refactor: 后台服务间调用不使用apikey

2023-01-09 14:31:40 +08:00 · 2023-01-09 14:31:40 +08:00 · 92e3098cb6
parent 451663bab3
commit 92e3098cb6
2 changed files with 12 additions and 79 deletions
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/HttpHeaderUtils.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/HttpHeaderUtils.java
@ -1,19 +1,16 @@
 package io.metersphere.commons.utils;
 import io.metersphere.base.domain.User;
 import io.metersphere.base.domain.UserKey;
 import io.metersphere.commons.constants.ApiKeyConstants;
 import io.metersphere.commons.constants.SessionConstants;
-import io.metersphere.commons.exception.MSException;
+import io.metersphere.commons.user.SessionUser;
 import io.metersphere.dto.UserDTO;
 import io.metersphere.service.BaseUserService;
 import io.metersphere.service.UserKeyService;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.BeanUtils;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
-import java.util.List;
+import java.util.UUID;
 import java.util.Optional;
 /**
 * 服务之间调用，需要添加HttpHeader,获取的时候注意当前线程的位置
@ -57,33 +54,19 @@ public class HttpHeaderUtils {
        User user = sessionUserThreadLocal.get();
        if (user != null) {
-            UserKey userKey = getUserKey(user);
+            UserDTO userDTO = new UserDTO();
-            accessKey = userKey.getAccessKey();
+            BeanUtils.copyProperties(user, userDTO);
-            String secretKey = userKey.getSecretKey();
+            SessionUser sessionUser = SessionUser.fromUser(userDTO, UUID.randomUUID().toString());
-            headers.add(SessionConstants.ACCESS_KEY, accessKey);
+
-            headers.add(SessionConstants.SIGNATURE, CodingUtil.aesDecrypt(accessKey + "|" + System.currentTimeMillis(), secretKey, accessKey));
+            headers.add(SessionConstants.HEADER_TOKEN, sessionUser.getSessionId());
-            headers.remove(HttpHeaders.COOKIE);
+            headers.add(SessionConstants.CSRF_TOKEN, sessionUser.getCsrfToken());
            headers.add(SessionConstants.CURRENT_PROJECT, sessionUser.getLastProjectId());
            headers.add(SessionConstants.CURRENT_WORKSPACE, sessionUser.getLastWorkspaceId());
        }
        return headers;
    }
    private static UserKey getUserKey(User user) {
        UserKeyService userKeyService = CommonBeanFactory.getBean(UserKeyService.class);
        List<UserKey> userKeys = userKeyService.getUserKeysInfo(user.getId());
        UserKey userKey;
        if (CollectionUtils.isEmpty(userKeys)) {
            userKey = userKeyService.generateUserKey(user.getId());
        } else {
            Optional<UserKey> ukOp = userKeys.stream().filter(uk -> StringUtils.equals(uk.getStatus(), ApiKeyConstants.ACTIVE.name())).findAny();
            if (ukOp.isEmpty()) {
                MSException.throwException("用户[" + user.getId() + "]至少需要开启一个ApiKey");
            }
            userKey = ukOp.get();
        }
        return userKey;
    }
    public static void runAsUser(User user) {
        if (user != null) {
            if (StringUtils.isBlank(user.getId())) {
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeySessionHandler.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeySessionHandler.java
@ -6,17 +6,11 @@ import io.metersphere.commons.utils.CodingUtil;
 import io.metersphere.commons.utils.LogUtil;
 import org.apache.commons.lang3.StringUtils;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.HashSet;
 import java.util.Set;
 import java.util.UUID;
 public class ApiKeySessionHandler {
    public static final String SSO_SOURCE_ID = "sourceId";
    public static String random = UUID.randomUUID() + UUID.randomUUID().toString();
    public static String validate(HttpServletRequest request) {
@ -32,49 +26,6 @@ public class ApiKeySessionHandler {
        return null;
    }
    public static void logout(HttpServletRequest request, HttpServletResponse response, String... remainSessionId) {
        try {
            Set<String> remainSessionIdSet = new HashSet<>();
            int len$;
            int i$;
            if (remainSessionId != null && remainSessionId.length > 0) {
                String[] arr$ = remainSessionId;
                len$ = remainSessionId.length;
                for (i$ = 0; i$ < len$; ++i$) {
                    String s = arr$[i$];
                    if (s != null && !StringUtils.EMPTY.equals(s)) {
                        remainSessionIdSet.add(s.toLowerCase());
                    }
                }
            }
            if (request.getCookies() != null) {
                Cookie[] arr$ = request.getCookies();
                len$ = arr$.length;
                for (i$ = 0; i$ < len$; ++i$) {
                    Cookie cookie = arr$[i$];
                    if (!cookie.getName().toLowerCase().contains("rememberme") && (remainSessionIdSet.size() == 0 || !remainSessionIdSet.contains(cookie.getName().toLowerCase()))) {
                        cookie.setValue("deleteMe");
                        cookie.setPath("/");
                        cookie.setMaxAge(0);
                        response.addCookie(cookie);
                    }
                }
            } else {
                Cookie cookie = new Cookie("MS_SESSION_ID", "deleteMe");
                cookie.setPath("/");
                cookie.setMaxAge(0);
                response.addCookie(cookie);
            }
            request.logout();
        } catch (Exception var8) {
            LogUtil.error("failed to logout", var8);
        }
    }
    private static String validate(String csrfToken) {
        csrfToken = CodingUtil.aesDecrypt(csrfToken, SessionUser.secret, SessionUser.iv);
        String[] signatureArray = StringUtils.split(StringUtils.trimToNull(csrfToken), "|");
@ -83,5 +34,4 @@ public class ApiKeySessionHandler {
        }
        return signatureArray[0];
    }
 }