Merge d4ea530bfc into 3227e30b3e

2025-02-02 09:38:13 -05:00 · 2024-12-21 00:51:27 +08:00
12 changed files with 60 additions and 154 deletions
--- a/cmd/dashboard/controller/jwt.go
+++ b/cmd/dashboard/controller/jwt.go
@ -88,21 +88,18 @@ func authenticator() func(c *gin.Context) (interface{}, error) {
 		}
 		var user model.User
 		realip := c.GetString(model.CtxKeyRealIPStr)
 		if err := singleton.DB.Select("id", "password").Where("username = ?", loginVals.Username).First(&user).Error; err != nil {
 			if err == gorm.ErrRecordNotFound {
-				model.BlockIP(singleton.DB, realip, model.WAFBlockReasonTypeLoginFail, model.BlockIDUnknownUser)
+				model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
 			}
 			return nil, jwt.ErrFailedAuthentication
 		}
 		if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(loginVals.Password)); err != nil {
-			model.BlockIP(singleton.DB, realip, model.WAFBlockReasonTypeLoginFail, int64(user.ID))
+			model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
 			return nil, jwt.ErrFailedAuthentication
 		}
 		model.ClearIP(singleton.DB, realip, model.BlockIDUnknownUser)
 		model.ClearIP(singleton.DB, realip, int64(user.ID))
 		return utils.Itoa(user.ID), nil
 	}
 }
@ -172,10 +169,10 @@ func optionalAuthMiddleware(mw *jwt.GinJWTMiddleware) func(c *gin.Context) {
 		identity := mw.IdentityHandler(c)
 		if identity != nil {
-			model.ClearIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.BlockIDToken)
+			model.ClearIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr))
 			c.Set(mw.IdentityKey, identity)
 		} else {
-			if err := model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeBruteForceToken, model.BlockIDToken); err != nil {
+			if err := model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeBruteForceToken); err != nil {
 				waf.ShowBlockPage(c, err)
 				return
 			}
--- a/cmd/dashboard/controller/user.go
+++ b/cmd/dashboard/controller/user.go
@ -151,6 +151,6 @@ func batchDeleteUser(c *gin.Context) (any, error) {
 		return nil, singleton.Localizer.ErrorT("can't delete yourself")
 	}
-	err := singleton.OnUserDelete(ids, newGormError)
+	singleton.OnUserDelete(ids)
-	return nil, err
+	return nil, singleton.DB.Where("id IN (?)", ids).Delete(&model.User{}).Error
 }
--- a/cmd/dashboard/controller/waf.go
+++ b/cmd/dashboard/controller/waf.go
@ -1,8 +1,6 @@
 package controller
 import (
 	"strconv"
 	"github.com/gin-gonic/gin"
 	"github.com/nezhahq/nezha/model"
@ -15,24 +13,12 @@ import (
 // @Schemes
 // @Description List server
 // @Tags auth required
 // @Param limit query uint false "Page limit"
 // @Param offset query uint false "Page offset"
 // @Produce json
 // @Success 200 {object} model.CommonResponse[[]model.WAFApiMock]
 // @Router /waf [get]
 func listBlockedAddress(c *gin.Context) ([]*model.WAF, error) {
 	limit, err := strconv.Atoi(c.Query("limit"))
 	if err != nil || limit < 1 {
 		limit = 25
 	}
 	offset, err := strconv.Atoi(c.Query("offset"))
 	if err != nil || offset < 1 {
 		offset = 1
 	}
 	var waf []*model.WAF
-	if err := singleton.DB.Limit(limit).Offset(offset).Find(&waf).Error; err != nil {
+	if err := singleton.DB.Find(&waf).Error; err != nil {
 		return nil, err
 	}
--- a/cmd/dashboard/controller/ws.go
+++ b/cmd/dashboard/controller/ws.go
@ -107,8 +107,6 @@ func serverStream(c *gin.Context) (any, error) {
