Pre Merge pull request !291 from 天天向上/gateway-auth

1 year ago · 6af48adade
parent 8984ecba86 a5d5787735
commit 6af48adade
5 changed files with 234 additions and 18 deletions
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/SecurityConstants.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/SecurityConstants.java
@ -46,4 +46,19 @@ public class SecurityConstants
     * 角色权限
     */
    public static final String ROLE_PERMISSION = "role_permission";
    /**
     * 缓存在redis中的控制器路径与权限字符串对应的hash键
     */
    public static final String PATH_PERMISSION_MAP = "path_permission_map";
    /**
     * 缓存的角色名前缀
     */
    public static final String ROLE_PREFIX = "ROLE_";
    /**
     * 匿名角色（公共权限的角色名字）
     */
    public static final String ROLE_ANON = "ROLE_ANON";
 }
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/aspect/PreAuthorizeAspect.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/aspect/PreAuthorizeAspect.java
@ -1,16 +1,18 @@
 package com.ruoyi.common.security.aspect;
-import java.lang.reflect.Method;
+import com.ruoyi.common.security.annotation.RequiresLogin;
 import com.ruoyi.common.security.annotation.RequiresPermissions;
 import com.ruoyi.common.security.annotation.RequiresRoles;
 import com.ruoyi.common.security.auth.AuthUtil;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.annotation.Pointcut;
 import org.aspectj.lang.reflect.MethodSignature;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
-import com.ruoyi.common.security.annotation.RequiresLogin;
+
-import com.ruoyi.common.security.annotation.RequiresPermissions;
+import java.lang.reflect.Method;
 import com.ruoyi.common.security.annotation.RequiresRoles;
 import com.ruoyi.common.security.auth.AuthUtil;
 /**
 * 基于 Spring Aop 的注解鉴权
@ -19,6 +21,7 @@ import com.ruoyi.common.security.auth.AuthUtil;
 */
@Aspect
@Component
@ConditionalOnProperty(prefix = "security.annotation", name = "enabled", havingValue = "true", matchIfMissing = true)
 public class PreAuthorizeAspect
 {
    /**
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/config/PathPermissionMappingConfig.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/config/PathPermissionMappingConfig.java
@ -0,0 +1,110 @@
 package com.ruoyi.common.security.config;
 import com.ruoyi.common.core.constant.SecurityConstants;
 import com.ruoyi.common.core.utils.SpringUtils;
 import com.ruoyi.common.redis.service.RedisService;
 import com.ruoyi.common.security.annotation.RequiresPermissions;
 import com.ruoyi.common.security.annotation.RequiresRoles;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
 import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
 import javax.annotation.PostConstruct;
 import java.util.*;
 /**
 * =====================================网关鉴权使用说明=======================================
 * 场景：
 * 微服务部署在内网，确定安全，无需在每个微服务都实现鉴权的逻辑，可以在网关层面实现统一鉴权
 * 使用方式：
 * 1、在每个微服务的配置文件中添加参数：security.annotation.enabled: false 关闭系统默认的通过注解方式鉴权，默认开启
 * 2、在每个微服务的配置文件中添加参数：pathPrefix: 值为网关中微服务匹配的路由地址前缀，例如: /auth
 * 3、在网关配置文件中添加参数：security.gateway.enabled: true 启用网关统一鉴权，默认关闭
 * <p>
 * 通过反射扫描所有控制器，缓存所有控制器的映射路径以及对应的权限注解，缓存到redis，方便网关鉴权
 */
@ConditionalOnProperty(prefix = "security.annotation", name = "enabled", havingValue = "false")
 public class PathPermissionMappingConfig
 {
    /**
     * 微服务在网关配置中predicates中的Path前缀，例如： /system
     */
    @Value("${pathPrefix}")
    private String pathPrefix;
    @PostConstruct
    public PathPermissionMappingConfig execute()
    {
        RedisService redisService = SpringUtils.getBean(RedisService.class);
        RequestMappingHandlerMapping bean = SpringUtils.getBean("requestMappingHandlerMapping");
        Map<RequestMappingInfo, HandlerMethod> handlerMethods = bean.getHandlerMethods();
        /**
         * 路径->权限字符串映射，例如 /user/list_GET->system:user:list
         */
        Map<String, String> pathPermsMap = new TreeMap<>();
        handlerMethods.forEach((k, v) ->
        {
            RequiresRoles requiresRoles = v.getMethodAnnotation(RequiresRoles.class);
            RequiresPermissions requiresPermissions = v.getMethodAnnotation(RequiresPermissions.class);
            Set<RequestMethod> methods = k.getMethodsCondition().getMethods();
            Set<String> patternValues = k.getPatternValues();
            /**
             * @RequestMapping注解
             */
            if (methods.isEmpty())
            {
                methods = new HashSet<>();
                methods.addAll(Arrays.asList(RequestMethod.GET, RequestMethod.POST));
            }
            if (requiresPermissions == null && requiresRoles == null)
            {
                addPathPermsMap(SecurityConstants.ROLE_ANON, pathPermsMap, methods, patternValues);
            }
            if (requiresPermissions != null)
            {
                for (String perms : requiresPermissions.value())
                {
                    addPathPermsMap(perms, pathPermsMap, methods, patternValues);
                }
            }
            if (requiresRoles != null)
            {
                for (String role : requiresRoles.value())
                {
                    addPathPermsMap(SecurityConstants.ROLE_PREFIX + role, pathPermsMap, methods, patternValues);
                }
            }
        });
        System.out.println("pathPermsMap = " + pathPermsMap);
        redisService.setCacheMap(SecurityConstants.PATH_PERMISSION_MAP, pathPermsMap);
        return this;
    }
    /**
     * 一个path对应多个perms
     *
     * @param perms
     * @param pathPermsMap
     * @param methods
     * @param patternValues
     */
    private void addPathPermsMap(String perms, Map<String, String> pathPermsMap, Set<RequestMethod> methods, Set<String> patternValues)
    {
        for (RequestMethod method : methods)
        {
            for (String patternValue : patternValues)
            {
                String key = pathPrefix + patternValue + "_" + method.name();
                pathPermsMap.put(key, perms);
            }
        }
    }
 }
--- a/ruoyi-common/ruoyi-common-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
+++ b/ruoyi-common/ruoyi-common-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
@ -3,3 +3,4 @@ com.ruoyi.common.security.service.TokenService
 com.ruoyi.common.security.aspect.PreAuthorizeAspect
 com.ruoyi.common.security.aspect.InnerAuthAspect
 com.ruoyi.common.security.handler.GlobalExceptionHandler
 com.ruoyi.common.security.config.PathPermissionMappingConfig
--- a/ruoyi-gateway/src/main/java/com/ruoyi/gateway/filter/AuthFilter.java
+++ b/ruoyi-gateway/src/main/java/com/ruoyi/gateway/filter/AuthFilter.java
@ -1,14 +1,6 @@
 package com.ruoyi.gateway.filter;
-import org.slf4j.Logger;
+import com.alibaba.fastjson2.JSONObject;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.cloud.gateway.filter.GlobalFilter;
 import org.springframework.core.Ordered;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ServerWebExchange;
 import com.ruoyi.common.core.constant.CacheConstants;
 import com.ruoyi.common.core.constant.HttpStatus;
 import com.ruoyi.common.core.constant.SecurityConstants;
@ -19,11 +11,27 @@ import com.ruoyi.common.core.utils.StringUtils;
 import com.ruoyi.common.redis.service.RedisService;
 import com.ruoyi.gateway.config.properties.IgnoreWhiteProperties;
 import io.jsonwebtoken.Claims;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.cloud.gateway.filter.GlobalFilter;
 import org.springframework.core.Ordered;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
 import javax.annotation.Resource;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 /**
 * 网关鉴权
- * 
+ *
 * @author ruoyi
 */
@Component
@ -35,9 +43,13 @@ public class AuthFilter implements GlobalFilter, Ordered
    @Autowired
    private IgnoreWhiteProperties ignoreWhite;
-    @Autowired
+    @Resource
    private RedisService redisService;
    @Value("${security.gateway.enabled:false}")
    private boolean gatewayAuth;
