feat(Login): add rsa to password (#1604)

ee612908 · 水淹萌龙 · GitHub · be25adf9 · ee612908 · ee612908
6 changed file
--- a/center/center.go
+++ b/center/center.go
@@ -79,8 +79,10 @@ func Initialize(configDir string, cryptoKey string) (func(), error) {

 	writers := writer.NewWriters(config.Pushgw)

+	httpx.InitRSAConfig(&config.HTTP.RSA)
+
 	alertrtRouter := alertrt.New(config.HTTP, config.Alert, alertMuteCache, targetCache, busiGroupCache, alertStats, ctx, externalProcessors)
-	centerRouter := centerrt.New(config.HTTP, config.Center, cconf.Operations, dsCache, notifyConfigCache, promClients, redis, sso, ctx, metas,idents, targetCache)
+	centerRouter := centerrt.New(config.HTTP, config.Center, cconf.Operations, dsCache, notifyConfigCache, promClients, redis, sso, ctx, metas, idents, targetCache)
 	pushgwRouter := pushgwrt.New(config.HTTP, config.Pushgw, targetCache, busiGroupCache, idents, writers, ctx)

 	r := httpx.GinEngine(config.Global.RunMode, config.HTTP)

--- a/center/router/router.go
+++ b/center/router/router.go
@@ -18,8 +18,8 @@ import (
 	"github.com/ccfos/nightingale/v6/pkg/ctx"
 	"github.com/ccfos/nightingale/v6/pkg/httpx"
 	"github.com/ccfos/nightingale/v6/prom"
-	"github.com/ccfos/nightingale/v6/storage"
 	"github.com/ccfos/nightingale/v6/pushgw/idents"
+	"github.com/ccfos/nightingale/v6/storage"

 	"github.com/gin-gonic/gin"
 	"github.com/rakyll/statik/fs"
@@ -36,7 +36,7 @@ type Router struct {
 	PromClients       *prom.PromClientMap
 	Redis             storage.Redis
 	MetaSet           *metas.Set
-	IdentSet           *idents.Set
+	IdentSet          *idents.Set
 	TargetCache       *memsto.TargetCacheType
 	Sso               *sso.SsoClient
 	Ctx               *ctx.Context
@@ -170,6 +170,7 @@ func (rt *Router) Config(r *gin.Engine) {
 		pages.GET("/auth/ifshowcaptcha", rt.ifShowCaptcha)

 		pages.GET("/auth/sso-config", rt.ssoConfigNameGet)
+		pages.GET("/auth/rsa-config", rt.rsaConfigGet)
 		pages.GET("/auth/redirect", rt.loginRedirect)
 		pages.GET("/auth/redirect/cas", rt.loginRedirectCas)
 		pages.GET("/auth/redirect/oauth", rt.loginRedirectOAuth)

--- a/center/router/router_login.go
+++ b/center/router/router_login.go
 package router

 import (
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -12,6 +13,7 @@ import (
 	"github.com/ccfos/nightingale/v6/pkg/ldapx"
 	"github.com/ccfos/nightingale/v6/pkg/oauth2x"
 	"github.com/ccfos/nightingale/v6/pkg/oidcx"
+	"github.com/ccfos/nightingale/v6/pkg/secu"
 	"github.com/pelletier/go-toml/v2"

 	"github.com/dgrijalva/jwt-go"
@@ -38,13 +40,23 @@ func (rt *Router) loginPost(c *gin.Context) {
 			return
 		}
 	}
-
-	user, err := models.PassLogin(rt.Ctx, f.Username, f.Password)
+	authPassWord := f.Password
+	// need decode
+	if rt.HTTP.RSA.OpenRSA {
+		decPassWord, err := secu.Decrypt(f.Password, rt.HTTP.RSA.RSAPrivateKey, rt.HTTP.RSA.RSAPassWord)
+		if err != nil {
+			logger.Errorf("RSA Decrypt failed: %v username: %s", err, f.Username)
+			ginx.NewRender(c).Message(err)
+			return
+		}
+		authPassWord = decPassWord
+	}
+	user, err := models.PassLogin(rt.Ctx, f.Username, authPassWord)
 	if err != nil {
 		// pass validate fail, try ldap
 		if rt.Sso.LDAP.Enable {
 			roles := strings.Join(rt.Sso.LDAP.DefaultRoles, " ")
-			user, err = models.LdapLogin(rt.Ctx, f.Username, f.Password, roles, rt.Sso.LDAP)
+			user, err = models.LdapLogin(rt.Ctx, f.Username, authPassWord, roles, rt.Sso.LDAP)
 			if err != nil {
 				logger.Debugf("ldap login failed: %v username: %s", err, f.Username)
 				ginx.NewRender(c).Message(err)
@@ -548,3 +560,19 @@ func (rt *Router) ssoConfigUpdate(c *gin.Context) {

