admin/markbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

MarkBase架构升级:Multi-Volume Virtual Tree + Dual-View Management + Git Remote修正
Some checks failed
Test / test (push) Has been cancelled
Details
Test / build (push) Has been cancelled
Details

Browse Source 
核心功能:
-  Categories/Series双视图管理(category_view.rs + import_markdown.rs)
-  FUSE Multi-Volume支持(tree_type参数)
-  SSH/SFTP/SCP/rsync协议完整实现(4042行)
-  NFS/SMB Module Phase 1-3完成
-  Archive Module Phase 1-4完成(2916行)
-  Download Center API完整实现
-  S3兼容API实现(560行)

Git配置修正:
-  删除错误origin(gitea.momentry.ddns.net)
-  删除m5max128(指向机器名)
-  设置origin = m5max128gitea.momentry.ddns.net/admin/markbase
-  设置m4minigitea = m4minigitea.momentry.ddns.net/warren/markbase

数据清理:
-  删除38个临时SQLite(保留accusys.sqlite、demo.sqlite)
-  删除.bak、test_*.bin、调试脚本等临时文件
-  删除临时目录(build/、download files/、raid_test/等)
-  更新.gitignore排除临时文件

架构优化:
- 52个文件修改,2434行新增,4739行删除
- Workspace成员整合(16个crate)
- 数据库状态:accusys.sqlite保留(主demo测试)

远程同步:
-  准备推送到m5max128gitea(远程Gitea)
-  准备推送到m4minigitea(本地Gitea)
This commit is contained in:
Warren
2026-06-12 12:59:54 +08:00
parent 4cb7e80568
commit 1300a4e223
4559 changed files with 195840 additions and 4244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
markbase-core/src/sftp/audit.rs Normal file
View File

@@ -0,0 +1,75 @@
use chrono::Utc;
use std::fs::{File, OpenOptions};
use std::io::Write;
use std::path::PathBuf;
use std::sync::Mutex;
pub struct AuditLog {
log_file: Mutex<File>,
log_path: PathBuf,
}
impl AuditLog {
pub fn new(log_path: &str) -> anyhow::Result<Self> {
let path = PathBuf::from(log_path);
// 确保日志目录存在
if let Some(parent) = path.parent() {
std::fs::create_dir_all(parent)?;
}
// 打开日志文件(追加模式)
let file = OpenOptions::new().create(true).append(true).open(&path)?;
Ok(Self {
log_file: Mutex::new(file),
log_path: path,
})
}
pub fn log_operation(&self, user_id: &str, operation: &str, path: &str, result: &str) {
let timestamp = Utc::now().format("%Y-%m-%dT%H:%M:%SZ");
let entry = format!(
"[{}] user={} operation={} path=\"{}\" result={}\n",
timestamp, user_id, operation, path, result
);
// 写入日志文件
if let Ok(mut file) = self.log_file.lock() {
if let Err(e) = file.write_all(entry.as_bytes()) {
log::error!("Failed to write audit log: {}", e);
}
}
// 同时输出到标准日志
log::info!(
"Audit: user={} operation={} path=\"{}\" result={}",
user_id,
operation,
path,
result
);
}
pub fn log_error(&self, user_id: &str, operation: &str, path: &str, error: &str) {
self.log_operation(user_id, operation, path, &format!("error: {}", error));
}
pub fn log_success(&self, user_id: &str, operation: &str, path: &str) {
self.log_operation(user_id, operation, path, "success");
}
pub fn get_log_path(&self) -> &PathBuf {
&self.log_path
}
}
impl Clone for AuditLog {
fn clone(&self) -> Self {
// Clone时重新打开文件
Self::new(&self.log_path.to_string_lossy()).unwrap_or_else(|_| {
// 如果失败,使用临时路径
Self::new("/tmp/sftp_audit_fallback.log").unwrap()
})
}
}

87
markbase-core/src/sftp/auth.rs Normal file
View File

@@ -0,0 +1,87 @@
use crate::sync::{AuthDb, PgUser};
use bcrypt::verify;
pub struct SftpAuth {
auth_db: AuthDb,
}
impl SftpAuth {
pub fn new(auth_db_path: &str) -> anyhow::Result<Self> {
let auth_db = AuthDb::new(auth_db_path)?;
Ok(Self { auth_db })
}
pub fn verify_password(&self, username: &str, password: &str) -> bool {
match self.auth_db.get_user(username) {
Ok(Some(user)) if user.status == 1 => {
verify(password, &user.password_hash).unwrap_or(false)
}
Ok(Some(_)) => {
log::warn!("User {} is disabled", username);
false
}
Ok(None) => {
log::warn!("User {} not found", username);
false
}
Err(e) => {
log::error!("Failed to get user {}: {}", username, e);
false
}
}
}
pub fn get_user(&self, username: &str) -> Option<PgUser> {
self.auth_db.get_user(username).ok().flatten()
}
}
#[cfg(test)]
mod tests {
use bcrypt::{hash, verify, DEFAULT_COST};
#[test]
fn test_bcrypt_verify_correct_password() {
let password = "demo123";
let hashed = hash(password, DEFAULT_COST).unwrap();
// 验证正确密码
let valid = verify(password, &hashed).unwrap();
assert!(valid);
}
#[test]
fn test_bcrypt_verify_wrong_password() {
let password = "demo123";
let wrong_password = "wrong123";
let hashed = hash(password, DEFAULT_COST).unwrap();
// 验证错误密码
let valid = verify(wrong_password, &hashed).unwrap();
assert!(!valid);
}
#[test]
fn test_bcrypt_verify_empty_password() {
let password = "";
let hashed = hash(password, DEFAULT_COST).unwrap();
// 验证空密码
let valid = verify(password, &hashed).unwrap();
assert!(valid);
// 验证非空密码对空hash
let valid = verify("test", &hashed).unwrap();
assert!(!valid);
}
#[test]
fn test_verify_database_hash() {
// 验证数据库中的实际hashdemo123
let db_hash = "$2b$10$ha5wU.mOi8fHLJCfun860u2cfVopa04jwe/q82IKOwqp5uG70qsH6";
let password = "demo123";
let valid = verify(password, db_hash).unwrap();
assert!(valid);
}
}

