mirror of
https://github.com/TeaOSLab/EdgeAdmin.git
synced 2026-04-20 19:39:00 +08:00
安全设置增加允许访问的国家地区、省份、是否局域网访问
This commit is contained in:
@@ -1,9 +1,12 @@
|
||||
package security
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/securitymanager"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
"github.com/iwind/TeaGo/actions"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
)
|
||||
|
||||
type IndexAction struct {
|
||||
@@ -20,12 +23,52 @@ func (this *IndexAction) RunGet(params struct{}) {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
|
||||
// 国家和地区
|
||||
countryMaps := []maps.Map{}
|
||||
for _, countryId := range config.AllowCountryIds {
|
||||
countryResp, err := this.RPC().RegionCountryRPC().FindEnabledRegionCountry(this.AdminContext(), &pb.FindEnabledRegionCountryRequest{CountryId: countryId})
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
country := countryResp.Country
|
||||
if country != nil {
|
||||
countryMaps = append(countryMaps, maps.Map{
|
||||
"id": country.Id,
|
||||
"name": country.Name,
|
||||
})
|
||||
}
|
||||
}
|
||||
this.Data["countries"] = countryMaps
|
||||
|
||||
// 省份
|
||||
provinceMaps := []maps.Map{}
|
||||
for _, provinceId := range config.AllowProvinceIds {
|
||||
provinceResp, err := this.RPC().RegionProvinceRPC().FindEnabledRegionProvince(this.AdminContext(), &pb.FindEnabledRegionProvinceRequest{ProvinceId: provinceId})
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
province := provinceResp.Province
|
||||
if province != nil {
|
||||
provinceMaps = append(provinceMaps, maps.Map{
|
||||
"id": province.Id,
|
||||
"name": province.Name,
|
||||
})
|
||||
}
|
||||
}
|
||||
this.Data["provinces"] = provinceMaps
|
||||
|
||||
this.Data["config"] = config
|
||||
this.Show()
|
||||
}
|
||||
|
||||
func (this *IndexAction) RunPost(params struct {
|
||||
Frame string
|
||||
Frame string
|
||||
CountryIdsJSON []byte
|
||||
ProvinceIdsJSON []byte
|
||||
AllowLocal bool
|
||||
|
||||
Must *actions.Must
|
||||
CSRF *actionutils.CSRF
|
||||
@@ -38,7 +81,34 @@ func (this *IndexAction) RunPost(params struct {
|
||||
return
|
||||
}
|
||||
|
||||
// 框架
|
||||
config.Frame = params.Frame
|
||||
|
||||
// 国家和地区
|
||||
countryIds := []int64{}
|
||||
if len(params.CountryIdsJSON) > 0 {
|
||||
err = json.Unmarshal(params.CountryIdsJSON, &countryIds)
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
}
|
||||
config.AllowCountryIds = countryIds
|
||||
|
||||
// 省份
|
||||
provinceIds := []int64{}
|
||||
if len(params.ProvinceIdsJSON) > 0 {
|
||||
err = json.Unmarshal(params.ProvinceIdsJSON, &provinceIds)
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
}
|
||||
config.AllowProvinceIds = provinceIds
|
||||
|
||||
// 允许本地
|
||||
config.AllowLocal = params.AllowLocal
|
||||
|
||||
err = securitymanager.UpdateSecurityConfig(config)
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
|
||||
@@ -11,6 +11,8 @@ func init() {
|
||||
server.
|
||||
Prefix("/ui").
|
||||
Get("/download", new(DownloadAction)).
|
||||
GetPost("/selectProvincesPopup", new(SelectProvincesPopupAction)).
|
||||
GetPost("/selectCountriesPopup", new(SelectCountriesPopupAction)).
|
||||
|
||||
// 以下的需要压缩
|
||||
Helper(&actions.Gzip{Level: gzip.BestCompression}).
