mirror of
https://github.com/hpd840321/starRiverProperty.git
synced 2026-06-10 00:40:30 +08:00
Initial commit: reorganized source tree

- backend/: 13 Maven modules (cw-elevator-application, cloudwalk-cloud, intelligent-cwoscomponent, ninca-crk, etc.)
- frontend/: 4 Vue projects (elevator-front, cwos-portal, alarm-front, front_acs) + decompiled + scripts
- scripts/: build, test-env, tools (Docker Compose, service templates, API parity)
- docs/: AGENTS.md, superpowers specs, architecture docs
- .gitignore: standard Java/Maven exclusions

Moved from legacy maven-*/ root layout to backend/ organized structure.
@@ -0,0 +1,162 @@
# 访客无鉴权策略验证-生产操作手册
## 1. 文档目的
本手册用于生产环境执行以下验证并留痕:
- 在**无鉴权模式**下调用访客相关接口,确认是否存在放开风险。
- 验证“黄平(访客)访问蒙海文(被访人)”是否触发访客楼层策略。
- 输出可审计报告(JSON)用于归档与发布。
本手册基于已确认信息:
- 被访人(蒙海文)`personId=964454497399468032`
- 访客(黄平)`personId=1102270499947507712`
- 租户 `businessId=2524639890ba4f2cba9ba1a4eeaa4015`
---
## 2. 目录与交付件
本发布包目录:
- `docs/testing/release-visitor-noauth-verify/访客无鉴权策略验证-生产操作手册.md`
- `docs/testing/release-visitor-noauth-verify/黄平访客ID手工查询.sql`
执行脚本(仓库已有,已按无鉴权流程更新):
- `maven-cw-elevator-application/tools/visitor_floor_verification/scripts/quick_verify_visitor_floor_policy.py`
---
## 3. 验证范围
本次仅验证以下调用链:
1. `POST /component/person/detail`
2. `POST /elevator/person/add/visitor`
3. `POST /elevator/passRule/image`
请求模式:
- `noauth-probe`(不传 Authorization/loginid/platformuserid/applicationid)
- 可选保留 `businessid` 头:`--probe-with-businessid`
---
## 4. 前置条件
### 4.1 运行环境
- 可访问生产网络的 Linux 主机
- Python 3.8+
- 已拉取本仓库代码
### 4.2 依赖安装
```bash
cd maven-cw-elevator-application/tools/visitor_floor_verification
python3 -m pip install -r requirements.txt
```
---
## 5. 参数基线
建议使用以下固定参数:
- `org-base-url`:`http://10.0.22.207:8089`(按现场网关/portal入口可调整)
- `elevator-base-url`:`http://10.0.22.207:16112`
- `business-id`:`2524639890ba4f2cba9ba1a4eeaa4015`
- `meng-person-id`:`964454497399468032`
- `visitor-person-id`:`1102270499947507712`
说明:
- 当前脚本内置默认 `--meng-person-id=964454497399468032`,可不显式传参。
---
## 6. 标准执行命令
```bash
python3 maven-cw-elevator-application/tools/visitor_floor_verification/scripts/quick_verify_visitor_floor_policy.py \
--mode noauth-probe \
--org-base-url "http://10.0.22.207:8089" \
--elevator-base-url "http://10.0.22.207:16112" \
--business-id "2524639890ba4f2cba9ba1a4eeaa4015" \
--visitor-person-id "1102270499947507712" \
--probe-with-businessid
```
---
## 7. 输出与结果判定
脚本终端会输出:
- `mode`
- `grade`
- `summary`
- `report`(报告文件路径)
- `add_visitor_status/code`
- `passrule_image_status/code`
报告文件输出目录:
- `maven-cw-elevator-application/tools/visitor_floor_verification/report/quick-verify-<timestamp>.json`
### 7.1 关键判定规则
#### A. 无鉴权风险判定(noauth-probe)
- `grade=high_risk`:`add/visitor` 在无鉴权下业务成功,判定高风险放开。
- `grade=expected_block`:返回 401/403,判定符合安全预期。
- `grade=needs_review`:非拦截但未成功,需人工复核网关策略。
#### B. 策略触发判定
- 若 `add/visitor` 成功,且 `passRule/image` 回读到楼层数据,判定策略触发成功。
- 若 `add/visitor` 返回 `76260532`,表示策略求交为空(策略生效但无可放行楼层)。
---
## 8. 黄平访客ID手工复核
可执行以下命令打印 SQL 模板:
```bash
python3 maven-cw-elevator-application/tools/visitor_floor_verification/scripts/quick_verify_visitor_floor_policy.py \
--print-visitor-sql-only \
--org-base-url "http://10.0.22.207:8089" \
--elevator-base-url "http://10.0.22.207:16112" \
--visitor-person-id "dummy"
```
或直接使用本包 SQL 文件:
- `docs/testing/release-visitor-noauth-verify/黄平访客ID手工查询.sql`
---
## 9. 发布归档建议
建议将以下文件打包归档:
1. 本操作手册
2. SQL 文件
3. 实际执行命令记录
4. `quick-verify-<timestamp>.json` 报告
5. 关键日志截图(含执行时间与业务码)
建议包名:
- `visitor-noauth-verify-<yyyyMMdd-HHmm>.zip`
---
## 10. 风险提示
- 本流程为生产探测,务必在低峰窗口执行。
- 无鉴权探测若成功,属于安全风险项,应立即同步网关/服务鉴权负责人处理。
- 所有返回结果以现场实际响应为准,需保留原始响应证据。
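Review bot: the script and tool paths quoted in sections 2, 4.2, 6 and 8 (`maven-cw-elevator-application/tools/visitor_floor_verification/...`) still use the legacy `maven-*/` root layout that this same commit says it moved under `backend/`, so the `cd` in 4.2 and the `python3 ...` commands in sections 6 and 8 will not resolve on the reorganized tree; update them to the new prefix or confirm the path before this goes into a release package. Two further gaps a production operator will hit: the grading rules in 7.1 A look only at `add/visitor`, yet `person/detail` and `passRule/image` are probed without credentials as well, and an unauthenticated 200 on either one (person details or pass-rule data returned to an anonymous caller) is its own finding that should be graded rather than folded into `needs_review`; and nothing says what to do with the production visitor authorization that a successful `add/visitor` creates for 黄平 towards 蒙海文, so section 10 should add a revoke/cleanup step next to "notify the gateway/service auth owner". Also note that `--probe-with-businessid` in the section 6 command keeps a `businessid` header, so a `high_risk` result with that flag shows the endpoint trusting a caller-supplied tenant id without authentication; record both runs, with and without the flag, in the archived evidence.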
@@ -0,0 +1,20 @@
-- 访客:黄平(手机号 13926442944)手工查询 SQL
-- 场景:生产环境复核/确认访客 person_id
-- 已知租户:2524639890ba4f2cba9ba1a4eeaa4015
-- 已确认库表:component-organization.cw_is_person
SELECT
person_id,
name,
mobile,
business_id,
labels,
deleted,
create_time,
update_time
FROM `component-organization`.`cw_is_person`
WHERE business_id = '2524639890ba4f2cba9ba1a4eeaa4015'
AND name = '黄平'
AND mobile = '13926442944'
ORDER BY update_time DESC;
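Review bot: this file commits a named individual's mobile number to the repository in the header comment and again in `AND mobile = '13926442944'`, alongside the name and tenant id; the manual already archives the actual commands executed, so the literal belongs in that archived run record, not in source. Replace it with a placeholder the operator substitutes at run time and drop the number from the comment. Minor: the query selects `deleted` but does not filter on it and orders by `update_time DESC`, which is fine for a review query, but the header comment should say that more than one row (including soft-deleted ones) can come back and that the operator must take the non-deleted row with the latest `update_time` as the `person_id` to feed into `--visitor-person-id`.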