feat(system-security): Optimized unauthenticated settings to enhance system security (#7142)

2024-11-23 18:49:21 +08:00 · 2024-11-21 16:31:07 +08:00 · 2024-11-21 16:31:07 +08:00 · 2ba17d89ef
commit 2ba17d89ef
parent aaae8a5d3b
19 changed files with 429 additions and 96 deletions
--- a/backend/app/api/v1/auth.go
+++ b/backend/app/api/v1/auth.go
@ -2,14 +2,11 @@ package v1

 import (
 	"encoding/base64"
-	"net/http"
-
 	"github.com/1Panel-dev/1Panel/backend/app/api/v1/helper"
 	"github.com/1Panel-dev/1Panel/backend/app/dto"
 	"github.com/1Panel-dev/1Panel/backend/app/model"
 	"github.com/1Panel-dev/1Panel/backend/constant"
 	"github.com/1Panel-dev/1Panel/backend/global"
-	"github.com/1Panel-dev/1Panel/backend/middleware"
 	"github.com/1Panel-dev/1Panel/backend/utils/captcha"
 	"github.com/1Panel-dev/1Panel/backend/utils/qqwry"
 	"github.com/gin-gonic/gin"
@ -37,11 +34,18 @@ func (b *BaseApi) Login(c *gin.Context) {
 			return
 		}
 	}
+
 	entranceItem := c.Request.Header.Get("EntranceCode")
 	var entrance []byte
 	if len(entranceItem) != 0 {
 		entrance, _ = base64.StdEncoding.DecodeString(entranceItem)
 	}
+	if len(entrance) == 0 {
+		cookieValue, err := c.Cookie("SecurityEntrance")
+		if err == nil {
+			entrance, _ = base64.StdEncoding.DecodeString(cookieValue)
+		}
+	}

 	user, err := authService.Login(c, req, string(entrance))
 	go saveLoginLogs(c, err)
@ -108,34 +112,6 @@ func (b *BaseApi) Captcha(c *gin.Context) {
 	helper.SuccessWithData(c, captcha)
 }

-// @Tags Auth
-// @Summary Load safety status
-// @Description 获取系统安全登录状态
-// @Success 200
-// @Router /auth/issafety [get]
-func (b *BaseApi) CheckIsSafety(c *gin.Context) {
-	code := c.DefaultQuery("code", "")
-	status, err := authService.CheckIsSafety(code)
-	if err != nil {
-		helper.ErrorWithDetail(c, constant.CodeErrInternalServer, constant.ErrTypeInternalServer, err)
-		return
-	}
-	if status == "disable" && len(code) != 0 {
-		helper.ErrResponse(c, http.StatusNotFound)
-		return
-	}
-	if status == "unpass" {
-		code := middleware.LoadErrCode()
-		if code != 200 {
-			helper.ErrResponse(c, code)
-			return
-		}
-		helper.ErrorWithDetail(c, constant.CodeErrEntrance, constant.ErrTypeInternalServer, nil)
-		return
-	}
-	helper.SuccessWithOutData(c)
-}
-
 func (b *BaseApi) GetResponsePage(c *gin.Context) {
 	pageCode, err := authService.GetResponsePage()
 	if err != nil {
--- a/backend/app/service/auth.go
+++ b/backend/app/service/auth.go
@ -2,6 +2,7 @@ package service

 import (
 	"crypto/hmac"
+	"encoding/base64"
 	"strconv"

 	"github.com/1Panel-dev/1Panel/backend/app/dto"
@ -19,12 +20,13 @@ import (
 type AuthService struct{}

 type IAuthService interface {
-	CheckIsSafety(code string) (string, error)
 	GetResponsePage() (string, error)
 	VerifyCode(code string) (bool, error)
 	Login(c *gin.Context, info dto.Login, entrance string) (*dto.UserLoginInfo, error)
 	LogOut(c *gin.Context) error
 	MFALogin(c *gin.Context, info dto.MFALogin, entrance string) (*dto.UserLoginInfo, error)
+	GetSecurityEntrance() string
+	IsLogin(c *gin.Context) bool
 }

 func NewIAuthService() IAuthService {
@ -64,7 +66,16 @@ func (u *AuthService) Login(c *gin.Context, info dto.Login, entrance string) (*d
 	if mfa.Value == "enable" {
 		return &dto.UserLoginInfo{Name: nameSetting.Value, MfaStatus: mfa.Value}, nil
 	}
-	return u.generateSession(c, info.Name, info.AuthMethod)
+
+	loginUser, err := u.generateSession(c, info.Name, info.AuthMethod)
+	if err != nil {
+		return nil, err
+	}
+	if entrance != "" {
+		entranceValue := base64.StdEncoding.EncodeToString([]byte(entrance))
+		c.SetCookie("SecurityEntrance", entranceValue, 0, "", "", false, true)
+	}
+	return loginUser, nil
 }

 func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance string) (*dto.UserLoginInfo, error) {
@ -103,7 +114,15 @@ func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance strin
 		return nil, constant.ErrAuth
 	}

-	return u.generateSession(c, info.Name, info.AuthMethod)
+	loginUser, err := u.generateSession(c, info.Name, info.AuthMethod)
+	if err != nil {
+		return nil, err
+	}
+	if entrance != "" {
+		entranceValue := base64.StdEncoding.EncodeToString([]byte(entrance))
+		c.SetCookie("SecurityEntrance", entranceValue, 0, "", "", false, true)
+	}
+	return loginUser, nil
 }

 func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) (*dto.UserLoginInfo, error) {
@ -173,20 +192,6 @@ func (u *AuthService) VerifyCode(code string) (bool, error) {
 	return hmac.Equal([]byte(setting.Value), []byte(code)), nil
 }

