fix: 解决 jwt 硬编码导致的 k8s 集群接管漏洞

1Panel-dev · Jan 4, 2023 · 3be58b8 · 3be58b8
1 parent 2fb4f69
commit 3be58b8
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 10 deletions.
diff --git a/conf/app.yml b/conf/app.yml
@@ -12,4 +12,6 @@ spec:
   db:
     path: /var/lib/kubepi/db/kubepi.db
   session:
-    expires: 24
+    expires: 24
+  jwt:
+    key:
diff --git a/internal/api/v1/session/session.go b/internal/api/v1/session/session.go
@@ -32,7 +32,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-var JwtSigKey = []byte("signature_hmac_secret_shared_key")
 var jwtMaxAge = 10 * time.Minute
 
 type Handler struct {
@@ -51,7 +50,7 @@ func NewHandler() *Handler {
 		roleService:        role.NewService(),
 		rolebindingService: rolebinding.NewService(),
 		ldapService:        ldap.NewService(),
-		jwtSigner:          jwt.NewSigner(jwt.HS256, JwtSigKey, jwtMaxAge),
+		jwtSigner:          jwt.NewSigner(jwt.HS256, server.Config().Spec.Jwt.Key, jwtMaxAge),
 	}
 }
 

diff --git a/internal/api/v1/v1.go b/internal/api/v1/v1.go
@@ -401,8 +401,7 @@ func resourceNameInvalidHandler() iris.Handler {
 }
 
 func WarpedJwtHandler() iris.Handler {
-
-	verifier := jwt.NewVerifier(jwt.HS256, session.JwtSigKey)
+	verifier := jwt.NewVerifier(jwt.HS256, server.Config().Spec.Jwt.Key)
 	verifier.WithDefaultBlocklist()
 	verifyMiddleware := verifier.Verify(func() interface{} {
 		return new(session.UserProfile)

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -1,12 +1,15 @@
 package config
 
 import (
+	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"github.com/KubeOperator/kubepi/internal/model/v1/config"
 	"github.com/KubeOperator/kubepi/pkg/file"
 	"github.com/coreos/etcd/pkg/fileutil"
 	"github.com/spf13/viper"
+	"math/big"
+	"strconv"
 )
 
 const configNotFoundSkipErr = "config file not found in %s, skip"
@@ -17,7 +20,7 @@ var configFilePaths = []string{
 	"/etc/kubepi",
 }
 
-func ReadConfig(c *config.Config, path ...string)  error {
+func ReadConfig(c *config.Config, path ...string) error {
 	v := viper.New()
 	v.SetConfigName("app")
 	v.SetConfigType("yaml")
@@ -41,19 +44,36 @@ func ReadConfig(c *config.Config, path ...string)  error {
 		if err := v.MergeInConfig(); err != nil {
 			fmt.Println(fmt.Sprintf(configMergeErr, configFilePaths))
 		}
+
 	}
 
 	var configMap map[string]interface{}
 	if err := v.Unmarshal(&configMap); err != nil {
-		return  err
+		return err
 	}
 	str, err := json.Marshal(&configMap)
 	if err != nil {
-		return  err
+		return err
 	}
 	if err := json.Unmarshal(str, &c); err != nil {
-		return  nil
+		return nil
+	}
+	if c.Spec.Jwt.Key == "" {
+		v.Set("spec.jwt.key", generate(32))
+		if err := v.WriteConfig(); err != nil {
+			return err
+		}
 	}
-	return  nil
+	return nil
 }
 
+func generate(length int) string {
+	const base = 36
+	size := big.NewInt(base)
+	n := make([]byte, length)
+	for i := range n {
+		c, _ := rand.Int(rand.Reader, size)
+		n[i] = strconv.FormatInt(c.Int64(), base)[0]
+	}
+	return string(n)
+}
diff --git a/internal/model/v1/config/config.go b/internal/model/v1/config/config.go
@@ -12,6 +12,7 @@ type Spec struct {
 	DB      DBConfig      `json:"db"`
 	Session SessionConfig `json:"session"`
 	Logger  LoggerConfig  `json:"logger"`
+	Jwt     JwtConfig     `json:"jwt"`
 	AppId   string        `json:"appId"`
 }
 
@@ -42,3 +43,7 @@ type DBConfig struct {
 type SessionConfig struct {
 	Expires int `json:"expires"`
 }
+
+type JwtConfig struct {
+	Key string `json:"key"`
+}
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -340,6 +340,7 @@ func getDefaultConfig() *v1Config.Config {
 				Expires: 72,
 			},
 			Logger: v1Config.LoggerConfig{Level: "debug"},
+			Jwt:    v1Config.JwtConfig{},
 		},
 	}
 }