From 6b50c4e4198e96ef08101647b8374b8c48fc649c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:54:32 +0000 Subject: [PATCH 1/4] Bump webrick in /docs in the bundler group across 1 directory Bumps the bundler group with 1 update in the /docs directory: [webrick](https://github.com/ruby/webrick). Updates `webrick` from 1.8.1 to 1.8.2 - [Release notes](https://github.com/ruby/webrick/releases) - [Commits](https://github.com/ruby/webrick/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: webrick dependency-type: indirect dependency-group: bundler ... Signed-off-by: dependabot[bot] --- docs/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index f7ac156f..47f5f7ec 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock @@ -80,7 +80,7 @@ GEM terminal-table (3.0.2) unicode-display_width (>= 1.1.1, < 3) unicode-display_width (2.5.0) - webrick (1.8.1) + webrick (1.8.2) PLATFORMS arm64-darwin From cc78349c17685193c05249a2f4d966e8316ee6c0 Mon Sep 17 00:00:00 2001 From: zengl Date: Mon, 30 Sep 2024 23:59:53 +0800 Subject: [PATCH 2/4] add missing file --- server/tokenstore.go | 97 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 server/tokenstore.go diff --git a/server/tokenstore.go b/server/tokenstore.go new file mode 100644 index 00000000..9320945a --- /dev/null +++ b/server/tokenstore.go 
@@ -0,0 +1,97 @@
+package server
+
+import (
+ "encoding/base64"
+ "encoding/binary"
+ "time"
+
+ "github.com/emmansun/gmsm/sm3"
+
+ "github.com/OpenNHP/opennhp/common"
+ "github.com/OpenNHP/opennhp/log"
+)
+
+type ACTokenEntry struct {
+ User *common.AgentUser
+ ResourceId string
+ ACTokens map[string]string
+ OpenTime int
+ ExpireTime time.Time
+}
+
+type TokenToACMap = map[string]*ACTokenEntry // server access token mapped into mutiple AC tokens
+type TokenStore = map[string]TokenToACMap // upper layer of tokens, indexed by first two characters
+
+func (s *UdpServer) GenerateAccessToken(entry *ACTokenEntry) string {
+ var tsBytes [8]byte
+ currTime := time.Now().UnixNano()
+
+ hash := sm3.New()
+ binary.BigEndian.PutUint64(tsBytes[:], uint64(currTime))
+ au := entry.User
+ hash.Write([]byte(s.config.Hostname + au.UserId + au.DeviceId + au.OrganizationId + au.AuthServiceId))
+ hash.Write(tsBytes[:])
+ token := base64.StdEncoding.EncodeToString(hash.Sum(nil))
+ hash.Reset()
+
+ s.tokenStoreMutex.Lock()
+ defer s.tokenStoreMutex.Unlock()
+
+ entry.ExpireTime = time.Now().Add(time.Duration(entry.OpenTime) * time.Second)
+ tokenMap, found := s.tokenStore[token[0:1]]
+ if found {
+ tokenMap[token] = entry
+ } else {
+ tokenMap := make(TokenToACMap)
+ tokenMap[token] = entry
+ s.tokenStore[token[0:1]] = tokenMap
+ }
+
+ return token
+}
+
+func (s *UdpServer) VerifyAccessToken(token string) *ACTokenEntry {
+ s.tokenStoreMutex.Lock()
+ defer s.tokenStoreMutex.Unlock()
+
+ tokenMap, found := s.tokenStore[token[0:1]]
+ if found {
+ entry, found := tokenMap[token]
+ if found {
+ return entry
+ }
+ }
+
+ return nil
+}
+
+func (s *UdpServer) tokenStoreRefreshRoutine() {
+ defer s.wg.Done()
+ defer log.Info("tokenStoreRefreshRoutine stopped")
+
+ log.Info("tokenStoreRefreshRoutine started")
+
+ for {
+ select {
+ case <-s.signals.stop:
+ return
+
+ case <-time.After(TokenStoreRefreshInterval * time.Second):
+ s.tokenStoreMutex.Lock()
+ defer s.tokenStoreMutex.Unlock()
+
+ now := time.Now()
+ for head, tokenMap := range s.tokenStore {
+ for token, entry := range tokenMap {
+ if now.After(entry.ExpireTime) {
+ log.Info("[TokenStore] token %s expired, remove", token)
+ delete(tokenMap, token)
+ }
+ }
+ if len(tokenMap) == 0 {
+ delete(s.tokenStore, head)
+ }
+ }
+ }
+ }
+}
From 9b1e55cef96a97a8b4e18fe543fd9a68160687ff Mon Sep 17 00:00:00 2001
From: windcbf
Date: Mon, 30 Sep 2024 09:02:10 -0700
Subject: [PATCH 3/4] Create SECURITY.md
---
 SECURITY.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..2c9c5218
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+## Reporting Security Issues
+
+The OpenNHP team and community take security bugs in OpenNHP seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/opennhp/opennhp/security/advisories/new) tab.
+
+The OpenNHP team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining the module.
+
From d5bf7be7b4603512b3a0d90736d6ef4e2ccab405 Mon Sep 17 00:00:00 2001
From: windcbf
Date: Mon, 30 Sep 2024 12:45:36 -0700
Subject: [PATCH 4/4] Create CODE_OF_CONDUCT.md
---
 CODE_OF_CONDUCT.md | 128 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 CODE_OF_CONDUCT.md
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..afbe7e53
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
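Review bot: The `defer s.tokenStoreMutex.Unlock()` inside the `time.After` case of `tokenStoreRefreshRoutine` only fires when the goroutine returns, not at the end of the iteration, so after the first sweep the mutex stays locked and the next tick, and every later `GenerateAccessToken` or `VerifyAccessToken` call, blocks forever; replace the defer with an explicit `s.tokenStoreMutex.Unlock()` placed after the `for head, tokenMap := range s.tokenStore` loop, or move the sweep body into its own method so the defer scopes correctly. `VerifyAccessToken` slices `token[0:1]` before checking the length, so an empty token, which presumably arrives from a peer over the wire, panics the server; add `if len(token) == 0 { return nil }` as its first statement. The same function also hands back entries whose `ExpireTime` has already passed, because expiry is enforced only by the periodic sweep, so a token remains usable for up to `TokenStoreRefreshInterval` seconds beyond `OpenTime`; change the inner check to `if found && time.Now().Before(entry.ExpireTime) { return entry }`. The token value is an SM3 digest of the hostname, the user's identity fields and a nanosecond timestamp, none of which is secret, so its unpredictability rests entirely on the timestamp; drawing the token from `crypto/rand` (for example 32 random bytes, base64-encoded) would make it unguessable by construction and the hash step unnecessary. Minor: `log.Info("[TokenStore] token %s expired, remove", token)` writes the full credential to the log where a truncated prefix or a count would do, the comment on `TokenStore` says the index is the first two characters while the code uses one (`token[0:1]`), and "mutiple" is a typo.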
@@ -0,0 +1,128 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +opennhp@gmail.com. +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. 
Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations.