diff --git a/0001-plugin-api-add-auth.patch b/0001-plugin-api-add-auth.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cca9cac50a94c5b17bf6d61165d15b567b69fd3d
--- /dev/null
+++ b/0001-plugin-api-add-auth.patch
@@ -0,0 +1,129 @@
+From 3cfae80e26447a49ff835bd544285fbf77abca76 Mon Sep 17 00:00:00 2001
+From: Gzx1999
+Date: Fri, 8 Mar 2024 17:27:41 +0800
+Subject: [PATCH] plugin api add auth
+
+---
+ pkg/app/server/controller/pluginapi/script.go | 11 ++-
+ pkg/app/server/service/jwt/jwt.go | 67 +++++++++++++++++++
+ 2 files changed, 77 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/app/server/controller/pluginapi/script.go b/pkg/app/server/controller/pluginapi/script.go
+index 9a723a49..cc0e07d9 100644
+--- a/pkg/app/server/controller/pluginapi/script.go
++++ b/pkg/app/server/controller/pluginapi/script.go
+@@ -4,11 +4,13 @@ package pluginapi
+
+ import (
+ "fmt"
++ "net/http"
+
+ "gitee.com/openeuler/PilotGo-plugins/sdk/plugin/client"
+ "github.com/gin-gonic/gin"
+ "openeuler.org/PilotGo/PilotGo/pkg/app/server/agentmanager"
+ "openeuler.org/PilotGo/PilotGo/pkg/app/server/service/batch"
++ "openeuler.org/PilotGo/PilotGo/pkg/app/server/service/jwt"
+ "openeuler.org/PilotGo/PilotGo/pkg/logger"
+ "openeuler.org/PilotGo/PilotGo/pkg/utils"
+ "openeuler.org/PilotGo/PilotGo/pkg/utils/response"
+@@ -16,7 +18,14 @@ import (
+
+ // 检查plugin接口调用权限
+ func AuthCheck(c *gin.Context) {
+- // TODO
++ _, err := jwt.ParsePluginClaims(c)
++ if err != nil {
++ c.JSON(http.StatusUnauthorized, gin.H{
++ "code": 401,
++ "msg": "plugin token check error:" + err.Error()})
++ c.Abort()
++ return
++ }
+ c.Next()
+ }
+
+diff --git a/pkg/app/server/service/jwt/jwt.go b/pkg/app/server/service/jwt/jwt.go
+index c709c008..2d961718 100644
+--- a/pkg/app/server/service/jwt/jwt.go
++++ b/pkg/app/server/service/jwt/jwt.go
+@@ -15,6 +15,7 @@
+ package jwt
+
+ import (
++ "errors"
+ "fmt"
+ "net/http"
+ "time"
+@@ -116,3 +117,69 @@ func ParseMyClaims(c *gin.Context) (*MyClaims, error) {
+ OnError:
+ return nil, err
+ }
++
++type PluginClaims struct {
++ jwt.StandardClaims
++
++ Name string
++ UUID string
++}
++
++func GeneratePluginToken(name, uuid string) (string, error) {
++ claims := &PluginClaims{
++ Name: name,
++ UUID: uuid,
++
++ StandardClaims: jwt.StandardClaims{
++ IssuedAt: time.Now().Unix(),
++ Issuer: Issue,
++ Subject: "plugin token",
++ },
++ }
++ token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
++ tokenString, err := token.SignedString([]byte(config.Config().JWT.SecretKey))
++ if err != nil {
++ return "", err
++ }
++ return tokenString, nil
++}
++
++func ParsePluginClaims(c *gin.Context) (*PluginClaims, error) {
++ cookie, err := c.Request.Cookie("PluginToken") //Get authorization header
++ if err != nil {
++ return nil, err
++ }
++
++ claims, err := parseClaims(cookie.Value, &PluginClaims{})
++ if err != nil {
++ return nil, err
++ }
++ m, ok := claims.(*PluginClaims)
++ if !ok {
++ return nil, errors.New("invalid plugin claims")
++ }
++ return m, nil
++}
++
++func parseClaims(tokenString string, clames jwt.Claims) (jwt.Claims, error) {
++ var token *jwt.Token
++ var err error
++
++ if tokenString == "" {
++ err = fmt.Errorf("token is empty")
++ return nil, err
++ }
++
++ token, err = jwt.ParseWithClaims(tokenString, clames, func(token *jwt.Token) (i interface{}, err error) {
++ return []byte(config.Config().JWT.SecretKey), nil
++ })
++ if err != nil {
++ return nil, err
++ }
++
++ if token != nil && !token.Valid {
++ err = fmt.Errorf("token is invalid")
++ return nil, err
++ }
++ return token.Claims, nil
++}
+-- 
+2.33.0
+
diff --git a/PilotGo-2.0.1.tar.gz b/PilotGo-2.0.1.tar.gz
index d9826271efadd4e894dafa868744a6c1e9a2b402..4e804383d71da239bdbd440eade4550c009c6cf9 100644
Binary files a/PilotGo-2.0.1.tar.gz and b/PilotGo-2.0.1.tar.gz differ
diff --git a/PilotGo-web.tar.gz b/PilotGo-web.tar.gz
index b3124bfec00e0f3cd7a1ca8c8db40aadd166dc1c..90d00e5553bcb612855d142a17fbc1aff803ad27 100644
Binary files a/PilotGo-web.tar.gz and b/PilotGo-web.tar.gz differ
diff --git a/PilotGo.spec b/PilotGo.spec
index 75f1ddff61aa2bd8346ecb4559afaf0af968575a..67f9ee99789b568ca96848eb63a8bf6df3f3579c 100755
--- a/PilotGo.spec
+++ b/PilotGo.spec
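Review bot: The new `GeneratePluginToken` sets `IssuedAt`, `Issuer` and `Subject` but no `ExpiresAt`, and `ParsePluginClaims` verifies neither `Issuer` nor `Subject` beyond the type assertion, so a plugin token stays valid indefinitely and any claims set signed with `config.Config().JWT.SecretKey` is accepted as one — if `ParseMyClaims` (its body lies outside this hunk) verifies user tokens with the same secret, a user token placed in the `PluginToken` cookie would pass `AuthCheck`. The keyfunc passed to `jwt.ParseWithClaims` in `parseClaims` should also confirm `token.Method` is an HMAC method before returning the secret, which is the library's documented guard against signing-method substitution. Two smaller points in the same hunk: the comment on the `c.Request.Cookie("PluginToken")` line says "Get authorization header" while the code reads a cookie, and `AuthCheck` in script.go returns `err.Error()` to the caller, which exposes parser internals; a fixed `"msg": "plugin token check error"` with the detail logged server-side is safer. `clames` in the `parseClaims` signature reads as a typo for `claims`.
```go
func GeneratePluginToken(name, uuid string) (string, error) {
	claims := &PluginClaims{
		Name: name,
		UUID: uuid,

		StandardClaims: jwt.StandardClaims{
			IssuedAt:  time.Now().Unix(),
			ExpiresAt: time.Now().Add(24 * time.Hour).Unix(), // sample TTL (constructed); choose per deployment
			Issuer:    Issue,
			Subject:   "plugin token",
		},
	}
	// … unchanged: sign with HS256 and return …
}

func ParsePluginClaims(c *gin.Context) (*PluginClaims, error) {
	// … unchanged: cookie read and parseClaims call …
	m, ok := claims.(*PluginClaims)
	if !ok || !m.VerifyIssuer(Issue, true) || m.Subject != "plugin token" {
		return nil, errors.New("invalid plugin claims")
	}
	return m, nil
}

// in parseClaims: pin the signing method before handing out the secret
token, err = jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("unexpected signing method %v", token.Header["alg"])
	}
	return []byte(config.Config().JWT.SecretKey), nil
})
```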
@@ -2,13 +2,17 @@ Name: PilotGo Version: 2.0.1 -Release: 1 +Release: 2 Summary: PilotGo is a plugable operation platform written in go License: MulanPSL-2.0 URL: https://gitee.com/openeuler/PilotGo Source0: https://gitee.com/openeuler/PilotGo/%{name}-%{version}.tar.gz -# Web packaged from ace055a5584482443e9fcfcca906cff2949f6c9b +# tar -xvf Source0 +# cd %{name}-%{version}/frontend/ +# run 'yarn install and yarn build' in it +# tar -czvf PilotGo-web.tar.gz ../frontend/dist/ Source1: PilotGo-web.tar.gz +Patch0: 0001-plugin-api-add-auth.patch BuildRequires: systemd BuildRequires: golang @@ -34,18 +38,18 @@ PilotGo agent. tar -xzvf %{SOURCE1} %build +cp -rf frontend/dist/static frontend/dist/index.html pkg/app/server/resource/ # server -GO111MODULE=on go build -mod=vendor -o PilotGo-server pkg/app/server/main.go +GO111MODULE=on go build -mod=vendor -o PilotGo-server -tags="production" pkg/app/server/main.go # agent GO111MODULE=on go build -mod=vendor -o PilotGo-agent pkg/app/agent/main.go %install -mkdir -p %{buildroot}/opt/PilotGo/{server/{frontend,log},agent/log} +mkdir -p %{buildroot}/opt/PilotGo/{server/log,agent/log} # server install -D -m 0755 PilotGo-server %{buildroot}/opt/PilotGo/server install -D -m 0644 config_server.yaml.templete %{buildroot}/opt/PilotGo/server/config_server.yaml install -D -m 0644 scripts/service/PilotGo-server.service %{buildroot}%{_unitdir}/PilotGo-server.service -cp -rf frontend/dist %{buildroot}/opt/PilotGo/server/frontend # agent install -D -m 0755 PilotGo-agent %{buildroot}/opt/PilotGo/agent install -D -m 0644 config_agent.yaml.templete %{buildroot}/opt/PilotGo/agent/config_agent.yaml @@ -75,8 +79,6 @@ install -D -m 0644 scripts/service/PilotGo-agent.service %{buildroot}%{_unitdir} %dir /opt/PilotGo/server/log /opt/PilotGo/server/PilotGo-server /opt/PilotGo/server/config_server.yaml -%dir /opt/PilotGo/server/frontend -/opt/PilotGo/server/frontend/dist %{_unitdir}/PilotGo-server.service %files agent 
@@ -89,6 +91,9 @@ install -D -m 0644 scripts/service/PilotGo-agent.service %{buildroot}%{_unitdir} %changelog +* Mon Mar 11 2024 jiangxinyu - 2.0.1-2 +- Fix authentication vulnerability + * Fri Sep 01 2023 jianxinyu - 2.0.1-1 - Package init