feat: 添加数据掩码功能以保护敏感信息

2025-10-23 03:31:56 +00:00 · 2025-09-13 14:35:42 +08:00
parent 0f0e359c63
commit b616eeb2d4
3 changed files with 155 additions and 4 deletions
--- a/utils/oauth/generic/generic.go
+++ b/utils/oauth/generic/generic.go
@@ -70,7 +70,7 @@ func (g *Generic) OnCallback(ctx *gin.Context, state string, query map[string]st
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return factory.OidcCallback{}, fmt.Errorf("failed to get access token: %v", err)
+		return factory.OidcCallback{}, fmt.Errorf("failed to get access token: %s", utils.DataMasking(err.Error(), []string{g.Addition.ClientSecret, g.Addition.ClientId}))
 	}
 	defer resp.Body.Close()
@@ -79,7 +79,7 @@ func (g *Generic) OnCallback(ctx *gin.Context, state string, query map[string]st
 	}
 	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
-		return factory.OidcCallback{}, fmt.Errorf("failed to parse access token response: %v", err)
+		return factory.OidcCallback{}, fmt.Errorf("failed to parse access token response: %s", utils.DataMasking(err.Error(), []string{g.Addition.ClientSecret, g.Addition.ClientId}))
 	}
 	// 获取用户信息
--- a/utils/oauth/github/github.go
+++ b/utils/oauth/github/github.go
@@ -71,7 +71,7 @@ func (g *Github) OnCallback(ctx *gin.Context, state string, query map[string]str
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return factory.OidcCallback{}, fmt.Errorf("failed to get access token: %v", err)
+		return factory.OidcCallback{}, fmt.Errorf("failed to get access token: %s", utils.DataMasking(err.Error(), []string{g.Addition.ClientSecret, g.Addition.ClientId}))
 	}
 	defer resp.Body.Close()
@@ -82,7 +82,7 @@ func (g *Github) OnCallback(ctx *gin.Context, state string, query map[string]str
 	}
 	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
-		return factory.OidcCallback{}, fmt.Errorf("failed to parse access token response: %v", err)
+		return factory.OidcCallback{}, fmt.Errorf("failed to parse access token response: %s", utils.DataMasking(err.Error(), []string{g.Addition.ClientSecret, g.Addition.ClientId}))
 	}
 	// 获取用户信息
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -2,6 +2,7 @@ package utils
 import (
 	"sort"
 	"strings"
 	"time"
 	"github.com/komari-monitor/komari/common"
@@ -118,3 +119,153 @@ func AverageReport(uuid string, time time.Time, records []common.Report, topPerc
 	}
 	return newRecord
 }
 func DataMasking(str string, private []string) string {
 	if str == "" || len(private) == 0 {
 		return str
 	}
 	mask := "********"
 	// 相似度阈值，可根据需要调节（0~1，越大越严格）
 	const threshold = 0.8
 	runes := []rune(str)
 	n := len(runes)
 	toMask := make([]bool, n)
 	// 预处理 private 中的词，去掉空、重复
 	uniq := make(map[string]struct{})
 	var words []string
 	for _, w := range private {
 		w = strings.TrimSpace(w)
 		if w == "" {
 			continue
 		}
 		if _, ok := uniq[w]; ok {
 			continue
 		}
 		uniq[w] = struct{}{}
 		words = append(words, w)
 	}
 	if len(words) == 0 {
 		return str
 	}
 	// 逐词进行滑动窗口匹配 + 模糊匹配（Levenshtein 相似度）
 	for _, w := range words {
 		wRunes := []rune(w)
 		wl := len(wRunes)
 		if wl == 0 || wl > n {
 			continue
 		}
 		// 滑动窗口大小采用敏感词长度
 		for i := 0; i <= n-wl; i++ {
 			if allMasked(toMask[i : i+wl]) { // 已全被标记则跳过
 				continue
 			}
 			sub := string(runes[i : i+wl])
 			sim := similarity(sub, w)
 			if sim >= threshold {
 				for k := 0; k < wl; k++ {
 					toMask[i+k] = true
 				}
 			}
 		}
 	}
 	// 构造输出：连续的掩码段只输出一次；如果原始被遮蔽长度>5，展示首尾字符
 	var b strings.Builder
 	i := 0
 	for i < n {
 		if toMask[i] {
 			start := i
 			for i < n && toMask[i] {
 				i++
 			}
 			end := i // 不包含
 			segLen := end - start
 			if segLen > 5 {
 				b.WriteRune(runes[start])
 				b.WriteString(mask)
 				b.WriteRune(runes[end-1])
 			} else {
 				b.WriteString(mask)
 			}
 		} else {
 			b.WriteRune(runes[i])
 			i++
 		}
 	}
 	return b.String()
 }
 // allMasked 判断一个区间是否全部已经被标记
 func allMasked(bools []bool) bool {
 	for _, v := range bools {
 		if !v {
 			return false
 		}
 	}
 	return true
 }
 // similarity 返回两个字符串的相似度 (0~1)，基于 Levenshtein 距离
 func similarity(a, b string) float64 {
 	if a == b {
 		return 1
 	}
 	ar := []rune(a)
 	br := []rune(b)
 	dist := levenshtein(ar, br)
 	maxLen := len(ar)
 	if len(br) > maxLen {
 		maxLen = len(br)
 	}
 	if maxLen == 0 {
 		return 1
 	}
 	return 1 - float64(dist)/float64(maxLen)
 }
 // levenshtein 计算两个 rune slice 的编辑距离
 func levenshtein(a, b []rune) int {
 	la, lb := len(a), len(b)
 	if la == 0 {
 		return lb
 	}
 	if lb == 0 {
 		return la
 	}
 	// 使用滚动数组降低空间复杂度
 	prev := make([]int, lb+1)
 	curr := make([]int, lb+1)
 	for j := 0; j <= lb; j++ {
 		prev[j] = j
 	}
 	for i := 1; i <= la; i++ {
 		curr[0] = i
 		for j := 1; j <= lb; j++ {
 			cost := 0
 			if a[i-1] != b[j-1] {
 				cost = 1
 			}
 			del := prev[j] + 1
 			ins := curr[j-1] + 1
 			sub := prev[j-1] + cost
 			curr[j] = minInt(del, ins, sub)
 		}
 		prev, curr = curr, prev
 	}
 	return prev[lb]
 }
 func minInt(vals ...int) int {
 	m := vals[0]
 	for _, v := range vals[1:] {
 		if v < m {
 			m = v
 		}
 	}
 	return m
 }