refining/secrets
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 61 Wiki Activity

release(secrets-mcp): 0.5.6
All checks were successful
Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 5m8s
Details
Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 1m36s
Details

Browse Source 
修复 OAuth 解绑时非法聚合 FOR UPDATE,Web OAuth 审计 IP 与 TRUST_PROXY 对齐并校验 IP,账号绑定写入 oauth_state 失败时回滚 bind 标记。回滚条目时恢复 folder/type,导入冲突检查在 DB 失败时传播错误,MCP delete/history 要求已登录用户,全局请求体 10MiB 限制。CI 部署支持 DEPLOY_KNOWN_HOSTS,默认 accept-new;文档与 deploy 示例补充连接池、限流、TRUST_PROXY。移除含明文凭据的 sync-test-to-prod 脚本。
This commit is contained in:
voson
2026-04-05 12:32:14 +08:00
parent 2b994141b8
commit 63cb3a8216
14 changed files with 217 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/workflows/secrets.yml
View File

@@ -208,6 +208,7 @@ jobs:
DEPLOY_HOST: ${{ vars.DEPLOY_HOST }} DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
DEPLOY_USER: ${{ vars.DEPLOY_USER }} DEPLOY_USER: ${{ vars.DEPLOY_USER }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
DEPLOY_KNOWN_HOSTS: ${{ vars.DEPLOY_KNOWN_HOSTS }}
run: | run: |
if [ -z "$DEPLOY_HOST" ] || [ -z "$DEPLOY_USER" ] || [ -z "$DEPLOY_SSH_KEY" ]; then if [ -z "$DEPLOY_HOST" ] || [ -z "$DEPLOY_USER" ] || [ -z "$DEPLOY_SSH_KEY" ]; then
echo "部署跳过:请配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY" echo "部署跳过:请配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY"
@@ -216,19 +217,26 @@ jobs:
echo "$DEPLOY_SSH_KEY" > /tmp/deploy_key echo "$DEPLOY_SSH_KEY" > /tmp/deploy_key
chmod 600 /tmp/deploy_key chmod 600 /tmp/deploy_key
trap 'rm -f /tmp/deploy_key' EXIT
scp -i /tmp/deploy_key -o StrictHostKeyChecking=no \ if [ -n "$DEPLOY_KNOWN_HOSTS" ]; then
echo "$DEPLOY_KNOWN_HOSTS" > /tmp/deploy_known_hosts
ssh_opts="-o UserKnownHostsFile=/tmp/deploy_known_hosts -o StrictHostKeyChecking=yes"
else
ssh_opts="-o StrictHostKeyChecking=accept-new"
fi
scp -i /tmp/deploy_key $ssh_opts \
"/tmp/artifact/${MCP_BINARY}" \ "/tmp/artifact/${MCP_BINARY}" \
"${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/secrets-mcp.new" "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/secrets-mcp.new"
ssh -i /tmp/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" " ssh -i /tmp/deploy_key $ssh_opts "${DEPLOY_USER}@${DEPLOY_HOST}" "
sudo mv /tmp/secrets-mcp.new /opt/secrets-mcp/secrets-mcp sudo mv /tmp/secrets-mcp.new /opt/secrets-mcp/secrets-mcp
sudo chmod +x /opt/secrets-mcp/secrets-mcp sudo chmod +x /opt/secrets-mcp/secrets-mcp
sudo systemctl restart secrets-mcp sudo systemctl restart secrets-mcp
sleep 2 sleep 2
sudo systemctl is-active secrets-mcp && echo '服务启动成功' || (sudo journalctl -u secrets-mcp -n 20 && exit 1) sudo systemctl is-active secrets-mcp && echo '服务启动成功' || (sudo journalctl -u secrets-mcp -n 20 && exit 1)
" "
rm -f /tmp/deploy_key
- name: 飞书通知 - name: 飞书通知
if: always() if: always()

3
.vscode/tasks.json vendored
View File

@@ -22,7 +22,6 @@
"label": "test: workspace", "label": "test: workspace",
"type": "shell", "type": "shell",
"command": "cargo test --workspace --locked", "command": "cargo test --workspace --locked",
"dependsOn": "build",
"group": { "kind": "test", "isDefault": true } "group": { "kind": "test", "isDefault": true }
}, },
{ {
@@ -35,7 +34,7 @@
"label": "clippy: workspace", "label": "clippy: workspace",
"type": "shell", "type": "shell",
"command": "cargo clippy --workspace --locked -- -D warnings", "command": "cargo clippy --workspace --locked -- -D warnings",
"dependsOn": "build" "problemMatcher": []
}, },
{ {
"label": "ci: release-check", "label": "ci: release-check",

