feat: 完善系统配置、安全增强与知识库功能
- .env.example: API基础路径改为相对路径 /api/v1,支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置,支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本,添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入,增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理,支持多环境变量绑定 - security.py: 增强安全模块,完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口,整合新模块路由 - models/: 完善系统模型配置,支持模型设置持久化 - repositories/settings.py: 优化设置仓储层,增强数据持久化 - services/settings.py: 重构设置服务,精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层,增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI,增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志
This commit is contained in:
@@ -1,63 +1,63 @@
|
||||
from __future__ import annotations
|
||||
|
||||
import hashlib
|
||||
import json
|
||||
import secrets
|
||||
from pathlib import Path
|
||||
|
||||
from app.core.config import SERVER_DIR
|
||||
|
||||
ADMIN_SECRET_FILE = SERVER_DIR / ".secrets" / "admin.json"
|
||||
|
||||
|
||||
def read_admin_secret() -> dict[str, object] | None:
|
||||
if not ADMIN_SECRET_FILE.exists():
|
||||
return None
|
||||
|
||||
try:
|
||||
payload = json.loads(ADMIN_SECRET_FILE.read_text(encoding="utf-8"))
|
||||
except (OSError, json.JSONDecodeError):
|
||||
return None
|
||||
|
||||
if (
|
||||
payload
|
||||
and payload.get("algorithm") == "scrypt"
|
||||
and isinstance(payload.get("username"), str)
|
||||
and isinstance(payload.get("salt"), str)
|
||||
and isinstance(payload.get("derived_key"), str)
|
||||
):
|
||||
return payload
|
||||
|
||||
return None
|
||||
|
||||
|
||||
def verify_admin_secret(password: str, record: dict[str, object]) -> bool:
|
||||
try:
|
||||
salt = bytes.fromhex(str(record["salt"]))
|
||||
stored_key = bytes.fromhex(str(record["derived_key"]))
|
||||
key_length = int(record.get("key_length", 64))
|
||||
n_value = int(record.get("N", 16384))
|
||||
r_value = int(record.get("r", 8))
|
||||
p_value = int(record.get("p", 1))
|
||||
except (KeyError, TypeError, ValueError):
|
||||
return False
|
||||
|
||||
derived_key = hashlib.scrypt(
|
||||
password.encode("utf-8"),
|
||||
salt=salt,
|
||||
n=n_value,
|
||||
r=r_value,
|
||||
p=p_value,
|
||||
dklen=key_length,
|
||||
)
|
||||
return secrets.compare_digest(derived_key, stored_key)
|
||||
|
||||
|
||||
def legacy_admin_secret_to_password_hash(record: dict[str, object]) -> str:
|
||||
salt = str(record["salt"])
|
||||
derived_key = str(record["derived_key"])
|
||||
key_length = int(record.get("key_length", 64))
|
||||
n_value = int(record.get("N", 16384))
|
||||
r_value = int(record.get("r", 8))
|
||||
p_value = int(record.get("p", 1))
|
||||
return f"scrypt${n_value}${r_value}${p_value}${key_length}${salt}${derived_key}"
|
||||
from __future__ import annotations
|
||||
|
||||
import hashlib
|
||||
import json
|
||||
import secrets
|
||||
from pathlib import Path
|
||||
|
||||
from app.core.config import SERVER_DIR
|
||||
|
||||
ADMIN_SECRET_FILE = SERVER_DIR / ".secrets" / "admin.json"
|
||||
|
||||
|
||||
def read_admin_secret() -> dict[str, object] | None:
|
||||
if not ADMIN_SECRET_FILE.exists():
|
||||
return None
|
||||
|
||||
try:
|
||||
payload = json.loads(ADMIN_SECRET_FILE.read_text(encoding="utf-8"))
|
||||
except (OSError, json.JSONDecodeError):
|
||||
return None
|
||||
|
||||
if (
|
||||
payload
|
||||
and payload.get("algorithm") == "scrypt"
|
||||
and isinstance(payload.get("username"), str)
|
||||
and isinstance(payload.get("salt"), str)
|
||||
and isinstance(payload.get("derived_key"), str)
|
||||
):
|
||||
return payload
|
||||
|
||||
return None
|
||||
|
||||
|
||||
def verify_admin_secret(password: str, record: dict[str, object]) -> bool:
|
||||
try:
|
||||
salt = bytes.fromhex(str(record["salt"]))
|
||||
stored_key = bytes.fromhex(str(record["derived_key"]))
|
||||
