add endpoint check to reconnect (#9196)
parent
e0c94e64d7
commit
7ac857784f
|
@ -33,6 +33,7 @@
|
|||
#include "Basics/FileUtils.h"
|
||||
#include "Basics/StringUtils.h"
|
||||
#include "Basics/VelocyPackHelper.h"
|
||||
#include "ApplicationFeatures/V8SecurityFeature.h"
|
||||
#include "Import/ImportHelper.h"
|
||||
#include "Rest/HttpResponse.h"
|
||||
#include "Rest/Version.h"
|
||||
|
@ -48,7 +49,7 @@
|
|||
#include "V8/v8-vpack.h"
|
||||
|
||||
#include <iostream>
|
||||
|
||||
|
||||
using namespace arangodb;
|
||||
using namespace arangodb::application_features;
|
||||
using namespace arangodb::basics;
|
||||
|
@ -433,6 +434,16 @@ static void ClientConnection_reconnect(v8::FunctionCallbackInfo<v8::Value> const
|
|||
warnConnect = TRI_ObjectToBoolean(isolate, args[4]);
|
||||
}
|
||||
|
||||
V8SecurityFeature* v8security =
|
||||
application_features::ApplicationServer::getFeature<V8SecurityFeature>(
|
||||
"V8Security");
|
||||
TRI_ASSERT(v8security != nullptr);
|
||||
|
||||
if (!v8security->isAllowedToConnectToEndpoint(isolate, endpoint)) {
|
||||
TRI_V8_THROW_EXCEPTION_MESSAGE(TRI_ERROR_FORBIDDEN,
|
||||
"not allowed to connect to this endpoint");
|
||||
}
|
||||
|
||||
client->setEndpoint(endpoint);
|
||||
client->setDatabaseName(databaseName);
|
||||
client->setUsername(username);
|
||||
|
@ -1480,7 +1491,7 @@ v8::Local<v8::Value> V8ClientConnection::requestData(
|
|||
req->header.acceptType(fuerte::ContentType::VPack);
|
||||
}
|
||||
req->timeout(std::chrono::duration_cast<std::chrono::milliseconds>(_requestTimeout));
|
||||
|
||||
|
||||
auto connection = std::atomic_load(&_connection);
|
||||
if (!connection) {
|
||||
TRI_V8_SET_EXCEPTION_MESSAGE(TRI_SIMPLE_CLIENT_COULD_NOT_CONNECT,
|
||||
|
@ -1539,7 +1550,7 @@ v8::Local<v8::Value> V8ClientConnection::requestDataRaw(
|
|||
req->header.acceptType(fuerte::ContentType::VPack);
|
||||
}
|
||||
req->timeout(std::chrono::duration_cast<std::chrono::milliseconds>(_requestTimeout));
|
||||
|
||||
|
||||
auto connection = std::atomic_load(&_connection);
|
||||
if (!connection) {
|
||||
TRI_V8_SET_EXCEPTION_MESSAGE(TRI_SIMPLE_CLIENT_COULD_NOT_CONNECT,
|
||||
|
@ -1787,7 +1798,7 @@ void V8ClientConnection::initServer(v8::Isolate* isolate, v8::Local<v8::Context>
|
|||
|
||||
connection_proto->Set(isolate, "getMode",
|
||||
v8::FunctionTemplate::New(isolate, ClientConnection_getMode));
|
||||
|
||||
|
||||
connection_proto->Set(isolate, "getRole",
|
||||
v8::FunctionTemplate::New(isolate, ClientConnection_getRole));
|
||||
|
||||
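Review bot: In the `ClientConnection_reconnect` hunk the only guard on `v8security` is `TRI_ASSERT(v8security != nullptr)`, which as far as I know is active only in maintainer builds, so a release build would reach `v8security->isAllowedToConnectToEndpoint(isolate, endpoint)` without it. If `getFeature` can return null here, make the guard a runtime check that fails closed, e.g. `if (v8security == nullptr) { TRI_V8_THROW_EXCEPTION_MESSAGE(TRI_ERROR_INTERNAL, "V8Security feature not available"); }`; if it cannot, a one-line comment saying so is enough. The filter is applied to the caller-supplied `endpoint` string, and whether `client->setEndpoint(endpoint)` or the later connect normalises that string is not visible in this hunk, so please confirm the allow-list is matched against the same form that is finally used to connect. The function begins and ends outside the hunk.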
|
|
|
@ -74,6 +74,27 @@ function testSuite() {
|
|||
}
|
||||
}
|
||||
|
||||
function reconnectForbidden(url, method) {
|
||||
try {
|
||||
let reply = arango.reconnect(url, '_system', 'open', 'sesame');
|
||||
fail();
|
||||
} catch (err) {
|
||||
assertEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'while reconnecting: ' + url);
|
||||
}
|
||||
}
|
||||
|
||||
function reconnectPermitted(url, method) {
|
||||
try {
|
||||
let reply = arango.reconnect(url, '_system', 'open', 'sesame');
|
||||
fail();
|
||||
} catch (err) {
|
||||
assertNotEqual(arangodb.ERROR_FORBIDDEN, err.errorNum, 'while reconnecting: ' + url + " Detail error: " + JSON.stringify(err) + ' ');
|
||||
// we expect that we aren't able to connect these URLs...
|
||||
assertEqual(arangodb.ERROR_BAD_PARAMETER, err.errorNum, 'while reconnecting: ' + url + " Detail error: " + JSON.stringify(err) + ' ');
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
return {
|
||||
testDownload : function() {
|
||||
// The filter will only match the host part. We specify one anyways.
|
||||
|
@ -92,6 +113,22 @@ function testSuite() {
|
|||
downloadPermitted('http://white.arangodb.org/bla', 'GET');
|
||||
downloadPermitted('https://arangodb.com/blog', 'GET');
|
||||
downloadPermitted('http://arangodb.com/blog', 'GET');
|
||||
|
||||
reconnectForbidden('http://127.0.0.1:8888/testbla');
|
||||
reconnectForbidden('http://127.0.0.1:8888/testbla');
|
||||
reconnectForbidden('http://127.0.0.1:8899/testbla');
|
||||
reconnectForbidden('https://127.0.0.1:7777/testbla');
|
||||
reconnectForbidden('https://127.0.0.1:7777');
|
||||
reconnectForbidden('https://127.0.0.1:777/testbla');
|
||||
reconnectForbidden('http://arangodb.org/testbla');
|
||||
reconnectForbidden('https://arangodb.org/testbla');
|
||||
reconnectForbidden('http://heise.de');
|
||||
reconnectForbidden('http://127.0.0.1:9999');
|
||||
|
||||
reconnectPermitted('https://white.arangodb.org/bla');
|
||||
reconnectPermitted('http://white.arangodb.org/bla');
|
||||
reconnectPermitted('https://arangodb.com/blog');
|
||||
reconnectPermitted('http://arangodb.com/blog');
|
||||
}
|
||||
};
|
||||
}
|
||||
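Review bot: `reconnectForbidden` and `reconnectPermitted` call `fail()` inside the `try`, so the error it presumably throws lands in the `catch` and the test then fails on `err.errorNum` being undefined instead of reporting that a reconnect unexpectedly succeeded. Rethrowing when `err.errorNum === undefined`, or asserting after the try/catch, would make a bypass of the endpoint filter obvious in the test log. The first two `reconnectForbidden('http://127.0.0.1:8888/testbla')` calls are identical, so one was probably meant to cover a different scheme or port. All cases use `http://`/`https://` URLs and the permitted ones end in `ERROR_BAD_PARAMETER`, which only shows the filter did not fire; adding cases with the endpoint forms the shell actually connects with (for example `tcp://` or `ssl://`) would exercise the filter on the real path. The `method` parameter and the `reply` variable are unused in both helpers.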
|
|