FIX 解决ci 数据库安全性问题

2020-09-18 15:26:14 +08:00 · 2020-09-18 15:26:14 +08:00 · b74d43083e
parent 12bef27260
commit b74d43083e
9 changed files with 65 additions and 21 deletions
--- a/app/controllers/ci/base_controller.rb
+++ b/app/controllers/ci/base_controller.rb
@ -1,11 +1,12 @@
 class Ci::BaseController < ApplicationController
  before_action :require_login
+  before_action :connect_to_ci_database

  def load_repo
    namespace = params[:owner]
    id = params[:repo] || params[:id]

-    @user, @repo = Ci::Repo.find_with_namespace(namespace, id)
+    @ci_user, @repo = Ci::Repo.find_with_namespace(namespace, id)
  end

  private
@ -43,4 +44,20 @@ class Ci::BaseController < ApplicationController
      end
    end

+    # Dynamically sets the database connection.
+    def connect_to_ci_database
+      db_config = Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
+      return render_error('ci database config missing') if db_config.blank?
+
+      req_params = {
+        host: db_config["host"],
+        username: db_config['username'],
+        password: db_config['password'],
+        port: db_config['port'],
+        database: "#{current_user.login}_#{db_config['database']}"
+      }
+      db_params = Ci::Database.get_connection_params(req_params)
+      Ci::Database.set_connection(db_params)
+    end
+
 end
--- a/app/controllers/ci/builds_controller.rb
+++ b/app/controllers/ci/builds_controller.rb
@ -7,6 +7,7 @@ class Ci::BuildsController < Ci::BaseController
  before_action :find_cloud_account, except: [:index, :show]

  def index
+    @user = current_user
    scope = @repo.builds

    scope = Ci::Builds::ListQuery.call(@repo, params)
@ -20,13 +21,13 @@ class Ci::BuildsController < Ci::BaseController
  end

  def restart
-    result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
+    result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart

    render json: result
  end

  def stop
-    result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
+    result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
    render json: result
  end

--- a/app/controllers/ci/cloud_accounts_controller.rb
+++ b/app/controllers/ci/cloud_accounts_controller.rb
@ -31,15 +31,15 @@ class Ci::CloudAccountsController < Ci::BaseController
      ActiveRecord::Base.transaction do
        if @repo
          return render_error('该项目已经激活') if @repo.repo_active?
-          @repo.activate!(@user.user_id)
+          @repo.activate!(@ci_user.user_id)
        else
-          @repo = Ci::Repo.auto_create!(@user, @project)
+          @repo = Ci::Repo.auto_create!(@ci_user, @project)
          @user.update_column(:user_syncing, false)
        end

        result = bind_hook!(current_user, @cloud_account, @repo)
        @project.update_columns(open_devops: true, gitea_webhook_id: result['id'])
-        @cloud_account.update_column(:ci_user_id, @user.user_id)
+        @cloud_account.update_column(:ci_user_id, @ci_user.user_id)
      end
      render_ok
    rescue Exception => ex
--- a/app/controllers/concerns/ci/cloud_account_manageable.rb
+++ b/app/controllers/concerns/ci/cloud_account_manageable.rb
@ -28,7 +28,7 @@ module Ci::CloudAccountManageable
    logger.info "######### rpc_secret: #{rpc_secret}"

    # 3. 创建drone server
-    drone_server_cmd = Ci::Drone::Server.new(oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
+    drone_server_cmd = Ci::Drone::Server.new(current_user.login, oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
    logger.info "######### drone_server_cmd: #{drone_server_cmd}"

    # 4. 创建drone client
--- a/app/libs/ci/database.rb
+++ b/app/libs/ci/database.rb
@ -0,0 +1,31 @@
+module Ci
+  class Database < ActiveRecord::Base
+    self.abstract_class = true
+    
+    # Dynamically sets the database connection.
+    def self.set_connection(params)
+      puts "[Ci::Database] set db connection params: #{params}"
+      establish_connection(
+        adapter: params[:adapter],
+        database: params[:database],
+        port: params[:port].to_i,
+        host: params[:host],
+        username: params[:username],
+        password: params[:password],
+        encoding: "utf8"
+      )
+    end
+
+    def self.get_connection_params(connect_to)
+      params = Hash.new
+      params[:adapter]  = "mysql2"
+      params[:host]     = connect_to[:host].to_s
+      params[:username] = connect_to[:username].to_s
+      params[:password] = connect_to[:password].to_s
+      params[:database] = connect_to[:database].to_s
+      params[:port]     = connect_to[:port] || "43306"
+      params[:encoding] = "utf8"
+      return params
+    end
+  end
+end
--- a/app/libs/ci/drone/server.rb
+++ b/app/libs/ci/drone/server.rb
@ -1,12 +1,13 @@
 class Ci::Drone::Server
-  attr_reader :client_id, :client_secret, :drone_host, :rpc_secret
+  attr_reader :user_login, :client_id, :client_secret, :drone_host, :rpc_secret

  # client_id: user's client_id from oauth
  # client_secret: user's client_id from oauth
  # drone_host: 云服务器地址，eq: 173.53.21.31:80
  # eg:
-  # DevOps::Drone::Server.new(current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
-  def initialize(client_id, client_secret, drone_host, rpc_secret)
+  # DevOps::Drone::Server.new(current_user.login, current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
+  def initialize(user_login, client_id, client_secret, drone_host, rpc_secret)
+    @user_login    = user_login
    @client_id     = client_id
    @drone_host    = drone_host
    @rpc_secret    = rpc_secret
@ -19,7 +20,7 @@ class Ci::Drone::Server
    "service docker start; docker run \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -e DRONE_DATABASE_DRIVER=mysql \
-      -e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone?parseTime=true \
+      -e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone_#{user_login}?parseTime=true \
      -e DRONE_GITEA_SERVER=#{gitea_url} \
      -e DRONE_GITEA_CLIENT_ID=#{client_id} \
      -e DRONE_GITEA_CLIENT_SECRET=#{client_secret} \
@ -55,10 +56,6 @@ class Ci::Drone::Server
      database_config[Rails.env]["ci_server_db"]["port"] || 3306
    end

-    def database
-      database_config[Rails.env]["ci_server_db"]["database"]
-    end
-
    def database_config
      Rails.configuration.database_configuration
    end
--- a/app/models/ci/remote_base.rb
+++ b/app/models/ci/remote_base.rb
@ -1,10 +1,8 @@
-class Ci::RemoteBase < ApplicationRecord
+class Ci::RemoteBase < Ci::Database
  self.abstract_class = true

-  establish_connection Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
-
  def generate_code
    [*'a'..'z',*'0'..'9',*'A'..'Z'].sample(32).join
  end
-  
+
 end
--- a/app/views/ci/builds/_build.json.jbuilder
+++ b/app/views/ci/builds/_build.json.jbuilder
@ -7,7 +7,7 @@ json.action build.build_action
 json.error build.build_error  if build.build_status == 'error'
 json.message build.build_message
 json.author do
-  json.partial! 'author', user: current_user
+  json.partial! 'author', user: user
 end
 json.started format_utc_time build.build_started
 json.finished format_utc_time build.build_finished
--- a/app/views/ci/builds/index.json.jbuilder
+++ b/app/views/ci/builds/index.json.jbuilder
@ -1,4 +1,4 @@
 json.total_count @total_count
 json.builds @builds do |build|
-  json.partial! "/ci/builds/build", build: build
+  json.partial! "/ci/builds/build", build: build, user: @user
 end