feat: 限制只有application/json格式的接口才支持加解密、签名

Author: luckyQing

README.md

@@ -229,8 +229,8 @@ sign = RSA签名签名(AES加密(head的json串) + AES加密(body json串))
 ```
 
 # 五、错误码
-所属模块 | code | message
----| ---|---
+所属模块 | code   | message
+---|--------|---
 basic-service-user | 100001 | 账号不存在
 basic-service-user | 100002 | 用户被禁用
 basic-service-user | 100003 | 用户已被删除
@@ -256,6 +256,9 @@ support-service-gateway | 400011 | 请求时间戳格式错误
 support-service-gateway | 400012 | 请求时间戳非法
 support-service-gateway | 400013 | security key过期
 support-service-gateway | 400014 | AES key获取失败
+support-service-gateway | 400015 | 命中黑名单列表，禁止访问
+support-service-gateway | 400016 | 不在白名单中，禁止访问
+support-service-gateway | 400017 | 不支持数据安全
 
 # FAQ
 ## spring cloud gateway集成openfeign启动时卡死

application-module/api-ac-core/src/main/java/org/smartframework/cloud/examples/api/ac/core/util/ApiMetaUtil.java

@@ -90,12 +90,14 @@ public ApiMetaFetchRespVO collectApiMetas() {
             String[] urlTails = getUrlTails(method);
             for (String urlTail : urlTails) {
                 String urlCode = getUrlCode(urlHeader, urlTail);
+                DataSecurityMetaRespVO dataSecurityMeta = buildDataSecurityMeta(method);
+                RepeatSubmitCheckMetaRespVO repeatSubmitCheckMeta = buildRepeatSubmitCheckMeta(method);
 
                 ApiAccessMetaRespVO apiAccessMeta = new ApiAccessMetaRespVO();
-                apiAccessMeta.setAuthMeta(buildAuthMeta(method));
-                apiAccessMeta.setDataSecurityMeta(buildDataSecurityMeta(method));
-                apiAccessMeta.setRepeatSubmitCheckMeta(buildRepeatSubmitCheckMeta(method));
+                apiAccessMeta.setDataSecurityMeta(dataSecurityMeta);
+                apiAccessMeta.setRepeatSubmitCheckMeta(repeatSubmitCheckMeta);
                 apiAccessMeta.setRequestValidMillis(getRequestValidMillis(method));
+                apiAccessMeta.setAuthMeta(buildAuthMeta(method, repeatSubmitCheckMeta.getCheck(), dataSecurityMeta));
                 apiAccessMap.put(urlCode, apiAccessMeta);
             }
         }
@@ -161,18 +163,45 @@ private DataSecurityMetaRespVO buildDataSecurityMeta(Method method) {
      * @param method
      * @return
      */
-    private AuthMetaRespVO buildAuthMeta(Method method) {
+    private AuthMetaRespVO buildAuthMeta(Method method, boolean resubmitCheck, DataSecurityMetaRespVO dataSecurityMetaRespVO) {
         RequirePermissions requirePermissions = method.getAnnotation(RequirePermissions.class);
         RequireRoles requireRoles = method.getAnnotation(RequireRoles.class);
         RequireUser requireUser = method.getAnnotation(RequireUser.class);
 
         AuthMetaRespVO authMeta = new AuthMetaRespVO();
-        authMeta.setRequireUser(requireUser != null);
+        authMeta.setRequireUser(isRequireUser(requirePermissions, requireRoles, requireUser, resubmitCheck, dataSecurityMetaRespVO));
         authMeta.setRequireRoles((requireRoles != null) ? requireRoles.value() : new String[0]);
         authMeta.setRequirePermissions((requirePermissions != null) ? requirePermissions.value() : new String[0]);
         return authMeta;
     }
 
+    /**
+     * 是否需要登录校验
+     *
+     * @param requirePermissions
+     * @param requireRoles
+     * @param requireUser
+     * @param resubmitCheck
+     * @param dataSecurityMetaRespVO
+     * @return
+     */
+    private boolean isRequireUser(RequirePermissions requirePermissions, RequireRoles requireRoles, RequireUser requireUser,
+                                  boolean resubmitCheck, DataSecurityMetaRespVO dataSecurityMetaRespVO) {
+        if (requirePermissions != null || requireRoles != null || requireUser != null) {
+            return true;
+        }
+
+        if (resubmitCheck) {
+            return true;
+        }
+
+        if (dataSecurityMetaRespVO.getRequestDecrypt() || dataSecurityMetaRespVO.getResponseEncrypt()) {
+            return true;
+        }
+
