一、安全架构设计
1.1 分层安全模型
应用层安全
├── 身份认证
├── 访问控制
├── 输入验证
└── 输出编码
传输层安全
├── TLS/SSL加密
├── 证书管理
└── 密钥轮换
数据层安全
├── 数据加密
├── 数据脱敏
├── 访问审计
└── 备份恢复
基础设施安全
├── 网络安全
├── 主机安全
├── 容器安全
└── 运行时安全
1.2 安全设计原则
# 安全设计原则
security:
principles:
- "最小权限原则"
- "纵深防御"
- "安全默认配置"
- "失败安全"
- "完全中介"
- "开放设计"
- "权限分离"
- "心理可接受性"
二、身份认证与授权
2.1 JWT认证实现
// JWT认证服务
import jwt from 'jsonwebtoken';
import bcrypt from 'bcrypt';
class AuthService {
private readonly JWT_SECRET = process.env.JWT_SECRET!;
private readonly JWT_EXPIRES_IN = '24h';
async authenticate(username: string, password: string) {
// 1. 验证用户
const user = await this.findUser(username);
if (!user) {
throw new Error('用户不存在');
}
// 2. 验证密码
const isValid = await bcrypt.compare(password, user.passwordHash);
if (!isValid) {
throw new Error('密码错误');
}
// 3. 生成JWT
const token = jwt.sign(
{
userId: user.id,
username: user.username,
roles: user.roles,
permissions: user.permissions
},
this.JWT_SECRET,
{
expiresIn: this.JWT_EXPIRES_IN,
issuer: 'openclaw-auth',
audience: 'openclaw-api'
}
);
// 4. 生成刷新令牌
const refreshToken = jwt.sign(
{ userId: user.id },
process.env.REFRESH_TOKEN_SECRET!,
{ expiresIn: '7d' }
);
return { token, refreshToken, user };
}
async verifyToken(token: string) {
try {
const decoded = jwt.verify(token, this.JWT_SECRET, {
issuer: 'openclaw-auth',
audience: 'openclaw-api'
});
return decoded;
} catch (error) {
throw new Error('令牌无效或已过期');
}
}
}
2.2 OAuth2.0集成
// OAuth2.0客户端
import { AuthorizationCode } from 'simple-oauth2';
class OAuth2Client {
private client: AuthorizationCode;
constructor() {
this.client = new AuthorizationCode({
client: {
id: process.env.OAUTH_CLIENT_ID!,
secret: process.env.OAUTH_CLIENT_SECRET!
},
auth: {
tokenHost: process.env.OAUTH_TOKEN_HOST!,
authorizePath: process.env.OAUTH_AUTHORIZE_PATH!,
tokenPath: process.env.OAUTH_TOKEN_PATH!
}
});
}
async getAuthorizationUrl() {
const authorizationUri = this.client.authorizeURL({
redirect_uri: process.env.OAUTH_REDIRECT_URI!,
scope: 'openid profile email',
state: this.generateState()
});
return authorizationUri;
}
async getToken(code: string) {
const tokenParams = {
code,
redirect_uri: process.env.OAUTH_REDIRECT_URI!,
scope: 'openid profile email'
};
const result = await this.client.getToken(tokenParams);
return result.token;
}
}
三、访问控制
3.1 RBAC权限控制
// RBAC权限管理
class RBACService {
private roles = new Map();
private permissions = new Map();
constructor() {
this.initializeRoles();
}
private initializeRoles() {
// 定义角色
this.roles.set('admin', {
name: '管理员',
permissions: [
'workflow:*',
'user:*',
'model:*',
'tool:*',
'system:*'
]
});
this.roles.set('developer', {
name: '开发者',
permissions: [
'workflow:read',
'workflow:write',
'model:read',
'model:execute',
'tool:read',
'tool:execute'
]
});
this.roles.set('viewer', {
name: '查看者',
permissions: [
'workflow:read',
'model:read',
'tool:read'
]
});
}
async checkPermission(user: User, resource: string, action: string) {
const userRoles = user.roles || [];
for (const roleName of userRoles) {
const role = this.roles.get(roleName);
if (!role) continue;
// 检查通配符权限
if (role.permissions.includes(`${resource}:*`)) {
return true;
}
// 检查具体权限
if (role.permissions.includes(`${resource}:${action}`)) {
return true;
}
}
return false;
}
async enforce(user: User, resource: string, action: string) {
const hasPermission = await this.checkPermission(user, resource, action);
if (!hasPermission) {
throw new Error('权限不足');
}
}
}
3.2 ABAC属性访问控制
// ABAC策略引擎
class ABACEngine {
private policies = [];
async evaluate(user: User, resource: Resource, action: string) {
