feat(P1/P2): 完成TDD开发及P1/P2设计文档

## 设计文档 - multi_role_permission_design: 多角色权限设计 (CONDITIONAL GO) - audit_log_enhancement_design: 审计日志增强 (CONDITIONAL GO) - routing_strategy_template_design: 路由策略模板 (CONDITIONAL GO) - sso_saml_technical_research: SSO/SAML调研 (CONDITIONAL GO) - compliance_capability_package_design: 合规能力包设计 (CONDITIONAL GO) ## TDD开发成果 - IAM模块: supply-api/internal/iam/ (111个测试) - 审计日志模块: supply-api/internal/audit/ (40+测试) - 路由策略模块: gateway/internal/router/ (33+测试) - 合规能力包: gateway/internal/compliance/ + scripts/ci/compliance/ ## 规范文档 - parallel_agent_output_quality_standards: 并行Agent产出质量规范 - project_experience_summary: 项目经验总结 (v2) - 2026-04-02-p1-p2-tdd-execution-plan: TDD执行计划 ## 评审报告 - 5个CONDITIONAL GO设计文档评审报告 - fix_verification_report: 修复验证报告 - full_verification_report: 全面质量验证报告 - tdd_module_quality_verification: TDD模块质量验证 - tdd_execution_summary: TDD执行总结依据: Superpowers执行框架 + TDD规范
2026-04-02 23:35:53 +08:00
parent ed0961d486
commit 89104bd0db
94 changed files with 24738 additions and 5 deletions
--- a/supply-api/internal/audit/sanitizer/sanitizer.go
+++ b/supply-api/internal/audit/sanitizer/sanitizer.go
@@ -0,0 +1,279 @@
+package sanitizer
+
+import (
+	"regexp"
+	"strings"
+)
+
+// ScanRule 扫描规则
+type ScanRule struct {
+	ID          string
+	Pattern     *regexp.Regexp
+	Description string
+	Severity    string
+}
+
+// Violation 违规项
+type Violation struct {
+	Type        string // 违规类型
+	Pattern     string // 匹配的正则模式
+	Value       string // 匹配的值（已脱敏）
+	Description string
+}
+
+// ScanResult 扫描结果
+type ScanResult struct {
+	Violations []Violation
+	Passed     bool
+}
+
+// NewScanResult 创建扫描结果
+func NewScanResult() *ScanResult {
+	return &ScanResult{
+		Violations: []Violation{},
+		Passed:     true,
+	}
+}
+
+// HasViolation 检查是否有违规
+func (r *ScanResult) HasViolation() bool {
+	return len(r.Violations) > 0
+}
+
+// AddViolation 添加违规项
+func (r *ScanResult) AddViolation(v Violation) {
+	r.Violations = append(r.Violations, v)
+	r.Passed = false
+}
+
+// CredentialScanner 凭证扫描器
+type CredentialScanner struct {
+	rules []ScanRule
+}
+
+// NewCredentialScanner 创建凭证扫描器
+func NewCredentialScanner() *CredentialScanner {
+	scanner := &CredentialScanner{
+		rules: []ScanRule{
+			{
+				ID:          "openai_key",
+				Pattern:     regexp.MustCompile(`sk-[a-zA-Z0-9]{20,}`),
+				Description: "OpenAI API Key",
+				Severity:    "HIGH",
+			},
+			{
+				ID:          "api_key",
+				Pattern:     regexp.MustCompile(`(?i)(api[_-]?key|apikey)["\s:=]+['"]?([a-zA-Z0-9_\-]{16,})['"]?`),
+				Description: "Generic API Key",
+				Severity:    "MEDIUM",
+			},
+			{
+				ID:          "aws_access_key",
+				Pattern:     regexp.MustCompile(`(?i)(access[_-]?key[_-]?id|aws[_-]?access[_-]?key)["\s:=]+['"]?(AKIA[0-9A-Z]{16})['"]?`),
+				Description: "AWS Access Key ID",
+				Severity:    "HIGH",
+			},
+			{
+				ID:          "aws_secret_key",
+				Pattern:     regexp.MustCompile(`(?i)(secret[_-]?key|aws[_-]?.*secret[_-]?key)["\s:=]+['"]?([a-zA-Z0-9/+=]{40})['"]?`),
+				Description: "AWS Secret Access Key",
+				Severity:    "HIGH",
+			},
+			{
+				ID:          "password",
+				Pattern:     regexp.MustCompile(`(?i)(password|passwd|pwd)["\s:=]+['"]?([a-zA-Z0-9@#$%^&*!]{8,})['"]?`),
+				Description: "Password",
+				Severity:    "HIGH",
+			},
+			{
+				ID:          "bearer_token",
+				Pattern:     regexp.MustCompile(`(?i)(token|bearer|authorization)["\s:=]+['"]?([Bb]earer\s+)?([a-zA-Z0-9_\-\.]+)['"]?`),
+				Description: "Bearer Token",
+				Severity:    "MEDIUM",
+			},
+			{
+				ID:          "private_key",
+				Pattern:     regexp.MustCompile(`-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----`),
+				Description: "Private Key",
+				Severity:    "CRITICAL",
+			},
+			{
+				ID:          "secret",
+				Pattern:     regexp.MustCompile(`(?i)(secret|client[_-]?secret)["\s:=]+['"]?([a-zA-Z0-9_\-]{16,})['"]?`),
