提交自测

src/main/java/cn/quantgroup/xyqb/aspect/limit/PasswordFreeAccessValidatorValidateAdvisor.java

@@ -5,6 +5,7 @@ import cn.quantgroup.xyqb.entity.User;
 import cn.quantgroup.xyqb.model.JsonResult;
 import cn.quantgroup.xyqb.model.session.SessionStruct;
 import cn.quantgroup.xyqb.session.XyqbSessionContextHolder;
+import com.alibaba.fastjson.JSONObject;
 import org.apache.commons.lang3.StringUtils;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
@@ -20,10 +21,7 @@ import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
 import javax.servlet.http.HttpServletRequest;
-import java.util.Enumeration;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
+import java.util.*;
 
 /**
  * 免密访问校验切面
@@ -57,50 +55,74 @@ public class PasswordFreeAccessValidatorValidateAdvisor {
      */
     @Around("passwordFreeAccess()")
     private Object checkToken(ProceedingJoinPoint pjp) throws Throwable {
-        boolean valid = tokenValid();
+        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+        boolean valid = tokenValid(request) || ipValid(request);
         if (valid) {
             return pjp.proceed();
         }
-        return JsonResult.buildErrorStateResult("操作失败，请重新提交请求", "");
+        return JsonResult.buildErrorStateResult("拒绝访问", "");
     }
 
     /**
      * 校验免密访问
+     * 规则：token 与 身份标记（phoneNo、userId匹配）
      * @return True or False
      */
-    private boolean tokenValid() {
-        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+    private boolean tokenValid(HttpServletRequest request) {
+        Objects.requireNonNull(request, "无效请求");
         Set<String> paramKeys = request.getParameterMap().keySet();
         if(!paramKeys.contains(PHONE_NO) && !paramKeys.contains(USER_ID)){
-            LOGGER.info("缺少参数信息，请重新请求, paramKeys={}, clientIp={}", paramKeys, request.getRemoteAddr());
+            LOGGER.info("非法请求 - 缺少参数, paramKeys={}, clientIp={}", paramKeys, request.getRemoteAddr());
             return false;
         }
         // 当前请求的phoneNo/userId
         String phoneNo = request.getParameter(PHONE_NO);
         String userId = request.getParameter(USER_ID);
         if(StringUtils.isBlank(phoneNo) && StringUtils.isBlank(userId)){
-            LOGGER.info("缺少参数信息，请重新请求, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, request.getRemoteAddr());
+            LOGGER.info("非法请求 - 缺少参数, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, request.getRemoteAddr());
             return false;
         }
         // 当前请求的Token
         String token = request.getHeader(Constants.X_AUTH_TOKEN);
         if (Objects.isNull(token) || token.length() != 36) {
+            LOGGER.info("非法请求 - 无效token, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, request.getRemoteAddr());
             return false;
         }
         // 当前session
         SessionStruct session = XyqbSessionContextHolder.getXSessionFromRedis(token);
         if (Objects.isNull(session) || Objects.isNull(session.getValues()) || Objects.isNull(session.getValues().getUser())){
+            LOGGER.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, request.getRemoteAddr());
             return false;
         }
         // 当前用户
         User user = session.getValues().getUser();
         if(Objects.isNull(user.getId()) && StringUtils.isBlank(user.getPhoneNo())){
+            LOGGER.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, request.getRemoteAddr());
             return false;
         }
         // 校对用户信息是否匹配
-        boolean valid = Objects.equals(userId, user.getId()) || Objects.equals(phoneNo, user.getPhoneNo());
+        boolean valid = (Objects.nonNull(user.getId()) && Objects.equals(userId, user.getId().toString()));
+        valid = valid || (StringUtils.isNotBlank(phoneNo) && Objects.equals(phoneNo, user.getPhoneNo()));
+        if(!valid) {
+            LOGGER.info("非法请求 - 身份不匹配, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), request.getRemoteAddr());
+        }
+        return valid;
+    }
+
+    /**
+     * 校验免密访问
+     * 规则：来访IP与白名单匹配
+     * @return True or False
+     */
+    private boolean ipValid(HttpServletRequest request) {
+        Objects.requireNonNull(request, "无效请求");
+        String remoteAddr = request.getRemoteAddr();
+        Set<String> whiteAddr = Collections.emptySet();
+        // Todo 配置白名单
+        // 校对来访IP是否与白名单匹配
+        boolean valid = StringUtils.isNotBlank(remoteAddr) && whiteAddr.contains(remoteAddr);
         if(!valid) {
-            LOGGER.info("非法请求, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), request.getRemoteAddr());
+            LOGGER.info("非法请求 - 未授权访问, clientIp={}", request.getRemoteAddr());
         }
         return valid;
     }