2
Cargo.lock generated
View File

@@ -2066,7 +2066,7 @@ dependencies = [
[[package]] [[package]]
name = "secrets-mcp" name = "secrets-mcp"
version = "0.5.5" version = "0.5.6"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"askama", "askama",

7
README.md
View File

@@ -25,6 +25,13 @@ cargo build --release -p secrets-mcp
| `SECRETS_MCP_BIND` | 监听地址,默认 `127.0.0.1:9315`。容器内或直接对外暴露端口时请改为 `0.0.0.0:9315`;反代时常为 `127.0.0.1:9315`。 | | `SECRETS_MCP_BIND` | 监听地址,默认 `127.0.0.1:9315`。容器内或直接对外暴露端口时请改为 `0.0.0.0:9315`;反代时常为 `127.0.0.1:9315`。 |
| `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` | 可选;不配置则无 Google 登录入口。运行时从环境读取,勿写入 CI、勿打入二进制。 | | `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` | 可选;不配置则无 Google 登录入口。运行时从环境读取,勿写入 CI、勿打入二进制。 |
| `RUST_LOG` | 可选;日志级别,如 `secrets_mcp=debug`。 | | `RUST_LOG` | 可选;日志级别,如 `secrets_mcp=debug`。 |
| `SECRETS_DATABASE_POOL_SIZE` | 可选。连接池最大连接数,默认 `10`。 |
| `SECRETS_DATABASE_ACQUIRE_TIMEOUT` | 可选。获取连接超时秒数,默认 `5`。 |
| `RATE_LIMIT_GLOBAL_PER_SECOND` | 可选。全局限流速率,默认 `100` req/s。 |
| `RATE_LIMIT_GLOBAL_BURST` | 可选。全局限流突发量,默认 `200`。 |
| `RATE_LIMIT_IP_PER_SECOND` | 可选。单 IP 限流速率,默认 `20` req/s。 |
| `RATE_LIMIT_IP_BURST` | 可选。单 IP 限流突发量,默认 `40`。 |
| `TRUST_PROXY` | 可选。设为 `1`/`true`/`yes` 时从 `X-Forwarded-For` / `X-Real-IP` 提取客户端 IP仅在反代环境下启用。 |
```bash ```bash
cargo run -p secrets-mcp cargo run -p secrets-mcp

8
crates/secrets-core/src/service/import.rs
View File

@@ -54,7 +54,13 @@ pub async fn run(
.bind(params.user_id) .bind(params.user_id)
.fetch_one(pool) .fetch_one(pool)
.await .await
.unwrap_or(false); .map_err(|e| {
anyhow::anyhow!(
"Failed to check entry existence for '{}': {}",
entry.name,
e
)
})?;
if exists && !params.force { if exists && !params.force {
return Err(anyhow::anyhow!( return Err(anyhow::anyhow!(

6
crates/secrets-core/src/service/rollback.rs
View File

@@ -228,9 +228,11 @@ pub async fn run(
} }
sqlx::query( sqlx::query(
"UPDATE entries SET tags = $1, metadata = $2, version = version + 1, \ "UPDATE entries SET folder = $1, type = $2, tags = $3, metadata = $4, version = version + 1, \
updated_at = NOW() WHERE id = $3", updated_at = NOW() WHERE id = $5",
) )
.bind(&snap.folder)
.bind(&snap.entry_type)
.bind(&snap.tags) .bind(&snap.tags)
.bind(&snap.metadata) .bind(&snap.metadata)
.bind(lr.id) .bind(lr.id)

89
crates/secrets-core/src/service/user.rs
View File

@@ -200,10 +200,14 @@ pub async fn unbind_oauth_account(
); );
} }
let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM oauth_accounts WHERE user_id = $1") let mut tx = pool.begin().await?;
let locked_accounts: Vec<(String,)> =
sqlx::query_as("SELECT provider FROM oauth_accounts WHERE user_id = $1 FOR UPDATE")
.bind(user_id) .bind(user_id)
.fetch_one(pool) .fetch_all(&mut *tx)
.await?; .await?;
let count = locked_accounts.len();
if count <= 1 { if count <= 1 {
anyhow::bail!("Cannot unbind the last OAuth account. Please link another account first."); anyhow::bail!("Cannot unbind the last OAuth account. Please link another account first.");
@@ -212,8 +216,87 @@ pub async fn unbind_oauth_account(
sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1 AND provider = $2") sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1 AND provider = $2")
.bind(user_id) .bind(user_id)
.bind(provider) .bind(provider)
.execute(pool) .execute(&mut *tx)
.await?; .await?;
tx.commit().await?;
Ok(()) Ok(())
} }
#[cfg(test)]
mod tests {
use super::*;
async fn maybe_test_pool() -> Option<PgPool> {
let database_url = match std::env::var("SECRETS_DATABASE_URL") {
Ok(v) => v,
Err(_) => {
eprintln!("skip user service tests: SECRETS_DATABASE_URL not set");
return None;
}
};
let pool = match sqlx::PgPool::connect(&database_url).await {
Ok(pool) => pool,
Err(e) => {
eprintln!("skip user service tests: cannot connect to database: {e}");
return None;
}
};
if let Err(e) = crate::db::migrate(&pool).await {
eprintln!("skip user service tests: migrate failed: {e}");
return None;
}
Some(pool)
}
async fn cleanup_user_rows(pool: &PgPool, user_id: Uuid) -> Result<()> {
sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1")
.bind(user_id)
.execute(pool)
.await?;
sqlx::query("DELETE FROM users WHERE id = $1")
.bind(user_id)
.execute(pool)
.await?;
Ok(())
}
#[tokio::test]
async fn unbind_oauth_account_removes_only_requested_provider() -> Result<()> {
let Some(pool) = maybe_test_pool().await else {
return Ok(());
};
let user_id = Uuid::from_u128(rand::random());
cleanup_user_rows(&pool, user_id).await?;
sqlx::query("INSERT INTO users (id, name) VALUES ($1, '')")
.bind(user_id)
.execute(&pool)
.await?;
sqlx::query(
"INSERT INTO oauth_accounts (user_id, provider, provider_id, email, name, avatar_url) \
VALUES ($1, 'google', $2, NULL, NULL, NULL), \
($1, 'github', $3, NULL, NULL, NULL)",
)
.bind(user_id)
.bind(format!("google-{user_id}"))
.bind(format!("github-{user_id}"))
.execute(&pool)
.await?;
unbind_oauth_account(&pool, user_id, "github", Some("google")).await?;
let remaining: Vec<(String,)> = sqlx::query_as(
"SELECT provider FROM oauth_accounts WHERE user_id = $1 ORDER BY provider",
)
.bind(user_id)
.fetch_all(&pool)
.await?;
assert_eq!(remaining, vec![("google".to_string(),)]);
cleanup_user_rows(&pool, user_id).await?;
Ok(())
}
}

2
crates/secrets-mcp/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "secrets-mcp" name = "secrets-mcp"
version = "0.5.5" version = "0.5.6"
edition.workspace = true edition.workspace = true
[[bin]] [[bin]]

18
crates/secrets-mcp/src/logging.rs
View File

@@ -1,9 +1,8 @@
use std::net::SocketAddr;
use std::time::Instant; use std::time::Instant;
use axum::{ use axum::{
body::{Body, Bytes, to_bytes}, body::{Body, Bytes, to_bytes},
extract::{ConnectInfo, Request}, extract::Request,
http::{ http::{
HeaderMap, Method, StatusCode, HeaderMap, Method, StatusCode,
header::{CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT}, header::{CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT},
@@ -245,18 +244,5 @@ fn header_str(headers: &HeaderMap, name: impl axum::http::header::AsHeaderName)
} }
fn client_ip(req: &Request) -> Option<String> { fn client_ip(req: &Request) -> Option<String> {
if let Some(first) = req crate::client_ip::extract_client_ip(req).into()
.headers()
.get("x-forwarded-for")
.and_then(|v| v.to_str().ok())
.and_then(|s| s.split(',').next())
{
let s = first.trim();
if !s.is_empty() {
return Some(s.to_string());
}
}
req.extensions()
.get::<ConnectInfo<SocketAddr>>()
.map(|c| c.ip().to_string())
} }

3
crates/secrets-mcp/src/main.rs
View File

@@ -187,6 +187,9 @@ async fn main() -> Result<()> {
)) ))
.layer(session_layer) .layer(session_layer)
.layer(cors) .layer(cors)
.layer(tower_http::limit::RequestBodyLimitLayer::new(
10 * 1024 * 1024,
))
.with_state(app_state); .with_state(app_state);
// ── Start server ────────────────────────────────────────────────────────── // ── Start server ──────────────────────────────────────────────────────────

29
crates/secrets-mcp/src/tools.rs
View File

@@ -230,15 +230,6 @@ impl SecretsService {
} }
} }
/// Extract user_id from the HTTP request parts injected by auth middleware.
