feat: Phase 1 - 安全中间件 + 运维工具箱

新增 oss/core/security/ 模块（852行）： - jwt_auth.py: JWT签发/验证（HMAC-SHA256，零外部依赖） - csrf.py: CSRF Token生成与校验 - input_validator.py: JSON Schema校验+类型强制 - tls.py: 自签名证书生成+SSL上下文新增 oss/core/ops/ 模块： - health.py: 增强版/health端点（CPU/内存/磁盘/运行时间） - metrics.py: Prometheus兼容/metrics端点对接改造： - engine.py: 导出新模块 - manager.py: 注册/api/login /health /metrics路由 - middleware.py: CSRF+InputValidation中间件 - config.py: JWT_SECRET/CSRF_SECRET等配置项 - security.py→security/__init__.py: 合并插件沙箱与HTTP安全
2026-05-17 15:42:40 +08:00
parent e67d2d8ef6
commit 5e957096fa
12 changed files with 754 additions and 56 deletions
--- a/oss/core/manager.py
+++ b/oss/core/manager.py
@@ -673,11 +673,65 @@ class PluginManager:
    def start_http_server(self):
        """启动 HTTP 服务（子模块）"""
        try:
-            from oss.core.http_api.server import HttpServer
+            from oss.core.http_api.server import HttpServer, Request, Response
            from oss.core.http_api.router import HttpRouter
            from oss.core.http_api.middleware import MiddlewareChain

            router = HttpRouter()
+
+            # ── 登录路由 ──
+            def login_handler(req: Request):
+                from oss.core.security.jwt_auth import issue_token
+                import json
+                try:
+                    data = json.loads(req.body or "{}")
+                    user = data.get("username", "")
+                    pwd = data.get("password", "")
+                    config = get_config()
+                    admin_user = config.get("ADMIN_USER", "admin")
+                    admin_pass = config.get("ADMIN_PASS", "admin123")
+                    if user == admin_user and pwd == admin_pass:
+                        token = issue_token(user)
+                        return Response(
+                            status=200,
+                            body=json.dumps({"token": token, "user": user}),
+                            headers={"Content-Type": "application/json"},
+                        )
+                    return Response(
+                        status=401,
+                        body=json.dumps({"error": "用户名或密码错误"}),
+                        headers={"Content-Type": "application/json"},
+                    )
+                except Exception as e:
+                    return Response(
+                        status=400,
+                        body=json.dumps({"error": str(e)}),
+                        headers={"Content-Type": "application/json"},
+                    )
+
+            # ── 健康检查路由 ──
+            def health_handler(req: Request):
+                from oss.core.ops.health import HealthChecker
+                import json
+                return Response(
+                    status=200,
+                    body=json.dumps(HealthChecker.check()),
+                    headers={"Content-Type": "application/json"},
+                )
+
+            # ── Metrics 路由 ──
+            def metrics_handler(req: Request):
+                from oss.core.ops.metrics import get_metrics
+                return Response(
+                    status=200,
+                    body=get_metrics().render(),
+                    headers={"Content-Type": "text/plain; version=0.0.4"},
+                )
+
+            router.add("POST", "/api/login", login_handler)
+            router.add("GET", "/health", health_handler)
+            router.add("GET", "/metrics", metrics_handler)
+
            middleware = MiddlewareChain()
            self.http_server = HttpServer(router=router, middleware=middleware)
            self.http_server.start()