feat: 登录强制校验弱密码&关键信息加密传输

2025-11-04 00:10:25 +08:00 · 2022-07-18 20:36:31 +08:00
parent db554ebdc9
commit 5271bd21e8
29 changed files with 1804 additions and 1327 deletions
--- a/server/internal/common/api/common.go
+++ b/server/internal/common/api/common.go
@@ -0,0 +1,16 @@
+package api
+
+import (
+	"mayfly-go/pkg/biz"
+	"mayfly-go/pkg/ctx"
+	"mayfly-go/pkg/utils"
+)
+
+type Common struct {
+}
+
+func (i *Common) RasPublicKey(rc *ctx.ReqCtx) {
+	publicKeyStr, err := utils.GetRsaPublicKey()
+	biz.ErrIsNilAppendErr(err, "rsa生成公私钥失败")
+	rc.ResData = publicKeyStr
+}
--- a/server/internal/common/router/common.go
+++ b/server/internal/common/router/common.go
@@ -0,0 +1,21 @@
+package router
+
+import (
+	"mayfly-go/internal/common/api"
+	"mayfly-go/pkg/ctx"
+
+	"github.com/gin-gonic/gin"
+)
+
+func InitCommonRouter(router *gin.RouterGroup) {
+	common := router.Group("common")
+	c := &api.Common{}
+	{
+		// 获取公钥
+		common.GET("public-key", func(g *gin.Context) {
+			ctx.NewReqCtxWithGin(g).
+				WithNeedToken(false).
+				Handle(c.RasPublicKey)
+		})
+	}
+}
--- a/server/internal/devops/api/db.go
+++ b/server/internal/devops/api/db.go
@@ -47,6 +47,12 @@ func (d *Db) Save(rc *ctx.ReqCtx) {

 	db := new(entity.Db)
 	utils.Copy(db, form)
+
+	// 密码解密，并使用解密后的赋值
+	originPwd, err := utils.DefaultRsaDecrypt(form.Password, true)
+	biz.ErrIsNilAppendErr(err, "解密密码错误: %s")
+	db.Password = originPwd
+
 	// 密码脱敏记录日志
 	form.Password = "****"
 	rc.ReqParam = form
--- a/server/internal/devops/api/form/redis.go
+++ b/server/internal/devops/api/form/redis.go
@@ -10,6 +10,7 @@ type Redis struct {
 	Project   string `json:"project"`
 	Env       string `json:"env"`
 	EnvId     uint64 `binding:"required" json:"envId"`
+	Remark    string `json:"remark"`
 }

 type KeyInfo struct {
--- a/server/internal/devops/api/machine.go
+++ b/server/internal/devops/api/machine.go
@@ -57,6 +57,11 @@ func (m *Machine) SaveMachine(rc *ctx.ReqCtx) {
 	entity := new(entity.Machine)
 	utils.Copy(entity, machineForm)

+	// 密码解密，并使用解密后的赋值
+	originPwd, err := utils.DefaultRsaDecrypt(machineForm.Password, true)
+	biz.ErrIsNilAppendErr(err, "解密密码错误: %s")
+	entity.Password = originPwd
+
 	// 密码脱敏记录日志
 	machineForm.Password = "****"
 	rc.ReqParam = machineForm
--- a/server/internal/devops/api/mongo.go
+++ b/server/internal/devops/api/mongo.go
@@ -38,6 +38,11 @@ func (m *Mongo) Save(rc *ctx.ReqCtx) {

 	mongo := new(entity.Mongo)
 	utils.Copy(mongo, form)
+	// 解密uri，并使用解密后的赋值
+	originUri, err := utils.DefaultRsaDecrypt(form.Uri, true)
+	biz.ErrIsNilAppendErr(err, "解密uri错误: %s")
+	mongo.Uri = originUri
+
 	mongo.SetBaseInfo(rc.LoginAccount)
 	m.MongoApp.Save(mongo)
 }
--- a/server/internal/devops/api/redis.go
+++ b/server/internal/devops/api/redis.go
@@ -38,6 +38,12 @@ func (r *Redis) Save(rc *ctx.ReqCtx) {

 	redis := new(entity.Redis)
 	utils.Copy(redis, form)
+
+	// 密码解密，并使用解密后的赋值
+	originPwd, err := utils.DefaultRsaDecrypt(redis.Password, true)
+	biz.ErrIsNilAppendErr(err, "解密密码错误: %s")
+	redis.Password = originPwd
+
 	// 密码脱敏记录日志
 	form.Password = "****"
 	rc.ReqParam = form
--- a/server/internal/devops/application/redis_app.go
+++ b/server/internal/devops/application/redis_app.go
@@ -65,7 +65,10 @@ func (r *redisAppImpl) GetRedisBy(condition *entity.Redis, cols ...string) error
 }

 func (r *redisAppImpl) Save(re *entity.Redis) {
-	TestRedisConnection(re)
+	// ’修改信息且密码不为空‘ or ‘新增’需要测试是否可连接
+	if (re.Id != 0 && re.Password != "") || re.Id == 0 {
+		TestRedisConnection(re)
+	}

 	// 查找是否存在该库
 	oldRedis := &entity.Redis{Host: re.Host, Db: re.Db}
--- a/server/internal/sys/api/account.go
+++ b/server/internal/sys/api/account.go
@@ -12,6 +12,7 @@ import (
 	"mayfly-go/pkg/ginx"
 	"mayfly-go/pkg/model"
 	"mayfly-go/pkg/utils"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -34,10 +35,16 @@ func (a *Account) Login(rc *ctx.ReqCtx) {
 	// 校验验证码
 	biz.IsTrue(captcha.Verify(loginForm.Cid, loginForm.Captcha), "验证码错误")

-	account := &entity.Account{Username: loginForm.Username, Password: utils.Md5(loginForm.Password)}
+	originPwd, err := utils.DefaultRsaDecrypt(loginForm.Password, true)
+	biz.ErrIsNilAppendErr(err, "解密密码错误: %s")
+
+	account := &entity.Account{Username: loginForm.Username, Password: utils.Md5(originPwd)}
 	biz.ErrIsNil(a.AccountApp.GetAccount(account, "Id", "Username", "Status", "LastLoginTime", "LastLoginIp"), "用户名或密码错误")
 	biz.IsTrue(account.IsEnable(), "该账号不可用")

+	// 校验密码强度是否符合
+	biz.IsTrueBy(CheckPasswordLever(originPwd), biz.NewBizErrCode(401, "您的密码安全等级较低，请修改后重新登录"))
+
 	var resources vo.AccountResourceVOList
 	// 获取账号菜单资源
 	a.ResourceApp.GetAccountResources(account.Id, &resources)
@@ -72,6 +79,48 @@ func (a *Account) Login(rc *ctx.ReqCtx) {
 	}
 }

