niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
732c97f85bb231a6f765507e64a07a90e0917a51
lijiaoqiao/supply-api/internal/audit/sanitizer/sanitizer.go
Your Name 89104bd0db feat(P1/P2): 完成TDD开发及P1/P2设计文档 
## 设计文档
- multi_role_permission_design: 多角色权限设计 (CONDITIONAL GO)
- audit_log_enhancement_design: 审计日志增强 (CONDITIONAL GO)
- routing_strategy_template_design: 路由策略模板 (CONDITIONAL GO)
- sso_saml_technical_research: SSO/SAML调研 (CONDITIONAL GO)
- compliance_capability_package_design: 合规能力包设计 (CONDITIONAL GO)

## TDD开发成果
- IAM模块: supply-api/internal/iam/ (111个测试)
- 审计日志模块: supply-api/internal/audit/ (40+测试)
- 路由策略模块: gateway/internal/router/ (33+测试)
- 合规能力包: gateway/internal/compliance/ + scripts/ci/compliance/

## 规范文档
- parallel_agent_output_quality_standards: 并行Agent产出质量规范
- project_experience_summary: 项目经验总结 (v2)
- 2026-04-02-p1-p2-tdd-execution-plan: TDD执行计划

## 评审报告
- 5个CONDITIONAL GO设计文档评审报告
- fix_verification_report: 修复验证报告
- full_verification_report: 全面质量验证报告
- tdd_module_quality_verification: TDD模块质量验证
- tdd_execution_summary: TDD执行总结

