7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #114 from bjdgyc/dev 

Dev
This commit is contained in:
bjdgyc 2022-07-11 18:02:13 +08:00 committed by GitHub
parent 06931551d0 dd8c114632
commit 973541c132
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 318 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@ -53,6 +53,8 @@ AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过,如需要安装
> 对于线上环境,必须申请安全的 https 证书,不支持私有证书连接
>
> 客户端请使用群共享文件的版本,其他版本没有测试过,不保证使用正常
>
> 首次使用,请在浏览器访问 https://域名:443浏览器提示安全后在客户端输入 【域名:443】 即可
### 自行编译安装
@ -73,6 +75,7 @@ sudo ./anylink
# 默认账号 密码
# admin 123456
```
## Feature
@ -97,6 +100,7 @@ sudo ./anylink
- [x] IP 访问审计功能
- [x] 域名动态拆分隧道(域名路由功能)
- [x] radius认证支持
- [x] LDAP认证支持
- [ ] 基于 ipvtap 设备的桥接访问模式
## Config
@ -288,9 +292,11 @@ sh bridge-init.sh
## Discussion
添加 QQ 群: 567510628
添加微信群: 群共享文件有相关软件下载
![contact_me_qr](doc/screenshot/contact_me_qr.png)
QQ 群共享文件有相关软件下载
## Contribution

BIN
doc/screenshot/contact_me_qr.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

8
server/dbdata/group.go
View File

@ -159,8 +159,7 @@ func SetGroup(g *Group) error {
if authType == "local" {
g.Auth = defAuth
} else {
_, ok := authRegistry[authType]
if !ok {
if _, ok := authRegistry[authType]; !ok {
return errors.New("未知的认证方式: " + authType)
}
auth := makeInstance(authType).(IUserAuth)
@ -168,6 +167,11 @@ func SetGroup(g *Group) error {
if err != nil {
return err
}
// 重置Auth 删除多余的key
g.Auth = map[string]interface{}{
"type": authType,
authType: g.Auth[authType],
}
}
g.UpdatedAt = time.Now()

18
server/dbdata/group_test.go
View File

@ -41,8 +41,24 @@ func TestGetGroupNames(t *testing.T) {
err = SetGroup(&g6)
ast.Nil(err)
authData = map[string]interface{}{
"type": "ldap",
"ldap": map[string]interface{}{
"addr": "192.168.8.12:389",
"tls": true,
"bind_name": "userfind@abc.com",
"bind_pwd": "afdbfdsafds",
"base_dn": "dc=abc,dc=com",
"search_attr": "sAMAccountName",
"member_of": "cn=vpn,cn=user,dc=abc,dc=com",
},
}
g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
err = SetGroup(&g7)
ast.Nil(err)
// 判断所有数据
gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6"}
gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6", "g7"}
gs := GetGroupNames()
for _, v := range gs {
ast.Equal(true, utils.InArrStr(gAll, v))

2
server/dbdata/tables.go
View File

@ -17,7 +17,7 @@ type Group struct {
DsIncludeDomains string `json:"ds_include_domains" xorm:"Text"`
LinkAcl []GroupLinkAcl `json:"link_acl" xorm:"Text"`
Bandwidth int `json:"bandwidth" xorm:"Int"` // 带宽限制
Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(255)"` // 认证方式
Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(500)"` // 认证方式
Status int8 `json:"status" xorm:"Int"` // 1正常
CreatedAt time.Time `json:"created_at" xorm:"DateTime created"`
UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`

22
server/dbdata/user_test.go
View File

@ -56,7 +56,6 @@ func TestCheckUser(t *testing.T) {
err = CheckUser("aaa", "bbbbbbb", group2)
if ast.NotNil(err) {
ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
}
// 添加用户策略
dns2 := []ValData{{Val: "8.8.8.8"}}
@ -66,4 +65,25 @@ func TestCheckUser(t *testing.T) {
ast.Nil(err)
err = CheckUser("aaa", u.PinCode, group)
ast.Nil(err)
// 添加一个ldap组
group3 := "group3"
authData = map[string]interface{}{
"type": "ldap",
"ldap": map[string]interface{}{
"addr": "192.168.8.12:389",
"tls": true,
"bind_name": "userfind@abc.com",
"bind_pwd": "afdbfdsafds",
"base_dn": "dc=abc,dc=com",
"search_attr": "sAMAccountName",
"member_of": "cn=vpn,cn=user,dc=abc,dc=com",
},
}
g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
err = SetGroup(&g3)
ast.Nil(err)