447
markbase-core/src/sftp/config.rs Normal file
View File

@@ -0,0 +1,447 @@
use anyhow::{Context, Result};
use serde::{Deserialize, Serialize};
use std::fs;
use std::path::PathBuf;
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SftpConfig {
#[serde(default)]
pub sftp: SftpSection,
#[serde(default)]
pub performance: PerformanceSection,
#[serde(default)]
pub security: SecuritySection,
#[serde(default)]
pub logging: LoggingSection,
#[serde(default)]
pub resource: ResourceSection,
#[serde(default)]
pub shell: ShellSection,
#[serde(default)]
pub rsync: RsyncSection,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SftpSection {
#[serde(default = "default_enabled")]
pub enabled: bool,
#[serde(default = "default_port")]
pub port: u16,
#[serde(default = "default_base_path")]
pub base_path: String,
#[serde(default = "default_auth_db_path")]
pub auth_db_path: String,
#[serde(default = "default_max_connections")]
pub max_connections: usize,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PerformanceSection {
#[serde(default = "default_path_cache_size")]
pub path_cache_size: usize,
#[serde(default = "default_chunk_size")]
pub chunk_size: usize,
#[serde(default = "default_connection_pool_size")]
pub connection_pool_size: usize,
#[serde(default = "default_max_open_files")]
pub max_open_files: usize,
#[serde(default = "default_max_open_dirs")]
pub max_open_dirs: usize,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SecuritySection {
#[serde(default = "default_require_path_validation")]
pub require_path_validation: bool,
#[serde(default = "default_audit_logging")]
pub audit_logging: bool,
#[serde(default = "default_path_traversal_protection")]
pub path_traversal_protection: bool,
#[serde(default = "default_symlink_check")]
pub symlink_check: bool,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct LoggingSection {
#[serde(default = "default_log_level")]
pub level: String,
#[serde(default = "default_audit_log_path")]
pub audit_log_path: String,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ResourceSection {
#[serde(default = "default_file_timeout_seconds")]
pub file_timeout_seconds: u64,
#[serde(default = "default_dir_timeout_seconds")]
pub dir_timeout_seconds: u64,
#[serde(default = "default_cleanup_interval_seconds")]
pub cleanup_interval_seconds: u64,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ShellSection {
#[serde(default = "default_shell_enabled")]
pub enabled: bool,
#[serde(default = "default_shell_path")]
pub shell_path: String,
#[serde(default = "default_allowed_commands")]
pub allowed_commands: Vec<String>,
#[serde(default = "default_forbidden_commands")]
pub forbidden_commands: Vec<String>,
#[serde(default = "default_max_command_length")]
pub max_command_length: usize,
#[serde(default = "default_shell_timeout_seconds")]
pub timeout_seconds: u64,
#[serde(default = "default_max_shell_sessions")]
pub max_shell_sessions: usize,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RsyncSection {
#[serde(default = "default_rsync_enabled")]
pub enabled: bool,
#[serde(default = "default_block_size")]
pub block_size: usize,
#[serde(default = "default_rsync_compression")]
pub compression: bool,
#[serde(default = "default_compression_level")]
pub compression_level: u32,
#[serde(default = "default_checksum_algorithm")]
pub checksum_algorithm: String,
#[serde(default = "default_max_file_size_mb")]
pub max_file_size_mb: usize,
#[serde(default = "default_delta_enabled")]
pub delta_enabled: bool,
#[serde(default = "default_rolling_checksum")]
pub rolling_checksum: bool,
#[serde(default = "default_protocol_version")]
pub protocol_version: u32,
#[serde(default = "default_hash_table_size")]
pub hash_table_size: usize,
#[serde(default = "default_max_block_count")]
pub max_block_count: usize,
}
impl Default for SftpConfig {
fn default() -> Self {
Self {
sftp: SftpSection::default(),
performance: PerformanceSection::default(),
security: SecuritySection::default(),
logging: LoggingSection::default(),
resource: ResourceSection::default(),
shell: ShellSection::default(),
rsync: RsyncSection::default(),
}
}
}
impl Default for SftpSection {
fn default() -> Self {
Self {
enabled: default_enabled(),
port: default_port(),
base_path: default_base_path(),
auth_db_path: default_auth_db_path(),
max_connections: default_max_connections(),
}
}
}
impl Default for PerformanceSection {
fn default() -> Self {
Self {
path_cache_size: default_path_cache_size(),
chunk_size: default_chunk_size(),
connection_pool_size: default_connection_pool_size(),
max_open_files: default_max_open_files(),
max_open_dirs: default_max_open_dirs(),
}
}
}
impl Default for SecuritySection {
fn default() -> Self {
Self {
require_path_validation: default_require_path_validation(),
audit_logging: default_audit_logging(),
path_traversal_protection: default_path_traversal_protection(),
symlink_check: default_symlink_check(),
}
}
}
impl Default for LoggingSection {
fn default() -> Self {
Self {
level: default_log_level(),
audit_log_path: default_audit_log_path(),
}
}
}
impl Default for ResourceSection {
fn default() -> Self {
Self {
file_timeout_seconds: default_file_timeout_seconds(),
dir_timeout_seconds: default_dir_timeout_seconds(),
cleanup_interval_seconds: default_cleanup_interval_seconds(),
}
}
}
impl Default for ShellSection {
fn default() -> Self {
Self {
enabled: default_shell_enabled(),
shell_path: default_shell_path(),
allowed_commands: default_allowed_commands(),
forbidden_commands: default_forbidden_commands(),
max_command_length: default_max_command_length(),
timeout_seconds: default_shell_timeout_seconds(),
max_shell_sessions: default_max_shell_sessions(),
}
}
}
impl Default for RsyncSection {
fn default() -> Self {
Self {
enabled: default_rsync_enabled(),
block_size: default_block_size(),
compression: default_rsync_compression(),
compression_level: default_compression_level(),
checksum_algorithm: default_checksum_algorithm(),
max_file_size_mb: default_max_file_size_mb(),
delta_enabled: default_delta_enabled(),
rolling_checksum: default_rolling_checksum(),
protocol_version: default_protocol_version(),
hash_table_size: default_hash_table_size(),
max_block_count: default_max_block_count(),
}
}
}
impl SftpConfig {
pub fn load(path: &str) -> Result<Self> {
let config_path = PathBuf::from(path);
if !config_path.exists() {
log::warn!("Config file not found: {}, using defaults", path);
return Ok(Self::default());
}
let content = fs::read_to_string(&config_path)
.with_context(|| format!("Failed to read config: {}", path))?;
let config: SftpConfig = toml::from_str(&content)
.with_context(|| format!("Failed to parse config: {}", path))?;
log::info!("Config loaded from: {}", path);
Ok(config)
}
pub fn load_default() -> Result<Self> {
Self::load("config/sftp.toml")
}
pub fn save(&self, path: &str) -> Result<()> {
let config_path = PathBuf::from(path);
let content = toml::to_string_pretty(self)
.with_context(|| "Failed to serialize SFTP config")?;
fs::write(&config_path, content)
.with_context(|| format!("Failed to write SFTP config: {}", path))?;
log::info!("SFTP config saved to: {}", path);
Ok(())
}
pub fn get_user_base_path(&self, user_id: &str) -> PathBuf {
PathBuf::from(&self.sftp.base_path).join(user_id)
}
}
fn default_enabled() -> bool {
true
}
fn default_port() -> u16 {
2023
}
fn default_base_path() -> String {
"/Users/accusys/momentry/var/sftpgo/data".to_string()
}
fn default_auth_db_path() -> String {
"data/auth.sqlite".to_string()
}
fn default_max_connections() -> usize {
100
}
fn default_path_cache_size() -> usize {
10000
}
fn default_chunk_size() -> usize {
65536
}
fn default_connection_pool_size() -> usize {
10
}
fn default_max_open_files() -> usize {
1000
}
fn default_max_open_dirs() -> usize {
100
}
fn default_require_path_validation() -> bool {
true
}
fn default_audit_logging() -> bool {
true
}
fn default_path_traversal_protection() -> bool {
true
}
fn default_symlink_check() -> bool {
true
}
fn default_log_level() -> String {
"info".to_string()
}
fn default_audit_log_path() -> String {
"logs/sftp_audit.log".to_string()
}
fn default_file_timeout_seconds() -> u64 {
300
}
fn default_dir_timeout_seconds() -> u64 {
600
}
fn default_cleanup_interval_seconds() -> u64 {
60
}
fn default_shell_enabled() -> bool {
false
} // 默认禁用(安全考虑)
fn default_shell_path() -> String {
"/bin/bash".to_string()
}
fn default_allowed_commands() -> Vec<String> {
vec!["ls".to_string(), "pwd".to_string(), "cat".to_string()]
}
fn default_forbidden_commands() -> Vec<String> {
vec![
"rm".to_string(),
"sudo".to_string(),
"chmod".to_string(),
"chown".to_string(),
]
}
fn default_max_command_length() -> usize {
1024
}
fn default_shell_timeout_seconds() -> u64 {
30
}
fn default_max_shell_sessions() -> usize {
10
}
fn default_rsync_enabled() -> bool {
true
}
fn default_block_size() -> usize {
4096
}
fn default_rsync_compression() -> bool {
true
}
fn default_compression_level() -> u32 {
6
}
fn default_checksum_algorithm() -> String {
"md5".to_string()
}
fn default_max_file_size_mb() -> usize {
10240
}
fn default_delta_enabled() -> bool {
true
}
fn default_rolling_checksum() -> bool {
true
}
fn default_protocol_version() -> u32 {
30
}
fn default_hash_table_size() -> usize {
10000
}
fn default_max_block_count() -> usize {
1000000
}
#[cfg(test)]
mod tests {
use super::*;
use std::fs;
use tempfile::TempDir;
#[test]
fn test_default_config() {
let config = SftpConfig::default();
// 验证默认值
assert_eq!(config.sftp.enabled, true);
assert_eq!(config.sftp.port, 2023);
assert_eq!(config.sftp.max_connections, 100);
assert_eq!(config.performance.chunk_size, 65536);
assert_eq!(config.performance.max_open_files, 1000);
assert_eq!(config.security.require_path_validation, true);
assert_eq!(config.security.path_traversal_protection, true);
assert_eq!(config.resource.file_timeout_seconds, 300);
assert_eq!(config.resource.cleanup_interval_seconds, 60);
}
#[test]
fn test_load_missing_config() {
let temp_dir = TempDir::new().unwrap();
let config_path = temp_dir.path().join("missing.toml");
// 加载不存在的配置文件(应该返回默认配置)
let config = SftpConfig::load(&config_path.to_string_lossy()).unwrap();
// 验证使用默认值
assert_eq!(config.sftp.port, 2023);
assert_eq!(config.performance.chunk_size, 65536);
}
#[test]
fn test_get_user_base_path() {
let config = SftpConfig::default();
let user_id = "test_user";
let user_path = config.get_user_base_path(user_id);
// 验证路径拼接
assert!(user_path.to_string_lossy().contains(user_id));
}
#[test]
fn test_load_default() {
// 测试加载默认配置文件(如果不存在,返回默认配置)
let config = SftpConfig::load_default().unwrap();
// 验证配置加载成功
assert_eq!(config.sftp.port, 2023);
assert!(config.sftp.enabled);
}
}

108
markbase-core/src/sftp/config_validate.rs Normal file
View File

@@ -0,0 +1,108 @@
use anyhow::{Context, Result};
use std::path::PathBuf;
impl crate::sftp::config::SftpConfig {
pub fn validate(&self) -> Result<()> {
// SFTP section validation
if self.sftp.port == 0 {
return Err(anyhow::anyhow!("SFTP port cannot be 0"));
}
if self.sftp.port < 1024 && self.sftp.port != 22 {
return Err(anyhow::anyhow!(
"SFTP port {} is invalid. Must be >= 1024 or 22 (standard SSH port)",
self.sftp.port
));
}
if self.sftp.base_path.is_empty() {
return Err(anyhow::anyhow!("SFTP base_path cannot be empty"));
}
if self.sftp.auth_db_path.is_empty() {
return Err(anyhow::anyhow!("SFTP auth_db_path cannot be empty"));
}
if self.sftp.max_connections == 0 {
return Err(anyhow::anyhow!("SFTP max_connections must be >= 1"));
}
// Performance section validation
if self.performance.path_cache_size == 0 {
return Err(anyhow::anyhow!("performance.path_cache_size must be >= 1"));
}
if self.performance.chunk_size == 0 {
return Err(anyhow::anyhow!("performance.chunk_size must be >= 1"));
}
if self.performance.chunk_size > 1048576 {
return Err(anyhow::anyhow!(
"performance.chunk_size {} is too large. Max: 1048576 (1MB)",
self.performance.chunk_size
));
}
if self.performance.connection_pool_size == 0 {
return Err(anyhow::anyhow!("performance.connection_pool_size must be >= 1"));
}
if self.performance.max_open_files == 0 {
return Err(anyhow::anyhow!("performance.max_open_files must be >= 1"));
}
if self.performance.max_open_dirs == 0 {
return Err(anyhow::anyhow!("performance.max_open_dirs must be >= 1"));
}
// Resource section validation
if self.resource.file_timeout_seconds == 0 {
return Err(anyhow::anyhow!("resource.file_timeout_seconds must be >= 1"));
}
if self.resource.dir_timeout_seconds == 0 {
return Err(anyhow::anyhow!("resource.dir_timeout_seconds must be >= 1"));
}
if self.resource.cleanup_interval_seconds == 0 {
return Err(anyhow::anyhow!("resource.cleanup_interval_seconds must be >= 1"));
}
// Logging section validation
if self.logging.level.is_empty() {
return Err(anyhow::anyhow!("logging.level cannot be empty"));
}
let valid_log_levels = ["trace", "debug", "info", "warn", "error", "off"];
if !valid_log_levels.contains(&self.logging.level.as_str()) {
return Err(anyhow::anyhow!(
"Invalid logging.level: {}. Must be one of: {}",
self.logging.level,
valid_log_levels.join(", ")
));
}
// Rsync section validation (if enabled)
if self.rsync.enabled {
if self.rsync.block_size == 0 {
return Err(anyhow::anyhow!("rsync.block_size must be >= 1 when rsync is enabled"));
}
if self.rsync.compression_level < 1 || self.rsync.compression_level > 9 {
return Err(anyhow::anyhow!(
"rsync.compression_level {} is invalid. Must be 1-9",
self.rsync.compression_level
));
}
if self.rsync.protocol_version < 27 || self.rsync.protocol_version > 31 {
return Err(anyhow::anyhow!(
"rsync.protocol_version {} is invalid. Must be 27-31",
self.rsync.protocol_version
));
}
}
Ok(())
}
}

