YG-Soft/X-Financial
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
86568660a4eeeb76f367097f4e44e366333bedbb
X-Financial/server/tests/test_settings_persistence.py
caoxiaozhu 86568660a4 feat: 重构模型配置存储与 API Key 加密管理 
主要修改点:

1. 遗留密码格式兼容 (server/src/app/core/admin_secret.py)
   - 新增 legacy_admin_secret_to_password_hash(): 将旧版 admin secret 记录转换为标准 scrypt 哈希格式

2. Scrypt 密码验证增强 (server/src/app/core/security.py)
   - verify_password(): 新增 scrypt$ 前缀检测,分流到专用验证函数
   - 新增 verify_scrypt_password(): 解析 scrypt$ 格式哈希并验证

3. 模型配置存储重构 (server/src/app/models/system_model_setting.py)
   - 新增 SystemModelSetting 模型(slot 为 PK)
   - 字段: slot, provider, model_name, endpoint, capability, priority, enabled, api_key_encrypted, created_at, updated_at

4. Settings Repository 扩展 (server/src/app/repositories/settings.py)
   - 新增 get_model_settings(): 获取所有模型配置
   - 新增 get_model_setting(slot): 按 slot 获取单个模型配置

5. Settings Service 重构 (server/src/app/services/settings.py)
   - 新增 ModelSlotConfig dataclass: 封装单个模型槽位的配置属性
   - 新增 MODEL_SLOT_CONFIGS 字典: main/backup/vlm/embedding 四个槽位配置
   - 重构 save_model_settings(): 批量保存模型配置到 SystemModelSetting 表
   - 新增 load_model_settings(): 从 SystemModelSetting 表加载所有模型配置
   - read_settings(): 整合 legacy secrets 与新的 SystemModelSetting 表数据
   - write_settings(): 拆分 model secrets 到 SystemModelSetting 表
   - decrypt_model_secret(): 新增从数据库读取加密的 API Key

6. 数据库模型注册 (server/src/app/db/base.py)
   - 注册 SystemModelSetting 模型

7. 前端 API URL 智能解析 (web/src/services/api.js)
   - 新增 isLoopbackHost(): 判断是否为回环地址
   - 新增 resolveBrowserReachableApiBaseUrl(): 当后端配置为回环地址但浏览器非回环时,自动替换为浏览器 host
   - 改进错误信息: "无法连接 FastAPI 后端服务,请确认后端已启动且浏览器可访问后端端口。"

8. 前端 Session 导航增强 (web/src/composables/useSystemState.js)
   - installSessionNavigation(): 调用 fetchBootstrapState 后设置运行时 API Base URL

9. Settings 视图增强 (web/src/views/SettingsView.vue)
   - API Key 输入框: 新增 @focus="clearModelSecretMask('xxx')" 清除遮罩
   - 新增 .secret-bound-state 提示: 显示"已从数据库加密加载,测试会使用已保存密钥"

10. Settings 脚本增强 (web/src/views/scripts/SettingsView.js)
    - 新增 clearModelSecretMask(slot): 清除指定槽位的 API Key 遮罩状态

11. CSS 样式 (web/src/assets/styles/views/settings-view.css)
    - 新增 .secret-bound-state 样式: 显示数据库已加载密钥的提示样式
2026-05-08 11:14:04 +08:00