fn user_id_from_ctx(ctx: &RequestContext<RoleServer>) -> Result<Option<Uuid>, rmcp::ErrorData> {
let parts = ctx
.extensions
.get::<http::request::Parts>()
.ok_or_else(mcp_err_missing_http_parts)?;
Ok(parts.extensions.get::<AuthUser>().map(|a| a.user_id))
}
/// Get the authenticated user_id (returns error if not authenticated). /// Get the authenticated user_id (returns error if not authenticated).
fn require_user_id(ctx: &RequestContext<RoleServer>) -> Result<Uuid, rmcp::ErrorData> { fn require_user_id(ctx: &RequestContext<RoleServer>) -> Result<Uuid, rmcp::ErrorData> {
let parts = ctx let parts = ctx
@@ -1142,7 +1133,7 @@ impl SecretsService {
ctx: RequestContext<RoleServer>, ctx: RequestContext<RoleServer>,
) -> Result<CallToolResult, rmcp::ErrorData> { ) -> Result<CallToolResult, rmcp::ErrorData> {
let t = Instant::now(); let t = Instant::now();
let user_id = Self::user_id_from_ctx(&ctx)?; let user_id = Self::require_user_id(&ctx)?;
// Safety: require at least one filter. // Safety: require at least one filter.
if input.id.is_none() if input.id.is_none()
@@ -1172,9 +1163,9 @@ impl SecretsService {
if let Some(ref id_str) = input.id { if let Some(ref id_str) = input.id {
let eid = parse_uuid(id_str)?; let eid = parse_uuid(id_str)?;
let uid = user_id; let uid = user_id;
let entry = resolve_entry_by_id(&self.pool, eid, uid) let entry = resolve_entry_by_id(&self.pool, eid, Some(uid))
.await .await
.map_err(|e| mcp_err_internal_logged("secrets_delete", uid, e))?; .map_err(|e| mcp_err_internal_logged("secrets_delete", Some(uid), e))?;
(Some(entry.name), Some(entry.folder)) (Some(entry.name), Some(entry.folder))
} else { } else {
(input.name.clone(), input.folder.clone()) (input.name.clone(), input.folder.clone())
@@ -1187,11 +1178,11 @@ impl SecretsService {
folder: effective_folder.as_deref(), folder: effective_folder.as_deref(),
entry_type: input.entry_type.as_deref(), entry_type: input.entry_type.as_deref(),
dry_run: input.dry_run.unwrap_or(false), dry_run: input.dry_run.unwrap_or(false),
user_id, user_id: Some(user_id),
}, },
) )
.await .await
.map_err(|e| mcp_err_internal_logged("secrets_delete", user_id, e))?; .map_err(|e| mcp_err_internal_logged("secrets_delete", Some(user_id), e))?;
tracing::info!( tracing::info!(
tool = "secrets_delete", tool = "secrets_delete",
@@ -1218,7 +1209,7 @@ impl SecretsService {
ctx: RequestContext<RoleServer>, ctx: RequestContext<RoleServer>,
) -> Result<CallToolResult, rmcp::ErrorData> { ) -> Result<CallToolResult, rmcp::ErrorData> {
let t = Instant::now(); let t = Instant::now();
let user_id = Self::user_id_from_ctx(&ctx)?; let user_id = Self::require_user_id(&ctx)?;
tracing::info!( tracing::info!(
tool = "secrets_history", tool = "secrets_history",
?user_id, ?user_id,
@@ -1230,9 +1221,9 @@ impl SecretsService {
let (resolved_name, resolved_folder): (String, Option<String>) = let (resolved_name, resolved_folder): (String, Option<String>) =
if let Some(ref id_str) = input.id { if let Some(ref id_str) = input.id {
let eid = parse_uuid(id_str)?; let eid = parse_uuid(id_str)?;
