mm_os 3.3.0 → 4.0.0

package/middleware/security_audit/index.js

@@ -1,549 +0,0 @@
-const mm_expand = require('mm_expand');
-const path = require('path');
-const fs = require('fs');
-
-/**
- * 综合日志审计系统中间件
- * 合并了原log中间件的轻量级HTTP日志和security_audit的安全审计功能
- */
-class Middleware {
-    /**
-     * 构造函数
-     */
-    constructor() {
-        this.logFiles = new Map();
-        this.default = {
-            // 启用日志审计
-            enable: true,
-            // 日志模式: 'light'（轻量模式，仅记录基本HTTP信息）, 'full'（完整审计模式）
-            log_mode: 'light',
-            // 日志级别: debug, info, warn, error, critical
-            log_level: 'info',
-            // 日志输出方式: file, database, both
-            output: 'file',
-            // 文件日志配置
-            file: {
-                // 日志目录
-                dir: './log/security',
-                // 是否按日期分割日志
-                daily_rotate: true,
-                // 日志保留天数
-                max_days: 30,
-                // 是否压缩旧日志
-                compress: true
-            },
-            // 数据库日志配置
-            database: {
-                // 数据库类型: mongodb, mysql
-                type: 'mongodb',
-                // 表名或集合名
-                collection: 'security_audit_logs'
-            },
-            // 需要审计的事件类型（仅在full模式下有效）
-            events: {
-                // 认证事件
-                authentication: true,
-                // 授权事件
-                authorization: true,
-                // 数据访问事件
-                data_access: true,
-                // 数据修改事件
-                data_modification: true,
-                // 系统事件
-                system: true,
-                // 安全事件
-                security: true,
-                // API访问事件
-                api_access: true
-            },
-            // 忽略的路径
-            ignore_paths: ['/health', '/favicon.ico'],
-            // 敏感数据字段列表，记录时会被脱敏
-            sensitive_fields: [
-                'password', 'passwd', 'pwd',
-                'token', 'key', 'secret',
-                'credit_card', 'cc', 'cvv',
-                'phone', 'mobile',
-                'id_card', 'ssn', 'social'
-            ],
-            // 最大日志大小(字节)
-            max_log_size: 10485760, // 10MB
-            // 是否记录请求体
-            log_request_body: true,
-            // 是否记录响应体
-            log_response_body: false,
-            // 是否记录详细的用户信息
-            log_user_details: true,
-            // 是否记录IP地址
-            log_ip_address: true,
-            // 是否记录User-Agent
-            log_user_agent: true,
-            // 轻量模式下请求体最大长度
-            light_log_max_body_length: 1024
-        };
-    }
-
-    /**
-     * 初始化中间件
-     * @param {Object} config 配置项
-     * @param {Object} next 下一个中间件
-     */
-    init(config, next) {
-        config = Object.assign({}, this.default, config);
-        this.config = config;
-        
-        // 只有在非轻量模式或输出到文件时才创建日志目录和启动轮转检查
-        if (config.enable && config.log_mode !== 'light' && 
-            (config.output === 'file' || config.output === 'both')) {
-            this.ensureLogDirExists();
-            this.startLogRotationCheck();
-        }
-        
-        return next(config);
-    }
-
-    /**
-     * 执行中间件
-     * @param {Object} ctx Koa上下文
-     * @param {Function} next 下一个中间件
-     */
-    async run(ctx, next) {
-        const config = this.config;
-        
-        if (!config.enable) {
-            return await next();
-        }
-
-        const path = ctx.path;
-        
-        // 检查是否应该忽略该路径
-        if (config.ignore_paths.some(p => path.startsWith(p))) {
-            return await next();
-        }
-
-        // 根据日志模式执行不同的处理逻辑
-        if (config.log_mode === 'light') {
-            // 轻量模式：仅记录基本HTTP信息（合并了原log中间件的功能）
-            await this.handleLightLog(ctx, next);
-        } else {
-            // 完整审计模式：记录详细的安全审计日志
-            await this.handleFullAudit(ctx, next);
-        }
-    }
-    
-    /**
-     * 处理轻量级日志（原log中间件功能）
-     * @param {Object} ctx Koa上下文
-     * @param {Function} next 下一个中间件
-     */
-    async handleLightLog(ctx, next) {
-        try {
-            const config = this.config;
-            const url = ctx.path + ctx.querystring;
-            let body = "";
-            
-            if (config.log_request_body && ctx.request.body) {
-                try {
-                    body = JSON.stringify(ctx.request.body);
-                    if (body.length > config.light_log_max_body_length) {
-                        body = body.substring(0, config.light_log_max_body_length) + "..."
-                    }
-                } catch (jsonError) {
-                    body = "[无法序列化请求体]";
-                    if ($.log && $.log.error) {
-                        $.log.error('日志中间件JSON序列化错误:', jsonError);
-                    }
-                }
-            }
-            
-            // 使用系统日志记录HTTP请求
-            if ($.log && $.log.http) {
-                $.log.http(`${ctx.method}\t${url}\t${body}`);
-            }
-            
-            await next();
-        } catch (error) {
-            // 确保请求可以继续处理
-            if ($.log && $.log.error) {
-                $.log.error('log中间件错误:', error);
-            }
-            await next();
-        }
-    }
-    
-    /**
-     * 处理完整审计日志（原security_audit功能）
-     * @param {Object} ctx Koa上下文
-     * @param {Function} next 下一个中间件
-     */
-    async handleFullAudit(ctx, next) {
-        const config = this.config;
-        
-        // 记录请求开始时间
-        const startTime = Date.now();
-        const requestBody = config.log_request_body ? this.sanitizeData(ctx.request.body) : null;
-        
-        try {
-            await next();
-            
-            // 记录API访问事件
-            if (config.events.api_access) {
-                const logData = this.createApiAccessLog(ctx, startTime, requestBody);
-                this.logSecurityEvent('info', 'API_ACCESS', logData);
-            }
-        } catch (error) {
-            // 记录错误事件
-            const errorLog = this.createErrorLog(ctx, error, startTime, requestBody);
-            this.logSecurityEvent('error', 'REQUEST_ERROR', errorLog);
-            throw error;
-        }
-    }
-
-    /**
-     * 确保日志目录存在
-     */
-    ensureLogDirExists() {
-        const logDir = this.getLogDir();
-        if (!fs.existsSync(logDir)) {
-            try {
-                fs.mkdirSync(logDir, { recursive: true });
-            } catch (error) {
-                console.error('Failed to create log directory:', error);
-            }
-        }
-    }
-    
-    // 其余方法保持不变
-    getLogDir() {
-        const baseDir = this.config.file.dir;
-        return baseDir.startsWith('/') ? baseDir : path.join($.runPath, baseDir);
-    }
-
-    getLogFileName() {
-        const config = this.config;
-        let fileName = 'security_audit';
-        
-        if (config.file.daily_rotate) {
-            const date = new Date();
-            const dateStr = date.toISOString().split('T')[0];
-            fileName += `_${dateStr}`;
-        }
-        
-        fileName += '.log';
-        return path.join(this.getLogDir(), fileName);
-    }
-
-    async logSecurityEvent(level, eventType, data) {
-        if (!this.shouldLogLevel(level)) {
-            return;
-        }
-
-        const logEntry = {
-            timestamp: new Date().toISOString(),
-            level: level,
-            event_type: eventType,
-            ...data
-        };
-
-        if (this.config.output === 'file' || this.config.output === 'both') {
-            this.writeToFile(logEntry);
-        }
-
-        if (this.config.output === 'database' || this.config.output === 'both') {
-            await this.writeToDatabase(logEntry);
-        }
-
-        if (level === 'error' || level === 'critical') {
-            console.error('SECURITY AUDIT:', JSON.stringify(logEntry));
-        } else if (level === 'warn') {
-            console.warn('SECURITY AUDIT:', JSON.stringify(logEntry));
-        }
-    }
-
-    shouldLogLevel(level) {
-        const levels = ['debug', 'info', 'warn', 'error', 'critical'];
-        const configLevelIndex = levels.indexOf(this.config.log_level);
-        const logLevelIndex = levels.indexOf(level);
-        return logLevelIndex >= configLevelIndex;
-    }
-
-    writeToFile(logEntry) {
-        try {
-            const logFile = this.getLogFileName();
-            const logLine = JSON.stringify(logEntry) + '\n';
-            
-            fs.appendFileSync(logFile, logLine, 'utf8');
-            
-            this.checkLogFileSize(logFile);
-        } catch (error) {
-            console.error('Failed to write security log to file:', error);
-        }
-    }
-
-    async writeToDatabase(logEntry) {
-        try {
-            const config = this.config.database;
-            
-            if (config.type === 'mongodb' && $.mongodb_admin) {
-                const db = $.mongodb_admin('sys');
-                await db.save(config.collection, logEntry);
-            } else if (config.type === 'mysql' && $.mysql_admin) {
-                const db = $.mysql_admin('sys');
-                await db.insert(config.collection, logEntry);
-            }
-        } catch (error) {
