完成数据库敏感信息的加密

server/api/asset.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"next-terminal/pkg/constant"
+	"next-terminal/pkg/global"
 	"next-terminal/server/model"
 	"next-terminal/server/utils"
 
@@ -199,6 +200,9 @@ func AssetUpdateEndpoint(c echo.Context) error {
 		item.Description = "-"
 	}
 
+	if err := assetRepository.Encrypt(&item, global.Config.EncryptionPassword); err != nil {
+		return err
+	}
 	if err := assetRepository.UpdateById(&item, id); err != nil {
 		return err
 	}
@@ -264,7 +268,7 @@ func AssetGetEndpoint(c echo.Context) (err error) {
 	}
 
 	var item model.Asset
-	if item, err = assetRepository.FindById(id); err != nil {
+	if item, err = assetRepository.FindByIdAndDecrypt(id); err != nil {
 		return err
 	}
 	attributeMap, err := assetRepository.FindAssetAttrMapByAssetId(id)
@@ -289,9 +293,12 @@ func AssetTcpingEndpoint(c echo.Context) (err error) {
 
 	active := utils.Tcping(item.IP, item.Port)
 
-	if err := assetRepository.UpdateActiveById(active, item.ID); err != nil {
-		return err
+	if item.Active != active {
+		if err := assetRepository.UpdateActiveById(active, item.ID); err != nil {
+			return err
+		}
 	}
+
 	return Success(c, active)
 }
 

server/api/credential.go

@@ -1,11 +1,13 @@
 package api
 
 import (
+	"encoding/base64"
 	"errors"
 	"strconv"
 	"strings"
 
 	"next-terminal/pkg/constant"
+	"next-terminal/pkg/global"
 	"next-terminal/server/model"
 	"next-terminal/server/utils"
 
@@ -32,27 +34,28 @@ func CredentialCreateEndpoint(c echo.Context) error {
 	case constant.Custom:
 		item.PrivateKey = "-"
 		item.Passphrase = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.Password) == 0 {
+		if item.Password == "" {
 			item.Password = "-"
 		}
 	case constant.PrivateKey:
 		item.Password = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.PrivateKey) == 0 {
+		if item.PrivateKey == "" {
 			item.PrivateKey = "-"
 		}
-		if len(item.Passphrase) == 0 {
+		if item.Passphrase == "" {
 			item.Passphrase = "-"
 		}
 	default:
 		return Fail(c, -1, "类型错误")
 	}
 
+	item.Encrypted = true
 	if err := credentialRepository.Create(&item); err != nil {
 		return err
 	}
@@ -96,26 +99,48 @@ func CredentialUpdateEndpoint(c echo.Context) error {
 	case constant.Custom:
 		item.PrivateKey = "-"
 		item.Passphrase = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.Password) == 0 {
+		if item.Password == "" {
 			item.Password = "-"
 		}
+		if item.Password != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Password), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Password = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
 	case constant.PrivateKey:
 		item.Password = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.PrivateKey) == 0 {
+		if item.PrivateKey == "" {
 			item.PrivateKey = "-"
 		}
-		if len(item.Passphrase) == 0 {
+		if item.PrivateKey != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.PrivateKey), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.PrivateKey = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+		if item.Passphrase == "" {
 			item.Passphrase = "-"
 		}
+		if item.Passphrase != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Passphrase), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Passphrase = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
 	default:
 		return Fail(c, -1, "类型错误")
 	}
+	item.Encrypted = true
 
 	if err := credentialRepository.UpdateById(&item, id); err != nil {
 		return err
@@ -149,7 +174,7 @@ func CredentialGetEndpoint(c echo.Context) error {
 		return err
 	}
 
-	item, err := credentialRepository.FindById(id)
+	item, err := credentialRepository.FindByIdAndDecrypt(id)
 	if err != nil {
 		return err
 	}

server/api/routes.go

@@ -1,8 +1,10 @@
 package api
 
 import (
+	"crypto/md5"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -45,6 +47,7 @@ var (
 	sessionService  *service.SessionService
 	mailService     *service.MailService
 	numService      *service.NumService
+	assetService    *service.AssetService
 )
 
 func SetupRoutes(db *gorm.DB) *echo.Echo {
@@ -54,6 +57,7 @@ func SetupRoutes(db *gorm.DB) *echo.Echo {
 
 	if err := InitDBData(); err != nil {
 		log.WithError(err).Error("初始化数据异常")
+		os.Exit(0)
 	}
 
 	if err := ReloadData(); err != nil {
@@ -251,6 +255,7 @@ func InitService() {
 	sessionService = service.NewSessionService(sessionRepository)
 	mailService = service.NewMailService(propertyRepository)
 	numService = service.NewNumService(numRepository)
+	assetService = service.NewAssetService(assetRepository)
 }
 
 func InitDBData() (err error) {
@@ -266,12 +271,18 @@ func InitDBData() (err error) {
 	if err := jobService.InitJob(); err != nil {
 		return err
 	}
-	if err := userService.FixedUserOnlineState(); err != nil {
+	if err := userService.FixUserOnlineState(); err != nil {
 		return err
 	}
 	if err := sessionService.FixSessionState(); err != nil {
 		return err
 	}
+	if err := sessionService.EmptyPassword(); err != nil {
+		return err
+	}
+	if err := assetService.Encrypt(); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -312,6 +323,47 @@ func ResetTotp(username string) error {
 	return nil
 }
 
+func ChangeEncryptionKey(oldEncryptionKey, newEncryptionKey string) error {
+
+	oldPassword := []byte(fmt.Sprintf("%x", md5.Sum([]byte(oldEncryptionKey))))
+	newPassword := []byte(fmt.Sprintf("%x", md5.Sum([]byte(newEncryptionKey))))
+
+	credentials, err := credentialRepository.FindAll()
+	if err != nil {
+		return err
+	}
+	for i := range credentials {
+		credential := credentials[i]
+		if err := credentialRepository.Decrypt(&credential, oldPassword); err != nil {
+			return err
+		}
+		if err := credentialRepository.Encrypt(&credential, newPassword); err != nil {
+			return err
+		}
+		if err := credentialRepository.UpdateById(&credential, credential.ID); err != nil {
+			return err
+		}
+	}
+	assets, err := assetRepository.FindAll()
+	if err != nil {
+		return err
+	}
+	for i := range assets {
+		asset := assets[i]
+		if err := assetRepository.Decrypt(&asset, oldPassword); err != nil {
+			return err
+		}
+		if err := assetRepository.Encrypt(&asset, newPassword); err != nil {
+			return err
+		}
+		if err := assetRepository.UpdateById(&asset, asset.ID); err != nil {
+			return err
+		}
+	}
+	log.Infof("encryption key has being changed.")
+	return nil
+}
+
 func SetupCache() *cache.Cache {
 	// 配置缓存器
 	mCache := cache.New(5*time.Minute, 10*time.Minute)

server/api/session.go

@@ -137,6 +137,9 @@ func CloseSessionById(sessionId string, code int, reason string) {
 	session.DisconnectedTime = utils.NowJsonTime()
 	session.Code = code
 	session.Message = reason
+	session.Password = "-"
+	session.PrivateKey = "-"
+	session.Passphrase = "-"
 
 	_ = sessionRepository.UpdateById(&session, sessionId)
 }
@@ -359,7 +362,7 @@ type File struct {
 
 func SessionLsEndpoint(c echo.Context) error {
 	sessionId := c.Param("id")
-	session, err := sessionRepository.FindById(sessionId)
+	session, err := sessionRepository.FindByIdAndDecrypt(sessionId)
 	if err != nil {
 		return err
 	}

server/api/ssh.go

@@ -54,7 +54,7 @@ func SSHEndpoint(c echo.Context) (err error) {
 	cols, _ := strconv.Atoi(c.QueryParam("cols"))
 	rows, _ := strconv.Atoi(c.QueryParam("rows"))
 
-	session, err := sessionRepository.FindById(sessionId)
+	session, err := sessionRepository.FindByIdAndDecrypt(sessionId)
 	if err != nil {
 		msg := Message{
 			Type:    Closed,

server/api/tunnel.go

@@ -65,7 +65,7 @@ func TunEndpoint(c echo.Context) error {
 		configuration.SetParameter("width", width)
 		configuration.SetParameter("height", height)
 		configuration.SetParameter("dpi", dpi)
-		session, err = sessionRepository.FindById(sessionId)
+		session, err = sessionRepository.FindByIdAndDecrypt(sessionId)
 		if err != nil {
 			CloseSessionById(sessionId, NotFoundSession, "会话不存在")
 			return err

server/model/asset.go

@@ -21,6 +21,7 @@ type Asset struct {
 	Created      utils.JsonTime `json:"created"`
 	Tags         string         `json:"tags"`
 	Owner        string         `gorm:"index" json:"owner"`
+	Encrypted    bool           `json:"encrypted"`
 }
 
 type AssetForPage struct {

server/model/credential.go

@@ -14,6 +14,7 @@ type Credential struct {
 	Passphrase string         `json:"passphrase"`
 	Created    utils.JsonTime `json:"created"`
 	Owner      string         `gorm:"index" json:"owner"`
+	Encrypted  bool           `json:"encrypted"`
 }
 
 func (r *Credential) TableName() string {

server/repository/asset.go

@@ -1,6 +1,7 @@
 package repository
 
 import (
+	"encoding/base64"
 	"fmt"
 	"strings"
 
