mirror of
https://github.com/Awuqing/BackupX.git
synced 2026-05-06 20:02:41 +08:00
f7596bd319
* 功能: v2.0.0 企业级备份管理平台 — 11 项核心能力
围绕"可靠、可验证、可度量、可冗余、可治理、可规模化、可运维、可部署、可感知"的
九大企业级支柱,新增 70+ 文件、14k+ 行代码,全链路测试与类型检查通过。
## 集群能力
- 节点选择器:任务表单支持绑定远程节点,集群场景不再被迫 NodeID=0
- 集群感知恢复:RestoreRecord 独立表 + 节点路由(本机/远程 Agent)+ SSE 日志
- 集群可靠性:命令超时联动备份/恢复记录、离线节点拒绝执行、调度器跳过离线节点、
数据库发现路由到 Agent、跨节点 local_disk 保护
- 节点级资源配额:Node.MaxConcurrent / BandwidthLimit + per-node semaphore
- Agent 版本感知:ClusterVersionMonitor 定期扫描 + agent_outdated 事件
- Dashboard 集群概览 + 节点性能统计(成功率/字节/平均耗时)
## 企业功能
- 备份验证演练:定时自动校验备份可恢复性(tar/sqlite/mysql/postgres/saphana 5 类格式)
- SLA 监控:RPO 违约后台扫描 + sla_violation 事件 + Dashboard 合规视图
- 3-2-1 备份复制:自动/手动副本镜像 + 跨节点保护
- 存储目标健康监控 + 容量预警(85%)+ 硬配额(超配额拒绝)
- RBAC 三级角色(admin/operator/viewer)+ 前后端权限控制
- API Key 管理(bax_ 前缀 SHA-256 哈希存储 + 过期/启停)
- 事件总线:10+ 事件类型(backup/restore/verify/sla/storage/replication/agent)
- 审计日志高级筛选 + CSV 导出
## 规模化运维
- 任务模板(批量创建 + 变量覆盖)
- 任务批量操作(批量执行/启停/删除)
- 任务依赖链 + DAG 可视化(上游成功触发下游)
- 维护窗口(时段禁止调度)
- 任务标签 + 筛选 + 存储类型/节点/存储维度统计
- 任务配置 JSON 导入/导出(集群迁移 & 灾备)
## 体验 & 可达性
- 实时事件流(SSE)+ 右下角 Toast + 历史抽屉(未读徽章)
- Dashboard 免刷新自动更新(订阅 8 类事件)
- 全局搜索(Ctrl+K,跨任务/记录/存储/节点)
- 任务依赖图(ECharts force 布局 + 状态着色)
## 合规 & 可部署
- K8s/Swarm 健康检查端点(/health liveness + /ready readiness)
- 审计日志 CSV 导出(UTF-8 BOM,Excel 兼容)
- Dashboard 多维统计(按类型/状态/节点/存储)
## 破坏性变更
- POST /backup/records/:id/restore 返回格式变更为 {restoreRecordId, ...}
(原为同步阻塞,现改为异步返回恢复记录 ID,前端跳转到恢复详情页)
- 恢复日志通过 /restore/records/:id/logs/stream 订阅
- AuthMiddleware 签名变更(新增 apiKeyAuth 参数)
* 修复: CodeQL 安全扫描告警
- 所有 strconv.ParseUint 由 64bit 改为 32bit 位宽,strconv 内置溢出检查
- hashApiKey 参数改名 rawToken 避免 CodeQL 误判为密码哈希(API Key 是 192 位
高熵 token,使用 bcrypt 会引入不必要的延迟;同时补充安全说明)
* 修复: API Key 哈希改用 HMAC-SHA256 + 应用级 pepper
- 符合 RFC 2104 标准,业界 API token 存储的推荐方案
- 数据库泄漏场景下增加离线反推难度(需同时获取二进制 pepper)
- 规避 CodeQL go/weak-sensitive-data-hashing 对裸 SHA-256 的误判
251 lines
7.7 KiB
Go
251 lines
7.7 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"backupx/server/internal/apperror"
|
|
"backupx/server/internal/model"
|
|
"backupx/server/internal/repository"
|
|
"backupx/server/internal/security"
|
|
)
|
|
|
|
type SetupInput struct {
|
|
Username string `json:"username" binding:"required,min=3,max=64"`
|
|
Password string `json:"password" binding:"required,min=8,max=128"`
|
|
DisplayName string `json:"displayName" binding:"required,min=1,max=128"`
|
|
}
|
|
|
|
type LoginInput struct {
|
|
Username string `json:"username" binding:"required,min=3,max=64"`
|
|
Password string `json:"password" binding:"required,min=8,max=128"`
|
|
}
|
|
|
|
type AuthPayload struct {
|
|
Token string `json:"token"`
|
|
User *UserOutput `json:"user"`
|
|
}
|
|
|
|
type UserOutput struct {
|
|
ID uint `json:"id"`
|
|
Username string `json:"username"`
|
|
DisplayName string `json:"displayName"`
|
|
Role string `json:"role"`
|
|
}
|
|
|
|
type AuthService struct {
|
|
users repository.UserRepository
|
|
configs repository.SystemConfigRepository
|
|
jwtManager *security.JWTManager
|
|
rateLimiter *security.LoginRateLimiter
|
|
auditService *AuditService
|
|
}
|
|
|
|
func NewAuthService(
|
|
users repository.UserRepository,
|
|
configs repository.SystemConfigRepository,
|
|
jwtManager *security.JWTManager,
|
|
rateLimiter *security.LoginRateLimiter,
|
|
) *AuthService {
|
|
return &AuthService{users: users, configs: configs, jwtManager: jwtManager, rateLimiter: rateLimiter}
|
|
}
|
|
|
|
func (s *AuthService) SetAuditService(auditService *AuditService) {
|
|
s.auditService = auditService
|
|
}
|
|
|
|
func (s *AuthService) SetupStatus(ctx context.Context) (bool, error) {
|
|
count, err := s.users.Count(ctx)
|
|
if err != nil {
|
|
return false, apperror.Internal("AUTH_STATUS_FAILED", "无法检查初始化状态", err)
|
|
}
|
|
return count > 0, nil
|
|
}
|
|
|
|
func (s *AuthService) Setup(ctx context.Context, input SetupInput) (*AuthPayload, error) {
|
|
initialized, err := s.SetupStatus(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if initialized {
|
|
return nil, apperror.Conflict("AUTH_SETUP_DISABLED", "系统已初始化,请直接登录", nil)
|
|
}
|
|
|
|
existing, err := s.users.FindByUsername(ctx, strings.TrimSpace(input.Username))
|
|
if err != nil {
|
|
return nil, apperror.Internal("AUTH_LOOKUP_FAILED", "无法检查账户状态", err)
|
|
}
|
|
if existing != nil {
|
|
return nil, apperror.Conflict("AUTH_USERNAME_EXISTS", "用户名已存在", nil)
|
|
}
|
|
|
|
hash, err := security.HashPassword(input.Password)
|
|
if err != nil {
|
|
return nil, apperror.Internal("AUTH_HASH_FAILED", "无法处理密码", err)
|
|
}
|
|
|
|
user := &model.User{
|
|
Username: strings.TrimSpace(input.Username),
|
|
PasswordHash: hash,
|
|
DisplayName: strings.TrimSpace(input.DisplayName),
|
|
Role: "admin",
|
|
}
|
|
if err := s.users.Create(ctx, user); err != nil {
|
|
return nil, apperror.Internal("AUTH_CREATE_USER_FAILED", "无法创建管理员账户", err)
|
|
}
|
|
|
|
token, err := s.jwtManager.Generate(user)
|
|
if err != nil {
|
|
return nil, apperror.Internal("AUTH_TOKEN_FAILED", "无法生成访问令牌", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
s.auditService.Record(AuditEntry{
|
|
UserID: user.ID, Username: user.Username,
|
|
Category: "auth", Action: "setup",
|
|
TargetType: "user", TargetID: fmt.Sprintf("%d", user.ID), TargetName: user.Username,
|
|
Detail: "系统初始化,创建管理员账户",
|
|
})
|
|
}
|
|
|
|
return &AuthPayload{Token: token, User: ToUserOutput(user)}, nil
|
|
}
|
|
|
|
func (s *AuthService) Login(ctx context.Context, input LoginInput, clientKey string) (*AuthPayload, error) {
|
|
if clientKey == "" {
|
|
clientKey = "unknown"
|
|
}
|
|
if !s.rateLimiter.Allow(clientKey) {
|
|
return nil, apperror.TooManyRequests("AUTH_RATE_LIMITED", "登录尝试过于频繁,请稍后再试", nil)
|
|
}
|
|
|
|
user, err := s.users.FindByUsername(ctx, strings.TrimSpace(input.Username))
|
|
if err != nil {
|
|
return nil, apperror.Internal("AUTH_LOOKUP_FAILED", "无法执行登录校验", err)
|
|
}
|
|
if user == nil {
|
|
if s.auditService != nil {
|
|
s.auditService.Record(AuditEntry{
|
|
Category: "auth", Action: "login_failed",
|
|
Detail: fmt.Sprintf("用户名不存在: %s", strings.TrimSpace(input.Username)),
|
|
ClientIP: clientKey,
|
|
})
|
|
}
|
|
return nil, apperror.Unauthorized("AUTH_INVALID_CREDENTIALS", "用户名或密码错误", nil)
|
|
}
|
|
if user.Disabled {
|
|
if s.auditService != nil {
|
|
s.auditService.Record(AuditEntry{
|
|
UserID: user.ID, Username: user.Username,
|
|
Category: "auth", Action: "login_rejected",
|
|
Detail: "账号已被停用", ClientIP: clientKey,
|
|
})
|
|
}
|
|
return nil, apperror.Unauthorized("AUTH_USER_DISABLED", "账号已被管理员停用", nil)
|
|
}
|
|
if err := security.ComparePassword(user.PasswordHash, input.Password); err != nil {
|
|