-            console.error('Failed to write security log to database:', error);
-        }
-    }
-
-    getClientIp(ctx) {
-        const headers = ctx.headers;
-        const xForwardedFor = headers['x-forwarded-for'];
-        if (xForwardedFor) {
-            const ips = xForwardedFor.split(',').map(ip => ip.trim());
-            for (let i = 0; i < ips.length; i++) {
-                const ip = ips[i];
-                if (ip && ip !== 'unknown' && ip !== '127.0.0.1' && ip !== '::1') {
-                    return ip;
-                }
-            }
-        }
-        
-        return headers['x-real-ip'] || 
-               headers['x-client-ip'] || 
-               headers['cf-connecting-ip'] || 
-               headers['fastly-client-ip'] || 
-               headers['true-client-ip'] || 
-               ctx.ip;
-    }
-
-    createApiAccessLog(ctx, startTime, requestBody) {
-        const config = this.config;
-        const endTime = Date.now();
-        const responseTime = endTime - startTime;
-        
-        let logData = {
-            request: {
-                method: ctx.method,
-                path: ctx.path,
-                query: this.sanitizeData(ctx.query),
-                headers: this.sanitizeHeaders(ctx.headers),
-                response_time: responseTime
-            },
-            response: {
-                status: ctx.status
-            }
-        };
-
-        if (requestBody) {
-            logData.request.body = requestBody;
-        }
-
-        if (config.log_response_body && ctx.body && typeof ctx.body === 'object') {
-            logData.response.body = this.sanitizeData(ctx.body);
-        }
-
-        if (config.log_ip_address) {
-            logData.client = {
-                ip: this.getClientIp(ctx)
-            };
-        }
-
-        if (config.log_user_agent && ctx.headers['user-agent']) {
-            if (!logData.client) logData.client = {};
-            logData.client.user_agent = ctx.headers['user-agent'];
-        }
-
-        if (config.log_user_details && ctx.user) {
-            logData.user = this.sanitizeUserInfo(ctx.user);
-        }
-
-        return logData;
-    }
-
-    createErrorLog(ctx, error, startTime, requestBody) {
-        const baseLog = this.createApiAccessLog(ctx, startTime, requestBody);
-        
-        return {
-            ...baseLog,
-            error: {
-                name: error.name,
-                message: error.message,
-                stack: error.stack ? error.stack.substring(0, 1000) : null
-            }
-        };
-    }
-
-    sanitizeData(data) {
-        if (!data || typeof data !== 'object') {
-            return data;
-        }
-
-        const sensitiveFields = this.config.sensitive_fields;
-        const result = Array.isArray(data) ? [] : {};
-
-        for (const key in data) {
-            const value = data[key];
-            const lowerKey = key.toLowerCase();
-            
-            const isSensitive = sensitiveFields.some(field => lowerKey.includes(field));
-            
-            if (isSensitive) {
-                result[key] = this.maskSensitiveValue(value);
-            } else if (typeof value === 'object' && value !== null) {
-                result[key] = this.sanitizeData(value);
-            } else {
-                result[key] = value;
-            }
-        }
-
-        return result;
-    }
-
-    maskSensitiveValue(value) {
-        if (typeof value === 'string') {
-            if (value.length <= 4) {
-                return '****';
-            } else if (value.length <= 10) {
-                return value.charAt(0) + '*'.repeat(value.length - 2) + value.charAt(value.length - 1);
-            } else {
-                return value.substring(0, 3) + '*'.repeat(value.length - 6) + value.substring(value.length - 3);
-            }
-        }
-        return '******';
-    }
-
-    sanitizeHeaders(headers) {
-        if (!headers) return {};
-        
-        const result = {};
-        const sensitiveHeaders = ['authorization', 'cookie', 'x-api-key'];
-        
-        for (const key in headers) {
-            const lowerKey = key.toLowerCase();
-            if (sensitiveHeaders.some(h => lowerKey.includes(h))) {
-                result[key] = '****';
-            } else {
-                result[key] = headers[key];
-            }
-        }
-        
-        return result;
-    }
-
-    sanitizeUserInfo(userInfo) {
-        return this.sanitizeData(userInfo);
-    }
-
-    checkLogFileSize(logFile) {
-        try {
-            const stats = fs.statSync(logFile);
-            if (stats.size > this.config.max_log_size) {
-                this.rotateLogFile(logFile);
