新增：md5摘要验签方式的外部应用认证

5 years ago · 0b6ee2a2ee
10 changed files with 231 additions and 99 deletions
--- a/epmet-commons/epmet-commons-extapp-auth/src/main/java/com/epmet/commons/extappauth/aspect/ExternalAppRequestAuthAspect.java
+++ b/epmet-commons/epmet-commons-extapp-auth/src/main/java/com/epmet/commons/extappauth/aspect/ExternalAppRequestAuthAspect.java
@ -37,6 +37,9 @@ public class ExternalAppRequestAuthAspect {
    public static final String ACCESS_TOKEN_HEADER_KEY = "AccessToken";
    public static final String APP_ID_HEADER_KEY = "appId";
    public static final String APP_ID_TIMESTAMP_KEY = "ts";
    public static final String APP_ID_CUSTOMER_ID_KEY = "CustomerId";
    public static final String APP_ID_AUTY_TYPE_KEY = "AuthType";
    @Autowired
    private EpmetCommonServiceOpenFeignClient commonServiceOpenFeignClient;
@ -52,6 +55,9 @@ public class ExternalAppRequestAuthAspect {
        HttpServletRequest request = getRequest();
        String token = request.getHeader(ACCESS_TOKEN_HEADER_KEY);
        String appId = request.getHeader(APP_ID_HEADER_KEY);
        String ts = request.getHeader(APP_ID_TIMESTAMP_KEY);
        String customerId = request.getHeader(APP_ID_CUSTOMER_ID_KEY);
        String authType = request.getHeader(APP_ID_AUTY_TYPE_KEY);
        if (StringUtils.isAnyBlank(token, appId)) {
            throw new RenException("请求头中的token和appId不能为空");
@ -62,6 +68,11 @@ public class ExternalAppRequestAuthAspect {
        ExternalAppAuthFormDTO form = new ExternalAppAuthFormDTO();
        form.setAppId(appId);
        form.setToken(token);
        form.setAuthType(authType);
        if (StringUtils.isNotBlank(ts)) {
            // 将字符串转化为时间
            form.setTs(new Long(ts));
        }
        Result<ExternalAppAuthResultDTO> result = commonServiceOpenFeignClient.externalAppAuth(form);
        if (result == null) {
            throw new RenException("调用服务进行外部应用认证，返回null");
@ -84,7 +95,7 @@ public class ExternalAppRequestAuthAspect {
                if (parameters[i].getType() == ExternalAppRequestParam.class) {
                    ExternalAppRequestParam requestParam = (ExternalAppRequestParam) point.getArgs()[i];
                    requestParam.setAppId(appId);
-                    requestParam.setCustomerId(authResult.getCustomerId());
+                    requestParam.setCustomerId(authResult.getCustomerId() == null ? customerId : authResult.getCustomerId());
                }
            }
        }
--- a/epmet-module/epmet-common-service/common-service-client/src/main/java/com/epmet/dto/form/ExternalAppAuthFormDTO.java
+++ b/epmet-module/epmet-common-service/common-service-client/src/main/java/com/epmet/dto/form/ExternalAppAuthFormDTO.java
@ -15,4 +15,14 @@ public class ExternalAppAuthFormDTO {
     */
    private String token;
    /**
     * 时间戳
     */
    private Long ts;
    /**
     * 认证类型：md5，jwt
     */
    private String authType;
 }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/constant/ExtAppAuthTypeConstant.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/constant/ExtAppAuthTypeConstant.java
@ -0,0 +1,8 @@
 package com.epmet.constant;
 public interface ExtAppAuthTypeConstant {
    String JWT = "jwt";
    String MD5 = "md5";
 }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/controller/ExternalAppController.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/controller/ExternalAppController.java
@ -40,12 +40,14 @@ public class ExternalAppController {
    public Result<ExternalAppAuthResultDTO> auth(@RequestBody ExternalAppAuthFormDTO formDTO) {
        String appId = formDTO.getAppId();
        String token = formDTO.getToken();
        Long ts = formDTO.getTs();
        String authType = formDTO.getAuthType();
        if (StringUtils.isAnyBlank(token, appId)) {
            throw new RenException("请求头中的token和appId不能为空");
        }
        logger.info("外部应用请求认证拦截Aspect。appId:{}, token:{}", appId, token);
-        ExternalAppAuthResultDTO auth = externalAppAuthService.auth(appId, token);
+        ExternalAppAuthResultDTO auth = externalAppAuthService.auth(appId, token, ts, authType);