src/main/java/cn/quantgroup/xyqb/controller/external/user/InnerController.java

 package cn.quantgroup.xyqb.controller.external.user;
 
 import cn.quantgroup.user.enums.Relation;
+import cn.quantgroup.xyqb.aspect.limit.PasswordFreeAccessValidator;
 import cn.quantgroup.xyqb.aspect.logcaller.LogHttpCaller;
 import cn.quantgroup.xyqb.controller.IBaseController;
 import cn.quantgroup.xyqb.entity.*;
@@ -519,6 +520,7 @@ public class InnerController implements IBaseController {
     return JsonResult.buildSuccessResult(null, UserExtInfoRet.getUserExtInfoRet(info));
   }
 
+  // Todo @PasswordFreeAccessValidator
   @RequestMapping("/user_detail/search_list")
   @LogHttpCaller
   public JsonResult searchUserDetailList(String name, String phoneNo, String idNo) {
@@ -572,6 +574,7 @@ public class InnerController implements IBaseController {
     return JsonResult.buildSuccessResult("success", wechatUserInfo.getOpenId());
   }
 
+  // Todo @PasswordFreeAccessValidator
   @RequestMapping("/user-association/search/phone")
   @LogHttpCaller
   public JsonResult findUserAssociationByPhone(String phoneNo) {
@@ -624,6 +627,7 @@ public class InnerController implements IBaseController {
 
     return JsonResult.buildSuccessResult("", bean);
   }
+
   @RequestMapping("/user-association/search/uid")
   @LogHttpCaller
   public JsonResult findUserAssociationByUid(Long uid) {

src/main/java/cn/quantgroup/xyqb/controller/external/user/center/UserCenterController.java

 package cn.quantgroup.xyqb.controller.external.user.center;
 
 import cn.quantgroup.xyqb.Constants;
+import cn.quantgroup.xyqb.aspect.limit.PasswordFreeAccessValidator;
 import cn.quantgroup.xyqb.entity.*;
 //import cn.quantgroup.xyqb.entity.enumerate.EducationEnum;
 //import cn.quantgroup.xyqb.entity.enumerate.IncomeRangeEnum;
@@ -55,6 +56,7 @@ public class UserCenterController {
      * @param phoneNo
      * @return
      */
+    @PasswordFreeAccessValidator
     @RequestMapping("/index")
     public JsonResult userCenterIndex(String phoneNo) {
         Long userId = queryUserId(phoneNo);
@@ -84,7 +86,7 @@ public class UserCenterController {
      */
     @RequestMapping("/save/avatar")
     public JsonResult SaveUserAvatarAddr(String phoneNo, String avatarUrl) {
-        if(StringUtils.isEmpty(avatarUrl) || StringUtils.isEmpty(phoneNo)) {
+        if(StringUtils.isBlank(avatarUrl) || StringUtils.isBlank(phoneNo)) {
             LOGGER.error("参数不合法:avatarUrl:{}, phoneNo:{}", avatarUrl, phoneNo);
             return JsonResult.buildErrorStateResult("参数不合法", null);
         }
@@ -190,9 +192,10 @@ public class UserCenterController {
      * @param phoneNo
      * @return
      */
+    @PasswordFreeAccessValidator
     @RequestMapping("/personalData")
     public JsonResult personalData(String phoneNo) {
-        if(StringUtils.isEmpty(phoneNo)) {
+        if(StringUtils.isBlank(phoneNo)) {
             LOGGER.error("手机号为空,phoneNo:{}", phoneNo);
             return JsonResult.buildErrorStateResult("参数不合法", null);
         }