feat(system-security): Optimized unauthenticated settings to enhance system security (#7142)
Some checks are pending
Build Test / build-linux-binary (push) Waiting to run
Build / SonarCloud (push) Waiting to run
sync2gitee / repo-sync (push) Waiting to run

This commit is contained in:
zhengkunwang 2024-11-21 16:31:07 +08:00 committed by GitHub
parent aaae8a5d3b
commit 2ba17d89ef
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 429 additions and 96 deletions

View File

@ -2,14 +2,11 @@ package v1
import (
"encoding/base64"
"net/http"
"github.com/1Panel-dev/1Panel/backend/app/api/v1/helper"
"github.com/1Panel-dev/1Panel/backend/app/dto"
"github.com/1Panel-dev/1Panel/backend/app/model"
"github.com/1Panel-dev/1Panel/backend/constant"
"github.com/1Panel-dev/1Panel/backend/global"
"github.com/1Panel-dev/1Panel/backend/middleware"
"github.com/1Panel-dev/1Panel/backend/utils/captcha"
"github.com/1Panel-dev/1Panel/backend/utils/qqwry"
"github.com/gin-gonic/gin"
@ -37,11 +34,18 @@ func (b *BaseApi) Login(c *gin.Context) {
return
}
}
entranceItem := c.Request.Header.Get("EntranceCode")
var entrance []byte
if len(entranceItem) != 0 {
entrance, _ = base64.StdEncoding.DecodeString(entranceItem)
}
if len(entrance) == 0 {
cookieValue, err := c.Cookie("SecurityEntrance")
if err == nil {
entrance, _ = base64.StdEncoding.DecodeString(cookieValue)
}
}
user, err := authService.Login(c, req, string(entrance))
go saveLoginLogs(c, err)
@ -108,34 +112,6 @@ func (b *BaseApi) Captcha(c *gin.Context) {
helper.SuccessWithData(c, captcha)
}
// @Tags Auth
// @Summary Load safety status
// @Description 获取系统安全登录状态
// @Success 200
// @Router /auth/issafety [get]
func (b *BaseApi) CheckIsSafety(c *gin.Context) {
code := c.DefaultQuery("code", "")
status, err := authService.CheckIsSafety(code)
if err != nil {
helper.ErrorWithDetail(c, constant.CodeErrInternalServer, constant.ErrTypeInternalServer, err)
return
}
if status == "disable" && len(code) != 0 {
helper.ErrResponse(c, http.StatusNotFound)
return
}
if status == "unpass" {
code := middleware.LoadErrCode()
if code != 200 {
helper.ErrResponse(c, code)
return
}
helper.ErrorWithDetail(c, constant.CodeErrEntrance, constant.ErrTypeInternalServer, nil)
return
}
helper.SuccessWithOutData(c)
}
func (b *BaseApi) GetResponsePage(c *gin.Context) {
pageCode, err := authService.GetResponsePage()
if err != nil {

View File

@ -2,6 +2,7 @@ package service
import (
"crypto/hmac"
"encoding/base64"
"strconv"
"github.com/1Panel-dev/1Panel/backend/app/dto"
@ -19,12 +20,13 @@ import (
type AuthService struct{}
type IAuthService interface {
CheckIsSafety(code string) (string, error)
GetResponsePage() (string, error)
VerifyCode(code string) (bool, error)
Login(c *gin.Context, info dto.Login, entrance string) (*dto.UserLoginInfo, error)
LogOut(c *gin.Context) error
MFALogin(c *gin.Context, info dto.MFALogin, entrance string) (*dto.UserLoginInfo, error)
GetSecurityEntrance() string
IsLogin(c *gin.Context) bool
}
func NewIAuthService() IAuthService {
@ -64,7 +66,16 @@ func (u *AuthService) Login(c *gin.Context, info dto.Login, entrance string) (*d
if mfa.Value == "enable" {
return &dto.UserLoginInfo{Name: nameSetting.Value, MfaStatus: mfa.Value}, nil
}
return u.generateSession(c, info.Name, info.AuthMethod)
loginUser, err := u.generateSession(c, info.Name, info.AuthMethod)
if err != nil {
return nil, err
}
if entrance != "" {
entranceValue := base64.StdEncoding.EncodeToString([]byte(entrance))
c.SetCookie("SecurityEntrance", entranceValue, 0, "", "", false, true)
}
return loginUser, nil
}
func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance string) (*dto.UserLoginInfo, error) {
@ -103,7 +114,15 @@ func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance strin
return nil, constant.ErrAuth
}
return u.generateSession(c, info.Name, info.AuthMethod)
loginUser, err := u.generateSession(c, info.Name, info.AuthMethod)
if err != nil {
return nil, err
}
if entrance != "" {
entranceValue := base64.StdEncoding.EncodeToString([]byte(entrance))
c.SetCookie("SecurityEntrance", entranceValue, 0, "", "", false, true)
}
return loginUser, nil
}
func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) (*dto.UserLoginInfo, error) {
@ -173,20 +192,6 @@ func (u *AuthService) VerifyCode(code string) (bool, error) {
return hmac.Equal([]byte(setting.Value), []byte(code)), nil
}
func (u *AuthService) CheckIsSafety(code string) (string, error) {
status, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
if err != nil {
return "", err
}
if len(status.Value) == 0 {
return "disable", nil
}
if status.Value == code {
return "pass", nil
}
return "unpass", nil
}
func (u *AuthService) GetResponsePage() (string, error) {
pageCode, err := settingRepo.Get(settingRepo.WithByKey("NoAuthSetting"))
if err != nil {
@ -194,3 +199,23 @@ func (u *AuthService) GetResponsePage() (string, error) {
}
return pageCode.Value, nil
}
func (u *AuthService) GetSecurityEntrance() string {
status, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
if err != nil {
return ""
}
if len(status.Value) == 0 {
return ""
}
return status.Value
}
func (u *AuthService) IsLogin(c *gin.Context) bool {
sID, _ := c.Cookie(constant.SessionName)
_, err := global.SESSION.Get(sID)
if err != nil {
return false
}
return true
}

