!451 响应加密功能 * update 优化调整加解密判断逻辑, 避免 NPE ; * rollback 回滚错误提交, 保留加密组件开关 ; * ...

MichelleChung

2023-11-27 78c91d0733ed359957a18db05930977eca75b5e5

!451 响应加密功能
* update 优化调整加解密判断逻辑, 避免 NPE ;
* rollback 回滚错误提交, 保留加密组件开关 ;
* add 新增注解 @ApiEncrypt 用于校验接口加解密 ;
* add 新增 EncryptResponseBodyWrapper 加密响应参数包装类 ;

 ruoyi-admin/src/main/java/org/dromara/web/controller/AuthController.java

@@ -16,6 +16,7 @@
import org.dromara.common.core.domain.model.RegisterBody;
import org.dromara.common.core.domain.model.SocialLoginBody;
import org.dromara.common.core.utils.*;
import org.dromara.common.encrypt.annotation.ApiEncrypt;
import org.dromara.common.json.utils.JsonUtils;
import org.dromara.common.satoken.utils.LoginHelper;
import org.dromara.common.social.config.properties.SocialLoginConfigProperties;
@@ -73,6 +74,7 @@
     * @param body ç™»å½•ä¿¡æ¯
     * @return ç»“æžœ
     */
    @ApiEncrypt(response = false)
    @PostMapping("/login")
    public R<LoginVo> login(@Validated @RequestBody String body) {
        LoginBody loginBody = JsonUtils.parseObject(body, LoginBody.class);

 ruoyi-admin/src/main/resources/application.yml

@@ -171,8 +171,11 @@
  enabled: true
  # AES åŠ å¯†å¤´æ ‡è¯†
  headerFlag: encrypt-key
  # å…¬ç§é’¥ éžå¯¹ç§°ç®—法的公私钥 å¦‚：SM2，RSA ä½¿ç”¨è€…请自行更换
  publicKey: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKoR8mX0rGKLqzcWmOzbfj64K8ZIgOdHnzkXSOVOZbFu/TJhZ7rFAN+eaGkl3C4buccQd/EjEsj9ir7ijT7h96MCAwEAAQ==
  # å“åº”加密公钥 éžå¯¹ç§°ç®—法的公私钥 å¦‚：SM2，RSA ä½¿ç”¨è€…请自行更换
  # å¯¹åº”前端解密私钥 MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAmc3CuPiGL/LcIIm7zryCEIbl1SPzBkr75E2VMtxegyZ1lYRD+7TZGAPkvIsBcaMs6Nsy0L78n2qh+lIZMpLH8wIDAQABAkEAk82Mhz0tlv6IVCyIcw/s3f0E+WLmtPFyR9/WtV3Y5aaejUkU60JpX4m5xNR2VaqOLTZAYjW8Wy0aXr3zYIhhQQIhAMfqR9oFdYw1J9SsNc+CrhugAvKTi0+BF6VoL6psWhvbAiEAxPPNTmrkmrXwdm/pQQu3UOQmc2vCZ5tiKpW10CgJi8kCIFGkL6utxw93Ncj4exE/gPLvKcT+1Emnoox+O9kRXss5AiAMtYLJDaLEzPrAWcZeeSgSIzbL+ecokmFKSDDcRske6QIgSMkHedwND1olF8vlKsJUGK3BcdtM8w4Xq7BpSBwsloE=
  publicKey: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJnNwrj4hi/y3CCJu868ghCG5dUj8wZK++RNlTLcXoMmdZWEQ/u02RgD5LyLAXGjLOjbMtC+/J9qofpSGTKSx/MCAwEAAQ==
  # è¯·æ±‚解密私钥 éžå¯¹ç§°ç®—法的公私钥 å¦‚：SM2，RSA ä½¿ç”¨è€…请自行更换
  # å¯¹åº”前端加密公钥 MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKoR8mX0rGKLqzcWmOzbfj64K8ZIgOdHnzkXSOVOZbFu/TJhZ7rFAN+eaGkl3C4buccQd/EjEsj9ir7ijT7h96MCAwEAAQ==
  privateKey: MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAqhHyZfSsYourNxaY7Nt+PrgrxkiA50efORdI5U5lsW79MmFnusUA355oaSXcLhu5xxB38SMSyP2KvuKNPuH3owIDAQABAkAfoiLyL+Z4lf4Myxk6xUDgLaWGximj20CUf+5BKKnlrK+Ed8gAkM0HqoTt2UZwA5E2MzS4EI2gjfQhz5X28uqxAiEA3wNFxfrCZlSZHb0gn2zDpWowcSxQAgiCstxGUoOqlW8CIQDDOerGKH5OmCJ4Z21v+F25WaHYPxCFMvwxpcw99EcvDQIgIdhDTIqD2jfYjPTY8Jj3EDGPbH2HHuffvflECt3Ek60CIQCFRlCkHpi7hthhYhovyloRYsM+IS9h/0BzlEAuO0ktMQIgSPT3aFAgJYwKpqRYKlLDVcflZFCKY7u3UP8iWi1Qw0Y=

springdoc:

 ruoyi-common/ruoyi-common-encrypt/pom.xml

@@ -37,6 +37,18 @@
            <artifactId>hutool-crypto</artifactId>
        </dependency>

