feat(services): add CTDSG FW service package#432
Conversation
|
PR Title: feat(services): add CTDSG FW service package Commit: 本次 PR 新增了一个 CTDSG FW 的 OctoBus 服务包,用于通过 CTDSG 设备的黑名单 API 对 IP 和域名进行封禁/解封。核心变更包括:
整体代码结构清晰,测试覆盖了主要功能路径。但在审阅中发现两个高置信度的可靠性问题: |
|
|
||
| const extractHeaders = (res) => { | ||
| const map = new Map(); | ||
| const headers = res?.headers; |
There was a problem hiding this comment.
fetch 调用传入无效的 timeoutMs 选项导致请求超时失效
fetchHttp 向原生 fetch 传入了 timeoutMs: resolveTimeoutMs(ctx) 选项。Node.js 内置的 fetch(undici)并不识别 timeoutMs,该选项会被静默忽略。若上游 CTDSG 设备无响应,请求将一直挂起直至操作系统 TCP 超时(通常数分钟),而非代码预期的 5 秒(或配置值)。测试中对 captured.init.timeoutMs 的断言仅能验证选项被传入,无法验证实际生效。
Problem code:
Changed code at services/ctdsg__fw/src/ctdsg-fw.js:347-353
Recommendation:
将 timeoutMs 替换为 signal: AbortSignal.timeout(resolveTimeoutMs(ctx)),以利用 Node.js 原生 fetch 支持的 AbortSignal 机制实现真正的请求超时。
Suggested diff:
@@ -345,7 +345,7 @@
let res;
try {
res = await withTlsBypass(ctx, () => fetch(url, {
method: 'POST',
- timeoutMs: resolveTimeoutMs(ctx),
+ signal: AbortSignal.timeout(resolveTimeoutMs(ctx)),
headers: buildSignedHeaders(ctx, bodyJson),
body: bodyJson,
}));
|
PR Title: feat(services): add CTDSG FW service package Commit: 本次 PR 的核心变更是移除 CTDSG FW 服务中硬编码的默认 appId('hybzapi'),将其从可选参数改为必填参数:
总体评估:这是一项正向的安全改进,消除了多租户/多实例场景下因共享默认 appId 可能导致的凭证混淆或越权风险。但发现 config.schema.json 未同步将 appId 标记为 required,导致 schema 验证与运行时行为不一致。 |
|
PR Title: feat(services): add CTDSG FW service package Commit: 本次 PR 对 CTDSG FW 服务进行了两项主要加固:
同时, 但在审查中发现两处由本次变更引入的问题:
|
| assert.equal(_test.resolveHost({ req: {}, bindings: { restBaseUrl: 'https://binding.test/' } }), 'https://binding.test'); | ||
| assert.equal(_test.resolveSecretKey({ req: {}, bindings: { secret_key: 's' } }), 's'); | ||
| assert.equal(_test.resolveTimeoutMs({ req: { timeout_ms: 111 }, bindings: { timeoutMs: 222 }, limits: { timeoutMs: 333 } }), 111); | ||
| assert.throws(() => AbortSignal.timeout(10), /TimeoutError|The operation was aborted|signal/i); |
There was a problem hiding this comment.
新增测试错误断言 AbortSignal.timeout 同步抛出异常
测试新增了一行 assert.throws(() => AbortSignal.timeout(10), ...),但 AbortSignal.timeout(ms) 是同步返回一个 AbortSignal 实例的工厂方法,本身不会抛出异常;超时行为是异步触发的。因此该断言在任何标准 Node.js 环境下都会失败,导致测试回归。
Problem code:
Changed code at services/ctdsg__fw/test/ctdsg-fw.test.js:291
Recommendation:
若目的是验证超时信号能被 fetch 正确消费,应改为对 fetchHttp 进行集成测试(例如使用极短的超时并断言抛出 UNAVAILABLE 或 AbortError);若仅想验证 AbortSignal.timeout 存在,可直接调用而不包裹在 assert.throws 中。
Suggested diff:
--- a/services/ctdsg__fw/test/ctdsg-fw.test.js
+++ b/services/ctdsg__fw/test/ctdsg-fw.test.js
@@ -288,7 +288,6 @@ test('helpers cover parsing, aliases, signatures, timing, and normalization bran
assert.equal(_test.resolveHost({ req: {}, bindings: { restBaseUrl: 'https://binding.test/' } }), 'https://binding.test');
assert.equal(_test.resolveSecretKey({ req: {}, bindings: { secret_key: 's' } }), 's');
