@@ -5,6 +5,7 @@ import com.alibaba.fastjson.JSONObject; |
|
|
|
import com.alibaba.fastjson.serializer.SerializerFeature; |
|
|
|
import com.auth0.jwt.JWT; |
|
|
|
import com.auth0.jwt.interfaces.DecodedJWT; |
|
|
|
import com.tuoheng.gateway.model.AuthoritiesDto; |
|
|
|
import com.tuoheng.gateway.model.ClientUserRoleDto; |
|
|
|
import com.tuoheng.gateway.utils.EncryptUtil; |
|
|
|
import com.tuoheng.gateway.utils.GatewayUrlPathUtil; |
|
|
@@ -24,6 +25,7 @@ import reactor.core.publisher.Mono; |
|
|
|
|
|
|
|
import java.nio.charset.StandardCharsets; |
|
|
|
import java.util.*; |
|
|
|
import java.util.stream.Collectors; |
|
|
|
|
|
|
|
|
|
|
|
@Configuration |
|
|
@@ -46,41 +48,50 @@ public class GatewayFilterConfig implements GlobalFilter, Ordered { |
|
|
|
String token = getToken(exchange); |
|
|
|
String username = null; |
|
|
|
Long oUserId = null; |
|
|
|
List<String> authorityList = new ArrayList<>(); |
|
|
|
List<AuthoritiesDto> authorityList = new ArrayList<>(); |
|
|
|
List<ClientUserRoleDto> clientUserRoleDtoList = new ArrayList<>(); |
|
|
|
if (!StringUtils.isBlank(token)) { |
|
|
|
//token数据解析 |
|
|
|
DecodedJWT decodedJWT = JWT.decode(token); |
|
|
|
username = decodedJWT.getClaim(USERNAME).asString(); |
|
|
|
oUserId = decodedJWT.getClaim(OUSERID).asLong(); |
|
|
|
authorityList = decodedJWT.getClaim(SCOPE).asList(String.class); |
|
|
|
authorityList = decodedJWT.getClaim(SCOPE).asList(AuthoritiesDto.class); |
|
|
|
String str = decodedJWT.getClaim(CLIENTROLELIST).asString(); |
|
|
|
clientUserRoleDtoList = JSONArray.parseArray(str, ClientUserRoleDto.class);; |
|
|
|
clientUserRoleDtoList = JSONArray.parseArray(str, ClientUserRoleDto.class); |
|
|
|
} |
|
|
|
//header里封装 Client-Id 信息 |
|
|
|
String clientId = getClientId(exchange); |
|
|
|
log.info("clientId is :{}", clientId); |
|
|
|
if(!StringUtils.isEmpty(clientId)){ |
|
|
|
if (!StringUtils.isEmpty(clientId)) { |
|
|
|
//校验过期/禁用给出提示信息 |
|
|
|
List<AuthoritiesDto> authoritiesDtos = authorityList.stream().filter(item -> item.getAuthority().equals(clientId)).limit(1).collect(Collectors.toList()); |
|
|
|
if (0 == authoritiesDtos.get(0).getStatus()) { |
|
|
|
return disableClientIdMono(exchange); |
|
|
|
} |
|
|
|
List<ClientUserRoleDto> clientUserRoleDtos = clientUserRoleDtoList.stream().filter(item -> item.getClientId().equals(clientId)).limit(1).collect(Collectors.toList()); |
|
|
|
if (0 != clientUserRoleDtos.get(0).getStatus()) { |
|
|
|
return expireClientIdMono(exchange); |
|
|
|
} |
|
|
|
String requestUrl = exchange.getRequest().getPath().value(); |
|
|
|
//去除gateway path 前缀 |
|
|
|
String apiUrl = requestUrl.replace(GatewayUrlPathUtil.getPathByClientId(clientId),""); |
|
|
|
String apiUrl = requestUrl.replace(GatewayUrlPathUtil.getPathByClientId(clientId), ""); |
|
|
|
log.info("requestUrl is :{}; apiUrl is :{}", requestUrl, apiUrl); |
|
|
|
List<Integer> roleIds = GatewayUrlPathUtil.getRoleIdByApiUrlPermission(clientId, apiUrl, token); |
|
|
|
log.info("roleIds is :{}", roleIds); |
|
|
|
//return invalidClientIdMono(exchange); |
|
|
|
if(roleIds.size() > 0){ |
|
|
|
if (roleIds.size() > 0) { |
|
|
|
//说明这个url 需要一定的角色才可以访问 |
|
|
|
//在不是admin权限的情况下进行校验 |
|
|
|
log.info("该接口存在权限..."); |
|
|
|
if(!authorityList.contains(ADMIN)){ |
|
|
|
if (!authorityList.contains(ADMIN)) { |
|
|
|
//获取用户 client_id 对应的 roleId |
|
|
|
ClientUserRoleDto clientUserRoleDto = clientUserRoleDtoList.stream().filter(dto -> dto.getClientId().equals(clientId)) |
|
|
|
.findFirst().orElse(null); |
|
|
|
if(Objects.isNull(clientUserRoleDto)){ |
|
|
|
if (Objects.isNull(clientUserRoleDto)) { |
|
|
|
return forbiddenTokenMono(exchange); |
|
|
|
} |
|
|
|
Integer roleId = clientUserRoleDto.getRoleId(); |
|
|
|
if(!roleIds.contains(roleId)){ |
|
|
|
if (!roleIds.contains(roleId)) { |
|
|
|
return forbiddenTokenMono(exchange); |
|
|
|
} |
|
|
|
} |
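Review bot: `authoritiesDtos.get(0)` and `clientUserRoleDtos.get(0)` throw IndexOutOfBoundsException whenever the token carries no AuthoritiesDto / ClientUserRoleDto entry for the requested clientId (including the blank-token case, where both lists stay empty), so a request against a client the user is not entitled to ends in an unhandled 500 instead of the 403 that the later `Objects.isNull(clientUserRoleDto)` branch clearly intends; the `limit(1).collect(...)` + `get(0)` pairs should become `findFirst()` with an explicit deny, and `clientId.equals(item.getAuthority())` avoids an NPE on a null authority since clientId is known non-empty here. Related: `authorityList.contains(ADMIN)` now compares a `List<AuthoritiesDto>` against what the old code treated as a String element, so unless AuthoritiesDto.equals accepts a String the admin shortcut can never match and every admin request falls through to the role check — fail-closed, but presumably not intended. The new disable/expire decisions also read `status` from claims of a token obtained via `JWT.decode`, which does not verify the signature; if verification happens elsewhere (not visible in this hunk) that is fine, otherwise these checks rest on forgeable claims. The enclosing filter method starts and ends outside this hunk.
```java
if (!StringUtils.isEmpty(clientId)) {
    // Deny (403) when the token has no entry for this clientId instead of
    // letting get(0) throw on an empty filtered list.
    Optional<AuthoritiesDto> authority = authorityList.stream()
            .filter(item -> clientId.equals(item.getAuthority()))
            .findFirst();
    if (!authority.isPresent()) {
        return forbiddenTokenMono(exchange);
    }
    if (0 == authority.get().getStatus()) {
        return disableClientIdMono(exchange);
    }
    Optional<ClientUserRoleDto> clientRole = clientUserRoleDtoList.stream()
            .filter(item -> clientId.equals(item.getClientId()))
            .findFirst();
    if (!clientRole.isPresent()) {
        return forbiddenTokenMono(exchange);
    }
    if (0 != clientRole.get().getStatus()) {
        return expireClientIdMono(exchange);
    }
    // … unchanged: gateway path stripping and role-based permission check …
```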
|
|
@@ -162,6 +173,28 @@ public class GatewayFilterConfig implements GlobalFilter, Ordered { |
|
|
|
return buildReturnMono(json, exchange, HttpStatus.UNAUTHORIZED); |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* 401 禁用 |
|
|
|
*/ |
|
|
|
private Mono<Void> disableClientIdMono(ServerWebExchange exchange) { |
|
|
|
JSONObject json = new JSONObject(); |
|
|
|
json.put("code", HttpStatus.UNAUTHORIZED.value()); |
|
|
|
json.put("msg", "该账号已被禁用,请联系系统管理员"); |
|
|
|
json.put("data", null); |
|
|
|
return buildReturnMono(json, exchange, HttpStatus.UNAUTHORIZED); |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* 401 过期 |
|
|
|
*/ |
|
|
|
private Mono<Void> expireClientIdMono(ServerWebExchange exchange) { |
|
|
|
JSONObject json = new JSONObject(); |
|
|
|
json.put("code", HttpStatus.UNAUTHORIZED.value()); |
|
|
|
json.put("msg", "系统有效期已过,请联系系统管理员"); |
|
|
|
json.put("data", null); |
|
|
|
return buildReturnMono(json, exchange, HttpStatus.UNAUTHORIZED); |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* 403 未授权的token |
|
|
|
*/ |
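Review bot: Both new responses use `HttpStatus.UNAUTHORIZED` (401) for a caller whose token is accepted but whose account is disabled or whose client subscription has expired; 401 conventionally means "authenticate", so clients may loop on re-login, and 403 FORBIDDEN (the status the existing `forbiddenTokenMono` uses for the parallel authorization failure) fits these cases better — worth confirming against the frontend contract before changing. The two methods are also byte-for-byte copies apart from the message string; a shared helper taking the message (and status) keeps the JSON envelope in one place, as sketched below. The Javadoc on each would be more useful stating when the filter emits it, e.g. `/** Response when the AuthoritiesDto for the requested clientId has status 0 (disabled). */`.
```java
/** Builds the standard error envelope for a rejected request. */
private Mono<Void> rejectMono(ServerWebExchange exchange, HttpStatus status, String msg) {
    JSONObject json = new JSONObject();
    json.put("code", status.value());
    json.put("msg", msg);
    json.put("data", null);
    return buildReturnMono(json, exchange, status);
}

/** Response when the AuthoritiesDto for the requested clientId has status 0 (disabled). */
private Mono<Void> disableClientIdMono(ServerWebExchange exchange) {
    return rejectMono(exchange, HttpStatus.UNAUTHORIZED, "该账号已被禁用,请联系系统管理员");
}

/** Response when the ClientUserRoleDto for the requested clientId has a non-zero status (expired). */
private Mono<Void> expireClientIdMono(ServerWebExchange exchange) {
    return rejectMono(exchange, HttpStatus.UNAUTHORIZED, "系统有效期已过,请联系系统管理员");
}
```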