河北安全测评整改需求

pqs-gateway/src/main/java/com/njcn/gateway/config/ResourceServerConfig.java

@@ -3,10 +3,17 @@ package com.njcn.gateway.config;
 import cn.hutool.core.codec.Base64;
 import cn.hutool.core.convert.Convert;
 import cn.hutool.core.io.IoUtil;
+import cn.hutool.json.JSONObject;
+import com.alibaba.nacos.shaded.com.google.gson.JsonObject;
+import com.github.tocrhz.mqtt.publisher.MqttPublisher;
+import com.njcn.common.pojo.constant.LogInfo;
 import com.njcn.common.pojo.constant.SecurityConstants;
+import com.njcn.common.pojo.dto.LogInfoDTO;
+import com.njcn.common.utils.PubUtils;
 import com.njcn.gateway.enums.GateWayEnum;
 import com.njcn.gateway.security.AuthorizationManager;
 import com.njcn.gateway.utils.ResponseUtils;
+import com.njcn.gateway.utils.WebFluxRequestUtil;
 import lombok.AllArgsConstructor;
 import lombok.SneakyThrows;
 import org.springframework.context.annotation.Bean;
@@ -14,6 +21,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
+import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
@@ -30,6 +38,8 @@ import java.io.InputStream;
 import java.security.KeyFactory;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.X509EncodedKeySpec;
+import java.time.LocalDateTime;
+import java.util.Objects;
 
 /**
  * @author hongawen
@@ -44,6 +54,8 @@ public class ResourceServerConfig {
 
     private final WhiteListConfig whiteListConfig;
 
+    private final MqttPublisher publisher;
+
     @Bean
     public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 
@@ -75,7 +87,31 @@ public class ResourceServerConfig {
     @Bean
     ServerAccessDeniedHandler accessDeniedHandler() {
         return (exchange, denied) -> Mono.defer(() -> Mono.just(exchange.getResponse()))
-                .flatMap(response -> ResponseUtils.writeErrorInfo(response, GateWayEnum.NO_AUTHORIZATION));
+                .flatMap(response -> {
+                    ServerHttpRequest request = exchange.getRequest();
+                    JSONObject jsonObject = WebFluxRequestUtil.getJwtPayload(request);
+                    String loginName = jsonObject.get("user_name").toString();
+                    String userName = jsonObject.get("nickname").toString();
+                    String userIndex = jsonObject.get("userIndex").toString();
+                    String ip = WebFluxRequestUtil.getRealIp(request);
+                    LogInfoDTO logInfoDTO = new LogInfoDTO(
+                            loginName,
+                            userName,
+                            ip,
+                            "越权访问",
+                            "越权访问",
+                            0,
+                            "当前用户无该接口访问权限:"+request.getPath().toString(),
+                            2,
+                            1,
+                            "",
+                            userIndex,
+                            LocalDateTime.now()
+                    );
+                    publisher.send("/userLog", PubUtils.obj2json(logInfoDTO), 2, false);
+                    publisher.send("/userLogPush", PubUtils.obj2json(logInfoDTO), 2, false);
+                    return ResponseUtils.writeErrorInfo(response, GateWayEnum.NO_AUTHORIZATION);
+                });
     }
 
     /**
@@ -84,7 +120,30 @@ public class ResourceServerConfig {
     @Bean
     ServerAuthenticationEntryPoint authenticationEntryPoint() {
         return (exchange, e) -> Mono.defer(() -> Mono.just(exchange.getResponse()))
-                .flatMap(response -> ResponseUtils.writeErrorInfo(response, GateWayEnum.ACCESS_TOKEN_EXPIRE_JWT));
+                .flatMap(response -> {
+                    ServerHttpRequest request = exchange.getRequest();
+                    JSONObject jsonObject = WebFluxRequestUtil.getJwtPayload(request);
+                    if(Objects.isNull(jsonObject)){
+                        String ip = WebFluxRequestUtil.getRealIp(request);
+                        LogInfoDTO logInfoDTO = new LogInfoDTO(
+                                ip,
+                                ip,
+                                ip,
+                                "越权访问",
+                                "越权访问",
+                                0,
+                                "异常token访问:"+request.getPath().toString(),
+                                2,
+                                1,
+                                "",
+                                ip,
+                                LocalDateTime.now()
+                        );
+                        publisher.send("/userLog", PubUtils.obj2json(logInfoDTO), 2, false);
+                        publisher.send("/userLogPush", PubUtils.obj2json(logInfoDTO), 2, false);
+                    }
+                   return ResponseUtils.writeErrorInfo(response, GateWayEnum.ACCESS_TOKEN_EXPIRE_JWT);
+                });
     }
 
     /**

pqs-gateway/src/main/java/com/njcn/gateway/utils/WebFluxRequestUtil.java

@@ -0,0 +1,52 @@
+package com.njcn.gateway.utils;
+
+
+import cn.hutool.core.collection.CollectionUtil;
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.json.JSONObject;
+import cn.hutool.json.JSONUtil;
+import com.nimbusds.jose.JWSObject;
+import com.njcn.common.pojo.constant.LogInfo;
+import com.njcn.common.pojo.constant.SecurityConstants;
+import lombok.extern.slf4j.Slf4j;
+
+import org.apache.logging.log4j.util.Strings;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+
+
+@Slf4j
+public class WebFluxRequestUtil {
+
+    /**
+     * HttpServletRequest获取头中存储的IP地址
+     */
+    public static String getRealIp(ServerHttpRequest request) {
+        String ip = request.getURI().getHost();
+        return StrUtil.isBlank(ip) ? LogInfo.UNKNOWN_IP : ip;
+    }
+
+
+
+
+    /**
+     * ServerHttpRequest获取在网关中存储的用户token元信息
+     */
+    public static JSONObject getJwtPayload(ServerHttpRequest request) {
+        JSONObject jsonObject = null;
+        HttpHeaders headers = request.getHeaders();
+        try {
+            if (CollectionUtil.isNotEmpty(headers.get("authorization"))) {
+                String token = headers.get("authorization").get(0);
+                token = token.replace(SecurityConstants.AUTHORIZATION_PREFIX, Strings.EMPTY);
+                JWSObject jwsObject = JWSObject.parse(token);
+                String payload = jwsObject.getPayload().toString();
+                jsonObject = JSONUtil.parseObj(payload);
+            }
+        } catch (Exception e) {
+            log.error("解码网关中心传递的请求头中内容异常，异常为：{}", e.getMessage());
+            e.printStackTrace();
+        }
+        return jsonObject;
+    }
+}

pqs-gateway/src/main/resources/bootstrap.yml

@@ -224,20 +224,20 @@ whitelist:
     - /system-boot/dictType/dictDataCache
     - /system-boot/file/**
     - /system-boot/area/**
-    - /advance-boot/**
-    - /device-boot/**
+    #- /advance-boot/**
+    #- /device-boot/**
     #- /system-boot/**
     #- /harmonic-boot/**
     #- /energy-boot/**
     #- /event-boot/**
     #- /quality-boot/**
     #- /harmonic-prepare/**
-    - /process-boot/**
-    - /bpm-boot/**
-    - /system-boot/**
-    - /supervision-boot/**
-    - /user-boot/**
-    - /harmonic-boot/**
+    #- /process-boot/**
+    #- /bpm-boot/**
+    #- /system-boot/**
+    #- /supervision-boot/**
+    #- /user-boot/**
+    #- /harmonic-boot/**
     - /user-boot/user/listAllUserByDeptId
     - /IndexAnalysis/**
 mqtt: