refining/secrets
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 61 Wiki Activity

release(secrets-mcp): 0.5.6
All checks were successful
Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 5m8s
Details
Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 1m36s
Details

Browse Source 
修复 OAuth 解绑时非法聚合 FOR UPDATE,Web OAuth 审计 IP 与 TRUST_PROXY 对齐并校验 IP,账号绑定写入 oauth_state 失败时回滚 bind 标记。回滚条目时恢复 folder/type,导入冲突检查在 DB 失败时传播错误,MCP delete/history 要求已登录用户,全局请求体 10MiB 限制。CI 部署支持 DEPLOY_KNOWN_HOSTS,默认 accept-new;文档与 deploy 示例补充连接池、限流、TRUST_PROXY。移除含明文凭据的 sync-test-to-prod 脚本。
This commit is contained in:
voson
2026-04-05 12:32:14 +08:00
parent 2b994141b8
commit 63cb3a8216
14 changed files with 217 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
crates/secrets-mcp/src/logging.rs
View File

@@ -1,9 +1,8 @@
use std::net::SocketAddr;
use std::time::Instant;
use axum::{
body::{Body, Bytes, to_bytes},
extract::{ConnectInfo, Request},
extract::Request,
http::{
HeaderMap, Method, StatusCode,
header::{CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT},
@@ -245,18 +244,5 @@ fn header_str(headers: &HeaderMap, name: impl axum::http::header::AsHeaderName)
}
fn client_ip(req: &Request) -> Option<String> {
if let Some(first) = req
.headers()
.get("x-forwarded-for")
.and_then(|v| v.to_str().ok())
.and_then(|s| s.split(',').next())
{
let s = first.trim();
if !s.is_empty() {
return Some(s.to_string());
}
}
req.extensions()
.get::<ConnectInfo<SocketAddr>>()
.map(|c| c.ip().to_string())
crate::client_ip::extract_client_ip(req).into()
}

3
crates/secrets-mcp/src/main.rs
View File

@@ -187,6 +187,9 @@ async fn main() -> Result<()> {
))
.layer(session_layer)
.layer(cors)
.layer(tower_http::limit::RequestBodyLimitLayer::new(
10 * 1024 * 1024,
))
.with_state(app_state);
// ── Start server ──────────────────────────────────────────────────────────

29
crates/secrets-mcp/src/tools.rs
View File

@@ -230,15 +230,6 @@ impl SecretsService {
}
}
/// Extract user_id from the HTTP request parts injected by auth middleware.
fn user_id_from_ctx(ctx: &RequestContext<RoleServer>) -> Result<Option<Uuid>, rmcp::ErrorData> {
let parts = ctx
.extensions
.get::<http::request::Parts>()
.ok_or_else(mcp_err_missing_http_parts)?;
Ok(parts.extensions.get::<AuthUser>().map(|a| a.user_id))
}
/// Get the authenticated user_id (returns error if not authenticated).
fn require_user_id(ctx: &RequestContext<RoleServer>) -> Result<Uuid, rmcp::ErrorData> {
let parts = ctx
@@ -1142,7 +1133,7 @@ impl SecretsService {
ctx: RequestContext<RoleServer>,
) -> Result<CallToolResult, rmcp::ErrorData> {
let t = Instant::now();
let user_id = Self::user_id_from_ctx(&ctx)?;
let user_id = Self::require_user_id(&ctx)?;
// Safety: require at least one filter.
if input.id.is_none()
@@ -1172,9 +1163,9 @@ impl SecretsService {
if let Some(ref id_str) = input.id {
let eid = parse_uuid(id_str)?;
let uid = user_id;
let entry = resolve_entry_by_id(&self.pool, eid, uid)
let entry = resolve_entry_by_id(&self.pool, eid, Some(uid))
.await
.map_err(|e| mcp_err_internal_logged("secrets_delete", uid, e))?;
.map_err(|e| mcp_err_internal_logged("secrets_delete", Some(uid), e))?;
(Some(entry.name), Some(entry.folder))
} else {
(input.name.clone(), input.folder.clone())
@@ -1187,11 +1178,11 @@ impl SecretsService {
folder: effective_folder.as_deref(),
entry_type: input.entry_type.as_deref(),
dry_run: input.dry_run.unwrap_or(false),
user_id,
user_id: Some(user_id),
},
)
.await
.map_err(|e| mcp_err_internal_logged("secrets_delete", user_id, e))?;
.map_err(|e| mcp_err_internal_logged("secrets_delete", Some(user_id), e))?;
tracing::info!(
tool = "secrets_delete",
@@ -1218,7 +1209,7 @@ impl SecretsService {
ctx: RequestContext<RoleServer>,
) -> Result<CallToolResult, rmcp::ErrorData> {
let t = Instant::now();
let user_id = Self::user_id_from_ctx(&ctx)?;
let user_id = Self::require_user_id(&ctx)?;
tracing::info!(
tool = "secrets_history",
?user_id,
@@ -1230,9 +1221,9 @@ impl SecretsService {
let (resolved_name, resolved_folder): (String, Option<String>) =
if let Some(ref id_str) = input.id {
let eid = parse_uuid(id_str)?;
let entry = resolve_entry_by_id(&self.pool, eid, user_id)
let entry = resolve_entry_by_id(&self.pool, eid, Some(user_id))
.await
.map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?;
.map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
(entry.name, Some(entry.folder))
} else {
(input.name.clone(), input.folder.clone())
@@ -1243,10 +1234,10 @@ impl SecretsService {
&resolved_name,
resolved_folder.as_deref(),
input.limit.unwrap_or(20),
user_id,
Some(user_id),
)
.await
.map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?;
.map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
tracing::info!(
tool = "secrets_history",