-func (u *AuthService) CheckIsSafety(code string) (string, error) {
-	status, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
-	if err != nil {
-		return "", err
-	}
-	if len(status.Value) == 0 {
-		return "disable", nil
-	}
-	if status.Value == code {
-		return "pass", nil
-	}
-	return "unpass", nil
-}
-
 func (u *AuthService) GetResponsePage() (string, error) {
 	pageCode, err := settingRepo.Get(settingRepo.WithByKey("NoAuthSetting"))
 	if err != nil {
@ -194,3 +199,23 @@ func (u *AuthService) GetResponsePage() (string, error) {
 	}
 	return pageCode.Value, nil
 }
+
+func (u *AuthService) GetSecurityEntrance() string {
+	status, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
+	if err != nil {
+		return ""
+	}
+	if len(status.Value) == 0 {
+		return ""
+	}
+	return status.Value
+}
+
+func (u *AuthService) IsLogin(c *gin.Context) bool {
+	sID, _ := c.Cookie(constant.SessionName)
+	_, err := global.SESSION.Get(sID)
+	if err != nil {
+		return false
+	}
+	return true
+}
--- a/backend/constant/common.go
+++ b/backend/constant/common.go
@ -23,3 +23,87 @@ const (
 	DateTimeLayout     = "2006-01-02 15:04:05" // or use time.DateTime while go version >= 1.20
 	DateTimeSlimLayout = "20060102150405"
 )
+
+var WebUrlMap = map[string]struct{}{
+	"/apps":           {},
+	"/apps/all":       {},
+	"/apps/installed": {},
+	"/apps/upgrade":   {},
+
+	"/containers":           {},
+	"/containers/container": {},
+	"/containers/image":     {},
+	"/containers/network":   {},
+	"/containers/volume":    {},
+	"/containers/repo":      {},
+	"/containers/compose":   {},
+	"/containers/template":  {},
+	"/containers/setting":   {},
+
+	"/cronjobs": {},
+
+	"/databases":                   {},
+	"/databases/mysql":             {},
+	"/databases/mysql/remote":      {},
+	"/databases/postgresql":        {},
+	"/databases/postgresql/remote": {},
+	"/databases/redis":             {},
+	"/databases/redis/remote":      {},
+
+	"/hosts":                  {},
+	"/hosts/files":            {},
+	"/hosts/monitor/monitor":  {},
+	"/hosts/monitor/setting":  {},
+	"/hosts/terminal":         {},
+	"/hosts/firewall/port":    {},
+	"/hosts/firewall/forward": {},
+	"/hosts/firewall/ip":      {},
+	"/hosts/process/process":  {},
+	"/hosts/process/network":  {},
+	"/hosts/ssh/ssh":          {},
+	"/hosts/ssh/log":          {},
+	"/hosts/ssh/session":      {},
+
+	"/logs":           {},
+	"/logs/operation": {},
+	"/logs/login":     {},
+	"/logs/website":   {},
+	"/logs/system":    {},
+	"/logs/ssh":       {},
+
+	"/settings":               {},
+	"/settings/panel":         {},
+	"/settings/backupaccount": {},
+	"/settings/license":       {},
+	"/settings/about":         {},
+	"/settings/safe":          {},
+	"/settings/snapshot":      {},
+	"/settings/expired":       {},
+
+	"/toolbox":              {},
+	"/toolbox/device":       {},
+	"/toolbox/supervisor":   {},
+	"/toolbox/clam":         {},
+	"/toolbox/clam/setting": {},
+	"/toolbox/ftp":          {},
+	"/toolbox/fail2ban":     {},
+	"/toolbox/clean":        {},
+
+	"/websites":                 {},
+	"/websites/ssl":             {},
+	"/websites/runtimes/php":    {},
+	"/websites/runtimes/node":   {},
+	"/websites/runtimes/java":   {},
+	"/websites/runtimes/net":    {},
+	"/websites/runtimes/go":     {},
+	"/websites/runtimes/python": {},
+
+	"/login": {},
+}
+
+var DynamicRoutes = []string{
+	`^/containers/composeDetail/[^/]+$`,
+	`^/databases/mysql/setting/[^/]+/[^/]+$`,
+	`^/databases/postgresql/setting/[^/]+/[^/]+$`,
+	`^/websites/[^/]+/config/[^/]+$`,
+}
--- a/backend/init/router/router.go
+++ b/backend/init/router/router.go
@ -1,8 +1,15 @@
 package router

 import (
+	"encoding/base64"
 	"fmt"
+	"github.com/1Panel-dev/1Panel/backend/app/service"
+	"github.com/1Panel-dev/1Panel/backend/constant"
+	"github.com/1Panel-dev/1Panel/cmd/server/res"
 	"net/http"
+	"regexp"
+	"strconv"
+	"strings"

 	"github.com/1Panel-dev/1Panel/backend/global"
 	"github.com/1Panel-dev/1Panel/backend/i18n"
@ -20,8 +27,90 @@ var (
 	Router *gin.Engine
 )

