revert: 去掉task-runner过来的totp限制

CaptainB 2023-11-30 09:54:09 +08:00 committed by f2c-ci-robot[bot]
parent f6472080a7
commit 1d353048ed
3 changed files with 1 additions and 48 deletions


@ -24,7 +24,6 @@ public class FilterChainUtils {
filterChainDefinitionMap.put("/favicon.ico", "anon");
filterChainDefinitionMap.put("/base-display/**", "anon");
filterChainDefinitionMap.put("/jmeter/ping", "anon");
filterChainDefinitionMap.put("/jmeter/ready/**", "totp");
filterChainDefinitionMap.put("/authsource/list/allenable", "anon");
filterChainDefinitionMap.put("/sso/callback/**", "anon");
filterChainDefinitionMap.put("/license/validate", "anon");
@ -75,10 +74,4 @@ public class FilterChainUtils {
return filterChainDefinitionMap;
}
public static Map<String, String> totpFilterChain() {
Map<String, String> filterChainDefinitionMap = new HashMap<>();
// 执行机下载执行资源需要验证totp
filterChainDefinitionMap.put("/jmeter/download/**", "totp");
return filterChainDefinitionMap;
}
}
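Review bot: With the `"/jmeter/ready/**"` entry and `totpFilterChain()` gone, `/jmeter/ready/**` and `/jmeter/download/**` have no explicit mapping in the visible part of `loadBaseFilterChain()`, so their protection now depends on whichever broader pattern matches them in the part of the method that lies between these two hunks and is not shown. Shiro uses the first pattern that matches, so it is worth confirming that no `anon` pattern covers the download path, which serves execution resources to task-runners, and that task-runner requests can still pass the default chain. I would record the decision next to the `/jmeter/ping` entry, e.g. `// /jmeter/ready/** and /jmeter/download/** deliberately fall through to the default chain; do not map them to anon`, and add a test asserting that an unauthenticated request to `/jmeter/download/**` is rejected.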


@ -4,7 +4,6 @@ package io.metersphere.system.config;
import io.metersphere.system.security.ApiKeyFilter;
import io.metersphere.system.security.CsrfFilter;
import io.metersphere.system.security.MsPermissionAnnotationMethodInterceptor;
import io.metersphere.system.security.TotpFilter;
import io.metersphere.system.security.realm.LocalRealm;
import io.metersphere.sdk.util.FilterChainUtils;
import jakarta.servlet.DispatcherType;
@ -43,12 +42,11 @@ public class ShiroConfig {
shiroFilterFactoryBean.getFilters().put("apikey", new ApiKeyFilter());
shiroFilterFactoryBean.getFilters().put("csrf", new CsrfFilter());
shiroFilterFactoryBean.getFilters().put("totp", new TotpFilter());
Map<String, String> filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap();
filterChainDefinitionMap.putAll(FilterChainUtils.loadBaseFilterChain());
filterChainDefinitionMap.putAll(FilterChainUtils.totpFilterChain());
filterChainDefinitionMap.putAll(FilterChainUtils.ignoreCsrfFilter());


@ -1,38 +0,0 @@
package io.metersphere.system.security;
import com.bastiaanjansen.otp.TOTPGenerator;
import io.metersphere.sdk.constants.MsHttpHeaders;
import io.metersphere.sdk.util.CommonBeanFactory;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.web.filter.authc.AnonymousFilter;
import org.apache.shiro.web.util.WebUtils;
public class TotpFilter extends AnonymousFilter {
@Override
protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
// 请求头取出的token value
String token = httpServletRequest.getHeader(MsHttpHeaders.OTP_TOKEN);
// 校验 token
validateToken(token);
return true;
}
private void validateToken(String token) {
if (StringUtils.isBlank(token)) {
throw new RuntimeException("token is empty");
}
TOTPGenerator totpGenerator = CommonBeanFactory.getBean(TOTPGenerator.class);
if (!totpGenerator.verify(token)) {
throw new RuntimeException("token is not valid");
}
}
}