@@ -145,7 +146,36 @@ func (r AssetRepository) Find(pageIndex, pageSize int, name, protocol, tags stri
 	return
 }
 
+func (r AssetRepository) Encrypt(item *model.Asset, password []byte) error {
+	if item.Password != "" && item.Password != "-" {
+		encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Password), password)
+		if err != nil {
+			return err
+		}
+		item.Password = base64.StdEncoding.EncodeToString(encryptedCBC)
+	}
+	if item.PrivateKey != "" && item.PrivateKey != "-" {
+		encryptedCBC, err := utils.AesEncryptCBC([]byte(item.PrivateKey), password)
+		if err != nil {
+			return err
+		}
+		item.PrivateKey = base64.StdEncoding.EncodeToString(encryptedCBC)
+	}
+	if item.Passphrase != "" && item.Passphrase != "-" {
+		encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Passphrase), password)
+		if err != nil {
+			return err
+		}
+		item.Passphrase = base64.StdEncoding.EncodeToString(encryptedCBC)
+	}
+	item.Encrypted = true
+	return nil
+}
+
 func (r AssetRepository) Create(o *model.Asset) (err error) {
+	if err := r.Encrypt(o, global.Config.EncryptionPassword); err != nil {
+		return err
+	}
 	if err = r.DB.Create(o).Error; err != nil {
 		return err
 	}
@@ -157,8 +187,54 @@ func (r AssetRepository) FindById(id string) (o model.Asset, err error) {
 	return
 }
 
+func (r AssetRepository) Decrypt(item *model.Asset, password []byte) error {
+	if item.Encrypted {
+		if item.Password != "" && item.Password != "-" {
+			origData, err := base64.StdEncoding.DecodeString(item.Password)
+			if err != nil {
+				return err
+			}
+			decryptedCBC, err := utils.AesDecryptCBC(origData, password)
+			if err != nil {
+				return err
+			}
+			item.Password = string(decryptedCBC)
+		}
+		if item.PrivateKey != "" && item.PrivateKey != "-" {
+			origData, err := base64.StdEncoding.DecodeString(item.PrivateKey)
+			if err != nil {
+				return err
+			}
+			decryptedCBC, err := utils.AesDecryptCBC(origData, password)
+			if err != nil {
+				return err
+			}
+			item.PrivateKey = string(decryptedCBC)
+		}
+		if item.Passphrase != "" && item.Passphrase != "-" {
+			origData, err := base64.StdEncoding.DecodeString(item.Passphrase)
+			if err != nil {
+				return err
+			}
+			decryptedCBC, err := utils.AesDecryptCBC(origData, password)
+			if err != nil {
+				return err
+			}
+			item.Passphrase = string(decryptedCBC)
+		}
+	}
+	return nil
+}
+
+func (r AssetRepository) FindByIdAndDecrypt(id string) (o model.Asset, err error) {
+	err = r.DB.Where("id = ?", id).First(&o).Error
+	if err == nil {
+		err = r.Decrypt(&o, global.Config.EncryptionPassword)
+	}
+	return
+}
+
 func (r AssetRepository) UpdateById(o *model.Asset, id string) error {
-	o.ID = id
 	return r.DB.Updates(o).Error
 }
 
@@ -167,6 +243,11 @@ func (r AssetRepository) UpdateActiveById(active bool, id string) error {
 	return r.DB.Exec(sql, active, id).Error
 }
 
+func (r AssetRepository) EncryptedById(encrypted bool, password, privateKey, passphrase, id string) error {
+	sql := "update assets set encrypted = ?, password = ?,private_key = ?, passphrase = ?  where id = ?"
+	return r.DB.Exec(sql, encrypted, password, privateKey, passphrase, id).Error
+}
+
 func (r AssetRepository) DeleteById(id string) error {
 	return r.DB.Where("id = ?", id).Delete(&model.Asset{}).Error
 }

server/repository/credential.go

@@ -1,8 +1,12 @@
 package repository
 
 import (
+	"encoding/base64"
+
 	"next-terminal/pkg/constant"
+	"next-terminal/pkg/global"
 	"next-terminal/server/model"
+	"next-terminal/server/utils"
 
