dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: restrict jobs on cloud

Browse Source 
fix: restrict sentinel endpoint
This commit is contained in:
Andras Bacsai
2025-01-10 11:54:45 +01:00
parent 676f616efa
commit b09f0043d1
3 changed files with 89 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
app/Console/Kernel.php
View File

@@ -91,7 +91,11 @@ class Kernel extends ConsoleKernel
private function pullImages(): void private function pullImages(): void
{ {
if (isCloud()) {
$servers = $this->allServers->whereRelation('team.subscription', 'stripe_invoice_paid', true)->whereRelation('settings', 'is_usable', true)->whereRelation('settings', 'is_reachable', true)->get();
} else {
$servers = $this->allServers->whereRelation('settings', 'is_usable', true)->whereRelation('settings', 'is_reachable', true)->get(); $servers = $this->allServers->whereRelation('settings', 'is_usable', true)->whereRelation('settings', 'is_reachable', true)->get();
}
foreach ($servers as $server) { foreach ($servers as $server) {
if ($server->isSentinelEnabled()) { if ($server->isSentinelEnabled()) {
$this->scheduleInstance->job(function () use ($server) { $this->scheduleInstance->job(function () use ($server) {
@@ -124,7 +128,7 @@ class Kernel extends ConsoleKernel
private function checkResources(): void private function checkResources(): void
{ {
if (isCloud()) { if (isCloud()) {
$servers = $this->allServers->whereHas('team.subscription')->get(); $servers = $this->allServers->whereRelation('team.subscription', 'stripe_invoice_paid', true)->get();
$own = Team::find(0)->servers; $own = Team::find(0)->servers;
$servers = $servers->merge($own); $servers = $servers->merge($own);
} else { } else {
@@ -175,22 +179,43 @@ class Kernel extends ConsoleKernel
if ($scheduled_backups->isEmpty()) { if ($scheduled_backups->isEmpty()) {
return; return;
} }
$finalScheduledBackups = collect();
foreach ($scheduled_backups as $scheduled_backup) { foreach ($scheduled_backups as $scheduled_backup) {
if (is_null(data_get($scheduled_backup, 'database'))) { if (blank(data_get($scheduled_backup, 'database'))) {
$scheduled_backup->delete(); $scheduled_backup->delete();
continue; continue;
} }
$server = $scheduled_backup->server(); $server = $scheduled_backup->server();
if (blank($server)) {
$scheduled_backup->delete();
if (is_null($server)) {
continue; continue;
} }
if ($server->isFunctional() === false) {
continue;
}
if (isCloud() && data_get($server->team->subscription, 'stripe_invoice_paid', false) === false) {
continue;
}
$finalScheduledBackups->push($scheduled_backup);
}
$own = Team::find(0)->servers;
$finalScheduledBackups = $finalScheduledBackups->merge($own);
foreach ($finalScheduledBackups as $scheduled_backup) {
if (isset(VALID_CRON_STRINGS[$scheduled_backup->frequency])) { if (isset(VALID_CRON_STRINGS[$scheduled_backup->frequency])) {
$scheduled_backup->frequency = VALID_CRON_STRINGS[$scheduled_backup->frequency]; $scheduled_backup->frequency = VALID_CRON_STRINGS[$scheduled_backup->frequency];
} }
$server = $scheduled_backup->server();
$serverTimezone = data_get($server->settings, 'server_timezone', $this->instanceTimezone);
if (validate_timezone($serverTimezone) === false) {
$serverTimezone = config('app.timezone');
}
$this->scheduleInstance->job(new DatabaseBackupJob( $this->scheduleInstance->job(new DatabaseBackupJob(
backup: $scheduled_backup backup: $scheduled_backup
))->cron($scheduled_backup->frequency)->timezone($this->instanceTimezone)->onOneServer(); ))->cron($scheduled_backup->frequency)->timezone($this->instanceTimezone)->onOneServer();
@@ -203,34 +228,55 @@ class Kernel extends ConsoleKernel
if ($scheduled_tasks->isEmpty()) { if ($scheduled_tasks->isEmpty()) {
return; return;
} }
$finalScheduledTasks = collect();
foreach ($scheduled_tasks as $scheduled_task) { foreach ($scheduled_tasks as $scheduled_task) {
$service = $scheduled_task->service; $service = $scheduled_task->service;
$application = $scheduled_task->application; $application = $scheduled_task->application;
if (! $application && ! $service) { $server = $scheduled_task->server();
if (blank($server)) {
$scheduled_task->delete(); $scheduled_task->delete();
continue; continue;
} }
if ($application) {
if (str($application->status)->contains('running') === false) { if ($server->isFunctional() === false) {
continue; continue;
} }
}
if ($service) {
if (str($service->status)->contains('running') === false) {
continue;
}
}
if (isCloud() && data_get($server->team->subscription, 'stripe_invoice_paid', false) === false) {
continue;
}
if (! $service && ! $application) {
$scheduled_task->delete();
continue;
}
if ($application && str($application->status)->contains('running') === false) {
continue;
}
if ($service && str($service->status)->contains('running') === false) {
continue;
}
$finalScheduledTasks->push($scheduled_task);
}
$own = Team::find(0)->servers;
$finalScheduledTasks = $finalScheduledTasks->merge($own);
foreach ($finalScheduledTasks as $scheduled_task) {
$server = $scheduled_task->server(); $server = $scheduled_task->server();
if (! $server) {
continue;
}
if (isset(VALID_CRON_STRINGS[$scheduled_task->frequency])) { if (isset(VALID_CRON_STRINGS[$scheduled_task->frequency])) {
$scheduled_task->frequency = VALID_CRON_STRINGS[$scheduled_task->frequency]; $scheduled_task->frequency = VALID_CRON_STRINGS[$scheduled_task->frequency];
} }
$serverTimezone = data_get($server->settings, 'server_timezone', $this->instanceTimezone);
if (validate_timezone($serverTimezone) === false) {
$serverTimezone = config('app.timezone');
}
$this->scheduleInstance->job(new ScheduledTaskJob( $this->scheduleInstance->job(new ScheduledTaskJob(
task: $scheduled_task task: $scheduled_task
))->cron($scheduled_task->frequency)->timezone($this->instanceTimezone)->onOneServer(); ))->cron($scheduled_task->frequency)->timezone($this->instanceTimezone)->onOneServer();