    private AntPathMatcher antPathMatcher = new AntPathMatcher();
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain)
@ -73,16 +85,91 @@ public class AuthFilter implements GlobalFilter, Ordered
        {
            return unauthorizedResponse(exchange, "令牌验证失败");
        }
        // 设置用户信息到请求
        addHeader(mutate, SecurityConstants.USER_KEY, userkey);
        addHeader(mutate, SecurityConstants.DETAILS_USER_ID, userid);
        addHeader(mutate, SecurityConstants.DETAILS_USERNAME, username);
        // 内部请求来源参数清除
        removeHeader(mutate, SecurityConstants.FROM_SOURCE);
        // 通过网关鉴权
        if (gatewayAuth)
        {
            // admin不需要鉴权
            if (isAdmin(userid))
            {
                return chain.filter(exchange.mutate().request(mutate.build()).build());
            }
            // 网关验证权限
            String api = url + "_" + request.getMethod().name();
            if (!hasPermission(api, userkey))
            {
                log.warn("无权访问：{}", api);
                return ServletUtils.webFluxResponseWriter(exchange.getResponse(), "无权访问", HttpStatus.FORBIDDEN);
            }
        }
        return chain.filter(exchange.mutate().request(mutate.build()).build());
    }
    private boolean isAdmin(String userid)
    {
        return "1".equals(userid);
    }
    private boolean hasPermission(String api, String token)
    {
        // 使用JSONObject接收，避免导入依赖
        JSONObject loginUser = redisService.getCacheObject(CacheConstants.LOGIN_TOKEN_KEY + token);
        // 获取登录用户的资源列表
        Set<String> permissions = (Set<String>) loginUser.get("permissions");
        // 获取登录用的角色列表
        Set<String> roles = (Set<String>) loginUser.get("roles");
        // 获取系统所有控制器路径与权限对应的map
        Map<String, String> pathPermsMap = redisService.getCacheMap(SecurityConstants.PATH_PERMISSION_MAP);
        Set<String> matchedPerms = pathPermsMap.entrySet().stream()
                .filter(entry -> match(entry.getKey(), api))
                .map(entry -> entry.getValue())
                .collect(Collectors.toSet());
        if (!matchedPerms.isEmpty())
        {
            // 所有角色权限
            Set<String> rolePerms = matchedPerms.stream().filter(item -> item.startsWith("ROLE_")).collect(Collectors.toSet());
            // 所有资源权限
            matchedPerms.removeAll(rolePerms);
            if (!rolePerms.isEmpty())
            {
                if (rolePerms.contains(SecurityConstants.ROLE_ANON))
                {
                    log.debug("允许访问公共权限:{}，{}", api, rolePerms);
                    return true;
                }
                rolePerms = rolePerms.stream().map(item -> item.substring(SecurityConstants.ROLE_PREFIX.length())).collect(Collectors.toSet());
                // 求交集
                rolePerms.retainAll(roles);
                if (!rolePerms.isEmpty())
                {
                    log.debug("允许访问角色权限:{}， {}", api, rolePerms);
                    return true;
                }
            }
            // 求交集
            matchedPerms.retainAll(permissions);
            if (!matchedPerms.isEmpty())
            {
                log.debug("允许访问资源权限:{}，{}", api, matchedPerms);
                return true;
            }
        }
        log.info("没有找到匹配的权限:{}, {}", api, matchedPerms);
        return false;
    }
    private boolean match(String pattern, String api)
    {
        return antPathMatcher.match(pattern, api);
    }
    private void addHeader(ServerHttpRequest.Builder mutate, String name, Object value)
    {
        if (value == null)
@ -101,7 +188,7 @@ public class AuthFilter implements GlobalFilter, Ordered
    private Mono<Void> unauthorizedResponse(ServerWebExchange exchange, String msg)
    {
-        log.error("[鉴权异常处理]请求路径:{}", exchange.getRequest().getPath());
+        log.error("[鉴权异常处理]请求路径:{}, {}", exchange.getRequest().getPath(), msg);
        return ServletUtils.webFluxResponseWriter(exchange.getResponse(), msg, HttpStatus.UNAUTHORIZED);
    }