fix: 修复系统级授权无法查看密钥的bug

2024-12-26 23:15:35 +08:00 · 2024-12-26 23:15:35 +08:00 · 8644348fc4
parent 00dc226bd2
commit 8644348fc4
6 changed files with 55 additions and 18 deletions
--- a/packages/libs/lib-server/src/system/settings/service/models.ts
+++ b/packages/libs/lib-server/src/system/settings/service/models.ts
@ -112,6 +112,17 @@ export class SysSecretBackup extends BaseSettings {
  encryptSecret?: string;
 }

+/**
+ * 不要修改
+ */
+export class SysSecret extends BaseSettings {
+  static __title__ = '密钥信息';
+  static __key__ = 'sys.secret';
+  static __access__ = 'private';
+  siteId?: string;
+  encryptSecret?: string;
+}
+
 export class SysSiteEnv {
  agent?: {
    enabled?: boolean;
--- a/packages/libs/lib-server/src/system/settings/service/sys-settings-service.ts
+++ b/packages/libs/lib-server/src/system/settings/service/sys-settings-service.ts
@ -1,25 +1,22 @@
-import { Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
+import { Provide, Scope, ScopeEnum } from '@midwayjs/core';
 import { InjectEntityModel } from '@midwayjs/typeorm';
 import { Repository } from 'typeorm';
 import { SysSettingsEntity } from '../entity/sys-settings.js';
-import { CacheManager } from '@midwayjs/cache';
-import { BaseSettings, SysInstallInfo, SysPrivateSettings, SysPublicSettings, SysSecretBackup } from './models.js';
+import { BaseSettings, SysInstallInfo, SysPrivateSettings, SysPublicSettings, SysSecret, SysSecretBackup } from './models.js';
 import * as _ from 'lodash-es';
 import { BaseService } from '../../../basic/index.js';
-import { logger, setGlobalProxy } from '@certd/basic';
+import { cache, logger, setGlobalProxy } from '@certd/basic';
 import * as dns from 'node:dns';
+
 /**
 * 设置
 */
@Provide()
-@Scope(ScopeEnum.Request, { allowDowngrade: true })
+@Scope(ScopeEnum.Singleton)
 export class SysSettingsService extends BaseService<SysSettingsEntity> {
  @InjectEntityModel(SysSettingsEntity)
  repository: Repository<SysSettingsEntity>;

-  @Inject()
-  cache: CacheManager; // 依赖注入CacheManager
-
  getRepository() {
    return this.repository;
  }
@ -72,7 +69,7 @@ export class SysSettingsService extends BaseService<SysSettingsEntity> {
  async getSetting<T>(type: any): Promise<T> {
    const key = type.__key__;
    const cacheKey = type.getCacheKey();
-    const settings: T = await this.cache.get(cacheKey);
+    const settings: T = cache.get(cacheKey);
    if (settings) {
      return settings;
    }
@ -80,7 +77,7 @@ export class SysSettingsService extends BaseService<SysSettingsEntity> {
    const savedSettings = await this.getSettingByKey(key);
    newSetting = _.merge(newSetting, savedSettings);
    await this.saveSetting(newSetting);
-    await this.cache.set(cacheKey, newSetting);
+    cache.set(cacheKey, newSetting);
    return newSetting;
  }

@ -93,6 +90,12 @@ export class SysSettingsService extends BaseService<SysSettingsEntity> {
    if (entity) {
      entity.setting = JSON.stringify(bean);
      entity.access = type.__access__;
+
+      if (key === SysSecretBackup.__key__ || key === SysSecret.__key__) {
+        //备份密钥不允许更新
+        return;
+      }
+
      await this.repository.save(entity);
    } else {
      const newEntity = new SysSettingsEntity();
@ -103,7 +106,7 @@ export class SysSettingsService extends BaseService<SysSettingsEntity> {
      await this.repository.save(newEntity);
    }

