mirror of
https://github.com/Awuqing/BackupX.git
synced 2026-05-06 20:02:41 +08:00
f7596bd319
* 功能: v2.0.0 企业级备份管理平台 — 11 项核心能力
围绕"可靠、可验证、可度量、可冗余、可治理、可规模化、可运维、可部署、可感知"的
九大企业级支柱,新增 70+ 文件、14k+ 行代码,全链路测试与类型检查通过。
## 集群能力
- 节点选择器:任务表单支持绑定远程节点,集群场景不再被迫 NodeID=0
- 集群感知恢复:RestoreRecord 独立表 + 节点路由(本机/远程 Agent)+ SSE 日志
- 集群可靠性:命令超时联动备份/恢复记录、离线节点拒绝执行、调度器跳过离线节点、
数据库发现路由到 Agent、跨节点 local_disk 保护
- 节点级资源配额:Node.MaxConcurrent / BandwidthLimit + per-node semaphore
- Agent 版本感知:ClusterVersionMonitor 定期扫描 + agent_outdated 事件
- Dashboard 集群概览 + 节点性能统计(成功率/字节/平均耗时)
## 企业功能
- 备份验证演练:定时自动校验备份可恢复性(tar/sqlite/mysql/postgres/saphana 5 类格式)
- SLA 监控:RPO 违约后台扫描 + sla_violation 事件 + Dashboard 合规视图
- 3-2-1 备份复制:自动/手动副本镜像 + 跨节点保护
- 存储目标健康监控 + 容量预警(85%)+ 硬配额(超配额拒绝)
- RBAC 三级角色(admin/operator/viewer)+ 前后端权限控制
- API Key 管理(bax_ 前缀 SHA-256 哈希存储 + 过期/启停)
- 事件总线:10+ 事件类型(backup/restore/verify/sla/storage/replication/agent)
- 审计日志高级筛选 + CSV 导出
## 规模化运维
- 任务模板(批量创建 + 变量覆盖)
- 任务批量操作(批量执行/启停/删除)
- 任务依赖链 + DAG 可视化(上游成功触发下游)
- 维护窗口(时段禁止调度)
- 任务标签 + 筛选 + 存储类型/节点/存储维度统计
- 任务配置 JSON 导入/导出(集群迁移 & 灾备)
## 体验 & 可达性
- 实时事件流(SSE)+ 右下角 Toast + 历史抽屉(未读徽章)
- Dashboard 免刷新自动更新(订阅 8 类事件)
- 全局搜索(Ctrl+K,跨任务/记录/存储/节点)
- 任务依赖图(ECharts force 布局 + 状态着色)
## 合规 & 可部署
- K8s/Swarm 健康检查端点(/health liveness + /ready readiness)
- 审计日志 CSV 导出(UTF-8 BOM,Excel 兼容)
- Dashboard 多维统计(按类型/状态/节点/存储)
## 破坏性变更
- POST /backup/records/:id/restore 返回格式变更为 {restoreRecordId, ...}
(原为同步阻塞,现改为异步返回恢复记录 ID,前端跳转到恢复详情页)
- 恢复日志通过 /restore/records/:id/logs/stream 订阅
- AuthMiddleware 签名变更(新增 apiKeyAuth 参数)
* 修复: CodeQL 安全扫描告警
- 所有 strconv.ParseUint 由 64bit 改为 32bit 位宽,strconv 内置溢出检查
- hashApiKey 参数改名 rawToken 避免 CodeQL 误判为密码哈希(API Key 是 192 位
高熵 token,使用 bcrypt 会引入不必要的延迟;同时补充安全说明)
* 修复: API Key 哈希改用 HMAC-SHA256 + 应用级 pepper
- 符合 RFC 2104 标准,业界 API token 存储的推荐方案
- 数据库泄漏场景下增加离线反推难度(需同时获取二进制 pepper)
- 规避 CodeQL go/weak-sensitive-data-hashing 对裸 SHA-256 的误判
191 lines
4.5 KiB
Go
191 lines
4.5 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
"time"
|
|
|
|
"backupx/server/internal/model"
|
|
"backupx/server/internal/security"
|
|
)
|
|
|
|
type fakeUserRepository struct {
|
|
users []*model.User
|
|
}
|
|
|
|
func (r *fakeUserRepository) Count(context.Context) (int64, error) {
|
|
return int64(len(r.users)), nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) Create(_ context.Context, user *model.User) error {
|
|
user.ID = uint(len(r.users) + 1)
|
|
r.users = append(r.users, user)
|
|
return nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) FindByUsername(_ context.Context, username string) (*model.User, error) {
|
|
for _, user := range r.users {
|
|
if user.Username == username {
|
|
return user, nil
|
|
}
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) FindByID(_ context.Context, id uint) (*model.User, error) {
|
|
for _, user := range r.users {
|
|
if user.ID == id {
|
|
return user, nil
|
|
}
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) Update(_ context.Context, user *model.User) error {
|
|
for i, u := range r.users {
|
|
if u.ID == user.ID {
|
|
r.users[i] = user
|
|
return nil
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) CountByRole(_ context.Context, role string) (int64, error) {
|
|
var n int64
|
|
for _, u := range r.users {
|
|
if u.Role == role && !u.Disabled {
|
|
n++
|
|
}
|
|
}
|
|
return n, nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) List(_ context.Context) ([]model.User, error) {
|
|
result := make([]model.User, 0, len(r.users))
|
|
for _, u := range r.users {
|
|
result = append(result, *u)
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
func (r *fakeUserRepository) Delete(_ context.Context, id uint) error {
|
|
for i, u := range r.users {
|
|
if u.ID == id {
|
|
r.users = append(r.users[:i], r.users[i+1:]...)