key_length = int(record.get("key_length", 64))
|
||||
n_value = int(record.get("N", 16384))
|
||||
r_value = int(record.get("r", 8))
|
||||
p_value = int(record.get("p", 1))
|
||||
except (KeyError, TypeError, ValueError):
|
||||
return False
|
||||
|
||||
derived_key = hashlib.scrypt(
|
||||
password.encode("utf-8"),
|
||||
salt=salt,
|
||||
n=n_value,
|
||||
r=r_value,
|
||||
p=p_value,
|
||||
dklen=key_length,
|
||||
)
|
||||
return secrets.compare_digest(derived_key, stored_key)
|
||||
|
||||
|
||||
def legacy_admin_secret_to_password_hash(record: dict[str, object]) -> str:
|
||||
salt = str(record["salt"])
|
||||
derived_key = str(record["derived_key"])
|
||||
key_length = int(record.get("key_length", 64))
|
||||
n_value = int(record.get("N", 16384))
|
||||
r_value = int(record.get("r", 8))
|
||||
p_value = int(record.get("p", 1))
|
||||
return f"scrypt${n_value}${r_value}${p_value}${key_length}${salt}${derived_key}"
|
||||
|
||||
@@ -1,76 +1,84 @@
|
||||
from __future__ import annotations
|
||||
|
||||
from functools import lru_cache
|
||||
from os import environ
|
||||
from pathlib import Path
|
||||
|
||||
from pydantic import Field
|
||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||
|
||||
SERVER_DIR = Path(__file__).resolve().parents[3]
|
||||
ROOT_DIR = SERVER_DIR.parent
|
||||
|
||||
|
||||
class Settings(BaseSettings):
|
||||
model_config = SettingsConfigDict(
|
||||
env_file=(ROOT_DIR / ".env", SERVER_DIR / ".env"),
|
||||
env_file_encoding="utf-8",
|
||||
extra="ignore",
|
||||
)
|
||||
|
||||
app_name: str = Field(default="X-Financial Server", alias="APP_NAME")
|
||||
app_env: str = Field(default="local", alias="APP_ENV")
|
||||
app_debug: bool = Field(default=True, alias="APP_DEBUG")
|
||||
setup_completed: bool = Field(default=False, alias="SETUP_COMPLETED")
|
||||
|
||||
company_name: str = Field(default="", alias="COMPANY_NAME")
|
||||
company_code: str = Field(default="", alias="COMPANY_CODE")
|
||||
admin_email: str = Field(default="", alias="ADMIN_EMAIL")
|
||||
|
||||
web_host: str = Field(default="0.0.0.0", alias="WEB_HOST")
|
||||
web_port: int = Field(default=5173, alias="WEB_PORT")
|
||||
app_host: str = Field(default="0.0.0.0", alias="SERVER_HOST")
|
||||
app_port: int = Field(default=8000, alias="SERVER_PORT")
|
||||
api_v1_prefix: str = Field(default="/api/v1", alias="API_V1_PREFIX")
|
||||
|
||||
postgres_host: str = Field(default="127.0.0.1", alias="POSTGRES_HOST")
|
||||
postgres_port: int = Field(default=5432, alias="POSTGRES_PORT")
|
||||
postgres_db: str = Field(default="x_financial", alias="POSTGRES_DB")
|
||||
postgres_user: str = Field(default="postgres", alias="POSTGRES_USER")
|
||||
postgres_password: str = Field(default="postgres", alias="POSTGRES_PASSWORD")
|
||||
|
||||
database_url: str | None = Field(default=None, alias="DATABASE_URL")
|
||||
sqlalchemy_echo: bool = Field(default=False, alias="SQLALCHEMY_ECHO")
|
||||
|
||||
redis_url: str | None = Field(default=None, alias="REDIS_URL")
|
||||
cors_origins: list[str] = Field(default_factory=list, alias="CORS_ORIGINS")
|
||||
vite_api_base_url: str = Field(
|
||||
default="http://127.0.0.1:8000/api/v1", alias="VITE_API_BASE_URL"
|
||||
)
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from functools import lru_cache
|
||||
from os import environ
|
||||
from pathlib import Path
|
||||
|
||||
from pydantic import Field
|
||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||
|
||||
SERVER_DIR = Path(__file__).resolve().parents[3]
|
||||
ROOT_DIR = SERVER_DIR.parent
|
||||
|
||||
|
||||
class Settings(BaseSettings):
|
||||
model_config = SettingsConfigDict(
|
||||
env_file=(ROOT_DIR / ".env", SERVER_DIR / ".env"),
|
||||
env_file_encoding="utf-8",
|
||||
extra="ignore",
|
||||
)
|
||||
|
||||
app_name: str = Field(default="X-Financial Server", alias="APP_NAME")