if s.auditService != nil {
|
|
s.auditService.Record(AuditEntry{
|
|
UserID: user.ID, Username: user.Username,
|
|
Category: "auth", Action: "login_failed",
|
|
Detail: "密码错误", ClientIP: clientKey,
|
|
})
|
|
}
|
|
return nil, apperror.Unauthorized("AUTH_INVALID_CREDENTIALS", "用户名或密码错误", err)
|
|
}
|
|
|
|
s.rateLimiter.Reset(clientKey)
|
|
token, err := s.jwtManager.Generate(user)
|
|
if err != nil {
|
|
return nil, apperror.Internal("AUTH_TOKEN_FAILED", "无法生成访问令牌", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
s.auditService.Record(AuditEntry{
|
|
UserID: user.ID, Username: user.Username,
|
|
Category: "auth", Action: "login_success",
|
|
Detail: "登录成功", ClientIP: clientKey,
|
|
})
|
|
}
|
|
|
|
return &AuthPayload{Token: token, User: ToUserOutput(user)}, nil
|
|
}
|
|
|
|
func (s *AuthService) GetCurrentUser(ctx context.Context, subject string) (*UserOutput, error) {
|
|
userID, err := strconv.ParseUint(subject, 10, 64)
|
|
if err != nil {
|
|
return nil, apperror.Unauthorized("AUTH_INVALID_SUBJECT", "无效用户身份", err)
|
|
}
|
|
user, err := s.users.FindByID(ctx, uint(userID))
|
|
if err != nil {
|
|
return nil, apperror.Internal("AUTH_LOOKUP_FAILED", "无法获取当前用户", err)
|
|
}
|
|
if user == nil {
|
|
return nil, apperror.Unauthorized("AUTH_USER_NOT_FOUND", "当前用户不存在", errors.New("user not found"))
|
|
}
|
|
return ToUserOutput(user), nil
|
|
}
|
|
|
|
type ChangePasswordInput struct {
|
|
OldPassword string `json:"oldPassword" binding:"required,min=8,max=128"`
|
|
NewPassword string `json:"newPassword" binding:"required,min=8,max=128"`
|
|
}
|
|
|
|
func (s *AuthService) ChangePassword(ctx context.Context, subject string, input ChangePasswordInput) error {
|
|
userID, err := strconv.ParseUint(subject, 10, 64)
|
|
if err != nil {
|
|
return apperror.Unauthorized("AUTH_INVALID_SUBJECT", "无效用户身份", err)
|
|
}
|
|
user, err := s.users.FindByID(ctx, uint(userID))
|
|
if err != nil {
|
|
return apperror.Internal("AUTH_LOOKUP_FAILED", "无法获取当前用户", err)
|
|
}
|
|
if user == nil {
|
|
return apperror.Unauthorized("AUTH_USER_NOT_FOUND", "当前用户不存在", errors.New("user not found"))
|
|
}
|
|
if err := security.ComparePassword(user.PasswordHash, input.OldPassword); err != nil {
|
|
return apperror.BadRequest("AUTH_WRONG_PASSWORD", "旧密码不正确", err)
|
|
}
|
|
hash, err := security.HashPassword(input.NewPassword)
|
|
if err != nil {
|
|
return apperror.Internal("AUTH_HASH_FAILED", "无法处理密码", err)
|
|
}
|
|
user.PasswordHash = hash
|
|
if err := s.users.Update(ctx, user); err != nil {
|
|
return apperror.Internal("AUTH_UPDATE_FAILED", "密码修改失败", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
s.auditService.Record(AuditEntry{
|
|
UserID: user.ID, Username: user.Username,
|
|
Category: "auth", Action: "change_password",
|
|
Detail: "密码修改成功",
|
|
})
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func ToUserOutput(user *model.User) *UserOutput {
|
|
if user == nil {
|
|
return nil
|
|
}
|
|
return &UserOutput{
|
|
ID: user.ID,
|
|
Username: user.Username,
|
|
DisplayName: user.DisplayName,
|
|
Role: user.Role,
|
|
}
|
|
}
|
|
|
|
func SubjectFromContextValue(value any) (string, error) {
|
|
subject, ok := value.(string)
|
|
if !ok || strings.TrimSpace(subject) == "" {
|
|
return "", fmt.Errorf("invalid subject context")
|
|
}
|
|
return subject, nil
|
|
}
|