From 7de7df24928d655c6a94b6c21def2b4193eacdd6 Mon Sep 17 00:00:00 2001 From: wangxianzhang Date: Tue, 27 Sep 2022 17:47:19 +0800 Subject: [PATCH] =?UTF-8?q?=E8=BF=90=E8=90=A5=E7=AB=AF-=E8=B6=8A=E6=9D=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../epmet/commons/tools/redis/RedisKeys.java | 8 +++ .../com/epmet/auth/InternalAuthProcessor.java | 56 +++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java index d31359f1dc..bb22e8de4b 100644 --- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java +++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java @@ -898,4 +898,12 @@ public class RedisKeys { public static String operResourcesByUserId(String operId) { return rootPrefix.concat("oper:access:resources:").concat(operId); } + + /** + * 获取需要检查的资源url + * @return + */ + public static String getOperExamineResourceUrls() { + return rootPrefix.concat("oper:access:examineresources"); + } } diff --git a/epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java b/epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java index 305bf2b3a4..a34a0385d4 100644 --- a/epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java +++ b/epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java 
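Review bot: The Javadoc on the new `getOperExamineResourceUrls()` has an empty `@return` tag and does not say what is stored under the key, which matters because the gateway authorization check added in the same patch (`InternalAuthProcessor.checkRequestOperResource`) reads a JSON list of resources from it. I would replace the comment with `/** Redis key holding the JSON list of operator-side resources (URL pattern + HTTP method) the gateway must authorization-check. @return the fully prefixed key */`. The method name says "Urls" while the key suffix is `examineresources`; consider aligning the two before other callers depend on the name.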
@@ -1,11 +1,20 @@ package com.epmet.auth; +import com.alibaba.fastjson.JSON; +import com.alibaba.fastjson.TypeReference; import com.epmet.commons.tools.constant.AppClientConstant; import com.epmet.commons.tools.constant.Constant; +import com.epmet.commons.tools.dto.form.HasOperPermissionFormDTO; +import com.epmet.commons.tools.dto.result.OperResouce; import com.epmet.commons.tools.exception.EpmetErrorCode; +import com.epmet.commons.tools.exception.EpmetException; import com.epmet.commons.tools.exception.RenException; +import com.epmet.commons.tools.feign.CommonOperAccessOpenFeignClient; +import com.epmet.commons.tools.redis.RedisKeys; +import com.epmet.commons.tools.redis.RedisUtils; import com.epmet.commons.tools.security.dto.BaseTokenDto; import com.epmet.commons.tools.utils.CpUserDetailRedis; +import com.epmet.commons.tools.utils.Result; import com.epmet.filter.CpProperty; import com.epmet.jwt.JwtTokenUtils; import io.jsonwebtoken.Claims; @@ -15,12 +24,14 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.cloud.gateway.filter.GatewayFilterChain; import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpMethod; import org.springframework.http.server.reactive.ServerHttpRequest; import org.springframework.stereotype.Component; import org.springframework.util.AntPathMatcher; import org.springframework.web.server.ServerWebExchange; import java.util.Date; +import java.util.List; /** * 内部认证处理器 @@ -41,6 +52,12 @@ public class InternalAuthProcessor extends AuthProcessor { @Autowired private CpProperty cpProperty; + @Autowired + private CommonOperAccessOpenFeignClient operAccessOpenFeignClient; + + @Autowired + private RedisUtils redisUtils; + @Override public ServerWebExchange auth(ServerWebExchange exchange, GatewayFilterChain chain) { ServerHttpRequest request = exchange.getRequest(); 
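Review bot: The new imports bring in `com.alibaba.fastjson.JSON`/`TypeReference` to deserialize the protected-resource list; fastjson 1.x has a history of autoType deserialization vulnerabilities, so confirm the version on the classpath is patched or has autoType disabled, even though the payload here presumably originates from Redis written by the platform itself rather than from the request. On style, the two new `@Autowired` fields follow the class's existing field injection of `cpProperty`, but because a missing `CommonOperAccessOpenFeignClient` or `RedisUtils` bean would only surface on the first operator request, constructor injection with `private final` fields would fail fast at startup for a security-critical filter. The `auth(...)` method whose signature closes this hunk continues outside the hunk.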
@@ -104,10 +121,49 @@ public class InternalAuthProcessor extends AuthProcessor { builder.header(AppClientConstant.CUSTOMER_ID, customerId); } + // 针对运营端的url拦截和校验 + if (AppClientConstant.APP_OPER.equals(app)) { + HttpMethod method = request.getMethod(); + Boolean hasAccess = checkRequestOperResource(requestUri, method.toString()); + if (!hasAccess) { + throw new EpmetException(EpmetErrorCode.EPMET_COMMON_OPERATION_FAIL.getCode(), "资源未授权", "资源未授权"); + } + } + ServerHttpRequest shr = builder.build(); return exchange.mutate().request(shr).build(); } + /** + * 校验运营端用户是否有权访问该资源 + * @param uri + * @param method + * @return + */ + private Boolean checkRequestOperResource(String uri, String method) { + String resourceJsonString = (String)redisUtils.get(RedisKeys.getOperExamineResourceUrls()); + List resources = JSON.parseObject(resourceJsonString, new TypeReference>() {}); + + for (OperResouce resource : resources) { + if (antPathMatcher.match(resource.getResourceUrl(), uri) + && resource.getResourceMethod().equals(method)) { + + //需要校验权限的url + HasOperPermissionFormDTO form = new HasOperPermissionFormDTO(); + form.setUri(uri); + form.setMethod(method); + Result result = operAccessOpenFeignClient.hasOperPermission(form); + if (result == null || !result.success()) { + return false; + } + return true; + } + } + + // 如果当前请求url不需要校验权限,那么返回true + return true; + } + /** * 是否需要认证 * @param requestUri
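Review bot: `checkRequestOperResource` dereferences `resources` without a null check: if the Redis entry is missing or expired, `redisUtils.get` returns null, `JSON.parseObject(null, ...)` yields null, and the `for` loop throws a NullPointerException, so every operator request fails with an unhandled error instead of a deliberate denial; the trailing `return true` also means any URL absent from the list is allowed, so the Redis list is the entire authorization boundary. I would handle the missing list explicitly and fail closed, use a primitive `boolean` instead of the boxed `Boolean hasAccess`, guard `request.getMethod()` against null before calling `toString()`, and compare `method.equals(resource.getResourceMethod())` so a resource with a null method does not throw. `AntPathMatcher.match` treats `/a/b` and `/a/b/` (or `/a//b`) as different paths, so unless `requestUri` — computed outside this hunk — is normalized before matching, a trailing or doubled slash could skip the check while the downstream service still routes the request; confirm that normalization. `HasOperPermissionFormDTO` carries only uri and method, so the remote check must obtain the caller identity from headers the Feign client propagates — verify that propagation, otherwise the permission is evaluated for the wrong principal. `auth(...)` begins outside this hunk; `checkRequestOperResource` is fully inside it.
```java
        // … unchanged: customerId header …
        if (AppClientConstant.APP_OPER.equals(app)) {
            HttpMethod method = request.getMethod();
            // Reject an absent/unknown method rather than NPE on toString()
            if (method == null || !checkRequestOperResource(requestUri, method.name())) {
                throw new EpmetException(EpmetErrorCode.EPMET_COMMON_OPERATION_FAIL.getCode(), "资源未授权", "资源未授权");
            }
        }
        // … unchanged: builder.build() / exchange.mutate() …

    private boolean checkRequestOperResource(String uri, String method) {
        String resourceJsonString = (String) redisUtils.get(RedisKeys.getOperExamineResourceUrls());
        if (resourceJsonString == null) {
            // Fail closed: without the protected-resource list we cannot decide
            return false;
        }
        List<OperResouce> resources = JSON.parseObject(resourceJsonString, new TypeReference<List<OperResouce>>() {});
        if (resources == null) {
            return false;
        }
        for (OperResouce resource : resources) {
            if (antPathMatcher.match(resource.getResourceUrl(), uri)
                    && method.equals(resource.getResourceMethod())) {
                HasOperPermissionFormDTO form = new HasOperPermissionFormDTO();
                form.setUri(uri);
                form.setMethod(method);
                Result result = operAccessOpenFeignClient.hasOperPermission(form);
                return result != null && result.success();
            }
        }
        // Not in the protected list: allowed by design — the Redis list is the authorization boundary
        return true;
    }
```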