@pengzi/kms 1.0.2 → 1.1.1

package/dist/cli/src/repositories/key.repository.js

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * 密钥仓储
+ * 负责密钥的数据访问
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyRepository = void 0;
+const base_repository_1 = require("./base.repository");
+const types_1 = require("../types");
+const types_2 = require("../types");
+class KeyRepository extends base_repository_1.BaseRepository {
+    constructor(db) {
+        super(db, 'keys');
+        this.initializeIndexes();
+    }
+    /**
+     * 初始化索引
+     */
+    async initializeIndexes() {
+        await this.createIndexes([
+            { keyId: 1 },
+            { projectId: 1 },
+            { keyName: 1 },
+            { projectId: 1, keyName: 1 },
+            { keyType: 1 },
+            { status: 1 },
+            { tags: 1 },
+            { expiresAt: 1 },
+            { createdAt: -1 },
+        ]);
+    }
+    /**
+     * 根据密钥ID查找
+     */
+    async findByKeyId(keyId) {
+        return await this.findOne({ keyId });
+    }
+    /**
+     * 根据密钥ID查找，如果不存在则抛出错误
+     */
+    async getByKeyId(keyId) {
+        const key = await this.findByKeyId(keyId);
+        if (!key) {
+            throw new types_2.KeyNotFoundError(keyId);
+        }
+        return key;
+    }
+    /**
+     * 根据项目ID和密钥名称查找
+     */
+    async findByProjectAndName(projectId, keyName) {
+        return await this.findOne({ projectId, keyName });
+    }
+    /**
+     * 查询项目的所有密钥
+     */
+    async findByProjectId(projectId, filters, options) {
+        const query = { projectId };
+        if (filters?.keyType) {
+            query.keyType = filters.keyType;
+        }
+        if (filters?.status) {
+            query.status = filters.status;
+        }
+        if (filters?.tags && filters.tags.length > 0) {
+            query.tags = { $in: filters.tags };
+        }
+        if (filters?.search) {
+            query.keyName = { $regex: filters.search, $options: 'i' };
+        }
+        const total = await this.count(query);
+        const skip = options?.page && options?.limit ? (options.page - 1) * options.limit : 0;
+        const limit = options?.limit || 100;
+        const keys = await this.findMany(query, {
+            sort: { createdAt: -1 },
+            skip,
+            limit,
+        });
+        return { keys, total };
+    }
+    /**
+     * 更新密钥
+     */
+    async updateKey(keyId, updates) {
+        return await this.updateOne({ keyId }, { $set: { ...updates, updatedAt: new Date() } });
+    }
+    /**
+     * 删除密钥（软删除）
+     */
+    async softDeleteKey(keyId) {
+        return await this.updateOne({ keyId }, { $set: { status: types_1.KeyStatus.DELETED, updatedAt: new Date() } });
+    }
+    /**
+     * 永久删除密钥
+     */
+    async hardDeleteKey(keyId) {
+        return await this.deleteOne({ keyId });
+    }
+    /**
+     * 批量查询密钥
+     */
+    async findByKeyIds(keyIds) {
+        return await this.findMany({ keyId: { $in: keyIds } });
+    }
+    /**
+     * 更新密钥最后访问时间
+     */
+    async updateLastAccessed(keyId) {
+        return await this.updateOne({ keyId }, { $set: { lastAccessedAt: new Date() } });
+    }
+    /**
+     * 查询过期密钥
+     */
+    async findExpiredKeys(projectId) {
+        const query = {
+            expiresAt: { $lt: new Date() },
+            status: { $ne: types_1.KeyStatus.DELETED },
+        };
+        if (projectId) {
+            query.projectId = projectId;
+        }
+        return await this.findMany(query);
+    }
+}
+exports.KeyRepository = KeyRepository;