依据: Superpowers执行框架 + TDD规范
2026-04-02 23:35:53 +08:00

279 lines
6.4 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package sanitizer
import (
"regexp"
"strings"
)
// ScanRule 扫描规则
type ScanRule struct {
ID string
Pattern *regexp.Regexp
Description string
Severity string
}
// Violation 违规项
type Violation struct {
Type string // 违规类型
Pattern string // 匹配的正则模式
Value string // 匹配的值(已脱敏)
Description string
}
// ScanResult 扫描结果
type ScanResult struct {
Violations []Violation
Passed bool
}
// NewScanResult 创建扫描结果
func NewScanResult() *ScanResult {
return &ScanResult{
Violations: []Violation{},
Passed: true,
}
}
// HasViolation 检查是否有违规
func (r *ScanResult) HasViolation() bool {
return len(r.Violations) > 0
}
// AddViolation 添加违规项
func (r *ScanResult) AddViolation(v Violation) {
r.Violations = append(r.Violations, v)
r.Passed = false
}
// CredentialScanner 凭证扫描器
type CredentialScanner struct {
rules []ScanRule
}
// NewCredentialScanner 创建凭证扫描器
func NewCredentialScanner() *CredentialScanner {
scanner := &CredentialScanner{
rules: []ScanRule{
{
ID: "openai_key",
Pattern: regexp.MustCompile(`sk-[a-zA-Z0-9]{20,}`),
Description: "OpenAI API Key",
Severity: "HIGH",
},
{
ID: "api_key",
Pattern: regexp.MustCompile(`(?i)(api[_-]?key|apikey)["\s:=]+['"]?([a-zA-Z0-9_\-]{16,})['"]?`),
Description: "Generic API Key",
Severity: "MEDIUM",
},
{
ID: "aws_access_key",
Pattern: regexp.MustCompile(`(?i)(access[_-]?key[_-]?id|aws[_-]?access[_-]?key)["\s:=]+['"]?(AKIA[0-9A-Z]{16})['"]?`),
Description: "AWS Access Key ID",
Severity: "HIGH",
},
{
ID: "aws_secret_key",
Pattern: regexp.MustCompile(`(?i)(secret[_-]?key|aws[_-]?.*secret[_-]?key)["\s:=]+['"]?([a-zA-Z0-9/+=]{40})['"]?`),
Description: "AWS Secret Access Key",
Severity: "HIGH",
},
{
ID: "password",
Pattern: regexp.MustCompile(`(?i)(password|passwd|pwd)["\s:=]+['"]?([a-zA-Z0-9@#$%^&*!]{8,})['"]?`),
Description: "Password",
Severity: "HIGH",
},
{
ID: "bearer_token",
Pattern: regexp.MustCompile(`(?i)(token|bearer|authorization)["\s:=]+['"]?([Bb]earer\s+)?([a-zA-Z0-9_\-\.]+)['"]?`),
Description: "Bearer Token",
Severity: "MEDIUM",
},
{
ID: "private_key",
Pattern: regexp.MustCompile(`-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----`),
Description: "Private Key",
Severity: "CRITICAL",
},
{
ID: "secret",
Pattern: regexp.MustCompile(`(?i)(secret|client[_-]?secret)["\s:=]+['"]?([a-zA-Z0-9_\-]{16,})['"]?`),
Description: "Secret",
Severity: "HIGH",
},
},
}
return scanner
}
// Scan 扫描内容
func (s *CredentialScanner) Scan(content string) *ScanResult {
result := NewScanResult()
for _, rule := range s.rules {
matches := rule.Pattern.FindAllStringSubmatch(content, -1)
for _, match := range matches {
// 构建违规项
violation := Violation{
Type: rule.ID,
Pattern: rule.Pattern.String(),
Description: rule.Description,
}
// 提取匹配的值(取最后一个匹配组)
if len(match) > 1 {
violation.Value = maskString(match[len(match)-1])
} else {
violation.Value = maskString(match[0])
}
result.AddViolation(violation)
}
}
return result
}
// GetRules 获取扫描规则
func (s *CredentialScanner) GetRules() []ScanRule {
return s.rules
}
// Sanitizer 脱敏器
type Sanitizer struct {
patterns []*regexp.Regexp
}
// NewSanitizer 创建脱敏器
func NewSanitizer() *Sanitizer {
return &Sanitizer{
patterns: []*regexp.Regexp{
// OpenAI API Key
regexp.MustCompile(`(sk-[a-zA-Z0-9]{4})[a-zA-Z0-9]+([a-zA-Z0-9]{4})`),
// AWS Access Key
regexp.MustCompile(`(AKIA[0-9A-Z]{4})[0-9A-Z]+([0-9A-Z]{4})`),
// Generic API Key
regexp.MustCompile(`([a-zA-Z0-9_\-]{4})[a-zA-Z0-9_\-]{8,}([a-zA-Z0-9_\-]{4})`),
// Password
regexp.MustCompile(`([a-zA-Z0-9@#$%^&*!]{4})[a-zA-Z0-9@#$%^&*!]+([a-zA-Z0-9@#$%^&*!]{4})`),
},
}
}
// Mask 对字符串进行脱敏
func (s *Sanitizer) Mask(content string) string {
result := content
for _, pattern := range s.patterns {
// 替换为格式前4字符 + **** + 后4字符
result = pattern.ReplaceAllStringFunc(result, func(match string) string {
// 尝试分组替换
re := regexp.MustCompile(`^(.{4}).+(.{4})$`)
submatch := re.FindStringSubmatch(match)
if len(submatch) == 3 {
return submatch[1] + "****" + submatch[2]
}
// 如果无法分组,直接掩码
if len(match) > 8 {
return match[:4] + "****" + match[len(match)-4:]
}
return "****"
})
}
return result
}
// MaskMap 对map进行脱敏
func (s *Sanitizer) MaskMap(data map[string]interface{}) map[string]interface{} {
result := make(map[string]interface{})
for key, value := range data {
if IsSensitiveField(key) {
if str, ok := value.(string); ok {
result[key] = s.Mask(str)
} else {
result[key] = value
}
} else {
result[key] = s.maskValue(value)
}
}
return result
}
// MaskSlice 对slice进行脱敏
func (s *Sanitizer) MaskSlice(data []string) []string {
result := make([]string, len(data))
for i, item := range data {
result[i] = s.Mask(item)
}
return result
}
// maskValue 递归掩码
func (s *Sanitizer) maskValue(value interface{}) interface{} {
switch v := value.(type) {
case string:
return s.Mask(v)
case map[string]interface{}:
return s.MaskMap(v)
case []interface{}:
result := make([]interface{}, len(v))
for i, item := range v {
result[i] = s.maskValue(item)
}
return result
case []string:
return s.MaskSlice(v)
default:
return v
}
}
// maskString 掩码字符串
func maskString(s string) string {
if len(s) > 8 {
return s[:4] + "****" + s[len(s)-4:]
}
return "****"
}
// GetSensitiveFields 获取敏感字段列表
func GetSensitiveFields() []string {
return []string{
"api_key",
"apikey",
"secret",
"secret_key",
"password",
"passwd",
"pwd",
"token",
"access_key",
"access_key_id",
"private_key",
"session_id",
"authorization",
"bearer",
"client_secret",
"credentials",
}
}
// IsSensitiveField 判断字段名是否为敏感字段
func IsSensitiveField(fieldName string) bool {
lowerName := strings.ToLower(fieldName)
sensitiveFields := GetSensitiveFields()
for _, sf := range sensitiveFields {
if strings.Contains(lowerName, sf) {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink