[系统用户]增加OTP动态密码二次认证

2025-12-14 14:50:24 +08:00 · 2020-12-24 17:16:51 +08:00
parent df33936ba1
commit 34e6f29aae
12 changed files with 330 additions and 30 deletions
--- a/internal/const/const.go
+++ b/internal/const/const.go
@@ -1,7 +1,7 @@
 package teaconst

 const (
-	Version = "0.0.6"
+	Version = "0.0.6.1"

 	ProductName   = "Edge API"
 	ProcessName   = "edge-api"
--- a/internal/db/models/login_dao.go
+++ b/internal/db/models/login_dao.go
@@ -0,0 +1,151 @@
+package models
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/maps"
+)
+
+const (
+	LoginStateEnabled  = 1 // 已启用
+	LoginStateDisabled = 0 // 已禁用
+)
+
+type LoginType = string
+
+const (
+	LoginTypeOTP LoginType = "otp"
+)
+
+type LoginDAO dbs.DAO
+
+func NewLoginDAO() *LoginDAO {
+	return dbs.NewDAO(&LoginDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeLogins",
+			Model:  new(Login),
+			PkName: "id",
+		},
+	}).(*LoginDAO)
+}
+
+var SharedLoginDAO *LoginDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedLoginDAO = NewLoginDAO()
+	})
+}
+
+// 启用条目
+func (this *LoginDAO) EnableLogin(id int64) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", LoginStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *LoginDAO) DisableLogin(id int64) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", LoginStateDisabled).
+		Update()
+	return err
+}
+
+// 查找启用中的条目
+func (this *LoginDAO) FindEnabledLogin(id int64) (*Login, error) {
+	result, err := this.Query().
+		Pk(id).
+		Attr("state", LoginStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*Login), err
+}
+
+// 创建认证
+func (this *LoginDAO) CreateLogin(Id int64, loginType LoginType, params maps.Map) (int64, error) {
+	if Id <= 0 {
+		return 0, errors.New("invalid Id")
+	}
+	if params == nil {
+		params = maps.Map{}
+	}
+	op := NewLoginOperator()
+	op.Id = Id
+	op.Type = loginType
+	op.Params = params.AsJSON()
+	op.State = LoginStateEnabled
+	op.IsOn = true
+	return this.SaveInt64(op)
+}
+
+// 修改认证
+func (this *LoginDAO) UpdateLogin(adminId int64, loginType LoginType, params maps.Map, isOn bool) error {
+	// 是否已经存在
+	loginId, err := this.Query().
+		Attr("adminId", adminId).
+		Attr("type", loginType).
+		State(LoginStateEnabled).
+		ResultPk().
+		FindInt64Col(0)
+	if err != nil {
+		return err
+	}
+	op := NewLoginOperator()
+	if loginId > 0 {
+		op.Id = loginId
+	} else {
+		op.AdminId = adminId
+		op.Type = loginType
+		op.State = LoginStateEnabled
+	}
+
+	if params == nil {
+		params = maps.Map{}
+	}
+
+	op.IsOn = isOn
+	op.Params = params.AsJSON()
+	return this.Save(op)
+}
+
+// 禁用相关认证
+func (this *LoginDAO) DisableLoginWithAdminId(adminId int64, loginType LoginType) error {
+	_, err := this.Query().
+		Attr("adminId", adminId).
+		Attr("type", loginType).
+		Set("isOn", false).
+		Update()
+	return err
+}
+
+// 查找管理员相关的认证
+func (this *LoginDAO) FindEnabledLoginWithAdminId(adminId int64, loginType LoginType) (*Login, error) {
+	one, err := this.Query().
+		Attr("adminId", adminId).
+		Attr("type", loginType).
+		State(LoginStateEnabled).
+		Find()
+	if err != nil || one == nil {
+		return nil, err
+	}
+	return one.(*Login), nil
+}
+
+// 检查某个认证是否启用
+func (this *LoginDAO) CheckLoginIsOn(adminId int64, loginType LoginType) (bool, error) {
+	return this.Query().
+		Attr("adminId", adminId).
+		Attr("type", loginType).
+		State(LoginStateEnabled).
+		Attr("isOn", true).
+		Exist()
+}
--- a/internal/db/models/login_dao_test.go
+++ b/internal/db/models/login_dao_test.go
@@ -0,0 +1,5 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/login_model.go
+++ b/internal/db/models/login_model.go
@@ -0,0 +1,26 @@
+package models
+
+// 第三方登录认证
+type Login struct {
+	Id      uint32 `field:"id"`      // ID
+	AdminId uint32 `field:"adminId"` // 管理员ID
+	UserId  uint32 `field:"userId"`  // 用户ID
+	IsOn    uint8  `field:"isOn"`    // 是否启用
+	Type    string `field:"type"`    // 认证方式
+	Params  string `field:"params"`  // 参数
+	State   uint8  `field:"state"`   // 状态
+}
+
+type LoginOperator struct {
+	Id      interface{} // ID
+	AdminId interface{} // 管理员ID
+	UserId  interface{} // 用户ID
+	IsOn    interface{} // 是否启用
+	Type    interface{} // 认证方式
+	Params  interface{} // 参数
+	State   interface{} // 状态
+}
+
+func NewLoginOperator() *LoginOperator {
+	return &LoginOperator{}
+}
--- a/internal/db/models/login_model_ext.go
+++ b/internal/db/models/login_model_ext.go
@@ -0,0 +1 @@
+package models
--- a/internal/db/models/server_dao.go
+++ b/internal/db/models/server_dao.go
@@ -977,6 +977,7 @@ func (this *ServerDAO) FindAllServersDNSWithClusterId(clusterId int64) (result [
 	_, err = this.Query().
 		State(ServerStateEnabled).
 		Attr("isOn", true).
+		Attr("isAuditing", false). // 不在审核中
 		Attr("clusterId", clusterId).
 		Result("id", "name", "dnsName").
 		DescPk().
--- a/internal/nodes/api_node.go
+++ b/internal/nodes/api_node.go
@@ -206,6 +206,7 @@ func (this *APINode) listenRPC(listener net.Listener, tlsConfig *tls.Config) err
 	pb.RegisterServerDailyStatServiceServer(rpcServer, &services.ServerDailyStatService{})
 	pb.RegisterUserBillServiceServer(rpcServer, &services.UserBillService{})
 	pb.RegisterUserNodeServiceServer(rpcServer, &services.UserNodeService{})
+	pb.RegisterLoginServiceServer(rpcServer, &services.LoginService{})
 	err := rpcServer.Serve(listener)
 	if err != nil {
 		return errors.New("[API_NODE]start rpc failed: " + err.Error())
--- a/internal/rpc/services/service_admin.go
+++ b/internal/rpc/services/service_admin.go
@@ -143,6 +143,23 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab
 		}
 	}