-    await this.cache.set(cacheKey, bean);
+    cache.set(cacheKey, bean);
  }

  async getPublicSettings(): Promise<SysPublicSettings> {
@ -146,7 +149,7 @@ export class SysSettingsService extends BaseService<SysSettingsEntity> {
    } else {
      throw new Error('该设置不存在');
    }
-    await this.cache.del(`settings.${key}`);
+    cache.delete(`settings.${key}`);
  }

  async backupSecret() {
@ -173,4 +176,20 @@ export class SysSettingsService extends BaseService<SysSettingsEntity> {
      }
    }
  }
+  async getSecret() {
+    const sysSecret = await this.getSetting<SysSecret>(SysSecret);
+    if (sysSecret.encryptSecret) {
+      return sysSecret;
+    }
+    //从备份中读取
+    const settings = await this.getSettingByKey(SysSecretBackup.__key__);
+    if (settings == null || !settings.encryptSecret) {
+      throw new Error('密钥备份不存在');
+    }
+    sysSecret.siteId = settings.siteId;
+    sysSecret.encryptSecret = settings.encryptSecret;
+    await this.saveSetting(sysSecret);
+    logger.info('密钥恢复成功');
+    return sysSecret;
+  }
 }
--- a/packages/libs/lib-server/src/user/access/service/encrypt-service.ts
+++ b/packages/libs/lib-server/src/user/access/service/encrypt-service.ts
@ -1,6 +1,6 @@
 import { Init, Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
 import crypto from 'crypto';
-import { SysPrivateSettings, SysSettingsService } from '../../../system/index.js';
+import { SysSecret, SysSettingsService } from '../../../system/index.js';

 /**
 * 授权
@ -15,8 +15,8 @@ export class EncryptService {

  @Init()
  async init() {
-    const privateInfo: SysPrivateSettings = await this.sysSettingService.getSetting(SysPrivateSettings);
-    this.secretKey = Buffer.from(privateInfo.encryptSecret, 'base64');
+    const secret: SysSecret = await this.sysSettingService.getSecret();
+    this.secretKey = Buffer.from(secret.encryptSecret, 'base64');
  }

  // 加密函数
--- a/packages/ui/certd-server/src/controller/sys/access/access-controller.ts
+++ b/packages/ui/certd-server/src/controller/sys/access/access-controller.ts
@ -1,5 +1,5 @@
 import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
-import { AccessService } from '@certd/lib-server';
+import { AccessService, Constants } from '@certd/lib-server';
 import { AccessController } from '../../pipeline/access-controller.js';
 import { checkComm } from '@certd/plus-core';

@ -55,6 +55,12 @@ export class SysAccessController extends AccessController {
    return await super.define(type);
  }

+  @Post('/getSecretPlain', { summary: Constants.per.authOnly })
+  async getSecretPlain(@Body(ALL) body: { id: number; key: string }) {
+    const value = await this.service.getById(body.id, 0);
+    return this.ok(value[body.key]);
+  }
+
  @Post('/accessTypeDict', { summary: 'sys:settings:view' })
  async getAccessTypeDict() {
    return await super.getAccessTypeDict();
--- a/packages/ui/certd-server/src/modules/auto/auto-a-init-site.ts
+++ b/packages/ui/certd-server/src/modules/auto/auto-a-init-site.ts
@ -45,6 +45,9 @@ export class AutoAInitSite {

    await this.sysSettingsService.backupSecret();

+    //加载一次密钥
+    await this.sysSettingsService.getSecret();
+
    await this.sysSettingsService.reloadPrivateSettings();

    // 授权许可
--- a/packages/ui/certd-server/src/modules/auto/auto-c-register-cron.ts
+++ b/packages/ui/certd-server/src/modules/auto/auto-c-register-cron.ts
@ -14,8 +14,6 @@ export class AutoCRegisterCron {
  @Config('cron.onlyAdminUser')
  private onlyAdminUser: boolean;

-  // @Inject()
-  // echoPlugin: EchoPlugin;
  @Config('cron.immediateTriggerOnce')
  private immediateTriggerOnce = false;