package main import ( "strings" "sync" ) // ResourceType 资源类型 type ResourceType string const ( ResourceTypeGitHub ResourceType = "github" ResourceTypeDocker ResourceType = "docker" ) // AccessController 统一访问控制器 type AccessController struct { mu sync.RWMutex } // DockerImageInfo Docker镜像信息 type DockerImageInfo struct { Namespace string Repository string Tag string FullName string } // 全局访问控制器实例 var GlobalAccessController = &AccessController{} // ParseDockerImage 解析Docker镜像名称 func (ac *AccessController) ParseDockerImage(image string) DockerImageInfo { image = strings.TrimPrefix(image, "docker://") var tag string if idx := strings.LastIndex(image, ":"); idx != -1 { part := image[idx+1:] if !strings.Contains(part, "/") { tag = part image = image[:idx] } } if tag == "" { tag = "latest" } var namespace, repository string if strings.Contains(image, "/") { parts := strings.Split(image, "/") if len(parts) >= 2 { if strings.Contains(parts[0], ".") { if len(parts) >= 3 { namespace = parts[1] repository = parts[2] } else { namespace = "library" repository = parts[1] } } else { namespace = parts[0] repository = parts[1] } } } else { namespace = "library" repository = image } fullName := namespace + "/" + repository return DockerImageInfo{ Namespace: namespace, Repository: repository, Tag: tag, FullName: fullName, } } // CheckDockerAccess 检查Docker镜像访问权限 func (ac *AccessController) CheckDockerAccess(image string) (allowed bool, reason string) { cfg := GetConfig() // 解析镜像名称 imageInfo := ac.ParseDockerImage(image) // 检查白名单(如果配置了白名单,则只允许白名单中的镜像) if len(cfg.Proxy.WhiteList) > 0 { if !ac.matchImageInList(imageInfo, cfg.Proxy.WhiteList) { return false, "不在Docker镜像白名单内" } } // 检查黑名单 if len(cfg.Proxy.BlackList) > 0 { if ac.matchImageInList(imageInfo, cfg.Proxy.BlackList) { return false, "Docker镜像在黑名单内" } } return true, "" } // CheckGitHubAccess 检查GitHub仓库访问权限 func (ac *AccessController) CheckGitHubAccess(matches []string) (allowed bool, reason string) { if len(matches) < 2 { return false, "无效的GitHub仓库格式" } cfg := GetConfig() // 检查白名单 if len(cfg.Proxy.WhiteList) > 0 && !ac.checkList(matches, cfg.Proxy.WhiteList) { return false, "不在GitHub仓库白名单内" } // 检查黑名单 if len(cfg.Proxy.BlackList) > 0 && ac.checkList(matches, cfg.Proxy.BlackList) { return false, "GitHub仓库在黑名单内" } return true, "" } // matchImageInList 检查Docker镜像是否在指定列表中 func (ac *AccessController) matchImageInList(imageInfo DockerImageInfo, list []string) bool { fullName := strings.ToLower(imageInfo.FullName) namespace := strings.ToLower(imageInfo.Namespace) for _, item := range list { item = strings.ToLower(strings.TrimSpace(item)) if item == "" { continue } if fullName == item { return true } if item == namespace || item == namespace+"/*" { return true } if strings.HasSuffix(item, "*") { prefix := strings.TrimSuffix(item, "*") if strings.HasPrefix(fullName, prefix) { return true } } if strings.HasPrefix(item, "*/") { repoPattern := strings.TrimPrefix(item, "*/") if strings.HasSuffix(repoPattern, "*") { repoPrefix := strings.TrimSuffix(repoPattern, "*") if strings.HasPrefix(imageInfo.Repository, repoPrefix) { return true } } else { if strings.ToLower(imageInfo.Repository) == repoPattern { return true } } } if strings.HasPrefix(fullName, item+"/") { return true } } return false } // checkList GitHub仓库检查逻辑 func (ac *AccessController) checkList(matches, list []string) bool { if len(matches) < 2 { return false } username := strings.ToLower(strings.TrimSpace(matches[0])) repoName := strings.ToLower(strings.TrimSpace(strings.TrimSuffix(matches[1], ".git"))) fullRepo := username + "/" + repoName for _, item := range list { item = strings.ToLower(strings.TrimSpace(item)) if item == "" { continue } // 支持多种匹配模式 if fullRepo == item { return true } // 用户级匹配 if item == username || item == username+"/*" { return true } // 前缀匹配(支持通配符) if strings.HasSuffix(item, "*") { prefix := strings.TrimSuffix(item, "*") if strings.HasPrefix(fullRepo, prefix) { return true } } // 子仓库匹配(防止 user/repo 匹配到 user/repo-fork) if strings.HasPrefix(fullRepo, item+"/") { return true } } return false } // Reload 热重载访问控制规则 func (ac *AccessController) Reload() { ac.mu.Lock() defer ac.mu.Unlock() // 访问控制器本身不缓存配置 }