From 26d8e1711f2ef1aad58be0a1beeaaf847710b238 Mon Sep 17 00:00:00 2001
From: RongtongJin <jinrongtong16@mails.ucas.ac.cn>
Date: Tue, 28 Nov 2023 14:17:18 +0800
Subject: [PATCH] Add validation in broker container configure updating
 command.

---
 .../container/BrokerContainerConfig.java      | 16 ++++++++
 .../container/BrokerContainerProcessor.java   | 40 +++++++++++++++++--
 2 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/container/src/main/java/org/apache/rocketmq/container/BrokerContainerConfig.java b/container/src/main/java/org/apache/rocketmq/container/BrokerContainerConfig.java
index e03b10c34d2..03b4b263f96 100644
--- a/container/src/main/java/org/apache/rocketmq/container/BrokerContainerConfig.java
+++ b/container/src/main/java/org/apache/rocketmq/container/BrokerContainerConfig.java
@@ -49,6 +49,14 @@ public class BrokerContainerConfig {
      */
     private long updateNamesrvAddrInterval = 60 * 2 * 1000;
 
+
+    /**
+     * Config in this black list will be not allowed to update by command.
+     * Try to update this config black list by restart process.
+     * Try to update configures in black list by restart process.
+     */
+    private String configBlackList = "configBlackList;brokerConfigPaths";
+
     public String getRocketmqHome() {
         return rocketmqHome;
     }
@@ -108,4 +116,12 @@ public long getUpdateNamesrvAddrInterval() {
     public void setUpdateNamesrvAddrInterval(long updateNamesrvAddrInterval) {
         this.updateNamesrvAddrInterval = updateNamesrvAddrInterval;
     }
+
+    public String getConfigBlackList() {
+        return configBlackList;
+    }
+
+    public void setConfigBlackList(String configBlackList) {
+        this.configBlackList = configBlackList;
+    }
 }
diff --git a/container/src/main/java/org/apache/rocketmq/container/BrokerContainerProcessor.java b/container/src/main/java/org/apache/rocketmq/container/BrokerContainerProcessor.java
index 5b825fe811c..5ced0825761 100644
--- a/container/src/main/java/org/apache/rocketmq/container/BrokerContainerProcessor.java
+++ b/container/src/main/java/org/apache/rocketmq/container/BrokerContainerProcessor.java
@@ -19,6 +19,9 @@
 
 import io.netty.channel.ChannelHandlerContext;
 import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
 import java.util.List;
 import java.util.Properties;
 import org.apache.rocketmq.broker.BrokerController;
@@ -45,8 +48,19 @@ public class BrokerContainerProcessor implements NettyRequestProcessor {
     private final BrokerContainer brokerContainer;
     private List<BrokerBootHook> brokerBootHookList;
 
+    private final Set<String> configBlackList = new HashSet<>();
+
     public BrokerContainerProcessor(BrokerContainer brokerContainer) {
         this.brokerContainer = brokerContainer;
+        initConfigBlackList();
+    }
+
+    private void initConfigBlackList() {
+        configBlackList.add("brokerConfigPaths");
+        configBlackList.add("rocketmqHome");
+        configBlackList.add("configBlackList");
+        String[] configArray = brokerContainer.getBrokerContainerConfig().getConfigBlackList().split(";");
+        configBlackList.addAll(Arrays.asList(configArray));
     }
 
     @Override
@@ -232,15 +246,24 @@ private RemotingCommand updateBrokerConfig(ChannelHandlerContext ctx, RemotingCo
             try {
                 String bodyStr = new String(body, MixAll.DEFAULT_CHARSET);
                 Properties properties = MixAll.string2Properties(bodyStr);
-                if (properties != null) {
-                    LOGGER.info("updateSharedBrokerConfig, new config: [{}] client: {} ", properties, ctx.channel().remoteAddress());
-                    this.brokerContainer.getConfiguration().update(properties);
-                } else {
+
+                if (properties == null) {
                     LOGGER.error("string2Properties error");
                     response.setCode(ResponseCode.SYSTEM_ERROR);
                     response.setRemark("string2Properties error");
                     return response;
                 }
+
+                if (validateBlackListConfigExist(properties)) {
+                    response.setCode(ResponseCode.NO_PERMISSION);
+                    response.setRemark("Can not update config in black list.");
+                    return response;
+                }
+
+
+                LOGGER.info("updateBrokerContainerConfig, new config: [{}] client: {} ", properties, ctx.channel().remoteAddress());
+                this.brokerContainer.getConfiguration().update(properties);
+
             } catch (UnsupportedEncodingException e) {
                 LOGGER.error("", e);
                 response.setCode(ResponseCode.SYSTEM_ERROR);
@@ -254,6 +277,15 @@ private RemotingCommand updateBrokerConfig(ChannelHandlerContext ctx, RemotingCo
         return response;
     }
 
+    private boolean validateBlackListConfigExist(Properties properties) {
+        for (String blackConfig : configBlackList) {
+            if (properties.containsKey(blackConfig)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     private RemotingCommand getBrokerConfig(ChannelHandlerContext ctx, RemotingCommand request) {
 
         final RemotingCommand response = RemotingCommand.createResponseCommand(GetBrokerConfigResponseHeader.class);