nezha/service/rpc/auth.go

package rpc

import (
	"context"
	"strings"

	petname "github.com/dustinkirkland/golang-petname"
	"github.com/hashicorp/go-uuid"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"

	"github.com/nezhahq/nezha/model"
	"github.com/nezhahq/nezha/service/singleton"
)

type authHandler struct {
	ClientSecret string
	ClientUUID   string
}

func (a *authHandler) Check(ctx context.Context) (uint64, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return 0, status.Errorf(codes.Unauthenticated, "获取 metaData 失败")
	}

	var clientSecret string
	if value, ok := md["client_secret"]; ok {
		clientSecret = strings.TrimSpace(value[0])
	}

	if clientSecret == "" {
		return 0, status.Error(codes.Unauthenticated, "客户端认证失败")
	}

	ip, _ := ctx.Value(model.CtxKeyRealIP{}).(string)

	singleton.UserLock.RLock()
	userId, ok := singleton.AgentSecretToUserId[clientSecret]
	if !ok {
		singleton.UserLock.RUnlock()
		model.BlockIP(singleton.DB, ip, model.WAFBlockReasonTypeAgentAuthFail, model.BlockIDgRPC)
		return 0, status.Error(codes.Unauthenticated, "客户端认证失败")
	}
	singleton.UserLock.RUnlock()

	model.UnblockIP(singleton.DB, ip, model.BlockIDgRPC)

	var clientUUID string
	if value, ok := md["client_uuid"]; ok {
		clientUUID = value[0]
	}

	if _, err := uuid.ParseUUID(clientUUID); err != nil {
		return 0, status.Error(codes.Unauthenticated, "客户端 UUID 不合法")
	}

	singleton.ServerLock.RLock()
	clientID, hasID := singleton.ServerUUIDToID[clientUUID]
	singleton.ServerLock.RUnlock()

	if !hasID {
		s := model.Server{UUID: clientUUID, Name: petname.Generate(2, "-"), Common: model.Common{
			UserID: userId,
		}}
		if err := singleton.DB.Create(&s).Error; err != nil {
			return 0, status.Error(codes.Unauthenticated, err.Error())
		}
		s.Host = &model.Host{}
		s.State = &model.HostState{}
		s.GeoIP = &model.GeoIP{}

		singleton.ServerLock.Lock()
		singleton.ServerList[s.ID] = &s
		singleton.ServerUUIDToID[clientUUID] = s.ID
		singleton.ServerLock.Unlock()
		singleton.ReSortServer()

		clientID = s.ID
	}

	return clientID, nil
}
Web 服务 2019-12-08 03:59:58 -05:00			`package rpc`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00
			`import (`
			`"context"`
improve: use stream reduce auth check time 2024-11-22 23:43:02 -05:00			`"strings"`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00
report geoip separately, fix server creation & deletion bugs (#14) * new geoip method * report geoip separately, fix server creation & deletion bugs * fix struct tag * fix write name * remove deleteion list * remove rpc realip header * Revert "remove rpc realip header" This reverts commit 8a5f86cf2d7df87f28cfa2a3b3430f449dd6ed73. 2024-11-22 09:40:43 -05:00			`petname "github.com/dustinkirkland/golang-petname"`
			`"github.com/hashicorp/go-uuid"`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/metadata"`
			`"google.golang.org/grpc/status"`
theme-mdui by @MikoyChinese 2022-01-08 22:54:14 -05:00
rename repo 2024-11-28 06:38:54 -05:00			`"github.com/nezhahq/nezha/model"`
			`"github.com/nezhahq/nezha/service/singleton"`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`)`

feat: 去除 webTerminal 的 websocket 依赖 2024-07-14 00:47:36 -04:00			`type authHandler struct {`
客户端授权验证 2019-12-09 03:02:49 -05:00			`ClientSecret string`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`ClientUUID string`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`}`

feat: 去除 webTerminal 的 websocket 依赖 2024-07-14 00:47:36 -04:00			`func (a *authHandler) Check(ctx context.Context) (uint64, error) {`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`md, ok := metadata.FromIncomingContext(ctx)`
			`if !ok {`
♻️ v4: 去掉添加 Agent ID 要求需要更新面板 close #83 2021-01-30 04:10:51 -05:00			`return 0, status.Errorf(codes.Unauthenticated, "获取 metaData 失败")`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`}`
♻️ v4: 去掉添加 Agent ID 要求需要更新面板 close #83 2021-01-30 04:10:51 -05:00
✨ feat: 展示排序 close #29 2021-01-08 08:04:50 -05:00			`var clientSecret string`
展示服务器列表 2019-12-09 05:14:31 -05:00			`if value, ok := md["client_secret"]; ok {`
improve: use stream reduce auth check time 2024-11-22 23:43:02 -05:00			`clientSecret = strings.TrimSpace(value[0])`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`}`

improve: use stream reduce auth check time 2024-11-22 23:43:02 -05:00			`if clientSecret == "" {`
			`return 0, status.Error(codes.Unauthenticated, "客户端认证失败")`
			`}`