+				Description: "Secret",
+				Severity:    "HIGH",
+			},
+		},
+	}
+	return scanner
+}
+
+// Scan 扫描内容
+func (s *CredentialScanner) Scan(content string) *ScanResult {
+	result := NewScanResult()
+
+	for _, rule := range s.rules {
+		matches := rule.Pattern.FindAllStringSubmatch(content, -1)
+		for _, match := range matches {
+			// 构建违规项
+			violation := Violation{
+				Type:        rule.ID,
+				Pattern:     rule.Pattern.String(),
+				Description: rule.Description,
+			}
+
+			// 提取匹配的值（取最后一个匹配组）
+			if len(match) > 1 {
+				violation.Value = maskString(match[len(match)-1])
+			} else {
+				violation.Value = maskString(match[0])
+			}
+
+			result.AddViolation(violation)
+		}
+	}
+
+	return result
+}
+
+// GetRules 获取扫描规则
+func (s *CredentialScanner) GetRules() []ScanRule {
+	return s.rules
+}
+
+// Sanitizer 脱敏器
+type Sanitizer struct {
+	patterns []*regexp.Regexp
+}
+
+// NewSanitizer 创建脱敏器
+func NewSanitizer() *Sanitizer {
+	return &Sanitizer{
+		patterns: []*regexp.Regexp{
+			// OpenAI API Key
+			regexp.MustCompile(`(sk-[a-zA-Z0-9]{4})[a-zA-Z0-9]+([a-zA-Z0-9]{4})`),
+			// AWS Access Key
+			regexp.MustCompile(`(AKIA[0-9A-Z]{4})[0-9A-Z]+([0-9A-Z]{4})`),
+			// Generic API Key
+			regexp.MustCompile(`([a-zA-Z0-9_\-]{4})[a-zA-Z0-9_\-]{8,}([a-zA-Z0-9_\-]{4})`),
+			// Password
+			regexp.MustCompile(`([a-zA-Z0-9@#$%^&*!]{4})[a-zA-Z0-9@#$%^&*!]+([a-zA-Z0-9@#$%^&*!]{4})`),
+		},
+	}
+}
+
+// Mask 对字符串进行脱敏
+func (s *Sanitizer) Mask(content string) string {
+	result := content
+
+	for _, pattern := range s.patterns {
+		// 替换为格式：前4字符 + **** + 后4字符
+		result = pattern.ReplaceAllStringFunc(result, func(match string) string {
+			// 尝试分组替换
+			re := regexp.MustCompile(`^(.{4}).+(.{4})$`)
+			submatch := re.FindStringSubmatch(match)
+			if len(submatch) == 3 {
+				return submatch[1] + "****" + submatch[2]
+			}
+			// 如果无法分组，直接掩码
+			if len(match) > 8 {
+				return match[:4] + "****" + match[len(match)-4:]
+			}
+			return "****"
+		})
+	}
+
+	return result
+}
+
+// MaskMap 对map进行脱敏
+func (s *Sanitizer) MaskMap(data map[string]interface{}) map[string]interface{} {
+	result := make(map[string]interface{})
+
+	for key, value := range data {
+		if IsSensitiveField(key) {
+			if str, ok := value.(string); ok {
+				result[key] = s.Mask(str)
+			} else {
+				result[key] = value
+			}
+		} else {
+			result[key] = s.maskValue(value)
+		}
+	}
+
+	return result
+}
+
+// MaskSlice 对slice进行脱敏
+func (s *Sanitizer) MaskSlice(data []string) []string {
+	result := make([]string, len(data))
+	for i, item := range data {
+		result[i] = s.Mask(item)
+	}
+	return result
+}
+
+// maskValue 递归掩码
+func (s *Sanitizer) maskValue(value interface{}) interface{} {
+	switch v := value.(type) {
+	case string:
+		return s.Mask(v)
+	case map[string]interface{}:
+		return s.MaskMap(v)
+	case []interface{}:
+		result := make([]interface{}, len(v))
+		for i, item := range v {
+			result[i] = s.maskValue(item)
+		}
+		return result
+	case []string:
+		return s.MaskSlice(v)
+	default:
+		return v
+	}
+}
+
+// maskString 掩码字符串
+func maskString(s string) string {
+	if len(s) > 8 {
+		return s[:4] + "****" + s[len(s)-4:]
+	}
+	return "****"
+}
+
+// GetSensitiveFields 获取敏感字段列表
+func GetSensitiveFields() []string {
+	return []string{
+		"api_key",
+		"apikey",
+		"secret",
+		"secret_key",
+		"password",
+		"passwd",
+		"pwd",
+		"token",
+		"access_key",
+		"access_key_id",
+		"private_key",
+		"session_id",
+		"authorization",
+		"bearer",
+		"client_secret",
+		"credentials",
+	}
+}
+
+// IsSensitiveField 判断字段名是否为敏感字段
+func IsSensitiveField(fieldName string) bool {
+	lowerName := strings.ToLower(fieldName)
+	sensitiveFields := GetSensitiveFields()
+
+	for _, sf := range sensitiveFields {
+		if strings.Contains(lowerName, sf) {
+			return true
+		}
+	}
+
+	return false
+}