+func toIndexHtml(c *gin.Context) {
+	c.Writer.WriteHeader(http.StatusOK)
+	_, _ = c.Writer.Write(web.IndexByte)
+	c.Writer.Header().Add("Accept", "text/html")
+	c.Writer.Flush()
+}
+
+func isEntrancePath(c *gin.Context) bool {
+	entrance := service.NewIAuthService().GetSecurityEntrance()
+	if entrance != "" && strings.TrimSuffix(c.Request.URL.Path, "/") == "/"+entrance {
+		return true
+	}
+	return false
+}
+
+func isFrontendPath(c *gin.Context) bool {
+	reqUri := strings.TrimSuffix(c.Request.URL.Path, "/")
+	if _, ok := constant.WebUrlMap[reqUri]; ok {
+		return true
+	}
+	for _, route := range constant.DynamicRoutes {
+		if match, _ := regexp.MatchString(route, reqUri); match {
+			return true
+		}
+	}
+	return false
+}
+
+func checkFrontendPath(c *gin.Context) bool {
+	if !isFrontendPath(c) {
+		return false
+	}
+	authService := service.NewIAuthService()
+	if authService.GetSecurityEntrance() != "" {
+		return authService.IsLogin(c)
+	}
+	return true
+}
+
+func checkEntrance(c *gin.Context) bool {
+	authService := service.NewIAuthService()
+	entrance := authService.GetSecurityEntrance()
+	if entrance == "" {
+		return true
+	}
+
+	cookieValue, err := c.Cookie("SecurityEntrance")
+	if err != nil {
+		return false
+	}
+	entranceValue, err := base64.StdEncoding.DecodeString(cookieValue)
+	if err != nil {
+		return false
+	}
+	return string(entranceValue) == entrance
+}
+
+func handleNoRoute(c *gin.Context) {
+	resPage, err := service.NewIAuthService().GetResponsePage()
+	if err != nil {
+		c.String(http.StatusInternalServerError, "Internal Server Error")
+		return
+	}
+	file := fmt.Sprintf("html/%s.html", resPage)
+	if resPage == "200" && c.GetHeader("Accept-Language") == "en" {
+		file = "html/200_en.html"
+	}
+
+	data, err := res.ErrorMsg.ReadFile(file)
+	if err != nil {
+		c.String(http.StatusInternalServerError, "Internal Server Error")
+		return
+	}
+	statusCode, err := strconv.Atoi(resPage)
+	if err != nil {
+		c.String(http.StatusInternalServerError, "Internal Server Error")
+		return
+	}
+	c.Data(statusCode, "text/html; charset=utf-8", data)
+}
+
 func setWebStatic(rootRouter *gin.RouterGroup) {
 	rootRouter.StaticFS("/public", http.FS(web.Favicon))
+	rootRouter.StaticFS("/favicon.ico", http.FS(web.Favicon))
 	rootRouter.Static("/api/v1/images", "./uploads")
 	rootRouter.Use(func(c *gin.Context) {
 		c.Next()
@ -31,7 +120,27 @@ func setWebStatic(rootRouter *gin.RouterGroup) {
 		staticServer := http.FileServer(http.FS(web.Assets))
 		staticServer.ServeHTTP(c.Writer, c.Request)
 	})
+
+	authService := service.NewIAuthService()
+	entrance := authService.GetSecurityEntrance()
+	if entrance != "" {
+		rootRouter.GET("/"+entrance, func(c *gin.Context) {
+			entrance = authService.GetSecurityEntrance()
+			if entrance == "" {
+				handleNoRoute(c)
+				return
+			}
+			c.Writer.WriteHeader(http.StatusOK)
+			_, _ = c.Writer.Write(web.IndexByte)
+			c.Writer.Header().Add("Accept", "text/html")
+			c.Writer.Flush()
+		})
+	}
 	rootRouter.GET("/", func(c *gin.Context) {
+		if !checkEntrance(c) {
+			handleNoRoute(c)
+			return
+		}
 		staticServer := http.FileServer(http.FS(web.IndexHtml))
 		staticServer.ServeHTTP(c.Writer, c.Request)
 	})
@ -47,10 +156,15 @@ func Routers() *gin.Engine {
 	}

 	Router.NoRoute(func(c *gin.Context) {
-		c.Writer.WriteHeader(http.StatusOK)
-		_, _ = c.Writer.Write(web.IndexByte)
-		c.Writer.Header().Add("Accept", "text/html")
-		c.Writer.Flush()
+		if checkFrontendPath(c) {
+			toIndexHtml(c)
+			return
+		}
+		if isEntrancePath(c) {
+			toIndexHtml(c)
+			return
+		}
+		handleNoRoute(c)
 	})

