From e0d63011000d6f7da7e4423cd651abdbc1d9cf7e Mon Sep 17 00:00:00 2001
From: Andrey Sobolev
Date: Fri, 14 Feb 2025 17:38:06 +0700
Subject: [PATCH] UBERF-9479: Fix adapter security selection (#8007)

Signed-off-by: Andrey Sobolev
---
 dev/tool/src/index.ts | 2 ++
 pods/backup/src/index.ts | 2 ++
 pods/fulltext/src/server.ts | 2 ++
 pods/server/src/server.ts | 5 ++++-
 server/server-pipeline/src/pipeline.ts | 20 +++++++++++++++++++-
 server/workspace-service/src/service.ts | 3 +++
 workers/transactor/src/transactor.ts | 7 +++++--
 7 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/dev/tool/src/index.ts b/dev/tool/src/index.ts
index 6d7b7c176b..358d39be10 100644
--- a/dev/tool/src/index.ts
+++ b/dev/tool/src/index.ts
@@ -33,6 +33,7 @@ import {
 registerServerPlugins,
 registerStringLoaders,
 registerTxAdapterFactory,
+ setAdapterSecurity,
 sharedPipelineContextVars
 } from '@hcengineering/server-pipeline'
 import serverToken from '@hcengineering/server-token'
@@ -121,6 +122,7 @@ export function devTool (
 registerTxAdapterFactory('postgresql', createPostgresTxAdapter, true)
 registerAdapterFactory('postgresql', createPostgresAdapter, true)
 registerDestroyFactory('postgresql', createPostgreeDestroyAdapter, true)
+ setAdapterSecurity('postgresql', true)
 registerServerPlugins()
 registerStringLoaders()
diff --git a/pods/backup/src/index.ts b/pods/backup/src/index.ts
index 6a5d2817ea..aace294ce9 100644
--- a/pods/backup/src/index.ts
+++ b/pods/backup/src/index.ts
@@ -24,6 +24,7 @@ import {
 registerAdapterFactory,
 registerDestroyFactory,
 registerTxAdapterFactory,
+ setAdapterSecurity,
 sharedPipelineContextVars
 } from '@hcengineering/server-pipeline'
 import { join } from 'path'
@@ -86,6 +87,7 @@ registerDestroyFactory('mongodb', createMongoDestroyAdapter)
 registerTxAdapterFactory('postgresql', createPostgresTxAdapter, true)
 registerAdapterFactory('postgresql', createPostgresAdapter, true)
 registerDestroyFactory('postgresql', createPostgreeDestroyAdapter, true)
+setAdapterSecurity('postgresql', true)
 startBackup(
 metricsContext,
diff --git a/pods/fulltext/src/server.ts b/pods/fulltext/src/server.ts
index 1c3a74ff69..ecfb021e04 100644
--- a/pods/fulltext/src/server.ts
+++ b/pods/fulltext/src/server.ts
@@ -63,6 +63,7 @@ import {
 registerServerPlugins,
 registerStringLoaders,
 registerTxAdapterFactory,
+ setAdapterSecurity,
 sharedPipelineContextVars
 } from '@hcengineering/server-pipeline'
 import serverToken, { decodeToken, generateToken, type Token } from '@hcengineering/server-token'
@@ -257,6 +258,7 @@ export async function startIndexer (
 registerTxAdapterFactory('postgresql', createPostgresTxAdapter, true)
 registerAdapterFactory('postgresql', createPostgresAdapter, true)
 registerDestroyFactory('postgresql', createPostgreeDestroyAdapter, true)
+ setAdapterSecurity('postgresql', true)
 registerServerPlugins()
 registerStringLoaders()
diff --git a/pods/server/src/server.ts b/pods/server/src/server.ts
index 132df45f05..bf0ebbbd34 100644
--- a/pods/server/src/server.ts
+++ b/pods/server/src/server.ts
@@ -29,11 +29,13 @@ import { type Token } from '@hcengineering/server-token'
 import {
 createServerPipeline,
+ isAdapterSecurity,
 registerAdapterFactory,
 registerDestroyFactory,
 registerServerPlugins,
 registerStringLoaders,
 registerTxAdapterFactory,
+ setAdapterSecurity,
 sharedPipelineContextVars
 } from '@hcengineering/server-pipeline'
 import { uncompress } from 'snappy'
@@ -99,6 +101,7 @@ export function start (
 registerTxAdapterFactory('postgresql', createPostgresTxAdapter, true)
 registerAdapterFactory('postgresql', createPostgresAdapter, true)
 registerDestroyFactory('postgresql', createPostgreeDestroyAdapter, true)
+ setAdapterSecurity('postgresql', true)
 const usePrepare = (process.env.DB_PREPARE ?? 'true') === 'true'
@@ -117,7 +120,7 @@ export function start (
 metrics,
 dbUrl,
 model,
- { ...opt, externalStorage, adapterSecurity: dbUrl.startsWith('postgresql') },
+ { ...opt, externalStorage, adapterSecurity: isAdapterSecurity(dbUrl) },
 {}
 )
 const sessionFactory = (token: Token, workspace: Workspace, account: Account): Session => {
diff --git a/server/server-pipeline/src/pipeline.ts b/server/server-pipeline/src/pipeline.ts
index 5365fa1f5e..8e7cc4e692 100644
--- a/server/server-pipeline/src/pipeline.ts
+++ b/server/server-pipeline/src/pipeline.ts
@@ -211,7 +211,8 @@ export async function getServerPipeline (
 const pipelineFactory = createServerPipeline(ctx, dbUrl, model, {
 externalStorage: storageAdapter,
 usePassedCtx: true,
- disableTriggers: opt?.disableTriggers ?? false
+ disableTriggers: opt?.disableTriggers ?? false,
+ adapterSecurity: isAdapterSecurity(dbUrl)
 })
 return await pipelineFactory(ctx, wsUrl, true, () => {}, null)
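Review bot: In `server/server-pipeline/src/pipeline.ts`, the added `adapterSecurity: isAdapterSecurity(dbUrl)` line in `getServerPipeline` depends on module-level state that only the calling process populates, so it resolves to `false` without any error or log when `setAdapterSecurity('postgresql', true)` has not run first. The entry points touched by this patch all register the prefix, but callers outside this diff cannot be checked from here. I would state the precondition on the function, e.g. `/** Requires adapter factories and setAdapterSecurity() to be registered beforehand; adapterSecurity is derived from that registry. */`. The body of `getServerPipeline` starts and ends outside the hunk.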
@@ -220,6 +221,23 @@ export async function getServerPipeline (
 const txAdapterFactories: Record = {}
 const adapterFactories: Record = {}
 const destroyFactories: Record WorkspaceDestroyAdapter> = {}
+const adapterSecurityState = new Set()
+
+export function isAdapterSecurity (name: string): boolean {
+ for (const it of adapterSecurityState) {
+ if (name.startsWith(it)) {
+ return true
+ }
+ }
+ return false
+}
+export function setAdapterSecurity (name: string, state: boolean): void {
+ if (state) {
+ adapterSecurityState.add(name)
+ } else {
+ adapterSecurityState.delete(name)
+ }
+}
 export function registerTxAdapterFactory (name: string, factory: DbAdapterFactory, useAsDefault: boolean = true): void {
 txAdapterFactories[name] = factory
diff --git a/server/workspace-service/src/service.ts b/server/workspace-service/src/service.ts
index 1fb3ca7ed6..40fc0dae06 100644
--- a/server/workspace-service/src/service.ts
+++ b/server/workspace-service/src/service.ts
@@ -62,6 +62,7 @@ import {
 registerServerPlugins,
 registerStringLoaders,
 registerTxAdapterFactory,
+ setAdapterSecurity,
 sharedPipelineContextVars
 } from '@hcengineering/server-pipeline'
 import { buildStorageFromConfig, storageConfigFromEnv } from '@hcengineering/server-storage'
@@ -160,6 +161,8 @@ export class WorkspaceWorker {
 registerTxAdapterFactory('postgresql', createPostgresTxAdapter, true)
 registerAdapterFactory('postgresql', createPostgresAdapter, true)
 registerDestroyFactory('postgresql', createPostgreeDestroyAdapter, true)
+ setAdapterSecurity('postgresql', true)
+
 registerServerPlugins()
 registerStringLoaders()
diff --git a/workers/transactor/src/transactor.ts b/workers/transactor/src/transactor.ts
index b5b6b2ba9f..ca18223329 100644
--- a/workers/transactor/src/transactor.ts
+++ b/workers/transactor/src/transactor.ts
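Review bot: In `server/server-pipeline/src/pipeline.ts`, the new `isAdapterSecurity` names its parameter `name`, yet every call site in this patch passes a full database URL (`isAdapterSecurity(dbUrl)`), and the match is a bare, case-sensitive `startsWith` against whatever string was registered. The security flag therefore follows the exact spelling of the URL: a value that does not begin with the registered string falls through to `return false` silently, and any string that merely shares the prefix is accepted. If the registered value is meant to be a URL scheme, anchoring on the scheme separator would make that explicit, e.g. `if (name.startsWith(it + ':')) {`, assuming `dbUrl` always holds a single URL at these call sites, which this diff does not show. Both exported functions also lack doc comments; renaming the parameter to `dbUrl` and adding a line such as `/** Returns true when dbUrl starts with a prefix registered via setAdapterSecurity(). */` would document the contract.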
@@ -46,11 +46,13 @@ import {
 } from '@hcengineering/postgres'
 import {
 createServerPipeline,
+ isAdapterSecurity,
 registerAdapterFactory,
 registerDestroyFactory,
 registerServerPlugins,
 registerStringLoaders,
- registerTxAdapterFactory
+ registerTxAdapterFactory,
+ setAdapterSecurity
 } from '@hcengineering/server-pipeline'
 import { CloudFlareLogger } from './logger'
 import model from './model.json'
@@ -109,6 +111,7 @@ export class Transactor extends DurableObject {
 registerTxAdapterFactory('postgresql', createPostgresTxAdapter, true)
 registerAdapterFactory('postgresql', createPostgresAdapter, true)
 registerDestroyFactory('postgresql', createPostgreeDestroyAdapter, true)
+ setAdapterSecurity('postgresql', true)
 if (env.USE_GREEN === 'true') {
 registerGreenUrl(env.GREEN_URL)
@@ -140,7 +143,7 @@ export class Transactor extends DurableObject {
 this.pipelineFactory = async (ctx, ws, upgrade, broadcast, branding) => {
 const pipeline = createServerPipeline(this.measureCtx, dbUrl, model, {
 externalStorage: storage,
- adapterSecurity: false,
+ adapterSecurity: isAdapterSecurity(dbUrl),
 disableTriggers: false,
 fulltextUrl: env.FULLTEXT_URL,
 extraLogging: true,
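Review bot: In `workers/transactor/src/transactor.ts`, `isAdapterSecurity(dbUrl)` sits inside the `this.pipelineFactory` closure, so it is presumably re-evaluated on each pipeline creation against a registry that a later `setAdapterSecurity(name, false)` call can change. Resolving the flag once, right after the registration calls, keeps every pipeline of this worker on the same setting: `const adapterSecurity = isAdapterSecurity(dbUrl)` before the factory and `adapterSecurity,` in the options object. Because this line moves the worker from a hard-coded `false` to a derived value, a one-time log of the resolved flag would let operators confirm which mode is active after deployment. The factory closure continues past the end of the hunk.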