From 44e4b59eff1bfad8c555441c79082abf37341625 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Thu, 28 May 2020 13:39:51 +0000 Subject: [PATCH] [TD-424] puhua security test develop: ip whitelist --- src/inc/taoserror.h | 3 +- src/inc/tglobalcfg.h | 3 +- src/inc/tsdb.h | 1 + src/rpc/src/trpc.c | 18 +++++++++++- src/rpc/src/tstring.c | 1 + src/util/src/tglobalcfg.c | 60 ++++++++++++++++++++++++++++++++++++++- 6 files changed, 82 insertions(+), 4 deletions(-) diff --git a/src/inc/taoserror.h b/src/inc/taoserror.h index 99e42377ee..197149d220 100644 --- a/src/inc/taoserror.h +++ b/src/inc/taoserror.h @@ -139,8 +139,9 @@ extern "C" { #define TSDB_CODE_TABLE_ID_MISMATCH 118 #define TSDB_CODE_QUERY_CACHE_ERASED 119 #define TSDB_CODE_AUTH_BANNED_PERIOD 120 +#define TSDB_CODE_IP_WHITELIST_FILTERED 121 -#define TSDB_CODE_MAX_ERROR_CODE 121 +#define TSDB_CODE_MAX_ERROR_CODE 122 #ifdef __cplusplus } diff --git a/src/inc/tglobalcfg.h b/src/inc/tglobalcfg.h index 462d488a6b..ff3936d3b9 100644 --- a/src/inc/tglobalcfg.h +++ b/src/inc/tglobalcfg.h @@ -55,6 +55,7 @@ extern char dataDir[]; extern char logDir[]; extern char scriptDir[]; extern char osName[]; +extern int32_t tsWhiteListIps[]; extern char tsMasterIp[]; extern char tsSecondIp[]; @@ -256,7 +257,7 @@ extern int tsGlobalConfigNum; extern char * tsCfgStatusStr[]; SGlobalConfig *tsGetConfigOption(const char *option); -#define TSDB_CFG_MAX_NUM 111 +#define TSDB_CFG_MAX_NUM 112 #define TSDB_CFG_PRINT_LEN 23 #define TSDB_CFG_OPTION_LEN 24 #define TSDB_CFG_VALUE_LEN 41 diff --git a/src/inc/tsdb.h b/src/inc/tsdb.h index 9d6c2ef16b..8de1c6445f 100644 --- a/src/inc/tsdb.h +++ b/src/inc/tsdb.h @@ -211,6 +211,7 @@ extern "C" { #define TSDB_DATA_NULL_STR_L "null" #define TSDB_MAX_RPC_THREADS 5 +#define TSDB_MAX_IP_WHITELIST 10 #define TSDB_QUERY_TYPE_NON_TYPE 0x00U // none type #define TSDB_QUERY_TYPE_FREE_RESOURCE 0x01U // free qhandle at vnode diff --git a/src/rpc/src/trpc.c b/src/rpc/src/trpc.c index c8f58db1fe..6ee04e5837 100755 
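Review bot: `extern int32_t tsWhiteListIps[];` declares the whitelist entries as signed, yet they hold the bit pattern of an IPv4 address: `inet_addr` returns `in_addr_t` and taosProcessMsgHeader receives the peer as `uint32_t ip`, so every mask-and-compare on these entries mixes signedness, and the conversion in `int ipInt = inet_addr(value)` is implementation-defined for values above INT_MAX. Declare it as `extern uint32_t tsWhiteListIps[];` here and in its definition in src/util/src/tglobalcfg.c (the `@@ -123,6 +123,8 @@` hunk), and give taosCheckIPinWhiteList a matching `uint32_t ip` parameter. A one-line comment on the declaration would also help readers of the header, e.g. `// masked IPv4 prefixes accepted by the embedded server; 0 marks an unused slot`.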
--- a/src/rpc/src/trpc.c +++ b/src/rpc/src/trpc.c @@ -812,6 +812,16 @@ void taosProcessResponse(SRpcConn *pConn) { } +int taosCheckIPinWhiteList(int32_t ip) { + + for(int i = 0; i < TSDB_MAX_IP_WHITELIST; i++) { + if ((tsWhiteListIps[i] !=0 )&&(ip & tsWhiteListIps[i]) == tsWhiteListIps[i]) return 0; + } + return TSDB_CODE_IP_WHITELIST_FILTERED; + +} + + int taosProcessMsgHeader(STaosHeader *pHeader, SRpcConn **ppConn, STaosRpc *pServer, int dataLen, uint32_t ip, uint16_t port, void *chandle) { int chann, sid, code = 0; @@ -825,7 +835,13 @@ int taosProcessMsgHeader(STaosHeader *pHeader, SRpcConn **ppConn, STaosRpc *pSer uint32_t destId = htonl(pHeader->destId); chann = destId >> pServer->bits; sid = destId & pServer->mask; - + if(tscEmbedded){ + code = taosCheckIPinWhiteList(ip); + if (code ) { + tError("%s cid:%d sid:%d, ip not in whitelist", pServer->label, chann, sid); + return code; + } + } if (pHeader->msgType >= TSDB_MSG_TYPE_MAX || pHeader->msgType <= 0) { tTrace("%s cid:%d sid:%d, invalid message type:%d", pServer->label, chann, sid, pHeader->msgType); return TSDB_CODE_INVALID_MSG_TYPE; diff --git a/src/rpc/src/tstring.c b/src/rpc/src/tstring.c index 827942b0e2..4aabae0849 100644 --- a/src/rpc/src/tstring.c +++ b/src/rpc/src/tstring.c @@ -245,4 +245,5 @@ char *tsError[] = {"success", "table id/uid mismatch", "client query cache erased", // 119 "too many authentication failed, try 10 minutes later", //120 + "ip not in white list , connection denied", //121 }; diff --git a/src/util/src/tglobalcfg.c b/src/util/src/tglobalcfg.c index 915c1dc2fa..b363c42a8b 100644 --- a/src/util/src/tglobalcfg.c +++ b/src/util/src/tglobalcfg.c 
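Review bot: `(ip & tsWhiteListIps[i]) == tsWhiteListIps[i]` tests whether the entry's set bits are a subset of the peer address, not whether the peer lies inside the configured prefix: an entry for 10.0.0.0/8 is stored as 0x0A, and every first octet whose bits include 0x0A (11, 14, 26, 138, …) passes as well, so the filter admits far more than the operator wrote. The reader in tglobalcfg.c keeps only the masked address and discards the prefix length, so this function has nothing to compare against; store the mask per entry (a parallel `tsWhiteListMasks[]` filled by tsReadGlobalConfigSpec) and test `if (tsWhiteListMasks[i] != 0 && (ip & tsWhiteListMasks[i]) == tsWhiteListIps[i]) return 0;`. Note also that with no `ipWhiteList` lines the array stays all-zero and every peer is rejected whenever tscEmbedded is set — including CLUSTER builds, where the reader added by this patch is compiled out — so either document that an empty list denies everything or treat it as "no filtering"; likewise a `/0` entry masks to 0 and is skipped by the `!= 0` test, so "allow all" cannot be expressed. The function is not declared in any header in this patch and could be `static`, and its `int32_t ip` parameter should match the `uint32_t ip` the caller passes.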
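Review bot: The rejection at `tError("%s cid:%d sid:%d, ip not in whitelist", ...)` never records which peer was denied, so an operator cannot distinguish a mis-written mask from an unexpected source; log the address as well, e.g. `tError("%s cid:%d sid:%d, ip:0x%x not in whitelist", pServer->label, chann, sid, ip);` (or format it the way other messages in this file print peers, if they do). Placing the check before the message-type validation is reasonable, but taosProcessMsgHeader continues outside the hunk, so confirm no earlier return path lets a message through before this point. `if (code )` and `if(tscEmbedded){` also do not follow the spacing of the neighbouring lines.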
@@ -123,6 +123,8 @@ char tsDefaultPass[64] = DB_COMPANY; int tsMaxMeterConnections = 10000; int tsMaxMgmtConnections = 2000; int tsMaxVnodeConnections = 10000; +int32_t tsWhiteListIps[TSDB_MAX_IP_WHITELIST] = {0}; +char tsWhiteListIp[TSDB_IPv4ADDR_LEN] = {0}; int tsBalanceMonitorInterval = 2; // seconds int tsBalanceStartInterval = 300; // seconds @@ -484,6 +486,9 @@ static void doInitGlobalConfig() { tsInitConfigOption(cfg++, "httpIp", tsHttpIp, TSDB_CFG_VTYPE_IPSTR, TSDB_CFG_CTYPE_B_CONFIG, 0, 0, TSDB_IPv4ADDR_LEN, TSDB_CFG_UTYPE_NONE); + tsInitConfigOption(cfg++, "ipWhiteList", tsWhiteListIp, TSDB_CFG_VTYPE_IPSTR, + TSDB_CFG_CTYPE_B_CONFIG | TSDB_CFG_CTYPE_B_CLIENT, + 0, 0, TSDB_IPv4ADDR_LEN, TSDB_CFG_UTYPE_NONE); // port tsInitConfigOption(cfg++, "httpPort", &tsHttpPort, TSDB_CFG_VTYPE_SHORT, 
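Review bot: `"ipWhiteList"` is registered as a single `TSDB_CFG_VTYPE_IPSTR` option bound to the `TSDB_IPv4ADDR_LEN`-byte buffer tsWhiteListIp, but the syntax the reader in this patch accepts is `ipWhiteList <ip> [prefixlen]` and the key may repeat up to TSDB_MAX_IP_WHITELIST times; the generic config loader will presumably treat each repetition as re-setting one IP-string option (and may reject or truncate the `<ip> <prefixlen>` value), while the list itself is parsed separately in tsReadGlobalConfigSpec. Either register the option with a value type the loader will not validate as a single address, or document the mismatch on this line, e.g. `// registered only so the key is accepted; the list is parsed in tsReadGlobalConfigSpec`. `TSDB_CFG_CTYPE_B_CLIENT` also advertises the option to clients although only the `tscEmbedded` path uses it, and the two globals `tsWhiteListIp` / `tsWhiteListIps` differ by one letter, which invites mix-ups — a name such as `tsWhiteListCfgStr` for the string buffer would be clearer.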
@@ -1212,7 +1217,60 @@ void tsSetTimeZone() { #ifndef CLUSTER -bool tsReadGlobalConfigSpec() { return true; } +bool tsReadGlobalConfigSpec() { + + FILE * fp; + char * line, *option, *value, *value1; + size_t len; + int olen, vlen, vlen1; + int netmask; + int i = 0; + char fileName[128]; + + sprintf(fileName, "%s/%s.cfg", configDir, DB_CLIENT_NAME); + fp = fopen(fileName, "r"); + if (fp == NULL) { + } else { + line = NULL; + while (!feof(fp)) { + tfree(line); + line = option = value = NULL; + len = olen = vlen = 0; + + getline(&line, &len, fp); + if (line == NULL) break; + + paGetToken(line, &option, &olen); + if (olen == 0) continue; + option[olen] = 0; + + paGetToken(option + olen + 1, &value, &vlen); + if (vlen == 0) continue; + value[vlen] = 0; + + // For dataDir, the format is: + // dataDir /mnt/disk1 0 + paGetToken(value + vlen + 1, &value1, &vlen1); + if (strncasecmp(option, "ipWhiteList", 11) == 0) { + if (!tscEmbedded||i >= TSDB_MAX_IP_WHITELIST) continue; + if (vlen1 == 0) { + netmask = 32; + }else { + netmask = (int)atoi(value1); + if(netmask >32) netmask = 32; + } + + int ipInt = inet_addr(value); + tsWhiteListIps[i] = ipInt & (0xFFFFFFFF >> (32 - netmask)); + i++; + } + } + + tfree(line); + fclose(fp); + } + return true; +} void tsPrintGlobalConfigSpec() { pPrint(" dataDir: %s", dataDir); -- GitLab
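Review bot: `getline(&line, &len, fp);` discards its return value and the loop is guarded by `while (!feof(fp))`, so at end of file getline can return -1 with `line` already allocated but unfilled, after which `paGetToken(line, ...)` scans an uninitialized buffer; the loop should be `while (getline(&line, &len, fp) != -1)` with a single `free(line)` after it. The prefix-length handling is also unsafe: `atoi(value1)` is only clamped from above, so `ipWhiteList 10.0.0.0 0` (or a negative or non-numeric value) turns `0xFFFFFFFF >> (32 - netmask)` into a shift by 32 or more, which is undefined; `inet_addr` cannot report a bad address (INADDR_NONE is also 255.255.255.255), so a typo silently becomes an entry; and `inet_addr` returns network byte order while the mask keeps the low bits of the host integer, which selects the leading octets only on little-endian hosts. Smaller points: `sprintf(fileName, ...)` into `char fileName[128]` is unbounded for a long configDir, `strncasecmp(option, "ipWhiteList", 11)` matches any key that merely starts with it although `option` is NUL-terminated, entries beyond TSDB_MAX_IP_WHITELIST are dropped silently, the empty `if (fp == NULL) { }` branch is awkward, and the `// For dataDir, the format is:` comment describes a different option. The rewrite below addresses these with inet_pton/strtol and a network-order mask (`/0` special-cased because a shift by 32 is undefined); it needs `<arpa/inet.h>`, which I cannot see among this file's includes, and uses `tError` on the assumption that this file has the same logging macros as trpc.c. Since the prefix length is still not stored, taosCheckIPinWhiteList in trpc.c cannot do an exact prefix match; saving the mask into a parallel array in this loop is the natural place to fix that.
```c
bool tsReadGlobalConfigSpec() {
  char fileName[128];
  int n = snprintf(fileName, sizeof fileName, "%s/%s.cfg", configDir, DB_CLIENT_NAME);
  if (n < 0 || (size_t)n >= sizeof fileName) return true;  /* path too long; keep the "always true" contract */

  FILE *fp = fopen(fileName, "r");
  if (fp == NULL) return true;

  char *line = NULL;
  size_t len = 0;
  int i = 0;
  while (getline(&line, &len, fp) != -1) {  /* stop on EOF or error, not on feof() */
    /* … unchanged: paGetToken() of option, value and value1 … */
    if (strcasecmp(option, "ipWhiteList") != 0) continue;  /* whole key, not a prefix */
    if (!tscEmbedded) continue;
    if (i >= TSDB_MAX_IP_WHITELIST) {
      tError("ipWhiteList: more than %d entries, ignoring %s", TSDB_MAX_IP_WHITELIST, value);
      continue;
    }

    struct in_addr addr;
    if (inet_pton(AF_INET, value, &addr) != 1) {  /* inet_addr() cannot signal a bad address */
      tError("ipWhiteList: invalid address %s", value);
      continue;
    }

    long netmask = 32;
    if (vlen1 != 0) {
      char *end;
      netmask = strtol(value1, &end, 10);
      if (end == value1 || netmask < 0 || netmask > 32) {
        tError("ipWhiteList: invalid prefix length %s for %s", value1, value);
        continue;
      }
    }
    /* prefix mask in network byte order; /0 is special-cased because a shift by 32 is undefined */
    uint32_t mask = netmask == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - netmask));
    tsWhiteListIps[i] = addr.s_addr & mask;
    i++;
  }
  free(line);
  fclose(fp);
  return true;
}
```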