View File

@ -23,3 +23,87 @@ const (
DateTimeLayout = "2006-01-02 15:04:05" // or use time.DateTime while go version >= 1.20
DateTimeSlimLayout = "20060102150405"
)
var WebUrlMap = map[string]struct{}{
"/apps": {},
"/apps/all": {},
"/apps/installed": {},
"/apps/upgrade": {},
"/containers": {},
"/containers/container": {},
"/containers/image": {},
"/containers/network": {},
"/containers/volume": {},
"/containers/repo": {},
"/containers/compose": {},
"/containers/template": {},
"/containers/setting": {},
"/cronjobs": {},
"/databases": {},
"/databases/mysql": {},
"/databases/mysql/remote": {},
"/databases/postgresql": {},
"/databases/postgresql/remote": {},
"/databases/redis": {},
"/databases/redis/remote": {},
"/hosts": {},
"/hosts/files": {},
"/hosts/monitor/monitor": {},
"/hosts/monitor/setting": {},
"/hosts/terminal": {},
"/hosts/firewall/port": {},
"/hosts/firewall/forward": {},
"/hosts/firewall/ip": {},
"/hosts/process/process": {},
"/hosts/process/network": {},
"/hosts/ssh/ssh": {},
"/hosts/ssh/log": {},
"/hosts/ssh/session": {},
"/logs": {},
"/logs/operation": {},
"/logs/login": {},
"/logs/website": {},
"/logs/system": {},
"/logs/ssh": {},
"/settings": {},
"/settings/panel": {},
"/settings/backupaccount": {},
"/settings/license": {},
"/settings/about": {},
"/settings/safe": {},
"/settings/snapshot": {},
"/settings/expired": {},
"/toolbox": {},
"/toolbox/device": {},
"/toolbox/supervisor": {},
"/toolbox/clam": {},
"/toolbox/clam/setting": {},
"/toolbox/ftp": {},
"/toolbox/fail2ban": {},
"/toolbox/clean": {},
"/websites": {},
"/websites/ssl": {},
"/websites/runtimes/php": {},
"/websites/runtimes/node": {},
"/websites/runtimes/java": {},
"/websites/runtimes/net": {},
"/websites/runtimes/go": {},
"/websites/runtimes/python": {},
"/login": {},
}
var DynamicRoutes = []string{
`^/containers/composeDetail/[^/]+$`,
`^/databases/mysql/setting/[^/]+/[^/]+$`,
`^/databases/postgresql/setting/[^/]+/[^/]+$`,
`^/websites/[^/]+/config/[^/]+$`,
}

