完成数据库敏感信息的加密

server/api/asset.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"next-terminal/pkg/constant"
+	"next-terminal/pkg/global"
 	"next-terminal/server/model"
 	"next-terminal/server/utils"
 
@@ -199,6 +200,9 @@ func AssetUpdateEndpoint(c echo.Context) error {
 		item.Description = "-"
 	}
 
+	if err := assetRepository.Encrypt(&item, global.Config.EncryptionPassword); err != nil {
+		return err
+	}
 	if err := assetRepository.UpdateById(&item, id); err != nil {
 		return err
 	}
@@ -264,7 +268,7 @@ func AssetGetEndpoint(c echo.Context) (err error) {
 	}
 
 	var item model.Asset
-	if item, err = assetRepository.FindById(id); err != nil {
+	if item, err = assetRepository.FindByIdAndDecrypt(id); err != nil {
 		return err
 	}
 	attributeMap, err := assetRepository.FindAssetAttrMapByAssetId(id)
@@ -289,9 +293,12 @@ func AssetTcpingEndpoint(c echo.Context) (err error) {
 
 	active := utils.Tcping(item.IP, item.Port)
 
-	if err := assetRepository.UpdateActiveById(active, item.ID); err != nil {
-		return err
+	if item.Active != active {
+		if err := assetRepository.UpdateActiveById(active, item.ID); err != nil {
+			return err
+		}
 	}
+
 	return Success(c, active)
 }
 

server/api/credential.go

@@ -1,11 +1,13 @@
 package api
 
 import (
+	"encoding/base64"
 	"errors"
 	"strconv"
 	"strings"
 
 	"next-terminal/pkg/constant"
+	"next-terminal/pkg/global"
 	"next-terminal/server/model"
 	"next-terminal/server/utils"
 
@@ -32,27 +34,28 @@ func CredentialCreateEndpoint(c echo.Context) error {
 	case constant.Custom:
 		item.PrivateKey = "-"
 		item.Passphrase = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.Password) == 0 {
+		if item.Password == "" {
 			item.Password = "-"
 		}
 	case constant.PrivateKey:
 		item.Password = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.PrivateKey) == 0 {
+		if item.PrivateKey == "" {
 			item.PrivateKey = "-"
 		}
-		if len(item.Passphrase) == 0 {
+		if item.Passphrase == "" {
 			item.Passphrase = "-"
 		}
 	default:
 		return Fail(c, -1, "类型错误")
 	}
 
+	item.Encrypted = true
 	if err := credentialRepository.Create(&item); err != nil {
 		return err
 	}
@@ -96,26 +99,48 @@ func CredentialUpdateEndpoint(c echo.Context) error {
 	case constant.Custom:
 		item.PrivateKey = "-"
 		item.Passphrase = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.Password) == 0 {
+		if item.Password == "" {
 			item.Password = "-"
 		}
+		if item.Password != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Password), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Password = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
 	case constant.PrivateKey:
 		item.Password = "-"
-		if len(item.Username) == 0 {
+		if item.Username == "" {
 			item.Username = "-"
 		}
-		if len(item.PrivateKey) == 0 {
+		if item.PrivateKey == "" {
 			item.PrivateKey = "-"
 		}
-		if len(item.Passphrase) == 0 {
+		if item.PrivateKey != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.PrivateKey), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.PrivateKey = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
+		if item.Passphrase == "" {
 			item.Passphrase = "-"
 		}
+		if item.Passphrase != "-" {
+			encryptedCBC, err := utils.AesEncryptCBC([]byte(item.Passphrase), global.Config.EncryptionPassword)
+			if err != nil {
+				return err
+			}
+			item.Passphrase = base64.StdEncoding.EncodeToString(encryptedCBC)
+		}
 	default:
 		return Fail(c, -1, "类型错误")
 	}
+	item.Encrypted = true
 
 	if err := credentialRepository.UpdateById(&item, id); err != nil {
 		return err
@@ -149,7 +174,7 @@ func CredentialGetEndpoint(c echo.Context) error {
 		return err
 	}
 
