修改：传参方式修改 half

4 years ago · 64aca2e5de
18 changed files with 212 additions and 104 deletions
--- a/epmet-commons/epmet-commons-openapi/pom.xml
+++ b/epmet-commons/epmet-commons-openapi/pom.xml
@ -1,17 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <version>2.0.0</version>
    <parent>
        <artifactId>epmet-commons</artifactId>
        <groupId>com.epmet</groupId>
        <version>2.0.0</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>epmet-commons-openapi</artifactId>
 </project>
--- a/epmet-commons/epmet-commons-openapi/src/main/java/com/epmet/commons/openapi/constants/HeaderFieldKeys.java
+++ b/epmet-commons/epmet-commons-openapi/src/main/java/com/epmet/commons/openapi/constants/HeaderFieldKeys.java
@ -1,7 +0,0 @@
 package com.epmet.commons.openapi.constants;
 public interface HeaderFieldKeys {
    String APP_ID = "AppId";
 }
--- a/epmet-commons/epmet-commons-openapi/src/main/java/com/epmet/commons/openapi/constants/RequestBodyFieldKeys.java
+++ b/epmet-commons/epmet-commons-openapi/src/main/java/com/epmet/commons/openapi/constants/RequestBodyFieldKeys.java
@ -1,10 +0,0 @@
 package com.epmet.commons.openapi.constants;
 /**
 * 请求体字段key
 */
 public interface RequestBodyFieldKeys {
    String APP_ID = "appId";
 }
--- a/epmet-commons/epmet-commons-openapi/src/main/java/com/epmet/commons/openapi/constants/RequestParamKeys.java
+++ b/epmet-commons/epmet-commons-openapi/src/main/java/com/epmet/commons/openapi/constants/RequestParamKeys.java
@ -1,11 +0,0 @@
 package com.epmet.commons.openapi.constants;
 /**
 * url请求参数key
 */
 public class RequestParamKeys {
    public static String APP_ID = "app_id";
    public static String AUTH_TYPE = "auth_type";
 }
--- a/epmet-commons/epmet-commons-security/src/main/java/com/epmet/commons/security/sign/openapi/OpenApiSignUtils.java
+++ b/epmet-commons/epmet-commons-security/src/main/java/com/epmet/commons/security/sign/openapi/OpenApiSignUtils.java
@ -2,10 +2,7 @@ package com.epmet.commons.security.sign.openapi;
 import com.epmet.commons.tools.utils.Md5Util;
-import java.util.Arrays;
+import java.util.*;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 /**
 * OpenApi签名工具
@ -62,16 +59,41 @@ public class OpenApiSignUtils {
        return sb.toString();
    }
    public static void main(String[] args) {
        //generateGetAccessTokenSign();
        generateGetOrgDetailSign();
    }
    private static void generateGetAccessTokenSign() {
        long now = System.currentTimeMillis();
        System.out.println(now);
        HashMap<String, String> content = new HashMap<>();
-        content.put("orgId", "aaa");
+        content.put("appId", "7d98b8af2d05752b4225709c4cfd4bd0");
-        content.put("test", "");
+        content.put("timestamp", String.valueOf(now));
        content.put("nonce", "aaa");
        String secret = "3209ee9f41704482be1a1fb5873a25376f2899191ca846119d44168316bc3e44";
        String sign = createSign(content, secret);
        System.out.println(sign);
    }
    private static void generateGetOrgDetailSign() {
        long now = System.currentTimeMillis();
        String uuid = UUID.randomUUID().toString();
        System.out.println("时间戳:" + now);
        System.out.println("随机数:" + uuid);
        HashMap<String, String> content = new HashMap<>();
        content.put("orgId", "aaa");
        content.put("test", null);
        content.put("timestamp", String.valueOf(now));
        content.put("nonce", uuid);
