FIX 解决ci 数据库安全性问题

This commit is contained in:
Jasder 2020-09-18 15:26:14 +08:00
parent 12bef27260
commit b74d43083e
9 changed files with 65 additions and 21 deletions


@ -1,11 +1,12 @@
class Ci::BaseController < ApplicationController
before_action :require_login
before_action :connect_to_ci_database
def load_repo
namespace = params[:owner]
id = params[:repo] || params[:id]
@user, @repo = Ci::Repo.find_with_namespace(namespace, id)
@ci_user, @repo = Ci::Repo.find_with_namespace(namespace, id)
end
private
@ -43,4 +44,20 @@ class Ci::BaseController < ApplicationController
end
end
# Dynamically sets the database connection.
def connect_to_ci_database
db_config = Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
return render_error('ci database config missing') if db_config.blank?
req_params = {
host: db_config["host"],
username: db_config['username'],
password: db_config['password'],
port: db_config['port'],
database: "#{current_user.login}_#{db_config['database']}"
}
db_params = Ci::Database.get_connection_params(req_params)
Ci::Database.set_connection(db_params)
end
end
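Review bot: `connect_to_ci_database` (the new method in the second hunk) selects the per-user database by calling `Ci::Database.set_connection`, which in the new app/libs/ci/database.rb is `establish_connection` on the abstract class — that replaces the connection pool shared by the whole process (and by every `Ci::Database` subclass, e.g. `Ci::RemoteBase`), not a connection scoped to this request. If the server handles requests concurrently, two requests from different logins race on that pool and the loser's queries run against the other user's `<login>_<database>`, which is exactly the isolation this commit is meant to provide. A per-request connection (built from `db_params`, or `connects_to`/sharding if this Rails version supports it) is safer than reconfiguring a shared class in a `before_action`; at minimum, state the single-threaded assumption in a comment next to `Ci::Database.set_connection(db_params)`. The `private` section this method belongs to begins before the hunk.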


@ -7,6 +7,7 @@ class Ci::BuildsController < Ci::BaseController
before_action :find_cloud_account, except: [:index, :show]
def index
@user = current_user
scope = @repo.builds
scope = Ci::Builds::ListQuery.call(@repo, params)
@ -20,13 +21,13 @@ class Ci::BuildsController < Ci::BaseController
end
def restart
result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
render json: result
end
def stop
result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
render json: result
end
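Review bot: `@user = current_user` in `index` gives `@user` a different meaning than it had before this commit (the CI user from `load_repo`, now renamed `@ci_user`), so a reader of this controller now has two look-alike ivars sourced from different places; a comment such as `# @user is the requesting Gitea account (passed to the view); @ci_user (set by load_repo) is the Drone/CI account` would prevent the next mix-up. The `Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build])` expression is duplicated verbatim in `restart` and `stop`; extract it into a private helper, e.g. `def drone_api = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build])`, and call `drone_api.restart` / `drone_api.stop`. The body of `index` continues past the first hunk.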


@ -31,15 +31,15 @@ class Ci::CloudAccountsController < Ci::BaseController
ActiveRecord::Base.transaction do
if @repo
return render_error('该项目已经激活') if @repo.repo_active?
@repo.activate!(@user.user_id)
@repo.activate!(@ci_user.user_id)
else
@repo = Ci::Repo.auto_create!(@user, @project)
@repo = Ci::Repo.auto_create!(@ci_user, @project)
@user.update_column(:user_syncing, false)
end
result = bind_hook!(current_user, @cloud_account, @repo)
@project.update_columns(open_devops: true, gitea_webhook_id: result['id'])
@cloud_account.update_column(:ci_user_id, @user.user_id)
@cloud_account.update_column(:ci_user_id, @ci_user.user_id)
end
render_ok
rescue Exception => ex
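Review bot: `@user.update_column(:user_syncing, false)` in the `else` branch still reads `@user`, while the assignments on the lines around it were switched to `@ci_user` and `load_repo` in `Ci::BaseController` now assigns `@ci_user` instead of `@user`; unless this controller sets `@user` somewhere outside the hunk, that branch now raises `NoMethodError` on `nil` inside the transaction and the freshly auto-created repo is rolled back. The fix is to change it to `@ci_user.update_column(:user_syncing, false)`. Separately, the pre-existing `rescue Exception => ex` closing the hunk also swallows `SystemExit`/`Interrupt`; `rescue StandardError => ex` is the intended scope. The enclosing action starts before and ends after this hunk.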


@ -28,7 +28,7 @@ module Ci::CloudAccountManageable
logger.info "######### rpc_secret: #{rpc_secret}"
# 3. 创建drone server
drone_server_cmd = Ci::Drone::Server.new(oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
drone_server_cmd = Ci::Drone::Server.new(current_user.login, oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
logger.info "######### drone_server_cmd: #{drone_server_cmd}"
# 4. 创建drone client
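Review bot: The command assembled on the new `drone_server_cmd = ...` line embeds `client_secret`, `rpc_secret` and the CI database password (see `Ci::Drone::Server#generate_cmd` in this commit), and the following `logger.info "######### drone_server_cmd: #{drone_server_cmd}"` writes it verbatim to the application log at info level, as the line above already does for `rpc_secret`. Log only a non-secret summary, e.g. `logger.info "######### drone_server_cmd generated for #{current_user.login}"`, or redact the secret fields before logging. The new argument also makes this module depend on `current_user`, which presumably only exists when it is mixed into a controller; a comment on the method stating that requirement would help. The enclosing method starts and ends outside the hunk.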

31
app/libs/ci/database.rb Normal file

@ -0,0 +1,31 @@
module Ci
class Database < ActiveRecord::Base
self.abstract_class = true
# Dynamically sets the database connection.
def self.set_connection(params)
puts "[Ci::Database] set db connection params: #{params}"
establish_connection(
adapter: params[:adapter],
database: params[:database],
port: params[:port].to_i,
host: params[:host],
username: params[:username],
password: params[:password],
encoding: "utf8"
)
end
def self.get_connection_params(connect_to)
params = Hash.new
params[:adapter] = "mysql2"
params[:host] = connect_to[:host].to_s
params[:username] = connect_to[:username].to_s
params[:password] = connect_to[:password].to_s
params[:database] = connect_to[:database].to_s
params[:port] = connect_to[:port] || "43306"
params[:encoding] = "utf8"
return params
end
end
end
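Review bot: `set_connection` prints the whole `params` hash with `puts`, and that hash carries `password:`, so the CI database credential goes to stdout (and whatever captures it) on every request that runs the before_action. Log a redacted form through the Rails logger instead, e.g. `Rails.logger.info "[Ci::Database] connecting to #{params[:database]} at #{params[:host]}:#{params[:port]}"`. In `get_connection_params` the port falls back to the string `"43306"` while `Ci::Drone::Server#database_port` in this same commit falls back to `3306`; if both describe the same server one of the defaults looks wrong, and a single shared constant would remove the doubt. The `.to_s` calls also turn a missing host/username/database into `""` rather than failing early; `connect_to.fetch(:host)` (and a hash literal instead of `Hash.new` plus `return params`) would be more idiomatic and catch a broken config at the call site.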


@ -1,12 +1,13 @@
class Ci::Drone::Server
attr_reader :client_id, :client_secret, :drone_host, :rpc_secret
attr_reader :user_login, :client_id, :client_secret, :drone_host, :rpc_secret
# client_id: user's client_id from oauth
# client_secret: user's client_id from oauth
# drone_host: 云服务器地址eq: 173.53.21.31:80
# eg:
# DevOps::Drone::Server.new(current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
def initialize(client_id, client_secret, drone_host, rpc_secret)
# DevOps::Drone::Server.new(current_user.login, current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
def initialize(user_login, client_id, client_secret, drone_host, rpc_secret)
@user_login = user_login
@client_id = client_id
@drone_host = drone_host
@rpc_secret = rpc_secret
@ -19,7 +20,7 @@ class Ci::Drone::Server
"service docker start; docker run \
-v /var/run/docker.sock:/var/run/docker.sock \
-e DRONE_DATABASE_DRIVER=mysql \
-e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone?parseTime=true \
-e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone_#{user_login}?parseTime=true \
-e DRONE_GITEA_SERVER=#{gitea_url} \
-e DRONE_GITEA_CLIENT_ID=#{client_id} \
-e DRONE_GITEA_CLIENT_SECRET=#{client_secret} \
@ -55,10 +56,6 @@ class Ci::Drone::Server
database_config[Rails.env]["ci_server_db"]["port"] || 3306
end
def database
database_config[Rails.env]["ci_server_db"]["database"]
end
def database_config
Rails.configuration.database_configuration
end
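Review bot: The new `user_login` is interpolated unescaped into the single shell string returned by `generate_cmd` (`/drone_#{user_login}?parseTime=true` inside the `DRONE_DATABASE_DATASOURCE` value), so a login containing shell metacharacters or DSN delimiters would change the meaning of the `docker run` command rather than just the database name; validate the login against the identifier pattern the application already allows (or apply `Shellwords.escape` to every interpolated value) before building the command. The header comment should gain a line for the new parameter, e.g. `# user_login: login of the owner; selects the drone_<login> database`, and the pre-existing `# client_secret: user's client_id from oauth` line is a copy-paste error that should read `client_secret`. The third hunk removes `database`; if any caller outside this diff still uses it, it will now raise `NoMethodError`. `initialize` and `generate_cmd` both continue beyond their hunks.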


@ -1,10 +1,8 @@
class Ci::RemoteBase < ApplicationRecord
class Ci::RemoteBase < Ci::Database
self.abstract_class = true
establish_connection Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
def generate_code
[*'a'..'z',*'0'..'9',*'A'..'Z'].sample(32).join
end
end
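Review bot: Dropping the load-time `establish_connection` means `Ci::RemoteBase` and its subclasses are only usable after `Ci::Database.set_connection` has run in the current process; any path that touches them outside `Ci::BaseController#connect_to_ci_database` (console, rake tasks, background jobs, other controllers) gets `ActiveRecord::ConnectionNotEstablished` on a fresh process or, if some earlier request already switched the connection, silently uses that user's database. Record this contract on the class: `# No connection is established at load time; Ci::Database.set_connection must run first (see Ci::BaseController#connect_to_ci_database).` Pre-existing but visible in the hunk: `generate_code` builds its value with `Array#sample`, which is not a cryptographic source and, sampling without replacement, never repeats a character; if the code is used as a secret, `SecureRandom.alphanumeric(32)` is the right call.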


@ -7,7 +7,7 @@ json.action build.build_action
json.error build.build_error if build.build_status == 'error'
json.message build.build_message
json.author do
json.partial! 'author', user: current_user
json.partial! 'author', user: user
end
json.started format_utc_time build.build_started
json.finished format_utc_time build.build_finished
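Review bot: The `_build` partial now requires a `user` local, and only the index template in this commit passes it (`json.partial! "/ci/builds/build", build: build, user: @user`); any other template that renders `/ci/builds/build` (a show view, for instance, not in this diff) will raise a `NameError` for `user` unless it is updated too. Either pass `user:` from every caller or give the partial a fallback: `json.partial! 'author', user: local_assigns.fetch(:user, current_user)`. Note that the partial still reports the requesting user as the author of every build, which this change does not alter.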


@ -1,4 +1,4 @@
json.total_count @total_count
json.builds @builds do |build|
json.partial! "/ci/builds/build", build: build
json.partial! "/ci/builds/build", build: build, user: @user
end