|
||||
|
||||
70
internal/web/actions/default/ui/selectCountriesPopup.go
Normal file
70
internal/web/actions/default/ui/selectCountriesPopup.go
Normal file
@@ -0,0 +1,70 @@
|
||||
package ui
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/utils"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
"github.com/iwind/TeaGo/actions"
|
||||
"github.com/iwind/TeaGo/lists"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type SelectCountriesPopupAction struct {
|
||||
actionutils.ParentAction
|
||||
}
|
||||
|
||||
func (this *SelectCountriesPopupAction) Init() {
|
||||
this.Nav("", "", "")
|
||||
}
|
||||
|
||||
func (this *SelectCountriesPopupAction) RunGet(params struct {
|
||||
CountryIds string
|
||||
}) {
|
||||
selectedCountryIds := utils.SplitNumbers(params.CountryIds)
|
||||
|
||||
countriesResp, err := this.RPC().RegionCountryRPC().FindAllEnabledRegionCountries(this.AdminContext(), &pb.FindAllEnabledRegionCountriesRequest{})
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
countryMaps := []maps.Map{}
|
||||
for _, country := range countriesResp.Countries {
|
||||
countryMaps = append(countryMaps, maps.Map{
|
||||
"id": country.Id,
|
||||
"name": country.Name,
|
||||
"letter": strings.ToUpper(string(country.Pinyin[0][0])),
|
||||
"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
|
||||
})
|
||||
}
|
||||
this.Data["countries"] = countryMaps
|
||||
|
||||
this.Show()
|
||||
}
|
||||
|
||||
func (this *SelectCountriesPopupAction) RunPost(params struct {
|
||||
CountryIds []int64
|
||||
|
||||
Must *actions.Must
|
||||
CSRF *actionutils.CSRF
|
||||
}) {
|
||||
countryMaps := []maps.Map{}
|
||||
for _, countryId := range params.CountryIds {
|
||||
countryResp, err := this.RPC().RegionCountryRPC().FindEnabledRegionCountry(this.AdminContext(), &pb.FindEnabledRegionCountryRequest{CountryId: countryId})
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
country := countryResp.Country
|
||||
if country == nil {
|
||||
continue
|
||||
}
|
||||
countryMaps = append(countryMaps, maps.Map{
|
||||
"id": country.Id,
|
||||
"name": country.Name,
|
||||
})
|
||||
}
|
||||
this.Data["countries"] = countryMaps
|
||||
|
||||
this.Success()
|
||||
}
|
||||
70
internal/web/actions/default/ui/selectProvincesPopup.go
Normal file
70
internal/web/actions/default/ui/selectProvincesPopup.go
Normal file
@@ -0,0 +1,70 @@
|
||||
package ui
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/utils"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
"github.com/iwind/TeaGo/actions"
|
||||
"github.com/iwind/TeaGo/lists"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
)
|
||||
|
||||
const ChinaCountryId = 1
|
||||
|
||||
type SelectProvincesPopupAction struct {
|
||||
actionutils.ParentAction
|
||||
}
|
||||
|
||||
func (this *SelectProvincesPopupAction) Init() {
|
||||
this.Nav("", "", "")
|
||||
}
|
||||
|
||||
func (this *SelectProvincesPopupAction) RunGet(params struct {
|
||||
ProvinceIds string
|
||||
}) {
|
||||
selectedProvinceIds := utils.SplitNumbers(params.ProvinceIds)
|
||||
|
||||
provincesResp, err := this.RPC().RegionProvinceRPC().FindAllEnabledRegionProvincesWithCountryId(this.AdminContext(), &pb.FindAllEnabledRegionProvincesWithCountryIdRequest{CountryId: ChinaCountryId})
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
provinceMaps := []maps.Map{}
|
||||
for _, province := range provincesResp.Provinces {
|
||||
provinceMaps = append(provinceMaps, maps.Map{
