|
|
|
|
@ -1,14 +1,44 @@
|
|
|
|
|
/* |
|
|
|
|
* Copyright (c) 2018-2028, Chill Zhuang All rights reserved. |
|
|
|
|
* |
|
|
|
|
* Redistribution and use in source and binary forms, with or without |
|
|
|
|
* modification, are permitted provided that the following conditions are met: |
|
|
|
|
* |
|
|
|
|
* Redistributions of source code must retain the above copyright notice, |
|
|
|
|
* this list of conditions and the following disclaimer. |
|
|
|
|
* Redistributions in binary form must reproduce the above copyright |
|
|
|
|
* notice, this list of conditions and the following disclaimer in the |
|
|
|
|
* documentation and/or other materials provided with the distribution. |
|
|
|
|
* Neither the name of the dreamlu.net developer nor the names of its |
|
|
|
|
* contributors may be used to endorse or promote products derived from |
|
|
|
|
* this software without specific prior written permission. |
|
|
|
|
* Author: Chill 庄骞 (smallchill@163.com) |
|
|
|
|
*/ |
|
|
|
|
package org.springblade.auth.granter; |
|
|
|
|
|
|
|
|
|
import me.zhyd.oauth.model.AuthCallback; |
|
|
|
|
import me.zhyd.oauth.model.AuthResponse; |
|
|
|
|
import me.zhyd.oauth.model.AuthUser; |
|
|
|
|
import me.zhyd.oauth.request.AuthRequest; |
|
|
|
|
import org.springblade.auth.constant.AuthConstant; |
|
|
|
|
import org.springblade.auth.service.BladeUserDetails; |
|
|
|
|
import org.springblade.auth.utils.TokenUtil; |
|
|
|
|
import org.springblade.common.cache.CacheNames; |
|
|
|
|
import org.springblade.core.redis.cache.BladeRedis; |
|
|
|
|
import org.springblade.core.tool.utils.StringUtil; |
|
|
|
|
import org.springblade.core.social.props.SocialProperties; |
|
|
|
|
import org.springblade.core.social.utils.SocialUtil; |
|
|
|
|
import org.springblade.core.tool.api.R; |
|
|
|
|
import org.springblade.core.tool.support.Kv; |
|
|
|
|
import org.springblade.core.tool.utils.BeanUtil; |
|
|
|
|
import org.springblade.core.tool.utils.Func; |
|
|
|
|
import org.springblade.core.tool.utils.WebUtil; |
|
|
|
|
import org.springframework.security.authentication.*; |
|
|
|
|
import org.springblade.system.entity.User; |
|
|
|
|
import org.springblade.system.entity.UserInfo; |
|
|
|
|
import org.springblade.system.entity.UserOauth; |
|
|
|
|
import org.springblade.system.feign.IUserClient; |
|
|
|
|
import org.springframework.security.authentication.AbstractAuthenticationToken; |
|
|
|
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; |
|
|
|
|
import org.springframework.security.core.Authentication; |
|
|
|
|
import org.springframework.security.core.authority.AuthorityUtils; |
|
|
|
|
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; |
|
|
|
|
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException; |
|
|
|
|
import org.springframework.security.oauth2.provider.*; |
|
|
|
|
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter; |
|
|
|
|
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices; |
|
|
|
|
@ -16,59 +46,61 @@ import org.springframework.security.oauth2.provider.token.AuthorizationServerTok
|
|
|
|
|
import javax.servlet.http.HttpServletRequest; |
|
|
|
|
import java.util.LinkedHashMap; |
|
|
|
|
import java.util.Map; |
|
|
|
|
import java.util.Objects; |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* 本地内部服务TokenGranter |
|
|
|
|
* 本地登录 |
|
|
|
|
* |
|
|
|
|
* @author Chill |
|
|
|
|
*/ |
|
|
|
|
public class LocalServerTokenGranter extends AbstractTokenGranter { |
|
|
|
|
private static final String GRANT_TYPE = "local_server"; |
|
|
|
|
private static final Integer AUTH_SUCCESS_CODE = 2000; |
|
|
|
|
|
|
|
|
|
private static final String GRANT_TYPE = "localserver"; |
|
|
|
|
|
|
|
|
|
private final AuthenticationManager authenticationManager; |
|
|
|
|
|
|
|
|
|
private BladeRedis bladeRedis; |
|
|
|
|
|
|
|
|
|
public LocalServerTokenGranter(AuthenticationManager authenticationManager, |
|
|
|
|
AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, BladeRedis bladeRedis) { |
