From 18513110cf5dd9bad303bfea4f73729a2022bdf7 Mon Sep 17 00:00:00 2001
From: uubulb
Date: Sat, 21 Dec 2024 23:18:43 +0800
Subject: [PATCH] switch to runtime check

---
 cmd/dashboard/controller/alertrule.go | 31 +++----------------------
 cmd/dashboard/controller/service.go | 33 ---------------------------
 cmd/dashboard/controller/waf.go | 2 +-
 cmd/dashboard/rpc/rpc.go | 20 ++++++++++++++--
 model/alertrule.go | 15 +++++++++---
 5 files changed, 34 insertions(+), 67 deletions(-)

diff --git a/cmd/dashboard/controller/alertrule.go b/cmd/dashboard/controller/alertrule.go
index 42842b2..d67f56e 100644
--- a/cmd/dashboard/controller/alertrule.go
+++ b/cmd/dashboard/controller/alertrule.go
@@ -62,7 +62,7 @@ func createAlertRule(c *gin.Context) (uint64, error) {
 r.TriggerMode = arf.TriggerMode
 r.Enable = &enable
 
- if err := validateRule(c, &r); err != nil {
+ if err := validateRule(&r); err != nil {
 return 0, err
 }
 
@@ -116,7 +116,7 @@ func updateAlertRule(c *gin.Context) (any, error) {
 r.TriggerMode = arf.TriggerMode
 r.Enable = &enable
 
- if err := validateRule(c, &r); err != nil {
+ if err := validateRule(&r); err != nil {
 return 0, err
 }
 
@@ -164,34 +164,9 @@ func batchDeleteAlertRule(c *gin.Context) (any, error) {
 return nil, nil
 }
 
-func validateRule(c *gin.Context, r *model.AlertRule) error {
+func validateRule(r *model.AlertRule) error {
 if len(r.Rules) > 0 {
 for _, rule := range r.Rules {
- singleton.ServerLock.RLock()
- isCoverAll := rule.Cover == model.RuleCoverAll
- isCoverIgnoreAll := rule.Cover == model.RuleCoverIgnoreAll
- for s, enabled := range rule.Ignore {
- if isCoverAll {
- for id, server := range singleton.ServerList {
- if enabled && id == s {
- continue
- }
- if !server.HasPermission(c) {
- singleton.ServerLock.RUnlock()
- return singleton.Localizer.ErrorT("permission denied")
- }
- }
- } else if isCoverIgnoreAll && enabled {
- if server, ok := singleton.ServerList[s]; ok {
- if !server.HasPermission(c) {
- singleton.ServerLock.RUnlock()
- return singleton.Localizer.ErrorT("permission denied")
- }
- }
- }
- }
- singleton.ServerLock.RUnlock()
-
 if !rule.IsTransferDurationRule() {
 if rule.Duration < 3 {
 return singleton.Localizer.ErrorT("duration need to be at least 3")
diff --git a/cmd/dashboard/controller/service.go b/cmd/dashboard/controller/service.go
index 70f4d2a..e28e761 100644
--- a/cmd/dashboard/controller/service.go
+++ b/cmd/dashboard/controller/service.go
@@ -210,10 +210,6 @@ func createService(c *gin.Context) (uint64, error) {
 m.RecoverTriggerTasks = mf.RecoverTriggerTasks
 m.FailTriggerTasks = mf.FailTriggerTasks
 
- if err := validateServers(c, &m); err != nil {
- return 0, err
- }
-
 if err := singleton.DB.Create(&m).Error; err != nil {
 return 0, newGormError("%v", err)
 }
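Review bot: validateRule keeps its name and error contract but no longer rejects a rule whose Cover/Ignore set names servers the caller cannot access; the check that used to return `permission denied` here is removed and nothing in this function replaces it, so such a rule is now stored and, at evaluation time (model/alertrule.go in this patch), simply yields no triggers for those servers. That appears to be the intent of the commit, but the function carries no doc comment, so a later maintainer will not know that enforcement moved and that the API no longer gives the user any feedback about an unreachable server. I would add above the new signature: `// validateRule checks only the shape of the rules (duration bounds etc.); it does not verify that the caller may access the servers a rule covers — that is enforced when the rule is evaluated against a server.` The body of validateRule continues past the end of this hunk.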
@@ -355,32 +351,3 @@ func batchDeleteService(c *gin.Context) (any, error) {
 singleton.ServiceSentinelShared.UpdateServiceList()
 return nil, nil
 }
-
-func validateServers(c *gin.Context, ss *model.Service) error {
- singleton.ServerLock.RLock()
- defer singleton.ServerLock.RUnlock()
-
- isCoverAll := ss.Cover == model.ServiceCoverAll
- isCoverIgnoreAll := ss.Cover == model.ServiceCoverIgnoreAll
-
- for s, enabled := range ss.SkipServers {
- if isCoverAll {
- for id, server := range singleton.ServerList {
- if enabled && id == s {
- continue
- }
- if !server.HasPermission(c) {
- return singleton.Localizer.ErrorT("permission denied")
- }
- }
- } else if isCoverIgnoreAll && enabled {
- if server, ok := singleton.ServerList[s]; ok {
- if !server.HasPermission(c) {
- return singleton.Localizer.ErrorT("permission denied")
- }
- }
- }
- }
-
- return nil
-}
diff --git a/cmd/dashboard/controller/waf.go b/cmd/dashboard/controller/waf.go
index 7e7cfbd..de90faa 100644
--- a/cmd/dashboard/controller/waf.go
+++ b/cmd/dashboard/controller/waf.go
@@ -18,7 +18,7 @@ import (
 // @Param limit query uint false "Page limit"
 // @Param offset query uint false "Page offset"
 // @Produce json
-// @Success 200 {object} model.CommonResponse[[]model.WAFApiMock]
+// @Success 200 {object} model.PaginatedResponse[[]model.WAFApiMock, model.WAFApiMock]
 // @Router /waf [get]
 func listBlockedAddress(c *gin.Context) (*model.Value[[]*model.WAF], error) {
 limit, err := strconv.Atoi(c.Query("limit"))
diff --git a/cmd/dashboard/rpc/rpc.go b/cmd/dashboard/rpc/rpc.go
index 1618870..92503d1 100644
--- a/cmd/dashboard/rpc/rpc.go
+++ b/cmd/dashboard/rpc/rpc.go
@@ -100,12 +100,28 @@ func DispatchTask(serviceSentinelDispatchBus <-chan model.Service) {
 continue
 }
 if task.Cover == model.ServiceCoverIgnoreAll && task.SkipServers[singleton.SortedServerList[workedServerIndex].ID] {
- singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+ var role uint8 = model.RoleMember
+ server := singleton.SortedServerList[workedServerIndex]
+ if err := singleton.DB.Model(&model.User{}).Select("role").Where("id = ?", task.UserID).Limit(1).Scan(&role).Error; err != nil {
+ workedServerIndex++
+ continue
+ }
+ if task.UserID == server.UserID || role == model.RoleAdmin {
+ singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+ }
 workedServerIndex++
 continue
 }
 if task.Cover == model.ServiceCoverAll && !task.SkipServers[singleton.SortedServerList[workedServerIndex].ID] {
- singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+ var role uint8 = model.RoleMember
+ server := singleton.SortedServerList[workedServerIndex]
+ if err := singleton.DB.Model(&model.User{}).Select("role").Where("id = ?", task.UserID).Limit(1).Scan(&role).Error; err != nil {
+ workedServerIndex++
+ continue
+ }
+ if task.UserID == server.UserID || role == model.RoleAdmin {
+ singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+ }
 workedServerIndex++
 continue
 }
diff --git a/model/alertrule.go b/model/alertrule.go
index 431dc86..c9c91a1 100644
--- a/model/alertrule.go
+++ b/model/alertrule.go
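Review bot: The role lookup added to both cover branches issues one DB query per server per task although its result depends only on `task.UserID`, and it runs before the cheap `task.UserID == server.UserID` comparison that would make it unnecessary for the owner's own servers; the nine added lines are also duplicated verbatim between the two branches. Check ownership first, query the role only for non-owners, and keep the logic in one helper so the branches differ only in their cover condition. Skipping the server when the query fails is the right fail-closed choice; if `Scan` matches no row it presumably leaves `role` at `model.RoleMember`, which also fails closed, and that deserves a comment on the `var role` line. The loop over servers starts outside this hunk, so hoisting the lookup to once per task would land outside it as well.
```go
			if task.Cover == model.ServiceCoverIgnoreAll && task.SkipServers[singleton.SortedServerList[workedServerIndex].ID] {
				if ownerMayDispatch(task, singleton.SortedServerList[workedServerIndex]) {
					singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
				}
				workedServerIndex++
				continue
			}
			// … unchanged: the ServiceCoverAll branch uses the same ownerMayDispatch guard …

// ownerMayDispatch reports whether the task owner may push the task to server:
// either the owner also owns the server, or the owner's role resolves to admin.
// A failed role lookup is treated as not permitted.
// (assumes SortedServerList holds *model.Server — confirm)
func ownerMayDispatch(task model.Service, server *model.Server) bool {
	if task.UserID == server.UserID {
		return true
	}
	var role uint8 = model.RoleMember // presumably left untouched by Scan when no row matches — confirm
	if err := singleton.DB.Model(&model.User{}).Select("role").Where("id = ?", task.UserID).Limit(1).Scan(&role).Error; err != nil {
		return false
	}
	return role == model.RoleAdmin
}
```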
@@ -63,9 +63,18 @@ func (r *AlertRule) Enabled() bool {
 
 // Snapshot 对传入的Server进行该报警规则下所有type的检查 返回每项检查结果
 func (r *AlertRule) Snapshot(cycleTransferStats *CycleTransferStats, server *Server, db *gorm.DB) []bool {
- point := make([]bool, 0, len(r.Rules))
- for _, rule := range r.Rules {
- point = append(point, rule.Snapshot(cycleTransferStats, server, db))
+ point := make([]bool, len(r.Rules))
+
+ var role uint8 = RoleMember
+ if err := db.Model(&User{}).Select("role").Where("id = ?", r.UserID).Limit(1).Scan(&role).Error; err != nil {
+ return point
+ }
+ if r.UserID != server.UserID && role != RoleAdmin {
+ return point
+ }
+
+ for i, rule := range r.Rules {
+ point[i] = rule.Snapshot(cycleTransferStats, server, db)
 }
 return point
 }
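Review bot: Both new early returns hand back a full-length all-false slice, so a failed role query is indistinguishable from "no rule triggered" and the error itself is dropped; a caller indexing `point` cannot tell that evaluation was skipped, and whether acting on an all-false result is safe for the caller I cannot tell from this hunk. The query also runs for every server on every cycle even when `r.UserID == server.UserID` would settle the question without touching the DB. Check ownership first and query the role only for non-owners, and extend the doc comment, which still describes the pre-change behaviour, with a line such as `// If the rule's owner neither owns server nor has the admin role, or the role lookup fails, every entry is false and no rule is evaluated.`
```go
	point := make([]bool, len(r.Rules))

	// Owners may always evaluate their own servers; only other users need a role lookup.
	if r.UserID != server.UserID {
		var role uint8 = RoleMember // presumably left untouched by Scan when no row matches — confirm
		if err := db.Model(&User{}).Select("role").Where("id = ?", r.UserID).Limit(1).Scan(&role).Error; err != nil || role != RoleAdmin {
			return point
		}
	}
	// … unchanged: per-rule loop and return …
```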