Add connection time acl check to standalone mcrouter

Summary: Add per-connection acl checker to mcrouter server. Reviewed By: callenrain Differential Revision: D13355499 fbshipit-source-id: 8ac8c5b68b325ce2315b86eef26ea00cadc86d9d
facebook · Dec 11, 2018 · b4c5c8e · b4c5c8e
1 parent 4d98639
commit b4c5c8e
Show file tree

Hide file tree

Showing 8 changed files with 160 additions and 37 deletions.
diff --git a/mcrouter/Makefile.am b/mcrouter/Makefile.am
@@ -199,6 +199,8 @@ mcrouter_SOURCES = \
   Server-inl.h \
   Server.h \
   ServerOnRequest.h \
+  StandaloneConfig.cpp \
+  StandaloneConfig.h \
   StandaloneUtils.cpp \
   StandaloneUtils.h \
   standalone_options.h \

diff --git a/mcrouter/Server-inl.h b/mcrouter/Server-inl.h
@@ -1,9 +1,8 @@
-/*
- *  Copyright (c) Facebook, Inc.
- *
- *  This source code is licensed under the MIT license found in the LICENSE
- *  file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #include <signal.h>
 
@@ -16,6 +15,7 @@
 #include "mcrouter/Proxy.h"
 #include "mcrouter/ProxyThread.h"
 #include "mcrouter/ServerOnRequest.h"
+#include "mcrouter/StandaloneConfig.h"
 #include "mcrouter/config.h"
 #include "mcrouter/lib/network/AsyncMcServer.h"
 #include "mcrouter/lib/network/AsyncMcServerWorker.h"
@@ -27,6 +27,26 @@ namespace mcrouter {
 
 namespace detail {
 
+inline std::function<void(McServerSession&)> getAclChecker(
+    const McrouterOptions& opts,
+    const McrouterStandaloneOptions& standaloneOpts) {
+  if (standaloneOpts.acl_checker_enable) {
+    try {
+      return getConnectionAclChecker(
+          standaloneOpts.server_ssl_service_identity,
+          standaloneOpts.acl_checker_enforce);
+    } catch (const std::exception& ex) {
+      MC_LOG_FAILURE(
+          opts,
+          failure::Category::kSystemError,
+          "Error creating acl checker: {}",
+          ex.what());
+      LOG(WARNING) << "Disabling acl checker on all threads.";
+    }
+  }
+  return [](McServerSession&) {};
+}
+
 template <class RouterInfo, template <class> class RequestHandler>
 void serverLoop(
     CarbonRouterInstance<RouterInfo>& router,
@@ -47,9 +67,24 @@ void serverLoop(
       *routerClient,
       standaloneOpts.retain_source_ip,
       standaloneOpts.enable_pass_through_mode));
-  worker.setOnConnectionAccepted([proxy](McServerSession&) {
-    proxy->stats().increment(num_client_connections_stat);
-  });
+
+  worker.setOnConnectionAccepted(
+      [proxy,
+       aclChecker = getAclChecker(proxy->router().opts(), standaloneOpts)](
+          McServerSession& session) mutable {
+        proxy->stats().increment(num_client_connections_stat);
+        try {
+          aclChecker(session);
+        } catch (const std::exception& ex) {
+          MC_LOG_FAILURE(
+              proxy->router().opts(),
+              failure::Category::kSystemError,
+              "Error running acl checker: {}",
+              ex.what());
+          LOG(WARNING) << "Disabling acl checker on this thread.";
+          aclChecker = [](McServerSession&) {};
+        }
+      });
   worker.setOnConnectionCloseFinish(
       [proxy](McServerSession&, bool onAcceptedCalled) {
         if (onAcceptedCalled) {

diff --git a/mcrouter/StandaloneConfig.cpp b/mcrouter/StandaloneConfig.cpp
@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
+ */
+#include "StandaloneConfig.h"
+
+#include <functional>
+#include <unordered_map>
+
+namespace facebook {
+namespace memcache {
+namespace mcrouter {
+
+void standalonePreInitFromCommandLineOpts(
+    const std::unordered_map<std::string, std::string>& standaloneOptionsDict) {
+}
+
+void standaloneInit(
+    const McrouterOptions& opts,
+    const McrouterStandaloneOptions& standaloneOpts) {}
+
+void initStandaloneSSL() {}
+
+void finalizeStandaloneOptions(McrouterStandaloneOptions& opts) {}
+
+std::function<void(McServerSession&)> getConnectionAclChecker(
+    const std::string& /* serviceIdentity */,
+    bool /* enforce */) {
+  return [](McServerSession&) {};
+}
+
+} // namespace mcrouter
+} // namespace memcache
+} // namespace facebook
diff --git a/mcrouter/StandaloneConfig.h b/mcrouter/StandaloneConfig.h
@@ -0,0 +1,40 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
+ */
+#pragma once
+
+#include <functional>
+#include <unordered_map>
+
+namespace facebook {
+namespace memcache {
+
+// forward declarations
+class McrouterOptions;
+class McServerSession;
+
+namespace mcrouter {
+// forward declarations
+class McrouterStandaloneOptions;
+
+void standalonePreInitFromCommandLineOpts(
+    const std::unordered_map<std::string, std::string>& standaloneOptionsDict);
+
+void standaloneInit(
+    const McrouterOptions& opts,
+    const McrouterStandaloneOptions& standaloneOpts);
+
+void initStandaloneSSL();
+
+void finalizeStandaloneOptions(McrouterStandaloneOptions& opts);
+
+std::function<void(McServerSession&)> getConnectionAclChecker(
+    const std::string& serviceIdentity,
+    bool enforce);
+
+} // namespace mcrouter
+} // namespace memcache
+} // namespace facebook
diff --git a/mcrouter/StandaloneUtils.cpp b/mcrouter/StandaloneUtils.cpp
@@ -1,9 +1,8 @@
-/*
- *  Copyright (c) Facebook, Inc.
- *
- *  This source code is licensed under the MIT license found in the LICENSE
- *  file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #include "StandaloneUtils.h"
 