+func (a *Account) ChangePassword(rc *ctx.ReqCtx) {
+	form := new(form.AccountChangePasswordForm)
+	ginx.BindJsonAndValid(rc.GinCtx, form)
+
+	originOldPwd, err := utils.DefaultRsaDecrypt(form.OldPassword, true)
+	biz.ErrIsNilAppendErr(err, "解密旧密码错误: %s")
+
+	account := &entity.Account{Username: form.Username, Password: utils.Md5(originOldPwd)}
+	biz.ErrIsNil(a.AccountApp.GetAccount(account, "Id", "Username", "Status"), "旧密码不正确")
+
+	originNewPwd, err := utils.DefaultRsaDecrypt(form.NewPassword, true)
+	biz.ErrIsNilAppendErr(err, "解密新密码错误: %s")
+	biz.IsTrue(CheckPasswordLever(originNewPwd), "密码强度必须8位以上且包含字⺟⼤⼩写+数字+特殊符号")
+
+	updateAccount := new(entity.Account)
+	updateAccount.Id = account.Id
+	updateAccount.Password = utils.Md5(originNewPwd)
+	a.AccountApp.Update(updateAccount)
+
+	// 赋值loginAccount 主要用于记录操作日志，因为操作日志保存请求上下文没有该信息不保存日志
+	rc.LoginAccount = &model.LoginAccount{Id: account.Id, Username: account.Username}
+}
+
+func CheckPasswordLever(ps string) bool {
+	if len(ps) < 8 {
+		return false
+	}
+	num := `[0-9]{1}`
+	a_z := `[a-zA-Z]{1}`
+	symbol := `[!@#~$%^&*()+|_.,]{1}`
+	if b, err := regexp.MatchString(num, ps); !b || err != nil {
+		return false
+	}
+	if b, err := regexp.MatchString(a_z, ps); !b || err != nil {
+		return false
+	}
+	if b, err := regexp.MatchString(symbol, ps); !b || err != nil {
+		return false
+	}
+	return true
+}
+
 // 保存更新账号登录信息
 func (a *Account) saveLogin(account *entity.Account, ip string) {
 	// 更新账号最后登录时间
@@ -105,7 +154,7 @@ func (a *Account) saveLogin(account *entity.Account, ip string) {
 }

 // 获取个人账号信息
-func (a Account) AccountInfo(rc *ctx.ReqCtx) {
+func (a *Account) AccountInfo(rc *ctx.ReqCtx) {
 	ap := new(vo.AccountPersonVO)
 	// 角色信息
 	roles := new([]vo.AccountRoleVO)
@@ -116,7 +165,7 @@ func (a Account) AccountInfo(rc *ctx.ReqCtx) {
 }

 // 更新个人账号信息
-func (a Account) UpdateAccount(rc *ctx.ReqCtx) {
+func (a *Account) UpdateAccount(rc *ctx.ReqCtx) {
 	updateForm := &form.AccountUpdateForm{}
 	ginx.BindJsonAndValid(rc.GinCtx, updateForm)

@@ -126,13 +175,14 @@ func (a Account) UpdateAccount(rc *ctx.ReqCtx) {
 	updateAccount.Id = rc.LoginAccount.Id

 	if updateAccount.Password != "" {
+		biz.IsTrue(CheckPasswordLever(updateAccount.Password), "密码强度必须8位以上且包含字⺟⼤⼩写+数字+特殊符号")
 		updateAccount.Password = utils.Md5(updateAccount.Password)
 	}
 	a.AccountApp.Update(updateAccount)
 }

 // 获取账号接收的消息列表
-func (a Account) GetMsgs(rc *ctx.ReqCtx) {
+func (a *Account) GetMsgs(rc *ctx.ReqCtx) {
 	condition := &entity.Msg{
 		RecipientId: int64(rc.LoginAccount.Id),
 	}
--- a/server/internal/sys/api/form/account.go
+++ b/server/internal/sys/api/form/account.go
@@ -7,3 +7,9 @@ type AccountCreateForm struct {
 type AccountUpdateForm struct {
 	Password *string `json:"password" binding:"min=6,max=16"`
 }
+
+type AccountChangePasswordForm struct {
+	Username    string `json:"username"`
+	OldPassword string `json:"oldPassword"`
+	NewPassword string `json:"newPassword"`
+}
--- a/server/internal/sys/router/account.go
+++ b/server/internal/sys/router/account.go
@@ -26,6 +26,14 @@ func InitAccountRouter(router *gin.RouterGroup) {
 				Handle(a.Login)
 		})

+		changePwdLog := ctx.NewLogInfo("用户修改密码").WithSave(true)
+		account.POST("change-pwd", func(g *gin.Context) {
+			ctx.NewReqCtxWithGin(g).
+				WithNeedToken(false).
+				WithLog(changePwdLog).
+				Handle(a.ChangePassword)
+		})
+
 		// 获取个人账号信息
 		account.GET("/self", func(c *gin.Context) {
 			ctx.NewReqCtxWithGin(c).Handle(a.AccountInfo)