simple_app.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import os
import json
import time
import requests
import socket
import ssl
import csv
import io
import re
import sqlite3
from datetime import datetime
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse, urljoin

from flask import Flask, render_template, request, jsonify, session, redirect, url_for
from flask_cors import CORS
from bs4 import BeautifulSoup
from functools import wraps
from werkzeug.security import generate_password_hash, check_password_hash
from cryptography import x509
from cryptography.hazmat.backends import default_backend

# ==========================================
# 核心配置区 (彻底告别 JSON 文件，拥抱 DB)
# ==========================================
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
DB_FILE = os.path.join(BASE_DIR, 'eagleeye.db')

# 老旧 JSON 文件路径（仅用于系统第一次启动时的无损迁移）
WEBSITES_FILE = os.path.join(BASE_DIR, 'websites.json')
RECORDS_FILE = os.path.join(BASE_DIR, 'monitor_records.json')
SETTINGS_FILE = os.path.join(BASE_DIR, 'settings.json')
AUDIT_LOGS_FILE = os.path.join(BASE_DIR, 'audit_logs.json')
USERS_FILE = os.path.join(BASE_DIR, 'users.json')

app = Flask(__name__)
CORS(app)
app.secret_key = 'EagleEye_Pro_Enterprise_Secret_Key_2026!@#'

# 核心线程池与缓存
executor = ThreadPoolExecutor(max_workers=50)
SCAN_COOLDOWN = {}
COOLDOWN_SECONDS = 1800
ALERT_STATE_CACHE = {}


# ==========================================
# 数据库基座操作
# ==========================================
def query_db(query, args=(), one=False):
    """通用数据库查询"""
    with sqlite3.connect(DB_FILE, timeout=10) as conn:
        conn.row_factory = sqlite3.Row
        cur = conn.execute(query, args)
        rv = cur.fetchall()
        return (dict(rv[0]) if rv else None) if one else [dict(x) for x in rv]


def execute_db(query, args=()):
    """通用数据库写入"""
    with sqlite3.connect(DB_FILE, timeout=10) as conn:
        conn.execute(query, args)
        conn.commit()


def init_and_migrate_db():
    """系统启动初始化，自动将老JSON无缝迁移到数据库"""
    with sqlite3.connect(DB_FILE, timeout=10) as conn:
        conn.execute(
            '''CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, password TEXT, role TEXT, permissions TEXT)''')
        conn.execute(
            '''CREATE TABLE IF NOT EXISTS assets (url TEXT PRIMARY KEY, group_name TEXT, added_at DATETIME DEFAULT CURRENT_TIMESTAMP)''')
        conn.execute(
            '''CREATE TABLE IF NOT EXISTS records (url TEXT PRIMARY KEY, status TEXT, code INTEGER, latency INTEGER, title TEXT, risk_score INTEGER, vuln_details TEXT, infra TEXT, server TEXT, ssl TEXT, updated_at DATETIME DEFAULT CURRENT_TIMESTAMP)''')
        conn.execute(
            '''CREATE TABLE IF NOT EXISTS audit_logs (id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, url TEXT, group_name TEXT, event TEXT, detail TEXT)''')
        conn.execute('''CREATE TABLE IF NOT EXISTS settings (key TEXT PRIMARY KEY, value TEXT)''')
        conn.commit()

    if os.path.exists(USERS_FILE):
        try:
            with open(USERS_FILE, 'r', encoding='utf-8') as f:
                users = json.load(f)
            for u, info in users.items():
                if query_db("SELECT 1 FROM users WHERE username=?", (u,)): continue
                if isinstance(info, str):
                    execute_db("INSERT INTO users (username, password, role, permissions) VALUES (?, ?, 'user', ?)",
                               (u, info,
                                json.dumps(["dashboard", "monitor", "risks", "assets", "reports", "logs", "settings"])))
                else:
                    execute_db("INSERT INTO users (username, password, role, permissions) VALUES (?, ?, ?, ?)",
                               (u, info.get('password'), info.get('role', 'user'),
                                json.dumps(info.get('permissions', []))))
            os.rename(USERS_FILE, USERS_FILE + '.bak')
        except Exception as e:
            print(f"[DB] 迁移 Users 失败: {e}")

    admin_user = query_db("SELECT * FROM users WHERE username='admin'", one=True)
    all_perms = json.dumps(["dashboard", "monitor", "risks", "assets", "reports", "logs", "settings", "users"])
    if not admin_user:
        execute_db("INSERT INTO users (username, password, role, permissions) VALUES (?, ?, 'admin', ?)",
                   ('admin', generate_password_hash("admin123"), all_perms))
    elif admin_user['role'] != 'admin' or 'users' not in admin_user['permissions']:
        execute_db("UPDATE users SET role='admin', permissions=? WHERE username='admin'", (all_perms,))

