- Update ASR, face, OCR, pose processors - Add release pre-flight check script - Add synonym generation, chunk processing scripts - Add face recognition, stamp search utilities
#!/bin/bash
# Momentry Core security configuration check script
# Version: 1.0
# Updated: 2026-04-22
#
# Runs a series of local checks (environment, database, Redis, API key,
# file permissions, dependencies, network) and prints one colored
# pass/warn/fail line per finding.  Secrets are only reported as
# present or absent; their values are never printed.

# Abort on the first unguarded failing command.
set -e

# Banner: three header lines followed by an empty line.
printf '%s\n' \
  "=========================================" \
  "Momentry Core 安全配置檢查" \
  "=========================================" \
  ""

# ANSI colour codes.  Stored as literal backslash text; the check_*
# helpers expand them when they print a line.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# 檢查函數
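# Print a green "[✓] <message>" line to stdout.
# Arguments: $1 - message text.  Printed verbatim: unlike the previous
#            `echo -e`, backslash sequences inside file names or values
#            are not interpreted, only the colour codes are (via %b).
# Globals:   GREEN, NC (read; literal "\033[...]" text)
# Returns:   0
check_pass() {
  printf '%b[✓] %s%b\n' "$GREEN" "$1" "$NC"
}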
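# Print a yellow "[!] <message>" line to stdout (non-fatal finding).
# Arguments: $1 - message text, printed verbatim (no backslash
#            processing of the message; only the colour codes go
#            through %b, which `echo -e` did not distinguish)
# Globals:   YELLOW, NC (read)
# Returns:   0
check_warn() {
  printf '%b[!] %s%b\n' "$YELLOW" "$1" "$NC"
}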
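# Print a red "[✗] <message>" line to stdout (failed check).
# Arguments: $1 - message text, printed verbatim (backslashes in the
#            message are left alone; only the colour codes are expanded)
# Globals:   RED, NC (read)
# Returns:   0
check_fail() {
  printf '%b[✗] %s%b\n' "$RED" "$1" "$NC"
}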
# 1. Environment variables
echo "1. 環境變數檢查"
echo "----------------"

# Variables the service cannot run without.  Only presence is reported;
# no value is ever printed, so a captured log of this run leaks nothing.
# NOTE(review): the *_URL values typically embed credentials as well;
# they are not printed either, they just lack the "hidden" wording.
required_vars=(
  "DATABASE_URL"
  "REDIS_URL"
  "MOMENTRY_API_KEY"
)

for var in "${required_vars[@]}"; do
  # Indirect expansion: the value of the variable whose name is in $var.
  if [ -z "${!var}" ]; then
    check_warn "環境變數 $var 未設置"
    continue
  fi
  case "$var" in
    *PASSWORD*|*KEY*|*SECRET*)
      # Credential-like names get the explicit "value hidden" wording.
      check_pass "環境變數 $var 已設置 (敏感信息已隱藏)"
      ;;
    *)
      check_pass "環境變數 $var 已設置"
      ;;
  esac
done

echo ""
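# 2. Database security
echo "2. 數據庫安全檢查"
echo "------------------"

# PostgreSQL connectivity and transport encryption.
# -X skips ~/.psqlrc so a user's interactive settings cannot alter the
# output that is parsed below.
# NOTE(review): the URL (including any embedded password) is visible in
# the process list while psql runs, exactly as before; PG* environment
# variables or ~/.pgpass would avoid that -- confirm which is preferred.
if command -v psql &>/dev/null && [ -n "$DATABASE_URL" ]; then
  if psql -X "$DATABASE_URL" -c "SELECT 1" &>/dev/null; then
    check_pass "PostgreSQL 連接正常"

    # Ask whether *this* connection is encrypted.  The previous
    # "SHOW ssl" only reports that the server accepts SSL; a
    # DATABASE_URL without sslmode=require can still connect in
    # cleartext and would have passed.  pg_stat_ssl (PostgreSQL 9.5+)
    # returns 't'/'f' for the current backend; -t -A gives the bare value.
    if ! ssl_status=$(psql -X -t -A "$DATABASE_URL" \
        -c "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()" \
        2>/dev/null); then
      # Query failed (older server, restricted view, ...): treat as
      # not verified rather than as enabled.
      ssl_status="unknown"
    fi
    ssl_status=${ssl_status//[[:space:]]/}
    if [ "$ssl_status" = "t" ]; then
      check_pass "PostgreSQL SSL 已啟用"
    else
      # Covers 'f' and 'unknown'.
      check_warn "PostgreSQL SSL 未啟用"
    fi
  else
    check_fail "PostgreSQL 連接失敗"
  fi
else
  check_warn "PostgreSQL 客戶端未安裝或 DATABASE_URL 未設置"
fi

echo ""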
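# 3. Redis security
echo "3. Redis 安全檢查"
echo "------------------"

if command -v redis-cli &>/dev/null && [ -n "$REDIS_URL" ]; then
  # Split redis://[user[:password]@]host[:port][/db] with one regex.
  # The old sed expression took the first run of non-":/" characters
  # after "://" as the host, so with credentials present it returned the
  # user name (or nothing) -- i.e. the secure configuration this script
  # recommends could never be reached.  Groups: 1 userinfo@, 2 user,
  # 4 password, 5 host, 7 port, 8 path.
  # NOTE(review): IPv6 literals ([::1]) and percent-encoded passwords are
  # not handled; rediss:// URLs are parsed but no TLS flag is passed to
  # redis-cli -- confirm whether either occurs in deployments.
  redis_url_re='^rediss?://(([^:@/]*)(:([^@/]*))?@)?([^:/?#]+)(:([0-9]+))?(/.*)?$'
  redis_userinfo="" redis_pass="" redis_host="" redis_port=""
  if [[ "$REDIS_URL" =~ $redis_url_re ]]; then
    redis_userinfo=${BASH_REMATCH[1]}
    redis_pass=${BASH_REMATCH[4]}
    redis_host=${BASH_REMATCH[5]}
    redis_port=${BASH_REMATCH[7]}
  fi
  redis_port=${redis_port:-6379}

  # The password is handed over through REDISCLI_AUTH (a prefix
  # assignment, so it never appears in `ps` output) instead of -a or a
  # URL on the command line.  The reply text is compared rather than the
  # exit status: "PONG" is only returned when the server accepted the
  # command, which covers the unauthenticated case as well.
  if [ -n "$redis_pass" ]; then
    redis_reply=$(REDISCLI_AUTH="$redis_pass" redis-cli -h "$redis_host" -p "$redis_port" ping 2>/dev/null || true)
  else
    redis_reply=$(redis-cli -h "$redis_host" -p "$redis_port" ping 2>/dev/null || true)
  fi
  # Do not keep the secret in the shell environment longer than needed.
  unset redis_pass

  if [ "$redis_reply" = "PONG" ]; then
    check_pass "Redis 連接正常"

    # Same criterion as before: credentials present in the URL.
    if [ -n "$redis_userinfo" ]; then
      check_pass "Redis 使用密碼認證"
    else
      check_warn "Redis 未使用密碼認證"
    fi
  else
    check_fail "Redis 連接失敗"
  fi
else
  check_warn "Redis 客戶端未安裝或 REDIS_URL 未設置"
fi

echo ""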
# 4. API security
echo "4. API 安全檢查"
echo "----------------"

# Shape check only: m<role>_<32 hex>_<10 digits>_<8 hex>.
# The key's value is never printed.  Keeping the regex in a variable and
# using it unquoted after =~ is the bash idiom for extended regexes.
api_key_pattern='^m(user|admin|service|temp)_[a-f0-9]{32}_[0-9]{10}_[a-f0-9]{8}$'
if [[ -z "$MOMENTRY_API_KEY" ]]; then
  check_warn "MOMENTRY_API_KEY 未設置"
elif [[ "$MOMENTRY_API_KEY" =~ $api_key_pattern ]]; then
  check_pass "API Key 格式正確"
else
  check_fail "API Key 格式不正確"
fi

echo ""
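# 5. File permissions
echo "5. 文件權限檢查"
echo "----------------"

# Files that may hold credentials and must not be group/world readable.
sensitive_files=(
  ".env"
  ".env.development"
  "scripts/security_check.sh"
)

# Symbolic mode string (e.g. "-rw-------") of a file with either stat
# flavour.  GNU stat uses -c '%A'; BSD/macOS stat rejects -c and uses
# -f '%Sp'.  The previous code called only the BSD form, and on Linux
# "stat -f" means "file system status", fails, and aborts the whole
# script under set -e.
# Arguments: $1 - path
# Outputs:   mode string on stdout
# Returns:   non-zero if neither stat form succeeds
file_mode() {
  stat -c '%A' -- "$1" 2>/dev/null || stat -f '%Sp' -- "$1" 2>/dev/null
}

for file in "${sensitive_files[@]}"; do
  [ -f "$file" ] || continue
  if ! perms=$(file_mode "$file"); then
    check_warn "$file 權限無法讀取"
    continue
  fi
  # Accept owner-only (600/400) or owner+group-read (640/440).  The
  # trailing * tolerates the extended-attribute/ACL suffix ("@", "+")
  # some platforms append.
  if [[ "$perms" == ?r[w-]-------* ]] || [[ "$perms" == ?r[w-]-r-----* ]]; then
    check_pass "$file 權限設置正確 ($perms)"
  else
    check_warn "$file 權限可能過寬 ($perms),建議設置為 600 或 640"
  fi
done

echo ""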
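# 6. Dependency security
echo "6. 依賴包安全檢查"
echo "------------------"

# Rust dependencies: `cargo audit` exits non-zero when the advisory
# database lists a vulnerable crate.  It has to run inside the `if`
# condition -- as a bare statement followed by `$?`, the non-zero status
# killed the script under set -e before the warning was ever printed,
# so a vulnerable build reported nothing at all.
if [ -f "Cargo.toml" ]; then
  if command -v cargo-audit &>/dev/null; then
    echo "運行 cargo audit 檢查安全漏洞..."
    if cargo audit; then
      check_pass "Rust 依賴包無已知安全漏洞"
    else
      check_warn "Rust 依賴包存在安全漏洞,請運行 cargo update 修復"
    fi
  else
    check_warn "cargo-audit 未安裝,無法檢查 Rust 依賴安全"
    echo "安裝 cargo-audit: cargo install cargo-audit"
  fi
fi

echo ""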
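# 7. Network security
echo "7. 網絡安全檢查"
echo "----------------"

# Ports the stack is expected to use locally.
local_ports=(3002 3003 5432 6379 9090 3000)

# Human-readable name for a known port; empty for anything else.
# Arguments: $1 - port number
# Outputs:   service name on stdout (no newline)
service_for_port() {
  case "$1" in
    3002) printf '%s' "Momentry API (生產)" ;;
    3003) printf '%s' "Momentry API (開發)" ;;
    5432) printf '%s' "PostgreSQL" ;;
    6379) printf '%s' "Redis" ;;
    9090) printf '%s' "Prometheus" ;;
    3000) printf '%s' "Grafana" ;;
    *) printf '%s' "" ;;
  esac
}

# Local address of every TCP listener on a port, one per line
# (e.g. "127.0.0.1:5432", "*:3000", "[::]:3000").  -sTCP:LISTEN drops
# established client connections, which the previous bare `lsof -i :port`
# counted as a running service; -nP keeps addresses and ports numeric.
# NOTE(review): without root, lsof may omit sockets owned by other
# users' processes -- confirm how this script is normally run.
# Arguments: $1 - port number
# Outputs:   addresses on stdout
listen_addrs() {
  lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 { print $(NF-1) }'
}

if ! command -v lsof &>/dev/null; then
  check_warn "lsof 未安裝,無法檢查本地服務端口"
else
  for port in "${local_ports[@]}"; do
    addrs=$(listen_addrs "$port")
    [ -n "$addrs" ] || continue
    service_name=$(service_for_port "$port")

    # A listener bound to a wildcard address (IPv4 0.0.0.0 / "*", or
    # IPv6 [::]) is reachable from outside the host.  The previous
    # netstat grep matched ":$port" as a prefix (":3000" also hit :30000),
    # looked only for "0.0.0.0", and so reported an IPv6 wildcard socket
    # as local-only.
    exposed=0
    while IFS= read -r addr; do
      case "$addr" in
        '*:'*|0.0.0.0:*|'[::]:'*) exposed=1 ;;
      esac
    done <<<"$addrs"

    if [ "$exposed" -eq 0 ]; then
      check_pass "$service_name ($port) 只允許本地訪問"
    else
      check_warn "$service_name ($port) 可能允許外部訪問,請檢查防火牆規則"
    fi
  done
fi

echo ""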
# 8. Hardening recommendations and closing summary.
echo "8. 安全配置建議"
echo "----------------"

# Static text, printed verbatim (quoted delimiter: no expansion).
# Note that the "檢查完成" summary lines below are fixed strings; they
# are printed regardless of which sections above were skipped or warned.
cat <<'EOF'
建議執行以下安全加固措施:
1. 啟用數據庫 SSL/TLS 連接
2. 配置 Redis 密碼認證
3. 定期更新 API Key
4. 設置文件系統權限
5. 定期運行依賴安全檢查
6. 配置防火牆限制外部訪問
7. 啟用 API 請求限流
8. 配置安全日誌和監控

=========================================
檢查完成
=========================================

安全檢查總結:
- 環境變數: 檢查完成
- 數據庫安全: 檢查完成
- Redis 安全: 檢查完成
- API 安全: 檢查完成
- 文件權限: 檢查完成
- 依賴包安全: 檢查完成
- 網絡安全: 檢查完成

建議:
1. 定期運行此檢查腳本
2. 修復所有警告和錯誤
3. 保持依賴包更新
4. 監控安全日誌
EOF

# Always exit 0: warnings and failures are informational only.  (An
# unguarded command failure earlier would already have aborted the
# script through set -e.)
exit 0