FIX 解决ci 数据库安全性问题
parent
12bef27260
commit
b74d43083e
|
@ -1,11 +1,12 @@
|
|||
class Ci::BaseController < ApplicationController
|
||||
before_action :require_login
|
||||
before_action :connect_to_ci_database
|
||||
|
||||
def load_repo
|
||||
namespace = params[:owner]
|
||||
id = params[:repo] || params[:id]
|
||||
|
||||
@user, @repo = Ci::Repo.find_with_namespace(namespace, id)
|
||||
@ci_user, @repo = Ci::Repo.find_with_namespace(namespace, id)
|
||||
end
|
||||
|
||||
private
|
||||
|
@ -43,4 +44,20 @@ class Ci::BaseController < ApplicationController
|
|||
end
|
||||
end
|
||||
|
||||
# Dynamically sets the database connection.
|
||||
def connect_to_ci_database
|
||||
db_config = Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
|
||||
return render_error('ci database config missing') if db_config.blank?
|
||||
|
||||
req_params = {
|
||||
host: db_config["host"],
|
||||
username: db_config['username'],
|
||||
password: db_config['password'],
|
||||
port: db_config['port'],
|
||||
database: "#{current_user.login}_#{db_config['database']}"
|
||||
}
|
||||
db_params = Ci::Database.get_connection_params(req_params)
|
||||
Ci::Database.set_connection(db_params)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
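Review bot: `connect_to_ci_database` hands the per-user config to `Ci::Database.set_connection`, which in the new `Ci::Database` file calls `establish_connection` on the abstract class; that replaces a connection pool shared by the whole process, not a per-request connection, so under a threaded server two concurrent requests from different users can each re-point the pool at their own `"#{login}_…"` database while the other is mid-query, which defeats the isolation this commit is meant to add. The same concern applies to the `Ci::Database.set_connection` hunk and to `Ci::RemoteBase` now inheriting from it; a safer shape keeps one pool per database name (e.g. `connects_to`/`connected_to` with a shard per login on Rails 6.1+, or a cache of `Class.new(Ci::Database)` subclasses keyed by database name) instead of re-establishing the shared pool on every request — I cannot tell the Rails version from this page. Separately, the name is built here as `"#{current_user.login}_#{db_config['database']}"` but as `drone_#{user_login}` in `Ci::Drone::Server#generate_cmd`; if `db_config['database']` is `drone` these are two different databases, so both call sites should derive the name from one helper, e.g. `Ci::Database.name_for(login)`. The `render_error` early return is fine, but it runs after `require_login`, so `current_user` is presumably non-nil; `load_repo`'s enclosing class continues outside the first hunk.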
@ -7,6 +7,7 @@ class Ci::BuildsController < Ci::BaseController
|
|||
before_action :find_cloud_account, except: [:index, :show]
|
||||
|
||||
def index
|
||||
@user = current_user
|
||||
scope = @repo.builds
|
||||
|
||||
scope = Ci::Builds::ListQuery.call(@repo, params)
|
||||
|
@ -20,13 +21,13 @@ class Ci::BuildsController < Ci::BaseController
|
|||
end
|
||||
|
||||
def restart
|
||||
result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
|
||||
result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
|
||||
|
||||
render json: result
|
||||
end
|
||||
|
||||
def stop
|
||||
result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
|
||||
result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
|
||||
render json: result
|
||||
end
|
||||
|
||||
|
|
|
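Review bot: `restart` and `stop` repeat the same long `Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build])` expression, differing only in the final method; extract it into a private helper, `def drone_api = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build])` (a multi-line `def` if the project is below Ruby 3.0), and write `render json: drone_api.restart` / `render json: drone_api.stop`. Both actions rely on `@ci_user` being assigned by `load_repo` in `Ci::BaseController`; whether that is wired as a `before_action` is not visible here, and `find_cloud_account` is the only filter this hunk shows. `index` continues past the first hunk.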
@ -31,15 +31,15 @@ class Ci::CloudAccountsController < Ci::BaseController
|
|||
ActiveRecord::Base.transaction do
|
||||
if @repo
|
||||
return render_error('该项目已经激活') if @repo.repo_active?
|
||||
@repo.activate!(@user.user_id)
|
||||
@repo.activate!(@ci_user.user_id)
|
||||
else
|
||||
@repo = Ci::Repo.auto_create!(@user, @project)
|
||||
@repo = Ci::Repo.auto_create!(@ci_user, @project)
|
||||
@user.update_column(:user_syncing, false)
|
||||
end
|
||||
|
||||
result = bind_hook!(current_user, @cloud_account, @repo)
|
||||
@project.update_columns(open_devops: true, gitea_webhook_id: result['id'])
|
||||
@cloud_account.update_column(:ci_user_id, @user.user_id)
|
||||
@cloud_account.update_column(:ci_user_id, @ci_user.user_id)
|
||||
end
|
||||
render_ok
|
||||
rescue Exception => ex
|
||||
|
|
|
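Review bot: `@user.update_column(:user_syncing, false)` in the `else` branch still references `@user` while the neighbouring lines were renamed to `@ci_user` (`@repo.activate!(@ci_user.user_id)`, `Ci::Repo.auto_create!(@ci_user, @project)`, `update_column(:ci_user_id, @ci_user.user_id)`); unless `@user` is assigned elsewhere in this action, that line now raises NoMethodError on nil inside the transaction and rolls back the auto-create — it should read `@ci_user.update_column(:user_syncing, false)`. The enclosing action starts before and ends after this hunk; its `rescue Exception => ex` also swallows `SystemExit`/`SignalException`, so `rescue StandardError => ex` (or the specific ActiveRecord errors) is the safer form.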
@ -28,7 +28,7 @@ module Ci::CloudAccountManageable
|
|||
logger.info "######### rpc_secret: #{rpc_secret}"
|
||||
|
||||
# 3. 创建drone server
|
||||
drone_server_cmd = Ci::Drone::Server.new(oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
|
||||
drone_server_cmd = Ci::Drone::Server.new(current_user.login, oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
|
||||
logger.info "######### drone_server_cmd: #{drone_server_cmd}"
|
||||
|
||||
# 4. 创建drone client
|
||||
|
|
|
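Review bot: the rebuilt `drone_server_cmd` now embeds the per-user datasource (`drone_#{user_login}`) together with the DB username/password, the OAuth client secret and `rpc_secret`, and the next (context) line logs the entire command at info level (`logger.info "######### drone_server_cmd: #{drone_server_cmd}"`), just as the line above already dumps `rpc_secret`; with per-user databases the application log now carries every tenant's credentials. Log only the non-secret parts, e.g. `logger.info "drone server cmd generated for #{current_user.login} on #{cloud_account.drone_host}"`, and drop the `rpc_secret` line or move both dumps behind `logger.debug?`. The enclosing method begins and ends outside this hunk.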
@ -0,0 +1,31 @@
|
|||
module Ci
|
||||
class Database < ActiveRecord::Base
|
||||
self.abstract_class = true
|
||||
|
||||
# Dynamically sets the database connection.
|
||||
def self.set_connection(params)
|
||||
puts "[Ci::Database] set db connection params: #{params}"
|
||||
establish_connection(
|
||||
adapter: params[:adapter],
|
||||
database: params[:database],
|
||||
port: params[:port].to_i,
|
||||
host: params[:host],
|
||||
username: params[:username],
|
||||
password: params[:password],
|
||||
encoding: "utf8"
|
||||
)
|
||||
end
|
||||
|
||||
def self.get_connection_params(connect_to)
|
||||
params = Hash.new
|
||||
params[:adapter] = "mysql2"
|
||||
params[:host] = connect_to[:host].to_s
|
||||
params[:username] = connect_to[:username].to_s
|
||||
params[:password] = connect_to[:password].to_s
|
||||
params[:database] = connect_to[:database].to_s
|
||||
params[:port] = connect_to[:port] || "43306"
|
||||
params[:encoding] = "utf8"
|
||||
return params
|
||||
end
|
||||
end
|
||||
end
|
|
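Review bot: `set_connection` prints the whole `params` hash, password included, to stdout (`puts "[Ci::Database] set db connection params: #{params}"`); replace it with `Rails.logger.info "[Ci::Database] connecting to #{params[:database]} on #{params[:host]}:#{params[:port]}"` so credentials never reach process output. `get_connection_params` also sets `:encoding` that `set_connection` then overrides with its own literal, defaults the port to the string `"43306"` where `Ci::Drone::Server` defaults its `ci_server_db` port to `3306` (one of the two is probably wrong), and is written with `Hash.new` plus an explicit `return`; a hash literal reads more clearly:
```ruby
def self.set_connection(params)
  Rails.logger.info "[Ci::Database] connecting to #{params[:database]} on #{params[:host]}:#{params[:port]}"
  # … unchanged: establish_connection(...) …
end

def self.get_connection_params(connect_to)
  {
    adapter: "mysql2",
    host: connect_to[:host].to_s,
    username: connect_to[:username].to_s,
    password: connect_to[:password].to_s,
    database: connect_to[:database].to_s,
    port: connect_to[:port] || "43306",
    encoding: "utf8"
  }
end
```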
@ -1,12 +1,13 @@
|
|||
class Ci::Drone::Server
|
||||
attr_reader :client_id, :client_secret, :drone_host, :rpc_secret
|
||||
attr_reader :user_login, :client_id, :client_secret, :drone_host, :rpc_secret
|
||||
|
||||
# client_id: user's client_id from oauth
|
||||
# client_secret: user's client_id from oauth
|
||||
# drone_host: 云服务器地址,eq: 173.53.21.31:80
|
||||
# eg:
|
||||
# DevOps::Drone::Server.new(current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
|
||||
def initialize(client_id, client_secret, drone_host, rpc_secret)
|
||||
# DevOps::Drone::Server.new(current_user.login, current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
|
||||
def initialize(user_login, client_id, client_secret, drone_host, rpc_secret)
|
||||
@user_login = user_login
|
||||
@client_id = client_id
|
||||
@drone_host = drone_host
|
||||
@rpc_secret = rpc_secret
|
||||
|
@ -19,7 +20,7 @@ class Ci::Drone::Server
|
|||
"service docker start; docker run \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||
-e DRONE_DATABASE_DRIVER=mysql \
|
||||
-e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone?parseTime=true \
|
||||
-e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone_#{user_login}?parseTime=true \
|
||||
-e DRONE_GITEA_SERVER=#{gitea_url} \
|
||||
-e DRONE_GITEA_CLIENT_ID=#{client_id} \
|
||||
-e DRONE_GITEA_CLIENT_SECRET=#{client_secret} \
|
||||
|
@ -55,10 +56,6 @@ class Ci::Drone::Server
|
|||
database_config[Rails.env]["ci_server_db"]["port"] || 3306
|
||||
end
|
||||
|
||||
def database
|
||||
database_config[Rails.env]["ci_server_db"]["database"]
|
||||
end
|
||||
|
||||
def database_config
|
||||
Rails.configuration.database_configuration
|
||||
end
|
||||
|
|
|
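Review bot: `user_login` is interpolated straight into the `docker run` shell command in `generate_cmd` (`/drone_#{user_login}?parseTime=true`), so any character a login may carry that the shell or the MySQL DSN treats specially ends up in a command executed on the cloud host; unless the user model already restricts logins to a safe alphabet (not visible here), `initialize` should validate it, e.g. `raise ArgumentError, "invalid user_login" unless user_login.match?(/\A[A-Za-z0-9_-]+\z/)`, and `database_password`, interpolated into the same DSN, needs the same treatment or URL-encoding. The new parameter is undocumented in the header comment — add `# user_login: login of the user whose drone database (drone_<login>) this server uses` — and the existing `# client_secret: user's client_id from oauth` line is a copy-paste error for `client_secret`. `generate_cmd` and the port reader begin and end outside these hunks.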
@ -1,10 +1,8 @@
|
|||
class Ci::RemoteBase < ApplicationRecord
|
||||
class Ci::RemoteBase < Ci::Database
|
||||
self.abstract_class = true
|
||||
|
||||
establish_connection Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
|
||||
|
||||
def generate_code
|
||||
[*'a'..'z',*'0'..'9',*'A'..'Z'].sample(32).join
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
|
|
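Review bot: with the class-level `establish_connection Rails.configuration.database_configuration[Rails.env]["ci_server_db"]` apparently dropped and `Ci::RemoteBase` now inheriting from `Ci::Database`, which is abstract and in the new file establishes no connection of its own, descendants of `Ci::RemoteBase` fall back to `ActiveRecord::Base`'s connection — the primary application database — until `connect_to_ci_database` has run in a `Ci::BaseController` request; any use from a job, console or rake task, or from a controller outside that hierarchy, would then read and write the wrong database (unless a connection is established somewhere this page does not show). Consider failing loudly instead, e.g. a guard in `Ci::Database` that raises when no per-user connection has been set. `generate_code` also uses `Array#sample`, which draws from Ruby's non-cryptographic default PRNG; if the code is used as a secret (the `rpc_secret` handled elsewhere in this commit looks like a candidate), prefer `SecureRandom.alphanumeric(32)`.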
@ -7,7 +7,7 @@ json.action build.build_action
|
|||
json.error build.build_error if build.build_status == 'error'
|
||||
json.message build.build_message
|
||||
json.author do
|
||||
json.partial! 'author', user: current_user
|
||||
json.partial! 'author', user: user
|
||||
end
|
||||
json.started format_utc_time build.build_started
|
||||
json.finished format_utc_time build.build_finished
|
||||
|
|
|
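Review bot: `json.partial! 'author', user: user` makes `user` a required local of this partial; the index template is updated in this commit to pass `user: @user`, but any other caller of `/ci/builds/build` (a show template, if one exists) would now raise NameError. Either update every caller or make the partial tolerant with `json.partial! 'author', user: local_assigns.fetch(:user, current_user)`. Note that the value passed from `BuildsController#index` is `@user = current_user`, so the `author` block still names the viewer rather than the build's author, unless that is intended.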
@ -1,4 +1,4 @@
|
|||
json.total_count @total_count
|
||||
json.builds @builds do |build|
|
||||
json.partial! "/ci/builds/build", build: build
|
||||
json.partial! "/ci/builds/build", build: build, user: @user
|
||||
end
|
||||
|
|