+        return dataSecurityMetaRespVO.getSign() != SignType.NONE.getType();
+    }
+
     private Set<Method> getAllApiMethods(Reflections reflections) {
         Set<Method> allMappingSet = new HashSet<>();
         allMappingSet.addAll(reflections.getMethodsAnnotatedWith(RequestMapping.class));

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/cache/ApiAccessMetaCache.java

@@ -157,11 +157,6 @@ private void initRepeatSubmitCheck(RepeatSubmitCheckMetaRespVO repeatSubmitCheck
         }
     }
 
-    @JsonIgnore
-    public boolean isAuth() {
-        return requiresUser || requiresRoles.size() > 0 || requiresPermissions.size() > 0;
-    }
-
     @JsonIgnore
     public boolean isDataSecurity() {
         return requestDecrypt || responseEncrypt || signType != SignType.NONE.getType();

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/constants/GatewayReturnCodes.java

@@ -54,7 +54,7 @@ public interface GatewayReturnCodes {
      */
     String LOGIN_CACHE_MISSING = "400009";
     /**
-     * 请求时间戳为空
+     * 请求时间戳不能为空
      */
     String REQUEST_TIMESTAMP_MISSING = "400010";
     /**
@@ -81,5 +81,9 @@ public interface GatewayReturnCodes {
      * 不在白名单中，禁止访问
      */
     String NOT_IN_WHITE_LIST = "400016";
+    /**
+     * 不支持数据安全
+     */
+    String NOT_SUPPORT_DATA_SECURITY = "400017";
 
 }

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/exception/BlackListException.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright © 2019 collin (1634753825@qq.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.smartframework.cloud.examples.support.gateway.exception;
 
 import io.github.smart.cloud.exception.BaseException;

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/exception/UnsupportedFunctionException.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright © 2019 collin (1634753825@qq.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.smartframework.cloud.examples.support.gateway.exception;
+
+import io.github.smart.cloud.exception.BaseException;
+
+/**
+ * 不支持的功能
+ *
+ * @author collin
+ * @date 2024-04-10
+ */
+public class UnsupportedFunctionException extends BaseException {
+
+    public UnsupportedFunctionException(String code) {
+        super(code);
+    }
+
+}

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/exception/WhiteListException.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright © 2019 collin (1634753825@qq.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.smartframework.cloud.examples.support.gateway.exception;
 
 import io.github.smart.cloud.exception.BaseException;

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/access/BlackWhiteListFilter.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright © 2019 collin (1634753825@qq.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.smartframework.cloud.examples.support.gateway.filter.access;
 
 import lombok.RequiredArgsConstructor;

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/access/core/AuthFilter.java

@@ -80,8 +80,8 @@ public int getOrder() {
     @Override
     protected Mono<Void> innerFilter(ServerWebExchange exchange, WebFilterChain chain, FilterContext filterContext) {
         ApiAccessMetaCache apiAccessMetaCache = filterContext.getApiAccessMetaCache();
-        // 判断是否需要登陆、鉴权
-        if (!apiAccessMetaCache.isAuth()) {
+        // 判断是否需要登陆校验
+        if (!apiAccessMetaCache.isRequiresUser()) {
             return chain.filter(exchange);
         }
 

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/access/core/RepeatSubmitCheckFilter.java

@@ -15,12 +15,15 @@
  */
 package org.smartframework.cloud.examples.support.gateway.filter.access.core;
 
+import io.github.smart.cloud.exception.DataValidateException;
 import io.github.smart.cloud.exception.RepeatSubmitException;
 import io.github.smart.cloud.utility.security.Md5Util;
 import lombok.RequiredArgsConstructor;
+import org.apache.commons.lang3.StringUtils;
 import org.redisson.api.RLock;
