This commit is contained in:
2026-05-28 20:19:28 +08:00
commit 070fad058f
124 changed files with 22713 additions and 0 deletions
+18
View File
@@ -0,0 +1,18 @@
<?php
declare(strict_types=1);
namespace LayLink\Auth;
final class ClientAuthenticator
{
public function authenticate(array $request): array
{
$token = (string)($request['auth_token'] ?? '');
if (!hash_equals('dev-token', $token)) {
return ['ok' => false, 'reason' => 'invalid_auth'];
}
return ['ok' => true, 'user_id' => (string)($request['user_id'] ?? 'admin')];
}
}
+45
View File
@@ -0,0 +1,45 @@
<?php
declare(strict_types=1);
namespace LayLink\Auth;
final class NodeAuthenticator
{
/**
* @param string[] $allowedTransports
*/
public function __construct(
private readonly array $nodes,
private readonly array $allowedTransports = ['tcp'],
) {
}
public function authenticate(array $payload): array
{
$nodeId = (string)($payload['node_id'] ?? '');
$nodeType = (string)($payload['node_type'] ?? '');
$token = (string)($payload['node_token'] ?? '');
$transport = strtolower((string)($payload['transport_protocol'] ?? 'tcp'));
if ($nodeId === '' || !isset($this->nodes[$nodeId])) {
return ['ok' => false, 'reason' => 'node_not_found'];
}
$node = $this->nodes[$nodeId];
if (($node['enabled'] ?? false) !== true) {
return ['ok' => false, 'reason' => 'node_disabled'];
}
if (($node['node_type'] ?? '') !== $nodeType) {
return ['ok' => false, 'reason' => 'node_type_mismatch'];
}
if (!hash_equals((string)($node['token'] ?? ''), $token)) {
return ['ok' => false, 'reason' => 'invalid_node_token'];
}
if (!in_array($transport, $this->allowedTransports, true)) {
return ['ok' => false, 'reason' => 'transport_not_allowed'];
}
return ['ok' => true, 'node' => $node + ['node_id' => $nodeId]];
}
}
+66
View File
@@ -0,0 +1,66 @@
<?php
declare(strict_types=1);
namespace LayLink\Auth;
final class PolicyChecker
{
public function __construct(private readonly array $policies)
{
}
public function find(string $userId, string $host, int $port, string $protocol): ?array
{
foreach ($this->policies as $policy) {
if (($policy['enabled'] ?? false) !== true) {
continue;
}
if (!in_array($userId, $policy['users'] ?? [], true)) {
continue;
}
if (($policy['protocol'] ?? 'tcp') !== $protocol) {
continue;
}
if (!in_array($port, $policy['target_ports'] ?? [], true)) {
continue;
}
if (!$this->hostMatches($host, $policy['target_hosts'] ?? [])) {
continue;
}
return $policy;
}
return null;
}
private function hostMatches(string $host, array $patterns): bool
{
foreach ($patterns as $pattern) {
if ($pattern === '*' || $pattern === $host) {
return true;
}
if (is_string($pattern) && str_contains($pattern, '/') && self::cidrContains($pattern, $host)) {
return true;
}
}
return false;
}
public static function cidrContains(string $cidr, string $host): bool
{
if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
return false;
}
[$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
if ($bits === null || filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
return false;
}
$mask = -1 << (32 - (int)$bits);
return (ip2long($host) & $mask) === (ip2long($subnet) & $mask);
}
}