    if os.path.exists(WEBSITES_FILE):
        try:
            with open(WEBSITES_FILE, 'r', encoding='utf-8') as f:
                assets = json.load(f)
            for item in assets:
                url = item if isinstance(item, str) else item.get('url')
                grp = '默认分组' if isinstance(item, str) else item.get('group', '默认分组')
                execute_db("INSERT OR IGNORE INTO assets (url, group_name) VALUES (?, ?)", (url, grp))
            os.rename(WEBSITES_FILE, WEBSITES_FILE + '.bak')
        except Exception:
            pass

    if os.path.exists(RECORDS_FILE):
        try:
            with open(RECORDS_FILE, 'r', encoding='utf-8') as f:
                records = json.load(f)
            for r in records:
                execute_db(
                    '''INSERT OR REPLACE INTO records (url, status, code, latency, title, risk_score, vuln_details, infra, server, ssl) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)''',
                    (r['url'], r.get('status'), r.get('code', 0), r.get('latency', 0), r.get('title', ''),
                     r.get('risk_score', 100), json.dumps(r.get('vuln_details', [])), json.dumps(r.get('infra', {})),
                     r.get('server', ''), json.dumps(r.get('ssl', {}))))
            os.rename(RECORDS_FILE, RECORDS_FILE + '.bak')
        except Exception:
            pass

    if os.path.exists(AUDIT_LOGS_FILE):
        try:
            with open(AUDIT_LOGS_FILE, 'r', encoding='utf-8') as f:
                logs = json.load(f)
            for log in logs: execute_db(
                "INSERT INTO audit_logs (time, url, group_name, event, detail) VALUES (?, ?, ?, ?, ?)",
                (log['time'], log['url'], log.get('group', '默认'), log['event'], log['detail']))
            os.rename(AUDIT_LOGS_FILE, AUDIT_LOGS_FILE + '.bak')
        except Exception:
            pass

    if os.path.exists(SETTINGS_FILE):
        try:
            with open(SETTINGS_FILE, 'r', encoding='utf-8') as f:
                settings = json.load(f)
            if 'word_templates' in settings: del settings['word_templates']  # 清理历史无用字段
            execute_db("INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)",
                       ('sys_settings', json.dumps(settings)))
            os.rename(SETTINGS_FILE, SETTINGS_FILE + '.bak')
        except Exception:
            pass
    else:
        if not query_db("SELECT 1 FROM settings WHERE key='sys_settings'"):
            default_tpl = "### {date} 自动生成安全报表\n{top5_risks}"
            default_settings = {"keywords": "博彩,荷官,娱乐城,色情,发票,VPN", "timeout": 8, "webhooks": [],
                                "templates": [
                                    {"id": "tpl_1", "name": "默认基础模板", "type": "daily", "content": default_tpl}]}
            execute_db("INSERT INTO settings (key, value) VALUES (?, ?)",
                       ('sys_settings', json.dumps(default_settings)))


init_and_migrate_db()


def load_settings():
    row = query_db("SELECT value FROM settings WHERE key='sys_settings'", one=True)
    return json.loads(row['value']) if row else {}


def save_settings_db(data):
    execute_db("UPDATE settings SET value=? WHERE key='sys_settings'", (json.dumps(data),))


def append_audit_log(url, group, event_type, detail):
    time_str = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    execute_db("INSERT INTO audit_logs (time, url, group_name, event, detail) VALUES (?, ?, ?, ?, ?)",
               (time_str, url, group, event_type, detail))


def lock_and_update_record(res):
    execute_db(
        '''INSERT OR REPLACE INTO records (url, status, code, latency, title, risk_score, vuln_details, infra, server, ssl) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)''',
        (res['url'], res['status'], res['code'], res['latency'], res['title'], res['risk_score'],
         json.dumps(res['vuln_details']), json.dumps(res['infra']), res['server'], json.dumps(res['ssl'])))


# ==========================================
# 告警与纯净版报表核心
# ==========================================
class AlertManager:
    @staticmethod
    def send_dingtalk(webhook_url, title, text):
        if not webhook_url or not webhook_url.startswith("http"): return
        if "监控" not in title: title = f"【EagleEye监控】{title}"
        try:
            requests.post(webhook_url, json={"msgtype": "markdown", "markdown": {"title": title, "text": text}},
                          timeout=5)
        except:
            pass

    @staticmethod
    def push_to_all(title, text):
        for wh in load_settings().get('webhooks', []): AlertManager.send_dingtalk(wh.get('url'), title, text)