for (const policy of this.policies) {
const result = await this.evaluatePolicy(policy, user, resource, action);
if (result !== undefined) {
return result;
}
}
return false; // 默认拒绝
}
private async evaluatePolicy(policy, user, resource, action) {
// 评估条件
const conditions = policy.conditions || [];
for (const condition of conditions) {
const result = await this.evaluateCondition(condition, user, resource);
if (!result) {
return undefined; // 条件不满足,跳过此策略
}
}
// 检查操作
if (policy.actions.includes(action) || policy.actions.includes('*')) {
return policy.effect === 'allow';
}
return undefined;
}
private async evaluateCondition(condition, user, resource) {
switch (condition.type) {
case 'time':
return this.evaluateTimeCondition(condition);
case 'location':
return this.evaluateLocationCondition(condition, user);
case 'resource':
return this.evaluateResourceCondition(condition, resource);
default:
return false;
}
}
}
四、数据安全
4.1 数据加密
// 数据加密服务
import crypto from 'crypto';
class EncryptionService {
private readonly algorithm = 'aes-256-gcm';
private readonly key: Buffer;
constructor() {
// 从环境变量获取密钥
const keyString = process.env.ENCRYPTION_KEY!;
this.key = crypto.scryptSync(keyString, 'salt', 32);
}
encrypt(text: string): EncryptedData {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(this.algorithm, this.key, iv);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();
return {
encrypted,
iv: iv.toString('hex'),
authTag: authTag.toString('hex'),
algorithm: this.algorithm
};
}
decrypt(encryptedData: EncryptedData): string {
const iv = Buffer.from(encryptedData.iv, 'hex');
const authTag = Buffer.from(encryptedData.authTag, 'hex');
const decipher = crypto.createDecipheriv(
this.algorithm,
this.key,
iv
);
decipher.setAuthTag(authTag);
let decrypted = decipher.update(encryptedData.encrypted, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
// 哈希函数
async hashPassword(password: string): Promise<string> {
const salt = await bcrypt.genSalt(10);
return bcrypt.hash(password, salt);
}
}
4.2 数据脱敏
// 数据脱敏服务
class DataMaskingService {
private maskingRules = {
email: (email: string) => {
const [local, domain] = email.split('@');
const maskedLocal = local.charAt(0) + '***' + local.charAt(local.length - 1);
return `${maskedLocal}@${domain}`;
},
phone: (phone: string) => {
return phone.replace(/(\d{3})\d{4}(\d{4})/, '$1****$2');
},
idCard: (idCard: string) => {
return idCard.replace(/(\d{6})\d{8}(\w{4})/, '$1********$2');
},
bankCard: (card: string) => {
return card.replace(/(\d{4})\d{8}(\d{4})/, '$1****$2');
}
};
maskData(data: any, rules: string[]): any {
if (Array.isArray(data)) {
return data.map(item => this.maskData(item, rules));
}
if (typeof data === 'object' && data !== null) {
const masked = { ...data };
for (const [key, value] of Object.entries(masked)) {
if (rules.includes(key)) {
const masker = this.maskingRules[key];
if (masker && typeof value === 'string') {
masked[key] = masker(value);
}
}
}
return masked;
}
return data;
}
}
五、API安全
5.1 API安全中间件
// API安全中间件
class APISecurityMiddleware {
static async authenticate(req, res, next) {
try {
const authHeader = req.headers.authorization;
if (!authHeader) {
return res.status(401).json({ error: '未提供认证令牌' });
}
const token = authHeader.replace('Bearer ', '');
const decoded = await authService.verifyToken(token);
req.user = decoded;
next();
} catch (error) {
return res.status(401).json({ error: '认证失败' });
}
}
static async authorize(permission: string) {
return async (req, res, next) => {
try {
