refactor: 使用csrf拦截器过滤请求

Closes #1088
2021-03-10 14:02:17 +08:00 · 2021-03-10 14:02:17 +08:00 · 7e6a08bef2
parent 8bf4ce16a6
commit 7e6a08bef2
7 changed files with 97 additions and 18 deletions
--- a/backend/src/main/java/io/metersphere/commons/user/SessionUser.java
+++ b/backend/src/main/java/io/metersphere/commons/user/SessionUser.java
@ -1,18 +1,35 @@
 package io.metersphere.commons.user;

+import io.metersphere.commons.utils.CodingUtil;
 import io.metersphere.dto.UserDTO;
+import lombok.Getter;
+import lombok.Setter;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.BeanUtils;

 import java.io.Serializable;
+import java.util.Arrays;
+import java.util.List;

+@Setter
+@Getter
 public class SessionUser extends UserDTO implements Serializable {
+    public static final String secret = "9a9rdqPlTqhpZzkq";
+    public static final String iv = "1Av7hf9PgHusUHRm";

    private static final long serialVersionUID = -7149638440406959033L;
+    private String csrfToken;
+
+    private SessionUser() {
+    }

    public static SessionUser fromUser(UserDTO user) {
        SessionUser sessionUser = new SessionUser();
        BeanUtils.copyProperties(user, sessionUser);

+        List<String> infos = Arrays.asList(user.getId(), RandomStringUtils.random(6), "" + System.currentTimeMillis());
+        sessionUser.csrfToken = CodingUtil.aesEncrypt(StringUtils.join(infos, "|"), secret, iv);
        return sessionUser;
    }

--- a/backend/src/main/java/io/metersphere/commons/utils/SessionUtils.java
+++ b/backend/src/main/java/io/metersphere/commons/utils/SessionUtils.java
@ -62,14 +62,14 @@ public class SessionUtils {
    }

    public static String getCurrentWorkspaceId() {
-        return Optional.ofNullable(getUser()).orElse(new SessionUser()).getLastWorkspaceId();
+        return getUser().getLastWorkspaceId();
    }

    public static String getCurrentOrganizationId() {
-        return Optional.ofNullable(getUser()).orElse(new SessionUser()).getLastOrganizationId();
+        return getUser().getLastOrganizationId();
    }

    public static String getCurrentProjectId() {
-        return Optional.ofNullable(getUser()).orElse(new SessionUser()).getLastProjectId();
+        return getUser().getLastProjectId();
    }
 }
--- a/backend/src/main/java/io/metersphere/config/ShiroConfig.java
+++ b/backend/src/main/java/io/metersphere/config/ShiroConfig.java
@ -2,6 +2,7 @@ package io.metersphere.config;

 import io.metersphere.commons.utils.ShiroUtils;
 import io.metersphere.security.ApiKeyFilter;
+import io.metersphere.security.CsrfFilter;
 import io.metersphere.security.UserModularRealmAuthenticator;
 import io.metersphere.security.realm.LdapRealm;
 import io.metersphere.security.realm.ShiroDBRealm;
@ -44,10 +45,11 @@ public class ShiroConfig implements EnvironmentAware {
        shiroFilterFactoryBean.setSuccessUrl("/");

        shiroFilterFactoryBean.getFilters().put("apikey", new ApiKeyFilter());
+        shiroFilterFactoryBean.getFilters().put("csrf", new CsrfFilter());
        Map<String, String> filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap();
        ShiroUtils.loadBaseFilterChain(filterChainDefinitionMap);

-        filterChainDefinitionMap.put("/**", "apikey, authc");
+        filterChainDefinitionMap.put("/**", "apikey, csrf, authc");
        return shiroFilterFactoryBean;
    }

--- a/backend/src/main/java/io/metersphere/controller/LoginController.java
+++ b/backend/src/main/java/io/metersphere/controller/LoginController.java
@ -1,6 +1,5 @@
 package io.metersphere.controller;

-import io.metersphere.commons.constants.SsoMode;
 import io.metersphere.commons.constants.UserSource;
 import io.metersphere.commons.user.SessionUser;
 import io.metersphere.commons.utils.SessionUtils;
@ -10,7 +9,6 @@ import io.metersphere.service.UserService;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
 import org.springframework.context.i18n.LocaleContextHolder;
-import org.springframework.core.env.Environment;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;

@ -24,8 +22,6 @@ public class LoginController {
    @Resource
    private UserService userService;
    @Resource
-    private Environment env;
-    @Resource
    private BaseDisplayService baseDisplayService;