+	// OTP认证
+	var pbOtpAuth *pb.Login = nil
+	{
+		adminAuth, err := models.SharedLoginDAO.FindEnabledLoginWithAdminId(int64(admin.Id), models.LoginTypeOTP)
+		if err != nil {
+			return nil, err
+		}
+		if adminAuth != nil {
+			pbOtpAuth = &pb.Login{
+				Id:         int64(adminAuth.Id),
+				Type:       adminAuth.Type,
+				ParamsJSON: []byte(adminAuth.Params),
+				IsOn:       adminAuth.IsOn == 1,
+			}
+		}
+	}
+
 	result := &pb.Admin{
 		Id:       int64(admin.Id),
 		Fullname: admin.Fullname,
@@ -150,6 +167,7 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab
 		IsOn:     admin.IsOn == 1,
 		IsSuper:  admin.IsSuper == 1,
 		Modules:  pbModules,
+		OtpLogin: pbOtpAuth,
 	}
 	return &pb.FindEnabledAdminResponse{Admin: result}, nil
 }
@@ -275,6 +293,7 @@ func (this *AdminService) CreateAdmin(ctx context.Context, req *pb.CreateAdminRe
 	if err != nil {
 		return nil, err
 	}
+
 	return &pb.CreateAdminResponse{AdminId: adminId}, nil
 }

@@ -291,6 +310,7 @@ func (this *AdminService) UpdateAdmin(ctx context.Context, req *pb.UpdateAdminRe
 	if err != nil {
 		return nil, err
 	}
+
 	return this.Success()
 }

