
Merge branch 'develop' into release

pull/121/head
xiaoying 1 year ago
parent
commit
2d92753b70
11 changed files with 114 additions and 10 deletions
  1. +9
    -0
      src/main/java/com/tuoheng/gateway/commons/CommonsConfig.java
  2. +42
    -8
      src/main/java/com/tuoheng/gateway/config/GatewayFilterConfig.java
  3. +3
    -0
      src/main/java/com/tuoheng/gateway/config/WebSecurityConfig.java
  4. +6
    -0
      src/main/java/com/tuoheng/gateway/constants/AuthorityConstant.java
  5. +4
    -0
      src/main/java/com/tuoheng/gateway/constants/PermitPathConstant.java
  6. +17
    -0
      src/main/java/com/tuoheng/gateway/model/AuthoritiesDto.java
  7. +0
    -1
      src/main/java/com/tuoheng/gateway/model/ClientUserRoleDto.java
  8. +9
    -0
      src/main/java/com/tuoheng/gateway/utils/GatewayUrlPathUtil.java
  9. +9
    -1
      src/main/resources/application-dev.yml
  10. +7
    -0
      src/main/resources/application-prod.yml
  11. +8
    -0
      src/main/resources/application-test.yml

+ 9
- 0
src/main/java/com/tuoheng/gateway/commons/CommonsConfig.java

@@ -41,6 +41,10 @@ public class CommonsConfig {
* 电信城管权限接口地址
*/
public static String telecomumalePermissionUrl;
/**
* 周界警戒控制系统接口地址
*/
public static String alertPermissionUrl;


@Value("${tuoheng.hhz-admin-perUrl}")
@@ -73,4 +77,9 @@ public class CommonsConfig {
telecomumalePermissionUrl = url;
}

@Value("${tuoheng.alert-admin-perUrl}")
public void setAlertPermissionUrl(String url) {
alertPermissionUrl = url;
}

}
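Review bot: The new `@Value("${tuoheng.alert-admin-perUrl}")` setter at the end of CommonsConfig has no default, and the application-prod.yml section of this commit does not show that key being added (dev and test do), so placeholder resolution would likely fail at start-up under the prod profile unless the key is defined elsewhere. Prefer adding `alert-admin-perUrl` to application-prod.yml over defaulting it to empty, because GatewayUrlPathUtil only performs the permission lookup when the URL is not blank. Separately, `alertPermissionUrl` is a `public static` non-final field written from an instance setter; a one-line comment such as `// populated once at context start-up, treat as read-only` would make the intent explicit.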

+ 42
- 8
src/main/java/com/tuoheng/gateway/config/GatewayFilterConfig.java

@@ -23,7 +23,9 @@ import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;


@Configuration
@@ -40,12 +42,18 @@ public class GatewayFilterConfig implements GlobalFilter, Ordered {

private static final String ADMIN = "admin";

private static final String ABLE = "isAble";

private static final String EXPIRE = "isExpire";


@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
String token = getToken(exchange);
String username = null;
Long oUserId = null;
Integer able = null;
Integer expire = null;
List<String> authorityList = new ArrayList<>();
List<ClientUserRoleDto> clientUserRoleDtoList = new ArrayList<>();
if (!StringUtils.isBlank(token)) {
@@ -53,34 +61,36 @@ public class GatewayFilterConfig implements GlobalFilter, Ordered {
DecodedJWT decodedJWT = JWT.decode(token);
username = decodedJWT.getClaim(USERNAME).asString();
oUserId = decodedJWT.getClaim(OUSERID).asLong();
able = decodedJWT.getClaim(ABLE).asInt();
expire = decodedJWT.getClaim(EXPIRE).asInt();
authorityList = decodedJWT.getClaim(SCOPE).asList(String.class);
String str = decodedJWT.getClaim(CLIENTROLELIST).asString();
clientUserRoleDtoList = JSONArray.parseArray(str, ClientUserRoleDto.class);;
clientUserRoleDtoList = JSONArray.parseArray(str, ClientUserRoleDto.class);
}
//header里封装 Client-Id 信息
String clientId = getClientId(exchange);
log.info("clientId is :{}", clientId);
if(!StringUtils.isEmpty(clientId)){
if (!StringUtils.isEmpty(clientId)) {
String requestUrl = exchange.getRequest().getPath().value();
//去除gateway path 前缀
String apiUrl = requestUrl.replace(GatewayUrlPathUtil.getPathByClientId(clientId),"");
String apiUrl = requestUrl.replace(GatewayUrlPathUtil.getPathByClientId(clientId), "");
log.info("requestUrl is :{}; apiUrl is :{}", requestUrl, apiUrl);
List<Integer> roleIds = GatewayUrlPathUtil.getRoleIdByApiUrlPermission(clientId, apiUrl, token);
log.info("roleIds is :{}", roleIds);
//return invalidClientIdMono(exchange);
if(roleIds.size() > 0){
if (roleIds.size() > 0) {
//说明这个url 需要一定的角色才可以访问
//在不是admin权限的情况下进行校验
log.info("该接口存在权限...");
if(!authorityList.contains(ADMIN)){
if (!authorityList.contains(ADMIN)) {
//获取用户 client_id 对应的 roleId
ClientUserRoleDto clientUserRoleDto = clientUserRoleDtoList.stream().filter(dto -> dto.getClientId().equals(clientId))
.findFirst().orElse(null);
if(Objects.isNull(clientUserRoleDto)){
if (Objects.isNull(clientUserRoleDto)) {
return forbiddenTokenMono(exchange);
}
Integer roleId = clientUserRoleDto.getRoleId();
if(!roleIds.contains(roleId)){
if (!roleIds.contains(roleId)) {
return forbiddenTokenMono(exchange);
}
}
@@ -90,6 +100,8 @@ public class GatewayFilterConfig implements GlobalFilter, Ordered {
JSONObject jsonObject = new JSONObject();
jsonObject.put(USERNAME, username);
jsonObject.put(OUSERID, oUserId);
jsonObject.put(ABLE,able);
jsonObject.put(EXPIRE,expire);
String base64 = EncryptUtil.encodeUTF8StringBase64(jsonObject.toJSONString());
try {
ServerHttpRequest tokenRequest = exchange.getRequest().mutate().header("th-token", token)
@@ -162,6 +174,28 @@ public class GatewayFilterConfig implements GlobalFilter, Ordered {
return buildReturnMono(json, exchange, HttpStatus.UNAUTHORIZED);
}

/**
* 401 禁用
*/
private Mono<Void> disableClientIdMono(ServerWebExchange exchange) {
JSONObject json = new JSONObject();
json.put("code", HttpStatus.UNAUTHORIZED.value());
json.put("msg", "该账号已被禁用,请联系系统管理员");
json.put("data", null);
return buildReturnMono(json, exchange, HttpStatus.UNAUTHORIZED);
}

/**
* 401 过期
*/
private Mono<Void> expireClientIdMono(ServerWebExchange exchange) {
JSONObject json = new JSONObject();
json.put("code", HttpStatus.UNAUTHORIZED.value());
json.put("msg", "系统有效期已过,请联系系统管理员");
json.put("data", null);
return buildReturnMono(json, exchange, HttpStatus.UNAUTHORIZED);
}

/**
* 403 未授权的token
*/

+ 3
- 0
src/main/java/com/tuoheng/gateway/config/WebSecurityConfig.java

@@ -65,6 +65,7 @@ public class WebSecurityConfig {
String[] weptspPermitPath = PermitPathConstant.weptspPermitUrlStr;
String[] airmonitorPermitPath = PermitPathConstant.airmonitorPermitUrlStr;
String[] telecomumalePermitPath = PermitPathConstant.telecomumaleUrlStr;
String[] alertPermitPath = PermitPathConstant.alertleUrlStr;
httpSecurity
.authorizeExchange()
//.pathMatchers(OAUTH_PATH).hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_DSP_MP, AuthorityConstant.SCOPE_TUOHNEG_DSP_WEB)
@@ -75,6 +76,7 @@ public class WebSecurityConfig {
.pathMatchers(weptspPermitPath).permitAll()
.pathMatchers(airmonitorPermitPath).permitAll()
.pathMatchers(telecomumalePermitPath).permitAll()
.pathMatchers(alertPermitPath).permitAll()
.pathMatchers("/pilot/miniprogram/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_PILOT_MP)
.pathMatchers("/pilot/admin/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_PILOT_ADMIN)
.pathMatchers("/hhz/admin/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_HHZ_ADMIN)
@@ -88,6 +90,7 @@ public class WebSecurityConfig {
.pathMatchers("/telecomumale/admin/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_TELECOMUMALE_ADMIN)
.pathMatchers("/weptsp/admin/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_WEPTSP_ADMIN)
.pathMatchers("/airmonitor/admin/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_AIRMONITOR_ADMIN)
.pathMatchers("/alert/admin/**").hasAnyAuthority(AuthorityConstant.SCOPE_ADMIN, AuthorityConstant.SCOPE_TUOHNEG_ALERT_ADMIN)
.pathMatchers("/oidc/admin/user/**").authenticated()
.pathMatchers("/api/inspection/**").authenticated()
.pathMatchers(OAUTH_PATH).authenticated()
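Review bot: The added `.pathMatchers(alertPermitPath).permitAll()` opens `/alert/admin/third/event/**` and `/alert/admin/third/panorama/**` (the values added in PermitPathConstant) to unauthenticated callers, and because it is registered before the new `/alert/admin/**` authority rule it takes precedence for those paths. Access control for these endpoints then rests on whatever the downstream alert service enforces, which is not visible in this commit. Please add a comment above the matcher recording how third-party callers are authenticated downstream, and keep the wildcards as narrow as the integration allows.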

+ 6
- 0
src/main/java/com/tuoheng/gateway/constants/AuthorityConstant.java

@@ -64,4 +64,10 @@ public class AuthorityConstant {
*/
public static final String SCOPE_TUOHNEG_TELECOMUMALE_ADMIN = "SCOPE_tuoheng-telecomumale-admin";
public static final String SCOPE_TUOHNEG_TELECOMUMALE_MP= "SCOPE_tuoheng-telecomumale-mp";

/**
* Alert 用户权限
*/
public static final String SCOPE_TUOHNEG_ALERT_ADMIN = "SCOPE_tuoheng-alert-admin";
//public static final String SCOPE_TUOHNEG_ALERT_MP= "SCOPE_tuoheng-alert-mp";
}
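Review bot: The commented-out `SCOPE_TUOHNEG_ALERT_MP` line should be dropped rather than committed; add the constant when a mini-program scope for alert actually exists. The new constant keeps the existing `TUOHNEG` spelling, which is consistent with its neighbours, so a rename is better left to a separate change.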

+ 4
- 0
src/main/java/com/tuoheng/gateway/constants/PermitPathConstant.java

@@ -97,4 +97,8 @@ public class PermitPathConstant {
"/telecomumale/admin/weiXin/send/message/**",
"/telecomumale/miniprogram/weiXin/**"
};
public static String alertleUrlStr[] = {
"/alert/admin/third/event/**",
"/alert/admin/third/panorama/**"
};
}
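Review bot: `alertleUrlStr` is a `public static` non-final array, so any class can replace or edit the list of paths that WebSecurityConfig passes to `permitAll()`; the name also looks like a typo for `alert`. The neighbouring arrays appear to follow the same pattern, but the new one could at least be declared `public static final String[] alertUrlStr = {` (with the reference in WebSecurityConfig updated to match) and carry a Javadoc line naming the third-party integration that needs these paths open. The class body starts outside this hunk.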

+ 17
- 0
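--- a/src/main/java/com/tuoheng/gateway/model/AuthoritiesDto.java
+++ b/src/main/java/com/tuoheng/gateway/model/AuthoritiesDto.java
@@ -0,0 +1,17 @@
+package com.tuoheng.gateway.model;
+
+import lombok.Data;
+
+/**
+* @Author xiaoying
+* @Date 2023/7/3 9:49
+*/
+@Data
+public class AuthoritiesDto {
+
+private String authority;
+
+private Integer status;
+
+
+}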
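Review bot: `AuthoritiesDto` is not referenced in any other file section shown for this commit, and its Javadoc carries only author and date. Add a class comment saying what produces and consumes it, and document `status`, for example `/** Authority state; TODO list the allowed values and which one means enabled. */`. If it is meant to back the new `isAble` / `isExpire` handling in GatewayFilterConfig, say so in the comment; otherwise consider leaving it out until it is used.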

+ 0
- 1
src/main/java/com/tuoheng/gateway/model/ClientUserRoleDto.java

@@ -15,5 +15,4 @@ public class ClientUserRoleDto {
private String clientId;

private Integer roleId;

}

+ 9
- 0
src/main/java/com/tuoheng/gateway/utils/GatewayUrlPathUtil.java

@@ -42,6 +42,9 @@ public class GatewayUrlPathUtil {

private static final String TELECOMUMALE_ADMIN = "tuoheng-telecomumale-admin";

private static final String ALERT_ADMIN = "tuoheng-alert-admin";


/**
* 获取 gateway 路由前缀,匹配url
*
@@ -78,6 +81,9 @@ public class GatewayUrlPathUtil {
case TELECOMUMALE_ADMIN:
apiPath = "/telecomumale/admin";
break;
case ALERT_ADMIN:
apiPath = "/alert/admin";
break;
default:
break;
}
@@ -111,6 +117,9 @@ public class GatewayUrlPathUtil {
if (clientId.equals(TELECOMUMALE_ADMIN)) {
url = CommonsConfig.telecomumalePermissionUrl;
}
if (clientId.equals(AIRMONITOR_ADMIN)) {
url = CommonsConfig.alertPermissionUrl;
}
log.info("getRoleIdByApiUrlPermission -url:{},token:{}", url, token);
if (StringUtils.isNotBlank(url)) {
HttpHeaders resultRequestHeader = new HttpHeaders();
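Review bot: The added branch in `getRoleIdByApiUrlPermission` tests `clientId.equals(AIRMONITOR_ADMIN)` but assigns `CommonsConfig.alertPermissionUrl`, which looks like a copy-paste slip, since the `ALERT_ADMIN` constant introduced in the first hunk is not used here. As written, air-monitor requests would be checked against the alert service's permission endpoint, and `tuoheng-alert-admin` requests get no URL, so the lookup guarded by `StringUtils.isNotBlank(url)` is presumably skipped and no role restriction is applied to `/alert/admin/**`. Change the condition to `if (clientId.equals(ALERT_ADMIN)) {`. The context line `log.info("getRoleIdByApiUrlPermission -url:{},token:{}", url, token);` also writes the bearer token to the log at info level; logging only the URL would avoid that. The method body continues outside the hunk.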

+ 9
- 1
src/main/resources/application-dev.yml

@@ -245,6 +245,13 @@ spring:
- Path=/telecomumale/miniprogram/**
filters:
- StripPrefix=2
# 周界警戒控制系统 admin服务
- id: tuoheng-alert-admin
uri: lb://tuoheng-alert-admin
predicates:
- Path=/alert/admin/**
filters:
- StripPrefix=2
# Redis数据源
redis:
# 缓存库默认索引0
@@ -275,7 +282,8 @@ security:
tuoheng:
hhz-admin-perUrl: http://192.168.11.11:9055/permission/getRoleIdList
freeway-admin-perUrl: http://192.168.11.11:9117/permission/getRoleIdList
alert-admin-perUrl: http://192.168.11.11:9150/permission/getRoleIdList
waterway-admin-perUrl: http://192.168.11.11:9120/permission/getRoleIdList
weptsp-admin-perUrl: http://192.168.11.11:9140/permission/getRoleIdList
airmonitor-admin-perUrl: http://192.168.11.11:9130/permission/getRoleIdList
telecomumale-admin-perUrl: http://192.168.11.11:9150/permission/getRoleIdList
telecomumale-admin-perUrl: http://192.168.11.11:9160/permission/getRoleIdList

+ 7
- 0
src/main/resources/application-prod.yml

@@ -230,6 +230,13 @@ spring:
- Path=/airmonitor/admin/**
filters:
- StripPrefix=2
# weptsp admin服务
- id: tuoheng-weptsp-admin
uri: lb://tuoheng-weptsp-admin
predicates:
- Path=/weptsp/admin/**
filters:
- StripPrefix=2
# Redis数据源
redis:
# 缓存库默认索引0

+ 8
- 0
src/main/resources/application-test.yml

@@ -238,6 +238,13 @@ spring:
- Path=/telecomumale/miniprogram/**
filters:
- StripPrefix=2
# 周界警戒控制系统 admin服务
- id: tuoheng-alert-admin
uri: lb://tuoheng-alert-admin
predicates:
- Path=/alert/admin/**
filters:
- StripPrefix=2
# Redis数据源
redis:
# 缓存库默认索引0
@@ -268,6 +275,7 @@ security:
tuoheng:
hhz-admin-perUrl: http://172.15.1.21:9055/permission/getRoleIdList
freeway-admin-perUrl: https://freeway-test.t-aaron.com/permission/getRoleIdList
alert-admin-perUrl: https://alert-test.t-aaron.com/permission/getRoleIdList
waterway-admin-perUrl: https://waterway-test.t-aaron.com/permission/getRoleIdList
weptsp-admin-perUrl: https://weptsp-test.t-aaron.com/permission/getRoleIdList
airmonitor-admin-perUrl: https://airmonitor-test.t-aaron.com/permission/getRoleIdList