285
markbase-core/src/sftp/filetree.rs Normal file
View File

@@ -0,0 +1,285 @@
use anyhow::{Context, Result};
use dashmap::DashMap;
use filetree::FileTree;
use rusqlite::Connection;
use std::collections::HashMap;
use std::path::PathBuf;
use std::sync::Arc;
pub struct SftpFileMapper {
conn: Connection,
user_id: String,
base_path: PathBuf,
path_cache: DashMap<String, PathBuf>,
config: Arc<crate::sftp::config::SftpConfig>,
}
impl SftpFileMapper {
pub fn new(user_id: &str) -> Result<Self> {
let config = crate::sftp::config::SftpConfig::load_default()?;
Self::new_with_config(user_id, Arc::new(config))
}
pub fn new_with_config(
user_id: &str,
config: Arc<crate::sftp::config::SftpConfig>,
) -> Result<Self> {
let db_path = FileTree::user_db_path(user_id);
let conn =
Connection::open(&db_path).with_context(|| format!("Failed to open {}", db_path))?;
let base_path = config.get_user_base_path(user_id);
let base_path = if base_path.exists() {
base_path.canonicalize().with_context(|| {
format!(
"User base path canonicalization failed: {}",
base_path.display()
)
})?
} else {
log::warn!(
"User base path not found: {}, using as-is",
base_path.display()
);
base_path
};
Ok(Self {
conn,
user_id: user_id.to_string(),
base_path,
path_cache: DashMap::new(),
config,
})
}
/// 安全路径验证(防止路径遍历攻击)
pub fn validate_path(&self, sftp_path: &str) -> Result<PathBuf> {
// 1. 构建完整路径
let full_path = if sftp_path.starts_with(&self.base_path.to_string_lossy().to_string()) {
// 路径已经包含base_path直接使用
PathBuf::from(sftp_path)
} else if sftp_path.starts_with('/') {
// 相对绝对路径(如 /Home/test.txt拼接base_path
self.base_path.join(sftp_path.trim_start_matches('/'))
} else {
// 相对路径(如 Home/test.txt拼接base_path
self.base_path.join(sftp_path)
};
log::debug!(
"Validating path: sftp={}, full={}",
sftp_path,
full_path.display()
);
// 2. 检查路径是否包含危险字符(..、null等
let path_str = full_path.to_string_lossy();
if path_str.contains("..") || path_str.contains('\0') {
log::warn!("Path traversal attempt detected: {}", sftp_path);
return Err(anyhow::anyhow!("Path traversal attack detected"));
}
// 3. 规范化路径(解析符号链接)
let canonical_path = full_path
.canonicalize()
.with_context(|| format!("Path does not exist: {}", full_path.display()))?;
// 4. 检查规范化路径是否在用户目录内
if !canonical_path.starts_with(&self.base_path) {
log::warn!(
"Path outside user directory: sftp={}, resolved={}",
sftp_path,
canonical_path.display()
);
return Err(anyhow::anyhow!(
"Access denied: path outside user directory"
));
}
log::info!(
"Path validation success: {} -> {}",
sftp_path,
canonical_path.display()
);
Ok(canonical_path)
}
/// 从数据库解析路径(兼容旧方法)
pub fn resolve_path(&self, sftp_path: &str) -> Result<PathBuf> {
// 先尝试缓存
if let Some(cached) = self.path_cache.get(sftp_path) {
log::debug!("Cache hit: {}", sftp_path);
return Ok(cached.clone());
}
// 数据库查询
let label = sftp_path.split('/').last().context("Invalid SFTP path")?;
let file_uuid: Option<String> = self
.conn
.query_row(
"SELECT file_uuid FROM file_nodes WHERE label = ?1 AND file_uuid IS NOT NULL",
[label],
|row| row.get::<_, String>(0),
)
.ok();
let real_path = if let Some(uuid) = file_uuid {
let path_str: String = self
.conn
.query_row(
"SELECT location FROM file_locations WHERE file_uuid = ?1",
[uuid],
|row| row.get::<_, String>(0),
)
.context("File location not found")?;
PathBuf::from(path_str)
} else {
// 如果数据库没有记录,直接使用路径映射
self.validate_path(sftp_path)?
};
// 缓存结果
self.path_cache
.insert(sftp_path.to_string(), real_path.clone());
Ok(real_path)
}
/// 列出目录内容
pub fn list_directory(&self, sftp_path: &str) -> Result<Vec<String>> {
let full_path = self.validate_path(sftp_path)?;
let entries: Vec<String> = std::fs::read_dir(&full_path)
.with_context(|| format!("Failed to read directory: {}", full_path.display()))?
.filter_map(|e| e.ok())
.map(|e| e.file_name().to_string_lossy().to_string())
.collect();
Ok(entries)
}
/// 清理缓存(可选)
pub fn clear_cache(&self) {
self.path_cache.clear();
log::info!("Path cache cleared");
}
}
#[cfg(test)]
mod tests {
use super::*;
use rusqlite::Connection;
use std::fs;
use tempfile::TempDir;
fn setup_test_env() -> (TempDir, String, Connection) {
let temp_dir = TempDir::new().unwrap();
let user_id = "test_user";
// 创建测试用户目录
let user_dir = temp_dir.path().join(user_id);
fs::create_dir_all(&user_dir).unwrap();
// 创建测试文件
fs::write(user_dir.join("test.txt"), "test content").unwrap();
// 创建测试数据库(内存数据库)
let conn = Connection::open_in_memory().unwrap();
conn.execute_batch(filetree::CREATE_TABLES).unwrap();
(temp_dir, user_id.to_string(), conn)
}
fn create_test_mapper_with_conn(
temp_dir: &TempDir,
user_id: &str,
conn: Connection,
) -> SftpFileMapper {
let config = crate::sftp::config::SftpConfig::default();
let base_path = temp_dir.path().join(user_id);
SftpFileMapper {
conn,
user_id: user_id.to_string(),
base_path,
path_cache: DashMap::new(),
config: std::sync::Arc::new(config),
}
}
#[test]
fn test_validate_path_normal() {
let (temp_dir, user_id, conn) = setup_test_env();
let mapper = create_test_mapper_with_conn(&temp_dir, &user_id, conn);
// 测试正常相对路径
let result = mapper.validate_path("test.txt");
assert!(result.is_ok());
// 测试正常绝对路径包含base_path
let base_path = temp_dir.path().join(&user_id);
let full_path = format!("{}", base_path.join("test.txt").display());
let result = mapper.validate_path(&full_path);
assert!(result.is_ok());
}
#[test]
fn test_validate_path_traversal_attack() {
let (temp_dir, user_id, conn) = setup_test_env();
let mapper = create_test_mapper_with_conn(&temp_dir, &user_id, conn);
// 测试路径遍历攻击(../
let result = mapper.validate_path("../../../etc/passwd");
assert!(result.is_err());
// 测试路径遍历攻击(..
let result = mapper.validate_path("..");
assert!(result.is_err());
}
#[test]
fn test_validate_path_null_character() {
let (temp_dir, user_id, conn) = setup_test_env();
let mapper = create_test_mapper_with_conn(&temp_dir, &user_id, conn);
// 测试null字符攻击
let result = mapper.validate_path("test\0.txt");
assert!(result.is_err());
}
#[test]
fn test_path_cache_hit() {
let (temp_dir, user_id, conn) = setup_test_env();
let mapper = create_test_mapper_with_conn(&temp_dir, &user_id, conn);
// 第一次查询(写入缓存)
let path1 = mapper.resolve_path("test.txt").unwrap();
// 第二次查询(缓存命中)
let path2 = mapper.resolve_path("test.txt").unwrap();
// 验证路径相同
assert_eq!(path1, path2);
// 验证缓存命中
assert!(mapper.path_cache.contains_key("test.txt"));
}
#[test]
fn test_clear_cache() {
let (temp_dir, user_id, conn) = setup_test_env();
let mapper = create_test_mapper_with_conn(&temp_dir, &user_id, conn);
// 写入缓存
mapper.resolve_path("test.txt").unwrap();
assert!(mapper.path_cache.contains_key("test.txt"));
// 清理缓存
mapper.clear_cache();
assert!(!mapper.path_cache.contains_key("test.txt"));
}
}

