feat(plugin): 实现插件安全验证和审计日志功能
Some checks failed
Build Multi-Platform Binaries / build-frontend (push) Failing after 19s
Build Multi-Platform Binaries / build-binaries (amd64, darwin, server, false) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, linux, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, linux, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, windows, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, windows, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, darwin, server, false) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, linux, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, linux, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, windows, server, false) (push) Has been skipped
Some checks failed
Build Multi-Platform Binaries / build-frontend (push) Failing after 19s
Build Multi-Platform Binaries / build-binaries (amd64, darwin, server, false) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, linux, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, linux, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, windows, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (amd64, windows, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, darwin, server, false) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, linux, client, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, linux, server, true) (push) Has been skipped
Build Multi-Platform Binaries / build-binaries (arm64, windows, server, false) (push) Has been skipped
- 添加插件签名验证机制,支持远程证书吊销列表 - 增加插件安装时的安全检查和签名验证 - 实现插件版本存储的HMAC完整性校验 - 添加插件审计日志记录插件安装和验证事件 - 增加JS插件沙箱安全限制配置 - 添加插件商店API的签名URL字段支持 - 实现安全配置的自动刷新机制
This commit is contained in:
Flik
@@ -5,11 +5,13 @@ import (
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"github.com/gotunnel/internal/client/tunnel"
|
||||
"github.com/gotunnel/pkg/crypto"
|
||||
"github.com/gotunnel/pkg/plugin"
|
||||
"github.com/gotunnel/pkg/plugin/builtin"
|
||||
"github.com/gotunnel/pkg/plugin/sign"
|
||||
)
|
||||
|
||||
func main() {
|
||||
@@ -40,6 +42,9 @@ func main() {
|
||||
}
|
||||
}
|
||||
|
||||
// 初始化安全配置
|
||||
initSecurityConfig()
|
||||
|
||||
// 初始化插件系统
|
||||
registry := plugin.NewRegistry()
|
||||
for _, h := range builtin.GetClientPlugins() {
|
||||
@@ -52,3 +57,38 @@ func main() {
|
||||
|
||||
client.Run()
|
||||
}
|
||||
|
||||
// 官方安全配置 URL(与服务端保持一致)
|
||||
const (
|
||||
officialRevocationURL = "https://git.92coco.cn:8443/flik/GoTunnel-Plugins/raw/branch/main/security/revocation.json"
|
||||
officialKeyListURL = "https://git.92coco.cn:8443/flik/GoTunnel-Plugins/raw/branch/main/security/keys.json"
|
||||
)
|
||||
|
||||
// initSecurityConfig 初始化安全配置
|
||||
func initSecurityConfig() {
|
||||
// 配置撤销列表
|
||||
sign.SetRevocationConfig(sign.RevocationConfig{
|
||||
RemoteURL: officialRevocationURL,
|
||||
FetchInterval: 1 * time.Hour,
|
||||
RequestTimeout: 10 * time.Second,
|
||||
VerifySignature: true,
|
||||
})
|
||||
|
||||
// 配置公钥列表
|
||||
sign.SetKeyListConfig(sign.KeyListConfig{
|
||||
RemoteURL: officialKeyListURL,
|
||||
FetchInterval: 24 * time.Hour,
|
||||
RequestTimeout: 10 * time.Second,
|
||||
})
|
||||
|
||||
// 启动后台刷新
|
||||
stopCh := make(chan struct{})
|
||||
go sign.StartRevocationRefresher(stopCh)
|
||||
|
||||
// 立即拉取一次
|
||||
if err := sign.FetchRemoteKeyList(); err != nil {
|
||||
log.Printf("[Security] Fetch key list failed: %v", err)
|
||||
}
|
||||
|
||||
log.Printf("[Security] Initialized")
|
||||
}
|
||||
|
||||
@@ -59,6 +59,9 @@ func main() {
|
||||
log.Printf("[Server] TLS enabled")
|
||||
}
|
||||
|
||||
// 初始化安全配置(撤销列表和公钥列表)
|
||||
initSecurityConfig()
|
||||
|
||||
// 初始化插件系统
|
||||
registry := plugin.NewRegistry()
|
||||
if err := registry.RegisterAllServer(builtin.GetServerPlugins()); err != nil {
|
||||
@@ -188,3 +191,32 @@ func verifyPluginSignature(name, source, signature string) error {
|
||||
// 验证签名
|
||||
return sign.VerifyPlugin(pubKey, signed, source)
|
||||
}
|
||||
|
||||
// initSecurityConfig 初始化安全配置
|
||||
func initSecurityConfig() {
|
||||
// 配置撤销列表
|
||||
sign.SetRevocationConfig(sign.RevocationConfig{
|
||||
RemoteURL: config.OfficialRevocationURL,
|
||||
FetchInterval: 1 * time.Hour,
|
||||
RequestTimeout: 10 * time.Second,
|
||||
VerifySignature: true,
|
||||
})
|
||||
|
||||
// 配置公钥列表
|
||||
sign.SetKeyListConfig(sign.KeyListConfig{
|
||||
RemoteURL: config.OfficialKeyListURL,
|
||||
FetchInterval: 24 * time.Hour,
|
||||
RequestTimeout: 10 * time.Second,
|
||||
})
|
||||
|
||||
// 启动后台刷新
|
||||
stopCh := make(chan struct{})
|
||||
go sign.StartRevocationRefresher(stopCh)
|
||||
|
||||
// 立即拉取一次公钥列表
|
||||
if err := sign.FetchRemoteKeyList(); err != nil {
|
||||
log.Printf("[Security] Fetch key list failed: %v", err)
|
||||
}
|
||||
|
||||
log.Printf("[Security] Initialized with remote revocation and key list")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user