Boen_Shi
e10f050dfc
- 合并检测接口到 BastionAccountController - 新增 bastion:check-login 命令,支持 --refresh-invalid - 检测失效后立即刷新并复检状态
178 lines
5.9 KiB
PHP
178 lines
5.9 KiB
PHP
<?php
|
||
|
||
namespace App\Console\Commands;
|
||
|
||
use App\Models\BastionAccount;
|
||
use Illuminate\Console\Command;
|
||
use Illuminate\Http\Client\ConnectionException;
|
||
use Illuminate\Http\Client\RequestException;
|
||
use Illuminate\Support\Facades\Http;
|
||
|
||
class CheckBastionLoginCommand extends Command
|
||
{
|
||
protected $signature = 'bastion:check-login {--account_id=} {--refresh-invalid}';
|
||
|
||
protected $description = '检测堡垒机账号 token 是否有效(0 有效,-1 无效)';
|
||
|
||
public function handle(): int
|
||
{
|
||
$query = BastionAccount::query()
|
||
->where('is_active', true)
|
||
->whereNotNull('usm')
|
||
->where('usm', '!=', '')
|
||
->whereNotNull('usm_authentication')
|
||
->where('usm_authentication', '!=', '');
|
||
|
||
$accountId = $this->option('account_id');
|
||
if ($accountId !== null && $accountId !== '') {
|
||
$query->where('id', (int) $accountId);
|
||
}
|
||
|
||
$accounts = $query->orderBy('id')->get();
|
||
if ($accounts->isEmpty()) {
|
||
$this->line('[]');
|
||
|
||
return self::SUCCESS;
|
||
}
|
||
|
||
$rows = [];
|
||
foreach ($accounts as $account) {
|
||
$status = $this->checkAccountTokenStatus((string) $account->usm_authentication, (string) $account->usm);
|
||
$refreshed = false;
|
||
if ($status === -1 && $this->option('refresh-invalid')) {
|
||
$refreshed = $this->refreshAccountToken($account);
|
||
if ($refreshed) {
|
||
$account->refresh();
|
||
$status = $this->checkAccountTokenStatus((string) $account->usm_authentication, (string) $account->usm);
|
||
}
|
||
}
|
||
|
||
$rows[] = [
|
||
'id' => $account->id,
|
||
'username' => $account->username,
|
||
'status' => $status,
|
||
'refreshed' => $refreshed,
|
||
];
|
||
}
|
||
|
||
$this->line(json_encode($rows, JSON_UNESCAPED_UNICODE));
|
||
|
||
return self::SUCCESS;
|
||
}
|
||
|
||
private function checkAccountTokenStatus(string $usmAuthentication, string $usm): int
|
||
{
|
||
$url = 'https://172.16.254.2/index.php/extend/check_login';
|
||
$cookie = sprintf(
|
||
'LANG=zh; USM-AUTHENTICATION=%s; USM=%s; LOGON=1; AUTH_METHOD=oauth2',
|
||
$usmAuthentication,
|
||
$usm
|
||
);
|
||
|
||
try {
|
||
$response = Http::timeout(10)
|
||
->withOptions(['verify' => false])
|
||
->withHeaders([
|
||
'Cookie' => $cookie,
|
||
'Accept' => '*/*',
|
||
])
|
||
->get($url);
|
||
} catch (ConnectionException) {
|
||
return -1;
|
||
}
|
||
|
||
if (! $response->successful()) {
|
||
return -1;
|
||
}
|
||
|
||
return trim((string) $response->body()) === '0' ? 0 : -1;
|
||
}
|
||
|
||
private function refreshAccountToken(BastionAccount $account): bool
|
||
{
|
||
$baseUrl = (string) config('services.bastion_token.base_url');
|
||
if ($baseUrl === '') {
|
||
return false;
|
||
}
|
||
|
||
$submitEndpoint = (string) config('services.bastion_token.submit_endpoint', '/bastion_token');
|
||
$statusEndpoint = (string) config('services.bastion_token.status_endpoint', '/bastion_token/{task_id}');
|
||
$timeout = (int) config('services.bastion_token.timeout', 30);
|
||
$service = (string) config('services.bastion_token.service', 'https://myapp.cdu.edu.cn/index.html');
|
||
$verifySsl = (bool) config('services.bastion_token.verify_ssl', false);
|
||
|
||
try {
|
||
$submitResponse = Http::baseUrl($baseUrl)
|
||
->acceptJson()
|
||
->timeout($timeout)
|
||
->retry(2, 300, throw: false)
|
||
->post($submitEndpoint, [
|
||
'username' => $account->username,
|
||
'password' => $account->password,
|
||
'service' => $service,
|
||
'verify_ssl' => $verifySsl,
|
||
]);
|
||
} catch (ConnectionException|RequestException) {
|
||
return false;
|
||
}
|
||
|
||
if (! $submitResponse->successful()) {
|
||
return false;
|
||
}
|
||
|
||
$taskId = (string) data_get($submitResponse->json(), 'task_id', '');
|
||
if ($taskId === '') {
|
||
return false;
|
||
}
|
||
|
||
$maxPoll = 20;
|
||
for ($i = 0; $i < $maxPoll; $i++) {
|
||
usleep(500000);
|
||
$statusUrl = str_replace('{task_id}', $taskId, $statusEndpoint);
|
||
try {
|
||
$statusResponse = Http::baseUrl($baseUrl)
|
||
->acceptJson()
|
||
->timeout($timeout)
|
||
->retry(2, 300, throw: false)
|
||
->get($statusUrl);
|
||
} catch (ConnectionException|RequestException) {
|
||
continue;
|
||
}
|
||
|
||
if (! $statusResponse->successful()) {
|
||
continue;
|
||
}
|
||
|
||
$taskResult = $statusResponse->json();
|
||
$status = strtolower((string) data_get($taskResult, 'status', 'pending'));
|
||
if ($status === 'pending') {
|
||
continue;
|
||
}
|
||
|
||
if ($status === 'error') {
|
||
return false;
|
||
}
|
||
|
||
$usmAuthentication = (string) data_get($taskResult, 'data.bastion.token_cookies.USM-AUTHENTICATION', '');
|
||
$usm = (string) data_get($taskResult, 'data.bastion.token_cookies.USM', '');
|
||
if ($usmAuthentication === '' || $usm === '') {
|
||
$usmAuthentication = (string) data_get($taskResult, 'data.USM-AUTHENTICATION', $usmAuthentication);
|
||
$usm = (string) data_get($taskResult, 'data.USM', $usm);
|
||
}
|
||
if ($usmAuthentication === '' || $usm === '') {
|
||
return false;
|
||
}
|
||
|
||
$account->update([
|
||
'usm_authentication' => $usmAuthentication,
|
||
'usm' => $usm,
|
||
'last_token_refreshed_at' => now(),
|
||
]);
|
||
|
||
return true;
|
||
}
|
||
|
||
return false;
|
||
}
|
||
}
|