YG-Soft/X-Financial
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 支持 ONLYOFFICE 持久化配置管理

Browse Source 
- 添加 SettingsRenderForm schema 和 renderForm 字段
- 实现数据库 schema 自动迁移(onlyoffice_enabled, onlyoffice_public_url, onlyoffice_jwt_secret_encrypted)
- 新增 resolve_onlyoffice_settings() 函数支持运行时配置解析
- 知识库服务改用数据库配置替代运行时配置
- 前端添加文件渲染配置页面,支持 JWT 密钥管理
- 完善相关测试覆盖
This commit is contained in:
caoxiaozhu
2026-05-09 08:02:01 +00:00
parent 94122fd34b
commit 4fbd313f35
14 changed files with 735 additions and 314 deletions
Download Patch File Download Diff File Expand all files Collapse all files

341
server/src/app/services/settings.py
View File

@@ -1,20 +1,22 @@
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from sqlalchemy.orm import Session
from app.core.admin_secret import legacy_admin_secret_to_password_hash, read_admin_secret, verify_admin_secret
from app.core.config import get_settings
from app.core.secret_box import decrypt_secret, encrypt_secret
from app.core.security import hash_password, verify_password
from app.db.base import Base
from app.models.system_model_setting import SystemModelSetting
from app.models.system_setting import SystemSetting
from app.models.system_setting_secret import SystemSettingSecret
from app.repositories.settings import SETTINGS_ROW_ID, SettingsRepository
from app.schemas.settings import SettingsRead, SettingsWrite
from dataclasses import dataclass
from datetime import datetime
from sqlalchemy import inspect, text
from sqlalchemy.orm import Session
from app.core.admin_secret import legacy_admin_secret_to_password_hash, read_admin_secret, verify_admin_secret
from app.core.config import get_settings
from app.core.secret_box import decrypt_secret, encrypt_secret
from app.core.security import hash_password, verify_password
from app.db.base import Base
from app.db.session import get_session_factory
from app.models.system_model_setting import SystemModelSetting
from app.models.system_setting import SystemSetting
from app.models.system_setting_secret import SystemSettingSecret
from app.repositories.settings import SETTINGS_ROW_ID, SettingsRepository
from app.schemas.settings import SettingsRead, SettingsWrite
@dataclass(frozen=True, slots=True)
@@ -79,25 +81,34 @@ MODEL_SLOT_CONFIGS = {
@dataclass(slots=True)
class AdminCredentialRecord:
account: str
email: str
password_hash: str
class SettingsService:
class AdminCredentialRecord:
account: str
email: str
password_hash: str
@dataclass(frozen=True, slots=True)
class OnlyOfficeRuntimeConfig:
enabled: bool
public_url: str
backend_url: str
jwt_secret: str
class SettingsService:
def __init__(self, db: Session) -> None:
self.db = db
self.repository = SettingsRepository(db)
self.runtime_settings = get_settings()
def ensure_settings_ready(self) -> tuple[SystemSetting, SystemSettingSecret]:
Base.metadata.create_all(bind=self.db.get_bind())
settings_row = self.repository.get_settings()
secrets_row = self.repository.get_secrets()
should_commit = False
legacy_admin = read_admin_secret()
def ensure_settings_ready(self) -> tuple[SystemSetting, SystemSettingSecret]:
Base.metadata.create_all(bind=self.db.get_bind())
self._ensure_settings_schema()
settings_row = self.repository.get_settings()
secrets_row = self.repository.get_secrets()
should_commit = False
legacy_admin = read_admin_secret()
if settings_row is None:
settings_row = self._build_default_settings()
@@ -112,14 +123,17 @@ class SettingsService:
if legacy_admin is not None and not secrets_row.admin_password_hash:
secrets_row.admin_password_hash = legacy_admin_secret_to_password_hash(legacy_admin)
admin_username = str(legacy_admin.get("username", "")).strip()
if admin_username and str(settings_row.admin_account or "").strip() in {"", "superadmin"}:
settings_row.admin_account = admin_username
should_commit = True
if should_commit:
self.db.commit()
self.db.refresh(settings_row)
self.db.refresh(secrets_row)