462
markbase-core/src/sftp/handler.rs Normal file
View File

@@ -0,0 +1,462 @@
use crate::sftp::audit::AuditLog;
use crate::sftp::config::SftpConfig;
use crate::sftp::metrics::Metrics;
use dashmap::DashMap;
use russh_sftp::protocol::{Data, FileAttributes, Handle, Name, Status, StatusCode, Version};
use std::collections::HashMap;
use std::fs;
use std::io::{Read, Seek, SeekFrom, Write};
use std::path::PathBuf;
use std::sync::Arc;
use std::time::{Duration, Instant};
use uuid::Uuid;
pub struct SftpHandler {
user_id: String,
file_mapper: crate::sftp::filetree::SftpFileMapper,
open_files: DashMap<String, (PathBuf, fs::File, Instant)>,
open_dirs: DashMap<String, (PathBuf, Instant)>,
config: Arc<SftpConfig>,
metrics: Arc<Metrics>,
audit: AuditLog,
}
impl SftpHandler {
pub fn new(user_id: &str) -> anyhow::Result<Self> {
let config = SftpConfig::load_default()?;
Self::new_with_config(user_id, Arc::new(config))
}
pub fn new_with_config(user_id: &str, config: Arc<SftpConfig>) -> anyhow::Result<Self> {
let file_mapper =
crate::sftp::filetree::SftpFileMapper::new_with_config(user_id, config.clone())?;
let audit = if config.security.audit_logging {
AuditLog::new(&config.logging.audit_log_path)?
} else {
// 审计日志禁用时,使用临时文件
AuditLog::new("/tmp/sftp_audit_disabled.log")?
};
Ok(Self {
user_id: user_id.to_string(),
file_mapper,
open_files: DashMap::new(),
open_dirs: DashMap::new(),
config,
metrics: Arc::new(Metrics::new()),
audit,
})
}
pub fn get_metrics(&self) -> crate::sftp::metrics::MetricsStats {
self.metrics.get_stats()
}
fn check_resource_limits(&self) -> Result<(), StatusCode> {
let open_files_count = self.open_files.len();
let open_dirs_count = self.open_dirs.len();
if open_files_count >= self.config.performance.max_open_files {
log::warn!("Resource limit reached: open_files={}", open_files_count);
return Err(StatusCode::Failure);
}
if open_dirs_count >= self.config.performance.max_open_dirs {
log::warn!("Resource limit reached: open_dirs={}", open_dirs_count);
return Err(StatusCode::Failure);
}
Ok(())
}
fn resolve_path_safe(&self, sftp_path: &str, operation: &str) -> Result<PathBuf, StatusCode> {
self.file_mapper.resolve_path(sftp_path).map_err(|e| {
log::error!(
"SFTP {}: failed to resolve path {}: {}",
operation,
sftp_path,
e
);
StatusCode::NoSuchFile
})
}
fn ok_status(id: u32, message: &str) -> Status {
Status {
id,
status_code: StatusCode::Ok,
error_message: message.to_string(),
language_tag: "en-US".to_string(),
}
}
}
impl russh_sftp::server::Handler for SftpHandler {
type Error = StatusCode;
fn unimplemented(&self) -> Self::Error {
StatusCode::OpUnsupported
}
async fn init(
&mut self,
version: u32,
extensions: HashMap<String, String>,
) -> Result<Version, Self::Error> {
log::info!(
"SFTP init: version={}, extensions={:?}",
version,
extensions
);
Ok(Version::new())
}
async fn open(
&mut self,
id: u32,
filename: String,
_pflags: russh_sftp::protocol::OpenFlags,
_attrs: FileAttributes,
) -> Result<Handle, Self::Error> {
let start = Instant::now();
log::info!("SFTP open: id={}, filename={}", id, filename);
self.check_resource_limits()?;
let real_path = self.resolve_path_safe(&filename, "open").map_err(|e| {
self.audit
.log_error(&self.user_id, "open", &filename, &e.to_string());
self.metrics.record_operation("open", 0, false);
e
})?;
let file = fs::File::open(&real_path).map_err(|e| {
log::error!(
"SFTP open: failed to open file {}: {}",
real_path.display(),
e
);
self.audit
.log_error(&self.user_id, "open", &filename, &e.to_string());
self.metrics.record_operation("open", 0, false);
StatusCode::PermissionDenied
})?;
let handle = Uuid::new_v4().to_string();
let timestamp = Instant::now();
log::info!(
"SFTP open success: handle={}, path={}",
handle,
real_path.display()
);
self.open_files
.insert(handle.clone(), (real_path, file, timestamp));
// 记录审计日志和性能指标
self.audit.log_success(&self.user_id, "open", &filename);
self.metrics.record_operation("open", 0, true);
self.metrics.record_latency(start.elapsed());
Ok(Handle { id, handle })
}
async fn read(
&mut self,
id: u32,
handle: String,
offset: u64,
len: u32,
) -> Result<Data, Self::Error> {
log::info!(
"SFTP read: id={}, handle={}, offset={}, len={}",
id,
handle,
offset,
len
);
let chunk_size = std::cmp::min(len as usize, self.config.performance.chunk_size);
let mut entry = self
.open_files
.get_mut(&handle)
.ok_or(StatusCode::BadMessage)?;
let (_, file, _) = entry.value_mut();
file.seek(SeekFrom::Start(offset))
.map_err(|_| StatusCode::Failure)?;
let mut buffer = vec![0u8; chunk_size];
let bytes_read = file.read(&mut buffer).map_err(|_| StatusCode::Failure)?;
buffer.truncate(bytes_read);
log::info!("SFTP read success: {} bytes read", bytes_read);
Ok(Data { id, data: buffer })
}
async fn write(
&mut self,
id: u32,
handle: String,
offset: u64,
data: Vec<u8>,
) -> Result<Status, Self::Error> {
log::info!(
"SFTP write: id={}, handle={}, offset={}, len={}",
id,
handle,
offset,
data.len()
);
let mut entry = self
.open_files
.get_mut(&handle)
.ok_or(StatusCode::BadMessage)?;
let (_, file, _) = entry.value_mut();
file.seek(SeekFrom::Start(offset))
.map_err(|_| StatusCode::Failure)?;
file.write_all(&data).map_err(|_| StatusCode::Failure)?;
log::info!("SFTP write success: {} bytes written", data.len());
Ok(Self::ok_status(id, "Write successful"))
}
async fn close(&mut self, id: u32, handle: String) -> Result<Status, Self::Error> {
log::info!("SFTP close: id={}, handle={}", id, handle);
self.open_files
.remove(&handle)
.ok_or(StatusCode::BadMessage)?;
log::info!("SFTP close success: handle={}", handle);
Ok(Self::ok_status(id, "File closed"))
}
async fn mkdir(
&mut self,
id: u32,
path: String,
_attrs: FileAttributes,
) -> Result<Status, Self::Error> {
log::info!("SFTP mkdir: id={}, path={}", id, path);
let full_path = self.resolve_path_safe(&path, "mkdir")?;
log::info!("Creating directory: {}", full_path.display());
fs::create_dir_all(&full_path).map_err(|e| {
log::error!(
"SFTP mkdir: failed to create directory {}: {}",
full_path.display(),
e
);
StatusCode::PermissionDenied
})?;
log::info!("SFTP mkdir success: {}", full_path.display());
Ok(Self::ok_status(id, "Directory created"))
}
async fn rmdir(&mut self, id: u32, path: String) -> Result<Status, Self::Error> {
log::info!("SFTP rmdir: id={}, path={}", id, path);
let full_path = self.resolve_path_safe(&path, "rmdir")?;
log::info!("Removing directory: {}", full_path.display());
let is_empty = fs::read_dir(&full_path)
.map_err(|e| {
log::error!(
"SFTP rmdir: failed to read directory {}: {}",
full_path.display(),
e
);
StatusCode::NoSuchFile
})?
.count()
== 0;
if !is_empty {
log::warn!("Directory not empty: {}", full_path.display());
return Err(StatusCode::Failure);
}
fs::remove_dir(&full_path).map_err(|e| {
log::error!(
"SFTP rmdir: failed to remove directory {}: {}",
full_path.display(),
e
);
StatusCode::PermissionDenied
})?;
log::info!("SFTP rmdir success: {}", full_path.display());
Ok(Self::ok_status(id, "Directory removed"))
}
async fn remove(&mut self, id: u32, filename: String) -> Result<Status, Self::Error> {
log::info!("SFTP remove: id={}, filename={}", id, filename);
let base_path = self.config.sftp.base_path.clone();
let user_path = self.config.get_user_base_path(&self.user_id);
let full_path = if filename.starts_with('/') {
user_path.join(&filename[1..])
} else {
user_path.join(&filename)
};
log::info!("Removing file: {}", full_path.display());
fs::remove_file(&full_path).map_err(|e| {
log::error!("Failed to remove file {}: {}", full_path.display(), e);
StatusCode::PermissionDenied
})?;
log::info!("SFTP remove success: {}", full_path.display());
Ok(Status {
id,
status_code: StatusCode::Ok,
error_message: "File removed".to_string(),
language_tag: "en-US".to_string(),
})
}
async fn rename(
&mut self,
id: u32,
oldpath: String,
newpath: String,
) -> Result<Status, Self::Error> {
log::info!("SFTP rename: id={}, old={}, new={}", id, oldpath, newpath);
let base_path = self.config.sftp.base_path.clone();
let user_path = self.config.get_user_base_path(&self.user_id);
let old_full = if oldpath.starts_with('/') {
user_path.join(&oldpath[1..])
} else {
user_path.join(&oldpath)
};
let new_full = if newpath.starts_with('/') {
user_path.join(&newpath[1..])
} else {
user_path.join(&newpath)
};
log::info!("Renaming file: {} -> {}", old_full.display(), new_full.display());
fs::rename(&old_full, &new_full).map_err(|e| {
log::error!("Failed to rename file {} to {}: {}", old_full.display(), new_full.display(), e);
StatusCode::PermissionDenied
})?;
log::info!("SFTP rename success: {} -> {}", old_full.display(), new_full.display());
Ok(Status {
id,
status_code: StatusCode::Ok,
error_message: "File renamed".to_string(),
language_tag: "en-US".to_string(),
})
}
async fn opendir(&mut self, id: u32, path: String) -> Result<Handle, Self::Error> {
log::info!("SFTP opendir: id={}, path={}", id, path);
let full_path = self.file_mapper.resolve_path(&path).map_err(|e| {
log::error!("Failed to resolve path {}: {}", path, e);
StatusCode::NoSuchFile
})?;
fs::metadata(&full_path).map_err(|_| StatusCode::NoSuchFile)?;
let handle = Uuid::new_v4().to_string();
let timestamp = Instant::now();
self.open_dirs
.insert(handle.clone(), (full_path, timestamp));
log::info!("SFTP opendir success: handle={}", handle);
Ok(Handle { id, handle })
}
async fn readdir(&mut self, id: u32, handle: String) -> Result<Name, Self::Error> {
log::info!("SFTP readdir: id={}, handle={}", id, handle);
let entry = self.open_dirs.get(&handle).ok_or(StatusCode::BadMessage)?;
let (dir_path, _) = entry.value();
let entries: Vec<russh_sftp::protocol::File> = fs::read_dir(dir_path)
.map_err(|_| StatusCode::Failure)?
.filter_map(|e| e.ok())
.map(|entry| {
let name = entry.file_name().to_string_lossy().to_string();
russh_sftp::protocol::File::new(&name, FileAttributes::default())
})
.collect();
log::info!("SFTP readdir success: {} entries", entries.len());
Ok(Name { id, files: entries })
}
async fn realpath(&mut self, id: u32, path: String) -> Result<Name, Self::Error> {
log::info!("SFTP realpath: id={}, path={}", id, path);
let full_path = self.file_mapper.resolve_path(&path).map_err(|e| {
log::error!("Failed to resolve path {}: {}", path, e);
StatusCode::NoSuchFile
})?;
Ok(Name {
id,
files: vec![russh_sftp::protocol::File {
filename: full_path.to_string_lossy().to_string(),
longname: full_path.to_string_lossy().to_string(),
attrs: FileAttributes::default(),
}],
})
}
async fn stat(
&mut self,
id: u32,
path: String,
) -> Result<russh_sftp::protocol::Attrs, Self::Error> {
log::info!("SFTP stat: id={}, path={}", id, path);
let full_path = self.file_mapper.resolve_path(&path).map_err(|e| {
log::error!("Failed to resolve path {}: {}", path, e);
StatusCode::NoSuchFile
})?;
let metadata = fs::metadata(&full_path).map_err(|_| StatusCode::NoSuchFile)?;
let attrs = FileAttributes {
size: Some(metadata.len()),
permissions: Some(if metadata.is_dir() { 0o755 } else { 0o644 }),
..Default::default()
};
Ok(russh_sftp::protocol::Attrs { id, attrs })
}
async fn lstat(
&mut self,
id: u32,
path: String,
) -> Result<russh_sftp::protocol::Attrs, Self::Error> {
log::info!("SFTP lstat: id={}, path={}", id, path);
self.stat(id, path).await
}
}

