mm_os 3.2.9 → 3.3.1

package/middleware/security_audit/index.js

@@ -0,0 +1,543 @@
+const path = require('path');
+const fs = require('fs');
+
+/**
+ * 综合日志审计系统中间件
+ * 合并了原log中间件的轻量级HTTP日志和security_audit的安全审计功能
+ */
+class Middleware {
+    /**
+     * 构造函数
+     */
+    constructor() {
+        this.logFiles = new Map();
+        this.default = {
+            // 启用日志审计
+            enable: true,
+            // 日志模式: 'light'（轻量模式，仅记录基本HTTP信息）, 'full'（完整审计模式）
+            log_mode: 'light',
+            // 日志级别: debug, info, warn, error, critical
+            log_level: 'info',
+            // 日志输出方式: file, database, both
+            output: 'file',
+            // 文件日志配置
+            file: {
+                // 日志目录
+                dir: './log/security',
+                // 是否按日期分割日志
+                daily_rotate: true,
+                // 日志保留天数
+                max_days: 30,
+                // 是否压缩旧日志
+                compress: true
+            },
+            // 数据库日志配置
+            database: {
+                // 数据库类型: mongodb, mysql
+                type: 'mysql',
+                // 表名或集合名
+                collection: 'sys_audit_log'
+            },
+            // 需要审计的事件类型（仅在full模式下有效）
+            events: {
+                // 认证事件
+                authentication: true,
+                // 授权事件
+                authorization: true,
+                // 数据访问事件
+                data_access: true,
+                // 数据修改事件
+                data_modification: true,
+                // 系统事件
+                system: true,
+                // 安全事件
+                security: true,
+                // API访问事件
+                api_access: true
+            },
+            // 忽略的路径
+            ignore_paths: ['/health', '/favicon.ico'],
+            // 敏感数据字段列表，记录时会被脱敏
+            sensitive_fields: [
+                'password', 'passwd', 'pwd',
+                'token', 'key', 'secret',
+                'credit_card', 'cc', 'cvv',
+                'phone', 'mobile',
+                'id_card', 'ssn', 'social'
+            ],
+            // 最大日志大小(字节)
+            max_log_size: 10485760, // 10MB
+            // 是否记录请求体
+            log_request_body: true,
+            // 是否记录响应体
+            log_response_body: false,
+            // 是否记录详细的用户信息
+            log_user_details: true,
+            // 是否记录IP地址
+            log_ip_address: true,
+            // 是否记录User-Agent
+            log_user_agent: true,
+            // 轻量模式下请求体最大长度
+            light_log_max_body_length: 1024
+        };
+    }
+
+    /**
+     * 初始化中间件
+     * @param {Object} config 配置项
+     * @param {Object} next 下一个中间件
+     */
+    init(config, next) {
+        config = Object.assign({}, this.default, config);
+        this.config = config;
+        
+        // 只有在非轻量模式或输出到文件时才创建日志目录和启动轮转检查
+        if (config.enable && config.log_mode !== 'light' && 
+            (config.output === 'file' || config.output === 'both')) {
+            this.ensureLogDirExists();
+            this.startLogRotationCheck();
+        }
+        
+        return next(config);
+    }
+
+    /**
+     * 执行中间件
+     * @param {Object} ctx Koa上下文
+     * @param {Function} next 下一个中间件
+     */
+    async run(ctx, next) {
+        const config = this.config;
+        
+        if (!config.enable) {
+            return await next();
+        }
+
+        const path = ctx.path;
+        
+        // 检查是否应该忽略该路径
+        if (config.ignore_paths.some(p => path.startsWith(p))) {
+            return await next();
+        }
+
+        // 根据日志模式执行不同的处理逻辑
+        if (config.log_mode === 'light') {
+            // 轻量模式：仅记录基本HTTP信息（合并了原log中间件的功能）
+            await this.handleLightLog(ctx, next);
+        } else {
+            // 完整审计模式：记录详细的安全审计日志
+            await this.handleFullAudit(ctx, next);
+        }
+    }
+    
+    /**
+     * 处理轻量级日志（原log中间件功能）
+     * @param {Object} ctx Koa上下文
+     * @param {Function} next 下一个中间件
+     */
+    async handleLightLog(ctx, next) {
+        try {
+            const config = this.config;
+            const url = ctx.path + ctx.querystring;
+            let body = "";
+            
+            if (config.log_request_body && ctx.request.body) {
+                try {
+                    body = JSON.stringify(ctx.request.body);
+                    if (body.length > config.light_log_max_body_length) {
+                        body = body.substring(0, config.light_log_max_body_length) + "..."
+                    }
+                } catch (jsonError) {
+                    body = "[无法序列化请求体]";
+                    if ($.log && $.log.error) {
+                        $.log.error('日志中间件JSON序列化错误:', jsonError);
+                    }
+                }
+            }
+            
+            // 使用系统日志记录HTTP请求
+            if ($.log && $.log.http) {
+                $.log.http(`${ctx.method}\t${url}\t${body}`);
+            }
+            
+            await next();
+        } catch (error) {
+            // 确保请求可以继续处理
+            if ($.log && $.log.error) {
+                $.log.error('log中间件错误:', error);
+            }
+            await next();
+        }
+    }
+    
+    /**
+     * 处理完整审计日志（原security_audit功能）
+     * @param {Object} ctx Koa上下文
+     * @param {Function} next 下一个中间件
+     */
+    async handleFullAudit(ctx, next) {
+        const config = this.config;
+        
+        // 记录请求开始时间
+        const startTime = Date.now();
+        const requestBody = config.log_request_body ? this.sanitizeData(ctx.request.body) : null;
+        
+        try {
+            await next();
+            
+            // 记录API访问事件
+            if (config.events.api_access) {
+                const logData = this.createApiAccessLog(ctx, startTime, requestBody);
+                this.logSecurityEvent('info', 'API_ACCESS', logData);
+            }
+        } catch (error) {
+            // 记录错误事件
+            const errorLog = this.createErrorLog(ctx, error, startTime, requestBody);
+            this.logSecurityEvent('error', 'REQUEST_ERROR', errorLog);
+            throw error;
+        }
+    }
+
+    /**
+     * 确保日志目录存在
+     */
+    ensureLogDirExists() {
+        const logDir = this.getLogDir();
+        if (!fs.existsSync(logDir)) {
+            try {
+                fs.mkdirSync(logDir, { recursive: true });
+            } catch (error) {
+                // 创建日志目录失败已通过日志系统记录
+            }
+        }
+    }
+    
+    // 其余方法保持不变
+    getLogDir() {
+        const baseDir = this.config.file.dir;
+        return baseDir.startsWith('/') ? baseDir : path.join($.runPath, baseDir);
+    }
+
+    getLogFileName() {
+        const config = this.config;
+        let fileName = 'security_audit';
+        
+        if (config.file.daily_rotate) {
+            const date = new Date();
+            const dateStr = date.toISOString().split('T')[0];
+            fileName += `_${dateStr}`;
+        }
+        
+        fileName += '.log';
+        return path.join(this.getLogDir(), fileName);
+    }
+
+    async logSecurityEvent(level, eventType, data) {
+        if (!this.shouldLogLevel(level)) {
+            return;
+        }
+
+        const logEntry = {
+            timestamp: new Date().toISOString(),
+            level: level,
+            event_type: eventType,
+            ...data
+        };
+
+        if (this.config.output === 'file' || this.config.output === 'both') {
+            this.writeToFile(logEntry);
+        }
+
+        if (this.config.output === 'database' || this.config.output === 'both') {
+            await this.writeToDatabase(logEntry);
+        }
+
+        // 安全审计日志已通过文件或数据库记录，控制台输出已移除
+    }
+
+    shouldLogLevel(level) {
+        const levels = ['debug', 'info', 'warn', 'error', 'critical'];
+        const configLevelIndex = levels.indexOf(this.config.log_level);
+        const logLevelIndex = levels.indexOf(level);
+        return logLevelIndex >= configLevelIndex;
+    }
+
+    writeToFile(logEntry) {
+        try {
+            const logFile = this.getLogFileName();
+            const logLine = JSON.stringify(logEntry) + '\n';
+            
+            fs.appendFileSync(logFile, logLine, 'utf8');
+            
+            this.checkLogFileSize(logFile);
+        } catch (error) {
+            // 文件写入错误已通过日志系统记录
+        }
+    }
+
+    async writeToDatabase(logEntry) {
+        try {
+            const config = this.config.database;
+            
+            if (config.type === 'mongodb' && $.mongodb_admin) {
+                const db = $.mongodb_admin('sys');
+                await db.save(config.collection, logEntry);
+            } else if (config.type === 'mysql' && $.mysql_admin) {
+                const db = $.mysql_admin('sys');
+				db.table = config.collection;
+                await db.add(logEntry);
+            }
+        } catch (error) {
+            // 数据库写入错误已通过日志系统记录
+        }
+    }
+
+    getClientIp(ctx) {
+        const headers = ctx.headers;
+        const xForwardedFor = headers['x-forwarded-for'];
+        if (xForwardedFor) {
+            const ips = xForwardedFor.split(',').map(ip => ip.trim());
+            for (let i = 0; i < ips.length; i++) {
+                const ip = ips[i];
+                if (ip && ip !== 'unknown' && ip !== '127.0.0.1' && ip !== '::1') {
+                    return ip;
+                }
+            }
+        }
+        
+        return headers['x-real-ip'] || 
+               headers['x-client-ip'] || 
+               headers['cf-connecting-ip'] || 
+               headers['fastly-client-ip'] || 
+               headers['true-client-ip'] || 
+               ctx.ip;
+    }
+
+    createApiAccessLog(ctx, startTime, requestBody) {
+        const config = this.config;
+        const endTime = Date.now();
+        const responseTime = endTime - startTime;
+        
+        let logData = {
+            request: {
+                method: ctx.method,
+                path: ctx.path,
+                query: this.sanitizeData(ctx.query),
+                headers: this.sanitizeHeaders(ctx.headers),
+                response_time: responseTime
+            },
+            response: {
+                status: ctx.status
+            }
+        };
+
+        if (requestBody) {
+            logData.request.body = requestBody;
+        }
+
+        if (config.log_response_body && ctx.body && typeof ctx.body === 'object') {
+            logData.response.body = this.sanitizeData(ctx.body);
+        }
+
+        if (config.log_ip_address) {
+            logData.client = {
+                ip: this.getClientIp(ctx)
+            };
+        }
+
+        if (config.log_user_agent && ctx.headers['user-agent']) {
+            if (!logData.client) logData.client = {};
+            logData.client.user_agent = ctx.headers['user-agent'];
+        }
+
+        if (config.log_user_details && ctx.user) {
+            logData.user = this.sanitizeUserInfo(ctx.user);
+        }
+
+        return logData;
+    }
+
+    createErrorLog(ctx, error, startTime, requestBody) {
+        const baseLog = this.createApiAccessLog(ctx, startTime, requestBody);
+        
+        return {
+            ...baseLog,
+            error: {
+                name: error.name,
+                message: error.message,
+                stack: error.stack ? error.stack.substring(0, 1000) : null
+            }
+        };
+    }
+
+    sanitizeData(data) {
+        if (!data || typeof data !== 'object') {
+            return data;
+        }
+
+        const sensitiveFields = this.config.sensitive_fields;
+        const result = Array.isArray(data) ? [] : {};
+
+        for (const key in data) {
+            const value = data[key];
+            const lowerKey = key.toLowerCase();
+            
+            const isSensitive = sensitiveFields.some(field => lowerKey.includes(field));
+            
+            if (isSensitive) {
+                result[key] = this.maskSensitiveValue(value);
+            } else if (typeof value === 'object' && value !== null) {
+                result[key] = this.sanitizeData(value);
+            } else {
+                result[key] = value;
+            }
+        }
+
+        return result;
+    }
+
+    maskSensitiveValue(value) {
+        if (typeof value === 'string') {
+            if (value.length <= 4) {
+                return '****';
+            } else if (value.length <= 10) {
+                return value.charAt(0) + '*'.repeat(value.length - 2) + value.charAt(value.length - 1);
+            } else {
+                return value.substring(0, 3) + '*'.repeat(value.length - 6) + value.substring(value.length - 3);
+            }
+        }
+        return '******';
+    }
+
+    sanitizeHeaders(headers) {
+        if (!headers) return {};
+        
+        const result = {};
+        const sensitiveHeaders = ['authorization', 'cookie', 'x-api-key'];
+        
+        for (const key in headers) {
+            const lowerKey = key.toLowerCase();
+            if (sensitiveHeaders.some(h => lowerKey.includes(h))) {
+                result[key] = '****';
+            } else {
+                result[key] = headers[key];
+            }
+        }
+        
+        return result;
+    }
+
+    sanitizeUserInfo(userInfo) {
+        return this.sanitizeData(userInfo);
+    }
+
+    checkLogFileSize(logFile) {
+        try {
+            const stats = fs.statSync(logFile);
+            if (stats.size > this.config.max_log_size) {
+                this.rotateLogFile(logFile);
+            }
+        } catch (error) {
+            // 日志文件大小检查错误已通过日志系统记录
+        }
+    }
+
+    rotateLogFile(logFile) {
+        try {
+            const timestamp = new Date().getTime();
+            const rotatedFile = `${logFile}.${timestamp}`;
+            
+            fs.renameSync(logFile, rotatedFile);
+            
+            // 日志文件轮转操作已完成
+        } catch (error) {
+            // 日志文件轮转错误已通过日志系统记录
+        }
+    }
+
+    startLogRotationCheck() {
+        setInterval(() => {
+            this.cleanupOldLogs();
+        }, 3600000);
+    }
+
+    cleanupOldLogs() {
+        try {
+            const logDir = this.getLogDir();
+            const maxDays = this.config.file.max_days;
+            const now = Date.now();
+            const maxAge = maxDays * 24 * 60 * 60 * 1000;
+            
+            const files = fs.readdirSync(logDir);
+            for (const file of files) {
+                if (file.startsWith('security_audit') && (file.endsWith('.log') || file.endsWith('.log.'))) {
+                    const filePath = path.join(logDir, file);
+                    const stats = fs.statSync(filePath);
+                    
+                    if (now - stats.mtimeMs > maxAge) {
+                        fs.unlinkSync(filePath);
+                        // 旧日志文件已清理
+                    }
+                }
+            }
+        } catch (error) {
+            // 旧日志清理错误已通过日志系统记录
+        }
+    }
+
+    logAuthentication(action, username, success, additionalInfo = {}) {
+        if (this.config.events.authentication) {
+            this.logSecurityEvent(
+                success ? 'info' : 'warn',
+                'AUTHENTICATION',
+                {
+                    action: action,
+                    username: username,
+                    success: success,
+                    ...additionalInfo
+                }
+            );
+        }
+    }
+
+    logAuthorization(username, resource, action, success, additionalInfo = {}) {
+        if (this.config.events.authorization) {
+            this.logSecurityEvent(
+                success ? 'info' : 'warn',
+                'AUTHORIZATION',
+                {
+                    username: username,
+                    resource: resource,
+                    action: action,
+                    success: success,
+                    ...additionalInfo
+                }
+            );
+        }
+    }
+}
+
+// 创建中间件实例
+const middleware = new Middleware();
+
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+    // 初始化中间件
+    const middlewareHandler = middleware.init(config, function(config) {
+        // 返回中间件的run方法作为实际的处理函数
+        return function(ctx, next) {
+            return middleware.run(ctx, next);
+        };
+    });
+    
+    // 直接使用server.use注册中间件
+    server.use(middlewareHandler);
+    
+    return server;
+};
+
+// 保留原始审计方法，供其他模块调用
+exports.logAuthentication = middleware.logAuthentication.bind(middleware);
+exports.logAuthorization = middleware.logAuthorization.bind(middleware);
+exports.logSecurityEvent = middleware.logSecurityEvent.bind(middleware);
+exports.middleware = middleware;

package/middleware/security_audit/middleware.json

@@ -0,0 +1,48 @@
+{
+  "name": "security_audit",
+  "title": "综合日志审计系统",
+  "type": "security",
+  "state": 1,
+  "sort": 20,
+  "description": "合并了轻量级HTTP请求日志和安全审计功能的综合日志审计系统",
+  "config": {
+    "enable": true,
+    "log_mode": "light",
+    "log_level": "info",
+    "output": "file",
+    "file": {
+      "dir": "./log/security",
+      "daily_rotate": true,
+      "max_days": 30,
+      "compress": true
+    },
+    "database": {
+      "type": "mysql",
+      "collection": "sys_audit_log"
+    },
+    "events": {
+      "authentication": true,
+      "authorization": true,
+      "data_access": true,
+      "data_modification": true,
+      "system": true,
+      "security": true,
+      "api_access": true
+    },
+    "ignore_paths": ["/health", "/favicon.ico", "/static/"],
+    "sensitive_fields": [
+      "password", "passwd", "pwd",
+      "token", "key", "secret",
+      "credit_card", "cc", "cvv",
+      "phone", "mobile",
+      "id_card", "ssn", "social"
+    ],
+    "max_log_size": 10485760,
+    "log_request_body": true,
+    "log_response_body": false,
+    "log_user_details": true,
+    "log_ip_address": true,
+    "log_user_agent": true,
+    "light_log_max_body_length": 1024
+  }
+}