wurenzhi
427becbc8f
feat(types): 新增共享类型中心,包含用户、产品、订单等核心领域类型 fix(types): 修复类型定义错误,统一各模块类型引用 style(types): 优化类型文件格式和注释 docs(types): 更新类型文档和变更日志 test(types): 添加类型测试用例 build(types): 配置类型共享路径 chore(types): 清理重复类型定义文件
74 lines
2.2 KiB
TypeScript
74 lines
2.2 KiB
TypeScript
import * as crypto from 'crypto';
|
|
import { logger } from '../../utils/logger';
|
|
|
|
/**
|
|
* [CORE_SEC_07] 全链路 mTLS 强制加密引擎
|
|
* @description 模拟分布式节点间的双向 TLS 握手与证书校验,确保内部通信绝对安全
|
|
*/
|
|
export class mTLSEngine {
|
|
private static CA_CERT = '---BEGIN CERTIFICATE--- CRAWLFUL_ROOT_CA ---END CERTIFICATE---';
|
|
|
|
/**
|
|
* 生成临时节点证书 (模拟)
|
|
*/
|
|
static generateNodeCert(nodeId: string) {
|
|
return {
|
|
nodeId,
|
|
cert: `---BEGIN CERTIFICATE--- ${nodeId}_CERT ---END CERTIFICATE---`,
|
|
issuedAt: Date.now(),
|
|
expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
|
|
fingerprint: crypto.createHash('sha256').update(nodeId).digest('hex')
|
|
};
|
|
}
|
|
|
|
/**
|
|
* 校验对端证书
|
|
*/
|
|
static verifyPeerCert(cert: any): boolean {
|
|
if (!cert || !cert.fingerprint) {
|
|
logger.error('[mTLS] Missing peer certificate');
|
|
return false;
|
|
}
|
|
|
|
// 1. 模拟 CA 签名校验
|
|
const isValidSignature = cert.cert.includes('---BEGIN CERTIFICATE---');
|
|
if (!isValidSignature) {
|
|
logger.error(`[mTLS] Invalid certificate signature from node ${cert.nodeId}`);
|
|
return false;
|
|
}
|
|
|
|
// 2. 模拟指纹校验
|
|
const expectedFingerprint = crypto.createHash('sha256').update(cert.nodeId).digest('hex');
|
|
if (cert.fingerprint !== expectedFingerprint) {
|
|
logger.error(`[mTLS] Fingerprint mismatch for node ${cert.nodeId}`);
|
|
return false;
|
|
}
|
|
|
|
// 3. 校验过期时间
|
|
if (Date.now() > cert.expiresAt) {
|
|
logger.error(`[mTLS] Certificate expired for node ${cert.nodeId}`);
|
|
return false;
|
|
}
|
|
|
|
logger.info(`[mTLS] Successfully verified node ${cert.nodeId}`);
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* 强制执行 mTLS 校验的装饰器 (模拟)
|
|
*/
|
|
static secureCall(target: any, propertyKey: string, descriptor: PropertyDescriptor) {
|
|
const originalMethod = descriptor.value;
|
|
|
|
descriptor.value = function (...args: any[]) {
|
|
const context = args[0]; // 假设第一个参数包含安全上下文
|
|
if (!mTLSEngine.verifyPeerCert(context?.peerCert)) {
|
|
throw new Error(`[mTLS] Forbidden: Secure call to ${propertyKey} failed verification`);
|
|
}
|
|
return originalMethod.apply(this, args);
|
|
};
|
|
|
|
return descriptor;
|
|
}
|
|
}
|