 		return nil, newWsError("%v", err)
 	}
 	defer conn.Close()
 	singleton.OnlineUsers.Add(1)
 	defer singleton.OnlineUsers.Add(^uint64(0))
 	count := 0
 	for {
 		stat, err := getServerStat(c, count == 0)
@ -166,7 +164,6 @@ func getServerStat(c *gin.Context, withPublicNote bool) ([]byte, error) {
 		return utils.Json.Marshal(model.StreamServerData{
 			Now:     time.Now().Unix() * 1000,
 			Online:  singleton.OnlineUsers.Load(),
 			Servers: servers,
 		})
 	})
--- a/cmd/dashboard/controller/ws_test.go
+++ b/cmd/dashboard/controller/ws_test.go
@ -1,26 +0,0 @@
 package controller
 import (
 	"sync/atomic"
 	"testing"
 )
 func TestWs(t *testing.T) {
 	onlineUsers := new(atomic.Uint64)
 	onlineUsers.Add(1)
 	if onlineUsers.Load() != 1 {
 		t.Error("onlineUsers.Add(1) failed")
 	}
 	onlineUsers.Add(1)
 	if onlineUsers.Load() != 2 {
 		t.Error("onlineUsers.Add(1) failed")
 	}
 	onlineUsers.Add(^uint64(0))
 	if onlineUsers.Load() != 1 {
 		t.Error("onlineUsers.Add(^uint64(0)) failed")
 	}
 	onlineUsers.Add(^uint64(0))
 	if onlineUsers.Load() != 0 {
 		t.Error("onlineUsers.Add(^uint64(0)) failed")
 	}
 }
--- a/model/server_api.go
+++ b/model/server_api.go
@ -16,7 +16,6 @@ type StreamServer struct {
 type StreamServerData struct {
 	Now     int64          `json:"now,omitempty"`
 	Online  uint64         `json:"online,omitempty"`
 	Servers []StreamServer `json:"servers,omitempty"`
 }
--- a/model/user.go
+++ b/model/user.go
@ -19,10 +19,6 @@ type User struct {
 }
 func (u *User) BeforeSave(tx *gorm.DB) error {
 	if u.AgentSecret != "" {
 		return nil
 	}
 	key, err := utils.GenerateRandomString(32)
 	if err != nil {
 		return err
--- a/model/waf.go
+++ b/model/waf.go
@ -16,30 +16,22 @@ const (
 	WAFBlockReasonTypeAgentAuthFail
 )
 const (
 	BlockIDgRPC = -127 + iota
 	BlockIDToken
 	BlockIDUnknownUser
 )
 type WAFApiMock struct {
-	ID              uint64 `json:"id,omitempty"`
+	IP                 string `json:"ip,omitempty"`
-	IP              string `json:"ip,omitempty"`
+	Count              uint64 `json:"count,omitempty"`
-	BlockReason     uint8  `json:"block_reason,omitempty"`
+	LastBlockReason    uint8  `json:"last_block_reason,omitempty"`
-	BlockTimestamp  uint64 `json:"block_timestamp,omitempty"`
+	LastBlockTimestamp uint64 `json:"last_block_timestamp,omitempty"`
 	BlockIdentifier uint64 `json:"block_identifier,omitempty"`
 }
 type WAF struct {
-	ID              uint64 `gorm:"primaryKey" json:"id,omitempty"`
+	IP                 []byte `gorm:"type:binary(16);primaryKey" json:"ip,omitempty"`
-	IP              []byte `gorm:"type:binary(16);index:idx_block_identifier" json:"ip,omitempty"`
+	Count              uint64 `json:"count,omitempty"`
-	BlockReason     uint8  `json:"block_reason,omitempty"`
+	LastBlockReason    uint8  `json:"last_block_reason,omitempty"`
-	BlockTimestamp  uint64 `json:"block_timestamp,omitempty"`
+	LastBlockTimestamp uint64 `json:"last_block_timestamp,omitempty"`
 	BlockIdentifier int64  `gorm:"index:idx_block_identifier" json:"block_identifier,omitempty"`
 }
 func (w *WAF) TableName() string {
-	return "nz_waf"
+	return "waf"
 }
 func CheckIP(db *gorm.DB, ip string) error {
@ -50,31 +42,22 @@ func CheckIP(db *gorm.DB, ip string) error {
 	if err != nil {
 		return err
 	}
-
+	var w WAF
-	var blockTimestamp uint64
+	result := db.Limit(1).Find(&w, "ip = ?", ipBinary)