@@ -326,6 +346,22 @@ func (this *AdminService) ListEnabledAdmins(ctx context.Context, req *pb.ListEna

 	result := []*pb.Admin{}
 	for _, admin := range admins {
+		var pbOtpAuth *pb.Login = nil
+		{
+			adminAuth, err := models.SharedLoginDAO.FindEnabledLoginWithAdminId(int64(admin.Id), models.LoginTypeOTP)
+			if err != nil {
+				return nil, err
+			}
+			if adminAuth != nil {
+				pbOtpAuth = &pb.Login{
+					Id:         int64(adminAuth.Id),
+					Type:       adminAuth.Type,
+					ParamsJSON: []byte(adminAuth.Params),
+					IsOn:       adminAuth.IsOn == 1,
+				}
+			}
+		}
+
 		result = append(result, &pb.Admin{
 			Id:        int64(admin.Id),
 			Fullname:  admin.Fullname,
@@ -333,6 +369,7 @@ func (this *AdminService) ListEnabledAdmins(ctx context.Context, req *pb.ListEna
 			IsOn:      admin.IsOn == 1,
 			IsSuper:   admin.IsSuper == 1,
 			CreatedAt: int64(admin.CreatedAt),
+			OtpLogin:  pbOtpAuth,
 		})
 	}

@@ -357,3 +394,29 @@ func (this *AdminService) DeleteAdmin(ctx context.Context, req *pb.DeleteAdminRe

 	return this.Success()
 }
+
+// 检查是否需要输入OTP
+func (this *AdminService) CheckAdminOTPWithUsername(ctx context.Context, req *pb.CheckAdminOTPWithUsernameRequest) (*pb.CheckAdminOTPWithUsernameResponse, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(req.Username) == 0 {
+		return &pb.CheckAdminOTPWithUsernameResponse{RequireOTP: false}, nil
+	}
+
+	adminId, err := models.SharedAdminDAO.FindAdminIdWithUsername(req.Username)
+	if err != nil {
+		return nil, err
+	}
+	if adminId <= 0 {
+		return &pb.CheckAdminOTPWithUsernameResponse{RequireOTP: false}, nil
+	}
+
+	otpIsOn, err := models.SharedLoginDAO.CheckLoginIsOn(adminId, "otp")
+	if err != nil {
+		return nil, err
+	}
+	return &pb.CheckAdminOTPWithUsernameResponse{RequireOTP: otpIsOn}, nil
+}
--- a/internal/rpc/services/service_login.go
+++ b/internal/rpc/services/service_login.go
@@ -0,0 +1,70 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/maps"
+)
+
+// 管理员认证相关服务
+type LoginService struct {
+	BaseService
+}
+
+// 查找认证
+func (this *LoginService) FindEnabledLogin(ctx context.Context, req *pb.FindEnabledLoginRequest) (*pb.FindEnabledLoginResponse, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+	login, err := models.SharedLoginDAO.FindEnabledLoginWithAdminId(req.AdminId, req.Type)
+	if err != nil {
+		return nil, err
+	}
+	if login == nil {
+		return &pb.FindEnabledLoginResponse{Login: nil}, nil
+	}
+	return &pb.FindEnabledLoginResponse{Login: &pb.Login{
+		Id:         int64(login.Id),
+		Type:       login.Type,
+		ParamsJSON: []byte(login.Params),
+		IsOn:       login.IsOn == 1,
+		AdminId:    int64(login.AdminId),
+		UserId:     int64(login.UserId),
+	}}, nil
+}
+
+// 修改认证
+func (this *LoginService) UpdateLogin(ctx context.Context, req *pb.UpdateLoginRequest) (*pb.RPCSuccess, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	if req.Login == nil {
+		return nil, errors.New("'login' should not be nil")
+	}
+
+	if req.Login.IsOn {
+		params := maps.Map{}
+		if len(req.Login.ParamsJSON) > 0 {
+			err = json.Unmarshal(req.Login.ParamsJSON, &params)
+			if err != nil {
+				return nil, err
+			}
+		}
+		err = models.SharedLoginDAO.UpdateLogin(req.Login.AdminId, req.Login.Type, params, req.Login.IsOn)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		err = models.SharedLoginDAO.DisableLoginWithAdminId(req.Login.AdminId, req.Login.Type)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return this.Success()
+}
--- a/internal/rpc/services/service_server.go
+++ b/internal/rpc/services/service_server.go
@@ -436,6 +436,14 @@ func (this *ServerService) UpdateServerNamesAuditing(ctx context.Context, req *p
 		}
 	}

+	// 通知服务更新
+	go func() {
+		err := this.notifyServerDNSChanged(req.ServerId)
+		if err != nil {
+			logs.Println("[DNS]notify server changed: " + err.Error())
+		}
+	}()
+
 	return this.Success()
 }

--- a/internal/setup/sql.go
+++ b/internal/setup/sql.go