|
||||
"id": province.Id,
|
||||
"name": province.Name,
|
||||
"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
|
||||
})
|
||||
}
|
||||
this.Data["provinces"] = provinceMaps
|
||||
|
||||
this.Show()
|
||||
}
|
||||
|
||||
func (this *SelectProvincesPopupAction) RunPost(params struct {
|
||||
ProvinceIds []int64
|
||||
|
||||
Must *actions.Must
|
||||
CSRF *actionutils.CSRF
|
||||
}) {
|
||||
provinceMaps := []maps.Map{}
|
||||
for _, provinceId := range params.ProvinceIds {
|
||||
provinceResp, err := this.RPC().RegionProvinceRPC().FindEnabledRegionProvince(this.AdminContext(), &pb.FindEnabledRegionProvinceRequest{ProvinceId: provinceId})
|
||||
if err != nil {
|
||||
this.ErrorPage(err)
|
||||
return
|
||||
}
|
||||
province := provinceResp.Province
|
||||
if province == nil {
|
||||
continue
|
||||
}
|
||||
provinceMaps = append(provinceMaps, maps.Map{
|
||||
"id": province.Id,
|
||||
"name": province.Name,
|
||||
})
|
||||
}
|
||||
this.Data["provinces"] = provinceMaps
|
||||
|
||||
this.Success()
|
||||
}
|
||||
@@ -35,6 +35,12 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
|
||||
}
|
||||
action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
|
||||
|
||||
// 检查IP
|
||||
if !checkIP(securityConfig, action.RequestRemoteIP()) {
|
||||
action.ResponseWriter.WriteHeader(http.StatusForbidden)
|
||||
return false
|
||||
}
|
||||
|
||||
// 检查系统是否已经配置过
|
||||
if !setup.IsConfigured() {
|
||||
action.RedirectURL("/setup")
|
||||
@@ -82,8 +88,48 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
|
||||
return action.Data["teaTitle"].(string)
|
||||
})
|
||||
|
||||
// 初始化变量
|
||||
modules := []maps.Map{
|
||||
action.Data["teaTitle"] = teaconst.ProductNameZH
|
||||
action.Data["teaName"] = teaconst.ProductNameZH
|
||||
|
||||
resp, err := rpc.AdminRPC().FindAdminFullname(rpc.Context(0), &pb.FindAdminFullnameRequest{AdminId: int64(this.AdminId)})
|
||||
if err != nil {
|
||||
utils.PrintError(err)
|
||||
action.Data["teaUsername"] = ""
|
||||
} else {
|
||||
action.Data["teaUsername"] = resp.Fullname
|
||||
}
|
||||
|
||||
action.Data["teaUserAvatar"] = ""
|
||||
|
||||
action.Data["teaMenu"] = ""
|
||||
action.Data["teaModules"] = this.modules()
|
||||
action.Data["teaSubMenus"] = []map[string]interface{}{}
|
||||
action.Data["teaTabbar"] = []map[string]interface{}{}
|
||||
action.Data["teaVersion"] = teaconst.Version
|
||||
action.Data["teaIsSuper"] = false
|
||||
action.Data["teaDemoEnabled"] = teaconst.IsDemo
|
||||
if !action.Data.Has("teaSubMenu") {
|
||||
action.Data["teaSubMenu"] = ""
|
||||
}
|
||||
|
||||
// 菜单
|
||||
action.Data["firstMenuItem"] = ""
|
||||
|
||||
// 未读消息数
|
||||
action.Data["teaBadge"] = 0
|
||||
|
||||
// 调用Init
|
||||
initMethod := reflect.ValueOf(actionPtr).MethodByName("Init")
|
||||
if initMethod.IsValid() {
|
||||
initMethod.Call([]reflect.Value{})
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// 菜单配置
|
||||
func (this *UserMustAuth) modules() []maps.Map {
|
||||
return []maps.Map{
|
||||
{
|
||||
"code": "servers",
|
||||
"name": "网站服务",
|
||||
@@ -136,46 +182,9 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
|
||||
"icon": "history",
|
||||
},
|
||||
}
|
||||
|
||||
action.Data["teaTitle"] = teaconst.ProductNameZH
|
||||
action.Data["teaName"] = teaconst.ProductNameZH
|
||||
|
||||
resp, err := rpc.AdminRPC().FindAdminFullname(rpc.Context(0), &pb.FindAdminFullnameRequest{AdminId: int64(this.AdminId)})