let entry = resolve_entry_by_id(&self.pool, eid, user_id) let entry = resolve_entry_by_id(&self.pool, eid, Some(user_id))
.await .await
.map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?; .map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
(entry.name, Some(entry.folder)) (entry.name, Some(entry.folder))
} else { } else {
(input.name.clone(), input.folder.clone()) (input.name.clone(), input.folder.clone())
@@ -1243,10 +1234,10 @@ impl SecretsService {
&resolved_name, &resolved_name,
resolved_folder.as_deref(), resolved_folder.as_deref(),
input.limit.unwrap_or(20), input.limit.unwrap_or(20),
user_id, Some(user_id),
) )
.await .await
.map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?; .map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
tracing::info!( tracing::info!(
tool = "secrets_history", tool = "secrets_history",

98
crates/secrets-mcp/src/web.rs
View File

@@ -1,6 +1,6 @@
use askama::Template; use askama::Template;
use chrono::SecondsFormat; use chrono::SecondsFormat;
use std::net::SocketAddr; use std::net::{IpAddr, SocketAddr};
use axum::{ use axum::{
Json, Router, Json, Router,
@@ -176,14 +176,33 @@ async fn current_user_id(session: &Session) -> Option<Uuid> {
} }
fn request_client_ip(headers: &HeaderMap, connect_info: ConnectInfo<SocketAddr>) -> Option<String> { fn request_client_ip(headers: &HeaderMap, connect_info: ConnectInfo<SocketAddr>) -> Option<String> {
let trust_proxy = std::env::var("TRUST_PROXY")
.as_deref()
.is_ok_and(|v| matches!(v, "1" | "true" | "yes"));
request_client_ip_with_trust_proxy(headers, connect_info, trust_proxy)
}
fn request_client_ip_with_trust_proxy(
headers: &HeaderMap,
connect_info: ConnectInfo<SocketAddr>,
trust_proxy: bool,
) -> Option<String> {
if trust_proxy {
if let Some(first) = headers if let Some(first) = headers
.get("x-forwarded-for") .get("x-forwarded-for")
.and_then(|v| v.to_str().ok()) .and_then(|v| v.to_str().ok())
.and_then(|s| s.split(',').next()) .and_then(|s| s.split(',').next())
{ {
let value = first.trim(); let value = first.trim();
if !value.is_empty() { if let Ok(ip) = value.parse::<IpAddr>() {
return Some(value.to_string()); return Some(ip.to_string());
}
}
if let Some(value) = headers.get("x-real-ip").and_then(|v| v.to_str().ok()) {
let value = value.trim();
if let Ok(ip) = value.parse::<IpAddr>() {
return Some(ip.to_string());
}
} }
} }
@@ -234,10 +253,6 @@ pub fn web_router() -> Router<AppState> {
.route("/entries", get(entries_page)) .route("/entries", get(entries_page))
.route("/audit", get(audit_page)) .route("/audit", get(audit_page))
.route("/account/bind/google", get(account_bind_google)) .route("/account/bind/google", get(account_bind_google))
.route(
"/account/bind/google/callback",
get(account_bind_google_callback),
)
.route("/account/unbind/{provider}", post(account_unbind)) .route("/account/unbind/{provider}", post(account_unbind))
.route("/api/key-salt", get(api_key_salt)) .route("/api/key-salt", get(api_key_salt))
.route("/api/key-setup", post(api_key_setup)) .route("/api/key-setup", post(api_key_setup))
@@ -909,14 +924,9 @@ async fn account_bind_google(