if admin_username and str(settings_row.admin_account or "").strip() in {"", "superadmin"}:
settings_row.admin_account = admin_username
should_commit = True
if self._sync_onlyoffice_defaults(settings_row, secrets_row):
should_commit = True
if should_commit:
self.db.commit()
self.db.refresh(settings_row)
self.db.refresh(secrets_row)
return settings_row, secrets_row
@@ -207,31 +221,42 @@ class SettingsService:
payload.llmForm.vlmEndpoint,
payload.llmForm.vlmApiKey,
)
self._apply_model_setting(
model_rows["embedding"],
payload.llmForm.embeddingProvider,
payload.llmForm.embeddingModel,
payload.llmForm.embeddingEndpoint,
payload.llmForm.embeddingApiKey,
)
settings_row.main_provider = model_rows["main"].provider
settings_row.main_model = model_rows["main"].model_name
settings_row.main_endpoint = model_rows["main"].endpoint
settings_row.backup_provider = model_rows["backup"].provider
self._apply_model_setting(
model_rows["embedding"],
payload.llmForm.embeddingProvider,
payload.llmForm.embeddingModel,
payload.llmForm.embeddingEndpoint,
payload.llmForm.embeddingApiKey,
)
if payload.renderForm.enabled and not payload.renderForm.publicUrl:
raise ValueError("启用 ONLYOFFICE 时必须配置服务地址。")
if (
payload.renderForm.enabled
and not payload.renderForm.jwtSecret
and not secrets_row.onlyoffice_jwt_secret_encrypted
):
raise ValueError("启用 ONLYOFFICE 时必须配置 JWT 密钥。")
settings_row.main_provider = model_rows["main"].provider
settings_row.main_model = model_rows["main"].model_name
settings_row.main_endpoint = model_rows["main"].endpoint
settings_row.backup_provider = model_rows["backup"].provider
settings_row.backup_model = model_rows["backup"].model_name
settings_row.backup_endpoint = model_rows["backup"].endpoint
settings_row.vlm_provider = model_rows["vlm"].provider
settings_row.vlm_model = model_rows["vlm"].model_name
settings_row.vlm_endpoint = model_rows["vlm"].endpoint
settings_row.embedding_provider = model_rows["embedding"].provider
settings_row.embedding_model = model_rows["embedding"].model_name
settings_row.embedding_endpoint = model_rows["embedding"].endpoint
settings_row.log_level = payload.logForm.level
settings_row.retention_days = payload.logForm.retentionDays
settings_row.archive_cycle = payload.logForm.archiveCycle
settings_row.log_path = payload.logForm.logPath
settings_row.vlm_endpoint = model_rows["vlm"].endpoint
settings_row.embedding_provider = model_rows["embedding"].provider
settings_row.embedding_model = model_rows["embedding"].model_name
settings_row.embedding_endpoint = model_rows["embedding"].endpoint
settings_row.onlyoffice_enabled = payload.renderForm.enabled
settings_row.onlyoffice_public_url = payload.renderForm.publicUrl
settings_row.log_level = payload.logForm.level
settings_row.retention_days = payload.logForm.retentionDays
settings_row.archive_cycle = payload.logForm.archiveCycle
settings_row.log_path = payload.logForm.logPath
settings_row.alert_email = payload.logForm.alertEmail
settings_row.operation_audit = payload.logForm.operationAudit
settings_row.login_audit = payload.logForm.loginAudit
@@ -243,12 +268,17 @@ class SettingsService:
settings_row.sender_name = payload.mailForm.senderName
settings_row.sender_address = payload.mailForm.senderAddress
settings_row.smtp_username = payload.mailForm.username
settings_row.alert_enabled = payload.mailForm.alertEnabled
settings_row.digest_enabled = payload.mailForm.digestEnabled
settings_row.digest_time = payload.mailForm.digestTime
settings_row.default_receiver = payload.mailForm.defaultReceiver
self._replace_secret_if_present(secrets_row, "smtp_password_encrypted", payload.mailForm.password)
settings_row.alert_enabled = payload.mailForm.alertEnabled
settings_row.digest_enabled = payload.mailForm.digestEnabled
settings_row.digest_time = payload.mailForm.digestTime
settings_row.default_receiver = payload.mailForm.defaultReceiver
self._replace_secret_if_present(
