| package com.ruoyi.gateway.filter; | 
|   | 
| import com.alibaba.fastjson.JSON; | 
| import com.alibaba.fastjson.JSONObject; | 
| import com.ruoyi.common.core.constant.CacheConstants; | 
| import com.ruoyi.common.core.constant.HttpStatus; | 
| import com.ruoyi.common.core.constant.SecurityConstants; | 
| import com.ruoyi.common.core.constant.TokenConstants; | 
| import com.ruoyi.common.core.utils.JwtUtils; | 
| import com.ruoyi.common.core.utils.ServletUtils; | 
| import com.ruoyi.common.core.utils.StringUtils; | 
| import com.ruoyi.common.redis.service.RedisService; | 
| import com.ruoyi.gateway.config.properties.IgnoreWhiteProperties; | 
| import io.jsonwebtoken.Claims; | 
| import org.apache.commons.codec.binary.Base64; | 
| import org.slf4j.Logger; | 
| import org.slf4j.LoggerFactory; | 
| import org.springframework.beans.factory.annotation.Autowired; | 
| import org.springframework.beans.factory.annotation.Value; | 
| import org.springframework.cloud.gateway.filter.GatewayFilterChain; | 
| import org.springframework.cloud.gateway.filter.GlobalFilter; | 
| import org.springframework.core.Ordered; | 
| import org.springframework.core.io.buffer.DataBuffer; | 
| import org.springframework.core.io.buffer.DataBufferUtils; | 
| import org.springframework.http.HttpHeaders; | 
| import org.springframework.http.HttpMethod; | 
| import org.springframework.http.server.reactive.ServerHttpRequest; | 
| import org.springframework.http.server.reactive.ServerHttpRequestDecorator; | 
| import org.springframework.stereotype.Component; | 
| import org.springframework.web.server.ServerWebExchange; | 
| import reactor.core.publisher.Flux; | 
| import reactor.core.publisher.Mono; | 
|   | 
| import java.nio.charset.StandardCharsets; | 
| import java.util.ArrayList; | 
| import java.util.Collections; | 
| import java.util.Comparator; | 
| import java.util.List; | 
| import java.util.concurrent.atomic.AtomicReference; | 
|   | 
| /** | 
|  * 网关鉴权 | 
|  *  | 
|  * @author ruoyi | 
|  */ | 
| @Component | 
| public class SignFilter implements GlobalFilter, Ordered { | 
|     private static final Logger log = LoggerFactory.getLogger(SignFilter.class); | 
|   | 
|     // 排除过滤的 uri 地址,nacos自行添加 | 
|     @Autowired | 
|     private IgnoreWhiteProperties ignoreWhite; | 
|   | 
|     @Autowired | 
|     private RedisService redisService; | 
|      | 
|     @Value("${security.sign}") | 
|     private boolean parameter_signature; | 
|   | 
|   | 
|     @Override | 
|     public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { | 
|         ServerHttpRequest request = exchange.getRequest(); | 
|         ServerHttpRequest.Builder mutate = request.mutate(); | 
|      | 
|         HttpMethod method = request.getMethod(); | 
|         if(method != HttpMethod.POST){ | 
|             return chain.filter(exchange.mutate().request(mutate.build()).build()); | 
|         } | 
|         String sign = request.getHeaders().getFirst(TokenConstants.SIGN); | 
|         String nonce_str = request.getHeaders().getFirst(TokenConstants.NONCE_STR); | 
|         if (parameter_signature && StringUtils.isEmpty(sign)) { | 
|             return unauthorizedResponse(exchange, "签名不能为空!"); | 
|         } | 
|         if (parameter_signature && StringUtils.isEmpty(nonce_str)) { | 
|             return unauthorizedResponse(exchange, "签名不能为空!"); | 
|         } | 
|         if(parameter_signature){ | 
|             return authSign(exchange, chain, sign, nonce_str); | 
|         } | 
|         return chain.filter(exchange.mutate().request(mutate.build()).build()); | 
|     } | 
|   | 
|   | 
|   | 
|     private Mono<Void> unauthorizedResponse(ServerWebExchange exchange, String msg) { | 
|         log.error("[签名异常处理]请求路径:{}", exchange.getRequest().getPath()); | 
|         return ServletUtils.webFluxResponseWriter(exchange.getResponse(), msg, HttpStatus.BAD_REQUEST); | 
|     } | 
|      | 
|      | 
|     /** | 
|      * 校验签名 | 
|      * @return | 
|      */ | 
|     private Mono<Void> authSign(ServerWebExchange exchange, GatewayFilterChain chain, String sign, String nonce_str){ | 
|         return DataBufferUtils.join(exchange.getRequest().getBody()) | 
|                 .flatMap(dataBuffer -> { | 
|                     byte[] bytes = new byte[dataBuffer.readableByteCount()]; | 
|                     dataBuffer.read(bytes); | 
|                     String bodyString = new String(bytes, StandardCharsets.UTF_8); | 
|                     log.info("请求参数:{}", bodyString); | 
|                     if(!authSign(JSON.parseObject(bodyString), sign, nonce_str)){ | 
|                         return unauthorizedResponse(exchange, "签名验证失败!"); | 
|                     } | 
|                     DataBufferUtils.release(dataBuffer); | 
|                     Flux<DataBuffer> cachedFlux = Flux.defer(() -> { | 
|                         DataBuffer buffer = exchange.getResponse().bufferFactory() | 
|                                 .wrap(bytes); | 
|                         return Mono.just(buffer); | 
|                     }); | 
|                     ServerHttpRequest mutatedRequest = new ServerHttpRequestDecorator(exchange.getRequest()) { | 
|                         @Override | 
|                         public Flux<DataBuffer> getBody() { | 
|                             return cachedFlux; | 
|                         } | 
|                     }; | 
|                     return chain.filter(exchange.mutate().request(mutatedRequest) | 
|                             .build()); | 
|         }); | 
|     } | 
|      | 
|      | 
|      | 
|     /** | 
|      * 签名校验 | 
|      * @return | 
|      */ | 
|     private boolean authSign(JSONObject jsonStr, String sign, String nonce_str) { | 
|         String signUrlEncode = localSignUrl(jsonStr, nonce_str); | 
|         signUrlEncode = signUrlEncode.replaceAll("& #40;", "\\(") | 
|                 .replaceAll("& #41;", "\\)"); | 
|         if(sign.equals(signUrlEncode)){ | 
|             return true; | 
|         } | 
|   | 
|         System.err.println("签名值:" + signUrlEncode); | 
|         return false; | 
|     } | 
|      | 
|      | 
|     /** | 
|      * 组装签名路径 | 
|      * @param params | 
|      * @return | 
|      */ | 
|     public static String localSignUrl(JSONObject params, String key) { | 
|         List<String> keySet = new ArrayList<>(params.keySet()); | 
|         // 对所有传入参数按照字段名的 ASCII 码从小到大排序(字典序) | 
|         Collections.sort(keySet, new Comparator<String>() { | 
|             @Override | 
|             public int compare(String o1, String o2) { | 
|                 return o1.compareTo(o2); | 
|             } | 
|         }); | 
|         // 构造签名键值对的格式 | 
|         StringBuilder sb = new StringBuilder(); | 
|         for (String k : keySet) { | 
|             String v = params.getString(k); | 
|             if(StringUtils.isNotEmpty(v)){ | 
|                 sb.append(k + "=" + v + "&"); | 
|             } | 
|         } | 
|         String signUrl = sb.substring(0, sb.length() - 1); | 
|         System.err.println("签名串:" + signUrl); | 
|         return signUrlEncode(signUrl, key); | 
|     } | 
|      | 
|      | 
|     /** | 
|      * 签名字符串加密 | 
|      * @param signUrl | 
|      * @param encryptKey | 
|      * @return | 
|      */ | 
|     public static String signUrlEncode(String signUrl, String encryptKey) { | 
|         byte[] signByte = new byte[0]; | 
|         try { | 
|             signByte = HMACSHA1.HmacSHA1Encrypt(signUrl, encryptKey); | 
|         } catch (Exception e) { | 
|             e.printStackTrace(); | 
|             throw new RuntimeException(e); | 
|         } | 
|         String localSign = Base64.encodeBase64String(signByte); | 
|         return localSign; | 
|     } | 
|      | 
|      | 
|     @Override | 
|     public int getOrder() | 
|     { | 
|         return -200; | 
|     } | 
| } |