        return new Result<ExternalAppAuthResultDTO>().ok(auth);
    }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/service/ExternalAppAuthService.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/service/ExternalAppAuthService.java
@ -1,10 +1,9 @@
 package com.epmet.service;
 import com.epmet.dto.result.ExternalAppAuthResultDTO;
 import com.epmet.dto.result.ExternalAppResultDTO;
 public interface ExternalAppAuthService {
-    ExternalAppAuthResultDTO auth(String appId, String token);
+    ExternalAppAuthResultDTO auth(String appId, String token, Long ts, String authType);
 }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/service/impl/ExternalAppAuthServiceImpl.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/service/impl/ExternalAppAuthServiceImpl.java
@ -1,19 +1,10 @@
 package com.epmet.service.impl;
-import com.epmet.commons.tools.exception.EpmetErrorCode;
+import com.epmet.constant.ExtAppAuthTypeConstant;
 import com.epmet.commons.tools.exception.ExceptionUtils;
 import com.epmet.commons.tools.exception.RenException;
 import com.epmet.commons.tools.redis.RedisKeys;
 import com.epmet.commons.tools.redis.RedisUtils;
 import com.epmet.dao.ExternalAppDao;
 import com.epmet.dao.ExternalAppSecretDao;
 import com.epmet.dto.result.ExternalAppAuthResultDTO;
 import com.epmet.dto.result.ExternalAppResultDTO;
 import com.epmet.entity.ExternalAppEntity;
 import com.epmet.entity.ExternalAppSecretEntity;
 import com.epmet.service.ExternalAppAuthService;
-import com.epmet.utils.externalapp.ExtAppJwtTokenUtils;
+import com.epmet.utils.externalapp.ExtAppJwtAuthProcessor;
-import io.jsonwebtoken.Claims;
+import com.epmet.utils.externalapp.ExtAppMD5AuthProcessor;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -26,90 +17,23 @@ public class ExternalAppAuthServiceImpl implements ExternalAppAuthService {
    private static Logger logger = LoggerFactory.getLogger(ExternalAppAuthServiceImpl.class);
    @Autowired
-    private RedisUtils redisUtils;
+    private ExtAppJwtAuthProcessor jwtAuthProcessor;
    @Autowired
-    private ExtAppJwtTokenUtils jwtTokenUtils;
+    private ExtAppMD5AuthProcessor md5AuthProcessor;
    @Autowired
    private ExternalAppSecretDao externalAppSecretDao;
    @Autowired
    private ExternalAppDao externalAppDao;
    private int diffMillins = 1000 * 60 * 5;
    @Override
-    public ExternalAppAuthResultDTO auth(String appId, String token) {
+    public ExternalAppAuthResultDTO auth(String appId, String token, Long ts, String authType) {
-        String secret;
+        // 没传或者传的jwt都用jwtprocessor处理
-        if (StringUtils.isBlank(secret = getTokenByAppId(appId))) {
+        if (StringUtils.isBlank(authType) || ExtAppAuthTypeConstant.JWT.equals(authType)) {
-            return fillAuthResult(false, String.format("根据AppId:%s没有找到对应的秘钥", appId), null);
+            return jwtAuthProcessor.auth(appId, token, ts);
        } else if (ExtAppAuthTypeConstant.MD5.equals(authType)) {
            return md5AuthProcessor.auth(appId, token, ts);
        } else {
            ExternalAppAuthResultDTO rst = new ExternalAppAuthResultDTO();
            rst.setMessage("错误的认证类型");
            rst.setSuccess(false);
            return rst;
        }
        Claims claim;
        try {
            claim = jwtTokenUtils.getClaimByToken(token, secret);
        } catch (Exception e) {
            String errorStackTrace = ExceptionUtils.getErrorStackTrace(e);
            logger.error("解析token失败:{}", errorStackTrace);
            return fillAuthResult(false, "解析token失败", null);
        }
        String appIdIn = (String)claim.get("appId");
        String customerId = (String)claim.get("customerId");
        Long timestamp = (Long)claim.get("ts");
        //校验时间戳，允许5分钟误差
        if (StringUtils.isAnyBlank(appIdIn, customerId) || timestamp == null) {
            logger.error("access token不完整。{},{},{}", appIdIn, customerId, timestamp);
            return fillAuthResult(false, "access token不完整。", null);
        }
        // TODO
 //        if (!validTimeStamp(timestamp)) {
 //            logger.error("服务器存在时差过大，请求被拒绝", appId, appIdIn);
 //            return fillAuthResult(false, "服务器存在时差过大，请求被拒绝", null);
 //        }
        if (!appId.equals(appIdIn)) {
            logger.error("AppId不对应，token外部的:{}, token内部解析出来的:{}", appId, appIdIn);
            return fillAuthResult(false, "Header中的AppId不匹配", null);
        }
        return fillAuthResult(true, "解析成功", customerId);
    }
    private boolean validTimeStamp(Long timestamp) {
        long now = System.currentTimeMillis();
 //        System.out.println(new Date(timestamp));
        if (Math.abs(now - timestamp) > diffMillins) {
            return false;
        }
        return true;
    }
    /**
     * 通过APP ID查询对应的秘钥
     * @param appId
     * @return
     */
    public String getTokenByAppId(String appId) {
        String secret = (String)redisUtils.get(RedisKeys.getExternalAppSecretKey(appId));
        if (StringUtils.isBlank(secret)) {
            ExternalAppSecretEntity secretEntity = externalAppSecretDao.getSecretsByAppId(appId);
            if (secretEntity == null) {
                return null;
            }
            secret = secretEntity.getSecret();
            redisUtils.set(RedisKeys.getExternalAppSecretKey(appId), secret);
        }
        return secret;
    }
    public ExternalAppAuthResultDTO fillAuthResult(Boolean result, String message, String customerId) {
        ExternalAppAuthResultDTO authResult = new ExternalAppAuthResultDTO();
        authResult.setSuccess(result);
        authResult.setMessage(message);
        authResult.setCustomerId(customerId);
        return authResult;
    }
 }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppAuthProcessor.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppAuthProcessor.java
@ -0,0 +1,73 @@
 package com.epmet.utils.externalapp;
 import com.epmet.commons.tools.redis.RedisKeys;
 import com.epmet.commons.tools.redis.RedisUtils;
 import com.epmet.dao.ExternalAppSecretDao;
 import com.epmet.dto.result.ExternalAppAuthResultDTO;
 import com.epmet.entity.ExternalAppSecretEntity;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 /**
 * 外部应用认证处理器父类
 */
 public abstract class ExtAppAuthProcessor {
    @Autowired
    private RedisUtils redisUtils;
    @Autowired
    private ExternalAppSecretDao externalAppSecretDao;
    private int diffMillins = 1000 * 60 * 5;
    public abstract ExternalAppAuthResultDTO auth(String appId, String token, Long ts);
    /**
     * 通过APP ID查询对应的秘钥
     * @param appId
     * @return
     */
    public String getTokenByAppId(String appId) {
        String secret = (String)redisUtils.get(RedisKeys.getExternalAppSecretKey(appId));
        if (StringUtils.isBlank(secret)) {
            ExternalAppSecretEntity secretEntity = externalAppSecretDao.getSecretsByAppId(appId);
            if (secretEntity == null) {
                return null;
            }
            secret = secretEntity.getSecret();
            redisUtils.set(RedisKeys.getExternalAppSecretKey(appId), secret);
        }
        return secret;
    }
    /**
     * 时间戳校验
     * @param timestamp
     * @return
     */
    protected boolean validTimeStamp(Long timestamp) {
        long now = System.currentTimeMillis();
        if (Math.abs(now - timestamp) > diffMillins) {
            return false;
        }
        return true;
    }
    /**
     * 封装结果
     * @param result
     * @param message
     * @param customerId
     * @return
     */
    public ExternalAppAuthResultDTO fillAuthResult(Boolean result, String message, String customerId) {
        ExternalAppAuthResultDTO authResult = new ExternalAppAuthResultDTO();
        authResult.setSuccess(result);
        authResult.setMessage(message);
        authResult.setCustomerId(customerId);
        return authResult;
    }
 }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppJwtAuthProcessor.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppJwtAuthProcessor.java
@ -0,0 +1,61 @@
 package com.epmet.utils.externalapp;
 import com.epmet.commons.tools.exception.ExceptionUtils;
 import com.epmet.dto.result.ExternalAppAuthResultDTO;
 import io.jsonwebtoken.Claims;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 /**
 * jwt 认证处理器
 */
@Component
 public class ExtAppJwtAuthProcessor extends ExtAppAuthProcessor {
    private static Logger logger = LoggerFactory.getLogger(ExtAppJwtAuthProcessor.class);
    @Autowired
    private ExtAppJwtTokenUtils jwtTokenUtils;
    public ExternalAppAuthResultDTO auth(String appId, String token, Long ts) {
        String secret;
        if (StringUtils.isBlank(secret = getTokenByAppId(appId))) {
            return fillAuthResult(false, String.format("根据AppId:%s没有找到对应的秘钥", appId), null);
        }
        Claims claim;
        try {
            claim = jwtTokenUtils.getClaimByToken(token, secret);
        } catch (Exception e) {
            String errorStackTrace = ExceptionUtils.getErrorStackTrace(e);
            logger.error("解析token失败:{}", errorStackTrace);
            return fillAuthResult(false, "解析token失败", null);
        }
        String appIdIn = (String)claim.get("appId");
        String customerId = (String)claim.get("customerId");
        Long timestamp = (Long)claim.get("ts");
        //校验时间戳，允许5分钟误差
        if (StringUtils.isAnyBlank(appIdIn, customerId) || timestamp == null) {
            logger.error("access token不完整。{},{},{}", appIdIn, customerId, timestamp);
            return fillAuthResult(false, "access token不完整。", null);
        }
        // TODO 暂时去掉时间差判断
        //if (!validTimeStamp(timestamp)) {
        //    logger.error("服务器存在时差过大，请求被拒绝");
        //    return fillAuthResult(false, "服务器存在时差过大，请求被拒绝", null);
        //}
        if (!appId.equals(appIdIn)) {
            logger.error("AppId不对应，token外部的:{}, token内部解析出来的:{}", appId, appIdIn);
            return fillAuthResult(false, "Header中的AppId不匹配", null);
        }
        return fillAuthResult(true, "解析成功，认证成功", customerId);
    }
 }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppJwtTokenUtils.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppJwtTokenUtils.java
@ -75,11 +75,13 @@ public class ExtAppJwtTokenUtils {
    public static void genToken() {
        HashMap<String, Object> claim = new HashMap<>();
-        claim.put("appId", "227fb75ae4baa820755aaf43bf7f0a69");
+        claim.put("appId", "2c448b7da527055fbeebb628f8d3dcb0");
        claim.put("customerId", "c1");
-        claim.put("ts", System.currentTimeMillis() - 1000 * 60 * 4);
+        long ts = System.currentTimeMillis() - 1000 * 60 * 4;
        System.out.println("时间戳:" + ts);
        claim.put("ts", ts);
-        String abc = new ExtAppJwtTokenUtils().createToken(claim, "4a762660254c57996343f8ee42fbc0a6");
+        String abc = new ExtAppJwtTokenUtils().createToken(claim, "d4b73db4cf8e46ef99fa1f95149c2791ef2396fded114dd09e406cbce83fc88a");
        System.out.println(abc);
    }
--- a/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppMD5AuthProcessor.java
+++ b/epmet-module/epmet-common-service/common-service-server/src/main/java/com/epmet/utils/externalapp/ExtAppMD5AuthProcessor.java
@ -0,0 +1,42 @@
 package com.epmet.utils.externalapp;
 import com.epmet.commons.tools.utils.Md5Util;
 import com.epmet.dto.result.ExternalAppAuthResultDTO;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Component;
 /**
 * md5 认证处理器
 */
@Component
 public class ExtAppMD5AuthProcessor extends ExtAppAuthProcessor {
    private static Logger logger = LoggerFactory.getLogger(ExtAppMD5AuthProcessor.class);
    public ExternalAppAuthResultDTO auth(String appId, String token, Long ts) {
        if (ts == null) {
            return fillAuthResult(false, "需要传入时间戳参数", null);
        }
        String secret;
        if (StringUtils.isBlank(secret = getTokenByAppId(appId))) {
            return fillAuthResult(false, String.format("根据AppId:%s没有找到对应的秘钥", appId), null);
        }
        String localDigest = Md5Util.md5(secret.concat(":") + ts);
        if (!localDigest.equals(token)) {
            // 调用方生成的摘要跟本地生成的摘要不匹配
            return fillAuthResult(false, "签名不匹配，认证失败", null);
        }
        // TODO 暂时去掉时间差判断
        //if (!validTimeStamp(ts)) {
        //    logger.error("服务器存在时差过大，请求被拒绝");
        //    return fillAuthResult(false, "服务器存在时差过大，请求被拒绝", null);
        //}
        return fillAuthResult(true, "签名匹配，认证成功", null);
    }
 }