@@ -24,6 +23,7 @@
 #include "mcrouter/McrouterLogFailure.h"
 #include "mcrouter/RouterRegistry.h"
 #include "mcrouter/Server.h"
+#include "mcrouter/StandaloneConfig.h"
 #include "mcrouter/config.h"
 #include "mcrouter/options.h"
 #include "mcrouter/standalone_options.h"
@@ -430,6 +430,9 @@ void setupStandaloneMcrouter(
         option);
   }
 
+  // finialize standalone options
+  finalizeStandaloneOptions(standaloneOptions);
+
   // init a few things.
   initStandaloneSSL();
   srand(time(nullptr) + getpid());

diff --git a/mcrouter/mcrouter_config.cpp b/mcrouter/mcrouter_config.cpp
@@ -1,9 +1,8 @@
-/*
- *  Copyright (c) 2014-present, Facebook, Inc.
- *
- *  This source code is licensed under the MIT license found in the LICENSE
- *  file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #include <memory>
 
@@ -133,8 +132,6 @@ folly::dynamic readStaticJsonFile(folly::StringPiece file) {
   return folly::parseJson(contents);
 }
 
-void initStandaloneSSL() {}
-
 } // namespace mcrouter
 } // namespace memcache
 } // namespace facebook
diff --git a/mcrouter/mcrouter_config.h b/mcrouter/mcrouter_config.h
@@ -1,9 +1,8 @@
-/*
- *  Copyright (c) Facebook, Inc.
- *
- *  This source code is licensed under the MIT license found in the LICENSE
- *  file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #pragma once
 
@@ -50,7 +49,6 @@ namespace mcrouter {
 class CarbonRouterInstanceBase;
 class ConfigApi;
 class McrouterLogger;
-class McrouterStandaloneOptions;
 struct FailoverContext;
 class ProxyBase;
 struct RequestLoggerContext;
@@ -107,13 +105,6 @@ std::unique_ptr<ConfigApi> createConfigApi(const McrouterOptions& opts);
 
 std::string performOptionSubstitution(std::string str);
 
-inline void standalonePreInitFromCommandLineOpts(
-    const std::unordered_map<std::string, std::string>& st_option_dict) {}
-
-inline void standaloneInit(
-    const McrouterOptions& opts,
-    const McrouterStandaloneOptions& standaloneOpts) {}
-
 std::unique_ptr<McrouterLogger> createMcrouterLogger(
     CarbonRouterInstanceBase& router);
 
@@ -153,8 +144,6 @@ std::string getBinPath(folly::StringPiece name);
 
 void finalizeOptions(McrouterOptions& options);
 
-void initStandaloneSSL();
-
 /**
  * Reads a static json file. Do not monitor for changes.
  * May throw if there's an error while parsing file contents.

diff --git a/mcrouter/standalone_options_list.h b/mcrouter/standalone_options_list.h
@@ -67,14 +67,14 @@ MCROUTER_OPTION_TOGGLE(
 
 MCROUTER_OPTION_STRING(
     server_pem_cert_path,
-    "",
+    "", // this may get overwritten by finalizeOptions
     "server-pem-cert-path",
     no_short,
     "Path of pem-style server certificate for ssl.")
 
 MCROUTER_OPTION_STRING(
     server_pem_key_path,
-    "",
+    "", // this may get overwritten by finalizeOptions
     "server-pem-key-path",
     no_short,
     "Path of pem-style server key for ssl.")
@@ -195,6 +195,27 @@ MCROUTER_OPTION_INTEGER(
     "use the zero copy optimization on TX."
     "If 0, the tcp zero copy optimization will not be applied.")
 
+MCROUTER_OPTION_TOGGLE(
+    acl_checker_enable,
+    false,
+    "acl-checker-enable",
+    no_short,
+    "If true, incoming requests are checked against the ACL.")
+
+MCROUTER_OPTION_TOGGLE(
+    acl_checker_enforce,
+    false,
+    "acl-checker-enforce",
+    no_short,
+    "If true, enforces the result of the ACL check.")
+
+MCROUTER_OPTION_STRING(
+    server_ssl_service_identity,
+    "memcache",
+    "server-ssl-service-identity",
+    no_short,
+    "If true, enforces the result of the ACL check.")
+
 #ifdef ADDITIONAL_STANDALONE_OPTIONS_FILE
 #include ADDITIONAL_STANDALONE_OPTIONS_FILE
 #endif