|
||||
if err != nil {
|
||||
utils.PrintError(err)
|
||||
action.Data["teaUsername"] = ""
|
||||
} else {
|
||||
action.Data["teaUsername"] = resp.Fullname
|
||||
}
|
||||
|
||||
action.Data["teaUserAvatar"] = ""
|
||||
|
||||
action.Data["teaMenu"] = ""
|
||||
action.Data["teaModules"] = modules
|
||||
action.Data["teaSubMenus"] = []map[string]interface{}{}
|
||||
action.Data["teaTabbar"] = []map[string]interface{}{}
|
||||
action.Data["teaVersion"] = teaconst.Version
|
||||
action.Data["teaIsSuper"] = false
|
||||
action.Data["teaDemoEnabled"] = teaconst.IsDemo
|
||||
if !action.Data.Has("teaSubMenu") {
|
||||
action.Data["teaSubMenu"] = ""
|
||||
}
|
||||
|
||||
// 菜单
|
||||
action.Data["firstMenuItem"] = ""
|
||||
|
||||
// 未读消息数
|
||||
action.Data["teaBadge"] = 0
|
||||
|
||||
// 调用Init
|
||||
initMethod := reflect.ValueOf(actionPtr).MethodByName("Init")
|
||||
if initMethod.IsValid() {
|
||||
initMethod.Call([]reflect.Value{})
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// 跳转到登录页
|
||||
func (this *UserMustAuth) login(action *actions.ActionObject) {
|
||||
action.RedirectURL("/")
|
||||
}
|
||||
|
||||
@@ -24,6 +24,12 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
|
||||
}
|
||||
action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
|
||||
|
||||
// 检查IP
|
||||
if !checkIP(securityConfig, action.RequestRemoteIP()) {
|
||||
action.ResponseWriter.WriteHeader(http.StatusForbidden)
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
|
||||
60
internal/web/helpers/utils.go
Normal file
60
internal/web/helpers/utils.go
Normal file
@@ -0,0 +1,60 @@
|
||||
package helpers
|
||||
|
||||
import (
|
||||
nodes "github.com/TeaOSLab/EdgeAdmin/internal/rpc"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/securitymanager"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
"github.com/iwind/TeaGo/lists"
|
||||
"github.com/iwind/TeaGo/logs"
|
||||
"net"
|
||||
)
|
||||
|
||||
// 检查用户IP
|
||||
func checkIP(config *securitymanager.SecurityConfig, ipAddr string) bool {
|
||||
if config == nil {
|
||||
return true
|
||||
}
|
||||
|
||||
// 本地IP
|
||||
ip := net.ParseIP(ipAddr).To4()
|
||||
if ip == nil {
|
||||
logs.Println("[USER_MUST_AUTH]invalid client address: " + ipAddr)
|
||||
return false
|
||||
}
|
||||
if config.AllowLocal && isLocalIP(ip) {
|
||||
return true
|
||||
}
|
||||
|
||||
// 检查位置
|
||||
if len(config.AllowCountryIds) > 0 || len(config.AllowProvinceIds) > 0 {
|
||||
rpc, err := nodes.SharedRPC()
|
||||
if err != nil {
|
||||
logs.Println("[USER_MUST_AUTH][ERROR]" + err.Error())
|
||||
return false
|
||||
}
|
||||
resp, err := rpc.IPLibraryRPC().LookupIPRegion(rpc.Context(0), &pb.LookupIPRegionRequest{Ip: ipAddr})
|
||||
if err != nil {
|
||||
logs.Println("[USER_MUST_AUTH][ERROR]" + err.Error())
|
||||
return false
|
||||
}
|
||||
if resp.Region == nil {
|
||||
return true
|
||||
}
|
||||
if len(config.AllowCountryIds) > 0 && !lists.ContainsInt64(config.AllowCountryIds, resp.Region.CountryId) {
|
||||
return false
|
||||
}
|
||||
if len(config.AllowProvinceIds) > 0 && !lists.ContainsInt64(config.AllowProvinceIds, resp.Region.ProvinceId) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// 判断是否为本地IP
|
||||
func isLocalIP(ip net.IP) bool {
|
||||
return ip[0] == 127 ||
|
||||
ip[0] == 10 ||
|
||||
(ip[0] == 172 && ip[1]&0xf0 == 16) ||
|
||||
(ip[0] == 192 && ip[1] == 168)
|
||||
}
|
||||
Reference in New Issue
Block a user