package/dist/cli/src/repositories/project.repository.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * 项目仓储
+ * 负责项目的数据访问
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectRepository = void 0;
+const base_repository_1 = require("./base.repository");
+const types_1 = require("../types");
+const types_2 = require("../types");
+class ProjectRepository extends base_repository_1.BaseRepository {
+    constructor(db) {
+        super(db, 'projects');
+        this.initializeIndexes();
+    }
+    /**
+     * 初始化索引
+     */
+    async initializeIndexes() {
+        await this.createIndexes([
+            { projectId: 1 },
+            { projectName: 1 },
+            { status: 1 },
+            { createdAt: -1 },
+        ]);
+    }
+    /**
+     * 根据项目ID查找
+     */
+    async findByProjectId(projectId) {
+        return await this.findOne({ projectId });
+    }
+    /**
+     * 根据项目ID查找，如果不存在则抛出错误
+     */
+    async getByProjectId(projectId) {
+        const project = await this.findByProjectId(projectId);
+        if (!project) {
+            throw new types_2.ProjectNotFoundError(projectId);
+        }
+        return project;
+    }
+    /**
+     * 根据项目名称查找
+     */
+    async findByProjectName(projectName) {
+        return await this.findOne({ projectName });
+    }
+    /**
+     * 查询项目列表
+     */
+    async findProjects(filter) {
+        const query = {};
+        if (filter?.status) {
+            query.status = filter.status;
+        }
+        if (filter?.projectName) {
+            query.projectName = { $regex: filter.projectName, $options: 'i' };
+        }
+        return await this.findMany(query, { sort: { createdAt: -1 } });
+    }
+    /**
+     * 更新项目
+     */
+    async updateProject(projectId, updates) {
+        return await this.updateOne({ projectId }, { $set: { ...updates, updatedAt: new Date() } });
+    }
+    /**
+     * 删除项目（软删除）
+     */
+    async softDeleteProject(projectId) {
+        return await this.updateOne({ projectId }, { $set: { status: types_1.ProjectStatus.DELETED, updatedAt: new Date() } });
+    }
+    /**
+     * 永久删除项目
+     */
+    async hardDeleteProject(projectId) {
+        return await this.deleteOne({ projectId });
+    }
+}
+exports.ProjectRepository = ProjectRepository;

package/dist/cli/src/repositories/user.repository.js

@@ -0,0 +1,101 @@
+"use strict";
+/**
+ * 用户仓储
+ * 负责用户的数据访问
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserRepository = void 0;
+const base_repository_1 = require("./base.repository");
+const types_1 = require("../types");
+const types_2 = require("../types");
+class UserRepository extends base_repository_1.BaseRepository {
+    constructor(db) {
+        super(db, 'users');
+        this.initializeIndexes();
+    }
+    /**
+     * 初始化索引
+     */
+    async initializeIndexes() {
+        await this.createIndexes([
+            { userId: 1 },
+            { projectId: 1 },
+            { username: 1 },
+            { projectId: 1, username: 1 },
+            { status: 1 },
+            { apiKeyHash: 1 },
+            { createdAt: -1 },
+        ]);
+    }
+    /**
+     * 根据用户ID查找
+     */
+    async findByUserId(userId) {
+        return await this.findOne({ userId });
+    }
+    /**
+     * 根据用户ID查找，如果不存在则抛出错误
+     */
+    async getByUserId(userId) {
+        const user = await this.findByUserId(userId);
+        if (!user) {
+            throw new types_2.UserNotFoundError(userId);
+        }
+        return user;
+    }
+    /**
+     * 根据项目ID和用户名查找
+     */
+    async findByProjectAndUsername(projectId, username) {
+        return await this.findOne({ projectId, username });
+    }
+    /**
+     * 查询项目的所有用户
+     */
+    async findByProjectId(projectId) {
+        return await this.findMany({ projectId }, { sort: { createdAt: -1 } });
+    }
+    /**
+     * 根据API密钥哈希查找用户
+     */
+    async findByApiKeyHash(apiKeyHash) {
+        return await this.findOne({ apiKeyHash });
+    }
+    /**
+     * 更新用户
+     */
+    async updateUser(userId, updates) {
+        return await this.updateOne({ userId }, { $set: { ...updates, updatedAt: new Date() } });
+    }
+    /**
+     * 更新最后登录时间
+     */
+    async updateLastLogin(userId) {
+        return await this.updateOne({ userId }, { $set: { lastLoginAt: new Date() } });
+    }
+    /**
+     * 锁定用户
+     */
+    async lockUser(userId) {
+        return await this.updateOne({ userId }, { $set: { status: types_1.UserStatus.LOCKED, updatedAt: new Date() } });
+    }
+    /**
+     * 激活用户
+     */
+    async activateUser(userId) {
+        return await this.updateOne({ userId }, { $set: { status: types_1.UserStatus.ACTIVE, updatedAt: new Date() } });
+    }
+    /**
+     * 删除用户（软删除）
+     */
+    async softDeleteUser(userId) {
+        return await this.updateOne({ userId }, { $set: { status: types_1.UserStatus.INACTIVE, updatedAt: new Date() } });
+    }
+    /**
+     * 永久删除用户
+     */
+    async hardDeleteUser(userId) {
+        return await this.deleteOne({ userId });
+    }
+}
+exports.UserRepository = UserRepository;

