q792602257/DataMate
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
75db6daeb590185a47a1b517e55b7d90ee454626
DataMate/runtime/datamate-python/app/core/config.py
Jerry Yan 37b478a052 fix(kg): 修复 Codex 审查发现的 P1/P2 问题并补全测试 
修复内容:

P1 级别(关键):
1. 数据隔离漏洞:邻居查询添加 graph_id 路径约束,防止跨图谱数据泄漏
2. 空快照误删风险:添加 allowPurgeOnEmptySnapshot 保护开关(默认 false)
3. 弱默认凭据:启动自检,生产环境检测到默认密码直接拒绝启动

P2 级别(重要):
4. 配置校验:importBatchSize 添加 @Min(1) 验证,启动时 fail-fast
5. N+1 性能:重写 upsertEntity 为单条 Cypher 查询(从 3 条优化到 1 条)
6. 服务认证:添加 mTLS/JWT 文档说明
7. 错误处理:改进 Schema 初始化和序列化错误处理

测试覆盖:
- 新增 69 个单元测试,全部通过
- GraphEntityServiceTest: 13 个测试(CRUD、验证、分页)
- GraphRelationServiceTest: 13 个测试(CRUD、方向验证)
- GraphSyncServiceTest: 5 个测试(验证、全量同步)
- GraphSyncStepServiceTest: 14 个测试(空快照保护、N+1 验证)
- GraphQueryServiceTest: 13 个测试(邻居/路径/子图/搜索)
- GraphInitializerTest: 11 个测试(凭据验证、Schema 初始化)

技术细节:
- 数据隔离:使用 ALL() 函数约束路径中所有节点和关系的 graph_id
- 空快照保护:新增配置项 allow-purge-on-empty-snapshot 和错误码 EMPTY_SNAPSHOT_PURGE_BLOCKED
- 凭据检查:Java 和 Python 双端实现,根据环境(dev/test/prod)采取不同策略
- 性能优化:使用 SDN 复合属性格式(properties.key)在 MERGE 中直接设置属性
- 属性安全:使用白名单 [a-zA-Z0-9_] 防止 Cypher 注入

代码变更:+210 行,-29 行
2026-02-18 09:25:00 +08:00

122 lines
4.4 KiB
Python
Raw Blame History

from pydantic_settings import BaseSettings
from pydantic import SecretStr, model_validator
from typing import Optional
import logging
import os
_logger = logging.getLogger(__name__)
# 已知的弱默认凭据,生产环境禁止使用
_BLOCKED_DEFAULT_PASSWORDS = {"password", "123456", "admin", "root", "datamate123"}
_BLOCKED_DEFAULT_TOKENS = {"abc123abc123", "EMPTY"}
class Settings(BaseSettings):
"""应用程序配置"""
class Config:
env_file = ".env"
case_sensitive = False
extra = 'ignore'
# Service
app_name: str = "DataMate Python Backend"
app_version: str = "1.0.0"
app_description: str = "Adapter for integrating Data Management System with Label Studio"
host: str = "0.0.0.0"
port: int = 18000
# CORS
# allowed_origins: List[str] = ["*"]
# allowed_methods: List[str] = ["*"]
# allowed_headers: List[str] = ["*"]
# Log
log_level: str = "INFO"
debug: bool = True
log_file_dir: str = "/var/log/datamate/backend-python"
# Database
mysql_host: str = "datamate-database"
mysql_port: int = 3306
mysql_user: str = "root"
mysql_password: str = "password"
mysql_database: str = "datamate"
database_url: str = "" # Will be overridden by build_database_url() if not provided
@model_validator(mode='after')
def build_database_url(self):
"""如果没有提供 database_url,则根据 MySQL 配置构建"""
if not self.database_url:
if self.mysql_password and self.mysql_user:
self.database_url = f"mysql+aiomysql://{self.mysql_user}:{self.mysql_password}@{self.mysql_host}:{self.mysql_port}/{self.mysql_database}"
else:
self.database_url = f"mysql+aiomysql://{self.mysql_host}:{self.mysql_port}/{self.mysql_database}"
return self
# Label Studio
label_studio_base_url: str = "http://label-studio:8000"
label_studio_username: Optional[str] = "admin@demo.com"
label_studio_password: Optional[str] = "demoadmin"
label_studio_user_token: Optional[str] = "abc123abc123" # Legacy Token
label_studio_local_document_root: str = "/label-studio/local" # Label Studio local file storage path
label_studio_file_path_prefix: str = "/data/local-files/?d=" # Label Studio local file serving URL prefix
ls_task_page_size: int = 1000
# DataMate
dm_file_path_prefix: str = "/dataset" # DM存储文件夹前缀
# DataMate Backend (Java) - 用于通过"下载/预览接口"读取文件内容
datamate_backend_base_url: str = "http://datamate-backend:8080/api"
# Knowledge Graph - LLM 三元组抽取配置
kg_llm_api_key: SecretStr = SecretStr("EMPTY")
kg_llm_base_url: Optional[str] = None
kg_llm_model: str = "gpt-4o-mini"
kg_llm_temperature: float = 0.0
kg_llm_timeout_seconds: int = 60
kg_llm_max_retries: int = 2
# 标注编辑器(Label Studio Editor)相关
editor_max_text_bytes: int = 0 # <=0 表示不限制,正数为最大字节数
@model_validator(mode='after')
def check_default_credentials(self):
"""生产环境下检测弱默认凭据,拒绝启动。
通过环境变量 DATAMATE_ENV 判断环境:
- dev/test/local: 仅发出警告
- 其他(prod/staging 等): 抛出异常阻止启动
"""
env = os.environ.get("DATAMATE_ENV", "dev").lower()
is_dev = env in ("dev", "test", "local", "development")
issues: list[str] = []
if self.mysql_password in _BLOCKED_DEFAULT_PASSWORDS:
issues.append(f"mysql_password is set to a weak default ('{self.mysql_password}')")
if self.label_studio_password and self.label_studio_password in _BLOCKED_DEFAULT_PASSWORDS:
issues.append("label_studio_password is set to a weak default")
if self.label_studio_user_token and self.label_studio_user_token in _BLOCKED_DEFAULT_TOKENS:
issues.append("label_studio_user_token is set to a weak default")
if issues:
msg = "SECURITY: Weak default credentials detected: " + "; ".join(issues)
if is_dev:
_logger.warning(msg + " (acceptable in dev/test, MUST change for production)")
else:
raise ValueError(
msg + ". Set proper credentials via environment variables "
"before deploying to production."
)
return self
# 全局设置实例
settings = Settings()
Reference in New Issue View Git Blame Copy Permalink