|
||||
app_env: str = Field(default="local", alias="APP_ENV")
|
||||
app_debug: bool = Field(default=True, alias="APP_DEBUG")
|
||||
setup_completed: bool = Field(default=False, alias="SETUP_COMPLETED")
|
||||
|
||||
company_name: str = Field(default="", alias="COMPANY_NAME")
|
||||
company_code: str = Field(default="", alias="COMPANY_CODE")
|
||||
admin_email: str = Field(default="", alias="ADMIN_EMAIL")
|
||||
|
||||
web_host: str = Field(default="0.0.0.0", alias="WEB_HOST")
|
||||
web_port: int = Field(default=5173, alias="WEB_PORT")
|
||||
app_host: str = Field(default="0.0.0.0", alias="SERVER_HOST")
|
||||
app_port: int = Field(default=8000, alias="SERVER_PORT")
|
||||
api_v1_prefix: str = Field(default="/api/v1", alias="API_V1_PREFIX")
|
||||
|
||||
postgres_host: str = Field(default="127.0.0.1", alias="POSTGRES_HOST")
|
||||
postgres_port: int = Field(default=5432, alias="POSTGRES_PORT")
|
||||
postgres_db: str = Field(default="x_financial", alias="POSTGRES_DB")
|
||||
postgres_user: str = Field(default="postgres", alias="POSTGRES_USER")
|
||||
postgres_password: str = Field(default="postgres", alias="POSTGRES_PASSWORD")
|
||||
|
||||
database_url: str | None = Field(default=None, alias="DATABASE_URL")
|
||||
sqlalchemy_echo: bool = Field(default=False, alias="SQLALCHEMY_ECHO")
|
||||
|
||||
redis_url: str | None = Field(default=None, alias="REDIS_URL")
|
||||
cors_origins: list[str] = Field(default_factory=list, alias="CORS_ORIGINS")
|
||||
vite_api_base_url: str = Field(
|
||||
default="http://127.0.0.1:8000/api/v1", alias="VITE_API_BASE_URL"
|
||||
)
|
||||
|
||||
log_level: str = Field(default="INFO", alias="LOG_LEVEL")
|
||||
log_dir: str = Field(default="logs", alias="LOG_DIR")
|
||||
log_file_enabled: bool = Field(default=True, alias="LOG_FILE_ENABLED")
|
||||
storage_root_dir: str = Field(default="storage", alias="STORAGE_ROOT_DIR")
|
||||
|
||||
@property
|
||||
def resolved_database_url(self) -> str:
|
||||
if self.database_url:
|
||||
return self.database_url
|
||||
|
||||
|
||||
return (
|
||||
f"postgresql+psycopg://{self.postgres_user}:{self.postgres_password}"
|
||||
f"@{self.postgres_host}:{self.postgres_port}/{self.postgres_db}"
|
||||
)
|
||||
|
||||
|
||||
@lru_cache
|
||||
def get_settings() -> Settings:
|
||||
return Settings()
|
||||
|
||||
|
||||
def refresh_settings(updated_values: dict[str, str]) -> Settings:
|
||||
for key, value in updated_values.items():
|
||||
environ[key] = value
|
||||
|
||||
get_settings.cache_clear()
|
||||
return get_settings()
|
||||
@property
|
||||
def resolved_storage_root_dir(self) -> Path:
|
||||
path = Path(self.storage_root_dir)
|
||||
if not path.is_absolute():
|
||||
path = SERVER_DIR / path
|
||||
return path.resolve()
|
||||
|
||||
|
||||
@lru_cache
|
||||
def get_settings() -> Settings:
|
||||
return Settings()
|
||||
|
||||
|
||||
def refresh_settings(updated_values: dict[str, str]) -> Settings:
|
||||
for key, value in updated_values.items():
|
||||
environ[key] = value
|
||||
|
||||
get_settings.cache_clear()
|
||||
return get_settings()
|
||||
|
||||
@@ -1,71 +1,71 @@
|
||||
from __future__ import annotations
|
||||
|
||||
import hashlib
|
||||
import secrets
|
||||
from base64 import urlsafe_b64decode, urlsafe_b64encode
|
||||
|
||||
PBKDF2_ALGORITHM = "sha256"
|
||||
PBKDF2_ITERATIONS = 120_000
|
||||
SALT_BYTES = 16
|
||||
|
||||
|
||||
def hash_password(password: str) -> str:
|
||||
salt = secrets.token_bytes(SALT_BYTES)
|
||||
digest = hashlib.pbkdf2_hmac(
|
||||
PBKDF2_ALGORITHM,
|
||||
password.encode("utf-8"),
|
||||
salt,
|
||||
PBKDF2_ITERATIONS,
|
||||
)
|
||||
encoded_salt = urlsafe_b64encode(salt).decode("utf-8")
|
||||
encoded_digest = urlsafe_b64encode(digest).decode("utf-8")
|
||||
return f"pbkdf2_{PBKDF2_ALGORITHM}${PBKDF2_ITERATIONS}${encoded_salt}${encoded_digest}"