        <!-- SpringBoot Web容器 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                    <groupId>org.springframework.boot</groupId>
                </exclusion>
            </exclusions>
        </dependency>

    </dependencies>

</project>

 ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/annotation/ApiEncrypt.java

¶Ô±ÈÐÂÎļþ
@@ -0,0 +1,20 @@
package org.dromara.common.encrypt.annotation;

import java.lang.annotation.*;

/**
 * å¼ºåˆ¶åŠ å¯†æ³¨è§£
 *
 * @author Michelle.Chung
 */
@Documented
@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface ApiEncrypt {

    /**
     * å“åº”加密忽略，默认加密，为 false æ—¶ä¸åŠ å¯†
     */
    boolean response() default true;

}

 ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/filter/CryptoFilter.java

@@ -3,10 +3,19 @@
import cn.hutool.core.util.ObjectUtil;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.dromara.common.core.constant.HttpStatus;
import org.dromara.common.core.exception.ServiceException;
import org.dromara.common.core.utils.SpringUtils;
import org.dromara.common.core.utils.StringUtils;
import org.dromara.common.encrypt.annotation.ApiEncrypt;
import org.dromara.common.encrypt.properties.ApiDecryptProperties;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import java.io.IOException;

@@ -25,8 +34,14 @@

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        ServletRequest requestWrapper = null;
        HttpServletRequest servletRequest = (HttpServletRequest) request;
        HttpServletResponse servletResponse = (HttpServletResponse) response;

        boolean encryptFlag = false;
        ServletRequest requestWrapper = null;
        ServletResponse responseWrapper = null;
        EncryptResponseBodyWrapper responseBodyWrapper = null;

        // æ˜¯å¦ä¸º json è¯·æ±‚
        if (StringUtils.startsWithIgnoreCase(request.getContentType(), MediaType.APPLICATION_JSON_VALUE)) {
            // æ˜¯å¦ä¸º put æˆ–者 post è¯·æ±‚
@@ -34,16 +49,68 @@
                // æ˜¯å¦å­˜åœ¨åŠ å¯†æ ‡å¤´
                String headerValue = servletRequest.getHeader(properties.getHeaderFlag());
                if (StringUtils.isNotBlank(headerValue)) {
                    requestWrapper = new DecryptRequestBodyWrapper(servletRequest, properties.getPublicKey(), properties.getPrivateKey(), properties.getHeaderFlag());
                    // è¯·æ±‚解密
                    requestWrapper = new DecryptRequestBodyWrapper(servletRequest, properties.getPrivateKey(), properties.getHeaderFlag());
                    // èŽ·å–加密注解
                    ApiEncrypt apiEncrypt = this.getApiEncryptAnnotation(servletRequest);
                    if (ObjectUtil.isNotNull(apiEncrypt)) {
                        // å“åº”加密标志
                        encryptFlag = apiEncrypt.response();
                    } else {
                        // æ˜¯å¦æœ‰æ³¨è§£ï¼Œæœ‰å°±æŠ¥é”™ï¼Œæ²¡æœ‰æ”¾è¡Œ
                        HandlerExceptionResolver exceptionResolver = SpringUtils.getBean("handlerExceptionResolver");
                        exceptionResolver.resolveException(
                            servletRequest, servletResponse, null,
                            new ServiceException("没有访问权限，请联系管理员授权", HttpStatus.FORBIDDEN));
                    }
                }
                // åˆ¤æ–­æ˜¯å¦å“åº”加密
                if (encryptFlag) {
                    responseBodyWrapper = new EncryptResponseBodyWrapper(servletResponse);
                    responseWrapper = responseBodyWrapper;
                }
            }
        }

        chain.doFilter(ObjectUtil.defaultIfNull(requestWrapper, request), response);
        chain.doFilter(
            ObjectUtil.defaultIfNull(requestWrapper, request),
            ObjectUtil.defaultIfNull(responseWrapper, response));

        if (encryptFlag) {
            servletResponse.reset();
            // å¯¹åŽŸå§‹å†…容加密
            String encryptContent = responseBodyWrapper.getEncryptContent(
                servletResponse, properties.getPublicKey(), properties.getHeaderFlag());
            // å¯¹åŠ å¯†åŽçš„内容写出
            servletResponse.getWriter().write(encryptContent);
        }
    }

    /**
     * èŽ·å– ApiEncrypt æ³¨è§£
     */
    private ApiEncrypt getApiEncryptAnnotation(HttpServletRequest servletRequest) {
        RequestMappingHandlerMapping handlerMapping = SpringUtils.getBean("requestMappingHandlerMapping", RequestMappingHandlerMapping.class);
        // èŽ·å–注解
        try {
            HandlerExecutionChain mappingHandler = handlerMapping.getHandler(servletRequest);
            System.out.println(mappingHandler);
            if (ObjectUtil.isNotNull(mappingHandler)) {
                Object handler = mappingHandler.getHandler();
                if (ObjectUtil.isNotNull(handler)) {
                    // ä»Žhandler获取注解
                    if (handler instanceof HandlerMethod handlerMethod) {
                        return handlerMethod.getMethodAnnotation(ApiEncrypt.class);
                    }
                }
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return null;
    }

