*: add share code revoke api; add a config to allow disabling custom …
…prom addr (#1717) (#1752)

* user: add share code revoke api

Signed-off-by: mornyx <mornyx.z@gmail.com>

* *: add a config to allow disabling custom prom addr

Signed-off-by: mornyx <mornyx.z@gmail.com>

* fix lint

Signed-off-by: mornyx <mornyx.z@gmail.com>

---------

Signed-off-by: mornyx <mornyx.z@gmail.com>
Co-authored-by: mornyx <mornyx.z@gmail.com>
Co-authored-by: Sparkle <1284531+baurine@users.noreply.github.com>
Co-authored-by: ti-chi-bot[bot] <108142056+ti-chi-bot[bot]@users.noreply.github.com>
4 people authored Nov 7, 2024
1 parent b4576e2 commit cea31b0
Showing 6 changed files with 50 additions and 18 deletions.
1 change: 1 addition & 0 deletions cmd/tidb-dashboard/main.go
Expand Up @@ -70,6 +70,7 @@ func NewCLIConfig() *DashboardCLIConfig {
flag.StringVar(&cfg.CoreConfig.FeatureVersion, "feature-version", cfg.CoreConfig.FeatureVersion, "target TiDB version for standalone mode")
flag.IntVar(&cfg.CoreConfig.NgmTimeout, "ngm-timeout", cfg.CoreConfig.NgmTimeout, "timeout secs for accessing the ngm API")
flag.BoolVar(&cfg.CoreConfig.EnableKeyVisualizer, "keyviz", true, "enable/disable key visualizer(default: true)")
flag.BoolVar(&cfg.CoreConfig.DisableCustomPromAddr, "disable-custom-prom-addr", false, "do not allow custom prometheus address")

showVersion := flag.BoolP("version", "v", false, "print version information and exit")

4 changes: 4 additions & 0 deletions pkg/apiserver/metrics/router.go
Expand Up @@ -142,6 +142,10 @@ func (s *Service) putCustomPromAddress(c *gin.Context) {
rest.Error(c, rest.ErrBadRequest.NewWithNoMessage())
return
}
if s.params.Config.DisableCustomPromAddr && req.Addr != "" {
rest.Error(c, rest.ErrForbidden.New("custom prometheus address has been disabled"))
return
}
addr, err := s.setCustomPromAddress(req.Addr)
if err != nil {
rest.Error(c, err)
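Review bot: The new guard only blocks writes, so a custom Prometheus address that was stored before the flag was turned on is presumably still served by the read/resolve path; when `DisableCustomPromAddr` is set that path should ignore a stored override (or clear it at startup) as well, which I cannot see from this hunk, so confirm. The `req.Addr != ""` exemption deliberately lets a reset through even when disabled, which deserves a line such as `// An empty address clears the override and stays allowed when custom addresses are disabled.` above the check. putCustomPromAddress starts and ends outside the hunk.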
2 changes: 2 additions & 0 deletions pkg/apiserver/metrics/service.go
Expand Up @@ -12,6 +12,7 @@ import (
"go.uber.org/fx"
"golang.org/x/sync/singleflight"

"github.com/pingcap/tidb-dashboard/pkg/config"
"github.com/pingcap/tidb-dashboard/pkg/httpc"
"github.com/pingcap/tidb-dashboard/pkg/pd"
)
Expand All @@ -29,6 +30,7 @@ const (

type ServiceParams struct {
fx.In
Config *config.Config
HTTPClient *httpc.Client
EtcdClient *clientv3.Client
PDClient *pd.Client
11 changes: 11 additions & 0 deletions pkg/apiserver/user/code/router.go
Expand Up @@ -17,6 +17,7 @@ func registerRouter(r *gin.RouterGroup, auth *user.AuthService, s *Service) {
endpoint := r.Group("/user/share")
endpoint.Use(auth.MWAuthRequired())
endpoint.POST("/code", auth.MWRequireSharePriv(), s.ShareHandler)
endpoint.POST("/revoke", auth.MWRequireSharePriv(), s.RevokeHandler)
}

type ShareRequest struct {
Expand Down Expand Up @@ -57,3 +58,13 @@ func (s *Service) ShareHandler(c *gin.Context) {

c.JSON(http.StatusOK, ShareResponse{Code: *code})
}

// @ID userRevokeSession
// @Summary Reset encryption key to revoke all authorized codes
// @Security JwtAuth
// @Success 200
// @Router /user/share/revoke [post]
func (s *Service) RevokeHandler(c *gin.Context) {
s.ResetEncryptionKey()
c.JSON(http.StatusOK, nil)
}
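Review bot: RevokeHandler rotates the single process-wide key, so any caller holding the share privilege invalidates every outstanding sharing code for all users, not only their own, and nothing records who did it; log the acting user (presumably reachable from the session the auth middleware attaches) before calling `s.ResetEncryptionKey()`, and make the scope explicit in the annotation, e.g. `// @Summary Rotate the sharing-code encryption key, invalidating all outstanding codes of all users`. Sessions already exchanged from a code appear unaffected, because decryption happens only in NewSessionFromSharingCode at exchange time, so the endpoint does not end those sessions — worth stating in the doc too. `c.JSON(http.StatusOK, nil)` emits a `null` body; `c.Status(http.StatusOK)` would be the conventional empty reply.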
16 changes: 14 additions & 2 deletions pkg/apiserver/user/code/service.go
Expand Up @@ -5,7 +5,9 @@ package code
import (
"encoding/hex"
"fmt"
"sync/atomic"
"time"
"unsafe"

"github.com/gtank/cryptopasta"
"github.com/joomcode/errorx"
Expand Down Expand Up @@ -52,7 +54,7 @@ func (s *Service) NewSessionFromSharingCode(codeInHex string) *utils.SessionUser
return nil
}

b, err := cryptopasta.Decrypt(encrypted, s.sharingSecret)
b, err := cryptopasta.Decrypt(encrypted, s.loadShareingSecret())
if err != nil {
return nil
}
Expand Down Expand Up @@ -99,11 +101,21 @@ func (s *Service) SharingCodeFromSession(session *utils.SessionUser, expireIn ti
return nil
}

encrypted, err := cryptopasta.Encrypt(b, s.sharingSecret)
encrypted, err := cryptopasta.Encrypt(b, s.loadShareingSecret())
if err != nil {
return nil
}

codeInHex := hex.EncodeToString(encrypted)
return &codeInHex
}

func (s *Service) ResetEncryptionKey() {
//nolint:gosec // Using unsafe is necessary because atomic pointer operations are required.
atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&s.sharingSecret)), unsafe.Pointer(cryptopasta.NewEncryptionKey()))
}

func (s *Service) loadShareingSecret() *[32]byte {
//nolint:gosec // Using unsafe is necessary because atomic pointer operations are required.
return (*[32]byte)(atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&s.sharingSecret))))
}
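Review bot: ResetEncryptionKey and loadShareingSecret reach for `unsafe` plus a gosec suppression to get an atomic pointer swap, which `sync/atomic.Pointer[T]` (Go 1.19+) provides type-safely; if go.mod is at that version or later, declaring the field as `atomic.Pointer[[32]byte]` removes both the `unsafe` import and the `//nolint:gosec` lines. The field declaration and its initial assignment sit outside this hunk and would change with it, and every remaining direct read or write of `s.sharingSecret` elsewhere in the file must go through Load/Store or it races with the revoke path. The helper name `loadShareingSecret` has a typo (`loadSharingSecret`), also at its two call sites in this section.
```go
// … unchanged: SharingCodeFromSession …

// ResetEncryptionKey replaces the sharing-code key; every code issued before the call stops decrypting.
func (s *Service) ResetEncryptionKey() {
	s.sharingSecret.Store(cryptopasta.NewEncryptionKey()) // field assumed declared as atomic.Pointer[[32]byte]
}

func (s *Service) loadSharingSecret() *[32]byte {
	return s.sharingSecret.Load()
}
```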
34 changes: 18 additions & 16 deletions pkg/config/config.go
Expand Up @@ -30,28 +30,30 @@ type Config struct {
ClusterTLSInfo *transport.TLSInfo // TLS info for mTLS authentication between TiDB components.
TiDBTLSConfig *tls.Config // TLS config for mTLS authentication between TiDB and MySQL client.

EnableTelemetry bool
EnableExperimental bool
EnableKeyVisualizer bool
FeatureVersion string // assign the target TiDB version when running TiDB Dashboard as standalone mode
EnableTelemetry bool
EnableExperimental bool
EnableKeyVisualizer bool
DisableCustomPromAddr bool
FeatureVersion string // assign the target TiDB version when running TiDB Dashboard as standalone mode

NgmTimeout int // in seconds
}

func Default() *Config {
return &Config{
DataDir: "/tmp/dashboard-data",
TempDir: "",
PDEndPoint: "http://127.0.0.1:2379",
PublicPathPrefix: defaultPublicPathPrefix,
ClusterTLSConfig: nil,
ClusterTLSInfo: nil,
TiDBTLSConfig: nil,
EnableTelemetry: false,
EnableExperimental: false,
EnableKeyVisualizer: true,
FeatureVersion: version.PDVersion,
NgmTimeout: 30, // s
DataDir: "/tmp/dashboard-data",
TempDir: "",
PDEndPoint: "http://127.0.0.1:2379",
PublicPathPrefix: defaultPublicPathPrefix,
ClusterTLSConfig: nil,
ClusterTLSInfo: nil,
TiDBTLSConfig: nil,
EnableTelemetry: false,
EnableExperimental: false,
EnableKeyVisualizer: true,
DisableCustomPromAddr: false,
FeatureVersion: version.PDVersion,
NgmTimeout: 30, // s
}
}

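Review bot: DisableCustomPromAddr is added to Config without a trailing comment, while the neighbouring FeatureVersion and NgmTimeout fields document their meaning; `DisableCustomPromAddr bool // when true the metrics API refuses to set a custom Prometheus address` would tell a reader the behaviour without chasing the router. The Default entry of false matches the CLI flag's default in main.go. The Config struct's opening line lies outside this hunk.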