|
||||
|
||||
|
||||
def verify_password(password: str, password_hash: str) -> bool:
|
||||
if password_hash.startswith("scrypt$"):
|
||||
return verify_scrypt_password(password, password_hash)
|
||||
|
||||
try:
|
||||
scheme, iterations, encoded_salt, encoded_digest = password_hash.split("$", 3)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
if scheme != f"pbkdf2_{PBKDF2_ALGORITHM}":
|
||||
return False
|
||||
|
||||
salt = urlsafe_b64decode(encoded_salt.encode("utf-8"))
|
||||
expected_digest = urlsafe_b64decode(encoded_digest.encode("utf-8"))
|
||||
computed_digest = hashlib.pbkdf2_hmac(
|
||||
PBKDF2_ALGORITHM,
|
||||
password.encode("utf-8"),
|
||||
salt,
|
||||
int(iterations),
|
||||
)
|
||||
return secrets.compare_digest(computed_digest, expected_digest)
|
||||
|
||||
|
||||
def verify_scrypt_password(password: str, password_hash: str) -> bool:
|
||||
try:
|
||||
scheme, n_value, r_value, p_value, key_length, salt_hex, derived_key_hex = password_hash.split("$", 6)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
if scheme != "scrypt":
|
||||
return False
|
||||
|
||||
try:
|
||||
salt = bytes.fromhex(salt_hex)
|
||||
expected_key = bytes.fromhex(derived_key_hex)
|
||||
derived_key = hashlib.scrypt(
|
||||
password.encode("utf-8"),
|
||||
salt=salt,
|
||||
n=int(n_value),
|
||||
r=int(r_value),
|
||||
p=int(p_value),
|
||||
dklen=int(key_length),
|
||||
)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
return secrets.compare_digest(derived_key, expected_key)
|
||||
from __future__ import annotations
|
||||
|
||||
import hashlib
|
||||
import secrets
|
||||
from base64 import urlsafe_b64decode, urlsafe_b64encode
|
||||
|
||||
PBKDF2_ALGORITHM = "sha256"
|
||||
PBKDF2_ITERATIONS = 120_000
|
||||
SALT_BYTES = 16
|
||||
|
||||
|
||||
def hash_password(password: str) -> str:
|
||||
salt = secrets.token_bytes(SALT_BYTES)
|
||||
digest = hashlib.pbkdf2_hmac(
|
||||
PBKDF2_ALGORITHM,
|
||||
password.encode("utf-8"),
|
||||
salt,
|
||||
PBKDF2_ITERATIONS,
|
||||
)
|
||||
encoded_salt = urlsafe_b64encode(salt).decode("utf-8")
|
||||
encoded_digest = urlsafe_b64encode(digest).decode("utf-8")
|
||||
return f"pbkdf2_{PBKDF2_ALGORITHM}${PBKDF2_ITERATIONS}${encoded_salt}${encoded_digest}"
|
||||
|
||||
|
||||
def verify_password(password: str, password_hash: str) -> bool:
|
||||
if password_hash.startswith("scrypt$"):
|
||||
return verify_scrypt_password(password, password_hash)
|
||||
|
||||
try:
|
||||
scheme, iterations, encoded_salt, encoded_digest = password_hash.split("$", 3)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
if scheme != f"pbkdf2_{PBKDF2_ALGORITHM}":
|
||||
return False
|
||||
|
||||
salt = urlsafe_b64decode(encoded_salt.encode("utf-8"))
|
||||
expected_digest = urlsafe_b64decode(encoded_digest.encode("utf-8"))
|
||||
computed_digest = hashlib.pbkdf2_hmac(
|
||||
PBKDF2_ALGORITHM,
|
||||
password.encode("utf-8"),
|
||||
salt,
|
||||
int(iterations),
|
||||
)
|
||||
return secrets.compare_digest(computed_digest, expected_digest)
|
||||
|
||||
|
||||
def verify_scrypt_password(password: str, password_hash: str) -> bool:
|
||||
try:
|
||||
scheme, n_value, r_value, p_value, key_length, salt_hex, derived_key_hex = password_hash.split("$", 6)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
if scheme != "scrypt":
|
||||
return False
|
||||
|
||||
try:
|
||||
salt = bytes.fromhex(salt_hex)
|
||||
expected_key = bytes.fromhex(derived_key_hex)
|
||||
derived_key = hashlib.scrypt(
|
||||
password.encode("utf-8"),
|
||||
salt=salt,
|
||||
n=int(n_value),
|
||||
r=int(r_value),
|
||||
p=int(p_value),
|
||||
dklen=int(key_length),
|
||||
)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
return secrets.compare_digest(derived_key, expected_key)
|
||||
|
||||
Reference in New Issue
Block a user