View File

@ -1,8 +1,15 @@
package router
import (
"encoding/base64"
"fmt"
"github.com/1Panel-dev/1Panel/backend/app/service"
"github.com/1Panel-dev/1Panel/backend/constant"
"github.com/1Panel-dev/1Panel/cmd/server/res"
"net/http"
"regexp"
"strconv"
"strings"
"github.com/1Panel-dev/1Panel/backend/global"
"github.com/1Panel-dev/1Panel/backend/i18n"
@ -20,8 +27,90 @@ var (
Router *gin.Engine
)
func toIndexHtml(c *gin.Context) {
c.Writer.WriteHeader(http.StatusOK)
_, _ = c.Writer.Write(web.IndexByte)
c.Writer.Header().Add("Accept", "text/html")
c.Writer.Flush()
}
func isEntrancePath(c *gin.Context) bool {
entrance := service.NewIAuthService().GetSecurityEntrance()
if entrance != "" && strings.TrimSuffix(c.Request.URL.Path, "/") == "/"+entrance {
return true
}
return false
}
func isFrontendPath(c *gin.Context) bool {
reqUri := strings.TrimSuffix(c.Request.URL.Path, "/")
if _, ok := constant.WebUrlMap[reqUri]; ok {
return true
}
for _, route := range constant.DynamicRoutes {
if match, _ := regexp.MatchString(route, reqUri); match {
return true
}
}
return false
}
func checkFrontendPath(c *gin.Context) bool {
if !isFrontendPath(c) {
return false
}
authService := service.NewIAuthService()
if authService.GetSecurityEntrance() != "" {
return authService.IsLogin(c)
}
return true
}
func checkEntrance(c *gin.Context) bool {
authService := service.NewIAuthService()
entrance := authService.GetSecurityEntrance()
if entrance == "" {
return true
}
cookieValue, err := c.Cookie("SecurityEntrance")
if err != nil {
return false
}
entranceValue, err := base64.StdEncoding.DecodeString(cookieValue)
if err != nil {
return false
}
return string(entranceValue) == entrance
}
func handleNoRoute(c *gin.Context) {
resPage, err := service.NewIAuthService().GetResponsePage()
if err != nil {
c.String(http.StatusInternalServerError, "Internal Server Error")
return
}
file := fmt.Sprintf("html/%s.html", resPage)
if resPage == "200" && c.GetHeader("Accept-Language") == "en" {
file = "html/200_en.html"
}
data, err := res.ErrorMsg.ReadFile(file)
if err != nil {
c.String(http.StatusInternalServerError, "Internal Server Error")
return
}
statusCode, err := strconv.Atoi(resPage)
if err != nil {
c.String(http.StatusInternalServerError, "Internal Server Error")
return
}
c.Data(statusCode, "text/html; charset=utf-8", data)
}
func setWebStatic(rootRouter *gin.RouterGroup) {
rootRouter.StaticFS("/public", http.FS(web.Favicon))
rootRouter.StaticFS("/favicon.ico", http.FS(web.Favicon))
rootRouter.Static("/api/v1/images", "./uploads")
rootRouter.Use(func(c *gin.Context) {
c.Next()
@ -31,7 +120,27 @@ func setWebStatic(rootRouter *gin.RouterGroup) {
staticServer := http.FileServer(http.FS(web.Assets))
staticServer.ServeHTTP(c.Writer, c.Request)
})
authService := service.NewIAuthService()
entrance := authService.GetSecurityEntrance()
if entrance != "" {
rootRouter.GET("/"+entrance, func(c *gin.Context) {
entrance = authService.GetSecurityEntrance()
if entrance == "" {
handleNoRoute(c)
return
}
c.Writer.WriteHeader(http.StatusOK)
_, _ = c.Writer.Write(web.IndexByte)
c.Writer.Header().Add("Accept", "text/html")
c.Writer.Flush()
})
}
rootRouter.GET("/", func(c *gin.Context) {
if !checkEntrance(c) {
handleNoRoute(c)
return
}
staticServer := http.FileServer(http.FS(web.IndexHtml))
staticServer.ServeHTTP(c.Writer, c.Request)
})
@ -47,10 +156,15 @@ func Routers() *gin.Engine {
}
Router.NoRoute(func(c *gin.Context) {
c.Writer.WriteHeader(http.StatusOK)
_, _ = c.Writer.Write(web.IndexByte)
c.Writer.Header().Add("Accept", "text/html")
c.Writer.Flush()
if checkFrontendPath(c) {
toIndexHtml(c)
return
}
if isEntrancePath(c) {
toIndexHtml(c)
return
}
handleNoRoute(c)
})
Router.Use(i18n.UseI18n())

View File

@ -14,7 +14,6 @@ func (s *BaseRouter) InitRouter(Router *gin.RouterGroup) {
baseRouter.GET("/captcha", baseApi.Captcha)
baseRouter.POST("/mfalogin", baseApi.MFALogin)
baseRouter.POST("/login", baseApi.Login)
baseRouter.GET("/issafety", baseApi.CheckIsSafety)
baseRouter.POST("/logout", baseApi.LogOut)
baseRouter.GET("/demo", baseApi.CheckIsDemo)
baseRouter.GET("/language", baseApi.GetLanguage)

View File

@ -0,0 +1,6 @@
package res
import "embed"
//go:embed html/*
var ErrorMsg embed.FS

