package auth
import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"slices"
	"strconv"
	"time"

	"proxy-server/gateway/app"
	"proxy-server/gateway/core"
	"proxy-server/gateway/env"
)
// Protocol names the proxy protocol an inbound connection speaks.
type Protocol string

// Protocols the gateway distinguishes.
const (
	Socks5 Protocol = "socks5"
	Http   Protocol = "http"
)
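// Protect authenticates an inbound proxy connection against the permit
// assigned to the local port it arrived on.
//
// The checks run in order: the peer address is parsed, the local port is
// resolved to an assignment ID, peers listed in env.AuthWhitelist are
// admitted without a permit, then the port's permit must exist, be unexpired,
// list the peer IP in its Whitelists (when that list is non-empty) and, when
// it sets a Username or Password, match the supplied credentials.
//
// proto is accepted for interface compatibility but is not consulted here.
// username and password may be nil when the client sent no credentials; a
// permit that requires a credential rejects a nil one instead of
// dereferencing it.
//
// It returns the AuthContext carrying the port's assignment ID, or an error
// describing the first failed check. Error messages are the user-facing
// strings callers already expect and are kept verbatim.
func Protect(conn net.Conn, proto Protocol, username, password *string) (*core.AuthContext, error) {
	// Resolve the peer address.
	remoteHost, _, err := net.SplitHostPort(conn.RemoteAddr().String())
	if err != nil {
		return nil, fmt.Errorf("无法获取连接信息: %w", err)
	}

	// Resolve the local service port. The SplitHostPort error is checked
	// in its own right rather than being overwritten by the ParseUint result.
	_, portText, err := net.SplitHostPort(conn.LocalAddr().String())
	if err != nil {
		return nil, fmt.Errorf("noAuth 认证失败: %w", err)
	}
	localPort, err := strconv.ParseUint(portText, 10, 16)
	if err != nil {
		return nil, fmt.Errorf("noAuth 认证失败: %w", err)
	}
	port := uint16(localPort)

	// A missing assignment leaves id at its zero value, as before.
	id, _ := app.Assigns.Load(port)

	// Check the global whitelist: listed peers skip the permit entirely.
	remoteIP := net.ParseIP(remoteHost)
	if remoteIP == nil {
		return nil, fmt.Errorf("无法解析 IP 地址: %s", remoteHost)
	}
	if slices.ContainsFunc(env.AuthWhitelist, remoteIP.Equal) {
		return &core.AuthContext{Payload: core.Payload{ID: id}}, nil
	}

	// Look up the permit for this port.
	permit := app.LoadPermit(port)
	if permit == nil {
		return nil, errors.New("没有权限")
	}

	// Check expiry.
	if permit.Expire.Before(time.Now()) {
		return nil, errors.New("权限已过期")
	}

	// Check the per-permit IP whitelist; an absent or empty list imposes
	// no restriction.
	if permit.Whitelists != nil && len(*permit.Whitelists) > 0 && !ipListed(remoteIP, *permit.Whitelists) {
		return nil, errors.New("不在白名单内")
	}

	// Credentials are required when the permit sets either field. Both
	// comparisons always run so the rejection time does not reveal which
	// credential was wrong. A permit that sets neither field admits any
	// peer that passed the checks above.
	if permit.Username != nil || permit.Password != nil {
		userOK := credentialMatches(username, permit.Username)
		passOK := credentialMatches(password, permit.Password)
		if !userOK || !passOK {
			return nil, errors.New("用户名或密码错误")
		}
	}

	return &core.AuthContext{Payload: core.Payload{ID: id}}, nil
}

// ipListed reports whether remote equals any parseable entry of hosts;
// entries that net.ParseIP rejects never match.
func ipListed(remote net.IP, hosts []string) bool {
	for _, h := range hosts {
		if remote.Equal(net.ParseIP(h)) {
			return true
		}
	}
	return false
}

// credentialMatches compares a client-supplied credential with the one a
// permit expects: a nil expected value means this credential is not checked,
// a nil supplied value never satisfies a required one, and otherwise the
// comparison is constant-time for equal-length inputs (a length mismatch
// returns early, as crypto/subtle documents).
func credentialMatches(supplied, expected *string) bool {
	if expected == nil {
		return true
	}
	if supplied == nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(*supplied), []byte(*expected)) == 1
}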