 import org.redisson.api.RedissonClient;
 import org.smartframework.cloud.examples.support.gateway.cache.ApiAccessMetaCache;
+import org.smartframework.cloud.examples.support.gateway.constants.GatewayReturnCodes;
 import org.smartframework.cloud.examples.support.gateway.constants.Order;
 import org.smartframework.cloud.examples.support.gateway.filter.FilterContext;
 import org.smartframework.cloud.examples.support.gateway.filter.access.AbstractFilter;
@@ -52,6 +55,11 @@ protected Mono<Void> innerFilter(ServerWebExchange exchange, WebFilterChain chai
         if (!apiAccessMetaCache.isRepeatSubmitCheck()) {
             return chain.filter(exchange);
         }
+
+        if (StringUtils.isBlank(filterContext.getToken())) {
+            throw new DataValidateException(GatewayReturnCodes.TOKEN_MISSING);
+        }
+
         ServerHttpRequest request = exchange.getRequest();
 
         StringBuilder key = new StringBuilder();

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/access/core/datasecurity/DataSecurityFilter.java

@@ -22,10 +22,10 @@
 import org.smartframework.cloud.examples.support.gateway.cache.ApiAccessMetaCache;
 import org.smartframework.cloud.examples.support.gateway.constants.GatewayReturnCodes;
 import org.smartframework.cloud.examples.support.gateway.constants.Order;
+import org.smartframework.cloud.examples.support.gateway.exception.UnsupportedFunctionException;
 import org.smartframework.cloud.examples.support.gateway.filter.FilterContext;
 import org.smartframework.cloud.examples.support.gateway.filter.access.AbstractFilter;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.MediaType;
+import org.smartframework.cloud.examples.support.gateway.util.RewriteHttpUtil;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebFilterChain;
@@ -55,43 +55,20 @@ protected Mono<Void> innerFilter(ServerWebExchange exchange, WebFilterChain chai
             return chain.filter(exchange);
         }
 
+        if (!RewriteHttpUtil.isSupported(exchange.getRequest().getHeaders().getContentType())) {
+            throw new UnsupportedFunctionException(GatewayReturnCodes.NOT_SUPPORT_DATA_SECURITY);
+        }
+
         String token = filterContext.getToken();
         if (StringUtils.isBlank(token)) {
             throw new ParamValidateException(GatewayReturnCodes.TOKEN_MISSING);
         }
 
-        HttpMethod httpMethod = exchange.getRequest().getMethod();
-        MediaType contentType = exchange.getRequest().getHeaders().getContentType();
-        if (!match(contentType, httpMethod)) {
-            return chain.filter(exchange);
-        }
-
         return chain.filter(exchange.mutate()
                 .request(new DataSecurityServerHttpRequestDecorator(exchange.getRequest(), exchange.getResponse().bufferFactory(), token, apiAccessMetaCache.isRequestDecrypt(),
                         apiAccessMetaCache.getSignType(), redisAdapter))
                 .response(new DataSecurityServerHttpResponseDecorator(exchange.getResponse(), apiAccessMetaCache.isResponseEncrypt(), apiAccessMetaCache.getSignType()))
                 .build());
     }
 
-    /**
-     * 加解密、签名匹配条件
-     *
-     * @param contentType
-     * @param httpMethod
-     * @return
-     */
-    private boolean match(MediaType contentType, HttpMethod httpMethod) {
-        if (contentType == null) {
-            return false;
-        }
-
-        String contentTypeStr = contentType.toString();
-        if (!StringUtils.containsAny(contentTypeStr, MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)) {
-            return false;
-        }
-
-        // GET、POST以外的请求不做加解密、签名处理
-        return httpMethod == HttpMethod.GET || httpMethod == HttpMethod.POST;
-    }
-
 }

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/access/core/datasecurity/DataSecurityServerHttpResponseDecorator.java

@@ -50,7 +50,7 @@ public Mono<Void> writeAndFlushWith(Publisher<? extends Publisher<? extends Data
