
避免明文存储数据库密码

shao 2 weeks ago
parent
commit
be26042e4a
7 changed files with 136 additions and 3 deletions
  1. 22 0
      README.md
  2. 2 0
      cmd/cobra.go
  3. 46 0
      cmd/crypto/crypto.go
  4. 15 0
      common/config.go
  5. 0 2
      common/global.go
  6. 50 0
      common/utils.go
  7. 1 1
      config/config.toml.template

+ 22 - 0
README.md

@@ -8,3 +8,25 @@ DR Resource Server
 ```shell
 go run main.go run
 ```
+
+#### deploy
+```shell
+# vim /etc/systemd/system/resource-server.service
+[Unit]
+Description=dr resource service
+After=network.target
+ 
+[Service]
+Type=simple
+WorkingDirectory=xxx/DRResourceServer
+ExecStart=xxx/DRResourceServer/resource-server run
+ 
+[Install]
+WantedBy=multi-user.target
+
+# 重新加载systemd配置
+sudo systemctl daemon-load
+
+# 启动服务
+sudo systemctl restart resource-server.service
+```

+ 2 - 0
cmd/cobra.go

@@ -9,6 +9,7 @@ import (
 )
 
 import (
+	"resource-server/cmd/crypto"
 	"resource-server/cmd/httpserver"
 	"resource-server/cmd/version"
 )
@@ -26,6 +27,7 @@ var rootCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(httpserver.StartCmd)
 	rootCmd.AddCommand(version.StartCmd)
+	rootCmd.AddCommand(crypto.StartCmd)
 }
 
 // Execute : apply commands

+ 46 - 0
cmd/crypto/crypto.go

@@ -0,0 +1,46 @@
+package crypto
+
+import (
+	"fmt"
+	"resource-server/common"
+)
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var (
+	orig     string
+	StartCmd = &cobra.Command{
+		Use:     "crypto",
+		Short:   "Crypto",
+		Example: "resource-server crypto -o 123456",
+		PreRun: func(cmd *cobra.Command, args []string) {
+
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return run()
+		},
+	}
+)
+
+func init() {
+	StartCmd.Flags().StringVarP(&orig, "orig", "o", "", "orig")
+}
+
+func run() error {
+	ciphertext, err := common.DBPwdEncrypt([]byte(orig))
+	if err != nil {
+		fmt.Println("Error encrypting:", err)
+		return err
+	}
+	fmt.Printf("Ciphertext: %x\n", ciphertext)
+
+	decryptedtext, err := common.DBPwdDecrypt(ciphertext)
+	if err != nil {
+		fmt.Println("Error decrypting:", err)
+		return err
+	}
+	fmt.Printf("Decryptedtext: %s\n", string(decryptedtext))
+	return nil
+}
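Review bot: The plaintext password is taken from the `-o` flag (`StringVarP(&orig, "orig", "o", ...)`), so it ends up in shell history and is visible to every local user in the process list for as long as the command runs; read it from stdin or a no-echo prompt instead, and replace the `Example` string `resource-server crypto -o 123456` accordingly. `run` also both prints and returns each error (`fmt.Println("Error encrypting:", err); return err`), so cobra reports it a second time; return `fmt.Errorf("encrypting db password: %w", err)` and let the command runner print it once. The empty `PreRun` function can be dropped, and the two separate `import (` blocks would normally be merged into one.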

+ 15 - 0
common/config.go

@@ -1,6 +1,7 @@
 package common
 
 import (
+	"encoding/hex"
 	"fmt"
 )
 
@@ -59,6 +60,18 @@ type postgres struct {
 	Name     string
 }
 
+func (p *postgres) setup() {
+	raw, err := hex.DecodeString(p.Password)
+	if err != nil {
+		panic("db password is invalid")
+	}
+	pwd, err := DBPwdDecrypt(raw)
+	if err != nil {
+		panic("db password is invalid")
+	}
+	p.Password = string(pwd)
+}
+
 // metadata配置
 type metadata struct {
 	Languages []Lang
@@ -137,6 +150,8 @@ func InitPostgres(cfg *viper.Viper) *postgres {
 	if err != nil {
 		panic("InitPostgres err")
 	}
+
+	postgres.setup()
 	return &postgres
 }
 
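Review bot: Both `panic("db password is invalid")` calls in `setup` discard `err`, so an operator cannot tell a mistyped hex string from a value encrypted under a different key; keep the cause, e.g. `panic(fmt.Sprintf("db password is invalid: %v", err))` — `fmt` is already imported and neither underlying error message contains the decoded value. An empty `password` also reaches `gcm.Open` and fails with the same message; if an unset password is meant to be a configuration error, check `p.Password == ""` first and say so explicitly. `InitPostgres`, which now calls `postgres.setup()`, starts outside the hunk.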

+ 0 - 2
common/global.go

@@ -9,8 +9,6 @@ var (
 	Build   = "current"
 
 	Hostname string
-
-	SambaPassword = ""
 )
 
 func init() {

+ 50 - 0
common/utils.go

@@ -1,6 +1,8 @@
 package common
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/md5"
 	"encoding/hex"
 	"fmt"
@@ -64,3 +66,51 @@ func MD5(v []byte) string {
 	re := h.Sum(nil)
 	return hex.EncodeToString(re)
 }
+
+var dbPwKey = []byte("X3O6wVF&6*&lSVk0*504V~q7>\"k]6S'*") // 32 bytes for AES-256
+var dbPwNonceHex = "1962a6f6f9999447632c8a34"
+
+func EncryptGCM(key []byte, nonce []byte, plaintext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertext := gcm.Seal(nil, nonce, plaintext, nonce)
+
+	return ciphertext, nil
+}
+
+func DecryptGCM(key []byte, nonce []byte, ciphertext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	plaintext, err := gcm.Open(nil, nonce, ciphertext, nonce)
+	if err != nil {
+		return nil, err
+	}
+
+	return plaintext, nil
+}
+
+func DBPwdEncrypt(ciphertext []byte) ([]byte, error) {
+	nonce, _ := hex.DecodeString(dbPwNonceHex)
+	return EncryptGCM(dbPwKey, nonce, ciphertext)
+}
+
+func DBPwdDecrypt(ciphertext []byte) ([]byte, error) {
+	nonce, _ := hex.DecodeString(dbPwNonceHex)
+	return DecryptGCM(dbPwKey, nonce, ciphertext)
+}
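Review bot: `DBPwdEncrypt` seals every plaintext under the same key and the fixed nonce `dbPwNonceHex`, and AES-GCM loses both confidentiality and integrity once one (key, nonce) pair is used for two different messages, so encrypting a second password with this tool (another environment, a rotated value) breaks the scheme. Because `dbPwKey` is compiled into the binary and committed to the repository, the stored value is obfuscated rather than protected: anyone who can read the binary or the repo can decrypt the `password` field, which is also true of the sample value shipped in config/config.toml.template. The minimal fix is a fresh random nonce per encryption, stored in front of the ciphertext as below (needs `crypto/rand`), with the key supplied from outside the source tree such as an environment variable or a file readable only by the service user; the template value would then need regenerating. Separately, the `nonce, _ :=` discards are only safe while the constant stays valid, and the parameter of `DBPwdEncrypt` is named `ciphertext` although it is the plaintext.
```go
// … unchanged: dbPwKey, EncryptGCM, DecryptGCM …

const dbPwNonceSize = 12 // standard 96-bit GCM nonce, matches cipher.NewGCM

// DBPwdEncrypt seals plaintext under dbPwKey with a fresh random nonce and
// returns nonce || ciphertext so DBPwdDecrypt can recover the nonce.
func DBPwdEncrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, dbPwNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, fmt.Errorf("generating nonce: %w", err)
	}
	ct, err := EncryptGCM(dbPwKey, nonce, plaintext)
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

// DBPwdDecrypt expects the nonce || ciphertext layout produced by DBPwdEncrypt.
func DBPwdDecrypt(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < dbPwNonceSize {
		return nil, fmt.Errorf("db password ciphertext too short")
	}
	return DecryptGCM(dbPwKey, ciphertext[:dbPwNonceSize], ciphertext[dbPwNonceSize:])
}
```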

+ 1 - 1
config/config.toml.template

@@ -23,7 +23,7 @@ prod = ""
 ip = "127.0.0.1"
 port = 5432
 username = "mytest"
-password = "123456"
+password = "24a4e49b95adb006fbadd7c5a74dbb2ee4d67d61abab"
 name = "mytestdatabase"
 
 [metadata]