StatusCode::INTERNAL_SERVER_ERROR StatusCode::INTERNAL_SERVER_ERROR
})?; })?;
let redirect_uri = format!("{}/account/bind/google/callback", state.base_url); let config = google_cfg(&state).ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let mut cfg = state let oauth_state = random_state();
.google_config if let Err(e) = session.insert(SESSION_OAUTH_STATE, &oauth_state).await {
.clone()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
cfg.redirect_uri = redirect_uri;
let st = random_state();
if let Err(e) = session.insert(SESSION_OAUTH_STATE, &st).await {
tracing::error!(error = %e, "failed to insert oauth_state for account bind flow"); tracing::error!(error = %e, "failed to insert oauth_state for account bind flow");
if let Err(rm) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await { if let Err(rm) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await {
tracing::warn!(error = %rm, "failed to roll back oauth_bind_mode after oauth_state insert failure"); tracing::warn!(error = %rm, "failed to roll back oauth_bind_mode after oauth_state insert failure");
@@ -924,34 +934,8 @@ async fn account_bind_google(
return Err(StatusCode::INTERNAL_SERVER_ERROR); return Err(StatusCode::INTERNAL_SERVER_ERROR);
} }
Ok(Redirect::to(&google_auth_url(&cfg, &st)).into_response()) let url = google_auth_url(config, &oauth_state);
} Ok(Redirect::to(&url).into_response())
async fn account_bind_google_callback(
State(state): State<AppState>,
connect_info: ConnectInfo<SocketAddr>,
headers: HeaderMap,
session: Session,
Query(params): Query<OAuthCallbackQuery>,
) -> Result<Response, StatusCode> {
let client_ip = request_client_ip(&headers, connect_info);
let user_agent = request_user_agent(&headers);
handle_oauth_callback(
&state,
&session,
params,
"google",
client_ip.as_deref(),
user_agent.as_deref(),
|s, cfg, code| {
Box::pin(crate::oauth::google::exchange_code(
&s.http_client,
cfg,
code,
))
},
)
.await
} }
async fn account_unbind( async fn account_unbind(
@@ -1742,6 +1726,34 @@ fn format_audit_target(folder: &str, entry_type: &str, name: &str) -> String {
mod tests { mod tests {
use super::*; use super::*;
#[test]
fn request_client_ip_ignores_forwarded_headers_without_trusted_proxy() {
let mut headers = HeaderMap::new();
headers.insert("x-forwarded-for", "203.0.113.10".parse().unwrap());
let ip = request_client_ip_with_trust_proxy(
&headers,
ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
false,
);
assert_eq!(ip.as_deref(), Some("127.0.0.1"));
}
#[test]
fn request_client_ip_uses_valid_forwarded_header_with_trusted_proxy() {
let mut headers = HeaderMap::new();
headers.insert("x-forwarded-for", "203.0.113.10, 10.0.0.1".parse().unwrap());
let ip = request_client_ip_with_trust_proxy(
&headers,
ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
true,
);
assert_eq!(ip.as_deref(), Some("203.0.113.10"));
}
#[test] #[test]
fn request_ui_lang_prefers_zh_cn_over_en_fallback() { fn request_ui_lang_prefers_zh_cn_over_en_fallback() {
let mut headers = HeaderMap::new(); let mut headers = HeaderMap::new();

21
deploy/.env.example
View File