|
|
|
|
this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE); |
|
|
|
|
this.bladeRedis = bladeRedis; |
|
|
|
|
} |
|
|
|
|
private final IUserClient userClient; |
|
|
|
|
private final SocialProperties socialProperties; |
|
|
|
|
|
|
|
|
|
protected LocalServerTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, |
|
|
|
|
ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) { |
|
|
|
|
super(tokenServices, clientDetailsService, requestFactory, grantType); |
|
|
|
|
this.authenticationManager = authenticationManager; |
|
|
|
|
protected LocalServerTokenGranter(AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, IUserClient userClient, SocialProperties socialProperties) { |
|
|
|
|
super(tokenServices, clientDetailsService, requestFactory, GRANT_TYPE); |
|
|
|
|
this.userClient = userClient; |
|
|
|
|
this.socialProperties = socialProperties; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) { |
|
|
|
|
// 请求头租户信息
|
|
|
|
|
HttpServletRequest request = WebUtil.getRequest(); |
|
|
|
|
String tenantId = Func.toStr(request.getHeader(TokenUtil.TENANT_HEADER_KEY), TokenUtil.DEFAULT_TENANT_ID); |
|
|
|
|
|
|
|
|
|
Map<String, String> parameters = new LinkedHashMap<>(tokenRequest.getRequestParameters()); |
|
|
|
|
|
|
|
|
|
Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters()); |
|
|
|
|
String username = parameters.get("username"); |
|
|
|
|
String password = parameters.get("password"); |
|
|
|
|
// Protect from downstream leaks of password
|
|
|
|
|
parameters.remove("password"); |
|
|
|
|
tenantId = parameters.get("tenantId"); |
|
|
|
|
|
|
|
|
|
Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password); |
|
|
|
|
((AbstractAuthenticationToken) userAuth).setDetails(parameters); |
|
|
|
|
try { |
|
|
|
|
userAuth = authenticationManager.authenticate(userAuth); |
|
|
|
|
} |
|
|
|
|
catch (AccountStatusException | BadCredentialsException ase) { |
|
|
|
|
//covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
|
|
|
|
|
throw new InvalidGrantException(ase.getMessage()); |
|
|
|
|
} |
|
|
|
|
// If the username/password are wrong the spec says we should send 400/invalid grant
|
|
|
|
|
|
|
|
|
|
if (userAuth == null || !userAuth.isAuthenticated()) { |
|
|
|
|
throw new InvalidGrantException("Could not authenticate user: " + username); |
|
|
|
|
// 远程调用,获取认证信息
|
|
|
|
|
R<UserInfo> result = userClient.userInfo(tenantId, username); |
|
|
|
|
BladeUserDetails bladeUserDetails; |
|
|
|
|
if (result.isSuccess()) { |
|
|
|
|
User user = result.getData().getUser(); |
|
|
|
|
Kv detail = result.getData().getDetail(); |
|
|
|
|
if (user == null || user.getId() == null || user.getAccount() == null) { |
|
|
|
|
throw new InvalidGrantException("localserver grant failure, user is null"); |
|
|
|
|
} |
|
|
|
|
bladeUserDetails = new BladeUserDetails(user.getId(), |
|
|
|
|
tenantId, result.getData().getOauthId(), user.getName(), user.getRealName(), user.getDeptId(), user.getPostId(), user.getRoleId(), Func.join(result.getData().getRoles()), Func.toStr(user.getAvatar(), TokenUtil.DEFAULT_AVATAR), |
|
|
|
|
user.getName(), AuthConstant.ENCRYPT + user.getPassword(), detail, true, true, true, true, |
|
|
|
|
AuthorityUtils.commaSeparatedStringToAuthorityList(Func.join(result.getData().getRoles()))); |
|
|
|
|
} else { |
|
|
|
|
throw new InvalidGrantException("localserver grant failure, feign client return error"); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// 组装认证数据,关闭密码校验
|
|
|
|
|
Authentication userAuth = new UsernamePasswordAuthenticationToken(bladeUserDetails, null, bladeUserDetails.getAuthorities()); |
|
|
|
|
((AbstractAuthenticationToken) userAuth).setDetails(parameters); |
|
|
|
|
OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest); |
|
|
|
|
|
|
|
|
|
// 返回 OAuth2Authentication
|
|
|
|
|
return new OAuth2Authentication(storedOAuth2Request, userAuth); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