secrets_row,
"onlyoffice_jwt_secret_encrypted",
payload.renderForm.jwtSecret,
)
self._replace_secret_if_present(secrets_row, "smtp_password_encrypted", payload.mailForm.password)
self.db.add(settings_row)
self.db.add(secrets_row)
@@ -342,11 +372,11 @@ class SettingsService:
return AdminCredentialRecord(account=admin_username, email=admin_email, password_hash="")
def _build_default_settings(self) -> SystemSetting:
current_year = datetime.now().year
company_name = str(self.runtime_settings.company_name or "X-Financial").strip() or "X-Financial"
company_code = str(self.runtime_settings.company_code or "XF-001").strip() or "XF-001"
admin_email = str(self.runtime_settings.admin_email or "").strip()
def _build_default_settings(self) -> SystemSetting:
current_year = datetime.now().year
company_name = str(self.runtime_settings.company_name or "X-Financial").strip() or "X-Financial"
company_code = str(self.runtime_settings.company_code or "XF-001").strip() or "XF-001"
admin_email = str(self.runtime_settings.admin_email or "").strip()
legacy_admin = read_admin_secret() or {}
admin_account = str(legacy_admin.get("username", "")).strip() or "superadmin"
@@ -369,18 +399,20 @@ class SettingsService:
main_endpoint="https://api.openai.com/v1",
backup_provider="GLM",
backup_model="glm-5.1",
backup_endpoint="https://open.bigmodel.cn/api/paas/v4/",
vlm_provider="Gemini",
vlm_model="gemini-2.5-flash",
vlm_endpoint="https://generativelanguage.googleapis.com/v1beta/openai/",
embedding_provider="GLM",
embedding_model="Embedding-3",
embedding_endpoint="https://open.bigmodel.cn/api/paas/v4/",
log_level="INFO",
retention_days=180,
archive_cycle="weekly",
log_path="server/logs/app.log",
alert_email=admin_email,
backup_endpoint="https://open.bigmodel.cn/api/paas/v4/",
vlm_provider="Gemini",
vlm_model="gemini-2.5-flash",
vlm_endpoint="https://generativelanguage.googleapis.com/v1beta/openai/",
embedding_provider="GLM",
embedding_model="Embedding-3",
embedding_endpoint="https://open.bigmodel.cn/api/paas/v4/",
onlyoffice_enabled=bool(self.runtime_settings.onlyoffice_enabled),
onlyoffice_public_url=str(self.runtime_settings.onlyoffice_public_url or "").strip(),
log_level="INFO",
retention_days=180,
archive_cycle="weekly",
log_path="server/logs/app.log",
alert_email=admin_email,
operation_audit=True,
login_audit=True,
mask_sensitive=True,
@@ -405,11 +437,11 @@ class SettingsService:
setattr(secret_row, field_name, encrypt_secret(normalized))
@staticmethod
def _apply_model_setting(
model_row: SystemModelSetting,
provider: str,
model_name: str,
endpoint: str,
def _apply_model_setting(
model_row: SystemModelSetting,
provider: str,
model_name: str,
endpoint: str,
api_key: str,
) -> None:
model_row.provider = provider
@@ -417,13 +449,71 @@ class SettingsService:
model_row.endpoint = endpoint
normalized_api_key = api_key.strip()
if normalized_api_key:
model_row.api_key_encrypted = encrypt_secret(normalized_api_key)
@staticmethod
def _serialize(
settings_row: SystemSetting,
secrets_row: SystemSettingSecret,
if normalized_api_key:
model_row.api_key_encrypted = encrypt_secret(normalized_api_key)
def _ensure_settings_schema(self) -> None:
bind = self.db.get_bind()
inspector = inspect(bind)
table_names = set(inspector.get_table_names())
migration_statements: list[str] = []
if "system_settings" in table_names:
settings_columns = {column["name"] for column in inspector.get_columns("system_settings")}
if "onlyoffice_enabled" not in settings_columns:
migration_statements.append(
"ALTER TABLE system_settings ADD COLUMN onlyoffice_enabled BOOLEAN DEFAULT 0"
)
if "onlyoffice_public_url" not in settings_columns:
migration_statements.append(
"ALTER TABLE system_settings ADD COLUMN onlyoffice_public_url VARCHAR(512) DEFAULT ''"
)
if "system_setting_secrets" in table_names:
secret_columns = {column["name"] for column in inspector.get_columns("system_setting_secrets")}
