提交 v1.3.0 beta

2022-10-23 20:05:13 +08:00
parent 4ff4d37442
commit 112435199a
329 changed files with 18340 additions and 58458 deletions
--- a/server/app/middleware/auth.go
+++ b/server/app/middleware/auth.go
@ -0,0 +1,138 @@
+package middleware
+
+import (
+	"next-terminal/server/common/nt"
+	"strings"
+
+	"next-terminal/server/api"
+	"next-terminal/server/dto"
+	"next-terminal/server/global/cache"
+	"next-terminal/server/service"
+
+	"github.com/labstack/echo/v4"
+	"github.com/ucarion/urlpath"
+)
+
+var anonymousUrls = []string{"/login", "/static", "/favicon.ico", "/logo.svg", "/branding"}
+
+var allowUrls = []urlpath.Path{
+	urlpath.New("/account/info"),
+	urlpath.New("/share-sessions/:id"),
+	urlpath.New("/sessions"),
+	urlpath.New("/sessions/:id/tunnel"),
+	urlpath.New("/sessions/:id/connect"),
+	urlpath.New("/sessions/:id/resize"),
+	urlpath.New("/sessions/:id/stats"),
+	urlpath.New("/sessions/:id/ls"),
+	urlpath.New("/sessions/:id/download"),
+	urlpath.New("/sessions/:id/upload"),
+	urlpath.New("/sessions/:id/edit"),
+	urlpath.New("/sessions/:id/mkdir"),
+	urlpath.New("/sessions/:id/rm"),
+	urlpath.New("/sessions/:id/rename"),
+	urlpath.New("/sessions/:id/ssh"),
+}
+
+func Auth(next echo.HandlerFunc) echo.HandlerFunc {
+
+	return func(c echo.Context) error {
+
+		uri := c.Request().RequestURI
+		if uri == "/" || strings.HasPrefix(uri, "/#") {
+			return next(c)
+		}
+		// 路由拦截 - 登录身份、资源权限判断等
+		for i := range anonymousUrls {
+			if strings.HasPrefix(uri, anonymousUrls[i]) {
+				return next(c)
+			}
+		}
+
+		token := api.GetToken(c)
+		if token == "" {
+			return api.Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
+		}
+
+		v, found := cache.TokenManager.Get(token)
+		if !found {
+			return api.Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
+		}
+
+		authorization := v.(dto.Authorization)
+
+		if strings.EqualFold(nt.LoginToken, authorization.Type) {
+			if authorization.Remember {
+				// 记住登录有效期两周
+				cache.TokenManager.Set(token, authorization, cache.RememberMeExpiration)
+			} else {
+				cache.TokenManager.Set(token, authorization, cache.NotRememberExpiration)
+			}
+		}
+
+		if strings.HasPrefix(uri, "/account") {
+			return next(c)
+		}
+		if strings.HasPrefix(uri, "/worker") {
+			return next(c)
+		}
+
+		// 放行接入相关接口
+		uri = strings.Split(uri, "?")[0]
+		for _, url := range allowUrls {
+			_, ok := url.Match(uri)
+			if ok {
+				return next(c)
+			}
+		}
+
+		account, _ := api.GetCurrentAccount(c)
+
+		if service.UserService.IsSuperAdmin(account.ID) {
+			return next(c)
+		}
+		var roles []string
+		v, ok := cache.UserRolesManager.Get(account.ID)
+		if ok {
+			roles = v.([]string)
+			if len(roles) == 0 {
+				roles, _ = service.RoleService.GetRolesByUserId(account.ID)
+				cache.UserRolesManager.SetDefault(account.ID, roles)
+			}
+		} else {
+			roles, _ = service.RoleService.GetRolesByUserId(account.ID)
+			cache.UserRolesManager.SetDefault(account.ID, roles)
+		}
+
+		urlPath := c.Request().URL.Path
+
+		for _, role := range roles {
+			menus := service.RoleService.GetMenuListByRole(role)
+			for _, menu := range menus {
+				permissions := service.MenuService.GetPermissionByMenu(menu)
+				for _, perm := range permissions {
+					_, ok := perm.Match(urlPath)
+					if ok {
+						return next(c)
+					}
+				}
+			}
+		}
+		return api.Fail(c, 403, "permission denied")
+	}
+}
+
+func Admin(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+
+		account, found := api.GetCurrentAccount(c)
+		if !found {
+			return api.Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
+		}
+
+		if account.Type != nt.TypeAdmin {
+			return api.Fail(c, 403, "permission denied.")
+		}
+
+		return next(c)
+	}
+}
--- a/server/app/middleware/error_handler.go
+++ b/server/app/middleware/error_handler.go
@ -0,0 +1,28 @@
+package middleware
+
+import (
+	"fmt"
+	"next-terminal/server/log"
+
+	"next-terminal/server/api"
+
+	"github.com/labstack/echo/v4"
+)
+
+func ErrorHandler(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+
+		if err := next(c); err != nil {
+
+			fmt.Printf("%+v\n", err)
+			log.Error("api error", log.NamedError("err", err))
+			if he, ok := err.(*echo.HTTPError); ok {
+				message := fmt.Sprintf("%v", he.Message)
+				return api.Fail(c, he.Code, message)
+			}
+
+			return api.Fail(c, -1, err.Error())
+		}
+		return nil
+	}
+}
--- a/server/app/middleware/tcpwall.go
+++ b/server/app/middleware/tcpwall.go
@ -0,0 +1,72 @@
+package middleware
+
+import (
+	"net"
+	"next-terminal/server/common/nt"
+	"strings"
+
+	"next-terminal/server/api"
+	"next-terminal/server/global/security"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func TcpWall(next echo.HandlerFunc) echo.HandlerFunc {
+
+	return func(c echo.Context) error {
+		securities := security.GlobalSecurityManager.Values()
+		if len(securities) == 0 {
+			return next(c)
+		}
+
+		ip := c.RealIP()
+
+		var pass = true
+
+		for _, s := range securities {
+			ipGroups := strings.Split(s.IP, ",")
+			for _, ipGroup := range ipGroups {
+				if strings.Contains(ipGroup, "/") {
+					// CIDR
+					_, ipNet, err := net.ParseCIDR(ipGroup)
+					if err != nil {
+						continue
+					}
+					if !ipNet.Contains(net.ParseIP(ip)) {
+						continue
+					}
+				} else if strings.Contains(ipGroup, "-") {
+					// 范围段
+					split := strings.Split(ipGroup, "-")
+					if len(split) < 2 {
+						continue
+					}
+					start := split[0]
+					end := split[1]
+					intReqIP := utils.IpToInt(ip)
+					if intReqIP < utils.IpToInt(start) || intReqIP > utils.IpToInt(end) {
+						continue
+					}
+				} else {
+					// IP
+					if ipGroup != ip {
+						continue
+					}
+				}
+
+				pass = s.Rule == nt.AccessRuleAllow
+			}
+		}
+
+		if !pass {
+			if c.Request().Header.Get("X-Requested-With") != "" || c.Request().Header.Get(nt.Token) != "" {
+				return api.Fail(c, -1, "您的访问请求被拒绝 :(")
+			} else {
+				return c.HTML(666, "您的访问请求被拒绝 :(")
+			}
+		}
+
+		return next(c)
+	}
+}