安全设置增加允许访问的国家地区、省份、是否局域网访问

internal/web/actions/default/settings/security/index.go

@@ -1,9 +1,12 @@
 package security
 
 import (
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/securitymanager"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
 )
 
 type IndexAction struct {
@@ -20,12 +23,52 @@ func (this *IndexAction) RunGet(params struct{}) {
 		this.ErrorPage(err)
 		return
 	}
+
+	// 国家和地区
+	countryMaps := []maps.Map{}
+	for _, countryId := range config.AllowCountryIds {
+		countryResp, err := this.RPC().RegionCountryRPC().FindEnabledRegionCountry(this.AdminContext(), &pb.FindEnabledRegionCountryRequest{CountryId: countryId})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		country := countryResp.Country
+		if country != nil {
+			countryMaps = append(countryMaps, maps.Map{
+				"id":   country.Id,
+				"name": country.Name,
+			})
+		}
+	}
+	this.Data["countries"] = countryMaps
+
+	// 省份
+	provinceMaps := []maps.Map{}
+	for _, provinceId := range config.AllowProvinceIds {
+		provinceResp, err := this.RPC().RegionProvinceRPC().FindEnabledRegionProvince(this.AdminContext(), &pb.FindEnabledRegionProvinceRequest{ProvinceId: provinceId})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		province := provinceResp.Province
+		if province != nil {
+			provinceMaps = append(provinceMaps, maps.Map{
+				"id":   province.Id,
+				"name": province.Name,
+			})
+		}
+	}
+	this.Data["provinces"] = provinceMaps
+
 	this.Data["config"] = config
 	this.Show()
 }
 
 func (this *IndexAction) RunPost(params struct {
-	Frame string
+	Frame           string
+	CountryIdsJSON  []byte
+	ProvinceIdsJSON []byte
+	AllowLocal      bool
 
 	Must *actions.Must
 	CSRF *actionutils.CSRF
@@ -38,7 +81,34 @@ func (this *IndexAction) RunPost(params struct {
 		return
 	}
 
+	// 框架
 	config.Frame = params.Frame
+
+	// 国家和地区
+	countryIds := []int64{}
+	if len(params.CountryIdsJSON) > 0 {
+		err = json.Unmarshal(params.CountryIdsJSON, &countryIds)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+	config.AllowCountryIds = countryIds
+
+	// 省份
+	provinceIds := []int64{}
+	if len(params.ProvinceIdsJSON) > 0 {
+		err = json.Unmarshal(params.ProvinceIdsJSON, &provinceIds)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+	config.AllowProvinceIds = provinceIds
+
+	// 允许本地
+	config.AllowLocal = params.AllowLocal
+
 	err = securitymanager.UpdateSecurityConfig(config)
 	if err != nil {
 		this.ErrorPage(err)

internal/web/actions/default/ui/init.go

@@ -11,6 +11,8 @@ func init() {
 		server.
 			Prefix("/ui").
 			Get("/download", new(DownloadAction)).
+			GetPost("/selectProvincesPopup", new(SelectProvincesPopupAction)).
+			GetPost("/selectCountriesPopup", new(SelectCountriesPopupAction)).
 
 			// 以下的需要压缩
 			Helper(&actions.Gzip{Level: gzip.BestCompression}).

internal/web/actions/default/ui/selectCountriesPopup.go

@@ -0,0 +1,70 @@
+package ui
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+	"strings"
+)
+
+type SelectCountriesPopupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *SelectCountriesPopupAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *SelectCountriesPopupAction) RunGet(params struct {
+	CountryIds string
+}) {
+	selectedCountryIds := utils.SplitNumbers(params.CountryIds)
+
+	countriesResp, err := this.RPC().RegionCountryRPC().FindAllEnabledRegionCountries(this.AdminContext(), &pb.FindAllEnabledRegionCountriesRequest{})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	countryMaps := []maps.Map{}
+	for _, country := range countriesResp.Countries {
+		countryMaps = append(countryMaps, maps.Map{
+			"id":        country.Id,
+			"name":      country.Name,
+			"letter":    strings.ToUpper(string(country.Pinyin[0][0])),
+			"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
+		})
+	}
+	this.Data["countries"] = countryMaps
+
+	this.Show()
+}
+
+func (this *SelectCountriesPopupAction) RunPost(params struct {
+	CountryIds []int64
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	countryMaps := []maps.Map{}
+	for _, countryId := range params.CountryIds {
+		countryResp, err := this.RPC().RegionCountryRPC().FindEnabledRegionCountry(this.AdminContext(), &pb.FindEnabledRegionCountryRequest{CountryId: countryId})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		country := countryResp.Country
+		if country == nil {
+			continue
+		}
+		countryMaps = append(countryMaps, maps.Map{
+			"id":   country.Id,
+			"name": country.Name,
+		})
+	}
+	this.Data["countries"] = countryMaps
+
+	this.Success()
+}

