From 1cf10981ef9a0fa5657f9e49a056a011d1be1eb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=85=AC=E6=98=8E?= <83812544+Ed1s0nZ@users.noreply.github.com> Date: Sat, 11 Jul 2026 11:30:50 +0800 Subject: [PATCH] Add files via upload --- README.md | 5 ++--- README_CN.md | 5 ++--- cmd/server/main.go | 19 ++++++++----------- docs/en-US/configuration-profiles.md | 5 ++--- docs/en-US/configuration.md | 3 +-- docs/en-US/runbooks.md | 2 +- docs/en-US/security-hardening.md | 2 +- docs/en-US/troubleshooting.md | 2 +- docs/zh-CN/configuration-profiles.md | 5 ++--- docs/zh-CN/configuration.md | 3 +-- docs/zh-CN/runbooks.md | 2 +- docs/zh-CN/security-hardening.md | 2 +- docs/zh-CN/security-model.md | 4 ++-- docs/zh-CN/troubleshooting.md | 6 +++--- 14 files changed, 28 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 074c49ba..416e9592 100644 --- a/README.md +++ b/README.md @@ -212,7 +212,7 @@ The `run.sh` script will automatically: model: "gpt-4o" # or deepseek-chat, claude-3-opus, etc. ``` - Or edit `config.yaml` directly before launching -2. **Login** - Use the auto-generated password shown in the console (or set `auth.password` in `config.yaml`) +2. **Login** - On first startup the console prints an auto-generated initial `admin` password; create accounts from **Platform permissions → User management** 3. **Install security tools (optional)** - Install tools from `tools/` as needed; missing tools are skipped or substituted at runtime. Common examples: **macOS (Homebrew):** @@ -281,7 +281,7 @@ Requirements / tips: ### Built-in Safeguards - Required-field validation prevents accidental blank API credentials. -- Auto-generated strong passwords when `auth.password` is empty. +- Auto-generated 24-character initial `admin` password on first startup when no RBAC users exist (stored in the database only, not in `config.yaml`). - Unified auth middleware for every web/API call (Bearer token flow). - Timeout and sandbox guards per tool, plus structured logging for triage. @@ -537,7 +537,6 @@ A test SSE MCP server is available at `cmd/test-sse-mcp-server/` for validation ```yaml auth: - password: "change-me" session_duration_hours: 12 server: host: "0.0.0.0" diff --git a/README_CN.md b/README_CN.md index 48a96d3e..d3adcec1 100644 --- a/README_CN.md +++ b/README_CN.md @@ -211,7 +211,7 @@ chmod +x run.sh && ./run.sh model: "gpt-4o" # 或 deepseek-chat, claude-3-opus 等 ``` - 或启动前直接编辑 `config.yaml` 文件 -2. **登录系统** - 使用控制台显示的自动生成密码(或在 `config.yaml` 中设置 `auth.password`) +2. **登录系统** - 首次启动时控制台会显示自动生成的 `admin` 初始密码;也可在「平台权限 → 用户管理」中创建账号 3. **安装安全工具(可选)** - 按需安装 `tools/` 目录中的工具;未安装的工具在执行时会自动跳过或改用替代方案。常用示例: **macOS(Homebrew):** @@ -279,7 +279,7 @@ go build -o cyberstrike-ai cmd/server/main.go ### 默认安全措施 - 设置面板内置必填校验,防止漏配 API Key/Base URL/模型。 -- `auth.password` 为空时自动生成 24 位强口令并写回 `config.yaml`。 +- 首次启动且无 RBAC 用户时,自动生成 24 位 `admin` 初始密码并在控制台输出(仅存于数据库,不再写入 `config.yaml`)。 - 所有 API(除登录外)都需携带 Bearer Token,统一鉴权中间件拦截。 - 每个工具执行都带有超时、日志和错误隔离。 @@ -535,7 +535,6 @@ CyberStrikeAI 支持通过三种传输模式连接外部 MCP 服务器: ```yaml auth: - password: "change-me" session_duration_hours: 12 server: host: "0.0.0.0" diff --git a/cmd/server/main.go b/cmd/server/main.go index e353a863..c6818da1 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -5,6 +5,7 @@ import ( "cyberstrike-ai/internal/app" "cyberstrike-ai/internal/config" "cyberstrike-ai/internal/logger" + "cyberstrike-ai/internal/termout" "flag" "fmt" "os" @@ -47,8 +48,7 @@ func main() { return } if localConfig.Created { - cfg.Auth.GeneratedPassword = localConfig.GeneratedPassword - cfg.Auth.GeneratedPasswordPersisted = true + termout.PrintConfigCreated() } if *httpsBootstrap { @@ -63,15 +63,12 @@ func main() { if config.MainWebUIUsesHTTPS(&cfg.Server) { scheme = "https" } - fmt.Println() - fmt.Printf("→ Web 界面: %s://127.0.0.1:%d/\n", scheme, port) - if scheme == "https" && cfg.Server.TLSAutoSelfSign { - fmt.Println(" (内存自签证书:浏览器首次需确认「继续访问」)") - } - if scheme == "https" && config.ServerHTTPRedirectEnabled(&cfg.Server) { - fmt.Printf(" (http://127.0.0.1:%d/ 将自动跳转到 HTTPS)\n", port) - } - fmt.Println() + termout.PrintStartupWebUI(termout.StartupWebUIOptions{ + Scheme: scheme, + Port: port, + SelfSigned: scheme == "https" && cfg.Server.TLSAutoSelfSign, + HTTPRedirect: scheme == "https" && config.ServerHTTPRedirectEnabled(&cfg.Server), + }) // MCP 启用且 auth_header_value 为空时,自动生成随机密钥并写回配置 if err := config.EnsureMCPAuth(cp, cfg); err != nil { diff --git a/docs/en-US/configuration-profiles.md b/docs/en-US/configuration-profiles.md index f9124763..a9d8c040 100644 --- a/docs/en-US/configuration-profiles.md +++ b/docs/en-US/configuration-profiles.md @@ -21,7 +21,7 @@ server: tls_enabled: true tls_auto_self_sign: true auth: - password: "dev-only-change-me" + session_duration_hours: 12 audit: enabled: true retention_days: 7 @@ -45,7 +45,7 @@ server: port: 8080 tls_enabled: false auth: - password: "" + session_duration_hours: 12 audit: enabled: true retention_days: 30 @@ -90,7 +90,6 @@ Goal: long-running production red-team or security platform. ```yaml auth: - password: "" session_duration_hours: 8 audit: enabled: true diff --git a/docs/en-US/configuration.md b/docs/en-US/configuration.md index 74a7a561..c1939243 100644 --- a/docs/en-US/configuration.md +++ b/docs/en-US/configuration.md @@ -12,7 +12,6 @@ server: port: 8080 tls_enabled: true auth: - password: "change-me" session_duration_hours: 12 openai: provider: openai @@ -24,7 +23,7 @@ agent: tool_timeout_minutes: 60 ``` -Change the default password immediately. Use HTTPS or a trusted reverse proxy in any shared environment. +Change the initial `admin` password from the Web UI after first login. Use HTTPS or a trusted reverse proxy in any shared environment. ## Hot-Apply Boundaries diff --git a/docs/en-US/runbooks.md b/docs/en-US/runbooks.md index 9b6fa40c..325e5bde 100644 --- a/docs/en-US/runbooks.md +++ b/docs/en-US/runbooks.md @@ -48,7 +48,7 @@ config.yaml ```yaml auth: - password: "" + session_duration_hours: 12 server: host: 127.0.0.1 port: 8080 diff --git a/docs/en-US/security-hardening.md b/docs/en-US/security-hardening.md index aa4e1b3a..a7b805a8 100644 --- a/docs/en-US/security-hardening.md +++ b/docs/en-US/security-hardening.md @@ -6,7 +6,7 @@ This checklist covers pre-production and continuous hardening for CyberStrikeAI. ## Before Going Live -- Change `auth.password` to a long random secret. +- Change the initial `admin` password from the Web UI after first login. - Use HTTPS or a trusted reverse proxy. - Restrict access by IP, VPN, or bastion. - Enable `audit.enabled`. diff --git a/docs/en-US/troubleshooting.md b/docs/en-US/troubleshooting.md index 4057ba6d..22cf39cc 100644 --- a/docs/en-US/troubleshooting.md +++ b/docs/en-US/troubleshooting.md @@ -37,7 +37,7 @@ Page inaccessible: Login fails: -- wrong `auth.password`; +- wrong RBAC user password; - config not applied/restarted; - stale cookie; - audit throttling repeated failures. diff --git a/docs/zh-CN/configuration-profiles.md b/docs/zh-CN/configuration-profiles.md index 5d531958..027dcf82 100644 --- a/docs/zh-CN/configuration-profiles.md +++ b/docs/zh-CN/configuration-profiles.md @@ -21,7 +21,7 @@ server: tls_enabled: true tls_auto_self_sign: true auth: - password: "dev-only-change-me" + session_duration_hours: 12 audit: enabled: true retention_days: 7 @@ -54,7 +54,7 @@ server: port: 8080 tls_enabled: false auth: - password: "" + session_duration_hours: 12 audit: enabled: true retention_days: 30 @@ -107,7 +107,6 @@ multi_agent: ```yaml auth: - password: "" session_duration_hours: 8 audit: enabled: true diff --git a/docs/zh-CN/configuration.md b/docs/zh-CN/configuration.md index 3244dc4a..9517197b 100644 --- a/docs/zh-CN/configuration.md +++ b/docs/zh-CN/configuration.md @@ -12,7 +12,6 @@ server: tls_enabled: true tls_auto_self_sign: true auth: - password: "change-me" session_duration_hours: 12 log: level: info @@ -22,7 +21,7 @@ log: - `version`:前端展示版本。 - `server.host/port`:Web 服务监听地址和端口。 - `server.tls_*`:HTTPS 配置。生产环境建议使用 `tls_cert_path` 和 `tls_key_path`。 -- `auth.password`:Web 登录密码,必须改为强密码。 +- `auth.session_duration_hours`:登录会话有效期(小时)。登录密码由 RBAC 用户管理,首次启动时在控制台输出 `admin` 初始密码。 - `auth.session_duration_hours`:登录会话有效期。 - `log.output`:可以是 `stdout`、`stderr` 或文件路径。 diff --git a/docs/zh-CN/runbooks.md b/docs/zh-CN/runbooks.md index 0c0feb3b..d29f0691 100644 --- a/docs/zh-CN/runbooks.md +++ b/docs/zh-CN/runbooks.md @@ -48,7 +48,7 @@ config.yaml ```yaml auth: - password: "" + session_duration_hours: 12 server: host: 127.0.0.1 port: 8080 diff --git a/docs/zh-CN/security-hardening.md b/docs/zh-CN/security-hardening.md index 2003111b..539be7a8 100644 --- a/docs/zh-CN/security-hardening.md +++ b/docs/zh-CN/security-hardening.md @@ -6,7 +6,7 @@ ## 上线前必做 -- 修改 `auth.password` 为长随机密码。 +- 首次部署后立即修改 `admin` 初始密码(Web 界面或平台权限 → 用户管理)。 - 使用 HTTPS,或放在可信反向代理之后。 - 限制来源 IP、VPN 或堡垒机访问。 - 开启 `audit.enabled`。 diff --git a/docs/zh-CN/security-model.md b/docs/zh-CN/security-model.md index 0b932f6b..24da283f 100644 --- a/docs/zh-CN/security-model.md +++ b/docs/zh-CN/security-model.md @@ -16,9 +16,9 @@ CyberStrikeAI 面向授权安全测试场景,内置命令执行、MCP 工具 ## 认证与会话 -`auth.password` 是 Web 登录密码。建议: +Web 登录凭据由 RBAC 用户管理(默认内置 `admin` 账号)。建议: -- 首次部署立即修改默认密码。 +- 首次部署后立即修改 `admin` 初始密码(控制台首次启动会输出)。 - 使用长随机密码,并限制分享范围。 - 将服务放在内网、VPN、堡垒机或反向代理认证后面。 - 生产环境开启 HTTPS,避免明文传输 Cookie。 diff --git a/docs/zh-CN/troubleshooting.md b/docs/zh-CN/troubleshooting.md index c502dd99..2f662265 100644 --- a/docs/zh-CN/troubleshooting.md +++ b/docs/zh-CN/troubleshooting.md @@ -23,12 +23,12 @@ https://127.0.0.1:8080/ 检查: -- `config.yaml` 中的 `auth.password`。 -- 是否修改后未重启或未应用配置。 +- RBAC 用户密码是否正确(默认 `admin`;首次启动密码见控制台输出)。 +- 是否修改密码后旧会话已失效,需重新登录。 - 浏览器 Cookie 是否异常,可尝试无痕窗口。 - 审计日志中是否有登录失败节流。 -生产环境忘记密码时,需要在服务器上修改 `config.yaml` 并重启服务。 +生产环境忘记密码时,需在服务器上通过 RBAC 用户管理重置,或直接更新数据库中的用户密码哈希。 ## 模型无响应