
添加redis白名单;图片检测代码调整;

dev_shibei_match
jianjun 5 years ago
parent
commit
f7db2c43c0
  1. 2
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/ScanApplication.java
  2. 29
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/common/redis/RedisKeys.java
  3. 26
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/config/ModuleConfigImpl.java
  4. 31
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/config/WebAppConfig.java
  5. 2
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/controller/BackDoorController.java
  6. 60
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/interceptor/ScanApiAuthInterceptor.java
  7. 113
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/interceptor/ScanApiInterceptor.java
  8. 9
      epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/service/impl/ScanServiceImpl.java

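--- a/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/ScanApplication.java
+++ b/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/ScanApplication.java
@@ -10,6 +10,7 @@ package com.epmet.openapi.scan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.ComponentScan;
 /**
 * 管理后台
@@ -19,6 +20,7 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
 */
 @SpringBootApplication
+@ComponentScan(basePackages = "com.epmet")
 public class ScanApplication {
 public static void main(String[] args) {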
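Review bot: The added `@ComponentScan(basePackages = "com.epmet")` widens scanning from `com.epmet.openapi.scan` to every `com.epmet` package on the classpath, so controllers, interceptors and configuration classes from shared modules get registered in this service whether or not it needs them. A separate `@ComponentScan` next to `@SpringBootApplication` can also take the place of the scan that annotation defines, including its exclude filters. Prefer `@SpringBootApplication(scanBasePackages = {"com.epmet.openapi.scan", "com.epmet.commons.tools"})`, listing only the packages actually required; the second name is taken from this commit's imports, so confirm the full list. The body of `main` continues outside the hunk.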

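--- a/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/common/redis/RedisKeys.java
+++ b/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/common/redis/RedisKeys.java
@@ -0,0 +1,29 @@
+/**
+* Copyright (c) 2018 人人开源 All rights reserved.
+* <p>
+* https://www.renren.io
+* <p>
+* 版权所有侵权必究
+*/
+package com.epmet.openapi.scan.common.redis;
+/**
+* @author Mark sunlightcs@gmail.com
+* @since 1.0.0
+*/
+public class RedisKeys {
+/**
+* 党群e事通redis前缀
+*/
+private static String rootPrefix = "epmet:";
+/**
+* desc:白名单Key
+* @return
+*/
+public static String getWhiteList () {
+return rootPrefix.concat("openapi:scan:whitelist");
+}
+}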
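Review bot: `rootPrefix` is a mutable static although nothing in the class reassigns it; declare it `private static final String ROOT_PREFIX = "epmet:";` so the allowlist key cannot change at runtime. The class has only static members, so a private constructor would stop it being instantiated. The empty `@return` tag on `getWhiteList` should say that the method returns the Redis key of the set holding the allowlisted client IPs, which is how `ScanApiAuthInterceptor` uses it in this commit.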

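--- a/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/config/ModuleConfigImpl.java
+++ b/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/config/ModuleConfigImpl.java
@@ -0,0 +1,26 @@
+/**
+* Copyright (c) 2018 人人开源 All rights reserved.
+*
+* https://www.renren.io
+*
+* 版权所有侵权必究
+*/
+package com.epmet.openapi.scan.config;
+import com.epmet.commons.tools.config.ModuleConfig;
+import org.springframework.stereotype.Service;
+/**
+* 模块配置信息
+*
+* @author Mark sunlightcs@gmail.com
+* @since 1.0.0
+*/
+@Service
+public class ModuleConfigImpl implements ModuleConfig {
+@Override
+public String getName() {
+return "epmetscan";
+}
+}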

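--- a/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/config/WebAppConfig.java
+++ b/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/config/WebAppConfig.java
@@ -0,0 +1,31 @@
+package com.epmet.openapi.scan.config;
+import com.epmet.openapi.scan.interceptor.ScanApiAuthInterceptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+/**
+* @author jianjun liu
+* @email liujianjun@yunzongnet.com
+* @date 2020-06-08 14:30
+**/
+@Configuration
+public class WebAppConfig implements WebMvcConfigurer{
+@Autowired
+private ScanApiAuthInterceptor scanApiAuthInterceptor;
+// 多个拦截器组成一个拦截器链
+// addPathPatterns 用于添加拦截规则
+// excludePathPatterns 用户排除拦截
+@Override
+public void addInterceptors(InterceptorRegistry registry) {
+registry.addInterceptor(scanApiAuthInterceptor)//添加拦截器
+.addPathPatterns("/**") //拦截所有请求
+.excludePathPatterns("/UserCon/**");//对应的不拦截的请求
+}
+}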
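Review bot: `.excludePathPatterns("/UserCon/**")` exempts every path under `/UserCon/` from the IP allowlist, yet no controller mapped there appears in this commit (the only mapping shown is `test`). If the pattern was carried over from sample code, drop it so that `addPathPatterns("/**")` has no unauthenticated exception. If it is intentional, add a comment naming the endpoint and why it may be reached without the allowlist. The comment `excludePathPatterns 用户排除拦截` probably means 用于排除拦截.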

2
epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/controller/TestController.java → epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/controller/BackDoorController.java

@ -16,7 +16,7 @@ import java.util.Map;
**/ **/
@RestController @RestController
@RequestMapping("test") @RequestMapping("test")
public class TestController { public class BackDoorController {
@Value("${aliyun.green.accessKeyId}") @Value("${aliyun.green.accessKeyId}")
private String accessKeyId; private String accessKeyId;

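--- a/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/interceptor/ScanApiAuthInterceptor.java
+++ b/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/interceptor/ScanApiAuthInterceptor.java
@@ -0,0 +1,60 @@
+package com.epmet.openapi.scan.interceptor;
+import com.alibaba.fastjson.JSON;
+import com.epmet.commons.tools.exception.EpmetErrorCode;
+import com.epmet.commons.tools.utils.IpUtils;
+import com.epmet.commons.tools.utils.Result;
+import com.epmet.openapi.scan.common.redis.RedisKeys;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.core.SetOperations;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+/**
+* @author jianjun liu
+* @date 2020-06-05 16:36
+**/
+@Component
+public class ScanApiAuthInterceptor implements HandlerInterceptor {
+private static final Logger log = LoggerFactory.getLogger(ScanApiAuthInterceptor.class);
+@Autowired
+private RedisTemplate redisTemplate;
+@Override
+public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+String ip = IpUtils.getIpAddr(request);
+SetOperations setOperations = redisTemplate.opsForSet();
+if (!setOperations.isMember(RedisKeys.getWhiteList(), ip)) {
+log.warn("preHandle ip:{} is not in whitelist", ip);
+String result = JSON.toJSONString(new Result<>().error(EpmetErrorCode.ERR401.getCode(), EpmetErrorCode.ERR401.getMsg()));
+responseJson(response, result);
+return false;
+}
+return true;
+}
+private void responseJson(HttpServletResponse response, String json) throws Exception {
+PrintWriter writer = null;
+response.setCharacterEncoding("UTF-8");
+response.setContentType("text/json; charset=utf-8");
+try {
+writer = response.getWriter();
+writer.print(json);
+} catch (IOException e) {
+log.error(e.toString());
+} finally {
+if (writer != null) {
+writer.close();
+}
+}
+}
+}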
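Review bot: The allowlist decision in `preHandle` rests on the string returned by `IpUtils.getIpAddr(request)`, whose implementation is outside this commit. If it reads forwarding headers such as `X-Forwarded-For`, the value is supplied by the client unless a trusted proxy overwrites it, so the check should use `request.getRemoteAddr()` or honour those headers only from known proxy addresses. The denial is written with the default 200 status; add `response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);` before `responseJson(response, result);`. With the raw `RedisTemplate`, `isMember` matches only if the members were written through the same serializer, and its `Boolean` result is unboxed directly. `Boolean.TRUE.equals(setOperations.isMember(RedisKeys.getWhiteList(), ip))` on a `StringRedisTemplate` would deny cleanly on `null` instead of throwing.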

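--- a/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/interceptor/ScanApiInterceptor.java
+++ b/epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/interceptor/ScanApiInterceptor.java
@@ -1,113 +0,0 @@
-package com.epmet.openapi.scan.interceptor;
-import com.epmet.openapi.scan.common.exception.AuthException;
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.web.servlet.HandlerInterceptor;
-import org.springframework.web.servlet.ModelAndView;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.Calendar;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-/**
-* @author jianjun liu
-* @email liujianjun@yunzongnet.com
-* @date 2020-06-05 16:36
-**/
-public class ScanApiInterceptor implements HandlerInterceptor {
-private static final Logger log = LoggerFactory.getLogger(ScanApiInterceptor.class);
-@Override
-public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
-throws Exception {
-Gson gson = new GsonBuilder().serializeNulls().enableComplexMapKeySerialization().setDateFormat("yyyy-MM-dd HH:mm:ss").create();
-Map parameterMap = request.getParameterMap();
-String requestUrl = request.getServletPath();
-log.info(" 请求地址为: " + requestUrl + " 请求参数为: " + gson.toJson(parameterMap));
-try {
-String timestamp = "";
-String appkey = "";
-String sign = "";
-if (parameterMap.containsKey("timestamp")) {
-timestamp = parameterMap.get("timestamp").toString();
-//验证时间戳
-Long timestampL = new Long(timestamp);
-Calendar timestampCalendar = Calendar.getInstance();
-timestampCalendar.setTimeInMillis(timestampL * 1000L);
-//设置过期时间
-timestampCalendar.add(Calendar.MINUTE, 10);
-Date timestampDate = timestampCalendar.getTime();
-Date nowDate = new Date();
-if (timestampDate.compareTo(nowDate) < 0) {
-throw new AuthException();
-}
-} else {
-throw new AuthException();
-}
-if (parameterMap.containsKey("appkey")) {
-appkey = parameterMap.get("appkey").toString();
-} else {
-throw new AuthException();
-}
-if (parameterMap.containsKey("sign")) {
-sign = parameterMap.get("sign").toString();
-} else {
-throw new AuthException();
-}
-Map map2 = new HashMap();
-map2.putAll(parameterMap);
-map2.remove("sign");
-/*String urls = MapUtil.getUrlParamsByMap(map2);
-urls += "&appsecret=" + OakConfig.getApiAppSecret();
-String newSign = MD5Util.md5(urls);
-//log.info("拼接urls参数为:" + urls + " 服务器端签名sign为:" + newSign);
-if (!sign.equals(newSign)) {
-throw new AuthException();
-return false;
-}*/
-return true;
-} catch (Exception e) {
-log.error(e.toString());
-throw new AuthException();
-}
-}
-@Override
-public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
-ModelAndView modelAndView) throws Exception {
-}
-@Override
-public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
-throws Exception {
-}
-private void responseJson(HttpServletResponse response, String json) throws Exception {
-PrintWriter writer = null;
-response.setCharacterEncoding("UTF-8");
-response.setContentType("text/json; charset=utf-8");
-try {
-writer = response.getWriter();
-writer.print(json);
-} catch (IOException e) {
-log.error(e.toString());
-} finally {
-if (writer != null) {
-writer.close();
-}
-}
-}
-}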

9
epmet-openapi/epmet-openapi-scan/src/main/java/com/epmet/openapi/scan/service/impl/ScanServiceImpl.java

@ -187,7 +187,6 @@ public class ScanServiceImpl implements ScanService {
List<BaseScanResult> sceneResults = taskResult.getResults(); List<BaseScanResult> sceneResults = taskResult.getResults();
//是文本检测 目前就一种场景 //是文本检测 目前就一种场景
for (BaseScanResult sceneResult : sceneResults) { for (BaseScanResult sceneResult : sceneResults) {
String scene = sceneResult.getScene();
String suggestion = sceneResult.getSuggestion(); String suggestion = sceneResult.getSuggestion();
if (SuggestionEnum.BLOCK.getCode().equals(suggestion)) { if (SuggestionEnum.BLOCK.getCode().equals(suggestion)) {
result.getFailDataIds().add(taskResult.getDataId()); result.getFailDataIds().add(taskResult.getDataId());
@ -196,6 +195,7 @@ public class ScanServiceImpl implements ScanService {
} }
} }
} else { } else {
result.getFailDataIds().add(taskResult.getDataId());
log.warn("executeSyncText task process fail:code:{},msg:{}", taskResult.getCode(), taskResult.getMsg()); log.warn("executeSyncText task process fail:code:{},msg:{}", taskResult.getCode(), taskResult.getMsg());
throw new ExeCuteHttpException(" executeSyncTexttask process fail:code:" + taskResult.getCode() + ",msg:" + taskResult.getMsg()); throw new ExeCuteHttpException(" executeSyncTexttask process fail:code:" + taskResult.getCode() + ",msg:" + taskResult.getMsg());
} }
@ -275,11 +275,16 @@ public class ScanServiceImpl implements ScanService {
JSONArray taskResults = scrResponse.getJSONArray("data"); JSONArray taskResults = scrResponse.getJSONArray("data");
List<ScanTaskResult> scanTaskResults = taskResults.toJavaList(ScanTaskResult.class); List<ScanTaskResult> scanTaskResults = taskResults.toJavaList(ScanTaskResult.class);
for (ScanTaskResult taskResult : scanTaskResults) { for (ScanTaskResult taskResult : scanTaskResults) {
if(200 != taskResult.getCode()){
if (!result.getFailDataIds().contains(taskResult.getDataId())) {
result.getFailDataIds().add(taskResult.getDataId());
}
continue;
}
//如果是多个场景 则为对个 BaseScanResult //如果是多个场景 则为对个 BaseScanResult
List<BaseScanResult> sceneResults = taskResult.getResults(); List<BaseScanResult> sceneResults = taskResult.getResults();
//是文本检测 目前就一种场景 //是文本检测 目前就一种场景
for (BaseScanResult sceneResult : sceneResults) { for (BaseScanResult sceneResult : sceneResults) {
String scene = sceneResult.getScene();
String suggestion = sceneResult.getSuggestion(); String suggestion = sceneResult.getSuggestion();
if (SuggestionEnum.BLOCK.getCode().equals(suggestion)) { if (SuggestionEnum.BLOCK.getCode().equals(suggestion)) {
if (result.getFailDataIds().contains(taskResult.getDataId())) { if (result.getFailDataIds().contains(taskResult.getDataId())) {
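Review bot: The two failure paths now disagree: the loop in the third hunk records a non-200 task in `failDataIds` and continues, while the `executeSyncText` path (second hunk) adds the id and then throws `ExeCuteHttpException` on the next statement. The added `result.getFailDataIds().add(taskResult.getDataId());` therefore has an effect only if the caller can still reach `result` after the exception, which is not visible here. The new `if(200 != taskResult.getCode())` branch also skips the task silently; a `log.warn("task process fail:code:{},msg:{}", taskResult.getCode(), taskResult.getMsg());` before `continue;` would keep the provider's error visible, as the text path does. If `getCode()` returns `Integer`, a missing code throws on unboxing; `!Integer.valueOf(200).equals(taskResult.getCode())` treats it as a failure instead. The enclosing methods start and end outside these hunks.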