    @GetMapping(value = "/isLogin")
@ -37,10 +33,6 @@ public class LoginController {
            }
            return ResultHolder.success(user);
        }
-        String ssoMode = env.getProperty("sso.mode");
-        if (ssoMode != null && StringUtils.equalsIgnoreCase(SsoMode.CAS.name(), ssoMode)) {
-            return ResultHolder.error("sso");
-        }
        return ResultHolder.error("");
    }

--- a/backend/src/main/java/io/metersphere/controller/UserController.java
+++ b/backend/src/main/java/io/metersphere/controller/UserController.java
@ -1,11 +1,8 @@
 package io.metersphere.controller;

-import com.alibaba.fastjson.JSONObject;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
-import io.metersphere.base.domain.Organization;
 import io.metersphere.base.domain.User;
-import io.metersphere.base.domain.Workspace;
 import io.metersphere.commons.constants.RoleConstants;
 import io.metersphere.commons.exception.MSException;
 import io.metersphere.commons.user.SessionUser;
@ -29,7 +26,6 @@ import io.metersphere.service.WorkspaceService;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.authz.annotation.Logical;
 import org.apache.shiro.authz.annotation.RequiresRoles;
-import org.checkerframework.checker.units.qual.C;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;

--- a/backend/src/main/java/io/metersphere/security/CsrfFilter.java
+++ b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
@ -0,0 +1,63 @@
+package io.metersphere.security;
+
+import io.metersphere.commons.user.SessionUser;
+import io.metersphere.commons.utils.CodingUtil;
+import io.metersphere.commons.utils.CommonBeanFactory;
+import io.metersphere.commons.utils.SessionUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.web.filter.authc.AnonymousFilter;
+import org.apache.shiro.web.util.WebUtils;
+import org.springframework.core.env.Environment;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class CsrfFilter extends AnonymousFilter {
+    private static final String TOKEN_NAME = "CSRF-TOKEN";
+
+    @Override
+    protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
+        HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
+
+        if (!SecurityUtils.getSubject().isAuthenticated()) {
+            ((HttpServletResponse) response).setHeader("Authentication-Status", "invalid");
+        }
+        // api 过来的请求
+        if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
+            return true;
+        }
+        // 请求头取出的token value
+        String csrfToken = httpServletRequest.getHeader(TOKEN_NAME);
+        // 校验
+        validate(csrfToken);
+        return true;
+    }
+
+    private void validate(String csrfToken) {
+        csrfToken = CodingUtil.aesDecrypt(csrfToken, SessionUser.secret, SessionUser.iv);
+
+        String[] signatureArray = StringUtils.split(StringUtils.trimToNull(csrfToken), "|");
+        if (signatureArray.length != 3) {
+            throw new RuntimeException("invalid token");
+        }
+
+        long signatureTime;
+        try {
+            signatureTime = Long.parseLong(signatureArray[2]);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+        Environment env = CommonBeanFactory.getBean(Environment.class);
+        assert env != null;
+        long timeout = env.getProperty("session.timeout", Long.class, 43200L);
+        if (Math.abs(System.currentTimeMillis() - signatureTime) > timeout * 1000) {
+            throw new RuntimeException("expired token");
+        }
+        if (!StringUtils.equals(SessionUtils.getUserId(), signatureArray[0])) {
+            throw new RuntimeException("Please check csrf token.");
+        }
+    }
+}
--- a/frontend/src/common/js/ajax.js
+++ b/frontend/src/common/js/ajax.js
@ -1,13 +1,13 @@
 import {Message, MessageBox} from 'element-ui';
 import axios from "axios";
 import i18n from '../../i18n/i18n'
-
+import {TokenKey} from "@/common/js/constants";

 export default {
  install(Vue) {

    // 登入请求不重定向
-    let unRedirectUrls = new Set(['signin','ldap/signin','/signin', '/ldap/signin']);
+    let unRedirectUrls = new Set(['signin', 'ldap/signin', '/signin', '/ldap/signin']);

    if (!axios) {
      window.console.error('You have to install axios');
@ -40,6 +40,15 @@ export default {
      return Promise.reject(error);
    });

+    axios.interceptors.request.use(config => {
+      let user = JSON.parse(localStorage.getItem(TokenKey));
+      if (user && user.csrfToken) {
+        config.headers['CSRF-TOKEN'] = user.csrfToken;
+      }
+      return config;
+    });
+
+
    function then(success, response, result) {
      if (!response.data) {
        success(response);