FIX 解决ci 数据库安全性问题

app/controllers/ci/base_controller.rb

@@ -1,11 +1,12 @@
 class Ci::BaseController < ApplicationController
   before_action :require_login
+  before_action :connect_to_ci_database
 
   def load_repo
     namespace = params[:owner]
     id = params[:repo] || params[:id]
 
-    @user, @repo = Ci::Repo.find_with_namespace(namespace, id)
+    @ci_user, @repo = Ci::Repo.find_with_namespace(namespace, id)
   end
 
   private
@@ -43,4 +44,20 @@ class Ci::BaseController < ApplicationController
       end
     end
 
+    # Dynamically sets the database connection.
+    def connect_to_ci_database
+      db_config = Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
+      return render_error('ci database config missing') if db_config.blank?
+
+      req_params = {
+        host: db_config["host"],
+        username: db_config['username'],
+        password: db_config['password'],
+        port: db_config['port'],
+        database: "#{current_user.login}_#{db_config['database']}"
+      }
+      db_params = Ci::Database.get_connection_params(req_params)
+      Ci::Database.set_connection(db_params)
+    end
+
 end

app/controllers/ci/builds_controller.rb

@@ -7,6 +7,7 @@ class Ci::BuildsController < Ci::BaseController
   before_action :find_cloud_account, except: [:index, :show]
 
   def index
+    @user = current_user
     scope = @repo.builds
 
     scope = Ci::Builds::ListQuery.call(@repo, params)
@@ -20,13 +21,13 @@ class Ci::BuildsController < Ci::BaseController
   end
 
   def restart
-    result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
+    result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).restart
 
     render json: result
   end
 
   def stop
-    result = Ci::Drone::API.new(@user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
+    result = Ci::Drone::API.new(@ci_user.user_hash, @cloud_account.drone_url, @repo.repo_namespace, @repo.repo_name, number: params[:build]).stop
     render json: result
   end
 

app/controllers/ci/cloud_accounts_controller.rb

@@ -31,15 +31,15 @@ class Ci::CloudAccountsController < Ci::BaseController
       ActiveRecord::Base.transaction do
         if @repo
           return render_error('该项目已经激活') if @repo.repo_active?
-          @repo.activate!(@user.user_id)
+          @repo.activate!(@ci_user.user_id)
         else
-          @repo = Ci::Repo.auto_create!(@user, @project)
+          @repo = Ci::Repo.auto_create!(@ci_user, @project)
           @user.update_column(:user_syncing, false)
         end
 
         result = bind_hook!(current_user, @cloud_account, @repo)
         @project.update_columns(open_devops: true, gitea_webhook_id: result['id'])
-        @cloud_account.update_column(:ci_user_id, @user.user_id)
+        @cloud_account.update_column(:ci_user_id, @ci_user.user_id)
       end
       render_ok
     rescue Exception => ex

app/controllers/concerns/ci/cloud_account_manageable.rb

@@ -28,7 +28,7 @@ module Ci::CloudAccountManageable
     logger.info "######### rpc_secret: #{rpc_secret}"
 
     # 3. 创建drone server
-    drone_server_cmd = Ci::Drone::Server.new(oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
+    drone_server_cmd = Ci::Drone::Server.new(current_user.login, oauth.client_id, oauth.client_secret, cloud_account.drone_host, rpc_secret).generate_cmd
     logger.info "######### drone_server_cmd: #{drone_server_cmd}"
 
     # 4. 创建drone client

app/libs/ci/database.rb

@@ -0,0 +1,31 @@
+module Ci
+  class Database < ActiveRecord::Base
+    self.abstract_class = true
+    
+    # Dynamically sets the database connection.
+    def self.set_connection(params)
+      puts "[Ci::Database] set db connection params: #{params}"
+      establish_connection(
+        adapter: params[:adapter],
+        database: params[:database],
+        port: params[:port].to_i,
+        host: params[:host],
+        username: params[:username],
+        password: params[:password],
+        encoding: "utf8"
+      )
+    end
+
+    def self.get_connection_params(connect_to)
+      params = Hash.new
+      params[:adapter]  = "mysql2"
+      params[:host]     = connect_to[:host].to_s
+      params[:username] = connect_to[:username].to_s
+      params[:password] = connect_to[:password].to_s
+      params[:database] = connect_to[:database].to_s
+      params[:port]     = connect_to[:port] || "43306"
+      params[:encoding] = "utf8"
+      return params
+    end
+  end
+end

app/libs/ci/drone/server.rb

@@ -1,12 +1,13 @@
 class Ci::Drone::Server
-  attr_reader :client_id, :client_secret, :drone_host, :rpc_secret
+  attr_reader :user_login, :client_id, :client_secret, :drone_host, :rpc_secret
 
   # client_id: user's client_id from oauth
   # client_secret: user's client_id from oauth
   # drone_host: 云服务器地址，eq: 173.53.21.31:80
   # eg:
-  # DevOps::Drone::Server.new(current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
+  # DevOps::Drone::Server.new(current_user.login, current_user.oauth.client_id, current_user.oauth.client_secret, 'drone_host').generate_cmd
-  def initialize(client_id, client_secret, drone_host, rpc_secret)
+  def initialize(user_login, client_id, client_secret, drone_host, rpc_secret)
+    @user_login    = user_login
     @client_id     = client_id
     @drone_host    = drone_host
     @rpc_secret    = rpc_secret
@@ -19,7 +20,7 @@ class Ci::Drone::Server
     "service docker start; docker run \
       -v /var/run/docker.sock:/var/run/docker.sock \
       -e DRONE_DATABASE_DRIVER=mysql \
-      -e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone?parseTime=true \
+      -e DRONE_DATABASE_DATASOURCE=#{database_username}:#{database_password}@tcp\\(#{database_host}:#{database_port}\\)/drone_#{user_login}?parseTime=true \
       -e DRONE_GITEA_SERVER=#{gitea_url} \
       -e DRONE_GITEA_CLIENT_ID=#{client_id} \
       -e DRONE_GITEA_CLIENT_SECRET=#{client_secret} \
@@ -55,10 +56,6 @@ class Ci::Drone::Server
       database_config[Rails.env]["ci_server_db"]["port"] || 3306
     end
 
-    def database
-      database_config[Rails.env]["ci_server_db"]["database"]
-    end
-
     def database_config
       Rails.configuration.database_configuration
     end

app/models/ci/remote_base.rb

@@ -1,10 +1,8 @@
-class Ci::RemoteBase < ApplicationRecord
+class Ci::RemoteBase < Ci::Database
   self.abstract_class = true
 
-  establish_connection Rails.configuration.database_configuration[Rails.env]["ci_server_db"]
-
   def generate_code
     [*'a'..'z',*'0'..'9',*'A'..'Z'].sample(32).join
   end
-  
+
 end

app/views/ci/builds/_build.json.jbuilder

@@ -7,7 +7,7 @@ json.action build.build_action
 json.error build.build_error  if build.build_status == 'error'
 json.message build.build_message
 json.author do
-  json.partial! 'author', user: current_user
+  json.partial! 'author', user: user
 end
 json.started format_utc_time build.build_started
 json.finished format_utc_time build.build_finished

app/views/ci/builds/index.json.jbuilder

@@ -1,4 +1,4 @@
 json.total_count @total_count
 json.builds @builds do |build|
-  json.partial! "/ci/builds/build", build: build
+  json.partial! "/ci/builds/build", build: build, user: @user
 end