internal/web/actions/default/ui/selectProvincesPopup.go

@@ -0,0 +1,70 @@
+package ui
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+)
+
+const ChinaCountryId = 1
+
+type SelectProvincesPopupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *SelectProvincesPopupAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *SelectProvincesPopupAction) RunGet(params struct {
+	ProvinceIds string
+}) {
+	selectedProvinceIds := utils.SplitNumbers(params.ProvinceIds)
+
+	provincesResp, err := this.RPC().RegionProvinceRPC().FindAllEnabledRegionProvincesWithCountryId(this.AdminContext(), &pb.FindAllEnabledRegionProvincesWithCountryIdRequest{CountryId: ChinaCountryId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	provinceMaps := []maps.Map{}
+	for _, province := range provincesResp.Provinces {
+		provinceMaps = append(provinceMaps, maps.Map{
+			"id":        province.Id,
+			"name":      province.Name,
+			"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
+		})
+	}
+	this.Data["provinces"] = provinceMaps
+
+	this.Show()
+}
+
+func (this *SelectProvincesPopupAction) RunPost(params struct {
+	ProvinceIds []int64
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	provinceMaps := []maps.Map{}
+	for _, provinceId := range params.ProvinceIds {
+		provinceResp, err := this.RPC().RegionProvinceRPC().FindEnabledRegionProvince(this.AdminContext(), &pb.FindEnabledRegionProvinceRequest{ProvinceId: provinceId})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		province := provinceResp.Province
+		if province == nil {
+			continue
+		}
+		provinceMaps = append(provinceMaps, maps.Map{
+			"id":   province.Id,
+			"name": province.Name,
+		})
+	}
+	this.Data["provinces"] = provinceMaps
+
+	this.Success()
+}

internal/web/helpers/user_must_auth.go

@@ -35,6 +35,12 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 	}
 	action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
 
+	// 检查IP
+	if !checkIP(securityConfig, action.RequestRemoteIP()) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	// 检查系统是否已经配置过
 	if !setup.IsConfigured() {
 		action.RedirectURL("/setup")
@@ -82,8 +88,48 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 		return action.Data["teaTitle"].(string)
 	})
 
