chore: 禁止普通用户使用不安全插件，比如复制到本机、自定义js脚本等

2026-04-15 05:00:52 +08:00 · 2024-09-29 01:14:21 +08:00
parent 5aa06f5b07
commit 4fcaab5feb
10 changed files with 70 additions and 27 deletions
--- a/packages/ui/certd-server/src/modules/authority/controller/permission-controller.ts
+++ b/packages/ui/certd-server/src/modules/authority/controller/permission-controller.ts
@@ -1,12 +1,4 @@
-import {
-  ALL,
-  Body,
-  Controller,
-  Inject,
-  Post,
-  Provide,
-  Query,
-} from '@midwayjs/core';
+import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
 import { CrudController } from '../../../basic/crud-controller.js';
 import { PermissionService } from '../service/permission-service.js';

@@ -49,7 +41,7 @@ export class PermissionController extends CrudController<PermissionService> {
  @Post('/delete', { summary: 'sys:auth:per:remove' })
  async delete(
    @Query('id')
-    id : number
+    id: number
  ) {
    return await super.delete(id);
  }
--- a/packages/ui/certd-server/src/modules/authority/service/user-role-service.ts
+++ b/packages/ui/certd-server/src/modules/authority/service/user-role-service.ts
@@ -16,4 +16,6 @@ export class UserRoleService extends BaseService<UserRoleEntity> {
  getRepository() {
    return this.repository;
  }
+
+
 }
--- a/packages/ui/certd-server/src/modules/authority/service/user-service.ts
+++ b/packages/ui/certd-server/src/modules/authority/service/user-service.ts
@@ -204,4 +204,16 @@ export class UserService extends BaseService<UserEntity> {
    }
    await super.delete(ids);
  }
+
+  async isAdmin(userId: any) {
+    const userRoles = await this.userRoleService.find({
+      where: {
+        userId,
+      },
+    });
+    const roleIds = userRoles.map(item => item.roleId);
+    if (roleIds.includes(1)) {
+      return true;
+    }
+  }
 }
--- a/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
@@ -4,7 +4,7 @@ import { In, Repository } from 'typeorm';
 import { BaseService } from '../../../basic/base-service.js';
 import { PipelineEntity } from '../entity/pipeline.js';
 import { PipelineDetail } from '../entity/vo/pipeline-detail.js';
-import { Executor, isPlus, Pipeline, ResultType, RunHistory } from '@certd/pipeline';
+import { Executor, isPlus, Pipeline, ResultType, RunHistory, UserInfo } from '@certd/pipeline';
 import { AccessService } from './access-service.js';
 import { DbStorage } from './db-storage.js';
 import { StorageService } from './storage-service.js';
@@ -16,9 +16,11 @@ import { HistoryLogService } from './history-log-service.js';
 import { logger } from '../../../utils/logger.js';
 import { EmailService } from '../../basic/service/email-service.js';
 import { NeedVIPException } from '../../../basic/exception/vip-exception.js';
+import { UserService } from '../../authority/service/user-service.js';

 const runningTasks: Map<string | number, Executor> = new Map();
 const freeCount = 10;
+
 /**
 * 证书申请
 */
@@ -38,6 +40,9 @@ export class PipelineService extends BaseService<PipelineEntity> {
  @Inject()
  historyLogService: HistoryLogService;

+  @Inject()
+  userService: UserService;
+
  @Inject()
  cron: Cron;

@@ -331,9 +336,13 @@ export class PipelineService extends BaseService<PipelineEntity> {

    const userId = entity.userId;
    const historyId = await this.historyService.start(entity);
-
+    const userIsAdmin = await this.userService.isAdmin(userId);
+    const user: UserInfo = {
+      id: userId,
+      role: userIsAdmin ? 'admin' : 'user',
+    };
    const executor = new Executor({
-      userId,
+      user,
      pipeline,
      onChanged,
      accessService: this.accessService,
--- a/packages/ui/certd-server/src/plugins/plugin-host/plugin/copy-to-local/index.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-host/plugin/copy-to-local/index.ts
@@ -8,7 +8,7 @@ import path from 'path';
  name: 'CopyToLocal',
  title: '复制到本机',
  icon: 'solar:copy-bold-duotone',
-  desc: '实际上是复制证书到docker容器内的某个路径，需要做目录映射到宿主机',
+  desc: '【仅管理员使用】实际上是复制证书到docker容器内的某个路径，需要做目录映射到宿主机',
  group: pluginGroups.host.key,
  default: {
    strategy: {
@@ -114,6 +114,10 @@ export class CopyCertToLocalPlugin extends AbstractTaskPlugin {
    fs.copyFileSync(srcFile, destFile);
  }
  async execute(): Promise<void> {
+    if (!this.isAdmin()) {
+      throw new Error('只有管理员才能运行此任务');
+    }
+
    let { crtPath, keyPath, icPath, pfxPath, derPath } = this;
    const certReader = new CertReader(this.cert);

--- a/packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-restart.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-restart.ts
@@ -4,7 +4,7 @@ import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput
  name: 'RestartCertd',
  title: '重启Certd',
  icon: 'mdi:restart',
-  desc: '延迟一定时间后自动杀死自己，然后通过Docker来自动重启',
+  desc: '【仅管理员】延迟一定时间后自动杀死自己，然后通过Docker来自动重启',
  group: pluginGroups.other.key,
  default: {
    strategy: {
@@ -25,6 +25,9 @@ export class RestartCertdPlugin extends AbstractTaskPlugin {
  delay = 30;
  async onInstance() {}
  async execute(): Promise<void> {
+    if (!this.isAdmin()) {
+      throw new Error('只有管理员才能运行此任务');
+    }
    this.logger.info(`Certd 将在 ${this.delay} 秒后关闭`);
    setTimeout(() => {
      this.logger.info('重启 Certd');
--- a/packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-script.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-script.ts
@@ -9,8 +9,8 @@ export type CustomScriptContext = {
@IsTaskPlugin({
  name: 'CustomScript',
  title: '自定义js脚本',
-  icon:"ri:javascript-line",
-  desc: '测试',
+  icon: 'ri:javascript-line',
+  desc: '【仅管理员】运行自定义js脚本执行',
  group: pluginGroups.other.key,
  default: {
    strategy: {
@@ -45,6 +45,9 @@ export class CustomScriptPlugin extends AbstractTaskPlugin {

  async onInstance() {}
  async execute(): Promise<void> {
+    if (!this.isAdmin()) {
+      throw new Error('只有管理员才能运行此任务');
+    }
    this.logger.info('执行自定义脚本:\n', this.script);
    const ctx: CustomScriptContext = {
      CertReader,