    @Override
    public void destroy() {

    }
}

 ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/filter/DecryptRequestBodyWrapper.java

@@ -24,7 +24,7 @@

    private final byte[] body;

    public DecryptRequestBodyWrapper(HttpServletRequest request, String publicKey, String privateKey, String headerFlag) throws IOException {
    public DecryptRequestBodyWrapper(HttpServletRequest request, String privateKey, String headerFlag) throws IOException {
        super(request);
        // èŽ·å– AES å¯†ç  é‡‡ç”¨ RSA åŠ å¯†
        String headerRsa = request.getHeader(headerFlag);

 ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/filter/EncryptResponseBodyWrapper.java

¶Ô±ÈÐÂÎļþ
@@ -0,0 +1,121 @@
package org.dromara.common.encrypt.filter;

import cn.hutool.core.util.RandomUtil;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.WriteListener;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;
import org.dromara.common.encrypt.utils.EncryptUtils;

import java.io.*;
import java.nio.charset.StandardCharsets;

/**
 * åŠ å¯†å“åº”参数包装类
 *
 * @author Michelle.Chung
 */
public class EncryptResponseBodyWrapper extends HttpServletResponseWrapper {

    private final ByteArrayOutputStream byteArrayOutputStream;
    private final ServletOutputStream servletOutputStream;
    private final PrintWriter printWriter;

    public EncryptResponseBodyWrapper(HttpServletResponse response) throws IOException {
        super(response);
        this.byteArrayOutputStream = new ByteArrayOutputStream();
        this.servletOutputStream = this.getOutputStream();
        this.printWriter = new PrintWriter(new OutputStreamWriter(byteArrayOutputStream));
    }

    @Override
    public PrintWriter getWriter() {
        return printWriter;
    }

    @Override
    public void flushBuffer() throws IOException {
        if (servletOutputStream != null) {
            servletOutputStream.flush();
        }
        if (printWriter != null) {
            printWriter.flush();
        }
    }

    @Override
    public void reset() {
        byteArrayOutputStream.reset();
    }

    public byte[] getResponseData() throws IOException {
        flushBuffer();
        return byteArrayOutputStream.toByteArray();
    }

    public String getContent() throws IOException {
        flushBuffer();
        return byteArrayOutputStream.toString();
    }

    /**
     * èŽ·å–加密内容
     *
     * @param servletResponse response
     * @param publicKey       RSA公钥 (用于加密 AES ç§˜é’¥)
     * @param headerFlag      è¯·æ±‚头标志
     * @return åŠ å¯†å†…容
     * @throws IOException
     */
    public String getEncryptContent(HttpServletResponse servletResponse, String publicKey, String headerFlag) throws IOException {
        // ç”Ÿæˆç§˜é’¥
        String aesPassword = RandomUtil.randomString(32);
        System.out.println("aesPassword = " + aesPassword);
        // ç§˜é’¥ä½¿ç”¨ Base64 ç¼–码
        String encryptAes = EncryptUtils.encryptByBase64(aesPassword);
        // Rsa å…¬é’¥åŠ å¯† Base64 ç¼–码
        String encryptPassword = EncryptUtils.encryptByRsa(encryptAes, publicKey);

        // è®¾ç½®å“åº”头
        servletResponse.setHeader(headerFlag, encryptPassword);
        servletResponse.setHeader("Access-Control-Allow-Origin", "*");
        servletResponse.setHeader("Access-Control-Allow-Methods", "*");
        servletResponse.setCharacterEncoding(StandardCharsets.UTF_8.toString());

        // èŽ·å–原始内容
        String originalBody = this.getContent();
        // å¯¹å†…容进行加密
        return EncryptUtils.encryptByAes(originalBody, aesPassword);
    }

    @Override
    public ServletOutputStream getOutputStream() throws IOException {
        return new ServletOutputStream() {
            @Override
            public boolean isReady() {
                return false;
            }

            @Override
            public void setWriteListener(WriteListener writeListener) {

            }

            @Override
            public void write(int b) throws IOException {
                byteArrayOutputStream.write(b);
            }

            @Override
            public void write(byte[] b) throws IOException {
                byteArrayOutputStream.write(b);
            }

            @Override
            public void write(byte[] b, int off, int len) throws IOException {
                byteArrayOutputStream.write(b, off, len);
            }
        };
    }

}

 ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/properties/ApiDecryptProperties.java

@@ -21,14 +21,14 @@
     */
    private String headerFlag;


    /**
     * å…¬é’¥
     * å“åº”加密公钥
     */
    private String publicKey;

    /**
     * ç§é’¥
     * è¯·æ±‚解密私钥
     */
    private String privateKey;

}