err = CheckUser("aaa", "bbbbbbb", group3)
if ast.NotNil(err) {
ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
}
}

136
server/dbdata/userauth_ldap.go Normal file
View File

@ -0,0 +1,136 @@
package dbdata
import (
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"net"
"reflect"
"regexp"
"time"
"github.com/go-ldap/ldap"
)
type AuthLdap struct {
Addr string `json:"addr"`
Tls bool `json:"tls"`
BindName string `json:"bind_name"`
BindPwd string `json:"bind_pwd"`
BaseDn string `json:"base_dn"`
SearchAttr string `json:"search_attr"`
MemberOf string `json:"member_of"`
}
func init() {
authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
}
func (auth AuthLdap) checkData(authData map[string]interface{}) error {
authType := authData["type"].(string)
bodyBytes, err := json.Marshal(authData[authType])
if err != nil {
return errors.New("LDAP配置填写有误")
}
json.Unmarshal(bodyBytes, &auth)
// 支持域名和IP, 必须填写端口
if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) {
return errors.New("LDAP的服务器地址(含端口)填写有误")
}
if auth.BindName == "" {
return errors.New("LDAP的管理员账号不能为空")
}
if auth.BindPwd == "" {
return errors.New("LDAP的管理员密码不能为空")
}
if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
return errors.New("LDAP的Base DN填写有误")
}
if auth.SearchAttr == "" {
return errors.New("LDAP的用户唯一ID不能为空")
}
if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) {
return errors.New("LDAP的受限用户组填写有误")
}
return nil
}
func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
pl := len(pwd)
if name == "" || pl < 1 {
return fmt.Errorf("%s %s", name, "密码错误")
}
authType := g.Auth["type"].(string)
if _, ok := g.Auth[authType]; !ok {
return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
}
bodyBytes, err := json.Marshal(g.Auth[authType])
if err != nil {
return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
}
err = json.Unmarshal(bodyBytes, &auth)
if err != nil {
return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
}
// 检测服务器和端口的可用性
con, err := net.DialTimeout("tcp", auth.Addr, 3*time.Second)
if err != nil {
return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
}
defer con.Close()
// 连接LDAP
l, err := ldap.Dial("tcp", auth.Addr)
if err != nil {
return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
}
defer l.Close()
if auth.Tls {
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
if err != nil {
return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
}
}
err = l.Bind(auth.BindName, auth.BindPwd)
if err != nil {
return fmt.Errorf("%s LDAP 管理员账号或密码填写有误 %s", name, err.Error())
}
filterAttr := "(objectClass=person)"
filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
if auth.MemberOf != "" {
filterAttr += "(memberOf:=" + auth.MemberOf + ")"
}
searchRequest := ldap.NewSearchRequest(
auth.BaseDn,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
fmt.Sprintf("(&%s)", filterAttr),
[]string{},
nil,
)
sr, err := l.Search(searchRequest)
if err != nil {
return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
}
if len(sr.Entries) != 1 {
if len(sr.Entries) == 0 {
return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
}
return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name)
}
userDN := sr.Entries[0].DN
err = l.Bind(userDN, pwd)
if err != nil {
return fmt.Errorf("%s LDAP 登入失败,请检查登入的账号或密码 %s", name, err.Error())
}
return nil
}
func ValidateDomainPort(addr string) bool {
re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
return re.MatchString(addr)
}
func ValidateDN(dn string) bool {
re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`)
return re.MatchString(dn)
}

7
server/go.mod
View File

@ -4,6 +4,8 @@ go 1.16
require (
github.com/StackExchange/wmi v1.2.1 // indirect
github.com/go-ldap/ldap v3.0.3+incompatible // indirect
github.com/go-ldap/ldap/v3 v3.4.3 // indirect
github.com/go-sql-driver/mysql v1.6.0
github.com/golang-jwt/jwt/v4 v4.0.0
github.com/google/gopacket v1.1.19
@ -22,9 +24,10 @@ require (
github.com/tklauser/go-sysconf v0.3.7 // indirect
github.com/xhit/go-simple-mail/v2 v2.10.0
github.com/xlzd/gotp v0.0.0-20181030022105-c8557ba2c119
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d
golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
xorm.io/xorm v1.2.2
)

127
web/src/pages/group/List.vue
View File

@ -168,10 +168,11 @@
title="用户组"
:visible.sync="user_edit_dialog"
width="750px"
@close='closeDialog'
center>
<el-form :model="ruleForm" :rules="rules" ref="ruleForm" label-width="100px" class="ruleForm">
<el-tabs v-model="activeTab">
<el-tabs v-model="activeTab" :before-leave="beforeTabLeave">
<el-tab-pane label="通用" name="general">
<el-form-item label="用户组ID" prop="id">
<el-input v-model="ruleForm.id" disabled></el-input>
@ -228,22 +229,45 @@
<el-tab-pane label="认证方式" name="authtype">
<el-form-item label="认证" prop="authtype">
<el-radio-group v-model="ruleForm.auth.type">
<el-radio-group v-model="ruleForm.auth.type" @change="authTypeChange">
<el-radio label="local" border>本地</el-radio>
<el-radio label="radius" border>Radius</el-radio>
<el-radio label="ldap" border>LDAP</el-radio>
</el-radio-group>
</el-form-item>
<el-form-item label="Radius密钥" v-if="ruleForm.auth.type == 'radius'">
<el-col :span="10">
<el-input v-model="ruleForm.auth.radius.secret"></el-input>
</el-col>
</el-form-item>
<el-form-item label="Radius服务器" v-if="ruleForm.auth.type == 'radius'">
<el-col :span="10">
<el-input v-model="ruleForm.auth.radius.addr" placeholder="输入IP和端口 192.168.2.1:1812"></el-input>
</el-col>
</el-form-item>
</el-tab-pane>
</el-form-item>
<templete v-if="ruleForm.auth.type == 'radius'">
<el-form-item label="服务器地址" prop="auth.radius.addr" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.radius.addr" placeholder="例如 ip:1812"></el-input>
</el-form-item>
<el-form-item label="密钥" prop="auth.radius.secret" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.radius.secret" placeholder=""></el-input>
</el-form-item>
</templete>
<templete v-if="ruleForm.auth.type == 'ldap'">
<el-form-item label="服务器地址" prop="auth.ldap.addr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 ip:389 / 域名:389"></el-input>
</el-form-item>
<el-form-item label="开启TLS" prop="auth.ldap.tls">
<el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>
</el-form-item>
<el-form-item label="管理员账号" prop="auth.ldap.bind_name" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.bind_name" placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
</el-form-item>
<el-form-item label="管理员密码" prop="auth.ldap.bind_pwd" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
<el-input type="password" v-model="ruleForm.auth.ldap.bind_pwd" placeholder=""></el-input>
</el-form-item>
<el-form-item label="Base DN" prop="auth.ldap.base_dn" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.base_dn" placeholder="例如 DC=abc,DC=com"></el-input>
</el-form-item>
<el-form-item label="用户唯一ID" prop="auth.ldap.search_attr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.search_attr" placeholder="例如 sAMAccountName 或 uid"></el-input>
</el-form-item>
<el-form-item label="受限用户组" prop="auth.ldap.member_of">
<el-input v-model="ruleForm.auth.ldap.member_of" placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
</el-form-item>
</templete>
</el-tab-pane>
<el-tab-pane label="路由设置" name="route">
<el-form-item label="包含路由" prop="route_include">
@ -336,7 +360,7 @@
</el-tab-pane>
