
运营端-越权

dev
wangxianzhang 3 years ago
parent
commit
7de7df2492
  1. 8
      epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
  2. 56
      epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java

8
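--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
@@ -898,4 +898,12 @@ public class RedisKeys {
 public static String operResourcesByUserId(String operId) {
 return rootPrefix.concat("oper:access:resources:").concat(operId);
 }
+/**
+* 获取需要检查的资源url
+* @return
+*/
+public static String getOperExamineResourceUrls() {
+return rootPrefix.concat("oper:access:examineresources");
+}
 }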
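Review bot: The Javadoc on getOperExamineResourceUrls leaves `@return` empty, and the summary line does not say that this is a cache key rather than the URL list itself. Since the gateway's authorization decision depends on what is stored under this key, the doc should make that explicit, e.g. `@return the Redis key under which the list of operator resource URLs requiring a permission check is cached`. A one-line note that the key carries no per-user suffix (unlike operResourcesByUserId above) would also help the next maintainer.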

56
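--- a/epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java
+++ b/epmet-gateway/src/main/java/com/epmet/auth/InternalAuthProcessor.java
@@ -1,11 +1,20 @@
 package com.epmet.auth;
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.TypeReference;
 import com.epmet.commons.tools.constant.AppClientConstant;
 import com.epmet.commons.tools.constant.Constant;
+import com.epmet.commons.tools.dto.form.HasOperPermissionFormDTO;
+import com.epmet.commons.tools.dto.result.OperResouce;
 import com.epmet.commons.tools.exception.EpmetErrorCode;
+import com.epmet.commons.tools.exception.EpmetException;
 import com.epmet.commons.tools.exception.RenException;
+import com.epmet.commons.tools.feign.CommonOperAccessOpenFeignClient;
+import com.epmet.commons.tools.redis.RedisKeys;
+import com.epmet.commons.tools.redis.RedisUtils;
 import com.epmet.commons.tools.security.dto.BaseTokenDto;
 import com.epmet.commons.tools.utils.CpUserDetailRedis;
+import com.epmet.commons.tools.utils.Result;
 import com.epmet.filter.CpProperty;
 import com.epmet.jwt.JwtTokenUtils;
 import io.jsonwebtoken.Claims;
@@ -15,12 +24,14 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.web.server.ServerWebExchange;
 import java.util.Date;
+import java.util.List;
 /**
 * 内部认证处理器
@@ -41,6 +52,12 @@ public class InternalAuthProcessor extends AuthProcessor {
 @Autowired
 private CpProperty cpProperty;
+@Autowired
+private CommonOperAccessOpenFeignClient operAccessOpenFeignClient;
+@Autowired
+private RedisUtils redisUtils;
 @Override
 public ServerWebExchange auth(ServerWebExchange exchange, GatewayFilterChain chain) {
 ServerHttpRequest request = exchange.getRequest();
@@ -104,10 +121,49 @@ public class InternalAuthProcessor extends AuthProcessor {
 builder.header(AppClientConstant.CUSTOMER_ID, customerId);
 }
+// 针对运营端的url拦截和校验
+if (AppClientConstant.APP_OPER.equals(app)) {
+HttpMethod method = request.getMethod();
+Boolean hasAccess = checkRequestOperResource(requestUri, method.toString());
+if (!hasAccess) {
+throw new EpmetException(EpmetErrorCode.EPMET_COMMON_OPERATION_FAIL.getCode(), "资源未授权", "资源未授权");
+}
+}
 ServerHttpRequest shr = builder.build();
 return exchange.mutate().request(shr).build();
 }
+/**
+* 校验运营端用户是否有权访问该资源
+* @param uri
+* @param method
+* @return
+*/
+private Boolean checkRequestOperResource(String uri, String method) {
+String resourceJsonString = (String)redisUtils.get(RedisKeys.getOperExamineResourceUrls());
+List<OperResouce> resources = JSON.parseObject(resourceJsonString, new TypeReference<List<OperResouce>>() {});
+for (OperResouce resource : resources) {
+if (antPathMatcher.match(resource.getResourceUrl(), uri)
+&& resource.getResourceMethod().equals(method)) {
+//需要校验权限的url
+HasOperPermissionFormDTO form = new HasOperPermissionFormDTO();
+form.setUri(uri);
+form.setMethod(method);
+Result result = operAccessOpenFeignClient.hasOperPermission(form);
+if (result == null || !result.success()) {
+return false;
+}
+return true;
+}
+}
+// 如果当前请求url不需要校验权限,那么返回true
+return true;
+}
 /**
 * 是否需要认证
 * @param requestUri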
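Review bot: In checkRequestOperResource a missing cache entry is not handled: when `redisUtils.get(RedisKeys.getOperExamineResourceUrls())` yields null, `JSON.parseObject` returns null and the for-each over `resources` throws a NullPointerException, so the operator check ends in an unhandled error rather than a deliberate decision; adding `if (resources == null) { return false; }` before the loop makes the gateway fail closed and reach the existing "资源未授权" path. The same choice deserves an explicit statement for an empty list, which today lets every operator URL through because no entry matches and the trailing `return true` runs. `resource.getResourceMethod().equals(method)` also throws if a cached resource has no method; `method.equals(resource.getResourceMethod())` is null-safe since `method` comes from `HttpMethod.toString()`. In `auth`, `request.getMethod()` is dereferenced without a null check, which matters if the Spring version in use returns null for non-standard methods; that enclosing method starts outside the hunk. A primitive `boolean` return type would also remove the unboxing in `if (!hasAccess)`.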