@@ -30,3 +30,24 @@ GOOGLE_CLIENT_SECRET=
# ─── 日志(可选)────────────────────────────────────────────────────── # ─── 日志(可选)──────────────────────────────────────────────────────
# RUST_LOG=secrets_mcp=debug # RUST_LOG=secrets_mcp=debug
# ─── 数据库连接池(可选)──────────────────────────────────────────────
# 最大连接数,默认 10
# SECRETS_DATABASE_POOL_SIZE=10
# 获取连接超时秒数,默认 5
# SECRETS_DATABASE_ACQUIRE_TIMEOUT=5
# ─── 限流(可选)──────────────────────────────────────────────────────
# 全局限流速率req/s默认 100
# RATE_LIMIT_GLOBAL_PER_SECOND=100
# 全局限流突发量,默认 200
# RATE_LIMIT_GLOBAL_BURST=200
# 单 IP 限流速率req/s默认 20
# RATE_LIMIT_IP_PER_SECOND=20
# 单 IP 限流突发量,默认 40
# RATE_LIMIT_IP_BURST=40
# ─── 代理信任(可选)─────────────────────────────────────────────────
# 设为 1/true/yes 时从 X-Forwarded-For / X-Real-IP 提取客户端 IP
# 仅在反代环境下启用,否则客户端可伪造 IP 绕过限流
# TRUST_PROXY=1

95
scripts/sync-test-to-prod.sh
View File

@@ -1,95 +0,0 @@
#!/bin/bash
# 同步测试环境数据到生产环境
# 用法: ./scripts/sync-test-to-prod.sh
set -euo pipefail
# PostgreSQL 客户端工具路径 (Homebrew libpq)
export PATH="/opt/homebrew/opt/libpq/bin:$PATH"
# SSL 配置
export PGSSLMODE=verify-full
export PGSSLROOTCERT=/etc/ssl/cert.pem
# 测试环境
TEST_DB="postgres://postgres:Voson_2026_Pg18!@db.refining.ltd:5432/secrets-nn-test"
# 生产环境
PROD_DB="postgres://postgres:Voson_2026_Pg18!@db.refining.ltd:5432/secrets-nn-prod"
echo "========================================="
echo " 测试环境 -> 生产环境 数据同步"
echo "========================================="
echo ""
# 确认操作
read -p "⚠️ 此操作将覆盖生产环境数据,确认继续? (yes/no): " confirm
if [ "$confirm" != "yes" ]; then
echo "已取消"
exit 0
fi
echo ""
echo "步骤 1/4: 导出测试环境数据..."
TEMP_DIR=$(mktemp -d)
trap "rm -rf $TEMP_DIR" EXIT
# 导出测试环境数据(不含审计日志和历史记录)
pg_dump "$TEST_DB" \
--table=entries \
--table=secrets \
--table=entry_secrets \
--table=users \
--table=oauth_accounts \
--data-only \
--column-inserts \
--no-owner \
--no-privileges \
> "$TEMP_DIR/test_data.sql"
echo "✓ 测试数据已导出到临时文件"
echo " 文件大小: $(du -h "$TEMP_DIR/test_data.sql" | cut -f1)"
echo ""
echo "步骤 2/4: 备份当前生产数据..."
pg_dump "$PROD_DB" \
--table=entries \
--table=secrets \
--table=entry_secrets \
--table=users \
--table=oauth_accounts \
--data-only \
--column-inserts \
--no-owner \
--no-privileges \
> "$TEMP_DIR/prod_backup_$(date +%Y%m%d_%H%M%S).sql"
echo "✓ 生产数据已备份"
echo ""
echo "步骤 3/4: 清空生产环境目标表..."
psql "$PROD_DB" <<'SQL'
TRUNCATE TABLE entry_secrets CASCADE;
TRUNCATE TABLE secrets CASCADE;
TRUNCATE TABLE entries CASCADE;
SQL
echo "✓ 生产环境目标表已清空"
echo ""
echo "步骤 4/4: 导入测试数据到生产环境..."
psql "$PROD_DB" -f "$TEMP_DIR/test_data.sql" 2>&1 | tail -20
echo ""
echo "验证数据..."
echo "生产环境数据统计:"
psql "$PROD_DB" -c "SELECT 'users' as table_name, count(*) FROM users UNION ALL SELECT 'entries', count(*) FROM entries UNION ALL SELECT 'secrets', count(*) FROM secrets UNION ALL SELECT 'entry_secrets', count(*) FROM entry_secrets UNION ALL SELECT 'oauth_accounts', count(*) FROM oauth_accounts ORDER BY table_name;"
echo ""
echo "========================================="
echo " ✓ 数据同步完成!"
echo "========================================="
echo ""
echo "提示:"
echo " - 生产数据备份已保存在临时目录"
echo " - 临时文件将在脚本退出后自动删除"