 	"gorm.io/gorm"
 )
@@ -65,6 +69,9 @@ func (r CredentialRepository) Find(pageIndex, pageSize int, name, order, field s
 }
 
 func (r CredentialRepository) Create(o *model.Credential) (err error) {
+	if err := r.Encrypt(o, global.Config.EncryptionPassword); err != nil {
+		return err
+	}
 	if err = r.DB.Create(o).Error; err != nil {
 		return err
 	}
@@ -76,6 +83,79 @@ func (r CredentialRepository) FindById(id string) (o model.Credential, err error
 	return
 }
 
+func (r CredentialRepository) Encrypt(item *model.Credential, password []byte) error {
+	if item.Password != "-" {
+		encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Password), password)
+		if err != nil {
+			return err
+		}
+		item.Password = base64.StdEncoding.EncodeToString(encryptedCBC)
+	}
+	if item.PrivateKey != "-" {
+		encryptedCBC, err := utils.AesEncryptCBC([]byte(item.PrivateKey), password)
+		if err != nil {
+			return err
+		}
+		item.PrivateKey = base64.StdEncoding.EncodeToString(encryptedCBC)
+	}
+	if item.Passphrase != "-" {
+		encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Passphrase), password)
+		if err != nil {
+			return err
+		}
+		item.Passphrase = base64.StdEncoding.EncodeToString(encryptedCBC)
+	}
+	item.Encrypted = true
+	return nil
+}
+
+func (r CredentialRepository) Decrypt(item *model.Credential, password []byte) error {
+	if item.Encrypted {
+		if item.Password != "" && item.Password != "-" {
+			origData, err := base64.StdEncoding.DecodeString(item.Password)
+			if err != nil {
+				return err
+			}
+			decryptedCBC, err := utils.AesDecryptCBC(origData, password)
+			if err != nil {
+				return err
+			}
+			item.Password = string(decryptedCBC)
+		}
+		if item.PrivateKey != "" && item.PrivateKey != "-" {
+			origData, err := base64.StdEncoding.DecodeString(item.PrivateKey)
+			if err != nil {
+				return err
+			}
+			decryptedCBC, err := utils.AesDecryptCBC(origData, password)
+			if err != nil {
+				return err
+			}
+			item.PrivateKey = string(decryptedCBC)
+		}
+		if item.Passphrase != "" && item.Passphrase != "-" {
+			origData, err := base64.StdEncoding.DecodeString(item.Passphrase)
+			if err != nil {
+				return err
+			}
+			decryptedCBC, err := utils.AesDecryptCBC(origData, password)
+			if err != nil {
+				return err
+			}
+			item.Passphrase = string(decryptedCBC)
+		}
+	}
+	return nil
+}
+
+func (r CredentialRepository) FindByIdAndDecrypt(id string) (o model.Credential, err error) {
+	err = r.DB.Where("id = ?", id).First(&o).Error
+	if err == nil {
+		err = r.Decrypt(&o, global.Config.EncryptionPassword)
+	}
+	return
+}
+
 func (r CredentialRepository) UpdateById(o *model.Credential, id string) error {
 	o.ID = id
 	return r.DB.Updates(o).Error
@@ -107,3 +187,13 @@ func (r CredentialRepository) CountByUserId(userId string) (total int64, err err
 	err = db.Find(&model.Credential{}).Count(&total).Error
 	return
 }
+
+func (r CredentialRepository) FindAll() (o []model.Credential, err error) {
+	err = r.DB.Find(&o).Error
+	return
+}
+
+func (r CredentialRepository) EncryptedById(encrypted bool, password, privateKey, passphrase, id string) error {
+	sql := "update assets set encrypted = ?, password = ?,private_key = ?, passphrase = ?  where id = ?"
+	return r.DB.Exec(sql, encrypted, password, privateKey, passphrase, id).Error
+}

server/repository/session.go

@@ -1,12 +1,15 @@
 package repository
 
 import (
+	"encoding/base64"
 	"os"
 	"path"
 	"time"
 
 	"next-terminal/pkg/constant"
+	"next-terminal/pkg/global"
 	"next-terminal/server/model"
+	"next-terminal/server/utils"
 
 	"gorm.io/gorm"
 )
@@ -93,6 +96,51 @@ func (r SessionRepository) FindById(id string) (o model.Session, err error) {
 	return
 }
 