-	// 初始化变量
-	modules := []maps.Map{
+	action.Data["teaTitle"] = teaconst.ProductNameZH
+	action.Data["teaName"] = teaconst.ProductNameZH
+
+	resp, err := rpc.AdminRPC().FindAdminFullname(rpc.Context(0), &pb.FindAdminFullnameRequest{AdminId: int64(this.AdminId)})
+	if err != nil {
+		utils.PrintError(err)
+		action.Data["teaUsername"] = ""
+	} else {
+		action.Data["teaUsername"] = resp.Fullname
+	}
+
+	action.Data["teaUserAvatar"] = ""
+
+	action.Data["teaMenu"] = ""
+	action.Data["teaModules"] = this.modules()
+	action.Data["teaSubMenus"] = []map[string]interface{}{}
+	action.Data["teaTabbar"] = []map[string]interface{}{}
+	action.Data["teaVersion"] = teaconst.Version
+	action.Data["teaIsSuper"] = false
+	action.Data["teaDemoEnabled"] = teaconst.IsDemo
+	if !action.Data.Has("teaSubMenu") {
+		action.Data["teaSubMenu"] = ""
+	}
+
+	// 菜单
+	action.Data["firstMenuItem"] = ""
+
+	// 未读消息数
+	action.Data["teaBadge"] = 0
+
+	// 调用Init
+	initMethod := reflect.ValueOf(actionPtr).MethodByName("Init")
+	if initMethod.IsValid() {
+		initMethod.Call([]reflect.Value{})
+	}
+
+	return true
+}
+
+// 菜单配置
+func (this *UserMustAuth) modules() []maps.Map {
+	return []maps.Map{
 		{
 			"code": "servers",
 			"name": "网站服务",
@@ -136,46 +182,9 @@ func (this *UserMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 			"icon": "history",
 		},
 	}
-
-	action.Data["teaTitle"] = teaconst.ProductNameZH
-	action.Data["teaName"] = teaconst.ProductNameZH
-
-	resp, err := rpc.AdminRPC().FindAdminFullname(rpc.Context(0), &pb.FindAdminFullnameRequest{AdminId: int64(this.AdminId)})
-	if err != nil {
-		utils.PrintError(err)
-		action.Data["teaUsername"] = ""
-	} else {
-		action.Data["teaUsername"] = resp.Fullname
-	}
-
-	action.Data["teaUserAvatar"] = ""
-
-	action.Data["teaMenu"] = ""
-	action.Data["teaModules"] = modules
-	action.Data["teaSubMenus"] = []map[string]interface{}{}
-	action.Data["teaTabbar"] = []map[string]interface{}{}
-	action.Data["teaVersion"] = teaconst.Version
-	action.Data["teaIsSuper"] = false
-	action.Data["teaDemoEnabled"] = teaconst.IsDemo
-	if !action.Data.Has("teaSubMenu") {
-		action.Data["teaSubMenu"] = ""
-	}
-
-	// 菜单
-	action.Data["firstMenuItem"] = ""
-
-	// 未读消息数
-	action.Data["teaBadge"] = 0
-
-	// 调用Init
-	initMethod := reflect.ValueOf(actionPtr).MethodByName("Init")
-	if initMethod.IsValid() {
-		initMethod.Call([]reflect.Value{})
-	}
-
-	return true
 }
 
+// 跳转到登录页
 func (this *UserMustAuth) login(action *actions.ActionObject) {
 	action.RedirectURL("/")
 }

internal/web/helpers/user_should_auth.go

@@ -24,6 +24,12 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
 	}
 	action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
 
+	// 检查IP
+	if !checkIP(securityConfig, action.RequestRemoteIP()) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	return true
 }
 

internal/web/helpers/utils.go

@@ -0,0 +1,60 @@
+package helpers
+
+import (
+	nodes "github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeAdmin/internal/securitymanager"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/logs"
+	"net"
+)
+
+// 检查用户IP
+func checkIP(config *securitymanager.SecurityConfig, ipAddr string) bool {
+	if config == nil {
+		return true
+	}
+
+	// 本地IP
+	ip := net.ParseIP(ipAddr).To4()
+	if ip == nil {
+		logs.Println("[USER_MUST_AUTH]invalid client address: " + ipAddr)
+		return false
+	}
+	if config.AllowLocal && isLocalIP(ip) {
+		return true
+	}
+
+	// 检查位置
+	if len(config.AllowCountryIds) > 0 || len(config.AllowProvinceIds) > 0 {
+		rpc, err := nodes.SharedRPC()
+		if err != nil {
+			logs.Println("[USER_MUST_AUTH][ERROR]" + err.Error())
+			return false
+		}
+		resp, err := rpc.IPLibraryRPC().LookupIPRegion(rpc.Context(0), &pb.LookupIPRegionRequest{Ip: ipAddr})
+		if err != nil {
+			logs.Println("[USER_MUST_AUTH][ERROR]" + err.Error())
+			return false
+		}
+		if resp.Region == nil {
+			return true
+		}
+		if len(config.AllowCountryIds) > 0 && !lists.ContainsInt64(config.AllowCountryIds, resp.Region.CountryId) {
+			return false
+		}
+		if len(config.AllowProvinceIds) > 0 && !lists.ContainsInt64(config.AllowProvinceIds, resp.Region.ProvinceId) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// 判断是否为本地IP
+func isLocalIP(ip net.IP) bool {
+	return ip[0] == 127 ||
+		ip[0] == 10 ||
+		(ip[0] == 172 && ip[1]&0xf0 == 16) ||
+		(ip[0] == 192 && ip[1] == 168)
+}