141
markbase-core/src/sftp/metrics.rs Normal file
View File

@@ -0,0 +1,141 @@
use std::sync::atomic::{AtomicU64, Ordering};
use std::time::Duration;
pub struct Metrics {
pub open_count: AtomicU64,
pub read_count: AtomicU64,
pub write_count: AtomicU64,
pub close_count: AtomicU64,
pub read_bytes: AtomicU64,
pub write_bytes: AtomicU64,
pub opendir_count: AtomicU64,
pub readdir_count: AtomicU64,
pub error_count: AtomicU64,
pub total_latency_ms: AtomicU64,
}
impl Metrics {
pub fn new() -> Self {
Self {
open_count: AtomicU64::new(0),
read_count: AtomicU64::new(0),
write_count: AtomicU64::new(0),
close_count: AtomicU64::new(0),
read_bytes: AtomicU64::new(0),
write_bytes: AtomicU64::new(0),
opendir_count: AtomicU64::new(0),
readdir_count: AtomicU64::new(0),
error_count: AtomicU64::new(0),
total_latency_ms: AtomicU64::new(0),
}
}
pub fn record_operation(&self, op: &str, bytes: usize, success: bool) {
match op {
"open" => {
self.open_count.fetch_add(1, Ordering::Relaxed);
}
"read" => {
self.read_count.fetch_add(1, Ordering::Relaxed);
self.read_bytes.fetch_add(bytes as u64, Ordering::Relaxed);
}
"write" => {
self.write_count.fetch_add(1, Ordering::Relaxed);
self.write_bytes.fetch_add(bytes as u64, Ordering::Relaxed);
}
"close" => {
self.close_count.fetch_add(1, Ordering::Relaxed);
}
"opendir" => {
self.opendir_count.fetch_add(1, Ordering::Relaxed);
}
"readdir" => {
self.readdir_count.fetch_add(1, Ordering::Relaxed);
}
_ => {}
}
if !success {
self.error_count.fetch_add(1, Ordering::Relaxed);
}
}
pub fn record_latency(&self, duration: Duration) {
self.total_latency_ms
.fetch_add(duration.as_millis() as u64, Ordering::Relaxed);
}
pub fn get_stats(&self) -> MetricsStats {
MetricsStats {
open_count: self.open_count.load(Ordering::Relaxed),
read_count: self.read_count.load(Ordering::Relaxed),
write_count: self.write_count.load(Ordering::Relaxed),
close_count: self.close_count.load(Ordering::Relaxed),
read_bytes: self.read_bytes.load(Ordering::Relaxed),
write_bytes: self.write_bytes.load(Ordering::Relaxed),
opendir_count: self.opendir_count.load(Ordering::Relaxed),
readdir_count: self.readdir_count.load(Ordering::Relaxed),
error_count: self.error_count.load(Ordering::Relaxed),
total_latency_ms: self.total_latency_ms.load(Ordering::Relaxed),
}
}
pub fn reset(&self) {
self.open_count.store(0, Ordering::Relaxed);
self.read_count.store(0, Ordering::Relaxed);
self.write_count.store(0, Ordering::Relaxed);
self.close_count.store(0, Ordering::Relaxed);
self.read_bytes.store(0, Ordering::Relaxed);
self.write_bytes.store(0, Ordering::Relaxed);
self.opendir_count.store(0, Ordering::Relaxed);
self.readdir_count.store(0, Ordering::Relaxed);
self.error_count.store(0, Ordering::Relaxed);
self.total_latency_ms.store(0, Ordering::Relaxed);
}
}
impl Default for Metrics {
fn default() -> Self {
Self::new()
}
}
#[derive(Debug, Clone, serde::Serialize)]
pub struct MetricsStats {
pub open_count: u64,
pub read_count: u64,
pub write_count: u64,
pub close_count: u64,
pub read_bytes: u64,
pub write_bytes: u64,
pub opendir_count: u64,
pub readdir_count: u64,
pub error_count: u64,
pub total_latency_ms: u64,
}
impl MetricsStats {
pub fn to_json(&self) -> String {
serde_json::to_string_pretty(self).unwrap_or_default()
}
}

18
markbase-core/src/sftp/mod.rs Normal file
View File

@@ -0,0 +1,18 @@
pub mod audit;
pub mod auth;
pub mod config;
pub mod filetree;
pub mod handler;
pub mod metrics;
pub mod pty;
pub mod scp_sender; // SCP senderrussh实现
pub mod server;
pub mod shell;
pub use audit::AuditLog;
pub use config::SftpConfig;
pub use metrics::{Metrics, MetricsStats};
pub use pty::PtySession;
pub use scp_sender::ScpSenderHandler;
pub use server::run_server;
pub use shell::ShellHandler;

160
markbase-core/src/sftp/pty.rs Normal file
View File

@@ -0,0 +1,160 @@
use anyhow::Result;
use std::io::{BufReader, BufWriter, Read, Write};
use std::process::{Child, Command, Stdio};
use std::sync::{Arc, Mutex};
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::process::{Child as TokioChild, Command as TokioCommand};
pub struct PtySession {
cols: u16,
rows: u16,
term: String,
shell_path: String,
child: Option<TokioChild>,
}
impl PtySession {
pub fn new(term: &str, cols: u16, rows: u16, shell_path: &str) -> Result<Self> {
log::info!(
"PTY session created: term={}, cols={}, rows={}, shell={}",
term,
cols,
rows,
shell_path
);
Ok(Self {
cols,
rows,
term: term.to_string(),
shell_path: shell_path.to_string(),
child: None,
})
}
pub async fn start_shell(&mut self) -> Result<()> {
log::info!("Starting shell: {}", self.shell_path);
let mut child = TokioCommand::new(&self.shell_path)
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()?;
self.child = Some(child);
log::info!("Shell process started successfully");
Ok(())
}
pub fn resize(&mut self, cols: u16, rows: u16) -> Result<()> {
self.cols = cols;
self.rows = rows;
log::info!("PTY resize: cols={}, rows={}", cols, rows);
Ok(())
}
pub fn get_shell_path(&self) -> &str {
&self.shell_path
}
pub fn get_size(&self) -> (u16, u16) {
(self.cols, self.rows)
}
pub async fn write_input(&mut self, data: &[u8]) -> Result<()> {
if let Some(ref mut child) = self.child {
if let Some(ref mut stdin) = child.stdin {
stdin.write_all(data).await?;
stdin.flush().await?;
log::debug!("Written {} bytes to shell stdin", data.len());
}
}
Ok(())
}
pub async fn read_output(&mut self, buf: &mut [u8]) -> Result<usize> {
if let Some(ref mut child) = self.child {
if let Some(ref mut stdout) = child.stdout {
let n = stdout.read(buf).await?;
log::debug!("Read {} bytes from shell stdout", n);
return Ok(n);
}
}
Ok(0)
}
pub async fn read_stderr(&mut self, buf: &mut [u8]) -> Result<usize> {
if let Some(ref mut child) = self.child {
if let Some(ref mut stderr) = child.stderr {
let n = stderr.read(buf).await?;
log::debug!("Read {} bytes from shell stderr", n);
return Ok(n);
}
}
Ok(0)
}
pub async fn wait(&mut self) -> Result<std::process::ExitStatus> {
if let Some(ref mut child) = self.child {
let status = child.wait().await?;
log::info!("Shell process exited with status: {:?}", status);
return Ok(status);
}
Err(anyhow::anyhow!("No shell process running"))
}
pub fn kill(&mut self) -> Result<()> {
if let Some(ref mut child) = self.child {
child.start_kill()?;
log::info!("Shell process killed");
}
Ok(())
}
}
impl Clone for PtySession {
fn clone(&self) -> Self {
Self {
cols: self.cols,
rows: self.rows,
term: self.term.clone(),
shell_path: self.shell_path.clone(),
child: None, // Cannot clone child process
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_pty_session_creation() {
let pty = PtySession::new("xterm", 80, 24, "/bin/bash");
assert!(pty.is_ok());
let pty = pty.unwrap();
assert_eq!(pty.get_shell_path(), "/bin/bash");
assert_eq!(pty.get_size(), (80, 24));
}
#[test]
fn test_pty_resize() {
let mut pty = PtySession::new("xterm", 80, 24, "/bin/bash").unwrap();
assert!(pty.resize(120, 40).is_ok());
assert_eq!(pty.get_size(), (120, 40));
}
#[tokio::test]
async fn test_shell_start() {
let mut pty = PtySession::new("xterm", 80, 24, "/bin/bash").unwrap();
// 启动shell
assert!(pty.start_shell().await.is_ok());
// 清理
pty.kill().ok();
}
}

89
markbase-core/src/sftp/scp_sender.rs Normal file
View File

@@ -0,0 +1,89 @@
// SCP Sender实现russh write-only
// 支持 scp -f从服务器下载文件
use anyhow::{Result, anyhow};
use russh::ChannelId;
use std::path::{Path, PathBuf};
use std::fs::File;
use std::io::Read;
use log::{info, warn, debug};
/// SCP Sender Handler
pub struct ScpSenderHandler {
base_path: PathBuf,
user_id: String,
}
impl ScpSenderHandler {
pub fn new(base_path: PathBuf, user_id: String) -> Self {
Self { base_path, user_id }
}
/// 处理SCP sender命令scp -f客户端下载
pub fn handle_scp_sender(&self, command: &str) -> Result<(PathBuf, String)> {
info!("SCP sender command: {}", command);
// 解析SCP命令scp -f /path/to/file
let parts: Vec<&str> = command.split_whitespace().collect();
if !parts.iter().any(|p| p == "-f") {
return Err(anyhow!("Not a SCP sender command: {}", command));
}
// 获取文件路径(最后一个参数)
let path_str = parts.last().unwrap_or("");
let file_path = self.base_path.join(&self.user_id).join(path_str);
// 检查文件是否存在
if !file_path.exists() {
warn!("SCP file not found: {}", file_path.display());
return Err(anyhow!("File not found: {}", file_path.display()));
}
// 检查是否是目录scp -r
let is_dir = file_path.is_dir();
if is_dir {
// 简化处理:目录发送暂不支持
warn!("SCP directory send not implemented: {}", file_path.display());
return Err(anyhow!("Directory send not implemented"));
}
info!("SCP sender target: {}", file_path.display());
Ok((file_path, path_str.to_string()))
}
/// 构建SCP headerC0644 <size> <filename>\n
pub fn build_scp_header(&self, file_path: &Path) -> Result<String> {
let metadata = std::fs::metadata(file_path)?;
let size = metadata.len();
let filename = file_path.file_name()
.and_then(|n| n.to_str())
.unwrap_or("unknown");
// SCP header format: C0644 <size> <filename>\n
let header = format!("C0644 {} {}\n", size, filename);
debug!("SCP header: {}", header.trim());
Ok(header)
}
/// 读取文件内容
pub fn read_file_content(&self, file_path: &Path) -> Result<Vec<u8>> {
let mut file = File::open(file_path)?;
let metadata = std::fs::metadata(file_path)?;
let size = metadata.len() as usize;
let mut buffer = Vec::with_capacity(size);
file.read_to_end(&mut buffer)?;
info!("SCP read {} bytes from {}", buffer.len(), file_path.display());
Ok(buffer)
}
/// 构建SCP结束标志E\n
pub fn build_eof_marker() -> Vec<u8> {
// SCP end-of-file marker
vec![0x00, 'E' as u8, '\n' as u8]
}
}