        String secret = "3209ee9f41704482be1a1fb5873a25376f2899191ca846119d44168316bc3e44";
        String sign = createSign(content, secret);
        System.out.println("签名：" + sign);
    }
 }
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/exception/EpmetErrorCode.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/exception/EpmetErrorCode.java
@ -147,7 +147,9 @@ public enum EpmetErrorCode {
 	// open api异常
 	OPEN_API_SIGN_ERROR(9100, "签名错误"),
-	OPEN_API_SIGN_TOKEN_EXPIRED(9101, "Token过期");
+	OPEN_API_TOKEN_EXPIRED(9101, "Token过期"),
 	OPEN_API_PARAMS_MISSING(9102, "参数不完整"),
 	OPEN_API_PARAMS_APPID_DIFF(9103, "app_id不一致"); // app_id在请求参数中和在token中不一致
 	private int code;
 	private String msg;
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
@ -396,4 +396,14 @@ public class RedisKeys {
 	public static String getOpenApiAccessTokenKey(String accessToken) {
 		return rootPrefix.concat("openapi:accesstoken:").concat(accessToken);
 	}
 	/**
 	 * @Description 获取OpenApi请求随机数nonce
 	 * @return
 	 * @author wxz
 	 * @date 2021.03.24 17:49
 	*/
 	public static String getOpenApiNonceKey(String nonce) {
 		return rootPrefix.concat("openapi:nonce:").concat(nonce);
 	}
 }
--- a/epmet-gateway/src/main/java/com/epmet/auth/ExtAppFetchTokenAuthProcessor.java
+++ b/epmet-gateway/src/main/java/com/epmet/auth/ExtAppFetchTokenAuthProcessor.java
@ -26,25 +26,19 @@ public class ExtAppFetchTokenAuthProcessor extends ExtAppAuthProcessor {
    @Autowired
    private JwtUtils jwtTokenUtils;
    @Autowired
    private RedisUtils redisUtils;
    @Override
    public void auth(String appId, String token, Long ts, ServerWebExchange exchange) {
        // 这种方式不需要其他平台传appId，因此我们自己从redis中取
        appId = (String) redisUtils.get(RedisKeys.getOpenApiAccessTokenKey(token));
        // 1.token过期校验
        if (StringUtils.isBlank(appId)) {
-            throw new RenException(EpmetErrorCode.OPEN_API_SIGN_TOKEN_EXPIRED.getCode(),
+            throw new RenException(EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getCode(),
-                    EpmetErrorCode.OPEN_API_SIGN_TOKEN_EXPIRED.getMsg());
+                    EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getMsg());
        }
        String secret = getSecret(appId);
        if (jwtTokenUtils.isTokenExpired(jwtTokenUtils.getExpiration(token, secret))) {
-            throw new RenException(EpmetErrorCode.OPEN_API_SIGN_TOKEN_EXPIRED.getCode(),
+            throw new RenException(EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getCode(),
-                    EpmetErrorCode.OPEN_API_SIGN_TOKEN_EXPIRED.getMsg());
+                    EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getMsg());
        }
        // 2.验签
@ -53,14 +47,19 @@ public class ExtAppFetchTokenAuthProcessor extends ExtAppAuthProcessor {
        // 2. 获取claims
        Claims claims = jwtTokenUtils.getClaimByToken(token, secret);
-        appId = claims.get("appId", String.class);
+        String appIdInAccessToken = claims.get("appId", String.class);
-        if (!StringUtils.isBlank(appId)) {
+        if (!appId.equals(appIdInAccessToken)) {
            // 参数列表的appId和token中封装的不一致
            throw new RenException(EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getCode(),
                    EpmetErrorCode.OPEN_API_TOKEN_EXPIRED.getMsg());
        }
        // 3.将app_id放入header中
        ServerHttpRequest.Builder mutate = exchange.getRequest().mutate();
        mutate.header("AppId", appId);
        exchange.mutate().request(mutate.build()).build();
    }
    }
    /**
     * @Description 获取秘钥
--- a/epmet-gateway/src/main/java/com/epmet/auth/ExternalAuthProcessor.java
+++ b/epmet-gateway/src/main/java/com/epmet/auth/ExternalAuthProcessor.java
@ -4,6 +4,7 @@ import com.epmet.commons.tools.exception.EpmetErrorCode;
 import com.epmet.commons.tools.exception.ExceptionUtils;
 import com.epmet.commons.tools.exception.RenException;
 import com.epmet.filter.CpProperty;
 import com.epmet.utils.ServerHttpRequestUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -13,6 +14,7 @@ import org.springframework.http.HttpHeaders;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.server.ServerWebExchange;
 /**
@ -67,6 +69,7 @@ public class ExternalAuthProcessor extends AuthProcessor {
        for (String url : cpProperty.getExternalOpenUrls()) {
            if (antPathMatcher.match(url, requestUri)) {
                inPaths = true;
                break;
            }
        }
@ -74,6 +77,13 @@ public class ExternalAuthProcessor extends AuthProcessor {
            throw new RenException(EpmetErrorCode.ERR401.getCode(), "所请求的url并未对外部应用开放");
        }
        // 放行白名单
        for (String url : cpProperty.getExternalAuthUrlsWhiteList()) {
            if (antPathMatcher.match(url, requestUri)) {
                return exchange;
            }
        }
        HttpHeaders headers = request.getHeaders();
        String token = headers.getFirst(ACCESS_TOKEN_HEADER_KEY);
@ -99,7 +109,12 @@ public class ExternalAuthProcessor extends AuthProcessor {
                }
                md5AuthProcessor.auth(appId, token, StringUtils.isNotBlank(ts) ? new Long(ts) : null, exchange);
            } else if (APP_AUTH_TYPE_FETCH_TOKEN.equals(authType)) {
-                fetchTokenAuthProcessor.auth(null, token, StringUtils.isNotBlank(ts) ? new Long(ts) : null, exchange);
+                String paramName = "app_id";
                String appId = ServerHttpRequestUtils.getRequestParam(request, paramName);
                if (StringUtils.isBlank(appId)) {
                    throw new RenException(EpmetErrorCode.OPEN_API_PARAMS_MISSING.getCode(),"缺少参数".concat(paramName));
                }
                fetchTokenAuthProcessor.auth(appId, token, StringUtils.isNotBlank(ts) ? new Long(ts) : null, exchange);
            } else {
                throw new RenException(EpmetErrorCode.OPER_EXTERNAL_APP_AUTH_ERROR.getCode(), "未知的外部认证类型");
            }
--- a/epmet-gateway/src/main/java/com/epmet/filter/CpAuthGatewayFilterFactory.java
+++ b/epmet-gateway/src/main/java/com/epmet/filter/CpAuthGatewayFilterFactory.java
@ -10,6 +10,7 @@ import com.epmet.commons.tools.utils.IpUtils;
 import com.epmet.commons.tools.utils.Result;
 import com.epmet.constant.AuthTypeConstant;
 import com.epmet.constant.TokenHeaderKeyConstant;
 import com.epmet.utils.ServerHttpRequestUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -111,6 +112,11 @@ public class CpAuthGatewayFilterFactory extends AbstractGatewayFilterFactory<CpA
 		//	}
 		//}
 		String authType = ServerHttpRequestUtils.getRequestParam(request, RequestBodyField.);
 		if (StringUtils.isNotBlank(authType) && ExternalAuthProcessor.APP_AUTH_TYPE_FETCH_TOKEN.equals(authType)) {
 			return AuthTypeConstant.AUTH_TYPE_EXTERNAL;
 		}
 		boolean needExternal = StringUtils.isNotBlank(request.getHeaders().getFirst(TokenHeaderKeyConstant.ACCESS_TOKEN_HEADER_KEY));
 		boolean needInternal = StringUtils.isNotBlank(request.getHeaders().getFirst(TokenHeaderKeyConstant.AUTHORIZATION_TOKEN_HEADER_KEY));
--- a/epmet-gateway/src/main/java/com/epmet/filter/CpProperty.java
+++ b/epmet-gateway/src/main/java/com/epmet/filter/CpProperty.java
@ -32,6 +32,11 @@ public class CpProperty {
     */
    private List<String> externalOpenUrls;
    /**
     * 对外开放url白名单
     */
    private List<String> externalAuthUrlsWhiteList;
    /**
     * 不处理token，直接通过
     */
--- a/epmet-gateway/src/main/java/com/epmet/utils/ServerHttpRequestUtils.java
+++ b/epmet-gateway/src/main/java/com/epmet/utils/ServerHttpRequestUtils.java
@ -0,0 +1,19 @@
 package com.epmet.utils;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.util.MultiValueMap;
 public class ServerHttpRequestUtils {
    /**
     * @Description 从url中获取appId
     * @return
     * @author wxz
     * @date 2021.03.25 15:13
     */
    public static String getRequestParam(ServerHttpRequest request, String paramName) {
        MultiValueMap<String, String> queryParams = request.getQueryParams();
        return queryParams.getFirst(paramName);
    }
 }
--- a/epmet-gateway/src/main/resources/bootstrap.yml
+++ b/epmet-gateway/src/main/resources/bootstrap.yml
@ -474,6 +474,11 @@ epmet:
    - /epmetuser/customerstaff/customerlist
    - /message/template/**
    - /data/aggregator/project/projectdistribution
  # 对外开放接口认证白名单
  externalAuthUrlsWhiteList:
    - /epmet/ext/open-api/get-access-token
  swaggerUrls:
 jwt:
--- a/epmet-module/epmet-ext/epmet-ext-client/src/main/java/com/epmet/dto/form/AccessTokenFormDTO.java
+++ b/epmet-module/epmet-ext/epmet-ext-client/src/main/java/com/epmet/dto/form/AccessTokenFormDTO.java
@ -1,17 +1,12 @@
 package com.epmet.dto.form;
 import com.epmet.dto.form.openapi.OpenApiBaseFormDTO;
 import lombok.Data;
 import javax.validation.constraints.NotBlank;
@Data
-public class AccessTokenFormDTO {
+public class AccessTokenFormDTO extends OpenApiBaseFormDTO {
    public interface GetAccessTokenGroup {}
    // 签名字符串密文
    @NotBlank(message = "签名字段不能为空", groups = { GetAccessTokenGroup.class })
    private String sign;
    // 应用id
    @NotBlank(message = "AppId字段不能为空", groups = { GetAccessTokenGroup.class })
--- a/epmet-module/epmet-ext/epmet-ext-client/src/main/java/com/epmet/dto/form/openapi/OpenApiBaseFormDTO.java
+++ b/epmet-module/epmet-ext/epmet-ext-client/src/main/java/com/epmet/dto/form/openapi/OpenApiBaseFormDTO.java
@ -2,12 +2,30 @@ package com.epmet.dto.form.openapi;
 import lombok.Data;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
 /**
 * open api基础类
 */
@Data
 public class OpenApiBaseFormDTO {
    public interface GetAccessTokenGroup {}
    @NotBlank(message = "签名不能为空", groups = { GetAccessTokenGroup.class })
    private String sign;
    /**
     * 时间戳，ms
     */
    @NotNull(message = "时间戳不能为空", groups = { GetAccessTokenGroup.class })
    private Long timestamp;
    /**
     * 随机数，每次请求唯一
     */
    @NotBlank(message = "随机字段nonce不能为空", groups = { GetAccessTokenGroup.class })
    private String nonce;
 }
--- a/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/aspect/OpenApiRequestCheckAspect.java
+++ b/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/aspect/OpenApiRequestCheckAspect.java
@ -26,6 +26,7 @@ import org.springframework.web.context.request.ServletRequestAttributes;
 import javax.servlet.http.HttpServletRequest;
 import java.beans.IntrospectionException;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
@ -33,10 +34,15 @@ import java.util.Arrays;
 import java.util.Map;