View File

@ -0,0 +1,55 @@
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>暂无法访问</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
background-color: #f9f9f9;
margin: 0;
padding: 0;
color: #333;
}
.container {
max-width: 600px;
margin: 50px auto;
padding: 20px;
background: #fff;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
border-radius: 8px;
}
.icon img {
width: 100px;
height: auto;
}
h1 {
font-size: 24px;
color: #555;
}
p {
font-size: 16px;
color: #666;
line-height: 1.5;
}
.command {
font-family: monospace;
background: #f0f0f0;
padding: 5px 10px;
border-radius: 4px;
display: inline-block;
margin-top: 10px;
}
</style>
</head>
<body>
<div class="container">
<h1>暂时无法访问</h1>
<p>当前环境已经开启了安全入口登录</p>
<p> SSH 终端输入以下命令来查看面板入口</p>
<p class="command">1pctl user-info</p>
</div>
</body>
</html>

View File

@ -0,0 +1,55 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Temporarily Unavailable</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
background-color: #f9f9f9;
margin: 0;
padding: 0;
color: #333;
}
.container {
max-width: 600px;
margin: 50px auto;
padding: 20px;
background: #fff;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
border-radius: 8px;
}
.icon img {
width: 100px;
height: auto;
}
h1 {
font-size: 24px;
color: #555;
}
p {
font-size: 16px;
color: #666;
line-height: 1.5;
}
.command {
font-family: monospace;
background: #f0f0f0;
padding: 5px 10px;
border-radius: 4px;
display: inline-block;
margin-top: 10px;
}
</style>
</head>
<body>
<div class="container">
<h1>Access Temporarily Unavailable</h1>
<p>The current environment has enabled secure login access.</p>
<p>Please enter the following command in the SSH terminal to view the panel login URL:</p>
<p class="command">1pctl user-info</p>
</div>
</body>
</html>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>401 Unauthorized</title></head>
<body>
<center><h1>401 Unauthorized</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>408 Request Timeout</title></head>
<body>
<center><h1>408 Request Timeout</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>416 Requested Not Satisfiable</title></head>
<body>
<center><h1>416 Requested Not Satisfiable</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -0,0 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>

View File

@ -17,10 +17,6 @@ export const logOutApi = () => {
return http.post<any>(`/auth/logout`);
};
export const checkIsSafety = (code: string) => {
return http.get<string>(`/auth/issafety?code=${code}`);
};
export const checkIsDemo = () => {
return http.get<boolean>('/auth/demo');
};

View File

@ -68,7 +68,7 @@ const toolboxRouter = {
},
},
{
path: 'fail2Ban',
path: 'fail2ban',
name: 'Fail2ban',
component: () => import('@/views/toolbox/fail2ban/index.vue'),
hidden: true,

View File

@ -41,7 +41,6 @@
</template>
<script setup lang="ts" name="login">
import { checkIsSafety } from '@/api/modules/auth';
import LoginForm from '../components/login-form.vue';
import UnSafe from '@/components/error-message/unsafe.vue';
import ErrIP from '@/components/error-message/err_ip.vue';
@ -66,23 +65,18 @@ const mySafetyCode = defineProps({
const getStatus = async () => {
let code = mySafetyCode.code;
globalStore.entrance = code;
await checkIsSafety(code)
.then(() => {
let info = globalStore.errStatus;
if (info?.startsWith('err-') || info?.startsWith('code-')) {
errStatus.value = info;
init.value = true;
return;
}
errStatus.value = '';
init.value = true;
getXpackSettingForTheme();
})
.catch((err) => {
errStatus.value = 'code-' + err.status;
init.value = true;
});
if (code != '') {
globalStore.entrance = code;
}
await getXpackSettingForTheme();
let info = globalStore.errStatus;
if (info?.startsWith('err-') || info?.startsWith('code-')) {
errStatus.value = info;
init.value = true;
return;
}
errStatus.value = '';
init.value = true;
};
onMounted(() => {

View File

@ -19,36 +19,16 @@
</template>
<script setup lang="ts" name="login">
import { checkIsSafety } from '@/api/modules/auth';
import LoginForm from './components/login-form.vue';
import { ref, onMounted } from 'vue';
import router from '@/routers';
import { GlobalStore } from '@/store';
import { getXpackSettingForTheme } from '@/utils/xpack';
const gStore = GlobalStore();
const loading = ref();
const screenWidth = ref(null);
const getStatus = async () => {
loading.value = true;
await checkIsSafety(gStore.entrance)
.then((res) => {
loading.value = false;
if (res.data === 'unpass') {
router.replace({ name: 'entrance', params: { code: gStore.entrance } });
return;
}
getXpackSettingForTheme();
})
.catch(() => {
loading.value = false;
});
};
onMounted(() => {
getStatus();
screenWidth.value = document.body.clientWidth;
window.onresize = () => {
return (() => {