Merge pull request #618 from ywk253100/security_check_on_jobservice

add security check on job service
2024-09-28 21:37:31 +02:00 · 2016-08-05 14:53:38 +08:00 · 2016-08-05 14:53:38 +08:00 · 4fc9373fec
commit 4fc9373fec
parent 7efe419518 c4081f9aa3
3 changed files with 57 additions and 3 deletions
--- a/api/jobs/replication.go
+++ b/api/jobs/replication.go
@ -46,6 +46,27 @@ type ReplicationReq struct {
 	TagList   []string `json:"tags"`
 }

+// Prepare ...
+func (rj *ReplicationJob) Prepare() {
+	rj.authenticate()
+}
+
+func (rj *ReplicationJob) authenticate() {
+	cookie, err := rj.Ctx.Request.Cookie(models.UISecretCookie)
+	if err != nil && err != http.ErrNoCookie {
+		log.Errorf("failed to get cookie %s: %v", models.UISecretCookie, err)
+		rj.CustomAbort(http.StatusInternalServerError, "")
+	}
+
+	if err == http.ErrNoCookie {
+		rj.CustomAbort(http.StatusUnauthorized, "")
+	}
+
+	if cookie.Value != config.UISecret() {
+		rj.CustomAbort(http.StatusForbidden, "")
+	}
+}
+
 // Post creates replication jobs according to the policy.
 func (rj *ReplicationJob) Post() {
 	var data ReplicationReq
--- a/api/replication_job.go
+++ b/api/replication_job.go
@ -147,7 +147,14 @@ func (ra *RepJobAPI) GetLog() {
 		ra.CustomAbort(http.StatusBadRequest, "id is nil")
 	}

-	resp, err := http.Get(buildJobLogURL(strconv.FormatInt(ra.jobID, 10)))
+	req, err := http.NewRequest("GET", buildJobLogURL(strconv.FormatInt(ra.jobID, 10)), nil)
+	if err != nil {
+		log.Errorf("failed to create a request: %v", err)
+		ra.CustomAbort(http.StatusInternalServerError, "")
+	}
+	addAuthentication(req)
+	client := &http.Client{}
+	resp, err := client.Do(req)
 	if err != nil {
 		log.Errorf("failed to get log for job %d: %v", ra.jobID, err)
 		ra.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
--- a/api/utils.go
+++ b/api/utils.go
@ -115,7 +115,14 @@ func TriggerReplication(policyID int64, repository string,

 	url := buildReplicationURL()

-	resp, err := http.DefaultClient.Post(url, "application/json", bytes.NewBuffer(b))
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(b))
+	if err != nil {
+		return err
+	}
+	addAuthentication(req)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
@ -188,7 +195,16 @@ func postReplicationAction(policyID int64, acton string) error {

 	url := buildReplicationActionURL()

-	resp, err := http.DefaultClient.Post(url, "application/json", bytes.NewBuffer(b))
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(b))
+	if err != nil {
+		return err
+	}
+
+	addAuthentication(req)
+
+	client := &http.Client{}
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
@ -207,6 +223,16 @@ func postReplicationAction(policyID int64, acton string) error {
 	return fmt.Errorf("%d %s", resp.StatusCode, string(b))
 }

+func addAuthentication(req *http.Request) {
+	if req != nil {
+		req.AddCookie(&http.Cookie{
+			Name: models.UISecretCookie,
+			// TODO read secret from config
+			Value: os.Getenv("UI_SECRET"),
+		})
+	}
+}
+
 func buildReplicationURL() string {
 	url := getJobServiceURL()
 	return fmt.Sprintf("%s/api/jobs/replication", url)