133 lines
5.4 KiB
Python
Raw Blame History

from __future__ import annotations
from pathlib import Path
import hashlib
import json
import secrets
import tempfile
from sqlalchemy import create_engine
from sqlalchemy.orm import Session, sessionmaker
from app.core import admin_secret
from app.core import secret_box
from app.db.base import Base
from app.models.system_model_setting import SystemModelSetting
from app.models.system_setting import SystemSetting
from app.models.system_setting_secret import SystemSettingSecret
from app.schemas.settings import SettingsWrite
from app.services.settings import SettingsService
def build_session(db_file: Path) -> Session:
engine = create_engine(
f"sqlite+pysqlite:///{db_file.as_posix()}",
connect_args={"check_same_thread": False},
)
SystemSetting.__table__.create(bind=engine)
SystemSettingSecret.__table__.create(bind=engine)
SystemModelSetting.__table__.create(bind=engine)
session_factory = sessionmaker(bind=engine, autoflush=False, autocommit=False)
return session_factory()
def build_temp_secret_dir() -> Path:
return Path(tempfile.mkdtemp(prefix="xf-settings-test-"))
def test_settings_service_persists_non_secret_and_secret_fields(monkeypatch) -> None:
temp_dir = build_temp_secret_dir()
monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key")
monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None)
with build_session(temp_dir / "settings.db") as db:
service = SettingsService(db)
initial_snapshot = service.get_settings_snapshot()
payload = initial_snapshot.model_dump()
payload["companyForm"]["companyName"] = "YGSOFT"
payload["companyForm"]["displayName"] = "云广软件"
payload["adminForm"]["adminAccount"] = "admin-root"
payload["adminForm"]["adminEmail"] = "admin@example.com"
payload["adminForm"]["newPassword"] = "54321"
payload["adminForm"]["confirmPassword"] = "54321"
payload["llmForm"]["mainModel"] = "glm-4.5"
payload["llmForm"]["mainApiKey"] = "main-secret"
payload["mailForm"]["password"] = "smtp-secret"
saved_snapshot = service.save_settings_snapshot(SettingsWrite(**payload))
assert saved_snapshot.companyForm.companyName == "YGSOFT"
assert saved_snapshot.companyForm.displayName == "云广软件"
assert saved_snapshot.llmForm.mainModel == "glm-4.5"
assert saved_snapshot.llmForm.mainApiKey == ""
assert saved_snapshot.llmForm.mainApiKeyConfigured is True
assert saved_snapshot.mailForm.password == ""
assert saved_snapshot.mailForm.passwordConfigured is True
assert saved_snapshot.adminForm.newPassword == ""
assert saved_snapshot.adminForm.adminPasswordConfigured is True
model_row = db.get(SystemModelSetting, "main")
assert model_row is not None
assert model_row.model_name == "glm-4.5"
assert model_row.api_key_encrypted
assert service.load_saved_model_api_key("main") == "main-secret"
assert service.verify_admin_login("admin-root", "54321") is not None
assert service.verify_admin_login("admin@example.com", "54321") is not None
def test_blank_secret_input_does_not_clear_saved_secret(monkeypatch) -> None:
temp_dir = build_temp_secret_dir()
monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key")
monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None)
with build_session(temp_dir / "settings.db") as db:
service = SettingsService(db)
first_payload = service.get_settings_snapshot().model_dump()
first_payload["llmForm"]["mainApiKey"] = "persisted-key"
service.save_settings_snapshot(SettingsWrite(**first_payload))
second_payload = service.get_settings_snapshot().model_dump()
second_payload["llmForm"]["mainApiKey"] = ""
service.save_settings_snapshot(SettingsWrite(**second_payload))
assert service.load_saved_model_api_key("main") == "persisted-key"
def test_legacy_setup_admin_password_is_migrated_to_database(monkeypatch) -> None:
temp_dir = build_temp_secret_dir()
admin_file = temp_dir / "admin.json"
monkeypatch.setattr(admin_secret, "ADMIN_SECRET_FILE", admin_file)
monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key")
monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None)
password = "setup-secret"
salt = secrets.token_bytes(16)
derived_key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=16384, r=8, p=1, dklen=64)
admin_file.write_text(
json.dumps(
{
"algorithm": "scrypt",
"username": "setup-admin",
"salt": salt.hex(),
"derived_key": derived_key.hex(),
"key_length": 64,
"N": 16384,
"r": 8,
"p": 1,
}
),
encoding="utf-8",
)
with build_session(temp_dir / "settings.db") as db:
service = SettingsService(db)
snapshot = service.get_settings_snapshot()
secrets_row = db.get(SystemSettingSecret, "default")
assert snapshot.adminForm.adminPasswordConfigured is True
assert secrets_row is not None
assert secrets_row.admin_password_hash.startswith("scrypt$")
assert service.verify_admin_login("setup-admin", password) is not None
Reference in New Issue View Git Blame Copy Permalink