feat(tls-fingerprint): 新增 TLS 指纹 Profile 数据库管理及代码质量优化

新增功能： - 新增 TLS 指纹 Profile CRUD 管理（Ent schema + 迁移 + Admin API + 前端管理界面） - 支持账号绑定数据库中的自定义 TLS Profile，或随机选择（profile_id=-1） - HTTPUpstream.DoWithTLS 接口从 bool 改为 *tlsfingerprint.Profile，支持按账号指定 Profile - AccountUsageService 注入 TLSFingerprintProfileService，统一 usage 场景与网关的 Profile 解析逻辑代码优化： - 删除已被 TLSFingerprintProfileService 完全取代的 registry.go 死代码（418 行） - 提取 3 个 dialer 的重复 TLS 握手逻辑为 performTLSHandshake() 共用函数 - 修复 GetTLSFingerprintProfileID 缺少 json.Number 处理的 bug - gateway_service.Forward 中 ResolveTLSProfile 从重试循环内重复调用改为预解析局部变量 - 删除冗余的 buildClientHelloSpec() 单行 wrapper 和 int64(e.ID) 无效转换 - tls_fingerprint_profile_cache.go 日志从 log.Printf 改为 slog 结构化日志 - dialer_capture_test.go 添加 //go:build integration 标签，防止 CI 失败 - 去重 TestProfileExpectation 类型至共享 test_types_test.go - 修复 9 个测试文件缺少 tlsfingerprint import 的编译错误 - 修复 error_policy_integration_test.go 中 handleError 回调签名被错误替换的问题
2026-03-27 14:23:28 +08:00
parent ef5c8e6839
commit 1854050df3
70 changed files with 8095 additions and 1037 deletions
--- a/backend/internal/handler/admin/tls_fingerprint_profile_handler.go
+++ b/backend/internal/handler/admin/tls_fingerprint_profile_handler.go
@@ -0,0 +1,234 @@
+package admin
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/model"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+	"github.com/gin-gonic/gin"
+)
+
+// TLSFingerprintProfileHandler 处理 TLS 指纹模板的 HTTP 请求
+type TLSFingerprintProfileHandler struct {
+	service *service.TLSFingerprintProfileService
+}
+
+// NewTLSFingerprintProfileHandler 创建 TLS 指纹模板处理器
+func NewTLSFingerprintProfileHandler(service *service.TLSFingerprintProfileService) *TLSFingerprintProfileHandler {
+	return &TLSFingerprintProfileHandler{service: service}
+}
+
+// CreateTLSFingerprintProfileRequest 创建模板请求
+type CreateTLSFingerprintProfileRequest struct {
+	Name                string   `json:"name" binding:"required"`
+	Description         *string  `json:"description"`
+	EnableGREASE        *bool    `json:"enable_grease"`
+	CipherSuites        []uint16 `json:"cipher_suites"`
+	Curves              []uint16 `json:"curves"`
+	PointFormats        []uint16 `json:"point_formats"`
+	SignatureAlgorithms []uint16 `json:"signature_algorithms"`
+	ALPNProtocols       []string `json:"alpn_protocols"`
+	SupportedVersions   []uint16 `json:"supported_versions"`
+	KeyShareGroups      []uint16 `json:"key_share_groups"`
+	PSKModes            []uint16 `json:"psk_modes"`
+	Extensions          []uint16 `json:"extensions"`
+}
+
+// UpdateTLSFingerprintProfileRequest 更新模板请求（部分更新）
+type UpdateTLSFingerprintProfileRequest struct {
+	Name                *string  `json:"name"`
+	Description         *string  `json:"description"`
+	EnableGREASE        *bool    `json:"enable_grease"`
+	CipherSuites        []uint16 `json:"cipher_suites"`
+	Curves              []uint16 `json:"curves"`
+	PointFormats        []uint16 `json:"point_formats"`
+	SignatureAlgorithms []uint16 `json:"signature_algorithms"`
+	ALPNProtocols       []string `json:"alpn_protocols"`
+	SupportedVersions   []uint16 `json:"supported_versions"`
+	KeyShareGroups      []uint16 `json:"key_share_groups"`
+	PSKModes            []uint16 `json:"psk_modes"`
+	Extensions          []uint16 `json:"extensions"`
+}
+
+// List 获取所有模板
+// GET /api/v1/admin/tls-fingerprint-profiles
+func (h *TLSFingerprintProfileHandler) List(c *gin.Context) {
+	profiles, err := h.service.List(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, profiles)
+}
+
+// GetByID 根据 ID 获取模板
+// GET /api/v1/admin/tls-fingerprint-profiles/:id
+func (h *TLSFingerprintProfileHandler) GetByID(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid profile ID")
+		return
+	}
+
+	profile, err := h.service.GetByID(c.Request.Context(), id)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	if profile == nil {
+		response.NotFound(c, "Profile not found")
+		return
+	}
+
+	response.Success(c, profile)
+}
+
+// Create 创建模板
+// POST /api/v1/admin/tls-fingerprint-profiles
+func (h *TLSFingerprintProfileHandler) Create(c *gin.Context) {
+	var req CreateTLSFingerprintProfileRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	profile := &model.TLSFingerprintProfile{
+		Name:                req.Name,
+		Description:         req.Description,
+		CipherSuites:        req.CipherSuites,
+		Curves:              req.Curves,
+		PointFormats:        req.PointFormats,
+		SignatureAlgorithms: req.SignatureAlgorithms,
+		ALPNProtocols:       req.ALPNProtocols,
+		SupportedVersions:   req.SupportedVersions,
+		KeyShareGroups:      req.KeyShareGroups,
+		PSKModes:            req.PSKModes,
+		Extensions:          req.Extensions,
+	}
+
+	if req.EnableGREASE != nil {
+		profile.EnableGREASE = *req.EnableGREASE
+	}
+
+	created, err := h.service.Create(c.Request.Context(), profile)
+	if err != nil {
+		if _, ok := err.(*model.ValidationError); ok {
+			response.BadRequest(c, err.Error())
+			return
+		}
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, created)
+}
+
+// Update 更新模板（支持部分更新）
+// PUT /api/v1/admin/tls-fingerprint-profiles/:id
+func (h *TLSFingerprintProfileHandler) Update(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid profile ID")
+		return
+	}
+
+	var req UpdateTLSFingerprintProfileRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	existing, err := h.service.GetByID(c.Request.Context(), id)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	if existing == nil {
+		response.NotFound(c, "Profile not found")
+		return
+	}
+
+	// 部分更新
+	profile := &model.TLSFingerprintProfile{
+		ID:                  id,
+		Name:                existing.Name,
+		Description:         existing.Description,
+		EnableGREASE:        existing.EnableGREASE,
+		CipherSuites:        existing.CipherSuites,
+		Curves:              existing.Curves,
+		PointFormats:        existing.PointFormats,
+		SignatureAlgorithms: existing.SignatureAlgorithms,
+		ALPNProtocols:       existing.ALPNProtocols,
+		SupportedVersions:   existing.SupportedVersions,
+		KeyShareGroups:      existing.KeyShareGroups,
+		PSKModes:            existing.PSKModes,
+		Extensions:          existing.Extensions,
+	}
+
+	if req.Name != nil {
+		profile.Name = *req.Name
+	}
+	if req.Description != nil {
+		profile.Description = req.Description
+	}
+	if req.EnableGREASE != nil {
+		profile.EnableGREASE = *req.EnableGREASE
+	}
+	if req.CipherSuites != nil {
+		profile.CipherSuites = req.CipherSuites
+	}
+	if req.Curves != nil {
+		profile.Curves = req.Curves
+	}
+	if req.PointFormats != nil {
+		profile.PointFormats = req.PointFormats
+	}
+	if req.SignatureAlgorithms != nil {
+		profile.SignatureAlgorithms = req.SignatureAlgorithms
+	}
+	if req.ALPNProtocols != nil {
+		profile.ALPNProtocols = req.ALPNProtocols
+	}
+	if req.SupportedVersions != nil {
+		profile.SupportedVersions = req.SupportedVersions
+	}
+	if req.KeyShareGroups != nil {
+		profile.KeyShareGroups = req.KeyShareGroups
+	}
+	if req.PSKModes != nil {
+		profile.PSKModes = req.PSKModes
+	}
+	if req.Extensions != nil {
+		profile.Extensions = req.Extensions
+	}
+
+	updated, err := h.service.Update(c.Request.Context(), profile)
+	if err != nil {
+		if _, ok := err.(*model.ValidationError); ok {
+			response.BadRequest(c, err.Error())
+			return
+		}
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, updated)
+}
+
+// Delete 删除模板
+// DELETE /api/v1/admin/tls-fingerprint-profiles/:id
+func (h *TLSFingerprintProfileHandler) Delete(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid profile ID")
+		return
+	}
+
+	if err := h.service.Delete(c.Request.Context(), id); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Profile deleted successfully"})
+}
--- a/backend/internal/handler/dto/mappers.go
+++ b/backend/internal/handler/dto/mappers.go
@@ -252,6 +252,10 @@ func AccountFromServiceShallow(a *service.Account) *Account {
 			enabled := true
 			out.EnableTLSFingerprint = &enabled
 		}
+		// TLS指纹模板ID
+		if profileID := a.GetTLSFingerprintProfileID(); profileID > 0 {
+			out.TLSFingerprintProfileID = &profileID
+		}
 		// 会话ID伪装开关
 		if a.IsSessionIDMaskingEnabled() {
 			enabled := true
--- a/backend/internal/handler/dto/types.go
+++ b/backend/internal/handler/dto/types.go
@@ -185,7 +185,8 @@ type Account struct {