package/dist/cli/src/services/audit.service.js

@@ -0,0 +1,111 @@
+"use strict";
+/**
+ * 审计服务
+ * 负责记录和查询审计日志
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditService = void 0;
+const types_1 = require("../types");
+const audit_model_1 = require("../models/audit.model");
+class AuditService {
+    constructor(auditRepo) {
+        this.auditRepo = auditRepo;
+    }
+    /**
+     * 记录审计日志
+     */
+    async log(data) {
+        const log = (0, audit_model_1.createAuditLog)(data);
+        await this.auditRepo.insertOne(log);
+    }
+    /**
+     * 查询审计日志
+     */
+    async getAuditLogs(projectId, query) {
+        const result = await this.auditRepo.findAuditLogs(projectId, query);
+        return {
+            logs: result.logs,
+            total: result.total,
+            page: query.page || 1,
+            limit: query.limit || 50,
+        };
+    }
+    /**
+     * 获取最近的审计日志
+     */
+    async getRecentLogs(projectId, limit = 100) {
+        return await this.auditRepo.findRecentLogs(projectId, limit);
+    }
+    /**
+     * 统计失败登录次数
+     */
+    async countFailedLogins(projectId, userId, since) {
+        return await this.auditRepo.countFailedLogins(projectId, userId, since);
+    }
+    /**
+     * 记录项目创建
+     */
+    async logProjectCreated(projectId, userId, projectName, success) {
+        await this.log({
+            projectId,
+            userId,
+            action: types_1.AuditAction.CREATE_PROJECT,
+            resourceType: types_1.ResourceType.PROJECT,
+            resourceId: projectId,
+            details: {
+                keyName: projectName,
+                success,
+            },
+        });
+    }
+    /**
+     * 记录密钥创建
+     */
+    async logKeyCreated(projectId, userId, keyId, keyName, keyType, success) {
+        await this.log({
+            projectId,
+            userId,
+            action: types_1.AuditAction.CREATE_KEY,
+            resourceType: types_1.ResourceType.KEY,
+            resourceId: keyId,
+            details: {
+                keyName,
+                keyType,
+                success,
+            },
+        });
+    }
+    /**
+     * 记录密钥读取
+     */
+    async logKeyRead(projectId, userId, keyId, keyName, success) {
+        await this.log({
+            projectId,
+            userId,
+            action: types_1.AuditAction.READ_KEY,
+            resourceType: types_1.ResourceType.KEY,
+            resourceId: keyId,
+            details: {
+                keyName,
+                success,
+            },
+        });
+    }
+    /**
+     * 记录密钥删除
+     */
+    async logKeyDeleted(projectId, userId, keyId, keyName, success) {
+        await this.log({
+            projectId,
+            userId,
+            action: types_1.AuditAction.DELETE_KEY,
+            resourceType: types_1.ResourceType.KEY,
+            resourceId: keyId,
+            details: {
+                keyName,
+                success,
+            },
+        });
+    }
+}
+exports.AuditService = AuditService;

