/* * Copyright (c) 2018-2028, Chill Zhuang All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * Neither the name of the dreamlu.net developer nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * Author: Chill 庄骞 (smallchill@163.com) */ package com.vci.ubcs.auth.service; import com.alibaba.nacos.common.utils.StringUtils; import com.vci.ubcs.auth.constant.AuthConstant; import com.vci.ubcs.auth.utils.TokenUtil; import com.vci.ubcs.system.user.entity.User; import com.vci.ubcs.system.user.entity.UserInfo; import com.vci.ubcs.system.user.enums.UserEnum; import com.vci.ubcs.system.user.feign.IUserClient; import io.jsonwebtoken.Claims; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import me.zhyd.oauth.log.Log; import com.vci.ubcs.common.cache.CacheNames; import org.springblade.core.jwt.JwtUtil; import org.springblade.core.jwt.props.JwtProperties; import org.springblade.core.redis.cache.BladeRedis; import org.springblade.core.secure.utils.AuthUtil; import org.springblade.core.tool.api.R; import org.springblade.core.tool.support.Kv; import org.springblade.core.tool.utils.*; import com.vci.ubcs.system.cache.ParamCache; import com.vci.ubcs.system.entity.Strategy; import com.vci.ubcs.system.entity.Tenant; import com.vci.ubcs.system.feign.ISysClient; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException; import org.springframework.stereotype.Service; import javax.servlet.http.HttpServletRequest; import java.time.Duration; import java.util.ArrayList; import java.util.List; /** * 用户信息 * * @author Chill */ @Service @RequiredArgsConstructor public class BladeUserDetailsServiceImpl implements UserDetailsService { /** * 默认允许错误次数 */ public static final Integer FAIL_COUNT = 5; public static final String FAIL_COUNT_VALUE = "account.failCount"; /** * user服务调用类 */ private final IUserClient userClient; private final ISysClient sysClient; private final BladeRedis bladeRedis; private final JwtProperties jwtProperties; /** * 超级管理员信息 */ @Value("${user-info.tenant-id}") private String tenantId; @Value("${user-info.user-name}") private String userName; @Value("${user-info.passwrod}") private String password; @Value("${user-info.id}") private String id; @Value("${ip-whitelist.ip-enable}") private Boolean ipEnable; @Value("#{'${ip-whitelist.ip}'.split(',')}") private List ips; @Override @SneakyThrows public BladeUserDetails loadUserByUsername(String username) { HttpServletRequest request = WebUtil.getRequest(); // 获取用户绑定ID String headerDept = request.getHeader(TokenUtil.DEPT_HEADER_KEY); String headerRole = request.getHeader(TokenUtil.ROLE_HEADER_KEY); // 获取租户ID String headerTenant = request.getHeader(TokenUtil.TENANT_HEADER_KEY); String paramTenant = request.getParameter(TokenUtil.TENANT_PARAM_KEY); String password = request.getParameter(TokenUtil.PASSWORD_KEY); String grantType = request.getParameter(TokenUtil.GRANT_TYPE_KEY); // 判断租户请求头 if (StringUtil.isAllBlank(headerTenant, paramTenant)) { throw new UserDeniedAuthorizationException(TokenUtil.TENANT_NOT_FOUND); } // 判断令牌合法性 if (!judgeRefreshToken(grantType, request)) { throw new UserDeniedAuthorizationException(TokenUtil.TOKEN_NOT_PERMISSION); } // 指定租户ID String tenantId = StringUtils.isBlank(headerTenant) ? paramTenant : headerTenant; Log.debug("当前登录用户的租户Id为:"+tenantId+"当前登录用户名为:"+username); Strategy strategy = sysClient.getByTenantIdAndName(tenantId, username).getData(); // 判断登录是否锁定 int count = getFailCount(tenantId, username); //为防止取值为空报错的情况,当为空的时候给默认只为5次便锁定用户登录,但是一般很难出现这种情况,因为我feign里面是给了默认密码策略查询的 int failCountValue = Func.isEmpty(strategy) ? FAIL_COUNT:Func.toInt(strategy.getLockingNum()); int failCount = Func.toInt(ParamCache.getValue(FAIL_COUNT_VALUE), failCountValue); if (count >= failCount) { throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_TOO_MANY_FAILS); } //超级管理员配置文件配置账号密码,实现登录, 默认租户id为000000 if(tenantId.equals(this.tenantId)){ if (!this.userName.equals(username) && !password.equalsIgnoreCase(this.password)) { setFailCount(tenantId, username, count,strategy.getLockingTime()); throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND); } //如果ip比对后get抛出异常No value present就直接抛异常结束登录 if(ipEnable){ Log.debug("当前访问IP:"+getIpAddress(request)); try { ips.stream().filter(s -> s.equals(getIpAddress(request))).findFirst().get(); } catch (Exception e){ throw new UserDeniedAuthorizationException(TokenUtil.IP_NOT_FOND); } } ArrayList authorities = new ArrayList<>(); authorities.add(new SimpleGrantedAuthority("administrator")); // 成功则清除登录错误次数 delFailCount(tenantId, username); Kv kv = Kv.create(); kv.set("type","web"); return new BladeUserDetails( new Long(this.id),this.tenantId, StringPool.EMPTY, "超级管理员", "超级管理员",this.id, this.id,"1123598816738675201", "administrator","https://gw.alipayobjects.com/zos/rmsportal/BiazfanxmamNRoxxVxka.png" ,this.userName, AuthConstant.ENCRYPT + this.password, kv, true, true, true, true,authorities ); }else { R tenant = sysClient.getTenant(tenantId); if (tenant.isSuccess()) { if (TokenUtil.judgeTenant(tenant.getData())) { throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_TENANT_PERMISSION); } } else { throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_TENANT); } // 获取用户类型 String userType = Func.toStr(request.getHeader(TokenUtil.USER_TYPE_HEADER_KEY), TokenUtil.DEFAULT_USER_TYPE); // 远程调用返回数据 R result; // 根据不同用户类型调用对应的接口返回数据,用户可自行拓展 if (userType.equals(UserEnum.WEB.getName())) { result = userClient.userInfo(tenantId, username, UserEnum.WEB.getName()); } else if (userType.equals(UserEnum.APP.getName())) { result = userClient.userInfo(tenantId, username, UserEnum.APP.getName()); } else { result = userClient.userInfo(tenantId, username, UserEnum.OTHER.getName()); } // 判断返回信息 if (result.isSuccess()) { UserInfo userInfo = result.getData(); User user = userInfo.getUser(); // 用户不存在,但提示用户名与密码错误并锁定账号 if (user == null || user.getId() == null) { setFailCount(tenantId, username, count,strategy.getLockingTime()); throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND); } String hex = DigestUtil.hex(password); // 用户存在但密码错误,超过次数则锁定账号 if (grantType != null && !grantType.equals(TokenUtil.REFRESH_TOKEN_KEY) && !user.getPassword().equals(hex)) { setFailCount(tenantId, username, count,strategy.getLockingTime()); throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND); } // 用户角色不存在 if (Func.isEmpty(userInfo.getRoles())) { throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_ROLE); } // 多部门情况下指定单部门 if (Func.isNotEmpty(headerDept) && user.getDeptId().contains(headerDept)) { user.setDeptId(headerDept); } // 多角色情况下指定单角色 if (Func.isNotEmpty(headerRole) && user.getRoleId().contains(headerRole)) { R> roleResult = sysClient.getRoleAliases(headerRole); if (roleResult.isSuccess()) { userInfo.setRoles(roleResult.getData()); } user.setRoleId(headerRole); } // 成功则清除登录错误次数 delFailCount(tenantId, username); //填充用户信息到用户信息扩展类 BladeUserDetails bladeUserDetails = new BladeUserDetails(user.getId(), user.getTenantId(), StringPool.EMPTY, user.getName(), user.getRealName(), user.getDeptId(), user.getPostId(), user.getRoleId(), Func.join(userInfo.getRoles()), Func.toStr(user.getAvatar(), TokenUtil.DEFAULT_AVATAR), username, AuthConstant.ENCRYPT + user.getPassword(), userInfo.getDetail(),user.getSecretGrade(), true, true, true, true, AuthorityUtils.commaSeparatedStringToAuthorityList(Func.join(result.getData().getRoles())),user.getStrategyUpdateStatus(),tenant.getData().getTenantName(),user.getDeptName(),user.getEmail()); return bladeUserDetails; } else { throw new UsernameNotFoundException(result.getMsg()); } } } /** * 获取客户端ip,客户端可能经过代理,也可能没经过代理 * 如开启虚拟机的情况也可能导致获取到的是虚拟机的ip * @param request * @return */ public static String getIpAddress(HttpServletRequest request){ String ip = request.getHeader("x-forwarded-for"); if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)) { // 多次反向代理后会有多个ip值,第一个ip才是真实ip ip = ip.split(",")[0]; } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("Proxy-Client-IP"); System.out.println("Proxy-Client-IP"+ip); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("WL-Proxy-Client-IP"); System.out.println("WL-Proxy-Client-IP"+ip); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_CLIENT_IP"); System.out.println("HTTP_CLIENT_IP"+ip); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_X_FORWARDED_FOR"); System.out.println("HTTP_X_FORWARDED_FOR"+ip); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("X-Real-IP"); System.out.println("X-Real-IP"+ip); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getRemoteAddr(); System.out.println("getRemoteAddr"+ip); } //如果没取到ip,返回"" if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = ""; } return ip; } /** * 获取账号错误次数 * * @param tenantId 租户id * @param username 账号 * @return int */ private int getFailCount(String tenantId, String username) { return Func.toInt(bladeRedis.get(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username)), 0); } /** * 设置账号错误次数 * * @param tenantId 租户id * @param username 账号 * @param count 次数 */ private void setFailCount(String tenantId, String username, int count, Long expir) { bladeRedis.setEx(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username), count + 1, Duration.ofMinutes(expir)); } /** * 清空账号错误次数 * * @param tenantId 租户id * @param username 账号 */ private void delFailCount(String tenantId, String username) { bladeRedis.del(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username)); } /** * 校验refreshToken合法性 * * @param grantType 认证类型 * @param request 请求 */ private boolean judgeRefreshToken(String grantType, HttpServletRequest request) { if (jwtProperties.getState() && jwtProperties.getSingle() && StringUtil.equals(grantType, TokenUtil.REFRESH_TOKEN_KEY)) { String refreshToken = request.getParameter(TokenUtil.REFRESH_TOKEN_KEY); Claims claims = JwtUtil.parseJWT(refreshToken); String tenantId = String.valueOf(claims.get("tenant_id")); String userId = String.valueOf(claims.get("user_id")); String token = JwtUtil.getRefreshToken(tenantId, userId, refreshToken); return StringUtil.equalsIgnoreCase(token, refreshToken); } return true; } }