package com.lll.serviceoutgateway.appCode;
import com.lll.serviceoutgateway.appCode.util.SHA256Util;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Maps;
import io.netty.buffer.ByteBufAllocator;
import lombok.SneakyThrows;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.core.io.buffer.NettyDataBufferFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.stereotype.Component;
import org.springframework.util.MultiValueMap;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import java.net.URI;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
/**
* 防篡改过滤器
*
* @author: lll
* @date: 2021年08月27日 14:08:20
*/
@Component
public class TamperProofFilter implements GlobalFilter, Ordered {
static Logger logger = LoggerFactory.getLogger(TamperProofFilter.class);
//加密key
private static final String enCodeKey = "CodingPanda";
@SneakyThrows
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
ServerHttpRequest serverHttpRequest = exchange.getRequest();
HttpMethod method = serverHttpRequest.getMethod();
String checkTamper = serverHttpRequest.getHeaders().getFirst("checkTamper");
//checkTamper为1时才进行防篡改校验
if (checkTamper != null && "1".equals(checkTamper)) {
//时间戳
String timestamp = serverHttpRequest.getHeaders().getFirst("timestamp");
//校验时间:服务器时间和请求时间相差超过60秒,校验不通过
Long timeCheck = (System.currentTimeMillis() - Long.valueOf(timestamp)) / (1000);
if (timeCheck >= 60) {
logger.info("Current Time Stamp: " + (System.currentTimeMillis()) / (1000));
logger.info("timestamp: " + (System.currentTimeMillis()) / (1000));
Map<String, Object> responseData = Maps.newHashMap();
responseData.put("code", 406);
responseData.put("msg", "对不起,防篡改校验未通过,请求失败!");
ObjectMapper objectMapper = new ObjectMapper();
byte[] data = new byte[0];
try {
data = objectMapper.writeValueAsBytes(responseData);
} catch (JsonProcessingException e) {
e.printStackTrace();
}
ServerHttpResponse res = exchange.getResponse();
DataBuffer buffer = res.bufferFactory().wrap(data);
res.setStatusCode(HttpStatus.OK);
res.getHeaders().add("Content-Type", "application/json;charset=UTF-8");
return res.writeWith(Mono.just(buffer));
}
//校验串
String checkTamperSign = serverHttpRequest.getHeaders().getFirst("checkTamperSign");
//参数
String params = "";
String bodyStr = "";
if (method == HttpMethod.POST || method == HttpMethod.PUT) {
//从请求里获取Post请求体
bodyStr = resolveBodyFromRequest(serverHttpRequest);
params = bodyStr;
logger.info("PUT OR POST params: " + params);
} else if (method == HttpMethod.GET || method == HttpMethod.DELETE) {
MultiValueMap<String, String> requestQueryParams = serverHttpRequest.getQueryParams();
params = requestQueryParamsToString(requestQueryParams);
logger.info("GET OR DELETE ciphertext parameters: " + params);
}
//截取前32为长度
if (params.length() > 32) {
params = params.substring(0, 31);
}
//校验
String plain = params + enCodeKey + timestamp;
String cipher = SHA256Util.getSHA256(plain);
logger.info("plain: " + plain);
logger.info("cipher: " + cipher);
logger.info("checkTamperSign: " + checkTamperSign);
if (!cipher.equals(checkTamperSign)) {
Map<String, Object> responseData = Maps.newHashMap();
responseData.put("code", 406);
responseData.put("msg", "对不起,防篡改校验未通过,请求失败!");
ObjectMapper objectMapper = new ObjectMapper();
byte[] data = new byte[0];
try {
data = objectMapper.writeValueAsBytes(responseData);
} catch (JsonProcessingException e) {
e.printStackTrace();
}
ServerHttpResponse res = exchange.getResponse();
DataBuffer buffer = res.bufferFactory().wrap(data);
res.setStatusCode(HttpStatus.OK);
res.getHeaders().add("Content-Type", "application/json;charset=UTF-8");
return res.writeWith(Mono.just(buffer));
} else {
//post请求的body需要解析之后再次封装,否则请求会报错
if (params != null && (method == HttpMethod.POST || method == HttpMethod.PUT )) {
logger.info("PUT OR POST bodyStr: " + bodyStr);
URI uri = serverHttpRequest.getURI();
ServerHttpRequest request = serverHttpRequest.mutate().uri(uri).build();
DataBuffer bodyDataBuffer = stringBuffer(bodyStr);
Flux<DataBuffer> bodyFlux = Flux.just(bodyDataBuffer);
request = new ServerHttpRequestDecorator(request) {
@Override
public Flux<DataBuffer> getBody() {
return bodyFlux;
}
};
return chain.filter(exchange.mutate().request(request).build());
}
}
}
return chain.filter(exchange);
}
private DataBuffer stringBuffer(String value) {
byte[] bytes = value.getBytes(StandardCharsets.UTF_8);
NettyDataBufferFactory nettyDataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);
DataBuffer buffer = nettyDataBufferFactory.allocateBuffer(bytes.length);
buffer.write(bytes);
return buffer;
}
@Override
public int getOrder() {
return Ordered.LOWEST_PRECEDENCE - 4;
}
//将Map参数拼接位字符串
private String requestQueryParamsToString(MultiValueMap<String, String> requestQueryParams) {
List<String> paramsArray = new ArrayList<String>();
for (String key : requestQueryParams.keySet()) {
String temp = key + "=" + requestQueryParams.get(key).get(0);
paramsArray.add(temp);
}
String params = "";
for (int i = 0; i < paramsArray.size(); i++) {
if (i == paramsArray.size() - 1) {
params = params + paramsArray.get(i);
} else {
params = params + paramsArray.get(i) + "&";
}
}
return params;
}
private String resolveBodyFromRequest(ServerHttpRequest serverHttpRequest) {
//获取请求体
Flux<DataBuffer> body = serverHttpRequest.getBody();
AtomicReference<String> bodyRef = new AtomicReference<>();
body.subscribe(buffer -> {
CharBuffer charBuffer = StandardCharsets.UTF_8.decode(buffer.asByteBuffer());
DataBufferUtils.release(buffer);
bodyRef.set(charBuffer.toString());
});
//获取request body
return bodyRef.get();
}
public static void main(String[] args) {
Long datetime = System.currentTimeMillis();
Timestamp timestamp = new Timestamp(datetime);
String params = "{\"pageSize\":10,\"pageNo\":1,\"mlmc\":\"\",\"lmId\":\"02020072909122290800000101001101\",\"gxzq\":[],\"mlzt\":[],\"kflx\":[],\"zylx\":[]}";
params = params.substring(0, 31);
logger.info(params);
logger.info("Current Time Stamp: " + datetime);
logger.info(params + enCodeKey + datetime);
logger.info(SHA256Util.getSHA256(params + enCodeKey + datetime));
}
}
浙公网安备 33010602011771号