Allow adding VIP if the user has sudo permission (#629)

Author: djshow832

.golangci.yaml

@@ -26,6 +26,10 @@ issues:
       linters:
         - gosec
       text: "G101:"
+    - path: pkg/util/cmd/cmd.go
+      linters:
+        - gosec
+      text: "G204:"
 
 linters:
   enable:

pkg/manager/vip/network.go

@@ -5,9 +5,11 @@ package vip
 
 import (
 	"runtime"
+	"syscall"
 
 	"github.com/j-keck/arping"
 	"github.com/pingcap/tiproxy/lib/util/errors"
+	"github.com/pingcap/tiproxy/pkg/util/cmd"
 	"github.com/vishvananda/netlink"
 )
 
@@ -68,13 +70,26 @@ func (no *networkOperation) HasIP() (bool, error) {
 }
 
 func (no *networkOperation) AddIP() error {
-	return netlink.AddrAdd(no.link, no.address)
+	err := netlink.AddrAdd(no.link, no.address)
+	// If TiProxy is deployed by TiUP, the user that runs TiProxy only has the sudo permission.
+	if err != nil && errors.Is(err, syscall.EPERM) {
+		err = cmd.ExecCmd("sudo", "ip", "addr", "add", no.address.String(), "dev", no.link.Attrs().Name)
+	}
+	return errors.WithStack(err)
 }
 
 func (no *networkOperation) DeleteIP() error {
-	return netlink.AddrDel(no.link, no.address)
+	err := netlink.AddrDel(no.link, no.address)
+	if err != nil && errors.Is(err, syscall.EPERM) {
+		err = cmd.ExecCmd("sudo", "ip", "addr", "del", no.address.String(), "dev", no.link.Attrs().Name)
+	}
+	return errors.WithStack(err)
 }
 
 func (no *networkOperation) SendARP() error {
-	return arping.GratuitousArpOverIfaceByName(no.address.IP, no.link.Attrs().Name)
+	err := arping.GratuitousArpOverIfaceByName(no.address.IP, no.link.Attrs().Name)
+	if err != nil && errors.Is(err, syscall.EPERM) {
+		err = cmd.ExecCmd("sudo", "arping", "-c", "1", "-U", "-I", no.link.Attrs().Name, no.address.IP.String())
+	}
+	return errors.WithStack(err)
 }

pkg/manager/vip/network_test.go

@@ -53,8 +53,8 @@ func TestAddDelIP(t *testing.T) {
 		require.NotNil(t, operation, "case %d", i)
 
 		err = operation.AddIP()
-		// Maybe the privilege is not granted.
-		if err != nil && strings.Contains(err.Error(), "operation not permitted") {
+		// Maybe the command is not installed.
+		if err != nil && strings.Contains(err.Error(), "command not found") {
 			continue
 		}
 		if test.addErr != "" {
@@ -65,11 +65,13 @@ func TestAddDelIP(t *testing.T) {
 		}
 
 		err = operation.SendARP()
-		if test.sendErr != "" {
-			require.Error(t, err, "case %d", i)
-			require.Contains(t, err.Error(), test.sendErr, "case %d", i)
-		} else {
-			require.NoError(t, err, "case %d", i)
+		if err == nil || !strings.Contains(err.Error(), "command not found") {
+			if test.sendErr != "" {
+				require.Error(t, err, "case %d", i)
+				require.Contains(t, err.Error(), test.sendErr, "case %d", i)
+			} else {
+				require.NoError(t, err, "case %d", i)
+			}
 		}
 
 		if err := operation.DeleteIP(); test.delErr != "" {

pkg/util/cmd/cmd.go

@@ -0,0 +1,46 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package cmd
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/pingcap/tiproxy/lib/util/errors"
+)
+
+// ExecCmd executes commands with checking potential tainted input.
+func ExecCmd(cmd string, args ...string) error {
+	cmds := make([]string, 0, len(args)+1)
+	if !isValidArg(cmd) {
+		return errors.Errorf("invalid cmd: %s", cmd)
+	}
+	cmds = append(cmds, cmd)
+	for _, arg := range args {
+		if !isValidArg(arg) {
+			return errors.Errorf("invalid argument: %s", arg)
+		}
+		cmds = append(cmds, escapeArg(arg))
+	}
+	output, err := exec.Command(cmds[0], cmds[1:]...).CombinedOutput()
+	if err != nil {
+		return errors.Wrapf(errors.WithStack(err), "output: %s", string(output))
+	}
+	return nil
+}
+
+func isValidArg(arg string) bool {
+	dangerousChars := []string{";", "&", "|", "`", "$(", "${", "<", ">", ">>"}
+	for _, char := range dangerousChars {
+		if strings.Contains(arg, char) {
+			return false
+		}
+	}
+	return true
+}
+
+func escapeArg(arg string) string {
+	return fmt.Sprintf("'%s'", strings.ReplaceAll(arg, "'", "'\\''"))
+}

pkg/util/cmd/cmd_test.go

@@ -0,0 +1,34 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package cmd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecCmd(t *testing.T) {
+	tests := []struct {
+		cmds   []string
+		hasErr bool
+	}{
+		{
+			cmds:   []string{"echo", "$(whoami)"},
+			hasErr: true,
+		},
+		{
+			cmds: []string{"echo", "abc"},
+		},
+		{
+			cmds:   []string{"hello"},
+			hasErr: true,
+		},
+	}
+
+	for i, test := range tests {
+		err := ExecCmd(test.cmds[0], test.cmds[1:]...)
+		require.Equal(t, test.hasErr, err != nil, "case %d", i)
+	}
+}