 	Router.Use(i18n.UseI18n())
--- a/backend/router/ro_base.go
+++ b/backend/router/ro_base.go
@ -14,7 +14,6 @@ func (s *BaseRouter) InitRouter(Router *gin.RouterGroup) {
 		baseRouter.GET("/captcha", baseApi.Captcha)
 		baseRouter.POST("/mfalogin", baseApi.MFALogin)
 		baseRouter.POST("/login", baseApi.Login)
-		baseRouter.GET("/issafety", baseApi.CheckIsSafety)
 		baseRouter.POST("/logout", baseApi.LogOut)
 		baseRouter.GET("/demo", baseApi.CheckIsDemo)
 		baseRouter.GET("/language", baseApi.GetLanguage)
--- a/cmd/server/res/error_msg.go
+++ b/cmd/server/res/error_msg.go
@ -0,0 +1,6 @@
+package res
+
+import "embed"
+
+//go:embed html/*
+var ErrorMsg embed.FS
--- a/cmd/server/res/html/200.html
+++ b/cmd/server/res/html/200.html
@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>暂无法访问</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            text-align: center;
+            background-color: #f9f9f9;
+            margin: 0;
+            padding: 0;
+            color: #333;
+        }
+        .container {
+            max-width: 600px;
+            margin: 50px auto;
+            padding: 20px;
+            background: #fff;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            border-radius: 8px;
+        }
+        .icon img {
+            width: 100px;
+            height: auto;
+        }
+        h1 {
+            font-size: 24px;
+            color: #555;
+        }
+        p {
+            font-size: 16px;
+            color: #666;
+            line-height: 1.5;
+        }
+        .command {
+            font-family: monospace;
+            background: #f0f0f0;
+            padding: 5px 10px;
+            border-radius: 4px;
+            display: inline-block;
+            margin-top: 10px;
+        }
+    </style>
+</head>
+<body>
+<div class="container">
+    <h1>暂时无法访问</h1>
+    <p>当前环境已经开启了安全入口登录。</p>
+    <p>在 SSH 终端输入以下命令来查看面板入口</p>
+    <p class="command">1pctl user-info</p>
+</div>
+</body>
+</html>
--- a/cmd/server/res/html/200_en.html
+++ b/cmd/server/res/html/200_en.html
@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Access Temporarily Unavailable</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            text-align: center;
+            background-color: #f9f9f9;
+            margin: 0;
+            padding: 0;
+            color: #333;
+        }
+        .container {
+            max-width: 600px;
+            margin: 50px auto;
+            padding: 20px;
+            background: #fff;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            border-radius: 8px;
+        }
+        .icon img {
+            width: 100px;
+            height: auto;
+        }
+        h1 {
+            font-size: 24px;
+            color: #555;
+        }
+        p {
+            font-size: 16px;
+            color: #666;
+            line-height: 1.5;
+        }
+        .command {
+            font-family: monospace;
+            background: #f0f0f0;
+            padding: 5px 10px;
+            border-radius: 4px;
+            display: inline-block;
+            margin-top: 10px;
+        }
+    </style>
+</head>
+<body>
+<div class="container">
+    <h1>Access Temporarily Unavailable</h1>
+    <p>The current environment has enabled secure login access.</p>
+    <p>Please enter the following command in the SSH terminal to view the panel login URL:</p>
+    <p class="command">1pctl user-info</p>
+</div>
+</body>
+</html>
--- a/cmd/server/res/html/400.html
+++ b/cmd/server/res/html/400.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>400 Bad Request</title></head>
+<body>
+<center><h1>400 Bad Request</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/cmd/server/res/html/401.html
+++ b/cmd/server/res/html/401.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>401 Unauthorized</title></head>
+<body>
+<center><h1>401 Unauthorized</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/cmd/server/res/html/403.html
+++ b/cmd/server/res/html/403.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/cmd/server/res/html/404.html
+++ b/cmd/server/res/html/404.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>404 Not Found</title></head>
+<body>
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/cmd/server/res/html/408.html
+++ b/cmd/server/res/html/408.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>408 Request Timeout</title></head>
+<body>
+<center><h1>408 Request Timeout</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/cmd/server/res/html/416.html
+++ b/cmd/server/res/html/416.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>416 Requested Not Satisfiable</title></head>
+<body>
+<center><h1>416 Requested Not Satisfiable</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/cmd/server/res/html/500.html
+++ b/cmd/server/res/html/500.html
@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html lang="en">
+<head><title>400 Bad Request</title></head>
+<body>
+<center><h1>400 Bad Request</h1></center>
+<hr><center>nginx</center>
+</body>
--- a/frontend/src/api/modules/auth.ts
+++ b/frontend/src/api/modules/auth.ts
@ -17,10 +17,6 @@ export const logOutApi = () => {
    return http.post<any>(`/auth/logout`);
 };