 	result := db.Model(&WAF{}).Select("block_timestamp").Order("id desc").Where("ip = ?", ipBinary).Limit(1).Find(&blockTimestamp)
 	if result.Error != nil {
 		return result.Error
 	}
-
+	if result.RowsAffected == 0 { // 检查是否未找到记录
 	// 检查是否未找到记录
 	if result.RowsAffected < 1 {
 		return nil
 	}
 	var count int64
 	if err := db.Model(&WAF{}).Where("ip = ?", ipBinary).Count(&count).Error; err != nil {
 		return err
 	}
 	now := time.Now().Unix()
-	if powAdd(uint64(count), 4, blockTimestamp) > uint64(now) {
+	if powAdd(w.Count, 4, w.LastBlockTimestamp) > uint64(now) {
 		return errors.New("you are blocked by nezha WAF")
 	}
 	return nil
 }
-func ClearIP(db *gorm.DB, ip string, uid int64) error {
+func ClearIP(db *gorm.DB, ip string) error {
 	if ip == "" {
 		return nil
 	}
@ -82,7 +65,7 @@ func ClearIP(db *gorm.DB, ip string, uid int64) error {
 	if err != nil {
 		return err
 	}
-	return db.Unscoped().Delete(&WAF{}, "ip = ? and block_identifier = ?", ipBinary, uid).Error
+	return db.Unscoped().Delete(&WAF{}, "ip = ?", ipBinary).Error
 }
 func BatchClearIP(db *gorm.DB, ip []string) error {
@ -100,7 +83,7 @@ func BatchClearIP(db *gorm.DB, ip []string) error {
 	return db.Unscoped().Delete(&WAF{}, "ip in (?)", ips).Error
 }
-func BlockIP(db *gorm.DB, ip string, reason uint8, uid int64) error {
+func BlockIP(db *gorm.DB, ip string, reason uint8) error {
 	if ip == "" {
 		return nil
 	}
@ -108,20 +91,16 @@ func BlockIP(db *gorm.DB, ip string, reason uint8, uid int64) error {
 	if err != nil {
 		return err
 	}
-	w := WAF{
+	var w WAF
-		IP:              ipBinary,
+	w.IP = ipBinary
 		BlockReason:     reason,
 		BlockTimestamp:  uint64(time.Now().Unix()),
 		BlockIdentifier: uid,
 	}
 	return db.Transaction(func(tx *gorm.DB) error {
-		var lastRecord WAF
+		if err := tx.Where(&w).Attrs(WAF{
-		if err := tx.Model(&WAF{}).Order("id desc").Where("ip = ?", ipBinary).First(&lastRecord).Error; err != nil {
+			LastBlockReason:    reason,
-			if !errors.Is(err, gorm.ErrRecordNotFound) {
+			LastBlockTimestamp: uint64(time.Now().Unix()),
-				return err
+		}).FirstOrCreate(&w).Error; err != nil {
-			}
+			return err
 		}
-		return tx.Create(&w).Error
+		return tx.Exec("UPDATE waf SET count = count + 1, last_block_reason = ?, last_block_timestamp = ? WHERE ip = ?", reason, uint64(time.Now().Unix()), ipBinary).Error
 	})
 }
--- a/service/rpc/auth.go
+++ b/service/rpc/auth.go
@ -41,12 +41,12 @@ func (a *authHandler) Check(ctx context.Context) (uint64, error) {
 	userId, ok := singleton.AgentSecretToUserId[clientSecret]
 	if !ok && subtle.ConstantTimeCompare([]byte(clientSecret), []byte(singleton.Conf.AgentSecretKey)) != 1 {
 		singleton.UserLock.RUnlock()
-		model.BlockIP(singleton.DB, ip, model.WAFBlockReasonTypeAgentAuthFail, model.BlockIDgRPC)
+		model.BlockIP(singleton.DB, ip, model.WAFBlockReasonTypeAgentAuthFail)
 		return 0, status.Error(codes.Unauthenticated, "客户端认证失败")
 	}
 	singleton.UserLock.RUnlock()
-	model.ClearIP(singleton.DB, ip, model.BlockIDgRPC)
+	model.ClearIP(singleton.DB, ip)
 	var clientUUID string
 	if value, ok := md["client_uuid"]; ok {
--- a/service/singleton/frontend-templates.yaml
+++ b/service/singleton/frontend-templates.yaml
@ -9,10 +9,10 @@
  name: "Official"
  repository: "https://github.com/hamster1963/nezha-dash-v1"
  author: "hamster1963"
-  version: "v1.7.6"
+  version: "v1.7.4"
  isofficial: true
 - path: "nazhua-dist"
