Skip to content

fix(security): harden metrics exposure and namespace/private-skill auth#246

Open
dongmucat wants to merge 1 commit intomainfrom
fix/security-hardening-unauth
Open

fix(security): harden metrics exposure and namespace/private-skill auth#246
dongmucat wants to merge 1 commit intomainfrom
fix/security-hardening-unauth

Conversation

@dongmucat
Copy link
Copy Markdown
Collaborator

@dongmucat dongmucat commented Apr 7, 2026

概述

修复安全基线与越权问题,关闭敏感端点暴露并收紧私有 skill 与命名空间访问授权。

变更内容

后端实现

  • 指标与敏感服务收敛:
    • server/skillhub-app/src/main/resources/application.yml
      • management.endpoints.web.exposure.include 收敛为 health,info
      • 关闭 management.metrics.export.prometheus.enabled
    • docker-compose.yml
      • Redis 端口改为仅本机绑定 127.0.0.1:6379:6379
  • 命名空间鉴权收敛:
    • server/skillhub-auth/src/main/java/com/iflytek/skillhub/auth/policy/RouteSecurityPolicyRegistry.java
      • /api/v1/namespaces/api/web/namespaces 的 GET 从 permitAll 改为 authenticated
    • server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/portal/NamespaceController.java
      • 列表接口读取 userNsRoles,详情接口要求 userId
    • server/skillhub-app/src/main/java/com/iflytek/skillhub/service/NamespacePortalQueryAppService.java
      • 列表仅返回用户所属且 ACTIVE 的 namespace
      • 详情接口强制成员校验(非成员抛 DomainForbiddenException
  • 私有 skill 兼容接口授权加固:
    • server/skillhub-app/src/main/java/com/iflytek/skillhub/compat/CompatSkillLookupService.java
      • 新增 canAccess(...) 统一复用 VisibilityChecker
    • server/skillhub-app/src/main/java/com/iflytek/skillhub/compat/ClawHubCompatController.java
      • GET /api/v1/download 透传 userId/userNsRoles
    • server/skillhub-app/src/main/java/com/iflytek/skillhub/compat/ClawHubCompatAppService.java
      • legacy slug 查询坐标解析增加可见性校验,不可访问返回 not found
    • server/skillhub-app/src/main/java/com/iflytek/skillhub/compat/ClawHubRegistryFacade.java
      • 透传并规范化角色映射用于可见性判断

前端实现

  • 无前端代码变更。

测试覆盖

  • 后端单测新增/修改:
    • server/skillhub-app/src/test/java/com/iflytek/skillhub/compat/CompatSkillLookupServiceTest.java
    • server/skillhub-app/src/test/java/com/iflytek/skillhub/compat/ClawHubCompatControllerSecurityTest.java
    • server/skillhub-app/src/test/java/com/iflytek/skillhub/compat/ClawHubCompatAppServiceTest.java
    • server/skillhub-app/src/test/java/com/iflytek/skillhub/controller/NamespacePortalControllerTest.java
    • server/skillhub-app/src/test/java/com/iflytek/skillhub/service/NamespacePortalQueryAppServiceTest.java
    • server/skillhub-app/src/test/java/com/iflytek/skillhub/metrics/PrometheusEndpointTest.java
    • server/skillhub-auth/src/test/java/com/iflytek/skillhub/auth/policy/RouteSecurityPolicyRegistryTest.java
  • 前端单测:无新增(本次无前端功能改动)
  • E2E 测试:不适用(本次未修改 web/src/**/*.ts(x)

质量门禁

  • make typecheck-web 通过(0 errors)
  • make lint-web 通过(0 errors, 0 warnings)
  • make test-frontend 通过
  • make test-backend-app 通过(后端变更)
  • Playwright E2E(web/e2e)关键路径通过(无 UI 交互变更,不适用)
  • make generate-api 已执行且 schema.d.ts 无差异

安全考虑

  • 鉴权/授权:
    • 命名空间接口从匿名访问收敛到认证访问
    • 命名空间列表与详情均按成员关系强制校验
    • 兼容 legacy slug 下载/解析链路增加私有可见性校验,阻断未授权信息泄露
  • 敏感面收敛:
    • 关闭 metrics/prometheus 外露
    • Redis 端口仅本机绑定,避免公网暴露

相关 Issue

Related to #N/A

测试说明

本地验证步骤

  1. 执行 make typecheck-web
  2. 执行 make lint-web
  3. 执行 make test-frontend
  4. 执行 make test-backend-app
  5. 执行 make generate-api 并确认 web/src/api/generated/schema.d.ts 无 diff

回归测试范围

  • 兼容 API(/api/v1/skills/*/api/v1/download/api/v1/resolve
  • 命名空间门户接口(/api/v1/namespaces
  • Actuator/metrics 暴露收敛
  • Redis 本地开发端口暴露策略

截图/录屏(如有 UI 变更)

无(本次无 UI 变更)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dongmucat