393
markbase-core/src/sftp/server.rs Normal file
View File

@@ -0,0 +1,393 @@
use crate::sftp::audit::AuditLog;
use crate::sftp::config::SftpConfig;
use crate::sftp::pty::PtySession;
use crate::sftp::shell::ShellHandler;
use russh::server::{Auth, Msg, Server, Session};
use russh::{keys, Channel, ChannelId, MethodSet};
use russh_keys::PrivateKey;
use std::path::Path;
use std::sync::{Arc, Mutex};
use std::time::Duration;
use tokio::sync::Mutex;
pub struct MarkBaseSftpServer {
user_id: String,
config: Arc<SftpConfig>,
}
impl Server for MarkBaseSftpServer {
type Handler = SshSession;
fn new_client(&mut self, _peer_addr: Option<std::net::SocketAddr>) -> Self::Handler {
let audit = AuditLog::new(&self.config.logging.audit_log_path)
.unwrap_or_else(|_| AuditLog::new("/tmp/sftp_audit.log").unwrap());
SshSession {
user_id: self.user_id.clone(),
config: self.config.clone(),
clients: Arc::new(Mutex::new(HashMap::new())),
audit,
pty_sessions: Arc::new(Mutex::new(HashMap::new())),
}
async fn channel_open_session(
&mut self,
mut channel: Channel<Msg>,
session: &mut Session,
) -> Result<bool, Self::Error> {
log::info!("SSH channel open session: channel_id={}", channel.id());
self.clients.lock().unwrap().insert(channel.id(), channel.clone());
Ok(true)
}
async fn subsystem_request(
&mut self,
channel: ChannelId,
name: &str,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("SSH subsystem request: channel={}, name={}", channel, name);
if name == "sftp" {
log::info!("Starting SFTP subsystem");
let sftp_handler = crate::sftp::handler::SftpHandler::new_with_config(
self.user_id.clone(),
self.config.clone(),
);
let channel_stream = self.get_channel(channel).await.unwrap();
russh_sftp::server::run(channel_stream.into_stream(), sftp_handler).await;
} else if name == "shell" {
log::info!("Starting shell subsystem");
let shell_handler = ShellHandler::new(self.config.clone());
let channel_stream = self.get_channel(channel).await.unwrap();
log::warn!("Shell subsystem not fully implemented");
} else {
log::warn!("Unknown subsystem: {}", name);
}
Ok(())
}
async fn exec_request(
&mut self,
channel: ChannelId,
data: &[u8],
session: &mut Session,
) -> Result<(), Self::Error> {
let command = String::from_utf8_lossy(data);
log::info!("SSH exec request: channel={}, command={}", channel, command);
let command_str = command.to_string();
if command_str.starts_with("rsync --server") {
log::info!("Handling rsync command");
let channel_obj = self.get_channel(channel).await;
if let Some(ch) = channel_obj {
self.handle_rsync_command(ch, &command_str).await?;
}
} else if command_str.starts_with("scp") {
log::warn!("SCP command received but not implemented: {}", command_str);
self.handle_exec_placeholder(channel, &command_str).await?;
} else {
log::warn!("Unsupported exec command: {}", command_str);
self.handle_exec_placeholder(channel, &command_str).await?;
}
Ok(())
}
async fn shell_request(
&mut self,
channel: ChannelId,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("SSH shell request: channel={}", channel);
let shell_handler = ShellHandler::new(self.config.clone());
let channel_obj = self.get_channel(channel).await;
if let Some(ch) = channel_obj {
log::warn!("Shell request not fully implemented");
}
Ok(())
}
}
async fn channel_open_session(
&mut self,
channel: Channel<Msg>,
_session: &mut Session,
) -> Result<bool, Self::Error> {
log::info!("SSH channel open session: channel_id={}", channel.id());
{
let mut clients = self.clients.lock().await;
clients.insert(channel.id(), channel);
}
Ok(true)
}
async fn subsystem_request(
&mut self,
channel_id: ChannelId,
name: &str,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("Subsystem request: {}", name);
if name == "sftp" {
let channel = self.get_channel(channel_id).await;
let sftp_handler = crate::sftp::handler::SftpHandler::new_with_config(
&self.user_id,
self.config.clone(),
)?;
session.channel_success(channel_id)?;
log::info!("Starting SFTP subsystem for user: {}", self.user_id);
russh_sftp::server::run(channel.into_stream(), sftp_handler).await;
} else if name == "shell" {
let channel = self.get_channel(channel_id).await;
// 检查shell是否启用
if !self.config.shell.enabled {
log::warn!("Shell disabled for user {}", self.user_id);
session.channel_failure(channel_id)?;
return Ok(());
}
session.channel_success(channel_id)?;
log::info!("Starting Shell subsystem for user: {}", self.user_id);
// 启动shell处理简化实现
let shell_handler =
ShellHandler::new(&self.user_id, self.config.clone(), self.audit.clone());
self.handle_shell_subsystem(channel, shell_handler).await?;
} else {
session.channel_failure(channel_id)?;
}
Ok(())
}
}
impl SshSession {
async fn handle_rsync_command(
&mut self,
mut channel: Channel<Msg>,
command_str: &str,
) -> Result<()> {
log::info!("Handling rsync command for user {}", self.user_id);
// 创建rsync handler
let rsync_config = crate::rsync::RsyncConfig::default();
let rsync_handler = crate::rsync::RsyncHandler::new(
&self.user_id,
std::sync::Arc::new(rsync_config),
&self.config.sftp.base_path,
);
// 解析rsync命令
let rsync_cmd = rsync_handler.parse_command(command_str)?;
log::info!(
"Rsync mode: sender={}, path={}",
rsync_cmd.is_sender_mode(),
rsync_cmd.path
);
// 获取文件路径
let file_path = rsync_handler.get_file_path(&rsync_cmd.path)?;
// 简化实现sender模式发送文件数据
if rsync_cmd.is_sender_mode() {
log::info!("Rsync sender mode: sending file {}", file_path);
// Step 1: 创建握手并生成checksum seed
let mut handshake = crate::rsync::protocol::RsyncHandshake::new();
handshake.perform_sender_handshake()?;
let checksum_seed = handshake.get_checksum_seed();
log::info!("Checksum seed generated: {}", checksum_seed);
// Step 2: 读取文件
let data = tokio::fs::read(&file_path).await?;
log::info!("File read: {} bytes", data.len());
// Step 3: 计算block checksums用于delta传输
let config = rsync_handler.get_config();
let block_checksums = if config.delta_enabled {
crate::rsync::checksum::compute_block_checksums_with_seed(
&data,
config.block_size,
checksum_seed
)
} else {
vec![]
};
log::info!("Block checksums computed: {} blocks", block_checksums.len());
// Step 4: 压缩数据
let send_data = if config.compression {
crate::rsync::compress::compress_data(&data, config.compression_level)?
} else {
data.clone()
};
log::info!("Sending {} bytes (compressed)", send_data.len());
// Step 5: 发送数据到channel
channel.data(&send_data[..]).await?;
// Step 6: 发送退出状态
channel.exit_status(0).await?;
log::info!("Rsync sender completed successfully: seed={}, blocks={}",
checksum_seed, block_checksums.len());
} else {
log::info!("Rsync receiver mode: receiving file {}", file_path);
// Receiver模式不实现技术障碍
log::warn!("Rsync receiver mode not supported (requires channel.read())");
// 发送失败状态(暂时不支持)
channel.exit_status(1).await?;
}
Ok(())
}
async fn handle_shell_subsystem(
&mut self,
_channel: Channel<Msg>,
shell_handler: ShellHandler,
) -> Result<()> {
log::info!("Shell subsystem started for user {}", self.user_id);
// 检查shell是否启用
if !self.config.shell.enabled {
log::warn!("Shell disabled for user {}", self.user_id);
return Ok(());
}
// 创建PTY session
let mut pty_session = PtySession::new("xterm", 80, 24, shell_handler.get_shell_path())?;
// 启动shell进程
pty_session.start_shell().await?;
log::info!("Shell process started for user {}", self.user_id);
// 简化实现等待shell进程退出
// 完整交互需要channel.read()支持russh API限制
// 清理shell进程
pty_session.kill()?;
Ok(())
}
async fn execute_command(
&mut self,
mut channel: Channel<Msg>,
command: &str,
shell_handler: ShellHandler,
) -> Result<()> {
log::info!("Executing command '{}' for user {}", command, self.user_id);
// 执行命令
let result = shell_handler.execute_command(command).await;
match result {
Ok(output) => {
log::info!("Command '{}' succeeded: {} bytes", command, output.len());
// 发送stdout到channel
if !output.is_empty() {
channel.data(&output.as_bytes()[..]).await?;
}
// 发送退出状态
channel.exit_status(0).await?;
}
Err(e) => {
log::error!("Command '{}' failed: {}", command, e);
// 发送stderr到channel
let error_msg = format!("Error: {}\r\n", e);
channel.data(&error_msg.as_bytes()[..]).await?;
// 发送退出状态非0表示失败
channel.exit_status(1).await?;
}
}
Ok(())
}
}
pub async fn run_server(config: SftpConfig, user_id: &str) -> Result<()> {
if !config.sftp.enabled {
log::warn!("SFTP server disabled in config");
return Ok(());
}
let port = config.sftp.port;
let log_level = match config.logging.level.as_str() {
"debug" => log::LevelFilter::Debug,
"info" => log::LevelFilter::Info,
"warn" => log::LevelFilter::Warn,
"error" => log::LevelFilter::Error,
_ => log::LevelFilter::Info,
};
env_logger::builder().filter_level(log_level).init();
let addr = format!("127.0.0.1:{}", port);
log::info!("SFTP server starting on {}", addr);
log::info!("User: {}", user_id);
log::info!("Config loaded: base_path={}", config.sftp.base_path);
println!("=== MarkBase SFTP Server ===");
println!("Listening on {}", addr);
println!("User: {}", user_id);
println!("Config: {}", config.sftp.base_path);
println!("");
println!("Press Ctrl+C to stop");
let russh_config = russh::server::Config {
auth_rejection_time: Duration::from_secs(3),
auth_rejection_time_initial: Some(Duration::from_secs(0)),
keys: {
let host_key_path = "config/ssh_host_ed25519_key";
if Path::new(host_key_path).exists() {
log::info!("Loading existing SSH host key from {}", host_key_path);
vec![PrivateKey::load(host_key_path).unwrap_or_else(|_| {
log::warn!("Failed to load host key, generating new one");
PrivateKey::random(&mut rand::rng(), ssh_key::Algorithm::Ed25519).unwrap()
})]
} else {
log::info!("Generating new SSH host key and saving to {}", host_key_path);
let key = PrivateKey::random(&mut rand::rng(), ssh_key::Algorithm::Ed25519).unwrap();
key.save(host_key_path).unwrap_or_else(|e| {
log::warn!("Failed to save host key: {}", e);
});
vec![key]
}
},
..Default::default()
};
let mut server = MarkBaseSftpServer {
user_id: user_id.to_string(),
config: Arc::new(config),
};
server
.run_on_address(Arc::new(russh_config), ("127.0.0.1", port))
.await?;
Ok(())
}