const [resource, action] = permission.split(':');
await rbacService.enforce(req.user, resource, action);
next();
} catch (error) {
return res.status(403).json({ error: '权限不足' });
}
};
}
static async rateLimit(req, res, next) {
const clientIp = req.ip;
const key = `rate_limit:${clientIp}`;
const current = await redis.incr(key);
if (current === 1) {
await redis.expire(key, 60); // 60秒窗口
}
if (current > 100) { // 每分钟100次
return res.status(429).json({
error: '请求过于频繁',
retryAfter: 60
});
}
next();
}
}
5.2 输入验证
// 输入验证
import { z } from 'zod';
const workflowSchema = z.object({
name: z.string()
.min(1, '工作流名称不能为空')
.max(100, '工作流名称不能超过100个字符'),
description: z.string()
.max(500, '描述不能超过500个字符')
.optional(),
nodes: z.array(
z.object({
id: z.string().uuid(),
type: z.enum(['model', 'tool', 'condition', 'loop']),
config: z.record(z.any())
})
).min(1, '至少需要一个节点'),
edges: z.array(
z.object({
source: z.string().uuid(),
target: z.string().uuid(),
condition: z.string().optional()
})
),
metadata: z.record(z.any()).optional()
});
class InputValidator {
static validateWorkflow(input: any) {
try {
return workflowSchema.parse(input);
} catch (error) {
if (error instanceof z.ZodError) {
const errors = error.errors.map(err => ({
path: err.path.join('.'),
message: err.message
}));
throw new ValidationError('输入验证失败', errors);
}
throw error;
}
}
static sanitizeInput(input: string): string {
// 防止XSS攻击
return input
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
.replace(/\//g, '/');
}
}
六、网络安全
6.1 网络安全配置
# 网络安全策略
network:
# 防火墙规则
firewall:
inbound:
- port: 443
protocol: tcp
source: 0.0.0.0/0
description: "HTTPS访问"
- port: 22
protocol: tcp
source: 10.0.0.0/8
description: "SSH管理"
outbound:
- port: 443
protocol: tcp
destination: 0.0.0.0/0
description: "出站HTTPS"
# WAF配置
waf:
enabled: true
rules:
- type: sql_injection
action: block
- type: xss
action: block
- type: rate_limit
threshold: 100
window: 60
# DDoS防护
ddos:
enabled: true
threshold: 1000
action: rate_limit
6.2 TLS配置
# Nginx TLS配置
server {
listen 443 ssl http2;
server_name openclaw.example.com;
# TLS配置
ssl_certificate /etc/ssl/certs/openclaw.crt;
ssl_certificate_key /etc/ssl/private/openclaw.key;
# 安全协议
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# 安全头
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location / {
proxy_pass http://openclaw-backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
七、安全审计
7.1 审计日志
// 审计日志服务
class AuditLogger {
async log(event: AuditEvent) {
const logEntry = {
timestamp: new Date().toISOString(),
userId: event.userId,
action: event.action,
resource: event.resource,
resourceId: event.resourceId,
ipAddress: event.ipAddress,
userAgent: event.userAgent,
details: event.details,
status: event.status,
metadata: event.metadata
};
// 写入审计日志
await this.writeToDatabase(logEntry);
// 发送到SIEM系统
await this.sendToSIEM(logEntry);
// 实时告警
if (this.isSuspiciousEvent(event)) {
await this.triggerAlert(event);
}
}
private isSuspiciousEvent(event: AuditEvent): boolean {
const suspiciousPatterns = [
// 多次失败登录
event.action === 'login_failed' && event.count > 5,
// 异常时间访问
event.timestamp.getHours() < 6 || event.timestamp.getHours() > 22,
// 敏感操作
['delete', 'update', 'export'].includes(event.action) &&
['user', 'workflow', 'model'].includes(event.resource),
// 来自异常IP
this.isSuspiciousIP(event.ipAddress)
];
return suspiciousPatterns.some(pattern => pattern);
}
}
7.2 安全监控
// 安全监控服务
class SecurityMonitor {
private alerts = [];
async monitor() {
// 监控登录行为
this.monitorLoginAttempts();
// 监控API访问
this.monitorAPIAccess();
// 监控数据访问