    @staticmethod
    def check_and_alert(result):
        url = result['url'];
        group = result.get('group', '默认分组')
        curr_status = result['status']
        curr_risk = 'high' if result.get('risk_score', 100) < 90 else 'low'
        curr_ssl_valid = result.get('ssl', {}).get('valid', True)
        if not url.startswith('https'): curr_ssl_valid = True

        last_state = ALERT_STATE_CACHE.get(url, {'status': 'unknown', 'risk': 'unknown', 'ssl_valid': True})
        last_status, last_risk, last_ssl_valid = last_state.get('status'), last_state.get('risk'), last_state.get(
            'ssl_valid', True)
        should_send = False;
        title = "";
        ssl_status = result.get('ssl', {}).get('status', '无SSL')
        vulns = [v for v in result.get('vuln_details', []) if 'SSL' not in v['type']]
        base_md = f"### {url}\n**所属分组**: {group}\n**检测时间**: {datetime.now().strftime('%Y-%m-%d %H:%M')}\n\n---\n"

        if curr_status == 'down' and last_status in ['up', 'unknown']:
            title = "【监控】网站宕机断网";
            base_md += "🔴 **网络状态**: 无法访问 (Down)\n";
            should_send = True;
            append_audit_log(url, group, "宕机故障", "网络连接失败")
        elif curr_status == 'up' and last_status == 'down':
            title = "【监控】网站网络恢复";
            base_md += "🟢 **网络状态**: 恢复连通 (Up)\n";
            should_send = True;
            append_audit_log(url, group, "网络恢复", "恢复正常访问")
        elif curr_status == 'up' and not curr_ssl_valid and last_ssl_valid:
            title = "【监控】SSL证书异常";
            base_md += f"🔴 **SSL证书**: {ssl_status}\n";
            should_send = True;
            append_audit_log(url, group, "SSL异常", f"详细状态: {ssl_status}")
        elif curr_status == 'up' and curr_ssl_valid and not last_ssl_valid:
            title = "【监控】SSL证书恢复";
            base_md += "🟢 **SSL证书**: 恢复有效\n";
            should_send = True;
            append_audit_log(url, group, "SSL恢复", "SSL证书检测恢复有效")
        elif curr_status == 'up' and curr_risk == 'high' and last_risk != 'high':
            title = f"【监控】发现安全风险";
            base_md += f"🔒 **SSL状态**: {ssl_status}\n⚠️ **安全风险**: 发现 {len(vulns)} 项隐患\n"
            for v in vulns: base_md += f"- **{v['type']}**: {v['desc']}\n"
            if vulns: should_send = True; append_audit_log(url, group, "发现风险",
                                                           f"触发: {', '.join([v['type'] for v in vulns])}")
        elif curr_status == 'up' and curr_risk == 'low' and last_risk == 'high':
            append_audit_log(url, group, "风险解除", "安全检测通过，异常消失")

        if should_send: AlertManager.push_to_all(title, f"{base_md}\n---\n*来自 EagleEye 自动化巡检引擎*")
        if last_status == 'unknown' or should_send or (
                curr_status == 'up' and curr_risk == 'low' and last_risk == 'high'):
            ALERT_STATE_CACHE[url] = {'status': curr_status, 'risk': curr_risk, 'ssl_valid': curr_ssl_valid}


def get_report_context_data(start_date=None, end_date=None, group_filter='', url_filter=[]):
    assets = query_db("SELECT * FROM assets")
    records_db = query_db("SELECT * FROM records")
    record_map = {r['url']: r for r in records_db}

    results = []
    for a in assets:
        url, grp = a['url'], a['group_name']
        if group_filter and grp != group_filter: continue
        if url_filter and url not in url_filter: continue
        if url in record_map:
            r = record_map[url]
            r['group'] = grp
            r['vuln_details'] = json.loads(r['vuln_details'])
            results.append(r)

    total = len(results)
    online = sum(1 for r in results if r['status'] == 'up')
    down = total - online
    risk = sum(1 for r in results if r.get('risk_score', 100) < 90)
    scores = [r.get('risk_score', 100) for r in results]
    avg_score = int(sum(scores) / len(scores)) if scores else 100
    high_risk_count = sum(1 for s in scores if s < 90)
    safe_count = sum(1 for s in scores if s >= 90)
    total_calc = total if total > 0 else 1

    sorted_risks = sorted([r for r in results if r.get('risk_score', 100) < 100],
                          key=lambda x: x.get('risk_score', 100))
    top5_list = [{"rank": idx + 1, "group": r.get('group', '默认'), "url": r['url'], "score": r.get('risk_score', 100),
                  "vulns": ", ".join([v.get('type', '') for v in r.get('vuln_details', [])]) if r.get(
                      'vuln_details') else "网络连通异常"} for idx, r in enumerate(sorted_risks[:5])]

    details_list = []
    for r in results:
        if r['status'] == 'down':
            details_list.append(
                {"group": r.get('group', '默认'), "url": r['url'], "status": "无法访问 (断网)", "vulns": "-"})
        elif r.get('risk_score', 100) < 90:
            details_list.append({"group": r.get('group', '默认'), "url": r['url'], "status": "在线但存隐患",
                                 "vulns": '; '.join([f"{v['type']}({v['desc']})" for v in r.get('vuln_details', [])])})

    query = "SELECT * FROM audit_logs WHERE 1=1";
    args = []
    if group_filter: query += " AND group_name=?"; args.append(group_filter)
    if start_date: query += " AND time >= ?"; args.append(start_date.replace('T', ' ') + ':00')
    if end_date: query += " AND time <= ?"; args.append(end_date.replace('T', ' ') + ':59')

    logs_db = query_db(query + " ORDER BY time DESC", tuple(args))
    filtered_logs = [log for log in logs_db if not url_filter or log['url'] in url_filter]

    filter_info = []
    if group_filter: filter_info.append(f"限定分组: [{group_filter}]")
    if url_filter: filter_info.append(f"限定资产: {len(url_filter)}个站点")

    return {
        'date': datetime.now().strftime('%Y-%m-%d %H:%M'),
        'start_date': start_date[:10] if start_date else '建档日',
        'end_date': end_date[:10] if end_date else '至今',
        'filter_info': "、".join(filter_info) if filter_info else "全局所有资产",
        'score': avg_score, 'total': total, 'online': online, 'down': down, 'risk': risk,
        'high_risk_count': high_risk_count, 'high_risk_pct': round(high_risk_count / total_calc * 100, 1),
        'safe_count': safe_count, 'safe_pct': round(safe_count / total_calc * 100, 1),
        'top5_risks': top5_list, 'top10_logs': filtered_logs[:20], 'details': details_list
    }


def generate_report_markdown(template_content, start_date=None, end_date=None, group_filter='', url_filter=[]):
    ctx = get_report_context_data(start_date, end_date, group_filter, url_filter)

    top5_str = "| 排名 | 资产分组 | 资产地址 | 安全评分 | 核心风险表现 |\n| :---: | :--- | :--- | :---: | :--- |\n" + "".join(
        [
            f"| {item['rank']} | {item['group']} | {item['url']} | **{item['score']}** | <span style='color:red;'>{item['vulns']}</span> |\n"
            for item in ctx['top5_risks']]) if ctx['top5_risks'] else "> ✅ 当前筛选范围内所有资产运行良好。\n"

    details_str = "".join([f"- 🔴 **[{item['group']}] {item['url']}**: {item['status']}\n" if "断网" in item[
        'status'] else f"- ⚠️ **[{item['group']}] {item['url']}**: 存在隐患 -> {item['vulns']}\n" for item in
                           ctx['details']]) or "> ✅ 当前筛选范围内未发现任何异常明细。\n"

    top10_str = "| 发生时间 | 资产分组 | 资产对象 (URL) | 事件类型 | 详情说明 |\n| :--- | :--- | :--- | :--- | :--- |\n" + "".join(
        [
            f"| {lg['time']} | {lg.get('group_name', '默认')} | {lg['url']} | **{lg['event']}** | {lg['detail'].replace(chr(10), ' ')} |\n"
            for lg in ctx['top10_logs']]) if ctx['top10_logs'] else "> ✅ 筛选范围内未发生任何状态变更与告警。\n"

    md = template_content
    for k in ['date', 'start_date', 'end_date', 'filter_info', 'score', 'total', 'online', 'down', 'risk',
              'high_risk_count', 'high_risk_pct', 'safe_count', 'safe_pct']:
        md = md.replace('{' + k + '}', str(ctx[k]))
    return md.replace('{top5_risks}', top5_str).replace('{top10_logs}', top10_str).replace('{details}', details_str)


# ==========================================
# 扫描探针底层引擎 (完全保持不变)
# ==========================================
def parse_url(url):
    if not url.startswith(('http://', 'https://')): url = f'https://{url}'
    parsed = urlparse(url)
    return parsed.hostname, parsed.port if parsed.port else (443 if parsed.scheme == 'https' else 80)


def detect_encoding(resp):
    encoding = resp.encoding
    if not encoding or encoding.lower() == 'iso-8859-1':
        try:
            return resp.content.decode('utf-8')
        except:
            return resp.content.decode('gb18030', errors='ignore')
    return resp.text