 	// TLS指纹伪装（仅 Anthropic OAuth/SetupToken 账号有效）
 	// 从 extra 字段提取，方便前端显示和编辑
-	EnableTLSFingerprint *bool `json:"enable_tls_fingerprint,omitempty"`
+	EnableTLSFingerprint    *bool  `json:"enable_tls_fingerprint,omitempty"`
+	TLSFingerprintProfileID *int64 `json:"tls_fingerprint_profile_id,omitempty"`

 	// 会话ID伪装（仅 Anthropic OAuth/SetupToken 账号有效）
 	// 启用后将在15分钟内固定 metadata.user_id 中的 session ID
--- a/backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go
+++ b/backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go
@@ -75,8 +75,10 @@ func (f *fakeGroupRepo) ListActive(context.Context) ([]service.Group, error) { r
 func (f *fakeGroupRepo) ListActiveByPlatform(context.Context, string) ([]service.Group, error) {
 	return nil, nil
 }
-func (f *fakeGroupRepo) ExistsByName(context.Context, string) (bool, error)    { return false, nil }
-func (f *fakeGroupRepo) GetAccountCount(context.Context, int64) (int64, int64, error) { return 0, 0, nil }
+func (f *fakeGroupRepo) ExistsByName(context.Context, string) (bool, error) { return false, nil }
+func (f *fakeGroupRepo) GetAccountCount(context.Context, int64) (int64, int64, error) {
+	return 0, 0, nil
+}
 func (f *fakeGroupRepo) DeleteAccountGroupsByGroupID(context.Context, int64) (int64, error) {
 	return 0, nil
 }
@@ -158,6 +160,7 @@ func newTestGatewayHandler(t *testing.T, group *service.Group, accounts []*servi
 		nil, // rpmCache
 		nil, // digestStore
 		nil, // settingService
+		nil, // tlsFPProfileService
 	)

 	// RunModeSimple：跳过计费检查，避免引入 repo/cache 依赖。
--- a/backend/internal/handler/handler.go
+++ b/backend/internal/handler/handler.go
@@ -6,29 +6,30 @@ import (

 // AdminHandlers contains all admin-related HTTP handlers
 type AdminHandlers struct {
-	Dashboard        *admin.DashboardHandler
-	User             *admin.UserHandler
-	Group            *admin.GroupHandler
-	Account          *admin.AccountHandler
-	Announcement     *admin.AnnouncementHandler
-	DataManagement   *admin.DataManagementHandler
-	Backup           *admin.BackupHandler
-	OAuth            *admin.OAuthHandler
-	OpenAIOAuth      *admin.OpenAIOAuthHandler
-	GeminiOAuth      *admin.GeminiOAuthHandler
-	AntigravityOAuth *admin.AntigravityOAuthHandler
-	Proxy            *admin.ProxyHandler
-	Redeem           *admin.RedeemHandler
-	Promo            *admin.PromoHandler
-	Setting          *admin.SettingHandler
-	Ops              *admin.OpsHandler
-	System           *admin.SystemHandler
-	Subscription     *admin.SubscriptionHandler
-	Usage            *admin.UsageHandler
-	UserAttribute    *admin.UserAttributeHandler
-	ErrorPassthrough *admin.ErrorPassthroughHandler
-	APIKey           *admin.AdminAPIKeyHandler
-	ScheduledTest    *admin.ScheduledTestHandler
+	Dashboard             *admin.DashboardHandler
+	User                  *admin.UserHandler
+	Group                 *admin.GroupHandler
+	Account               *admin.AccountHandler
+	Announcement          *admin.AnnouncementHandler
+	DataManagement        *admin.DataManagementHandler
+	Backup                *admin.BackupHandler
+	OAuth                 *admin.OAuthHandler
+	OpenAIOAuth           *admin.OpenAIOAuthHandler
+	GeminiOAuth           *admin.GeminiOAuthHandler
+	AntigravityOAuth      *admin.AntigravityOAuthHandler
+	Proxy                 *admin.ProxyHandler
+	Redeem                *admin.RedeemHandler
+	Promo                 *admin.PromoHandler
+	Setting               *admin.SettingHandler
+	Ops                   *admin.OpsHandler
+	System                *admin.SystemHandler
+	Subscription          *admin.SubscriptionHandler
+	Usage                 *admin.UsageHandler
+	UserAttribute         *admin.UserAttributeHandler
+	ErrorPassthrough      *admin.ErrorPassthroughHandler
+	TLSFingerprintProfile *admin.TLSFingerprintProfileHandler
+	APIKey                *admin.AdminAPIKeyHandler
+	ScheduledTest         *admin.ScheduledTestHandler
 }