6
app/Jobs/PushServerUpdateJob.php
View File

@@ -19,6 +19,7 @@ use Illuminate\Contracts\Queue\ShouldBeEncrypted;
use Illuminate\Contracts\Queue\ShouldQueue; use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable; use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue; use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\Middleware\WithoutOverlapping;
use Illuminate\Queue\SerializesModels; use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
@@ -68,6 +69,11 @@ class PushServerUpdateJob implements ShouldBeEncrypted, ShouldQueue
public bool $foundLogDrainContainer = false; public bool $foundLogDrainContainer = false;
public function middleware(): array
{
return [(new WithoutOverlapping($this->server->uuid))->dontRelease()];
}
public function backoff(): int public function backoff(): int
{ {
return isDev() ? 1 : 3; return isDev() ? 1 : 3;

17
routes/api.php
View File

@@ -132,18 +132,35 @@ Route::group([
'prefix' => 'v1', 'prefix' => 'v1',
], function () { ], function () {
Route::post('/sentinel/push', function () { Route::post('/sentinel/push', function () {
// return response()->json(['message' => 'temporary unavailable'], 503);
$token = request()->header('Authorization'); $token = request()->header('Authorization');
if (! $token) { if (! $token) {
return response()->json(['message' => 'Unauthorized'], 401); return response()->json(['message' => 'Unauthorized'], 401);
} }
$naked_token = str_replace('Bearer ', '', $token); $naked_token = str_replace('Bearer ', '', $token);
try {
$decrypted = decrypt($naked_token); $decrypted = decrypt($naked_token);
$decrypted_token = json_decode($decrypted, true); $decrypted_token = json_decode($decrypted, true);
} catch (\Exception $e) {
return response()->json(['message' => 'Invalid token'], 401);
}
$server_uuid = data_get($decrypted_token, 'server_uuid'); $server_uuid = data_get($decrypted_token, 'server_uuid');
if (! $server_uuid) {
return response()->json(['message' => 'Invalid token'], 401);
}
$server = Server::where('uuid', $server_uuid)->first(); $server = Server::where('uuid', $server_uuid)->first();
if (! $server) { if (! $server) {
return response()->json(['message' => 'Server not found'], 404); return response()->json(['message' => 'Server not found'], 404);
} }
if (isCloud() && data_get($server->team->subscription, 'stripe_invoice_paid', false) === false && $server->team->id !== 0) {
return response()->json(['message' => 'Unauthorized'], 401);
}
if ($server->isFunctional() === false) {
return response()->json(['message' => 'Server is not functional'], 401);
}
if ($server->settings->sentinel_token !== $naked_token) { if ($server->settings->sentinel_token !== $naked_token) {
return response()->json(['message' => 'Unauthorized'], 401); return response()->json(['message' => 'Unauthorized'], 401);
} }