安全设置增加允许访问的国家地区、省份、是否局域网访问

2026-03-09 21:15:36 +08:00 · 2020-11-20 21:59:12 +08:00
parent 8d8460c3fe
commit 3ec89a432c
25 changed files with 609 additions and 49 deletions
--- a/internal/web/helpers/user_must_auth.go
+++ b/internal/web/helpers/user_must_auth.go
@@ -35,6 +35,12 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 	}
 	action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")

+	// 检查IP
+	if !checkIP(securityConfig, action.RequestRemoteIP()) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	// 检查系统是否已经配置过
 	if !setup.IsConfigured() {
 		action.RedirectURL("/setup")
@@ -82,8 +88,48 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 		return action.Data["teaTitle"].(string)
 	})

-	// 初始化变量
-	modules := []maps.Map{
+	action.Data["teaTitle"] = teaconst.ProductNameZH
+	action.Data["teaName"] = teaconst.ProductNameZH
+
+	resp, err := rpc.AdminRPC().FindAdminFullname(rpc.Context(0), &pb.FindAdminFullnameRequest{AdminId: int64(this.AdminId)})
+	if err != nil {
+		utils.PrintError(err)
+		action.Data["teaUsername"] = ""
+	} else {
+		action.Data["teaUsername"] = resp.Fullname
+	}
+
+	action.Data["teaUserAvatar"] = ""
+
+	action.Data["teaMenu"] = ""
+	action.Data["teaModules"] = this.modules()
+	action.Data["teaSubMenus"] = []map[string]interface{}{}
+	action.Data["teaTabbar"] = []map[string]interface{}{}
+	action.Data["teaVersion"] = teaconst.Version
+	action.Data["teaIsSuper"] = false
+	action.Data["teaDemoEnabled"] = teaconst.IsDemo
+	if !action.Data.Has("teaSubMenu") {
+		action.Data["teaSubMenu"] = ""
+	}
+
+	// 菜单
+	action.Data["firstMenuItem"] = ""
+
+	// 未读消息数
+	action.Data["teaBadge"] = 0
+
+	// 调用Init
+	initMethod := reflect.ValueOf(actionPtr).MethodByName("Init")
+	if initMethod.IsValid() {
+		initMethod.Call([]reflect.Value{})
+	}
+
+	return true
+}
+
+// 菜单配置
+func (this *UserMustAuth) modules() []maps.Map {
+	return []maps.Map{
 		{
 			"code": "servers",
 			"name": "网站服务",
@@ -136,46 +182,9 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 			"icon": "history",
 		},
 	}
-
-	action.Data["teaTitle"] = teaconst.ProductNameZH
-	action.Data["teaName"] = teaconst.ProductNameZH
-
-	resp, err := rpc.AdminRPC().FindAdminFullname(rpc.Context(0), &pb.FindAdminFullnameRequest{AdminId: int64(this.AdminId)})
-	if err != nil {
-		utils.PrintError(err)
-		action.Data["teaUsername"] = ""
-	} else {
-		action.Data["teaUsername"] = resp.Fullname
-	}
-
-	action.Data["teaUserAvatar"] = ""
-
-	action.Data["teaMenu"] = ""
-	action.Data["teaModules"] = modules
-	action.Data["teaSubMenus"] = []map[string]interface{}{}
-	action.Data["teaTabbar"] = []map[string]interface{}{}
-	action.Data["teaVersion"] = teaconst.Version
-	action.Data["teaIsSuper"] = false
-	action.Data["teaDemoEnabled"] = teaconst.IsDemo
-	if !action.Data.Has("teaSubMenu") {
-		action.Data["teaSubMenu"] = ""
-	}
-
-	// 菜单
-	action.Data["firstMenuItem"] = ""
-
-	// 未读消息数
-	action.Data["teaBadge"] = 0
-
-	// 调用Init
-	initMethod := reflect.ValueOf(actionPtr).MethodByName("Init")
-	if initMethod.IsValid() {
-		initMethod.Call([]reflect.Value{})
-	}
-
-	return true
 }

+// 跳转到登录页
 func (this *UserMustAuth) login(action *actions.ActionObject) {
 	action.RedirectURL("/")
 }
--- a/internal/web/helpers/user_should_auth.go
+++ b/internal/web/helpers/user_should_auth.go
@@ -24,6 +24,12 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
 	}
 	action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")

+	// 检查IP
+	if !checkIP(securityConfig, action.RequestRemoteIP()) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	return true
 }

--- a/internal/web/helpers/utils.go
+++ b/internal/web/helpers/utils.go
@@ -0,0 +1,60 @@
+package helpers
+
+import (
+	nodes "github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeAdmin/internal/securitymanager"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/logs"
+	"net"
+)
+
+// 检查用户IP
+func checkIP(config *securitymanager.SecurityConfig, ipAddr string) bool {
+	if config == nil {
+		return true
+	}
+
+	// 本地IP
+	ip := net.ParseIP(ipAddr).To4()
+	if ip == nil {
+		logs.Println("[USER_MUST_AUTH]invalid client address: " + ipAddr)
+		return false
+	}
+	if config.AllowLocal && isLocalIP(ip) {
+		return true
+	}
+
+	// 检查位置
+	if len(config.AllowCountryIds) > 0 || len(config.AllowProvinceIds) > 0 {
+		rpc, err := nodes.SharedRPC()
+		if err != nil {
+			logs.Println("[USER_MUST_AUTH][ERROR]" + err.Error())
+			return false
+		}
+		resp, err := rpc.IPLibraryRPC().LookupIPRegion(rpc.Context(0), &pb.LookupIPRegionRequest{Ip: ipAddr})
+		if err != nil {
+			logs.Println("[USER_MUST_AUTH][ERROR]" + err.Error())
+			return false
+		}
+		if resp.Region == nil {
+			return true
+		}
+		if len(config.AllowCountryIds) > 0 && !lists.ContainsInt64(config.AllowCountryIds, resp.Region.CountryId) {
+			return false
+		}
+		if len(config.AllowProvinceIds) > 0 && !lists.ContainsInt64(config.AllowProvinceIds, resp.Region.ProvinceId) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// 判断是否为本地IP
+func isLocalIP(ip net.IP) bool {
+	return ip[0] == 127 ||
+		ip[0] == 10 ||
+		(ip[0] == 172 && ip[1]&0xf0 == 16) ||
+		(ip[0] == 192 && ip[1] == 168)
+}