OrgTJWater/TJWaterServerBinary
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

初步实现数据加密、权限管理、日志审计等功能

Browse Source
This commit is contained in:
Jiang
2026-02-02 10:09:28 +08:00
parent b6b37a453b
commit 807e634318
27 changed files with 3787 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
app/core/audit.py
View File

@@ -1,3 +1,131 @@
# Placeholder for audit logic
async def log_audit_event(event_type: str, user_id: str, details: dict):
pass
"""
审计日志模块
记录系统关键操作,用于安全审计和合规追踪
"""
from typing import Optional
from datetime import datetime
import logging
logger = logging.getLogger(__name__)
class AuditAction:
"""审计操作类型常量"""
# 认证相关
LOGIN = "LOGIN"
LOGOUT = "LOGOUT"
REGISTER = "REGISTER"
PASSWORD_CHANGE = "PASSWORD_CHANGE"
# 数据操作
CREATE = "CREATE"
READ = "READ"
UPDATE = "UPDATE"
DELETE = "DELETE"
# 权限相关
PERMISSION_CHANGE = "PERMISSION_CHANGE"
ROLE_CHANGE = "ROLE_CHANGE"
# 系统操作
CONFIG_CHANGE = "CONFIG_CHANGE"
SYSTEM_START = "SYSTEM_START"
SYSTEM_STOP = "SYSTEM_STOP"
async def log_audit_event(
action: str,
user_id: Optional[int] = None,
username: Optional[str] = None,
resource_type: Optional[str] = None,
resource_id: Optional[str] = None,
ip_address: Optional[str] = None,
user_agent: Optional[str] = None,
request_method: Optional[str] = None,
request_path: Optional[str] = None,
request_data: Optional[dict] = None,
response_status: Optional[int] = None,
error_message: Optional[str] = None,
db = None # 新增:可选的数据库实例
):
"""
记录审计日志
Args:
action: 操作类型
user_id: 用户ID
username: 用户名
resource_type: 资源类型
resource_id: 资源ID
ip_address: IP地址
user_agent: User-Agent
request_method: 请求方法
request_path: 请求路径
request_data: 请求数据(敏感字段需脱敏)
response_status: 响应状态码
error_message: 错误消息
db: 数据库实例(可选,如果不提供则尝试获取)
"""
from app.infra.repositories.audit_repository import AuditRepository
try:
# 脱敏敏感数据
if request_data:
request_data = sanitize_sensitive_data(request_data)
# 如果没有提供数据库实例,尝试获取(这在中间件中可能不可用)
if db is None:
# 在某些上下文中可能无法获取,此时静默失败
logger.warning("No database instance provided for audit logging")
return
audit_repo = AuditRepository(db)
await audit_repo.create_log(
user_id=user_id,
username=username,
action=action,
resource_type=resource_type,
resource_id=resource_id,
ip_address=ip_address,
user_agent=user_agent,
request_method=request_method,
request_path=request_path,
request_data=request_data,
response_status=response_status,
error_message=error_message
)
logger.info(
f"Audit log created: action={action}, user={username or user_id}, "
f"resource={resource_type}:{resource_id}"
)
except Exception as e:
# 审计日志失败不应影响业务流程
logger.error(f"Failed to create audit log: {e}", exc_info=True)
def sanitize_sensitive_data(data: dict) -> dict:
"""
脱敏敏感数据
Args:
data: 原始数据
Returns:
脱敏后的数据
"""
sensitive_fields = [
'password', 'passwd', 'pwd',
'secret', 'token', 'api_key', 'apikey',
'credit_card', 'ssn', 'social_security'
]
sanitized = data.copy()
for key in sanitized:
if isinstance(sanitized[key], dict):
sanitized[key] = sanitize_sensitive_data(sanitized[key])
elif any(sensitive in key.lower() for sensitive in sensitive_fields):
sanitized[key] = "***REDACTED***"
return sanitized

