fix(security): Q2 Chunk 1 — 密钥外部化与启动强制检查
- default.toml 敏感值改为占位符,强制通过环境变量注入 - 启动时拒绝默认 JWT 密钥和数据库 URL - 移除 super_admin_password 硬编码 fallback - 移除 From<AppError> for AuthError 反向映射,5 处调用点改为显式 map_err - .gitignore 添加 .test_token 和测试产物
This commit is contained in:
iven
10
.gitignore
vendored
10
.gitignore
vendored
@@ -25,3 +25,13 @@ Thumbs.db
|
||||
# Docker data
|
||||
docker/postgres_data/
|
||||
docker/redis_data/
|
||||
|
||||
# Test artifacts
|
||||
.test_token
|
||||
*.heapsnapshot
|
||||
perf-trace-*.json
|
||||
docs/debug-*.png
|
||||
|
||||
# Development env
|
||||
.env.development
|
||||
docker/docker-compose.override.yml
|
||||
|
||||
@@ -43,15 +43,6 @@ impl From<AuthError> for AppError {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<AppError> for AuthError {
|
||||
fn from(err: AppError) -> Self {
|
||||
match err {
|
||||
AppError::VersionMismatch => AuthError::VersionMismatch,
|
||||
other => AuthError::Validation(other.to_string()),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub type AuthResult<T> = Result<T, AuthError>;
|
||||
|
||||
#[cfg(test)]
|
||||
@@ -104,28 +95,4 @@ mod tests {
|
||||
}
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn auth_error_version_mismatch_roundtrip() {
|
||||
// AuthError::VersionMismatch -> AppError::VersionMismatch -> AuthError::VersionMismatch
|
||||
let app: AppError = AuthError::VersionMismatch.into();
|
||||
match app {
|
||||
AppError::VersionMismatch => {}
|
||||
other => panic!("Expected VersionMismatch, got {:?}", other),
|
||||
}
|
||||
// And back
|
||||
let auth: AuthError = AppError::VersionMismatch.into();
|
||||
match auth {
|
||||
AuthError::VersionMismatch => {}
|
||||
other => panic!("Expected VersionMismatch, got {:?}", other),
|
||||
}
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn app_error_other_maps_to_auth_validation() {
|
||||
let auth: AuthError = AppError::NotFound("not found".to_string()).into();
|
||||
match auth {
|
||||
AuthError::Validation(msg) => assert!(msg.contains("not found")),
|
||||
other => panic!("Expected Validation, got {:?}", other),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -147,7 +147,12 @@ impl ErpModule for AuthModule {
|
||||
_event_bus: &EventBus,
|
||||
) -> AppResult<()> {
|
||||
let password = std::env::var("ERP__SUPER_ADMIN_PASSWORD")
|
||||
.unwrap_or_else(|_| "Admin@2026".to_string());
|
||||
.map_err(|_| {
|
||||
tracing::error!("环境变量 ERP__SUPER_ADMIN_PASSWORD 未设置,无法初始化租户认证");
|
||||
erp_core::error::AppError::Internal(
|
||||
"ERP__SUPER_ADMIN_PASSWORD 未设置".to_string(),
|
||||
)
|
||||
})?;
|
||||
crate::service::seed::seed_tenant_auth(db, tenant_id, &password)
|
||||
.await
|
||||
.map_err(|e| erp_core::error::AppError::Internal(e.to_string()))?;
|
||||
|
||||
@@ -190,7 +190,8 @@ impl DeptService {
|
||||
}
|
||||
}
|
||||
|
||||
let next_ver = check_version(req.version, model.version)?;
|
||||
let next_ver = check_version(req.version, model.version)
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
|
||||
let mut active: department::ActiveModel = model.into();
|
||||
|
||||
|
||||
@@ -173,7 +173,8 @@ impl OrgService {
|
||||
}
|
||||
}
|
||||
|
||||
let next_ver = check_version(req.version, model.version)?;
|
||||
let next_ver = check_version(req.version, model.version)
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
|
||||
let mut active: organization::ActiveModel = model.into();
|
||||
|
||||
|
||||
@@ -165,7 +165,8 @@ impl PositionService {
|
||||
}
|
||||
}
|
||||
|
||||
let next_ver = check_version(req.version, model.version)?;
|
||||
let next_ver = check_version(req.version, model.version)
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
|
||||
let mut active: position::ActiveModel = model.into();
|
||||
|
||||
|
||||
@@ -171,7 +171,8 @@ impl RoleService {
|
||||
.filter(|r| r.tenant_id == tenant_id && r.deleted_at.is_none())
|
||||
.ok_or_else(|| AuthError::Validation("角色不存在".to_string()))?;
|
||||
|
||||
let next_ver = check_version(version, model.version)?;
|
||||
let next_ver = check_version(version, model.version)
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
|
||||
let mut active: role::ActiveModel = model.into();
|
||||
|
||||
|
||||
@@ -200,7 +200,8 @@ impl UserService {
|
||||
.filter(|u| u.tenant_id == tenant_id && u.deleted_at.is_none())
|
||||
.ok_or_else(|| AuthError::Validation("用户不存在".to_string()))?;
|
||||
|
||||
let next_ver = check_version(req.version, user_model.version)?;
|
||||
let next_ver = check_version(req.version, user_model.version)
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
|
||||
let mut active: user::ActiveModel = user_model.into();
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ host = "0.0.0.0"
|
||||
port = 3000
|
||||
|
||||
[database]
|
||||
url = "postgres://erp:erp_dev_2024@localhost:5432/erp"
|
||||
url = "__MUST_SET_VIA_ENV__"
|
||||
max_connections = 20
|
||||
min_connections = 5
|
||||
|
||||
@@ -11,12 +11,12 @@ min_connections = 5
|
||||
url = "redis://localhost:6379"
|
||||
|
||||
[jwt]
|
||||
secret = "change-me-in-production"
|
||||
secret = "__MUST_SET_VIA_ENV__"
|
||||
access_token_ttl = "15m"
|
||||
refresh_token_ttl = "7d"
|
||||
|
||||
[auth]
|
||||
super_admin_password = "Admin@2026"
|
||||
super_admin_password = "__MUST_SET_VIA_ENV__"
|
||||
|
||||
[log]
|
||||
level = "info"
|
||||
|
||||
@@ -186,6 +186,20 @@ async fn main() -> anyhow::Result<()> {
|
||||
// Load config
|
||||
let config = AppConfig::load()?;
|
||||
|
||||
// ── 安全检查:拒绝默认密钥 ──────────────────────────
|
||||
if config.jwt.secret == "__MUST_SET_VIA_ENV__" || config.jwt.secret == "change-me-in-production" {
|
||||
tracing::error!(
|
||||
"JWT 密钥为默认值,拒绝启动。请设置环境变量 ERP__JWT__SECRET"
|
||||
);
|
||||
std::process::exit(1);
|
||||
}
|
||||
if config.database.url == "__MUST_SET_VIA_ENV__" {
|
||||
tracing::error!(
|
||||
"数据库 URL 为默认占位值,拒绝启动。请设置环境变量 ERP__DATABASE__URL"
|
||||
);
|
||||
std::process::exit(1);
|
||||
}
|
||||
|
||||
// Initialize tracing
|
||||
tracing_subscriber::fmt()
|
||||
.with_env_filter(
|
||||
|
||||
Reference in New Issue
Block a user