 	ginx.NewRender(c).Message(nil)
 }
+
+type RSAConfigOutput struct {
+	OpenRSA      bool
+	RSAPublicKey string
+}
+
+func (rt *Router) rsaConfigGet(c *gin.Context) {
+	publicKey := ""
+	if rt.HTTP.RSA.OpenRSA {
+		publicKey = base64.StdEncoding.EncodeToString(rt.HTTP.RSA.RSAPublicKey)
+	}
+	ginx.NewRender(c).Data(RSAConfigOutput{
+		OpenRSA:      rt.HTTP.RSA.OpenRSA,
+		RSAPublicKey: publicKey,
+	}, nil)
+}
--- a/etc/config.toml
+++ b/etc/config.toml
@@ -70,6 +70,16 @@ Enable = false
 HeaderUserNameKey = "X-User-Name"
 DefaultRoles = ["Standard"]

+[HTTP.RSA]
+# open RSA
+OpenRSA = false
+# RSA public key
+RSAPublicKeyPath = "/etc/n9e/public.pem"
+# RSA private key
+RSAPrivateKeyPath = "/etc/n9e/private.pem"
+# RSA private key password
+RSAPassWord = ""
+
 [DB]
 # postgres: host=%s port=%s user=%s dbname=%s password=%s sslmode=%s
 DSN="root:1234@tcp(127.0.0.1:3306)/n9e_v6?charset=utf8mb4&parseTime=True&loc=Local&allowNativePasswords=true"

--- a/pkg/httpx/httpx.go
+++ b/pkg/httpx/httpx.go
@@ -34,6 +34,16 @@ type Config struct {
 	ShowCaptcha      ShowCaptcha
 	APIForAgent      BasicAuths
 	APIForService    BasicAuths
+	RSA              RSAConfig
+}
+
+type RSAConfig struct {
+	OpenRSA           bool
+	RSAPublicKey      []byte
+	RSAPublicKeyPath  string
+	RSAPrivateKey     []byte
+	RSAPrivateKeyPath string
+	RSAPassWord       string
 }

 type ShowCaptcha struct {
@@ -150,3 +160,22 @@ func Init(cfg Config, handler http.Handler) func() {
 		}
 	}
 }
+
+func InitRSAConfig(rsaConfig *RSAConfig) {
+	if !rsaConfig.OpenRSA {
+		return
+	}
+	// 读取公钥配置文件
+	//获取文件内容
+	publicBuf, err := os.ReadFile(rsaConfig.RSAPublicKeyPath)
+	if err != nil {
+		panic(fmt.Errorf("could not read RSAPublicKeyPath %q: %v", rsaConfig.RSAPublicKeyPath, err))
+	}
+	rsaConfig.RSAPublicKey = publicBuf
+	// 读取私钥配置文件
+	privateBuf, err := os.ReadFile(rsaConfig.RSAPrivateKeyPath)
+	if err != nil {
+		panic(fmt.Errorf("could not read RSAPrivateKeyPath %q: %v", rsaConfig.RSAPrivateKeyPath, err))
+	}
+	rsaConfig.RSAPrivateKey = privateBuf
+}
--- a/pkg/secu/rsa.go
+++ b/pkg/secu/rsa.go
+package secu
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+
+	"github.com/toolkits/pkg/logger"
+)
+
+func Decrypt(cipherText string, privateKeyByte []byte, password string) (decrypted string, err error) {
+	decodeCipher, _ := base64.StdEncoding.DecodeString(cipherText)
+	//pem解码
+	block, _ := pem.Decode(privateKeyByte)
+	var privateKey *rsa.PrivateKey
+	if password != "" {
+		decryptedPrivateKeyBytes, err := x509.DecryptPEMBlock(block, []byte(password))
+		if err != nil {
+			logger.Error("Failed to DecryptPEMBlock:", err)
+			return "", err
+		}
+		privateKey, err = x509.ParsePKCS1PrivateKey(decryptedPrivateKeyBytes)
+	} else {
+		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
+	}
+	if err != nil {
+		logger.Error("Failed to parse private key:", err)
+		return "", err
+	}
+	decryptedByte, err := rsa.DecryptPKCS1v15(rand.Reader, privateKey, decodeCipher)
+	if err != nil {
+		logger.Error("Failed to decrypt data:", err)
+		return "", err
+	}
+	return string(decryptedByte), err
+}