  name: "Nazhua"
  repository: "https://github.com/hi2shark/nazhua"
  author: "hi2hi"
-  version: "v0.4.23"
+  version: "v0.4.22"
--- a/service/singleton/singleton.go
+++ b/service/singleton/singleton.go
@ -3,7 +3,6 @@ package singleton
 import (
 	_ "embed"
 	"log"
 	"sync/atomic"
 	"time"
 	"github.com/patrickmn/go-cache"
@ -24,7 +23,6 @@ var (
 	Loc               *time.Location
 	FrontendTemplates []model.FrontendTemplate
 	DashboardBootTime = uint64(time.Now().Unix())
 	OnlineUsers       = new(atomic.Uint64)
 )
 //go:embed frontend-templates.yaml
--- a/service/singleton/user.go
+++ b/service/singleton/user.go
@ -39,65 +39,50 @@ func OnUserUpdate(u *model.User) {
 	AgentSecretToUserId[u.AgentSecret] = u.ID
 }
-func OnUserDelete(id []uint64, errorFunc func(string, ...interface{}) error) error {
+func OnUserDelete(id []uint64) {
 	UserLock.Lock()
 	defer UserLock.Unlock()
 	if len(id) < 1 {
-		return Localizer.ErrorT("user id not specified")
+		return
 	}
 	var (
-		cron, server   bool
+		cron   bool
-		crons, servers []uint64
+		server bool
 	)
 	for _, uid := range id {
-		err := DB.Transaction(func(tx *gorm.DB) error {
+		secret := UserIdToAgentSecret[uid]
-			CronLock.RLock()
+		delete(AgentSecretToUserId, secret)
-			crons = model.FindUserID(CronList, uid)
+		delete(UserIdToAgentSecret, uid)
 			CronLock.RUnlock()
-			cron = len(crons) > 0
+		CronLock.RLock()
-			if cron {
+		crons := model.FindUserID(CronList, uid)
-				if err := tx.Unscoped().Delete(&model.Cron{}, "id in (?)", crons).Error; err != nil {
+		CronLock.RUnlock()
 					return err
 				}
 			}
-			SortedServerLock.RLock()
+		cron = len(crons) > 0
-			servers = model.FindUserID(SortedServerList, uid)
+		if cron {
-			SortedServerLock.RUnlock()
+			DB.Unscoped().Delete(&model.Cron{}, "id in (?)", crons)
 			OnDeleteCron(crons)
 		}
-			server = len(servers) > 0
+		SortedServerLock.RLock()
-			if server {
+		servers := model.FindUserID(SortedServerList, uid)
 		SortedServerLock.RUnlock()
 		server = len(servers) > 0
 		if server {
 			DB.Transaction(func(tx *gorm.DB) error {
 				if err := tx.Unscoped().Delete(&model.Server{}, "id in (?)", servers).Error; err != nil {
 					return err
 				}
 				if err := tx.Unscoped().Delete(&model.ServerGroupServer{}, "server_id in (?)", servers).Error; err != nil {
 					return err
 				}
-			}
+				return nil
 			})
 			if err := tx.Unscoped().Delete(&model.Transfer{}, "server_id in (?)", servers).Error; err != nil {
 				return err
 			}
 			if err := tx.Where("id IN (?)", id).Delete(&model.User{}).Error; err != nil {
 				return err
 			}
 			return nil
 		})
 		if err != nil {
 			return errorFunc("%v", err)
 		}
 		if cron {
 			OnDeleteCron(crons)
 		}
 		if server {
 			AlertsLock.Lock()
 			for _, sid := range servers {
 				for _, alert := range Alerts {
@ -108,13 +93,10 @@ func OnUserDelete(id []uint64, errorFunc func(string, ...interface{}) error) err
 					}
 				}
 			}
 			DB.Unscoped().Delete(&model.Transfer{}, "server_id in (?)", servers)
 			AlertsLock.Unlock()
 			OnServerDelete(servers)
 		}
 		secret := UserIdToAgentSecret[uid]
 		delete(AgentSecretToUserId, secret)
 		delete(UserIdToAgentSecret, uid)
 	}
 	if cron {
@ -124,6 +106,4 @@ func OnUserDelete(id []uint64, errorFunc func(string, ...interface{}) error) err
 	if server {
 		ReSortServer()
 	}
 	return nil
 }