package/dist/cli/src/services/auth.service.js

@@ -0,0 +1,176 @@
+"use strict";
+/**
+ * 认证服务
+ * 负责用户认证和授权
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = void 0;
+const user_model_1 = require("../models/user.model");
+const bcrypt_1 = require("bcrypt");
+const crypto_1 = require("crypto");
+const types_1 = require("../types");
+const types_2 = require("../types");
+class AuthService {
+    constructor(userRepo, auditService) {
+        this.userRepo = userRepo;
+        this.auditService = auditService;
+    }
+    /**
+     * 创建用户
+     */
+    async createUser(projectId, creatorId, userData) {
+        // 验证用户数据
+        const validation = (0, user_model_1.validateUser)(userData);
+        if (!validation.valid) {
+            throw new types_1.ValidationError(validation.errors.join(', '));
+        }
+        // 检查用户名是否已存在
+        const existingUser = await this.userRepo.findByProjectAndUsername(projectId, userData.username);
+        if (existingUser) {
+            throw new types_1.ValidationError('Username already exists');
+        }
+        // 哈希密码
+        const passwordHash = await (0, bcrypt_1.hash)(userData.password, 10);
+        // 生成API密钥
+        const apiKey = this.generateApiKey();
+        const apiKeyHash = await (0, bcrypt_1.hash)(apiKey, 10);
+        const user = (0, user_model_1.createUser)(projectId, userData, passwordHash, apiKeyHash);
+        await this.userRepo.insertOne(user);
+        // 记录审计日志
+        await this.auditService.log({
+            projectId,
+            userId: creatorId,
+            action: types_2.AuditAction.CREATE_USER,
+            resourceType: types_2.ResourceType.USER,
+            resourceId: user.userId,
+            details: {
+                success: true,
+            },
+        });
+        // 返回用户信息（不包含敏感信息）和API密钥
+        return {
+            ...(0, user_model_1.toSafeUser)(user),
+            apiKey, // 仅在创建时返回一次
+        };
+    }
+    /**
+     * 用户登录
+     */
+    async login(projectId, credentials) {
+        const user = await this.userRepo.findByProjectAndUsername(projectId, credentials.username);
+        if (!user) {
+            await this.auditService.log({
+                projectId,
+                action: types_2.AuditAction.LOGIN_FAILED,
+                resourceType: types_2.ResourceType.USER,
+                resourceId: credentials.username,
+                details: {
+                    success: false,
+                    errorMessage: 'User not found',
+                },
+            });
+            return {
+                success: false,
+                error: 'Invalid username or password',
+            };
+        }
+        if (user.status !== 'active') {
+            await this.auditService.log({
+                projectId,
+                userId: user.userId,
+                action: types_2.AuditAction.LOGIN_FAILED,
+                resourceType: types_2.ResourceType.USER,
+                resourceId: user.userId,
+                details: {
+                    success: false,
+                    errorMessage: 'User account is not active',
+                },
+            });
+            return {
+                success: false,
+                error: 'User account is not active',
+            };
+        }
+        const passwordMatch = await (0, bcrypt_1.compare)(credentials.password, user.passwordHash);
+        if (!passwordMatch) {
+            await this.auditService.log({
+                projectId,
+                userId: user.userId,
+                action: types_2.AuditAction.LOGIN_FAILED,
+                resourceType: types_2.ResourceType.USER,
+                resourceId: user.userId,
+                details: {
+                    success: false,
+                    errorMessage: 'Invalid password',
+                },
+            });
+            return {
+                success: false,
+                error: 'Invalid username or password',
+            };
+        }
+        // 更新最后登录时间
+        await this.userRepo.updateLastLogin(user.userId);
+        // 记录审计日志
+        await this.auditService.log({
+            projectId,
+            userId: user.userId,
+            action: types_2.AuditAction.LOGIN,
+            resourceType: types_2.ResourceType.USER,
+            resourceId: user.userId,
+            details: {
+                success: true,
+            },
+        });
+        return {
+            success: true,
+            user: (0, user_model_1.toSafeUser)(user),
+        };
+    }
+    /**
+     * 使用API密钥认证
+     */
+    async authenticateWithApiKey(projectId, apiKey) {
+        // 查找所有用户并检查API密钥
+        const users = await this.userRepo.findByProjectId(projectId);
+        for (const user of users) {
+            if (user.apiKeyHash && await (0, bcrypt_1.compare)(apiKey, user.apiKeyHash)) {
+                if (user.status === 'active') {
+                    return user;
+                }
+            }
+        }
+        return null;
+    }
+    /**
+     * 验证用户凭证
+     */
+    async verifyCredentials(projectId, username, password) {
+        const result = await this.login(projectId, { username, password });
+        return result.success;
+    }
+    /**
+     * 生成API密钥
+     */
+    generateApiKey() {
+        const apiKeyPrefix = 'kms_';
+        const randomBytesBuffer = (0, crypto_1.randomBytes)(32);
+        const randomString = randomBytesBuffer.toString('hex');
+        return `${apiKeyPrefix}${randomString}`;
+    }
+    /**
+     * 轮换API密钥
+     */
+    async rotateApiKey(projectId, userId, targetUserId) {
+        const user = await this.userRepo.getByUserId(targetUserId);
+        if (user.projectId !== projectId) {
+            throw new types_1.ValidationError('User does not belong to this project');
+        }
+        // 生成新API密钥
+        const newApiKey = this.generateApiKey();
+        const newApiKeyHash = await (0, bcrypt_1.hash)(newApiKey, 10);
+        await this.userRepo.updateUser(targetUserId, { apiKeyHash: newApiKeyHash });
+        return newApiKey;
+    }
+}
+exports.AuthService = AuthService;