110
crates/secrets-mcp/src/web.rs
View File

@@ -1,6 +1,6 @@
use askama::Template;
use chrono::SecondsFormat;
use std::net::SocketAddr;
use std::net::{IpAddr, SocketAddr};
use axum::{
Json, Router,
@@ -176,14 +176,33 @@ async fn current_user_id(session: &Session) -> Option<Uuid> {
}
fn request_client_ip(headers: &HeaderMap, connect_info: ConnectInfo<SocketAddr>) -> Option<String> {
if let Some(first) = headers
.get("x-forwarded-for")
.and_then(|v| v.to_str().ok())
.and_then(|s| s.split(',').next())
{
let value = first.trim();
if !value.is_empty() {
return Some(value.to_string());
let trust_proxy = std::env::var("TRUST_PROXY")
.as_deref()
.is_ok_and(|v| matches!(v, "1" | "true" | "yes"));
request_client_ip_with_trust_proxy(headers, connect_info, trust_proxy)
}
fn request_client_ip_with_trust_proxy(
headers: &HeaderMap,
connect_info: ConnectInfo<SocketAddr>,
trust_proxy: bool,
) -> Option<String> {
if trust_proxy {
if let Some(first) = headers
.get("x-forwarded-for")
.and_then(|v| v.to_str().ok())
.and_then(|s| s.split(',').next())
{
let value = first.trim();
if let Ok(ip) = value.parse::<IpAddr>() {
return Some(ip.to_string());
}
}
if let Some(value) = headers.get("x-real-ip").and_then(|v| v.to_str().ok()) {
let value = value.trim();
if let Ok(ip) = value.parse::<IpAddr>() {
return Some(ip.to_string());
}
}
}
@@ -234,10 +253,6 @@ pub fn web_router() -> Router<AppState> {
.route("/entries", get(entries_page))
.route("/audit", get(audit_page))
.route("/account/bind/google", get(account_bind_google))
.route(
"/account/bind/google/callback",
get(account_bind_google_callback),
)
.route("/account/unbind/{provider}", post(account_unbind))
.route("/api/key-salt", get(api_key_salt))
.route("/api/key-setup", post(api_key_setup))
@@ -909,14 +924,9 @@ async fn account_bind_google(
StatusCode::INTERNAL_SERVER_ERROR
})?;
let redirect_uri = format!("{}/account/bind/google/callback", state.base_url);
let mut cfg = state
.google_config
.clone()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
cfg.redirect_uri = redirect_uri;
let st = random_state();
if let Err(e) = session.insert(SESSION_OAUTH_STATE, &st).await {
let config = google_cfg(&state).ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let oauth_state = random_state();
if let Err(e) = session.insert(SESSION_OAUTH_STATE, &oauth_state).await {
tracing::error!(error = %e, "failed to insert oauth_state for account bind flow");
if let Err(rm) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await {
tracing::warn!(error = %rm, "failed to roll back oauth_bind_mode after oauth_state insert failure");
@@ -924,34 +934,8 @@ async fn account_bind_google(
return Err(StatusCode::INTERNAL_SERVER_ERROR);
}
Ok(Redirect::to(&google_auth_url(&cfg, &st)).into_response())
}
async fn account_bind_google_callback(
State(state): State<AppState>,
connect_info: ConnectInfo<SocketAddr>,
headers: HeaderMap,
session: Session,
Query(params): Query<OAuthCallbackQuery>,
) -> Result<Response, StatusCode> {
let client_ip = request_client_ip(&headers, connect_info);
let user_agent = request_user_agent(&headers);
handle_oauth_callback(
&state,
&session,
params,
"google",
client_ip.as_deref(),
user_agent.as_deref(),
|s, cfg, code| {
Box::pin(crate::oauth::google::exchange_code(
&s.http_client,
cfg,
code,
))
},
)
.await
let url = google_auth_url(config, &oauth_state);
Ok(Redirect::to(&url).into_response())
}
async fn account_unbind(
@@ -1742,6 +1726,34 @@ fn format_audit_target(folder: &str, entry_type: &str, name: &str) -> String {
mod tests {
use super::*;
#[test]
fn request_client_ip_ignores_forwarded_headers_without_trusted_proxy() {
let mut headers = HeaderMap::new();
headers.insert("x-forwarded-for", "203.0.113.10".parse().unwrap());
let ip = request_client_ip_with_trust_proxy(
&headers,
ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
false,
);
assert_eq!(ip.as_deref(), Some("127.0.0.1"));
}
#[test]
fn request_client_ip_uses_valid_forwarded_header_with_trusted_proxy() {
let mut headers = HeaderMap::new();
headers.insert("x-forwarded-for", "203.0.113.10, 10.0.0.1".parse().unwrap());
let ip = request_client_ip_with_trust_proxy(
&headers,
ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
true,
);
assert_eq!(ip.as_deref(), Some("203.0.113.10"));
}
#[test]
fn request_ui_lang_prefers_zh_cn_over_en_fallback() {
let mut headers = HeaderMap::new();