478
markbase-core/src/sftp/server.rs.backup Normal file
View File

@@ -0,0 +1,478 @@
use crate::sftp::audit::AuditLog;
use crate::sftp::config::SftpConfig;
use crate::sftp::pty::PtySession;
use crate::sftp::shell::ShellHandler;
use russh::server::{Auth, Msg, Server, Session};
use russh::{keys, Channel, ChannelId, MethodSet};
use russh_keys::PrivateKey;
use std::path::Path;
use std::sync::{Arc, Mutex};
use std::time::Duration;
use tokio::sync::Mutex;
pub struct MarkBaseSftpServer {
user_id: String,
config: Arc<SftpConfig>,
}
impl Server for MarkBaseSftpServer {
type Handler = SshSession;
fn new_client(&mut self, _peer_addr: Option<std::net::SocketAddr>) -> Self::Handler {
let audit = AuditLog::new(&self.config.logging.audit_log_path)
.unwrap_or_else(|_| AuditLog::new("/tmp/sftp_audit.log").unwrap());
SshSession {
user_id: self.user_id.clone(),
config: self.config.clone(),
clients: Arc::new(Mutex::new(HashMap::new())),
audit,
pty_sessions: Arc::new(Mutex::new(HashMap::new())),
}
async fn channel_open_session(
&mut self,
mut channel: Channel<Msg>,
session: &mut Session,
) -> Result<bool, Self::Error> {
log::info!("SSH channel open session: channel_id={}", channel.id());
self.clients.lock().unwrap().insert(channel.id(), channel.clone());
Ok(true)
}
async fn subsystem_request(
&mut self,
channel: ChannelId,
name: &str,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("SSH subsystem request: channel={}, name={}", channel, name);
if name == "sftp" {
log::info!("Starting SFTP subsystem");
let sftp_handler = crate::sftp::handler::SftpHandler::new_with_config(
self.user_id.clone(),
self.config.clone(),
);
let channel_stream = self.get_channel(channel).await.unwrap();
russh_sftp::server::run(channel_stream.into_stream(), sftp_handler).await;
} else if name == "shell" {
log::info!("Starting shell subsystem");
let shell_handler = ShellHandler::new(self.config.clone());
let channel_stream = self.get_channel(channel).await.unwrap();
log::warn!("Shell subsystem not fully implemented");
} else {
log::warn!("Unknown subsystem: {}", name);
}
Ok(())
}
async fn exec_request(
&mut self,
channel: ChannelId,
data: &[u8],
session: &mut Session,
) -> Result<(), Self::Error> {
let command = String::from_utf8_lossy(data);
log::info!("SSH exec request: channel={}, command={}", channel, command);
let command_str = command.to_string();
if command_str.starts_with("rsync --server") {
log::info!("Handling rsync command");
let channel_obj = self.get_channel(channel).await;
if let Some(ch) = channel_obj {
self.handle_rsync_command(ch, &command_str).await?;
}
} else if command_str.starts_with("scp") {
log::warn!("SCP command received but not implemented: {}", command_str);
self.handle_exec_placeholder(channel, &command_str).await?;
} else {
log::warn!("Unsupported exec command: {}", command_str);
self.handle_exec_placeholder(channel, &command_str).await?;
}
Ok(())
}
async fn shell_request(
&mut self,
channel: ChannelId,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("SSH shell request: channel={}", channel);
let shell_handler = ShellHandler::new(self.config.clone());
let channel_obj = self.get_channel(channel).await;
if let Some(ch) = channel_obj {
log::warn!("Shell request not fully implemented");
}
Ok(())
}
}
}
async fn channel_open_session(
&mut self,
mut channel: Channel<Msg>,
session: &mut Session,
) -> Result<bool, Self::Error> {
log::info!("SSH channel open session: channel_id={}", channel.id());
self.clients.lock().unwrap().insert(channel.id(), channel.clone());
Ok(true)
}
async fn subsystem_request(
&mut self,
channel: ChannelId,
name: &str,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("SSH subsystem request: channel={}, name={}", channel, name);
if name == "sftp" {
log::info!("Starting SFTP subsystem");
let sftp_handler = crate::sftp::handler::SftpHandler::new_with_config(
self.user_id.clone(),
self.config.clone(),
);
let channel_stream = self.get_channel(channel).await.unwrap();
russh_sftp::server::run(channel_stream.into_stream(), sftp_handler).await;
} else if name == "shell" {
log::info!("Starting shell subsystem");
let shell_handler = ShellHandler::new(self.config.clone());
let channel_stream = self.get_channel(channel).await.unwrap();
// Shell handler integration
log::warn!("Shell subsystem not fully implemented");
} else {
log::warn!("Unknown subsystem: {}", name);
}
Ok(())
}
async fn exec_request(
&mut self,
channel: ChannelId,
data: &[u8],
session: &mut Session,
) -> Result<(), Self::Error> {
let command = String::from_utf8_lossy(data);
log::info!("SSH exec request: channel={}, command={}", channel, command);
let command_str = command.to_string();
if command_str.starts_with("rsync --server") {
log::info!("Handling rsync command");
let channel_obj = self.get_channel(channel).await;
if let Some(ch) = channel_obj {
self.handle_rsync_command(ch, &command_str).await?;
}
} else if command_str.starts_with("scp") {
log::warn!("SCP command received but not implemented: {}", command_str);
self.handle_exec_placeholder(channel, &command_str).await?;
} else {
log::warn!("Unsupported exec command: {}", command_str);
self.handle_exec_placeholder(channel, &command_str).await?;
}
Ok(())
}
async fn shell_request(
&mut self,
channel: ChannelId,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("SSH shell request: channel={}", channel);
let shell_handler = ShellHandler::new(self.config.clone());
let channel_obj = self.get_channel(channel).await;
if let Some(ch) = channel_obj {
// Shell implementation
log::warn!("Shell request not fully implemented");
}
Ok(())
}
}
}
async fn channel_open_session(
&mut self,
channel: Channel<Msg>,
_session: &mut Session,
) -> Result<bool, Self::Error> {
log::info!("SSH channel open session: channel_id={}", channel.id());
{
let mut clients = self.clients.lock().await;
clients.insert(channel.id(), channel);
}
Ok(true)
}
async fn subsystem_request(
&mut self,
channel_id: ChannelId,
name: &str,
session: &mut Session,
) -> Result<(), Self::Error> {
log::info!("Subsystem request: {}", name);
if name == "sftp" {
let channel = self.get_channel(channel_id).await;
let sftp_handler = crate::sftp::handler::SftpHandler::new_with_config(
&self.user_id,
self.config.clone(),
)?;
session.channel_success(channel_id)?;
log::info!("Starting SFTP subsystem for user: {}", self.user_id);
russh_sftp::server::run(channel.into_stream(), sftp_handler).await;
} else if name == "shell" {
let channel = self.get_channel(channel_id).await;
// 检查shell是否启用
if !self.config.shell.enabled {
log::warn!("Shell disabled for user {}", self.user_id);
session.channel_failure(channel_id)?;
return Ok(());
}
session.channel_success(channel_id)?;
log::info!("Starting Shell subsystem for user: {}", self.user_id);
// 启动shell处理简化实现
let shell_handler =
ShellHandler::new(&self.user_id, self.config.clone(), self.audit.clone());
self.handle_shell_subsystem(channel, shell_handler).await?;
} else {
session.channel_failure(channel_id)?;
}
Ok(())
}
}
impl SshSession {
async fn handle_rsync_command(
&mut self,
mut channel: Channel<Msg>,
command_str: &str,
) -> Result<()> {
log::info!("Handling rsync command for user {}", self.user_id);
// 创建rsync handler
let rsync_config = crate::rsync::RsyncConfig::default();
let rsync_handler = crate::rsync::RsyncHandler::new(
&self.user_id,
std::sync::Arc::new(rsync_config),
&self.config.sftp.base_path,
);
// 解析rsync命令
let rsync_cmd = rsync_handler.parse_command(command_str)?;
log::info!(
"Rsync mode: sender={}, path={}",
rsync_cmd.is_sender_mode(),
rsync_cmd.path
);
// 获取文件路径
let file_path = rsync_handler.get_file_path(&rsync_cmd.path)?;
// 简化实现sender模式发送文件数据
if rsync_cmd.is_sender_mode() {
log::info!("Rsync sender mode: sending file {}", file_path);
// Step 1: 创建握手并生成checksum seed
let mut handshake = crate::rsync::protocol::RsyncHandshake::new();
handshake.perform_sender_handshake()?;
let checksum_seed = handshake.get_checksum_seed();
log::info!("Checksum seed generated: {}", checksum_seed);
// Step 2: 读取文件
let data = tokio::fs::read(&file_path).await?;
log::info!("File read: {} bytes", data.len());
// Step 3: 计算block checksums用于delta传输
let config = rsync_handler.get_config();
let block_checksums = if config.delta_enabled {
crate::rsync::checksum::compute_block_checksums_with_seed(
&data,
config.block_size,
checksum_seed
)
} else {
vec![]
};
log::info!("Block checksums computed: {} blocks", block_checksums.len());
// Step 4: 压缩数据
let send_data = if config.compression {
crate::rsync::compress::compress_data(&data, config.compression_level)?
} else {
data.clone()
};
log::info!("Sending {} bytes (compressed)", send_data.len());
// Step 5: 发送数据到channel
channel.data(&send_data[..]).await?;
// Step 6: 发送退出状态
channel.exit_status(0).await?;
log::info!("Rsync sender completed successfully: seed={}, blocks={}",
checksum_seed, block_checksums.len());
} else {
log::info!("Rsync receiver mode: receiving file {}", file_path);
// Receiver模式不实现技术障碍
log::warn!("Rsync receiver mode not supported (requires channel.read())");
// 发送失败状态(暂时不支持)
channel.exit_status(1).await?;
}
Ok(())
}
async fn handle_shell_subsystem(
&mut self,
_channel: Channel<Msg>,
shell_handler: ShellHandler,
) -> Result<()> {
log::info!("Shell subsystem started for user {}", self.user_id);
// 检查shell是否启用
if !self.config.shell.enabled {
log::warn!("Shell disabled for user {}", self.user_id);
return Ok(());
}
// 创建PTY session
let mut pty_session = PtySession::new("xterm", 80, 24, shell_handler.get_shell_path())?;
// 启动shell进程
pty_session.start_shell().await?;
log::info!("Shell process started for user {}", self.user_id);
// 简化实现等待shell进程退出
// 完整交互需要channel.read()支持russh API限制
// 清理shell进程
pty_session.kill()?;
Ok(())
}
async fn execute_command(
&mut self,
mut channel: Channel<Msg>,
command: &str,
shell_handler: ShellHandler,
) -> Result<()> {
log::info!("Executing command '{}' for user {}", command, self.user_id);
// 执行命令
let result = shell_handler.execute_command(command).await;
match result {
Ok(output) => {
log::info!("Command '{}' succeeded: {} bytes", command, output.len());
// 发送stdout到channel
if !output.is_empty() {
channel.data(&output.as_bytes()[..]).await?;
}
// 发送退出状态
channel.exit_status(0).await?;
}
Err(e) => {
log::error!("Command '{}' failed: {}", command, e);
// 发送stderr到channel
let error_msg = format!("Error: {}\r\n", e);
channel.data(&error_msg.as_bytes()[..]).await?;
// 发送退出状态非0表示失败
channel.exit_status(1).await?;
}
}
Ok(())
}
}
pub async fn run_server(config: SftpConfig, user_id: &str) -> Result<()> {
if !config.sftp.enabled {
log::warn!("SFTP server disabled in config");
return Ok(());
}
let port = config.sftp.port;
let log_level = match config.logging.level.as_str() {
"debug" => log::LevelFilter::Debug,
"info" => log::LevelFilter::Info,
"warn" => log::LevelFilter::Warn,
"error" => log::LevelFilter::Error,
_ => log::LevelFilter::Info,
};
env_logger::builder().filter_level(log_level).init();
let addr = format!("127.0.0.1:{}", port);
log::info!("SFTP server starting on {}", addr);
log::info!("User: {}", user_id);
log::info!("Config loaded: base_path={}", config.sftp.base_path);
println!("=== MarkBase SFTP Server ===");
println!("Listening on {}", addr);
println!("User: {}", user_id);
println!("Config: {}", config.sftp.base_path);
println!("");
println!("Press Ctrl+C to stop");
let russh_config = russh::server::Config {
auth_rejection_time: Duration::from_secs(3),
auth_rejection_time_initial: Some(Duration::from_secs(0)),
keys: {
let host_key_path = "config/ssh_host_ed25519_key";
if Path::new(host_key_path).exists() {
log::info!("Loading existing SSH host key from {}", host_key_path);
vec![PrivateKey::load(host_key_path).unwrap_or_else(|_| {
log::warn!("Failed to load host key, generating new one");
PrivateKey::random(&mut rand::rng(), ssh_key::Algorithm::Ed25519).unwrap()
})]
} else {
log::info!("Generating new SSH host key and saving to {}", host_key_path);
let key = PrivateKey::random(&mut rand::rng(), ssh_key::Algorithm::Ed25519).unwrap();
key.save(host_key_path).unwrap_or_else(|e| {
log::warn!("Failed to save host key: {}", e);
});
vec![key]
}
},
..Default::default()
};
let mut server = MarkBaseSftpServer {
user_id: user_id.to_string(),
config: Arc::new(config),
};
server
.run_on_address(Arc::new(russh_config), ("127.0.0.1", port))
.await?;
Ok(())
}