if "onlyoffice_jwt_secret_encrypted" not in secret_columns:
migration_statements.append(
"ALTER TABLE system_setting_secrets ADD COLUMN onlyoffice_jwt_secret_encrypted TEXT DEFAULT ''"
)
for statement in migration_statements:
self.db.execute(text(statement))
if migration_statements:
self.db.commit()
def _sync_onlyoffice_defaults(
self,
settings_row: SystemSetting,
secrets_row: SystemSettingSecret,
) -> bool:
should_commit = False
runtime_public_url = str(self.runtime_settings.onlyoffice_public_url or "").strip()
runtime_jwt_secret = str(self.runtime_settings.onlyoffice_jwt_secret or "").strip()
if not str(settings_row.onlyoffice_public_url or "").strip() and runtime_public_url:
settings_row.onlyoffice_public_url = runtime_public_url
should_commit = True
if not secrets_row.onlyoffice_jwt_secret_encrypted and runtime_jwt_secret:
secrets_row.onlyoffice_jwt_secret_encrypted = encrypt_secret(runtime_jwt_secret)
should_commit = True
if (
not settings_row.onlyoffice_enabled
and self.runtime_settings.onlyoffice_enabled
and (runtime_public_url or runtime_jwt_secret)
):
settings_row.onlyoffice_enabled = True
should_commit = True
return should_commit
@staticmethod
def _serialize(
settings_row: SystemSetting,
secrets_row: SystemSettingSecret,
model_rows: dict[str, SystemModelSetting],
) -> SettingsRead:
main_model = model_rows["main"]
@@ -469,15 +559,21 @@ class SettingsService:
"vlmApiKeyConfigured": bool(vlm_model.api_key_encrypted),
"embeddingProvider": embedding_model.provider,
"embeddingModel": embedding_model.model_name,
"embeddingEndpoint": embedding_model.endpoint,
"embeddingApiKey": "",
"embeddingApiKeyConfigured": bool(embedding_model.api_key_encrypted),
},
logForm={
"level": settings_row.log_level,
"retentionDays": settings_row.retention_days,
"archiveCycle": settings_row.archive_cycle,
"logPath": settings_row.log_path,
"embeddingEndpoint": embedding_model.endpoint,
"embeddingApiKey": "",
"embeddingApiKeyConfigured": bool(embedding_model.api_key_encrypted),
},
renderForm={
"enabled": settings_row.onlyoffice_enabled,
"publicUrl": settings_row.onlyoffice_public_url,
"jwtSecret": "",
"jwtSecretConfigured": bool(secrets_row.onlyoffice_jwt_secret_encrypted),
},
logForm={
"level": settings_row.log_level,
"retentionDays": settings_row.retention_days,
"archiveCycle": settings_row.archive_cycle,
"logPath": settings_row.log_path,
"alertEmail": settings_row.alert_email,
"operationAudit": settings_row.operation_audit,
"loginAudit": settings_row.login_audit,
@@ -495,6 +591,41 @@ class SettingsService:
"alertEnabled": settings_row.alert_enabled,
"digestEnabled": settings_row.digest_enabled,
"digestTime": settings_row.digest_time,
"defaultReceiver": settings_row.default_receiver,
},
)
"defaultReceiver": settings_row.default_receiver,
},
)
def resolve_onlyoffice_settings(db: Session | None = None) -> OnlyOfficeRuntimeConfig:
runtime_settings = get_settings()
owned_session = False
session = db
try:
if session is None:
session_factory = get_session_factory()
session = session_factory()
owned_session = True
service = SettingsService(session)
settings_row, secrets_row = service.ensure_settings_ready()
jwt_secret = ""
if secrets_row.onlyoffice_jwt_secret_encrypted:
jwt_secret = decrypt_secret(secrets_row.onlyoffice_jwt_secret_encrypted)
return OnlyOfficeRuntimeConfig(
enabled=settings_row.onlyoffice_enabled,
public_url=str(settings_row.onlyoffice_public_url or "").strip(),
backend_url=str(runtime_settings.onlyoffice_backend_url or "").strip(),
jwt_secret=jwt_secret,
)
except Exception:
return OnlyOfficeRuntimeConfig(
enabled=bool(runtime_settings.onlyoffice_enabled),
public_url=str(runtime_settings.onlyoffice_public_url or "").strip(),
backend_url=str(runtime_settings.onlyoffice_backend_url or "").strip(),
jwt_secret=str(runtime_settings.onlyoffice_jwt_secret or "").strip(),
)
finally:
if owned_session and session is not None:
session.close()