Micro Services: Create internal services and allowed services list (#19427)

556cc51e · Diego Sampaio · GitHub · f830405b · 556cc51e · 556cc51e
Unverified Commit 556cc51e authored 4 years ago by Diego Sampaio Committed by GitHub 4 years ago
--- a/app/livechat/server/roomAccessValidator.internalService.ts
+++ b/app/livechat/server/roomAccessValidator.internalService.ts
@@ -8,6 +8,8 @@ import { IUser } from '../../../definition/IUser';
 class AuthorizationLivechat extends ServiceClass implements IAuthorizationLivechat {
 	protected name = 'authorization-livechat';

+	protected internal = true;
+
 	async canAccessRoom(room: Partial<IRoom>, user: Pick<IUser, '_id'>, extraData?: object): Promise<boolean> {
 		for (const validator of validators) {
 			if (validator(room, user, extraData)) {

--- a/app/search/server/search.internalService.ts
+++ b/app/search/server/search.internalService.ts
@@ -10,6 +10,8 @@ import { searchEventService } from './events/events';
 class Search extends ServiceClass {
 	protected name = 'search';

+	protected internal = true;
+
 	constructor() {
 		super();


--- a/app/tokenpass/server/roomAccessValidator.internalService.ts
+++ b/app/tokenpass/server/roomAccessValidator.internalService.ts
@@ -8,6 +8,8 @@ import { IUser } from '../../../definition/IUser';
 class AuthorizationTokenpass extends ServiceClass implements IAuthorizationTokenpass {
 	protected name = 'authorization-tokenpass';

+	protected internal = true;
+
 	async canAccessRoom(room: Partial<IRoom>, user: Pick<IUser, '_id'>): Promise<boolean> {
 		for (const validator of validators) {
 			if (validator(room, user)) {

--- a/ee/app/license/server/license.internalService.ts
+++ b/ee/app/license/server/license.internalService.ts
@@ -9,6 +9,8 @@ import { guestPermissions } from '../../authorization/lib/guestPermissions';
 class LicenseService extends ServiceClass implements ILicense {
 	protected name = 'license';

+	protected internal = true;
+
 	constructor() {
 		super();


--- a/ee/app/settings/server/settings.internalService.ts
+++ b/ee/app/settings/server/settings.internalService.ts
@@ -7,6 +7,8 @@ import { ISetting } from '../../../../definition/ISetting';
 class EnterpriseSettings extends ServiceClass implements IEnterpriseSettings {
 	protected name = 'ee-settings';

+	protected internal = true;
+
 	changeSettingValue(record: ISetting): undefined | { value: ISetting['value'] } {
 		return changeSettingValue(record);
 	}

--- a/ee/server/broker.ts
+++ b/ee/server/broker.ts
@@ -20,6 +20,11 @@ const lifecycle: {[k: string]: string} = {
 	stopped: 'stopped',
 };

+const {
+	INTERNAL_SERVICES_ONLY = 'false',
+	SERVICES_ALLOWED = '',
+} = process.env;
+
 class NetworkBroker implements IBroker {
 	private broker: ServiceBroker;

@@ -34,6 +39,12 @@ class NetworkBroker implements IBroker {
 		actions: ['license.hasLicense'],
 	}

+	// wether only internal services are allowed to be registered
+	private internalOnly = ['true', 'yes'].includes(INTERNAL_SERVICES_ONLY.toLowerCase());
+
+	// list of allowed services to run - has precedence over `internalOnly`
+	private allowedList = new Set<string>(SERVICES_ALLOWED?.split(',').map((i) => i.trim()).filter((i) => i));
+
 	constructor(broker: ServiceBroker) {
 		this.broker = broker;

@@ -87,6 +98,10 @@ class NetworkBroker implements IBroker {
 	}

 	createService(instance: ServiceClass): void {
+		if (!this.isServiceAllowed(instance)) {
+			return;
+		}
+
 		this.localBroker.createService(instance);

 		const name = instance.getName();
@@ -172,6 +187,20 @@ class NetworkBroker implements IBroker {
 	async nodeList(): Promise<IBrokerNode[]> {
 		return this.broker.call('$node.list');
 	}
+
+	private isServiceAllowed(instance: ServiceClass): boolean {
+		// check if the service is in the list of allowed services if the list is not empty
+		if (this.allowedList.size > 0 && !this.allowedList.has(instance.getName())) {
+			return false;
+		}
+
+		// allow only internal services if internalOnly is true
+		if (this.internalOnly && !instance.isInternal()) {
+			return false;
+		}
+
+		return true;
+	}
 }

 const Base = Serializers.Base as unknown as new () => {};

--- a/server/sdk/types/ServiceClass.ts
+++ b/server/sdk/types/ServiceClass.ts
@@ -42,6 +42,8 @@ export abstract class ServiceClass implements IServiceClass {

 	protected events = new EventEmitter();

+	protected internal = false;
+
 	constructor() {
 		this.emit = this.emit.bind(this);
 	}
@@ -54,6 +56,10 @@ export abstract class ServiceClass implements IServiceClass {
 		return this.name;
 	}

+	isInternal(): boolean {
+		return this.internal;
+	}
+
 	get context(): IServiceContext | undefined {
 		return asyncLocalStorage.getStore();
 	}

--- a/server/services/meteor/service.ts
+++ b/server/services/meteor/service.ts
@@ -114,6 +114,8 @@ if (disableOplog) {
 export class MeteorService extends ServiceClass implements IMeteor {
 	protected name = 'meteor';

+	protected internal = true;
+
 	constructor() {
 		super();