221
markbase-core/src/sftp/shell.rs Normal file
View File

@@ -0,0 +1,221 @@
use anyhow::Result;
use std::process::Command;
use std::time::Duration;
use tokio::time::timeout;
pub struct ShellHandler {
user_id: String,
config: std::sync::Arc<crate::sftp::config::SftpConfig>,
audit: crate::sftp::audit::AuditLog,
}
impl ShellHandler {
pub fn new(
user_id: &str,
config: std::sync::Arc<crate::sftp::config::SftpConfig>,
audit: crate::sftp::audit::AuditLog,
) -> Self {
Self {
user_id: user_id.to_string(),
config,
audit,
}
}
pub fn check_command_permission(&self, command: &str) -> bool {
// 1. 检查是否启用shell
if !self.config.shell.enabled {
log::warn!("Shell disabled for user {}", self.user_id);
return false;
}
// 2. 检查命令长度
if command.len() > self.config.shell.max_command_length {
log::warn!(
"Command too long for user {}: {}",
self.user_id,
command.len()
);
return false;
}
// 3. 检查黑名单(优先级最高)
let cmd_name = command.split_whitespace().next().unwrap_or("");
for forbidden in &self.config.shell.forbidden_commands {
if cmd_name == forbidden || command.starts_with(&format!("{} ", forbidden)) {
log::warn!("Forbidden command '{}' for user {}", cmd_name, self.user_id);
self.audit
.log_error(&self.user_id, "shell_check", command, "forbidden");
return false;
}
}
// 4. 检查白名单(如果配置了白名单)
if !self.config.shell.allowed_commands.is_empty() {
if !self
.config
.shell
.allowed_commands
.contains(&cmd_name.to_string())
{
log::warn!(
"Command '{}' not in whitelist for user {}",
cmd_name,
self.user_id
);
self.audit
.log_error(&self.user_id, "shell_check", command, "not_in_whitelist");
return false;
}
}
log::info!("Command '{}' allowed for user {}", cmd_name, self.user_id);
true
}
pub async fn execute_command(&self, command: &str) -> Result<String> {
// 1. 检查权限
if !self.check_command_permission(command) {
return Err(anyhow::anyhow!("Command not allowed"));
}
// 2. 执行命令带timeout
let timeout_duration = Duration::from_secs(self.config.shell.timeout_seconds);
let result = timeout(timeout_duration, async {
// 使用系统shell执行命令
let output = Command::new(&self.config.shell.shell_path)
.arg("-c")
.arg(command)
.output();
match output {
Ok(output) => {
let stdout = String::from_utf8_lossy(&output.stdout).to_string();
let stderr = String::from_utf8_lossy(&output.stderr).to_string();
if output.status.success() {
Ok(stdout)
} else {
Err(anyhow::anyhow!("Command failed: {}", stderr))
}
}
Err(e) => Err(anyhow::anyhow!("Command execution error: {}", e)),
}
})
.await;
// 3. 处理结果
match result {
Ok(Ok(output)) => {
self.audit.log_success(&self.user_id, "shell_exec", command);
Ok(output)
}
Ok(Err(e)) => {
self.audit
.log_error(&self.user_id, "shell_exec", command, &e.to_string());
Err(e)
}
Err(_) => {
self.audit
.log_error(&self.user_id, "shell_exec", command, "timeout");
Err(anyhow::anyhow!(
"Command timeout after {}s",
self.config.shell.timeout_seconds
))
}
}
}
pub fn get_shell_path(&self) -> &str {
&self.config.shell.shell_path
}
pub fn is_shell_enabled(&self) -> bool {
self.config.shell.enabled
}
}
#[cfg(test)]
mod tests {
use super::*;
use crate::sftp::audit::AuditLog;
use crate::sftp::config::SftpConfig;
use tempfile::TempDir;
fn create_test_shell_handler() -> ShellHandler {
let mut config = SftpConfig::default();
config.shell.enabled = true;
config.shell.allowed_commands = vec!["ls".to_string(), "pwd".to_string()];
config.shell.forbidden_commands = vec!["rm".to_string(), "sudo".to_string()];
let temp_dir = TempDir::new().unwrap();
let audit_log_path = temp_dir
.path()
.join("shell_audit.log")
.to_string_lossy()
.to_string();
let audit = AuditLog::new(&audit_log_path).unwrap();
ShellHandler::new("test_user", std::sync::Arc::new(config), audit)
}
#[test]
fn test_check_command_permission_allowed() {
let handler = create_test_shell_handler();
// 测试允许的命令
assert!(handler.check_command_permission("ls"));
assert!(handler.check_command_permission("pwd"));
assert!(handler.check_command_permission("ls -la"));
}
#[test]
fn test_check_command_permission_forbidden() {
let handler = create_test_shell_handler();
// 测试禁止的命令
assert!(!handler.check_command_permission("rm"));
assert!(!handler.check_command_permission("rm -rf"));
assert!(!handler.check_command_permission("sudo ls"));
}
#[test]
fn test_check_command_permission_not_in_whitelist() {
let handler = create_test_shell_handler();
// 测试不在白名单的命令
assert!(!handler.check_command_permission("cat"));
assert!(!handler.check_command_permission("grep"));
}
#[test]
fn test_check_command_permission_shell_disabled() {
let mut config = SftpConfig::default();
config.shell.enabled = false; // 禁用shell
let temp_dir = TempDir::new().unwrap();
let audit = AuditLog::new(&temp_dir.path().join("audit.log").to_string_lossy()).unwrap();
let handler = ShellHandler::new("test_user", std::sync::Arc::new(config), audit);
// 任何命令都不允许
assert!(!handler.check_command_permission("ls"));
}
#[test]
fn test_check_command_permission_too_long() {
let mut config = SftpConfig::default();
config.shell.enabled = true;
config.shell.max_command_length = 10;
let temp_dir = TempDir::new().unwrap();
let audit = AuditLog::new(&temp_dir.path().join("audit.log").to_string_lossy()).unwrap();
let handler = ShellHandler::new("test_user", std::sync::Arc::new(config), audit);
// 测试超长命令
let long_command = "ls -la /very/long/path/that/exceeds/max/length";
assert!(!handler.check_command_permission(long_command));
}
}