+func (r SessionRepository) FindByIdAndDecrypt(id string) (o model.Session, err error) {
+	err = r.DB.Where("id = ?", id).First(&o).Error
+	if err == nil {
+		err = r.Decrypt(&o)
+	}
+	return
+}
+
+func (r SessionRepository) Decrypt(item *model.Session) error {
+	if item.Password != "" && item.Password != "-" {
+		origData, err := base64.StdEncoding.DecodeString(item.Password)
+		if err != nil {
+			return err
+		}
+		decryptedCBC, err := utils.AesDecryptCBC(origData, global.Config.EncryptionPassword)
+		if err != nil {
+			return err
+		}
+		item.Password = string(decryptedCBC)
+	}
+	if item.PrivateKey != "" && item.PrivateKey != "-" {
+		origData, err := base64.StdEncoding.DecodeString(item.PrivateKey)
+		if err != nil {
+			return err
+		}
+		decryptedCBC, err := utils.AesDecryptCBC(origData, global.Config.EncryptionPassword)
+		if err != nil {
+			return err
+		}
+		item.PrivateKey = string(decryptedCBC)
+	}
+	if item.Passphrase != "" && item.Passphrase != "-" {
+		origData, err := base64.StdEncoding.DecodeString(item.Passphrase)
+		if err != nil {
+			return err
+		}
+		decryptedCBC, err := utils.AesDecryptCBC(origData, global.Config.EncryptionPassword)
+		if err != nil {
+			return err
+		}
+		item.Passphrase = string(decryptedCBC)
+	}
+	return nil
+}
+
 func (r SessionRepository) FindByConnectionId(connectionId string) (o model.Session, err error) {
 	err = r.DB.Where("connection_id = ?", connectionId).First(&o).Error
 	return
@@ -167,3 +215,8 @@ func (r SessionRepository) CountSessionByDay(day int) (results []D, err error) {
 
 	return
 }
+
+func (r SessionRepository) EmptyPassword() error {
+	sql := "update sessions set password = '-',private_key = '-', passphrase = '-' where 1=1"
+	return r.DB.Exec(sql).Error
+}

server/utils/util_test.go

@@ -1,7 +1,10 @@
 package utils_test
 
 import (
+	"crypto/md5"
 	"encoding/base64"
+	"encoding/hex"
+	"fmt"
 	"net"
 	"testing"
 
@@ -51,3 +54,26 @@ func TestAesDecryptCBC(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "Hello Next Terminal", string(decryptCBC))
 }
+
+func TestPbkdf2(t *testing.T) {
+	pbkdf2, err := utils.Pbkdf2("1234")
+	assert.NoError(t, err)
+	println(hex.EncodeToString(pbkdf2))
+}
+
+func TestAesEncryptCBCWithAnyKey(t *testing.T) {
+	origData := []byte("admin")                                        // 待加密的数据
+	key := []byte(fmt.Sprintf("%x", md5.Sum([]byte("next-terminal")))) // 加密的密钥
+	encryptedCBC, err := utils.AesEncryptCBC(origData, key)
+	assert.NoError(t, err)
+	assert.Equal(t, "3qwawlPxghyiLS5hdr/p0g==", base64.StdEncoding.EncodeToString(encryptedCBC))
+}
+
+func TestAesDecryptCBCWithAnyKey(t *testing.T) {
+	origData, err := base64.StdEncoding.DecodeString("3qwawlPxghyiLS5hdr/p0g==") // 待解密的数据
+	assert.NoError(t, err)
+	key := []byte(fmt.Sprintf("%x", md5.Sum([]byte("next-terminal")))) // 加密的密钥
+	decryptCBC, err := utils.AesDecryptCBC(origData, key)
+	assert.NoError(t, err)
+	assert.Equal(t, "admin", string(decryptCBC))
+}

server/utils/utils.go

@@ -5,6 +5,8 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/md5"
+	"crypto/rand"
+	"crypto/sha256"
 	"database/sql/driver"
 	"encoding/base64"
 	"fmt"
@@ -19,6 +21,8 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/crypto/pbkdf2"
+
 	"github.com/gofrs/uuid"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/bcrypt"
@@ -239,6 +243,7 @@ func PKCS5UnPadding(origData []byte) []byte {
 	return origData[:(length - unPadding)]
 }
 
+// AesEncryptCBC /*
 func AesEncryptCBC(origData, key []byte) ([]byte, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -266,3 +271,15 @@ func AesDecryptCBC(encrypted, key []byte) ([]byte, error) {
 	origData = PKCS5UnPadding(origData)
 	return origData, nil
 }
+
+func Pbkdf2(password string) ([]byte, error) {
+	//生成随机盐
+	salt := make([]byte, 32)
+	_, err := rand.Read(salt)
+	if err != nil {
+		return nil, err
+	}
+	//生成密文
+	dk := pbkdf2.Key([]byte(password), salt, 1, 32, sha256.New)
+	return dk, nil
+}