def get_cert_info(hostname, port, timeout_val):
    info = {"valid": False, "days": 0, "status": "未获取到证书内容"}
    try:
        ctx = ssl.create_default_context();
        ctx.check_hostname = False;
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((hostname, port), timeout=timeout_val) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as ssock:
                cert_der = ssock.getpeercert(binary_form=True)
                if cert_der:
                    cert = x509.load_der_x509_certificate(cert_der, default_backend())
                    left = (cert.not_valid_after - datetime.now()).days
                    info['days'] = left
                    if left < 0:
                        info['valid'] = False; info['status'] = f"证书已过期 (超期 {-left} 天)"
                    elif left <= 7:
                        info['valid'] = False; info['status'] = f"证书即将过期告警 (仅剩 {left} 天)"
                    else:
                        info['valid'] = True; info['status'] = f"证书正常有效 (剩余 {left} 天)"
    except socket.timeout:
        info['status'] = f"HTTPS({port}端口) 连接超时"
    except ConnectionRefusedError:
        info['status'] = f"HTTPS({port}端口) 连接被拒绝"
    except Exception as e:
        info['status'] = f"SSL握手异常: {str(e)[:30]}"
    return info


def analyze_reputation_risks(html, soup, current_url, keywords_str):
    risks = []
    try:
        text_soup = BeautifulSoup(str(soup), 'html.parser')
        for tag in text_soup(["script", "style", "noscript"]): tag.extract()
        body_text = text_soup.get_text(separator=' ', strip=True)
    except:
        body_text = ""

    page_title = str(soup.title.string).strip() if soup.title and soup.title.string else "未知标题"
    black_keywords = [k.strip() for k in keywords_str.split(',') if k.strip()]
    found_keywords = set();
    evidence_details = []

    for kw in black_keywords:
        if kw in page_title: found_keywords.add(kw); evidence_details.append(
            f"[标题检出] {page_title.replace(kw, f'【{kw}】')}")
        if kw in body_text:
            found_keywords.add(kw);
            idx = body_text.find(kw)
            evidence_details.append(
                f"[正文检出] ...{body_text[max(0, idx - 30):min(len(body_text), idx + 30)].replace(kw, f' >>{kw}<< ')}...")
            if len(evidence_details) > 5: break
    if found_keywords: risks.append(
        {"type": "内容违规", "level": "high", "desc": "发现敏感违规词", "evidence": evidence_details})

    style_regex = re.compile(
        r'display:\s*none|visibility:\s*hidden|text-indent:\s*-\d+px|left:\s*-\d{3,}px|top:\s*-\d{3,}px|opacity:\s*0|font-size:\s*0|width:\s*0px?\s*;\s*height:\s*0px?',
        re.I)
    ext_hidden = []
    try:
        for link in soup.find_all('a'):
            href = link.get('href', '').strip()
            if not href or href.startswith(('javascript:', '#', 'tel:', 'mailto:')): continue
            try:
                full_url = urljoin(current_url, href)
                b_dom, t_dom = urlparse(current_url).netloc, urlparse(full_url).netloc
                if not ('.'.join(b_dom.split('.')[-2:]) != '.'.join(t_dom.split('.')[-2:]) and t_dom != ''): continue
            except:
                continue

            code = str(link)[:150]
            if link.get('style', '') and style_regex.search(link.get('style', '')):
                ext_hidden.append(f"[CSS特征隐藏] 目标: {full_url}\n代码: {code}")
            elif not link.get_text(strip=True) and not link.find('img'):
                ext_hidden.append(f"[无内容空标签外链] 目标: {full_url}\n代码: {code}")
            if len(ext_hidden) > 10: break
        if ext_hidden: risks.append(
            {"type": "恶意暗链篡改", "level": "high", "desc": f"发现 {len(ext_hidden)} 个高度可疑的隐藏外链",
             "evidence": ext_hidden[:5]})
    except Exception:
        pass
    return risks


def scan_task(url, timeout_val, keywords_str):
    SCAN_COOLDOWN[url] = time.time()
    res = {"url": url, "timestamp": datetime.now().strftime('%Y-%m-%d %H:%M:%S'), "status": "down", "code": 0,
           "latency": 0, "title": "连通性检测中...", "risk_score": 100, "vuln_details": [],
           "infra": {"ip": "未解析", "ports": []}, "server": "-",
           "ssl": {"valid": False, "days": 0, "status": "未检测"}}

    hostname, port = parse_url(url)
    if not hostname: res['title'] = '无效URL格式'; res['status'] = 'error'; return res
    try:
        res['infra']['ip'] = socket.gethostbyname(hostname)
    except:
        pass