-export const checkIsSafety = (code: string) => {
-    return http.get<string>(`/auth/issafety?code=${code}`);
-};
-
 export const checkIsDemo = () => {
    return http.get<boolean>('/auth/demo');
 };
--- a/frontend/src/routers/modules/toolbox.ts
+++ b/frontend/src/routers/modules/toolbox.ts
@ -68,7 +68,7 @@ const toolboxRouter = {
                    },
                },
                {
-                    path: 'fail2Ban',
+                    path: 'fail2ban',
                    name: 'Fail2ban',
                    component: () => import('@/views/toolbox/fail2ban/index.vue'),
                    hidden: true,
--- a/frontend/src/views/login/entrance/index.vue
+++ b/frontend/src/views/login/entrance/index.vue
@ -41,7 +41,6 @@
 </template>

 <script setup lang="ts" name="login">
-import { checkIsSafety } from '@/api/modules/auth';
 import LoginForm from '../components/login-form.vue';
 import UnSafe from '@/components/error-message/unsafe.vue';
 import ErrIP from '@/components/error-message/err_ip.vue';
@ -66,9 +65,10 @@ const mySafetyCode = defineProps({

 const getStatus = async () => {
    let code = mySafetyCode.code;
+    if (code != '') {
        globalStore.entrance = code;
-    await checkIsSafety(code)
-        .then(() => {
+    }
+    await getXpackSettingForTheme();
    let info = globalStore.errStatus;
    if (info?.startsWith('err-') || info?.startsWith('code-')) {
        errStatus.value = info;
@ -77,12 +77,6 @@ const getStatus = async () => {
    }
    errStatus.value = '';
    init.value = true;
-            getXpackSettingForTheme();
-        })
-        .catch((err) => {
-            errStatus.value = 'code-' + err.status;
-            init.value = true;
-        });
 };

 onMounted(() => {
--- a/frontend/src/views/login/index.vue
+++ b/frontend/src/views/login/index.vue
@ -19,36 +19,16 @@
 </template>

 <script setup lang="ts" name="login">
-import { checkIsSafety } from '@/api/modules/auth';
 import LoginForm from './components/login-form.vue';
 import { ref, onMounted } from 'vue';
-import router from '@/routers';
 import { GlobalStore } from '@/store';
-import { getXpackSettingForTheme } from '@/utils/xpack';

 const gStore = GlobalStore();
 const loading = ref();

 const screenWidth = ref(null);

-const getStatus = async () => {
-    loading.value = true;
-    await checkIsSafety(gStore.entrance)
-        .then((res) => {
-            loading.value = false;
-            if (res.data === 'unpass') {
-                router.replace({ name: 'entrance', params: { code: gStore.entrance } });
-                return;
-            }
-            getXpackSettingForTheme();
-        })
-        .catch(() => {
-            loading.value = false;
-        });
-};
-
 onMounted(() => {
-    getStatus();
    screenWidth.value = document.body.clientWidth;
    window.onresize = () => {
        return (() => {