自动检查管理员弱密码并提醒

2025-11-03 23:20:26 +08:00 · 2023-04-04 17:26:08 +08:00
parent 790165c73a
commit 5b2c965831
3 changed files with 119 additions and 28 deletions
--- a/internal/db/models/admin_dao.go
+++ b/internal/db/models/admin_dao.go
@@ -1,6 +1,7 @@
 package models

 import (
+	dbutils "github.com/TeaOSLab/EdgeAPI/internal/db/utils"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
@@ -266,17 +267,34 @@ func (this *AdminDAO) FindAllAdminModules(tx *dbs.Tx) (result []*Admin, err erro
 }

 // CountAllEnabledAdmins 计算所有管理员数量
-func (this *AdminDAO) CountAllEnabledAdmins(tx *dbs.Tx) (int64, error) {
-	return this.Query(tx).
+func (this *AdminDAO) CountAllEnabledAdmins(tx *dbs.Tx, keyword string, hasWeakPasswords bool) (int64, error) {
+	var query = this.Query(tx)
+	if len(keyword) > 0 {
+		query.Where("(username LIKE :keyword OR fullname LIKE :keyword)")
+		query.Param("keyword", dbutils.QuoteLike(keyword))
+	}
+	if hasWeakPasswords {
+		query.Attr("password", weakPasswords)
+	}
+	return query.
 		State(AdminStateEnabled).
 		Count()
 }

 // ListEnabledAdmins 列出单页的管理员
-func (this *AdminDAO) ListEnabledAdmins(tx *dbs.Tx, offset int64, size int64) (result []*Admin, err error) {
-	_, err = this.Query(tx).
+func (this *AdminDAO) ListEnabledAdmins(tx *dbs.Tx, keyword string, hasWeakPasswords bool, offset int64, size int64) (result []*Admin, err error) {
+	var query = this.Query(tx)
+	if len(keyword) > 0 {
+		query.Where("(username LIKE :keyword OR fullname LIKE :keyword)")
+		query.Param("keyword", dbutils.QuoteLike(keyword))
+	}
+	if hasWeakPasswords {
+		query.Attr("password", weakPasswords)
+	}
+
+	_, err = query.
 		State(AdminStateEnabled).
-		Result("id", "isOn", "username", "fullname", "isSuper", "createdAt", "canLogin").
+		Result("id", "isOn", "username", "fullname", "isSuper", "createdAt", "canLogin", "password").
 		Offset(offset).
 		Limit(size).
 		DescPk().
@@ -292,3 +310,15 @@ func (this *AdminDAO) UpdateAdminTheme(tx *dbs.Tx, adminId int64, theme string)
 		Set("theme", theme).
 		UpdateQuickly()
 }
+
+// CheckSuperAdmin 检查管理员是否为超级管理员
+func (this *AdminDAO) CheckSuperAdmin(tx *dbs.Tx, adminId int64) (bool, error) {
+	if adminId <= 0 {
+		return false, nil
+	}
+	return this.Query(tx).
+		Pk(adminId).
+		State(AdminStateEnabled).
+		Attr("isSuper", true).
+		Exist()
+}
--- a/internal/db/models/admin_model_ext.go
+++ b/internal/db/models/admin_model_ext.go
@@ -1 +1,42 @@
 package models
+
+import stringutil "github.com/iwind/TeaGo/utils/string"
+
+// 弱密码集合
+var weakPasswords = []string{}
+
+func init() {
+	// 初始化弱密码集合
+	for _, password := range []string{
+		"123",
+		"1234",
+		"12345",
+		"123456",
+		"12345678",
+		"123456789",
+		"000000",
+		"111111",
+		"666666",
+		"888888",
+		"654321",
+		"123456789",
+		"password",
+		"qwerty",
+		"admin",
+	} {
+		weakPasswords = append(weakPasswords, stringutil.Md5(password))
+	}
+}
+
+func (this *Admin) HasWeakPassword() bool {
+	if len(this.Password) == 0 {
+		return false
+	}
+
+	for _, weakPassword := range weakPasswords {
+		if weakPassword == this.Password {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/rpc/services/service_admin.go
+++ b/internal/rpc/services/service_admin.go
@@ -127,7 +127,7 @@ func (this *AdminService) FindAdminFullname(ctx context.Context, req *pb.FindAdm

 // FindEnabledAdmin 获取管理员信息
 func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnabledAdminRequest) (*pb.FindEnabledAdminResponse, error) {
-	_, err := this.ValidateAdmin(ctx)
+	adminId, err := this.ValidateAdmin(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -136,6 +136,12 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab

 	var tx = this.NullTx()

+	// 超级管理员才能查看是否为弱密码
+	isSuperAdmin, err := models.SharedAdminDAO.CheckSuperAdmin(tx, adminId)
+	if err != nil {
+		return nil, err
+	}
+
 	admin, err := models.SharedAdminDAO.FindEnabledAdmin(tx, req.AdminId)
 	if err != nil {
 		return nil, err
@@ -144,7 +150,7 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab
 		return &pb.FindEnabledAdminResponse{Admin: nil}, nil
 	}

