From 41c0a15f8fd1bedd682ffd23986de581588ae23e Mon Sep 17 00:00:00 2001
From: wxz
Date: Fri, 26 Mar 2021 10:38:23 +0800
Subject: [PATCH] =?UTF-8?q?openApi=E5=9F=BA=E6=9C=AC=E5=AE=8C=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../security/sign/openapi/OpenApiSignUtils.java | 1 +
 .../epmet/commons/tools/redis/RedisKeys.java | 4 ++--
 ...r.java => ExtAppTakeTokenAuthProcessor.java} | 17 ++++++++++++-----
 .../com/epmet/auth/ExternalAuthProcessor.java | 4 ++--
 .../epmet/aspect/OpenApiRequestCheckAspect.java | 13 +++++++------
 .../impl/OpenApiAccessTokenServiceImpl.java | 3 ++-
 6 files changed, 26 insertions(+), 16 deletions(-)
 rename epmet-gateway/src/main/java/com/epmet/auth/{ExtAppFetchTokenAuthProcessor.java => ExtAppTakeTokenAuthProcessor.java} (81%)
diff --git a/epmet-commons/epmet-commons-security/src/main/java/com/epmet/commons/security/sign/openapi/OpenApiSignUtils.java b/epmet-commons/epmet-commons-security/src/main/java/com/epmet/commons/security/sign/openapi/OpenApiSignUtils.java
index 785c2a0578..ef3e31f6aa 100644
--- a/epmet-commons/epmet-commons-security/src/main/java/com/epmet/commons/security/sign/openapi/OpenApiSignUtils.java
+++ b/epmet-commons/epmet-commons-security/src/main/java/com/epmet/commons/security/sign/openapi/OpenApiSignUtils.java
@@ -94,6 +94,7 @@ public class OpenApiSignUtils {
 HashMap content = new HashMap<>();
 content.put("orgId", "aaa");
 content.put("test", null);
+ content.put("app_id", "7d98b8af2d05752b4225709c4cfd4bd0");
 content.put("timestamp", String.valueOf(now));
 content.put("nonce", uuid);
 content.put("auth_type", "take_token");
diff --git a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
index dd5ca2e18a..d923bf5ba7 100644
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java 
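Review bot: The new `content.put("app_id", "7d98b8af2d05752b4225709c4cfd4bd0");` pins a concrete 32-hex identifier inside a shared utility class; the neighbouring entries (`"orgId", "aaa"`, `"test", null`) suggest this is a sample or self-test block, but if the value is a real registered application id it belongs in test configuration rather than in library source. A visibly fake placeholder such as `content.put("app_id", "SAMPLE_APP_ID");` keeps the example working without committing a live identifier. The enclosing method starts and ends outside the hunk.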
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
@@ -393,8 +393,8 @@ public class RedisKeys {
 * @author wxz
 * @date 2021.03.23 10:25
 */
- public static String getOpenApiAccessTokenKey(String accessToken) {
- return rootPrefix.concat("openapi:accesstoken:").concat(accessToken);
+ public static String getOpenApiAccessTokenKey(String appId) {
+ return rootPrefix.concat("openapi:accesstoken:").concat(appId);
 }
 /**
diff --git a/epmet-gateway/src/main/java/com/epmet/auth/ExtAppFetchTokenAuthProcessor.java b/epmet-gateway/src/main/java/com/epmet/auth/ExtAppTakeTokenAuthProcessor.java
similarity index 81%
rename from epmet-gateway/src/main/java/com/epmet/auth/ExtAppFetchTokenAuthProcessor.java
rename to epmet-gateway/src/main/java/com/epmet/auth/ExtAppTakeTokenAuthProcessor.java
index acc9f056ca..433b5ef01b 100644
--- a/epmet-gateway/src/main/java/com/epmet/auth/ExtAppFetchTokenAuthProcessor.java
+++ b/epmet-gateway/src/main/java/com/epmet/auth/ExtAppTakeTokenAuthProcessor.java 
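Review bot: The key is now derived from `appId`, so the cache can hold at most one access token per application, but the surviving Javadoc (only `@author`/`@date` are visible in the hunk) says nothing about the parameter or that consequence; add `@param appId id of the external application; the key addresses that app's current access token` above `@author`. Because only the parameter name changed and the type is still `String`, any caller that previously passed an access token still compiles silently, so each call site should be confirmed to pass an app id now. The method's Javadoc header starts above the hunk.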
@@ -23,22 +23,29 @@ import org.springframework.web.server.ServerWebExchange;
 * 外部应用认证处理器:来平台token的方式
 */
 @Component
-public class ExtAppFetchTokenAuthProcessor extends ExtAppAuthProcessor {
+public class ExtAppTakeTokenAuthProcessor extends ExtAppAuthProcessor {
 @Autowired
 private JwtUtils jwtTokenUtils;
+ @Autowired
+ private RedisUtils redisUtils;
+
 @Override
 public void auth(String appId, String token, Long ts, ServerWebExchange exchange) {
 String secret = getSecret(appId);
- if (jwtTokenUtils.isTokenExpired(jwtTokenUtils.getExpiration(token, secret))) {
+ // 1.过期验证
+ String accessTokenInCache = redisUtils.getString(RedisKeys.getOpenApiAccessTokenKey(appId));
+ if (StringUtils.isBlank(accessTokenInCache) ||
+ jwtTokenUtils.isTokenExpired(jwtTokenUtils.getExpiration(token, secret))) {
+
 throw new RenException(EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getCode(),
 EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getMsg());
 }
 // 2.验签
- // 验签暂时放到具体接口中
+ // 验签暂时放到具体接口中,不放在gateway
 //openApiSignUtils.checkSign();
 // 2. 获取claims
@@ -47,8 +54,8 @@ public class ExtAppFetchTokenAuthProcessor extends ExtAppAuthProcessor {
 if (!appId.equals(appIdInAccessToken)) {
 // 参数列表的appId和token中封装的不一致
- throw new RenException(EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getCode(),
- EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getMsg());
+ throw new RenException(EpmetErrorCode.OPEN_API_PARAMS_APPID_DIFF.getCode(),
+ EpmetErrorCode.OPEN_API_PARAMS_APPID_DIFF.getMsg());
 }
 // 3.将app_id放入header中
diff --git a/epmet-gateway/src/main/java/com/epmet/auth/ExternalAuthProcessor.java b/epmet-gateway/src/main/java/com/epmet/auth/ExternalAuthProcessor.java
index bfd7da5de5..72fbfe5c9e 100644
--- a/epmet-gateway/src/main/java/com/epmet/auth/ExternalAuthProcessor.java
+++ b/epmet-gateway/src/main/java/com/epmet/auth/ExternalAuthProcessor.java 
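Review bot: The value read into `accessTokenInCache` is only tested for blankness and never compared with the presented `token`, so the new Redis lookup establishes that some token was issued for `appId` but not that this is it; an earlier token for the same app that is still inside its own JWT expiry passes the check after a newer one has replaced it in the cache. Binding the two makes the cache entry authoritative, e.g. `if (StringUtils.isBlank(accessTokenInCache) || !MessageDigest.isEqual(accessTokenInCache.getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8)) || jwtTokenUtils.isTokenExpired(jwtTokenUtils.getExpiration(token, secret))) {` (with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). Presumably `getExpiration` rejects a malformed or wrongly signed token by throwing; if it does not, a null `token` would reach it unguarded, so the condition order should be confirmed. The step comments now read `1.`, `2.验签`, `2. 获取claims`, `3.`, so renumbering the claims step to 3 and the header step to 4 keeps them consistent. `auth` continues past the hunk into the next one.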
@@ -50,7 +50,7 @@ public class ExternalAuthProcessor extends AuthProcessor {
 private ExtAppMD5AuthProcessor md5AuthProcessor;
 @Autowired
- private ExtAppFetchTokenAuthProcessor fetchTokenAuthProcessor;
+ private ExtAppTakeTokenAuthProcessor takeTokenAuthProcessor;
 private final AntPathMatcher antPathMatcher = new AntPathMatcher();
@@ -112,7 +112,7 @@ public class ExternalAuthProcessor extends AuthProcessor {
 if (StringUtils.isBlank(appId)) {
 throw new RenException(EpmetErrorCode.OPEN_API_PARAMS_MISSING.getCode(),"缺少参数".concat(RequestParamKeys.APP_ID));
 }
- fetchTokenAuthProcessor.auth(appId, token, StringUtils.isNotBlank(ts) ? new Long(ts) : null, exchange);
+ takeTokenAuthProcessor.auth(appId, token, StringUtils.isNotBlank(ts) ? new Long(ts) : null, exchange);
 } else {
 throw new RenException(EpmetErrorCode.OPER_EXTERNAL_APP_AUTH_ERROR.getCode(), "未知的外部认证类型");
 }
diff --git a/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/aspect/OpenApiRequestCheckAspect.java b/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/aspect/OpenApiRequestCheckAspect.java
index 10e5989d77..3ef87a5c04 100644
--- a/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/aspect/OpenApiRequestCheckAspect.java
+++ b/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/aspect/OpenApiRequestCheckAspect.java
@@ -26,15 +26,10 @@ import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import javax.servlet.http.HttpServletRequest;
-import java.beans.IntrospectionException;
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Set;
 /**
 * OpenApi检查请求切面
@@ -90,6 +85,12 @@ public class OpenApiRequestCheckAspect {
 checkRepeatRequest(argMap);
 }
+ /**
+ * @Description 填充url请求参数到map中,用来签名
+ * @return
+ * @author wxz
+ * @date 2021.03.26 10:13
+ */
 private void fillRequestParamsInfoArgMap(Map argMap, HttpServletRequest request) {
 fillRequestParamsInfoArgMap(argMap, request, RequestParamKeys.APP_ID);
 fillRequestParamsInfoArgMap(argMap, request, RequestParamKeys.AUTH_TYPE);
@@ -116,7 +117,7 @@ public class OpenApiRequestCheckAspect {
 }
 long timestamp = Long.valueOf(timestampStr).longValue();
 long now = System.currentTimeMillis();
- long requestTimeDiff = 60000;
+ long requestTimeDiff = 120000;
 if (Math.abs(now - timestamp) > requestTimeDiff) {
 // 只允许1分钟之内的请求,允许服务器之间时差为1分钟
 throw new RenException(String.format("请求已过时,允许时差为%s ms", requestTimeDiff));
diff --git a/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/service/impl/OpenApiAccessTokenServiceImpl.java b/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/service/impl/OpenApiAccessTokenServiceImpl.java
index 98409b0b36..b00e5ca6d9 100644
--- a/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/service/impl/OpenApiAccessTokenServiceImpl.java
+++ b/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/service/impl/OpenApiAccessTokenServiceImpl.java
@@ -4,6 +4,7 @@ import com.epmet.commons.security.jwt.JwtUtils;
 import com.epmet.commons.tools.redis.RedisKeys;
 import com.epmet.commons.tools.redis.RedisUtils;
 import com.epmet.config.OpenApiConfig;
+import com.epmet.openapi.constant.RequestParamKeys;
 import com.epmet.service.OpenApiAccessTokenService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
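Review bot: The new Javadoc on `fillRequestParamsInfoArgMap` carries an empty `@return` on a `void` method, and `@Description` is not a standard Javadoc tag, so the block gives a reader or the javadoc tool nothing usable. Replace those two lines with a summary sentence plus parameter tags, e.g. `* Copies the URL request parameters (app id, auth type, ...) into argMap so they take part in signature checking.` followed by `@param argMap` and `@param request`. The method body continues past the hunk.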
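Review bot: `requestTimeDiff` is raised to `120000` but the comment on the following line still says only requests within one minute are accepted with a one-minute clock skew, so the code and its explanation now disagree; update it to `// 只允许2分钟之内的请求,允许服务器之间时差为2分钟` or, better, hoist the value into a named constant such as `private static final long REQUEST_TIME_DIFF_MS = 120_000L;` and keep the number out of the prose. Doubling the accepted window also doubles how long a captured request remains replayable, so the nonce retention behind `checkRepeatRequest` (called in the previous hunk; its body is not visible here) should be confirmed to be at least as long. The enclosing method starts above the hunk.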
@@ -25,7 +26,7 @@ public class OpenApiAccessTokenServiceImpl implements OpenApiAccessTokenService
 @Override
 public String getAccessToken(String appId, String secret) {
 HashMap claim = new HashMap<>();
- claim.put("appId", appId);
+ claim.put(RequestParamKeys.APP_ID, appId);
 String token = jwtTokenUtils.createToken(claim, openApiConfig.getAccessTokenExpire(), secret);