From c7c630bb8f2676f5e7204d56b5731929f469f0d9 Mon Sep 17 00:00:00 2001
From: zyxxoo <1318247699@qq.com>
Date: Fri, 18 Mar 2022 00:26:25 +0800
Subject: [PATCH] feat: add ingore security check api
---
 .../security/HugeSecurityManager.java | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
index fa303ce829..86e67dc35e 100644
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
@@ -24,6 +24,7 @@ import java.security.Permission;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
 import org.slf4j.Logger;
@@ -126,6 +127,17 @@ public class HugeSecurityManager extends SecurityManager {
 ImmutableSet.of("newSecurityException") );
+ private static final Set ignoreCheck = new CopyOnWriteArraySet<>();
+
+ public static void addIgnoreCheck(String clazz) {
+ if (callFromGremlin()) {
+ throw newSecurityException(
+ "Not allowed to add ignore check via Gremlin");
+ }
+
+ ignoreCheck.add(clazz);
+ }
+
 @Override
 public void checkPermission(Permission permission) {
 if (DENIED_PERMISSIONS.contains(permission.getName()) &&
@@ -167,7 +179,7 @@ public void checkAccess(Thread thread) {
 if (callFromGremlin() && !callFromCaffeine() && !callFromAsyncTasks() && !callFromEventHubNotify() && !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc()) {
+ !callFromRaft() && !callFromSofaRpc() && !callFromIgnore()) {
 throw newSecurityException( "Not allowed to access thread via Gremlin");
 }
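Review bot: `addIgnoreCheck` widens the sandbox for the whole JVM, yet it stores any string without a null or empty check, records nothing about who registered what, and offers no way to list or remove entries. Because every registered name later exempts callers from the `checkAccess` thread and thread-group checks, I would reject blank input up front, e.g. `if (clazz == null || clazz.isEmpty()) { throw new IllegalArgumentException("clazz must be a non-empty class name"); }`, and log each addition at WARN through the class's existing slf4j logger so an unexpected exemption is visible in audit. The only guard is `callFromGremlin()`, whose definition is outside this hunk; it is worth confirming that it covers every path on which script-supplied code can reach this method. A Javadoc stating that the exemption applies only to thread access checks, and naming the constant `IGNORE_CHECK_CLASSES` in line with `DENIED_PERMISSIONS`, would make the scope clear.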
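Review bot: The exemption list in this condition is now eight terms long and is copied verbatim into `checkAccess(ThreadGroup)` in the next hunk, so a later change to one copy can leave the other stricter or looser without anyone noticing. Consider moving the shared part into one private helper called from both overloads, e.g. `if (callFromGremlin() && !callFromTrustedCaller()) {`, where the helper name is only a suggestion. `callFromIgnore()` consults a set that `addIgnoreCheck` can extend at runtime, so a short comment here saying that the outcome depends on those registrations would help anyone auditing why a thread access was allowed. Both method bodies continue outside their hunks.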
@@ -179,7 +191,7 @@ public void checkAccess(ThreadGroup threadGroup) {
 if (callFromGremlin() && !callFromCaffeine() && !callFromAsyncTasks() && !callFromEventHubNotify() && !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc()) {
+ !callFromRaft() && !callFromSofaRpc() && !callFromIgnore()) {
 throw newSecurityException( "Not allowed to access thread group via Gremlin");
 }
@@ -475,6 +487,10 @@ private static boolean callFromNewSecurityException() {
 return callFromMethods(NEW_SECURITY_EXCEPTION);
 }
+ private static boolean callFromIgnore() {
+ return callFromWorkerWithClass(ignoreCheck);
+ }
+
 private static boolean callFromWorkerWithClass(Set classes) {
 Thread curThread = Thread.currentThread();
 if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||