    t1 = time.time();
    soup = None;
    html_content = ""
    try:
        r = requests.get(url, timeout=timeout_val, verify=False,
                         headers={'User-Agent': 'Mozilla/5.0 EagleEye/Pro Scanner'})
        res['latency'], res['code'], res['status'], res['server'] = int(
            (time.time() - t1) * 1000), r.status_code, 'up' if r.status_code < 500 else 'error', r.headers.get('Server',
                                                                                                               '-')
        try:
            html_content = detect_encoding(r)
            soup = BeautifulSoup(html_content, 'html.parser')
            res['title'] = str(soup.title.string).strip() if soup.title and soup.title.string else "无标题页面"
        except Exception:
            res['title'] = "HTML解析失败"
    except requests.exceptions.Timeout:
        res['status'] = 'down'; res['title'] = '网站响应超时'; res['vuln_details'].append(
            {"type": "网络故障", "level": "high", "desc": f"响应超时 {timeout_val}秒", "evidence": []})
    except requests.exceptions.ConnectionError:
        res['status'] = 'down'; res['title'] = '拒绝连接'; res['vuln_details'].append(
            {"type": "网络故障", "level": "high", "desc": "拒绝连接或不可达", "evidence": []})
    except Exception as e:
        res['status'] = 'down'; res['title'] = '网络握手异常'; res['vuln_details'].append(
            {"type": "网络故障", "level": "high", "desc": "底层网络错误", "evidence": [str(e)[:100]]})

    if soup:
        try:
            res['vuln_details'].extend(analyze_reputation_risks(html_content, soup, url, keywords_str))
        except Exception:
            pass

    if url.lower().startswith('https://'):
        ssl_info = get_cert_info(hostname, port, timeout_val)
        res['ssl'] = ssl_info
        if not ssl_info['valid'] and "超时" not in ssl_info['status'] and "拒绝" not in ssl_info[
            'status'] and "未获取" not in ssl_info['status']:
            res['vuln_details'].append({"type": "SSL异常", "level": "high", "desc": ssl_info['status'], "evidence": []})
    else:
        res['ssl']['status'] = "纯HTTP站点(无SSL)"

    score = 100
    if res['status'] == 'down':
        score -= 50
    else:
        for v in res['vuln_details']:
            if v['level'] == 'high':
                score -= 40
            elif v['level'] == 'medium':
                score -= 15
    res['risk_score'] = max(0, score)
    return res


def background_scan(url, group):
    try:
        settings = load_settings()
        timeout_val = int(str(settings.get('timeout', '8')).strip() or 8)
        res = scan_task(url, timeout_val, settings.get('keywords', ''))
        res['group'] = group
        lock_and_update_record(res)
        AlertManager.check_and_alert(res)
    except Exception as e:
        print(f"[Engine] Scan error for {url}: {e}")


# ==========================================
# 鉴权与 API 路由层 (对接完美前端)
# ==========================================
def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if 'logged_in' not in session:
            if request.path.startswith('/api/'): return jsonify({'code': 401, 'msg': '未授权'}), 401
            return redirect(url_for('login_page'))
        return f(*args, **kwargs)

    return decorated_function


def admin_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if 'logged_in' not in session: return jsonify({'code': 401, 'msg': '未授权'}), 401
        if session.get('role') != 'admin': return jsonify({'code': 403, 'msg': '权限不足'}), 403
        return f(*args, **kwargs)

    return decorated_function


@app.route('/login', methods=['GET'])
def login_page():
    if 'logged_in' in session: return redirect(url_for('index'))
    return render_template('login.html')


@app.route('/api/login', methods=['POST'])
def api_login():
    data = request.json or {}
    user = query_db("SELECT * FROM users WHERE username=?", (data.get('username', '').strip(),), one=True)
    if user and check_password_hash(user['password'], data.get('password', '')):
        session['logged_in'] = True;
        session['username'] = user['username'];
        session['role'] = user['role']
        return jsonify({'code': 200, 'msg': '登录成功'})
    return jsonify({'code': 401, 'msg': '账号或密码错误'})


@app.route('/api/register', methods=['POST'])
def api_register():
    data = request.json or {}
    username = data.get('username', '').strip()
    password = data.get('password', '')

    if not username or len(password) < 6:
        return jsonify({'code': 400, 'msg': '账号格式错误或密码不足6位'})

    # 检查账号是否已被注册
    if query_db("SELECT 1 FROM users WHERE username=?", (username,)):
        return jsonify({'code': 400, 'msg': '该账号已被注册'})

    # 新注册用户默认分配的基础权限（不含账号管理）
    perms = json.dumps(["dashboard", "monitor", "risks", "reports", "logs", "settings"])
    execute_db("INSERT INTO users (username, password, role, permissions) VALUES (?, ?, 'user', ?)",
               (username, generate_password_hash(password), perms))

    return jsonify({'code': 200, 'msg': '注册成功'})