 import java.util.Set;
 /**
 * OpenApi检查请求切面
 * 1.验签防止参数篡改
 * 2.timestamp+nonce防止请求重放攻击
 */
@Aspect
@Component
@Order(1)
-public class OpenApiCheckSignAspect {
+public class OpenApiRequestCheckAspect {
    @Autowired
    private RedisUtils redisUtils;
@ -53,27 +59,60 @@ public class OpenApiCheckSignAspect {
     * @date 2021.03.24 13:39
    */
    @Before("execution(* com.epmet.controller.*Controller*.*(..)) && @annotation(com.epmet.annotation.OpenApiCheckSign)")
-    public void checkSign(JoinPoint point) {
+    public void check(JoinPoint point) {
        Object[] args = point.getArgs();
        MethodSignature methodSignature = (MethodSignature) point.getSignature();
        Method method = methodSignature.getMethod();
        Parameter[] parameters = method.getParameters();
        HttpServletRequest request = getRequest();
        String appId = request.getHeader("AppId");
        for (int i = 0; i < parameters.length; i++) {
            if (parameters[i].isAnnotationPresent(RequestBody.class)) {
-                Map<String, String> argMap = null;
+                Map<String, String> argMap;
                try {
                    argMap = ConvertUtils.entityToMap(args[i]);
                } catch (Exception e) {
                    throw new RenException("验签参数转化发生异常");
                }
-                if (!OpenApiSignUtils.checkSign(argMap, getSecret(getAppId()))) {
+
                argMap.put("");
                if (!OpenApiSignUtils.checkSign(argMap, getSecret(appId))) {
                    // 验签失败
                    throw new RenException(EpmetErrorCode.OPEN_API_SIGN_ERROR.getCode());
                }
                checkRepeatRequest(argMap);
            }
        }
    }
    /**
     * 检查请求重放
     * @param argMap
     */
    void checkRepeatRequest(Map<String, String> argMap) {
        String timestampStr = argMap.get("timestamp");
        if (StringUtils.isBlank(timestampStr)) {
            throw new RenException(EpmetErrorCode.OPEN_API_PARAMS_MISSING.getCode());
        }
        long timestamp = Long.valueOf(timestampStr).longValue();
        long now = System.currentTimeMillis();
        long requestTimeDiff = 60000;
        if (Math.abs(now - timestamp) > requestTimeDiff) {
            // 只允许1分钟之内的请求，允许服务器之间时差为1分钟
            throw new RenException(String.format("请求已过时，允许时差为%s ms", requestTimeDiff));
        }
        String nonce = argMap.get("nonce");
        String nonceInCache = redisUtils.getString(RedisKeys.getOpenApiNonceKey(nonce));
        if (StringUtils.isNotBlank(nonceInCache)) {
            throw new RenException("请求重复");
        }
        //将nonce缓存到redis，有效期1分钟
        redisUtils.set(RedisKeys.getOpenApiNonceKey(nonce), "1", requestTimeDiff);
    }
    /**
     * @return
     * @Description 取secret
@ -114,12 +153,42 @@ public class OpenApiCheckSignAspect {
     * @author wxz
     * @date 2021.03.24 12:53
     */
-    public String getAppId() {
+    //public String getAppId(Parameter[] parameters, Object[] args) {
-        HttpServletRequest request = getRequest();
+    //    HttpServletRequest request = getRequest();
-        String appId = request.getHeader("AppId");
+    //    String appId = request.getHeader("AppId");
-        if (StringUtils.isBlank(appId)) {
+    //    if (StringUtils.isBlank(appId)) {
-            throw new RenException("请求头中未携带AppId");
+    //        for (int i = 0; i < parameters.length; i++) {
-        }
+    //            if (parameters[i].isAnnotationPresent(RequestBody.class)) {
-        return appId;
+    //                Object arg = args[i];
    //                try {
    //                    appId = getAppIdFromDTO(arg);
    //                } catch (IllegalAccessException e) {
    //                    e.printStackTrace();
    //                }
    //            }
    //        }
    //    }
    //    if (StringUtils.isBlank(appId)) {
    //        throw new RenException("未携带AppId");
    //    }
    //    return appId;
    //}
    //private String getAppIdFromDTO(Object dto) throws IllegalAccessException {
    //    Field[] declaredFields = dto.getClass().getDeclaredFields();
    //    for (int i = 0; i < declaredFields.length; i++) {
    //        Field field = declaredFields[i];
    //        String fieldName = field.getName();
    //        if ("appId".equals(fieldName)) {
    //            field.setAccessible(true);
    //            String value = (String) field.get(dto);
    //            return value;
    //        }
    //    }
    //    return null;
    //}
    public static void main(String[] args) {
        System.out.println(System.currentTimeMillis());
    }
 }
--- a/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/controller/OpenApiAccessTokenController.java
+++ b/epmet-module/epmet-ext/epmet-ext-server/src/main/java/com/epmet/controller/OpenApiAccessTokenController.java
@ -1,5 +1,6 @@
 package com.epmet.controller;
 import com.epmet.annotation.OpenApiCheckSign;
 import com.epmet.commons.security.sign.openapi.OpenApiSignUtils;
 import com.epmet.commons.tools.exception.EpmetErrorCode;
 import com.epmet.commons.tools.exception.ExceptionUtils;
@ -10,6 +11,7 @@ import com.epmet.commons.tools.utils.ConvertUtils;
 import com.epmet.commons.tools.utils.Result;
 import com.epmet.commons.tools.validator.ValidatorUtils;
 import com.epmet.dto.form.AccessTokenFormDTO;
 import com.epmet.dto.form.openapi.OpenApiBaseFormDTO;
 import com.epmet.feign.EpmetCommonServiceOpenFeignClient;
 import com.epmet.service.OpenApiAccessTokenService;
 import org.apache.commons.lang3.StringUtils;
@ -45,10 +47,11 @@ public class OpenApiAccessTokenController {
     * @author wxz
     * @date 2021.03.23 09:52
    */
    @OpenApiCheckSign
    @PostMapping("get-access-token")
    public Result<String> getAccessToken(@RequestBody AccessTokenFormDTO input) {
        // 1.校验参数
-        ValidatorUtils.validateEntity(input);
+        ValidatorUtils.validateEntity(input, OpenApiBaseFormDTO.GetAccessTokenGroup.class);
        String appId = input.getAppId();
        // 2.取secret
@ -65,21 +68,6 @@ public class OpenApiAccessTokenController {
            redisUtils.set(RedisKeys.getExternalAppSecretKey(appId), secret);
        }
        // 3.验签
        try {
            if (!OpenApiSignUtils.checkSign(ConvertUtils.entityToMap(input), secret)) {
                throw new RenException(EpmetErrorCode.OPEN_API_SIGN_ERROR.getCode(), EpmetErrorCode.OPEN_API_SIGN_ERROR.getMsg());
            }
        } catch (RenException e) {
            // 如果是自己抛出的异常则继续抛出
            throw e;
        } catch (Exception e) {
            // 是其他意外发生的异常
            String errorStackTrace = ExceptionUtils.getErrorStackTrace(e);
            logger.error("验签发生未知异常:{}", errorStackTrace);
            throw new RenException("验签发生未知异常，请查看ext服务详细日志");
        }
        //4.生成token
        String accessToken = openApiAccessTokenService.getAccessToken(appId, secret);
        return new Result<String>().ok(accessToken);