			`ip, _ := ctx.Value(model.CtxKeyRealIP{}).(string)`

feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00			`singleton.UserLock.RLock()`
			`userId, ok := singleton.AgentSecretToUserId[clientSecret]`
bug fixes (#918) * bug fixes * fix for backward compatibility * fix init * cleanup * possible fix * optimize permission check * Revert "possible fix" This reverts commit 003f1bbb2aa368aade6702e6019922b7f4871a39. 2024-12-26 10:38:40 -05:00			`if !ok {`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00			`singleton.UserLock.RUnlock()`
			`model.BlockIP(singleton.DB, ip, model.WAFBlockReasonTypeAgentAuthFail, model.BlockIDgRPC)`
report geoip separately, fix server creation & deletion bugs (#14) * new geoip method * report geoip separately, fix server creation & deletion bugs * fix struct tag * fix write name * remove deleteion list * remove rpc realip header * Revert "remove rpc realip header" This reverts commit 8a5f86cf2d7df87f28cfa2a3b3430f449dd6ed73. 2024-11-22 09:40:43 -05:00			`return 0, status.Error(codes.Unauthenticated, "客户端认证失败")`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`}`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00			`singleton.UserLock.RUnlock()`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00
feat: upgrade frontend 2024-12-25 08:02:54 -05:00			`model.UnblockIP(singleton.DB, ip, model.BlockIDgRPC)`
improve: use stream reduce auth check time 2024-11-22 23:43:02 -05:00
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`var clientUUID string`
			`if value, ok := md["client_uuid"]; ok {`
			`clientUUID = value[0]`
			`}`

fix agent connect 2024-10-22 11:44:50 -04:00			`if _, err := uuid.ParseUUID(clientUUID); err != nil {`
report geoip separately, fix server creation & deletion bugs (#14) * new geoip method * report geoip separately, fix server creation & deletion bugs * fix struct tag * fix write name * remove deleteion list * remove rpc realip header * Revert "remove rpc realip header" This reverts commit 8a5f86cf2d7df87f28cfa2a3b3430f449dd6ed73. 2024-11-22 09:40:43 -05:00			`return 0, status.Error(codes.Unauthenticated, "客户端 UUID 不合法")`
fix agent connect 2024-10-22 11:44:50 -04:00			`}`

theme-mdui by @MikoyChinese 2022-01-08 22:54:14 -05:00			`singleton.ServerLock.RLock()`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`clientID, hasID := singleton.ServerUUIDToID[clientUUID]`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00			`singleton.ServerLock.RUnlock()`

🐛 修复修改服务器导致 Agent 离线 2021-07-25 11:50:08 -04:00			`if !hasID {`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00			`s := model.Server{UUID: clientUUID, Name: petname.Generate(2, "-"), Common: model.Common{`
			`UserID: userId,`
			`}}`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`if err := singleton.DB.Create(&s).Error; err != nil {`
report geoip separately, fix server creation & deletion bugs (#14) * new geoip method * report geoip separately, fix server creation & deletion bugs * fix struct tag * fix write name * remove deleteion list * remove rpc realip header * Revert "remove rpc realip header" This reverts commit 8a5f86cf2d7df87f28cfa2a3b3430f449dd6ed73. 2024-11-22 09:40:43 -05:00			`return 0, status.Error(codes.Unauthenticated, err.Error())`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`}`
			`s.Host = &model.Host{}`
			`s.State = &model.HostState{}`
fix: allocate geoip on server creation (#554) 2024-12-05 04:07:31 -05:00			`s.GeoIP = &model.GeoIP{}`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00
			`singleton.ServerLock.Lock()`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00			`singleton.ServerList[s.ID] = &s`
			`singleton.ServerUUIDToID[clientUUID] = s.ID`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00			`singleton.ServerLock.Unlock()`
report geoip separately, fix server creation & deletion bugs (#14) * new geoip method * report geoip separately, fix server creation & deletion bugs * fix struct tag * fix write name * remove deleteion list * remove rpc realip header * Revert "remove rpc realip header" This reverts commit 8a5f86cf2d7df87f28cfa2a3b3430f449dd6ed73. 2024-11-22 09:40:43 -05:00			`singleton.ReSortServer()`
feat: user roles (#852) * [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes 2024-12-21 11:05:41 -05:00
fix agent connect 2024-10-22 11:44:50 -04:00			`clientID = s.ID`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`}`
refactor agent auth & server api 2024-10-20 11:23:04 -04:00
♻️ v4: 去掉添加 Agent ID 要求需要更新面板 close #83 2021-01-30 04:10:51 -05:00			`return clientID, nil`
gRPC 上报系统信息 2019-12-07 05:14:40 -05:00			`}`