8
app/core/config.py
View File

@@ -3,9 +3,15 @@ from pydantic_settings import BaseSettings
class Settings(BaseSettings):
PROJECT_NAME: str = "TJWater Server"
API_V1_STR: str = "/api/v1"
SECRET_KEY: str = "your-secret-key-here" # Change in production
# JWT 配置
SECRET_KEY: str = "your-secret-key-here-change-in-production-use-openssl-rand-hex-32"
ALGORITHM: str = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
REFRESH_TOKEN_EXPIRE_DAYS: int = 7
# 数据加密密钥 (使用 Fernet)
ENCRYPTION_KEY: str = "" # 必须从环境变量设置
# Database Config (PostgreSQL)
DB_NAME: str = "tjwater"

88
app/core/encryption.py
View File

@@ -1,9 +1,87 @@
# Placeholder for encryption logic
from cryptography.fernet import Fernet
from typing import Optional
import base64
import os
class Encryptor:
"""
使用 Fernet (对称加密) 实现数据加密/解密
适用于加密敏感配置、用户数据等
"""
def __init__(self, key: Optional[bytes] = None):
"""
初始化加密器
Args:
key: 加密密钥,如果为 None 则从环境变量读取
"""
if key is None:
key_str = os.getenv("ENCRYPTION_KEY")
if not key_str:
raise ValueError(
"ENCRYPTION_KEY not found in environment variables. "
"Generate one using: Encryptor.generate_key()"
)
key = key_str.encode()
self.fernet = Fernet(key)
def encrypt(self, data: str) -> str:
return data # Implement actual encryption
"""
加密字符串
Args:
data: 待加密的明文字符串
Returns:
Base64 编码的加密字符串
"""
if not data:
return data
encrypted_bytes = self.fernet.encrypt(data.encode())
return encrypted_bytes.decode()
def decrypt(self, data: str) -> str:
return data # Implement actual decryption
"""
解密字符串
Args:
data: Base64 编码的加密字符串
Returns:
解密后的明文字符串
"""
if not data:
return data
decrypted_bytes = self.fernet.decrypt(data.encode())
return decrypted_bytes.decode()
@staticmethod
def generate_key() -> str:
"""
生成新的 Fernet 加密密钥
Returns:
Base64 编码的密钥字符串
"""
key = Fernet.generate_key()
return key.decode()
encryptor = Encryptor()
# 全局加密器实例(懒加载)
_encryptor: Optional[Encryptor] = None
def get_encryptor() -> Encryptor:
"""获取全局加密器实例"""
global _encryptor
if _encryptor is None:
_encryptor = Encryptor()
return _encryptor
# 向后兼容(延迟加载)
def __getattr__(name):
if name == "encryptor":
return get_encryptor()
raise AttributeError(f"module '{__name__}' has no attribute '{name}'")

57
app/core/security.py
View File

@@ -7,17 +7,72 @@ from app.core.config import settings
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
def create_access_token(subject: Union[str, Any], expires_delta: Optional[timedelta] = None) -> str:
"""
创建 JWT Access Token
Args:
subject: 用户标识通常是用户名或用户ID
expires_delta: 过期时间增量
Returns:
JWT token 字符串
"""
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
to_encode = {"exp": expire, "sub": str(subject)}
to_encode = {
"exp": expire,
"sub": str(subject),
"type": "access",
"iat": datetime.utcnow()
}
encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
return encoded_jwt
def create_refresh_token(subject: Union[str, Any]) -> str:
"""
创建 JWT Refresh Token长期有效
Args:
subject: 用户标识
Returns:
JWT refresh token 字符串
"""
expire = datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
to_encode = {
"exp": expire,
"sub": str(subject),
"type": "refresh",
"iat": datetime.utcnow()
}
encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
return encoded_jwt
def verify_password(plain_password: str, hashed_password: str) -> bool:
"""
验证密码
Args:
plain_password: 明文密码
hashed_password: 密码哈希
Returns:
是否匹配
"""
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password: str) -> str:
"""
生成密码哈希
Args:
password: 明文密码
Returns:
bcrypt 哈希字符串
"""
return pwd_context.hash(password)