From c7c630bb8f2676f5e7204d56b5731929f469f0d9 Mon Sep 17 00:00:00 2001
From: zyxxoo <1318247699@qq.com>
Date: Fri, 18 Mar 2022 00:26:25 +0800
Subject: [PATCH 1/2] feat: add ingore security check api

---
 .../security/HugeSecurityManager.java | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
index fa303ce829..86e67dc35e 100644
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
@@ -24,6 +24,7 @@ import java.security.Permission;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
 import org.slf4j.Logger;
@@ -126,6 +127,17 @@ public class HugeSecurityManager extends SecurityManager {
 ImmutableSet.of("newSecurityException")
 );
+ private static final Set ignoreCheck = new CopyOnWriteArraySet<>();
+
+ public static void addIgnoreCheck(String clazz) {
+ if (callFromGremlin()) {
+ throw newSecurityException(
+ "Not allowed to add ignore check via Gremlin");
+ }
+
+ ignoreCheck.add(clazz);
+ }
+
 @Override
 public void checkPermission(Permission permission) {
 if (DENIED_PERMISSIONS.contains(permission.getName()) &&
@@ -167,7 +179,7 @@ public void checkAccess(Thread thread) {
 if (callFromGremlin() && !callFromCaffeine() &&
 !callFromAsyncTasks() && !callFromEventHubNotify() &&
 !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc()) {
+ !callFromRaft() && !callFromSofaRpc() && !callFromIgnore()) {
 throw newSecurityException(
 "Not allowed to access thread via Gremlin");
 }
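Review bot: `addIgnoreCheck` (renamed `ignoreCheckedClass` in the second patch) accepts any string and adds it to a process-wide exemption set without validating it, so a null or empty class name is stored as-is — `CopyOnWriteArraySet` permits null — and is later handed to `callFromWorkerWithClass`, whose matching logic lies outside this hunk. I would reject that up front, before the add: `if (clazz == null || clazz.isEmpty()) { throw new IllegalArgumentException("Invalid class to ignore: " + clazz); }`. Because every name registered here exempts matching callers from the thread and thread-group checks in `checkAccess`, the method also needs a Javadoc stating that it is a trusted, setup-time API, that the exemption is global and there is no way to remove an entry, and ideally an info-level log line recording the class name at the moment it is added (the slf4j import is visible in the first hunk; whether this class already has a logger field is not). The field is declared as a raw `Set` as rendered here; unless the type argument was lost in rendering, it should be `Set<String>` to match the `String` parameter.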
@@ -179,7 +191,7 @@ public void checkAccess(ThreadGroup threadGroup) {
 if (callFromGremlin() && !callFromCaffeine() &&
 !callFromAsyncTasks() && !callFromEventHubNotify() &&
 !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc()) {
+ !callFromRaft() && !callFromSofaRpc() && !callFromIgnore()) {
 throw newSecurityException(
 "Not allowed to access thread group via Gremlin");
 }
@@ -475,6 +487,10 @@ private static boolean callFromNewSecurityException() {
 return callFromMethods(NEW_SECURITY_EXCEPTION);
 }
+ private static boolean callFromIgnore() {
+ return callFromWorkerWithClass(ignoreCheck);
+ }
+
 private static boolean callFromWorkerWithClass(Set classes) {
 Thread curThread = Thread.currentThread();
 if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||

From 610d83a7c656961aedea6a898dea31f110214081 Mon Sep 17 00:00:00 2001
From: zyxxoo <1318247699@qq.com>
Date: Mon, 21 Mar 2022 10:20:13 +0800
Subject: [PATCH 2/2] feat: improve code

---
 .../hugegraph/security/HugeSecurityManager.java | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
index 86e67dc35e..5767cba554 100644
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
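Review bot: `callFromIgnore` is the single point where a registered exemption takes effect, yet it carries no comment explaining what condition it encodes or how narrow its effect is. I would add above it: `// True when the current thread is a Gremlin server worker and a class registered via addIgnoreCheck is found by callFromWorkerWithClass; as of this patch consulted only by checkAccess(Thread) and checkAccess(ThreadGroup)`. The worker-thread test is visible at the top of `callFromWorkerWithClass`, but the rest of that method is outside the hunk, so confirm how it matches the registered names before committing to that wording. The helper itself is trivial; the value is in documenting the limited scope of the bypass so a later reader does not assume it also relaxes `checkPermission` or the other checks in this manager.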
@@ -127,15 +127,15 @@ public class HugeSecurityManager extends SecurityManager {
 ImmutableSet.of("newSecurityException")
 );
- private static final Set ignoreCheck = new CopyOnWriteArraySet<>();
+ private static final Set ignoreCheckedClasses = new CopyOnWriteArraySet<>();
- public static void addIgnoreCheck(String clazz) {
+ public static void ignoreCheckedClass(String clazz) {
 if (callFromGremlin()) {
 throw newSecurityException(
 "Not allowed to add ignore check via Gremlin");
 }
- ignoreCheck.add(clazz);
+ ignoreCheckedClasses.add(clazz);
 }
 @Override
@@ -179,7 +179,7 @@ public void checkAccess(Thread thread) {
 if (callFromGremlin() && !callFromCaffeine() &&
 !callFromAsyncTasks() && !callFromEventHubNotify() &&
 !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc() && !callFromIgnore()) {
+ !callFromRaft() && !callFromSofaRpc() && !callFromIgnoreCheckedClass()) {
 throw newSecurityException(
 "Not allowed to access thread via Gremlin");
 }
@@ -191,7 +191,8 @@ public void checkAccess(ThreadGroup threadGroup) {
 if (callFromGremlin() && !callFromCaffeine() &&
 !callFromAsyncTasks() && !callFromEventHubNotify() &&
 !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc() && !callFromIgnore()) {
+ !callFromRaft() && !callFromSofaRpc() &&
+ !callFromIgnoreCheckedClass()) {
 throw newSecurityException(
 "Not allowed to access thread group via Gremlin");
 }
@@ -487,8 +488,8 @@ private static boolean callFromNewSecurityException() {
 return callFromMethods(NEW_SECURITY_EXCEPTION);
 }
- private static boolean callFromIgnore() {
- return callFromWorkerWithClass(ignoreCheck);
+ private static boolean callFromIgnoreCheckedClass() {
+ return callFromWorkerWithClass(ignoreCheckedClasses);
 }
 private static boolean callFromWorkerWithClass(Set classes) {