鉴权修改

distributed-print/src/main/java/com/qmth/distributed/print/auth/DistributedPrintAuthenticationService.java

@@ -3,15 +3,36 @@ package com.qmth.distributed.print.auth;
 import com.qmth.boot.core.security.model.AccessEntity;
 import com.qmth.boot.core.security.service.AuthorizationService;
 import com.qmth.boot.tools.signature.SignatureType;
+import com.qmth.distributed.print.business.bean.auth.AuthBean;
+import com.qmth.distributed.print.business.entity.SysUser;
+import com.qmth.distributed.print.business.entity.TBSession;
+import com.qmth.distributed.print.business.enums.PrivilegePropertyEnum;
+import com.qmth.distributed.print.business.enums.RoleTypeEnum;
+import com.qmth.distributed.print.business.service.CacheService;
+import com.qmth.distributed.print.business.service.TBSessionService;
+import com.qmth.distributed.print.business.util.ServletUtil;
+import com.qmth.distributed.print.common.contant.SystemConstant;
+import com.qmth.distributed.print.common.enums.ExceptionResultEnum;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Component;
 
-import java.util.Arrays;
+import javax.annotation.Resource;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.util.List;
+import java.util.Objects;
+import java.util.Set;
 
 @Component
 public class DistributedPrintAuthenticationService implements AuthorizationService {
+    private final static Logger log = LoggerFactory.getLogger(DistributedPrintAuthenticationService.class);
 
-    List<String> list = Arrays.asList("/api/admin/test", "/api/exam/test");
+    @Resource
+    TBSessionService tbSessionService;
+
+    @Resource
+    CacheService cacheService;
 
     @Override
     public AccessEntity findByIdentity(String identity, SignatureType signatureType, String path) {
@@ -20,11 +41,66 @@ public class DistributedPrintAuthenticationService implements AuthorizationServi
 
     @Override
     public boolean hasPermission(AccessEntity accessEntity, String path) {
-        for (String s : list) {
-            if (s.contains(path)) {
+        if (Objects.nonNull(accessEntity) && Objects.nonNull(accessEntity.getIdentity())) {
+            TBSession tbSession = tbSessionService.getById(accessEntity.getIdentity());
+            List<String> privilegeUrl = cacheService.privilegeUrlCache(PrivilegePropertyEnum.NO_AUTH);
+            //无需鉴权的url
+            int noAuthCount = Objects.nonNull(privilegeUrl) ? (int) privilegeUrl.stream().filter(s -> s.equalsIgnoreCase(path)).count() : 0;
+            if (noAuthCount > 0) {
                 return true;
             }
+            Long userId = Long.parseLong(tbSession.getIdentity());
+            SysUser sysUser = cacheService.userCache(userId);
+            HttpServletRequest request = ServletUtil.getRequest();
+            HttpServletResponse response = ServletUtil.getResponse();
+            request.setAttribute(SystemConstant.SESSION, tbSession);
+            request.setAttribute(SystemConstant.USER, sysUser);
+            return authFootCommon(userId, SystemConstant.USER_OAUTH_CACHE, path, request, response);
         }
         return false;
     }
+
+    /**
+     * 鉴权尾公用
+     *
+     * @param userId
+     * @param type
+     * @param path
+     * @param request
+     * @param response
+     * @return
+     */
+    public boolean authFootCommon(Long userId,
+                                  String type,
+                                  String path,
+                                  HttpServletRequest request,
+                                  HttpServletResponse response) {
+        //验证权限
+        AuthBean authBean = type.contains(SystemConstant.USER_OAUTH_CACHE) ? authBean = cacheService.userAuthCache(userId) : null;
+        if (Objects.isNull(authBean)) {
+            throw ExceptionResultEnum.ROLE_ENABLE_AUTHORIZATION.exception();
+        }
+        request.setAttribute(SystemConstant.SCHOOL, authBean.getSchool());
+        request.setAttribute(SystemConstant.ORG, authBean.getOrg());
+
+        //超级系统管理员拥有所有权限
+        int count = Objects.nonNull(authBean) ? (int) authBean.getRoleList().stream().filter(s -> s.getType() == RoleTypeEnum.ADMIN).count() : 0;
+        if (count > 0) {
+            return true;
+        }
+        //系统公用接口不拦截
+        List<String> sysUrls = cacheService.privilegeUrlCache(PrivilegePropertyEnum.SYS);
+        int sysCount = Objects.nonNull(sysUrls) ? (int) sysUrls.stream().filter(s -> s.equalsIgnoreCase(path)).count() : 0;
+        if (sysCount > 0) {
+            return true;
+        }
+        Set<String> urls = authBean.getUrls();
+        int privilegeCount = Objects.nonNull(urls) ? (int) urls.stream().filter(s -> s.equalsIgnoreCase(path)).count() : 0;
+        if (privilegeCount == 0) {
+            log.warn("Authorization faile: url cannot access");
+            throw ExceptionResultEnum.UN_AUTHORIZATION.exception();
+        }
+        response.setStatus(ExceptionResultEnum.SUCCESS.getCode());
+        return true;
+    }
 }