-	pbModules := []*pb.AdminModule{}
+	var pbModules = []*pb.AdminModule{}
 	modules := []*systemconfigs.AdminModule{}
 	if len(admin.Modules) > 0 {
 		err = json.Unmarshal(admin.Modules, &modules)
@@ -178,14 +184,15 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab
 	}

 	result := &pb.Admin{
-		Id:       int64(admin.Id),
-		Fullname: admin.Fullname,
-		Username: admin.Username,
-		IsOn:     admin.IsOn,
-		IsSuper:  admin.IsSuper,
-		Modules:  pbModules,
-		OtpLogin: pbOtpAuth,
-		CanLogin: admin.CanLogin,
+		Id:              int64(admin.Id),
+		Fullname:        admin.Fullname,
+		Username:        admin.Username,
+		IsOn:            admin.IsOn,
+		IsSuper:         admin.IsSuper,
+		Modules:         pbModules,
+		OtpLogin:        pbOtpAuth,
+		CanLogin:        admin.CanLogin,
+		HasWeakPassword: isSuperAdmin && admin.HasWeakPassword(),
 	}
 	return &pb.FindEnabledAdminResponse{Admin: result}, nil
 }
@@ -347,7 +354,7 @@ func (this *AdminService) UpdateAdmin(ctx context.Context, req *pb.UpdateAdminRe

 // CountAllEnabledAdmins 计算管理员数量
 func (this *AdminService) CountAllEnabledAdmins(ctx context.Context, req *pb.CountAllEnabledAdminsRequest) (*pb.RPCCountResponse, error) {
-	_, err := this.ValidateAdmin(ctx)
+	adminId, err := this.ValidateAdmin(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -356,7 +363,13 @@ func (this *AdminService) CountAllEnabledAdmins(ctx context.Context, req *pb.Cou

 	var tx = this.NullTx()

-	count, err := models.SharedAdminDAO.CountAllEnabledAdmins(tx)
+	// 超级管理员才能查看是否为弱密码
+	isSuperAdmin, err := models.SharedAdminDAO.CheckSuperAdmin(tx, adminId)
+	if err != nil {
+		return nil, err
+	}
+
+	count, err := models.SharedAdminDAO.CountAllEnabledAdmins(tx, req.Keyword, isSuperAdmin && req.HasWeakPassword)
 	if err != nil {
 		return nil, err
 	}
@@ -365,7 +378,7 @@ func (this *AdminService) CountAllEnabledAdmins(ctx context.Context, req *pb.Cou

 // ListEnabledAdmins 列出单页的管理员
 func (this *AdminService) ListEnabledAdmins(ctx context.Context, req *pb.ListEnabledAdminsRequest) (*pb.ListEnabledAdminsResponse, error) {
-	_, err := this.ValidateAdmin(ctx)
+	adminId, err := this.ValidateAdmin(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -374,12 +387,18 @@ func (this *AdminService) ListEnabledAdmins(ctx context.Context, req *pb.ListEna

 	var tx = this.NullTx()

-	admins, err := models.SharedAdminDAO.ListEnabledAdmins(tx, req.Offset, req.Size)
+	// 超级管理员才能查看是否为弱密码
+	isSuperAdmin, err := models.SharedAdminDAO.CheckSuperAdmin(tx, adminId)
 	if err != nil {
 		return nil, err
 	}

-	result := []*pb.Admin{}
+	admins, err := models.SharedAdminDAO.ListEnabledAdmins(tx, req.Keyword, isSuperAdmin && req.HasWeakPassword, req.Offset, req.Size)
+	if err != nil {
+		return nil, err
+	}
+
+	var result = []*pb.Admin{}
 	for _, admin := range admins {
 		var pbOtpAuth *pb.Login = nil
 		{
@@ -398,14 +417,15 @@ func (this *AdminService) ListEnabledAdmins(ctx context.Context, req *pb.ListEna
 		}

 		result = append(result, &pb.Admin{
-			Id:        int64(admin.Id),
-			Fullname:  admin.Fullname,
-			Username:  admin.Username,
-			IsOn:      admin.IsOn,
-			IsSuper:   admin.IsSuper,
-			CreatedAt: int64(admin.CreatedAt),
-			OtpLogin:  pbOtpAuth,
-			CanLogin:  admin.CanLogin,
+			Id:              int64(admin.Id),
+			Fullname:        admin.Fullname,
+			Username:        admin.Username,
+			IsOn:            admin.IsOn,
+			IsSuper:         admin.IsSuper,
+			CreatedAt:       int64(admin.CreatedAt),
+			OtpLogin:        pbOtpAuth,
+			CanLogin:        admin.CanLogin,
+			HasWeakPassword: isSuperAdmin && admin.HasWeakPassword(),
 		})
 	}