assert.equal(_test.resolveTimeoutMs({ req: { timeout_ms: 111 }, bindings: { timeoutMs: 222 }, limits: { timeoutMs: 333 } }), 111);
- assert.throws(() => AbortSignal.timeout(10), /TimeoutError|The operation was aborted|signal/i);
assert.equal(_test.resolveTimeoutMs({ req: {}, bindings: { timeout_ms: 223 }, limits: { timeoutMs: 333 } }), 223);
Closes #423
变更概述
ctdsg-fwOctoBus service package,用于对接长亭 CTDSG 黑名单能力。BlockIPUnblockIPBlockDomainUnblockDomain接入设备信息
https://10.211.194.22:9090appId + secretKey,HMAC-MD5 请求签名已实现方法
BlockIP:封禁 IPUnblockIP:解封 IPBlockDomain:封禁域名UnblockDomain:解封域名关键实现说明
/Users/admin/Desktop/tools/mssblockingcomponent/Chaitin_FW_CTDSG_8815E_HTTP/chaitinfw.pyhy-bz-api-app-idhy-bz-api-timestamphy-bz-api-signatureoptBlockIP/BlockDomain使用addPatchblack2UnblockIP/UnblockDomain使用delblack2type、time、punish_time、time_unit、addr_type按字符串发送本地验证
验证结果:
validate-service-package通过node:test聚焦测试通过npm pack --dry-run通过网关接入验证
已通过 OctoBus Connect RPC 网关 验证以下能力:
BlockIPUnblockIPBlockDomainUnblockDomain真实设备联调验证
本次联调验证的是
serve→service import→instance→capset→Connect RPC的完整链路,验证结果为 OctoBus 适配器集成链路成功,不是直接绕过 OctoBus 访问设备。联调证据一:BlockIP 跑通
Request
POST http://127.0.0.1:9000/capsets/dev/connect/ctdsg-fw-test/CTDSG_FW.CTDSG_FW/BlockIP
Content-Type: application/json
{"ips":["43.143.110.163"],"permanent":false,"punishTime":1,"timeUnit":1}Response
HTTP/1.1 200 OK
{ "statusCode": 200, "rawBody": "{\"code\":0,\"msg\":\"成功\"}", "bodyJson": { "code": 0, "msg": "成功" }, "effectiveUrl": "https://10.211.194.22:9090/api.php/inter/Inter?opt=addPatchblack2" }联调证据二:UnblockIP 跑通
Request
POST http://127.0.0.1:9000/capsets/dev/connect/ctdsg-fw-test/CTDSG_FW.CTDSG_FW/UnblockIP
Content-Type: application/json
{"ips":["43.143.110.163"]}Response
HTTP/1.1 200 OK
{ "statusCode": 200, "rawBody": "{\"code\":0,\"msg\":\"成功\"}", "bodyJson": { "code": 0, "msg": "成功" }, "effectiveUrl": "https://10.211.194.22:9090/api.php/inter/Inter?opt=delblack2" }联调证据三:BlockDomain 跑通
Request
POST http://127.0.0.1:9000/capsets/dev/connect/ctdsg-fw-test/CTDSG_FW.CTDSG_FW/BlockDomain
Content-Type: application/json
{"domains":["fget-career.com"],"permanent":false,"punishTime":1,"timeUnit":1}Response
HTTP/1.1 200 OK
{ "statusCode": 200, "rawBody": "{\"code\":0,\"msg\":\"成功\"}", "bodyJson": { "code": 0, "msg": "成功" }, "effectiveUrl": "https://10.211.194.22:9090/api.php/inter/Inter?opt=addPatchblack2" }联调证据四:UnblockDomain 跑通
Request
POST http://127.0.0.1:9000/capsets/dev/connect/ctdsg-fw-test/CTDSG_FW.CTDSG_FW/UnblockDomain
Content-Type: application/json
{"domains":["fget-career.com"]}Response
HTTP/1.1 200 OK
{ "statusCode": 200, "rawBody": "{\"code\":0,\"msg\":\"成功\"}", "bodyJson": { "code": 0, "msg": "成功" }, "effectiveUrl": "https://10.211.194.22:9090/api.php/inter/Inter?opt=delblack2" }联调验证截图
截图一:BlockIP 成功
截图二:UnblockIP 成功
截图三:BlockDomain 成功
截图四:UnblockDomain 成功
安全说明
secretKey、密码、Token 或 Authorization 请求头。skipTlsVerify开关控制,不扩散到 OctoBus 网关全局。已知限制
skipTlsVerify适用于大量自签名证书设备场景,生产环境如有可信 CA,建议优先走正常证书链路。