-            }
-        } catch (error) {
-            console.error('Failed to check log file size:', error);
-        }
-    }
-
-    rotateLogFile(logFile) {
-        try {
-            const timestamp = new Date().getTime();
-            const rotatedFile = `${logFile}.${timestamp}`;
-            
-            fs.renameSync(logFile, rotatedFile);
-            
-            if (this.config.file.compress) {
-                console.log(`Log file rotated: ${rotatedFile}`);
-            }
-        } catch (error) {
-            console.error('Failed to rotate log file:', error);
-        }
-    }
-
-    startLogRotationCheck() {
-        setInterval(() => {
-            this.cleanupOldLogs();
-        }, 3600000);
-    }
-
-    cleanupOldLogs() {
-        try {
-            const logDir = this.getLogDir();
-            const maxDays = this.config.file.max_days;
-            const now = Date.now();
-            const maxAge = maxDays * 24 * 60 * 60 * 1000;
-            
-            const files = fs.readdirSync(logDir);
-            for (const file of files) {
-                if (file.startsWith('security_audit') && (file.endsWith('.log') || file.endsWith('.log.'))) {
-                    const filePath = path.join(logDir, file);
-                    const stats = fs.statSync(filePath);
-                    
-                    if (now - stats.mtimeMs > maxAge) {
-                        fs.unlinkSync(filePath);
-                        console.log(`Old log file deleted: ${filePath}`);
-                    }
-                }
-            }
-        } catch (error) {
-            console.error('Failed to cleanup old logs:', error);
-        }
-    }
-
-    logAuthentication(action, username, success, additionalInfo = {}) {
-        if (this.config.events.authentication) {
-            this.logSecurityEvent(
-                success ? 'info' : 'warn',
-                'AUTHENTICATION',
-                {
-                    action: action,
-                    username: username,
-                    success: success,
-                    ...additionalInfo
-                }
-            );
-        }
-    }
-
-    logAuthorization(username, resource, action, success, additionalInfo = {}) {
-        if (this.config.events.authorization) {
-            this.logSecurityEvent(
-                success ? 'info' : 'warn',
-                'AUTHORIZATION',
-                {
-                    username: username,
-                    resource: resource,
-                    action: action,
-                    success: success,
-                    ...additionalInfo
-                }
-            );
-        }
-    }
-}
-
-// 创建中间件实例
-const middleware = new Middleware();
-
-// 导出符合系统期望的函数
-exports = module.exports = function(server, config) {
-    // 初始化中间件
-    const middlewareHandler = middleware.init(config, function(config) {
-        // 返回中间件的run方法作为实际的处理函数
-        return function(ctx, next) {
-            return middleware.run(ctx, next);
-        };
-    });
-    
-    // 直接使用server.use注册中间件
-    server.use(middlewareHandler);
-    
-    return server;
-};
-
-// 保留原始审计方法，供其他模块调用
-exports.logAuthentication = middleware.logAuthentication.bind(middleware);
-exports.logAuthorization = middleware.logAuthorization.bind(middleware);
-exports.logSecurityEvent = middleware.logSecurityEvent.bind(middleware);
-exports.middleware = middleware;

package/middleware/security_audit/middleware.json

@@ -1,48 +0,0 @@
-{
-  "name": "security_audit",
-  "title": "综合日志审计系统",
-  "type": "security",
-  "status": 1,
-  "sort": 20,
-  "description": "合并了轻量级HTTP请求日志和安全审计功能的综合日志审计系统",
-  "config": {
-    "enable": true,
-    "log_mode": "light",
-    "log_level": "info",
-    "output": "file",
-    "file": {
-      "dir": "./log/security",
-      "daily_rotate": true,
-      "max_days": 30,
-      "compress": true
-    },
-    "database": {
-      "type": "mongodb",
-      "collection": "security_audit_logs"
-    },
-    "events": {
-      "authentication": true,
-      "authorization": true,
-      "data_access": true,
-      "data_modification": true,
-      "system": true,
-      "security": true,
-      "api_access": true
-    },
-    "ignore_paths": ["/health", "/favicon.ico", "/static/"],
-    "sensitive_fields": [
-      "password", "passwd", "pwd",
-      "token", "key", "secret",
-      "credit_card", "cc", "cvv",
-      "phone", "mobile",
-      "id_card", "ssn", "social"
-    ],
-    "max_log_size": 10485760,
-    "log_request_body": true,
-    "log_response_body": false,
-    "log_user_details": true,
-    "log_ip_address": true,
-    "log_user_agent": true,
-    "light_log_max_body_length": 1024
-  }
-}