this.monitorDataAccess();
// 监控系统资源
this.monitorSystemResources();
}
private async monitorLoginAttempts() {
const recentLogins = await this.getRecentLogins('5m');
const failedLogins = recentLogins.filter(l => !l.success);
if (failedLogins.length > 10) {
await this.triggerAlert({
type: 'brute_force_attempt',
severity: 'high',
details: {
count: failedLogins.length,
ips: [...new Set(failedLogins.map(l => l.ip))]
}
});
}
}
private async monitorAPIAccess() {
const apiStats = await this.getAPIStats('1h');
// 检查异常API调用
for (const [endpoint, stats] of Object.entries(apiStats)) {
if (stats.errorRate > 0.1) { // 错误率超过10%
await this.triggerAlert({
type: 'api_error_rate_high',
severity: 'medium',
details: {
endpoint,
errorRate: stats.errorRate,
totalCalls: stats.total
}
});
}
}
}
}
八、应急响应
8.1 安全事件响应
# 安全事件响应流程
incident_response:
phases:
preparation:
- "建立响应团队"
- "制定响应计划"
- "准备工具和资源"
identification:
- "检测安全事件"
- "确认事件类型"
- "评估影响范围"
containment:
- "隔离受影响系统"
- "阻止攻击扩散"
- "收集证据"
eradication:
- "清除恶意代码"
- "修复漏洞"
- "恢复系统"
recovery:
- "验证修复效果"
- "恢复业务"
- "监控系统"
lessons_learned:
- "分析事件原因"
- "改进安全措施"
- "更新响应计划"
8.2 漏洞管理
// 漏洞管理
class VulnerabilityManager {
async scanDependencies() {
const packageJson = require('./package.json');
const dependencies = {
...packageJson.dependencies,
...packageJson.devDependencies
};
// 检查已知漏洞
const vulnerabilities = await this.checkVulnerabilities(dependencies);
// 生成报告
const report = this.generateReport(vulnerabilities);
// 自动修复
if (this.shouldAutoFix(vulnerabilities)) {
await this.autoFixVulnerabilities(vulnerabilities);
}
return report;
}
async checkVulnerabilities(dependencies: Record<string, string>) {
const results = [];
for (const [name, version] of Object.entries(dependencies)) {
const vulns = await this.queryVulnerabilityDatabase(name, version);
if (vulns.length > 0) {
results.push({
package: name,
version,
vulnerabilities: vulns
});
}
}
return results;
}
}
九、合规与标准
9.1 安全标准遵循
# 安全标准配置
compliance:
standards:
- name: "OWASP Top 10"
version: "2021"
controls:
- "A01:2021 - Broken Access Control"
- "A02:2021 - Cryptographic Failures"
- "A03:2021 - Injection"
- "A04:2021 - Insecure Design"
- "A05:2021 - Security Misconfiguration"
- "A06:2021 - Vulnerable and Outdated Components"
- "A07:2021 - Identification and Authentication Failures"
- "A08:2021 - Software and Data Integrity Failures"
- "A09:2021 - Security Logging and Monitoring Failures"
- "A10:2021 - Server-Side Request Forgery"
- name: "ISO 27001"
controls:
- "A.5 Information security policies"
- "A.6 Organization of information security"
- "A.7 Human resource security"
- "A.8 Asset management"
- "A.9 Access control"
- "A.10 Cryptography"
- "A.11 Physical and environmental security"
- "A.12 Operations security"
- "A.13 Communications security"
- "A.14 System acquisition, development and maintenance"
- "A.15 Supplier relationships"
- "A.16 Information security incident management"
- "A.17 Information security aspects of business continuity management"
- "A.18 Compliance"
十、总结与最佳实践
10.1 安全最佳实践清单
- ✅ 身份认证:多因素认证、JWT令牌管理
- ✅ 访问控制:RBAC/ABAC权限管理
- ✅ 数据安全:加密存储、数据脱敏
- ✅ API安全:输入验证、输出编码、速率限制
- ✅ 网络安全:TLS加密、WAF防护、DDoS防护
- ✅ 安全审计:完整日志记录、实时监控
- ✅ 应急响应:事件响应计划、漏洞管理
- ✅ 合规要求:遵循安全标准和法规
10.2 持续安全改进
# 安全改进计划
security_improvement:
monthly:
- "安全漏洞扫描"
- "权限审计"
- "安全培训"
quarterly:
- "渗透测试"
- "安全架构评审"
- "应急演练"
annually:
- "安全合规审计"
- "安全策略更新"
- "第三方安全评估"
10.3 安全文化建设
- 全员参与:安全是每个人的责任
- 持续培训:定期安全意识和技能培训
- 透明沟通:开放的安全问题讨论
- 奖励机制:鼓励安全行为和创新
- 持续改进:基于反馈不断优化安全措施
通过实施这些安全最佳实践,OpenClaw可以构建一个安全、可靠、合规的AI工作流平台,保护用户数据和系统安全,赢得用户信任。