     public Mono<Void> writeWith(Publisher<? extends DataBuffer> body) {
         // TODO:
         final MediaType contentType = super.getHeaders().getContentType();
-        if (RewriteHttpUtil.isReadable(contentType)) {
+        if (RewriteHttpUtil.isSupported(contentType)) {
             DataBufferFactory dataBufferFactory = super.bufferFactory();
             if (body instanceof Mono) {
                 ((Mono<DataBuffer>) body).subscribe(buffer -> {

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/rewrite/RewriteServerHttpRequestDecorator.java

@@ -40,7 +40,7 @@ public class RewriteServerHttpRequestDecorator extends ServerHttpRequestDecorato
     RewriteServerHttpRequestDecorator(ServerHttpRequest request, DataBufferFactory dataBufferFactory) {
         super(request);
         Flux<DataBuffer> flux = super.getBody();
-        if (RewriteHttpUtil.isReadable(super.getHeaders().getContentType())) {
+        if (RewriteHttpUtil.isSupported(super.getHeaders().getContentType())) {
             this.body = super.getBody().map(dataBuffer -> {
                 byte[] bytes = RewriteHttpUtil.convert(dataBuffer);
                 this.bodyStr = new String(bytes, StandardCharsets.UTF_8);

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/filter/rewrite/RewriteServerHttpResponseDecorator.java

@@ -52,7 +52,7 @@ public Mono<Void> writeAndFlushWith(Publisher<? extends Publisher<? extends Data
     @Override
     public Mono<Void> writeWith(Publisher<? extends DataBuffer> body) {
         final MediaType contentType = super.getHeaders().getContentType();
-        if (RewriteHttpUtil.isReadable(contentType)) {
+        if (RewriteHttpUtil.isSupported(contentType)) {
             DataBufferFactory dataBufferFactory = super.bufferFactory();
             if (body instanceof Mono) {
                 ((Mono<DataBuffer>) body).subscribe(buffer -> {

application-module/support-module/support-service-gateway/src/main/java/org/smartframework/cloud/examples/support/gateway/util/RewriteHttpUtil.java

@@ -31,12 +31,12 @@ private RewriteHttpUtil() {
     }
 
     /**
-     * 是否可读
+     * 是否支持
      *
      * @param contentType
      * @return
      */
-    public static boolean isReadable(MediaType contentType) {
+    public static boolean isSupported(MediaType contentType) {
         return contentType != null && contentType.includes(MediaType.APPLICATION_JSON);
     }
 

application-module/support-module/support-service-gateway/src/main/resources/i18n/gateway_messages.properties

@@ -13,4 +13,5 @@
 400013=security key\u8FC7\u671F\uFF01
 400014=AES key\u83B7\u53D6\u5931\u8D25\uFF01
 400015=\u547D\u4E2D\u9ED1\u540D\u5355\u5217\u8868\uFF0C\u7981\u6B62\u8BBF\u95EE
-400016=\u4E0D\u5728\u767D\u540D\u5355\u4E2D\uFF0C\u7981\u6B62\u8BBF\u95EE
+400016=\u4E0D\u5728\u767D\u540D\u5355\u4E2D\uFF0C\u7981\u6B62\u8BBF\u95EE
+400017=\u53EA\u6709application/json\u624D\u652F\u6301\u63A5\u53E3\u7B7E\u540D\u6821\u9A8C\u3001\u52A0\u89E3\u5BC6

application-module/support-module/support-service-gateway/src/main/resources/i18n/gateway_messages_en_US.properties

@@ -13,4 +13,5 @@
 400013=Security key expired!
 400014=AES key is not found!
 400015=Matches the blacklist list, and the access is prohibited
-400016=The access is not in the whitelist
+400016=The access is not in the whitelist
+400017=Only application/json supports interface signature verification, encryption and decryption

application-module/support-module/support-service-gateway/src/main/resources/i18n/gateway_messages_zh_CN.properties

@@ -13,4 +13,5 @@
 400013=security key\u8FC7\u671F\uFF01
 400014=AES key\u83B7\u53D6\u5931\u8D25\uFF01
 400015=\u547D\u4E2D\u9ED1\u540D\u5355\u5217\u8868\uFF0C\u7981\u6B62\u8BBF\u95EE
-400016=\u4E0D\u5728\u767D\u540D\u5355\u4E2D\uFF0C\u7981\u6B62\u8BBF\u95EE
+400016=\u4E0D\u5728\u767D\u540D\u5355\u4E2D\uFF0C\u7981\u6B62\u8BBF\u95EE
+400017=\u53EA\u6709application/json\u624D\u652F\u6301\u63A5\u53E3\u7B7E\u540D\u6821\u9A8C\u3001\u52A0\u89E3\u5BC6