|
|
return nil
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
type fakeSystemConfigRepository struct{}
|
|
|
|
func (r *fakeSystemConfigRepository) GetByKey(context.Context, string) (*model.SystemConfig, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (r *fakeSystemConfigRepository) List(context.Context) ([]model.SystemConfig, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (r *fakeSystemConfigRepository) Upsert(context.Context, *model.SystemConfig) error {
|
|
return nil
|
|
}
|
|
|
|
func TestAuthServiceSetupAndLogin(t *testing.T) {
|
|
users := &fakeUserRepository{}
|
|
service := NewAuthService(
|
|
users,
|
|
&fakeSystemConfigRepository{},
|
|
security.NewJWTManager("test-secret", time.Hour),
|
|
security.NewLoginRateLimiter(5, time.Minute),
|
|
)
|
|
|
|
setupResult, err := service.Setup(context.Background(), SetupInput{
|
|
Username: "admin",
|
|
Password: "password-123",
|
|
DisplayName: "Admin",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Setup returned error: %v", err)
|
|
}
|
|
if setupResult.User.Username != "admin" {
|
|
t.Fatalf("expected username admin, got %s", setupResult.User.Username)
|
|
}
|
|
|
|
loginResult, err := service.Login(context.Background(), LoginInput{
|
|
Username: "admin",
|
|
Password: "password-123",
|
|
}, "127.0.0.1")
|
|
if err != nil {
|
|
t.Fatalf("Login returned error: %v", err)
|
|
}
|
|
if loginResult.Token == "" {
|
|
t.Fatalf("expected non-empty token")
|
|
}
|
|
}
|
|
|
|
func newTestAuthService() (*AuthService, *fakeUserRepository) {
|
|
users := &fakeUserRepository{}
|
|
svc := NewAuthService(
|
|
users,
|
|
&fakeSystemConfigRepository{},
|
|
security.NewJWTManager("test-secret", time.Hour),
|
|
security.NewLoginRateLimiter(5, time.Minute),
|
|
)
|
|
return svc, users
|
|
}
|
|
|
|
func TestChangePassword(t *testing.T) {
|
|
svc, _ := newTestAuthService()
|
|
_, err := svc.Setup(context.Background(), SetupInput{
|
|
Username: "admin", Password: "password-123", DisplayName: "Admin",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Setup: %v", err)
|
|
}
|
|
|
|
err = svc.ChangePassword(context.Background(), "1", ChangePasswordInput{
|
|
OldPassword: "password-123",
|
|
NewPassword: "new-password-456",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("ChangePassword: %v", err)
|
|
}
|
|
|
|
// Old password should no longer work
|
|
_, err = svc.Login(context.Background(), LoginInput{
|
|
Username: "admin", Password: "password-123",
|
|
}, "127.0.0.1")
|
|
if err == nil {
|
|
t.Fatalf("expected login with old password to fail")
|
|
}
|
|
|
|
// New password should work
|
|
_, err = svc.Login(context.Background(), LoginInput{
|
|
Username: "admin", Password: "new-password-456",
|
|
}, "127.0.0.1")
|
|
if err != nil {
|
|
t.Fatalf("login with new password: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestChangePasswordWrongOld(t *testing.T) {
|
|
svc, _ := newTestAuthService()
|
|
_, err := svc.Setup(context.Background(), SetupInput{
|
|
Username: "admin", Password: "password-123", DisplayName: "Admin",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Setup: %v", err)
|
|
}
|
|
|
|
err = svc.ChangePassword(context.Background(), "1", ChangePasswordInput{
|
|
OldPassword: "wrong-password",
|
|
NewPassword: "new-password-456",
|
|
})
|
|
if err == nil {
|
|
t.Fatalf("expected ChangePassword with wrong old password to fail")
|
|
}
|
|
}
|