@app.route('/api/logout', methods=['POST', 'GET'])
def api_logout():
    session.clear();
    return jsonify({'code': 200, 'msg': '登出成功'})


@app.route('/api/user/info', methods=['GET'])
@login_required
def api_user_info():
    user = query_db("SELECT * FROM users WHERE username=?", (session.get('username'),), one=True)
    if not user: session.clear(); return jsonify({'code': 401, 'msg': '用户不存在'}), 401
    return jsonify({'username': user['username'], 'role': user['role'], 'permissions': json.loads(user['permissions'])})


@app.route('/api/users', methods=['GET'])
@admin_required
def api_get_users():
    return jsonify([{"username": u['username'], "role": u['role'], "permissions": json.loads(u['permissions'])} for u in
                    query_db("SELECT * FROM users")])


@app.route('/api/users', methods=['POST'])
@admin_required
def api_update_user():
    data = request.json;
    t_user = data.get('username', '').strip()
    user = query_db("SELECT * FROM users WHERE username=?", (t_user,), one=True)
    perms = json.dumps(data.get('permissions', []))
    if not user:
        execute_db("INSERT INTO users (username, password, role, permissions) VALUES (?, ?, 'user', ?)",
                   (t_user, generate_password_hash(data.get('password', '')), perms))
    else:
        if t_user == 'admin' and session.get('username') != 'admin': return jsonify(
            {'code': 403, 'msg': '不能越权'}), 403
        if data.get('password'):
            execute_db("UPDATE users SET password=?, permissions=? WHERE username=?",
                       (generate_password_hash(data.get('password')), perms, t_user))
        else:
            execute_db("UPDATE users SET permissions=? WHERE username=?", (perms, t_user))
    return jsonify({'code': 200, 'msg': '成功'})


@app.route('/api/users', methods=['DELETE'])
@admin_required
def api_delete_user():
    if request.json.get('username') == 'admin': return jsonify({'code': 403, 'msg': '内置超管不可删除'})
    execute_db("DELETE FROM users WHERE username=?", (request.json.get('username'),))
    return jsonify({'code': 200, 'msg': '成功'})


@app.route('/')
@login_required
def index(): return render_template('index.html')


@app.route('/api/websites', methods=['GET', 'POST'])
@login_required
def handle_websites():
    if request.method == 'GET': return jsonify(query_db("SELECT url, group_name as 'group' FROM assets"))
    url = request.json.get('url', '').strip();
    group = request.json.get('group', '默认分组').strip()
    if not url.startswith(('http', 'https')): url = 'https://' + url
    if not query_db("SELECT 1 FROM assets WHERE url=?", (url,)):
        execute_db("INSERT INTO assets (url, group_name) VALUES (?, ?)", (url, group))
        executor.submit(background_scan, url, group)
        return jsonify({'msg': 'ok'})
    return jsonify({'error': 'exists'}), 400


@app.route('/api/websites/import', methods=['POST'])
@login_required
def import_websites():
    group = request.form.get('group', '默认分组').strip()
    urls = [x.strip() for x in
            request.files['file'].read().decode('utf-8', errors='ignore').replace(',', '\n').split('\n') if x.strip()]
    count = 0
    for u in set(urls):
        if not u.startswith(('http', 'https')): u = 'https://' + u
        if not query_db("SELECT 1 FROM assets WHERE url=?", (u,)):
            execute_db("INSERT INTO assets (url, group_name) VALUES (?, ?)", (u, group))
            count += 1;
            executor.submit(background_scan, u, group)
    return jsonify({'msg': f'成功导入 {count} 条资产至 [{group}]'})


@app.route('/api/websites/delete', methods=['POST'])
@login_required
def delete_website():
    url = request.json.get('url')
    execute_db("DELETE FROM assets WHERE url=?", (url,));
    execute_db("DELETE FROM records WHERE url=?", (url,))
    if url in ALERT_STATE_CACHE: del ALERT_STATE_CACHE[url]
    return jsonify({'msg': 'ok'})


@app.route('/api/websites/delete_bulk', methods=['POST'])
@login_required
def delete_website_bulk():
    urls = request.json.get('urls', [])
    with sqlite3.connect(DB_FILE, timeout=10) as conn:
        conn.executemany("DELETE FROM assets WHERE url=?", [(u,) for u in urls])
        conn.executemany("DELETE FROM records WHERE url=?", [(u,) for u in urls])
        conn.commit()
    for u in urls:
        if u in ALERT_STATE_CACHE: del ALERT_STATE_CACHE[u]
    return jsonify({'msg': 'ok'})


@app.route('/api/settings', methods=['GET', 'POST'])
@login_required
def api_settings():
    if request.method == 'GET': return jsonify(load_settings())
    save_settings_db(request.json);
    return jsonify({'msg': 'Saved'})


@app.route('/api/reports/render', methods=['POST'])
@login_required
def api_report_render():
    data = request.json
    return jsonify({'markdown': generate_report_markdown(data.get('content', ''), data.get('start_date'),
                                                         data.get('end_date'), data.get('group_filter', ''),
                                                         data.get('url_filter', []))})


@app.route('/api/reports/preview', methods=['POST'])
@login_required
def api_report_preview():
    data = request.json
    md = generate_report_markdown(data.get('content', ''), data.get('start_date'), data.get('end_date'),
                                  data.get('group_filter', ''), data.get('url_filter', []))
    AlertManager.push_to_all(data.get('name', '报表推送'), md)
    return jsonify({'msg': '推送指令已下发'})


@app.route('/api/logs', methods=['POST'])
@login_required
def api_get_logs():
    data = request.json or {}
    keyword = f"%{data.get('keyword', '').lower()}%" if data.get('keyword') else None
    query = "SELECT * FROM audit_logs WHERE 1=1";
    args = []
    if keyword: query += " AND (url LIKE ? OR event LIKE ? OR group_name LIKE ?)"; args.extend(
        [keyword, keyword, keyword])
    if data.get('start_time'): query += " AND time >= ?"; args.append(data.get('start_time').replace('T', ' ') + ':00')
    if data.get('end_time'): query += " AND time <= ?"; args.append(data.get('end_time').replace('T', ' ') + ':59')
    logs = query_db(query + " ORDER BY time DESC", tuple(args))
    for lg in logs: lg['group'] = lg.pop('group_name')
    return jsonify({'logs': logs})


@app.route('/api/logs/export', methods=['POST'])
@login_required
def api_logs_export():
    logs = api_get_logs().json.get('logs', [])
    output = io.StringIO();
    writer = csv.writer(output)
    writer.writerow(['发生时间', '资产分组', '资产对象', '事件类型', '状态详情说明'])
    for log in logs: writer.writerow([log['time'], log.get('group', '默认'), log['url'], log['event'], log['detail']])
    return jsonify({'csv': output.getvalue()})


@app.route('/api/logs/clear', methods=['POST'])
@admin_required
def api_logs_clear():
    execute_db("DELETE FROM audit_logs");
    return jsonify({'msg': '清空成功'})


@app.route('/api/data', methods=['GET'])
@login_required
def get_data():
    assets = query_db("SELECT * FROM assets");
    records_db = query_db("SELECT * FROM records")
    record_map = {r['url']: r for r in records_db}

    recent_logs = []
    for lg in query_db("SELECT * FROM audit_logs ORDER BY time DESC LIMIT 8"):
        lg['group'] = lg.pop('group_name');
        recent_logs.append(lg)

    results = [];
    scanning = False;
    now = time.time()
    for a in assets:
        url, group = a['url'], a['group_name']
        if url in record_map:
            rec = record_map[url]
            rec['group'] = group
            rec['vuln_details'] = json.loads(rec['vuln_details']) if rec['vuln_details'] else []
            rec['infra'] = json.loads(rec['infra']) if rec['infra'] else {}
            rec['ssl'] = json.loads(rec['ssl']) if rec['ssl'] else {}
            results.append(rec)
            if now - SCAN_COOLDOWN.get(url, 0) > COOLDOWN_SECONDS: executor.submit(background_scan, url, group)
        else:
            results.append(
                {"url": url, "group": group, "status": "scanning", "risk_score": 100, "title": "扫描探测中...",
                 "code": 0, "latency": 0, "vuln_details": [], "infra": {"ip": "未解析", "ports": []},
                 "ssl": {"valid": False, "days": 0, "status": "未检测"}})
            if now - SCAN_COOLDOWN.get(url, 0) > COOLDOWN_SECONDS: executor.submit(background_scan, url,
                                                                                   group); scanning = True

    scores = [r.get('risk_score', 100) for r in results]
    return jsonify({
        'dashboard': {'total': len(assets), 'online': sum(1 for r in results if r.get('status') == 'up'),
                      'risk': sum(1 for r in results if r.get('risk_score', 100) < 90),
                      'score': int(sum(scores) / len(scores)) if scores else 100, 'recent_logs': recent_logs},
        'list': results, 'scanning': scanning
    })


if __name__ == '__main__':
    requests.packages.urllib3.disable_warnings()
    print(">>> EagleEye 前端分离极致纯净版 + SQLite 数据库引擎启动成功: http://0.0.0.0:5000")
    # 明确设置端口为 5000，解决浏览器拒绝连接问题！
    app.run(debug=True, host='0.0.0.0', port=8000)