 // Handlers contains all HTTP handlers
--- a/backend/internal/handler/sora_client_handler_test.go
+++ b/backend/internal/handler/sora_client_handler_test.go
@@ -2224,7 +2224,7 @@ func (s *stubSoraClientForHandler) GetVideoTask(_ context.Context, _ *service.Ac
 func newMinimalGatewayService(accountRepo service.AccountRepository) *service.GatewayService {
 	return service.NewGatewayService(
 		accountRepo, nil, nil, nil, nil, nil, nil, nil, nil,
-		nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
+		nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
 	)
 }

--- a/backend/internal/handler/sora_gateway_handler_test.go
+++ b/backend/internal/handler/sora_gateway_handler_test.go
@@ -464,6 +464,7 @@ func TestSoraGatewayHandler_ChatCompletions(t *testing.T) {
 		nil, // rpmCache
 		nil, // digestStore
 		nil, // settingService
+		nil, // tlsFPProfileService
 	)

 	soraClient := &stubSoraClient{imageURLs: []string{"https://example.com/a.png"}}
--- a/backend/internal/handler/wire.go
+++ b/backend/internal/handler/wire.go
@@ -30,33 +30,35 @@ func ProvideAdminHandlers(
 	usageHandler *admin.UsageHandler,
 	userAttributeHandler *admin.UserAttributeHandler,
 	errorPassthroughHandler *admin.ErrorPassthroughHandler,
+	tlsFingerprintProfileHandler *admin.TLSFingerprintProfileHandler,
 	apiKeyHandler *admin.AdminAPIKeyHandler,
 	scheduledTestHandler *admin.ScheduledTestHandler,
 ) *AdminHandlers {
 	return &AdminHandlers{
-		Dashboard:        dashboardHandler,
-		User:             userHandler,
-		Group:            groupHandler,
-		Account:          accountHandler,
-		Announcement:     announcementHandler,
-		DataManagement:   dataManagementHandler,
-		Backup:           backupHandler,
-		OAuth:            oauthHandler,
-		OpenAIOAuth:      openaiOAuthHandler,
-		GeminiOAuth:      geminiOAuthHandler,
-		AntigravityOAuth: antigravityOAuthHandler,
-		Proxy:            proxyHandler,
-		Redeem:           redeemHandler,
-		Promo:            promoHandler,
-		Setting:          settingHandler,
-		Ops:              opsHandler,
-		System:           systemHandler,
-		Subscription:     subscriptionHandler,
-		Usage:            usageHandler,
-		UserAttribute:    userAttributeHandler,
-		ErrorPassthrough: errorPassthroughHandler,
-		APIKey:           apiKeyHandler,
-		ScheduledTest:    scheduledTestHandler,
+		Dashboard:             dashboardHandler,
+		User:                  userHandler,
+		Group:                 groupHandler,
+		Account:               accountHandler,
+		Announcement:          announcementHandler,
+		DataManagement:        dataManagementHandler,
+		Backup:                backupHandler,
+		OAuth:                 oauthHandler,
+		OpenAIOAuth:           openaiOAuthHandler,
+		GeminiOAuth:           geminiOAuthHandler,
+		AntigravityOAuth:      antigravityOAuthHandler,
+		Proxy:                 proxyHandler,
+		Redeem:                redeemHandler,
+		Promo:                 promoHandler,
+		Setting:               settingHandler,
+		Ops:                   opsHandler,
+		System:                systemHandler,
+		Subscription:          subscriptionHandler,
+		Usage:                 usageHandler,
+		UserAttribute:         userAttributeHandler,
+		ErrorPassthrough:      errorPassthroughHandler,
+		TLSFingerprintProfile: tlsFingerprintProfileHandler,
+		APIKey:                apiKeyHandler,
+		ScheduledTest:         scheduledTestHandler,
 	}
 }

@@ -145,6 +147,7 @@ var ProviderSet = wire.NewSet(
 	admin.NewUsageHandler,
 	admin.NewUserAttributeHandler,
 	admin.NewErrorPassthroughHandler,
+	admin.NewTLSFingerprintProfileHandler,
 	admin.NewAdminAPIKeyHandler,
 	admin.NewScheduledTestHandler,