河北安全测评整改需求

2024-07-22 13:53:04 +08:00
parent 6fa63a7f3e
commit ec051827ac
15 changed files with 254 additions and 76 deletions
--- a/pqs-gateway/src/main/java/com/njcn/gateway/config/ResourceServerConfig.java
+++ b/pqs-gateway/src/main/java/com/njcn/gateway/config/ResourceServerConfig.java
@@ -3,10 +3,17 @@ package com.njcn.gateway.config;
 import cn.hutool.core.codec.Base64;
 import cn.hutool.core.convert.Convert;
 import cn.hutool.core.io.IoUtil;
+import cn.hutool.json.JSONObject;
+import com.alibaba.nacos.shaded.com.google.gson.JsonObject;
+import com.github.tocrhz.mqtt.publisher.MqttPublisher;
+import com.njcn.common.pojo.constant.LogInfo;
 import com.njcn.common.pojo.constant.SecurityConstants;
+import com.njcn.common.pojo.dto.LogInfoDTO;
+import com.njcn.common.utils.PubUtils;
 import com.njcn.gateway.enums.GateWayEnum;
 import com.njcn.gateway.security.AuthorizationManager;
 import com.njcn.gateway.utils.ResponseUtils;
+import com.njcn.gateway.utils.WebFluxRequestUtil;
 import lombok.AllArgsConstructor;
 import lombok.SneakyThrows;
 import org.springframework.context.annotation.Bean;
@@ -14,6 +21,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
+import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
@@ -30,6 +38,8 @@ import java.io.InputStream;
 import java.security.KeyFactory;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.X509EncodedKeySpec;
+import java.time.LocalDateTime;
+import java.util.Objects;

 /**
 * @author hongawen
@@ -44,6 +54,8 @@ public class ResourceServerConfig {

    private final WhiteListConfig whiteListConfig;

+    private final MqttPublisher publisher;
+
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {

@@ -75,7 +87,31 @@ public class ResourceServerConfig {
    @Bean
    ServerAccessDeniedHandler accessDeniedHandler() {
        return (exchange, denied) -> Mono.defer(() -> Mono.just(exchange.getResponse()))
-                .flatMap(response -> ResponseUtils.writeErrorInfo(response, GateWayEnum.NO_AUTHORIZATION));
+                .flatMap(response -> {
+                    ServerHttpRequest request = exchange.getRequest();
+                    JSONObject jsonObject = WebFluxRequestUtil.getJwtPayload(request);
+                    String loginName = jsonObject.get("user_name").toString();
+                    String userName = jsonObject.get("nickname").toString();
+                    String userIndex = jsonObject.get("userIndex").toString();
+                    String ip = WebFluxRequestUtil.getRealIp(request);
+                    LogInfoDTO logInfoDTO = new LogInfoDTO(
+                            loginName,
+                            userName,
+                            ip,
+                            "越权访问",
+                            "越权访问",
+                            0,
+                            "当前用户无该接口访问权限:"+request.getPath().toString(),
+                            2,
+                            1,
+                            "",
+                            userIndex,
+                            LocalDateTime.now()
+                    );
+                    publisher.send("/userLog", PubUtils.obj2json(logInfoDTO), 2, false);
+                    publisher.send("/userLogPush", PubUtils.obj2json(logInfoDTO), 2, false);
+                    return ResponseUtils.writeErrorInfo(response, GateWayEnum.NO_AUTHORIZATION);
+                });
    }

    /**
@@ -84,7 +120,30 @@ public class ResourceServerConfig {
    @Bean
    ServerAuthenticationEntryPoint authenticationEntryPoint() {
        return (exchange, e) -> Mono.defer(() -> Mono.just(exchange.getResponse()))
-                .flatMap(response -> ResponseUtils.writeErrorInfo(response, GateWayEnum.ACCESS_TOKEN_EXPIRE_JWT));
+                .flatMap(response -> {
+                    ServerHttpRequest request = exchange.getRequest();
+                    JSONObject jsonObject = WebFluxRequestUtil.getJwtPayload(request);
+                    if(Objects.isNull(jsonObject)){
+                        String ip = WebFluxRequestUtil.getRealIp(request);
+                        LogInfoDTO logInfoDTO = new LogInfoDTO(
+                                ip,
+                                ip,
+                                ip,
+                                "越权访问",
+                                "越权访问",
+                                0,
+                                "异常token访问:"+request.getPath().toString(),
+                                2,
+                                1,
+                                "",
+                                ip,
+                                LocalDateTime.now()
+                        );
+                        publisher.send("/userLog", PubUtils.obj2json(logInfoDTO), 2, false);
+                        publisher.send("/userLogPush", PubUtils.obj2json(logInfoDTO), 2, false);
+                    }
+                   return ResponseUtils.writeErrorInfo(response, GateWayEnum.ACCESS_TOKEN_EXPIRE_JWT);
+                });
    }

    /**