完成数据库敏感信息的加密

pkg/config/config.go

@@ -11,14 +11,17 @@ import (
 var GlobalCfg *Config
 
 type Config struct {
-	Debug         bool
-	Demo          bool
-	DB            string
-	Server        *Server
-	Mysql         *Mysql
-	Sqlite        *Sqlite
-	ResetPassword string
-	ResetTotp     string
+	Debug              bool
+	Demo               bool
+	DB                 string
+	Server             *Server
+	Mysql              *Mysql
+	Sqlite             *Sqlite
+	ResetPassword      string
+	ResetTotp          string
+	EncryptionKey      string
+	EncryptionPassword []byte
+	NewEncryptionKey   string
 }
 
 type Mysql struct {
@@ -83,10 +86,12 @@ func SetupConfig() *Config {
 			Cert: viper.GetString("server.cert"),
 			Key:  viper.GetString("server.key"),
 		},
-		ResetPassword: viper.GetString("reset-password"),
-		ResetTotp:     viper.GetString("reset-totp"),
-		Debug:         viper.GetBool("debug"),
-		Demo:          viper.GetBool("demo"),
+		ResetPassword:    viper.GetString("reset-password"),
+		ResetTotp:        viper.GetString("reset-totp"),
+		Debug:            viper.GetBool("debug"),
+		Demo:             viper.GetBool("demo"),
+		EncryptionKey:    viper.GetString("encryption-key"),
+		NewEncryptionKey: viper.GetString("new-encryption-key"),
 	}
 	GlobalCfg = config
 	return config

pkg/service/asset.go

@@ -0,0 +1,58 @@
+package service
+
+import (
+	"encoding/base64"
+
+	"next-terminal/pkg/global"
+	"next-terminal/server/repository"
+	"next-terminal/server/utils"
+)
+
+type AssetService struct {
+	assetRepository *repository.AssetRepository
+}
+
+func NewAssetService(assetRepository *repository.AssetRepository) *AssetService {
+	return &AssetService{assetRepository: assetRepository}
+}
+
+func (r AssetService) Encrypt() error {
+	items, err := r.assetRepository.FindAll()
+	if err != nil {
+		return err
+	}
+	for i := range items {
+		item := items[i]
+		if item.Encrypted {
+			continue
+		}
+		if item.Password != "" && item.Password != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Password), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Password = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+
+		if item.PrivateKey != "" && item.PrivateKey != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.PrivateKey), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.PrivateKey = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+
+		if item.Passphrase != "" && item.Passphrase != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Passphrase), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Passphrase = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+		err = r.assetRepository.EncryptedById(true, item.Password, item.PrivateKey, item.Passphrase, item.ID)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/service/credential.go

@@ -0,0 +1,58 @@
+package service
+
+import (
+	"encoding/base64"
+
+	"next-terminal/pkg/global"
+	"next-terminal/server/repository"
+	"next-terminal/server/utils"
+)
+
+type CredentialService struct {
+	credentialRepository *repository.CredentialRepository
+}
+
+func NewCredentialService(credentialRepository *repository.CredentialRepository) *CredentialService {
+	return &CredentialService{credentialRepository: credentialRepository}
+}
+
+func (r CredentialService) Encrypt() error {
+	items, err := r.credentialRepository.FindAll()
+	if err != nil {
+		return err
+	}
+	for i := range items {
+		item := items[i]
+		if item.Encrypted {
+			continue
+		}
+		if item.Password != "" && item.Password != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Password), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Password = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+
+		if item.PrivateKey != "" && item.PrivateKey != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.PrivateKey), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.PrivateKey = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+
+		if item.Passphrase != "" && item.Passphrase != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Passphrase), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Passphrase = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+		err = r.credentialRepository.EncryptedById(true, item.Password, item.PrivateKey, item.Passphrase, item.ID)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/service/job.go

@@ -160,7 +160,7 @@ func (r ShellJob) Run() {
 
 	msgChan := make(chan string)
 	for i := range assets {
-		asset, err := r.jobService.assetRepository.FindById(assets[i].ID)
+		asset, err := r.jobService.assetRepository.FindByIdAndDecrypt(assets[i].ID)
 		if err != nil {
 			msgChan <- fmt.Sprintf("资产「%v」Shell执行失败，查询数据异常「%v」", assets[i].Name, err.Error())
 			return
@@ -176,7 +176,7 @@ func (r ShellJob) Run() {
 		)
 
 		if asset.AccountType == "credential" {
-			credential, err := r.jobService.credentialRepository.FindById(asset.CredentialId)
+			credential, err := r.jobService.credentialRepository.FindByIdAndDecrypt(asset.CredentialId)
 			if err != nil {
 				msgChan <- fmt.Sprintf("资产「%v」Shell执行失败，查询授权凭证数据异常「%v」", assets[i].Name, err.Error())
 				return

pkg/service/session.go

@@ -33,3 +33,7 @@ func (r SessionService) FixSessionState() error {
 	}
 	return nil
 }
+
+func (r SessionService) EmptyPassword() error {
+	return r.sessionRepository.EmptyPassword()
+}

pkg/service/user.go

@@ -58,7 +58,7 @@ func (r UserService) InitUser() (err error) {
 	return nil
 }
 
-func (r UserService) FixedUserOnlineState() error {
+func (r UserService) FixUserOnlineState() error {
 	// 修正用户登录状态
 	onlineUsers, err := r.userRepository.FindOnlineUsers()
 	if err != nil {