fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
+43
View File
@@ -28,6 +28,7 @@ type Config struct {
RabbitMQ sharedconfig.RabbitMQConfig `mapstructure:"rabbitmq"`
Log sharedconfig.LogConfig `mapstructure:"log"`
JWT JWTConfig `mapstructure:"jwt"`
Auth sharedconfig.AuthConfig `mapstructure:"auth"`
DefaultAdmin DefaultAdminConfig `mapstructure:"default_admin"`
AdminUsers AdminUsersConfig `mapstructure:"admin_users"`
IPRegion IPRegionConfig `mapstructure:"ip_region"`
@@ -245,6 +246,9 @@ func Diff(previous, current *Config) []FieldChange {
if previous.JWT != current.JWT {
add("jwt", true)
}
if previous.Auth != current.Auth {
add("auth", false)
}
if previous.AdminUsers != current.AdminUsers {
add("admin_users", true)
}
@@ -310,6 +314,11 @@ func load(path string) (*Config, error) {
}
func applySharedDefaults(settings map[string]any) {
serverSettings := ensureMapSetting(settings, "server")
securityHeadersSettings := ensureMapSetting(serverSettings, "security_headers")
if _, ok := securityHeadersSettings["enabled"]; !ok {
securityHeadersSettings["enabled"] = true
}
cacheSettings := ensureMapSetting(settings, "cache")
if _, ok := cacheSettings["metrics_enabled"]; !ok {
cacheSettings["metrics_enabled"] = true
@@ -429,12 +438,46 @@ func applyEnvOverrides(cfg *Config) error {
if v := os.Getenv("OPS_SERVER_TRUSTED_PROXIES"); v != "" {
cfg.Server.TrustedProxies = strings.Split(v, ",")
}
if v := os.Getenv("OPS_SERVER_ALLOWED_ORIGINS"); v != "" {
cfg.Server.AllowedOrigins = strings.Split(v, ",")
}
if v := os.Getenv("OPS_SERVER_SECURITY_HEADERS_ENABLED"); v != "" {
enabled, err := parseBoolEnv("OPS_SERVER_SECURITY_HEADERS_ENABLED", v)
if err != nil {
return err
}
cfg.Server.SecurityHeaders.Enabled = enabled
}
if v := os.Getenv("OPS_AUTH_PASSWORD_CIPHER_ENABLED"); v != "" {
enabled, err := parseBoolEnv("OPS_AUTH_PASSWORD_CIPHER_ENABLED", v)
if err != nil {
return err
}
cfg.Auth.PasswordCipher.Enabled = enabled
}
if v := os.Getenv("OPS_AUTH_PASSWORD_CIPHER_KEY_ID"); v != "" {
cfg.Auth.PasswordCipher.KeyID = v
}
if v := os.Getenv("OPS_AUTH_PASSWORD_CIPHER_PRIVATE_KEY_PEM"); v != "" {
cfg.Auth.PasswordCipher.PrivateKeyPEM = v
}
if v := os.Getenv("OPS_RABBITMQ_URL"); v != "" {
cfg.RabbitMQ.URL = v
}
return nil
}
func parseBoolEnv(name, value string) (bool, error) {
switch strings.ToLower(strings.TrimSpace(value)) {
case "1", "true", "yes", "y", "on":
return true, nil
case "0", "false", "no", "n", "off":
return false, nil
default:
return false, fmt.Errorf("%s must be a boolean", name)
}
}
func normalizeOpsRabbitMQConfig(cfg *sharedconfig.RabbitMQConfig) {
if cfg == nil {
return