return true; }
+bool tsReadGlobalConfigSpec() { 
+
+  FILE * fp;
+  char * line, *option, *value, *value1;
+  size_t len;
+  int    olen, vlen, vlen1;
+  int    netmask;
+  int    i = 0;
+  char   fileName[128];
+
+  sprintf(fileName, "%s/%s.cfg", configDir, DB_CLIENT_NAME);
+  fp = fopen(fileName, "r");
+  if (fp == NULL) {
+  } else {
+    line = NULL;
+    while (!feof(fp)) {
+      tfree(line);
+      line = option = value = NULL;
+      len = olen = vlen = 0;
+
+      getline(&line, &len, fp);
+      if (line == NULL) break;
+
+      paGetToken(line, &option, &olen);
+      if (olen == 0) continue;
+      option[olen] = 0;
+
+      paGetToken(option + olen + 1, &value, &vlen);
+      if (vlen == 0) continue;
+      value[vlen] = 0;
+
+      // For dataDir, the format is:
+      // dataDir    /mnt/disk1    0
+      paGetToken(value + vlen + 1, &value1, &vlen1);
+      if (strncasecmp(option, "ipWhiteList", 11) == 0) {
+        if (!tscEmbedded||i >= TSDB_MAX_IP_WHITELIST) continue;
+        if (vlen1 == 0) {
+          netmask = 32;
+        }else {
+          netmask = (int)atoi(value1);
+          if(netmask >32) netmask = 32;
+        }
+
+        int ipInt = inet_addr(value);
+        tsWhiteListIps[i] = ipInt & (0xFFFFFFFF >> (32 - netmask));
+        i++;        
+      }
+    }
+
+    tfree(line);
+    fclose(fp);
+  }
+  return true;
+}
 
 void tsPrintGlobalConfigSpec() {
   pPrint(" dataDir:                %s", dataDir);