<el-form-item>
<el-button type="primary" @click="submitForm('ruleForm')">保存</el-button>
<el-button @click="disVisible">取消</el-button>
<el-button @click="closeDialog">取消</el-button>
</el-form-item>
</el-tabs>
</el-form>
@ -368,6 +392,19 @@ export default {
activeTab : "general",
readMore: {},
readMinRows : 5,
defAuth : {
type:'local',
radius:{addr:"", secret:""},
ldap:{
addr:"",
tls:false,
base_dn:"",
search_attr:"sAMAccountName",
member_of:"",
bind_name:"",
bind_pwd:"",
},
},
ruleForm: {
bandwidth: 0,
status: 1,
@ -376,7 +413,7 @@ export default {
route_include: [{val: 'all', note: '默认全局代理'}],
route_exclude: [],
link_acl: [],
auth : {"type":'local'}
auth : {},
},
rules: {
name: [
@ -390,17 +427,37 @@ export default {
status: [
{required: true}
],
"auth.radius.addr": [
{required: true, message: '请输入Radius服务器', trigger: 'blur'}
],
"auth.radius.secret": [
{required: true, message: '请输入Radius密钥', trigger: 'blur'}
],
"auth.ldap.addr": [
{required: true, message: '请输入服务器地址(含端口)', trigger: 'blur'}
],
"auth.ldap.bind_name": [
{required: true, message: '请输入管理员账号', trigger: 'blur'}
],
"auth.ldap.bind_pwd": [
{required: true, message: '请输入管理员密码', trigger: 'blur'}
],
"auth.ldap.base_dn": [
{required: true, message: '请输入Base DN值', trigger: 'blur'}
],
"auth.ldap.search_attr": [
{required: true, message: '请输入用户唯一ID', trigger: 'blur'}
],
},
}
},
methods: {
setAuthData(row) {
var defAuthData = {"type":'local',
"radius":{"addr":"", "secret":""},
}
if (this.ruleForm.auth.type == "local" || !row) {
this.ruleForm.auth = defAuthData;
}
if (! row) {
this.ruleForm.auth = JSON.parse(JSON.stringify(this.defAuth));
return ;
}
this.ruleForm.auth = Object.assign(JSON.parse(JSON.stringify(this.defAuth)), row.auth);
},
handleDel(row) {
axios.post('/group/del?id=' + row.id).then(resp => {
@ -417,10 +474,9 @@ export default {
console.log(error);
});
},
handleEdit(row) {
handleEdit(row) {
!this.$refs['ruleForm'] || this.$refs['ruleForm'].resetFields();
console.log(row)
this.activeTab = "general"
console.log(row)
this.user_edit_dialog = true
if (!row) {
this.setAuthData(row)
@ -503,6 +559,27 @@ export default {
this.$set(this.readMore, id, true);
}
},
authTypeChange() {
this.$refs['ruleForm'].clearValidate();
},
beforeTabLeave() {
var isSwitch = true
if (! this.user_edit_dialog) {
return isSwitch;
}
this.$refs['ruleForm'].validate((valid) => {
if (!valid) {
this.$message.error("错误:您有必填项没有填写。")
isSwitch = false;
return false;
}
});
return isSwitch;
},
closeDialog() {
this.user_edit_dialog = false;
this.activeTab = "general";
}
},
}
</script>

25
web/src/pages/user/Policy.vue
View File

@ -136,10 +136,11 @@
:visible.sync="user_edit_dialog"
width="750px"
top="50px"
@close='closeDialog'
center>
<el-form :model="ruleForm" :rules="rules" ref="ruleForm" label-width="100px" class="ruleForm">
<el-tabs v-model="activeTab">
<el-tabs v-model="activeTab" :before-leave="beforeTabLeave">
<el-tab-pane label="通用" name="general">
<el-form-item label="ID" prop="id">
<el-input v-model="ruleForm.id" disabled></el-input>
@ -283,7 +284,7 @@ export default {
re_upper_limit : 0,
},
rules: {
name: [
username: [
{required: true, message: '请输入用户名', trigger: 'blur'},
{max: 30, message: '长度小于 30 个字符', trigger: 'blur'}
],
@ -398,7 +399,25 @@ export default {
} else {
this.$set(this.readMore, id, true);
}
},
},
beforeTabLeave() {
var isSwitch = true
if (! this.user_edit_dialog) {
return isSwitch;
}
this.$refs['ruleForm'].validate((valid) => {
if (!valid) {
this.$message.error("错误:您有必填项没有填写。")
isSwitch = false;
return false;
}
});
return isSwitch;
},
closeDialog() {
this.user_edit_dialog = false;
this.activeTab = "general";
},
},
}