-	item, err := credentialRepository.FindById(id)
+	item, err := credentialRepository.FindByIdAndDecrypt(id)
 	if err != nil {
 		return err
 	}

server/api/routes.go

@@ -1,8 +1,10 @@
 package api
 
 import (
+	"crypto/md5"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -45,6 +47,7 @@ var (
 	sessionService  *service.SessionService
 	mailService     *service.MailService
 	numService      *service.NumService
+	assetService    *service.AssetService
 )
 
 func SetupRoutes(db *gorm.DB) *echo.Echo {
@@ -54,6 +57,7 @@ func SetupRoutes(db *gorm.DB) *echo.Echo {
 
 	if err := InitDBData(); err != nil {
 		log.WithError(err).Error("初始化数据异常")
+		os.Exit(0)
 	}
 
 	if err := ReloadData(); err != nil {
@@ -251,6 +255,7 @@ func InitService() {
 	sessionService = service.NewSessionService(sessionRepository)
 	mailService = service.NewMailService(propertyRepository)
 	numService = service.NewNumService(numRepository)
+	assetService = service.NewAssetService(assetRepository)
 }
 
 func InitDBData() (err error) {
@@ -266,12 +271,18 @@ func InitDBData() (err error) {
 	if err := jobService.InitJob(); err != nil {
 		return err
 	}
-	if err := userService.FixedUserOnlineState(); err != nil {
+	if err := userService.FixUserOnlineState(); err != nil {
 		return err
 	}
 	if err := sessionService.FixSessionState(); err != nil {
 		return err
 	}
+	if err := sessionService.EmptyPassword(); err != nil {
+		return err
+	}
+	if err := assetService.Encrypt(); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -312,6 +323,47 @@ func ResetTotp(username string) error {
 	return nil
 }
 
+func ChangeEncryptionKey(oldEncryptionKey, newEncryptionKey string) error {
+
+	oldPassword := []byte(fmt.Sprintf("%x", md5.Sum([]byte(oldEncryptionKey))))
+	newPassword := []byte(fmt.Sprintf("%x", md5.Sum([]byte(newEncryptionKey))))
+
+	credentials, err := credentialRepository.FindAll()
+	if err != nil {
+		return err
+	}
+	for i := range credentials {
+		credential := credentials[i]
+		if err := credentialRepository.Decrypt(&credential, oldPassword); err != nil {
+			return err
+		}
+		if err := credentialRepository.Encrypt(&credential, newPassword); err != nil {
+			return err
+		}
+		if err := credentialRepository.UpdateById(&credential, credential.ID); err != nil {
+			return err
+		}
+	}
+	assets, err := assetRepository.FindAll()
+	if err != nil {
+		return err
+	}
+	for i := range assets {
+		asset := assets[i]
+		if err := assetRepository.Decrypt(&asset, oldPassword); err != nil {
+			return err
+		}
+		if err := assetRepository.Encrypt(&asset, newPassword); err != nil {
+			return err
+		}
+		if err := assetRepository.UpdateById(&asset, asset.ID); err != nil {
+			return err
+		}
+	}
+	log.Infof("encryption key has being changed.")
+	return nil
+}
+
 func SetupCache() *cache.Cache {
 	// 配置缓存器
 	mCache := cache.New(5*time.Minute, 10*time.Minute)

server/api/session.go

@@ -137,6 +137,9 @@ func CloseSessionById(sessionId string, code int, reason string) {
 	session.DisconnectedTime = utils.NowJsonTime()
 	session.Code = code
 	session.Message = reason
+	session.Password = "-"
+	session.PrivateKey = "-"
+	session.Passphrase = "-"
 
 	_ = sessionRepository.UpdateById(&session, sessionId)
 }
@@ -359,7 +362,7 @@ type File struct {
 
 func SessionLsEndpoint(c echo.Context) error {
 	sessionId := c.Param("id")
-	session, err := sessionRepository.FindById(sessionId)
+	session, err := sessionRepository.FindByIdAndDecrypt(sessionId)
 	if err != nil {
 		return err
 	}

server/api/ssh.go

@@ -54,7 +54,7 @@ func SSHEndpoint(c echo.Context) (err error) {
 	cols, _ := strconv.Atoi(c.QueryParam("cols"))
 	rows, _ := strconv.Atoi(c.QueryParam("rows"))
 
-	session, err := sessionRepository.FindById(sessionId)
+	session, err := sessionRepository.FindByIdAndDecrypt(sessionId)
 	if err != nil {
 		msg := Message{
 			Type:    Closed,

server/api/tunnel.go

@@ -65,7 +65,7 @@ func TunEndpoint(c echo.Context) error {
 		configuration.SetParameter("width", width)
 		configuration.SetParameter("height", height)
 		configuration.SetParameter("dpi", dpi)
-		session, err = sessionRepository.FindById(sessionId)
+		session, err = sessionRepository.FindByIdAndDecrypt(sessionId)
 		if err != nil {
 			CloseSessionById(sessionId, NotFoundSession, "会话不存在")
 			return err