From 6bcbe72b43d6fa041d06878d1dae09a6d8903895 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期五, 11 八月 2023 16:19:02 +0800
Subject: [PATCH] [ADD] 為了解決滲透測試JWT token 登出未失效問題, 在登出後會需要建立黑名單並在filter中確定token是否非黑名單

---
 pamapi/src/main/java/com/pollex/pam/web/rest/TestLoginResource.java |  108 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 69 insertions(+), 39 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/web/rest/TestLoginResource.java b/pamapi/src/main/java/com/pollex/pam/web/rest/TestLoginResource.java
index ae4d394..8c12c37 100644
--- a/pamapi/src/main/java/com/pollex/pam/web/rest/TestLoginResource.java
+++ b/pamapi/src/main/java/com/pollex/pam/web/rest/TestLoginResource.java
@@ -1,28 +1,36 @@
 package com.pollex.pam.web.rest;
 
 import com.pollex.pam.config.ApplicationProperties;
-import com.pollex.pam.security.jwt.JWTFilter;
 import com.pollex.pam.security.jwt.TokenProvider;
-import com.pollex.pam.security.token.EServiceAuthenticationToken;
-import com.pollex.pam.security.token.OtpAuthenticationToken;
-import com.pollex.pam.service.LoginService;
 import com.pollex.pam.service.OtpWebService;
-import com.pollex.pam.service.dto.OtpResponseDTO;
-import com.pollex.pam.web.rest.vm.OtpAccount;
+import com.pollex.pam.business.service.dto.EServiceResponse;
+import com.pollex.pam.business.service.dto.OtpResponseDTO;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContexts;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
+import org.springframework.http.*;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.*;
-import tw.com.softleader.otp.ws.OtpWebServicePortBindingStub;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.web.util.UriComponentsBuilder;
 
-import javax.xml.rpc.ServiceException;
-import java.rmi.RemoteException;
+import javax.net.ssl.SSLContext;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.UUID;
 
 
 // todo嚗����login�靘蹂蝙��get��撘�嚗��歇��OtpResource��ServiceResource嚗蜓閬�����
@@ -32,9 +40,6 @@
 public class TestLoginResource {
 
     private final static Logger log = LoggerFactory.getLogger(TestLoginResource.class);
-
-    @Autowired
-    LoginService loginService;
 
     @Autowired
     ApplicationProperties applicationProperty;
@@ -49,41 +54,66 @@
     TokenProvider tokenProvider;
 
     @GetMapping("/bySMS")
-    public ResponseEntity<OtpResponseDTO> sendOtpBySMS(@RequestParam("phone") String phone) throws ServiceException, RemoteException {
+    public ResponseEntity<OtpResponseDTO> sendOtpBySMS(@RequestParam("phone") String phone) {
         final OtpResponseDTO otpResponseDTO = otpWebService.sendByPhone(phone);
         return new ResponseEntity<>(otpResponseDTO, HttpStatus.OK);
     }
 
     @GetMapping("/byEmail")
-    public ResponseEntity<OtpResponseDTO> sendOtpByEmail(@RequestParam("email") String email) throws RemoteException, ServiceException {
+    public ResponseEntity<OtpResponseDTO> sendOtpByEmail(@RequestParam("email") String email) {
         final OtpResponseDTO otpResponseDTO = otpWebService.sendByEmail(email);
         return new ResponseEntity<>(otpResponseDTO, HttpStatus.OK);
     }
 
     @GetMapping("/verifyOtp")
-    public ResponseEntity<OtpResponseDTO> verifyOtp(@RequestParam("account") String account, @RequestParam("indexKey") String indexKey, @RequestParam("otpCode") String otpCode) throws ServiceException, RemoteException {
-        OtpWebServicePortBindingStub stub = otpWebService.getOtpWebServicePortBindingStub();
-        log.info("call OtpService verifyOTP, systemType = {}, service password = {}, indexKey = {}, paxxword = {}",
-            applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), indexKey, otpCode);
-
-        String[] result =
-            stub.verifyOtp(applicationProperty.getOtpWebServicePassword(), applicationProperty.getOtpWebServiceSystemType(), indexKey, otpCode);
-
-        return new ResponseEntity<>(new OtpResponseDTO(result), HttpStatus.OK);
+    public ResponseEntity<OtpResponseDTO> verifyOtp(@RequestParam("account") String account, @RequestParam("indexKey") String indexKey, @RequestParam("otpCode") String otpCode) {
+        final OtpResponseDTO otpResponseDTO = otpWebService.verifyOTP(indexKey, otpCode);
+        return new ResponseEntity<>(otpResponseDTO, HttpStatus.OK);
     }
 
     @GetMapping("/byEService")
-    public ResponseEntity<UserJWTController.JWTToken> loginByEService(@RequestParam("account") String account, @RequestParam("password") String password) throws Exception {
-        EServiceAuthenticationToken authenticationToken = new EServiceAuthenticationToken(
-            account,
-            password
-        );
+    public ResponseEntity<EServiceResponse> loginByEService(@RequestParam("account") String account, @RequestParam("password") String password) throws Exception {
+        RestTemplate restTemplate = getTrustAllRestTemplate();
+        settingMessageConvertesToSpecifyType(restTemplate, MediaType.ALL);
 
-        Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
-        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
-        String jwt = tokenProvider.createToken(authentication, false);
-        HttpHeaders httpHeaders = new HttpHeaders();
-        httpHeaders.add(JWTFilter.AUTHORIZATION_HEADER, "Bearer" + jwt);
-        return new ResponseEntity<>(new UserJWTController.JWTToken(jwt), httpHeaders, HttpStatus.OK);
+        String urlTemplate = UriComponentsBuilder.fromHttpUrl(applicationProperty.geteServiceLoginUrl())
+            .queryParam("func", applicationProperty.geteServiceLoginFunc())
+            .queryParam("id", account)
+            .queryParam("pin", password)
+            .queryParam("pwd", password)
+            .queryParam("sys", applicationProperty.geteServiceLoginSys())
+            .queryParam("transactionId", UUID.randomUUID().toString())
+            .encode().toUriString();
+
+        log.debug("http get loginByEService, url = {}", urlTemplate);
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON);
+
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        return restTemplate.exchange(urlTemplate, HttpMethod.GET, entity, EServiceResponse.class);
+    }
+
+    private void settingMessageConvertesToSpecifyType(RestTemplate restTemplate, MediaType mediaType) {
+        List<HttpMessageConverter<?>> messageConverters = new ArrayList<>();
+        MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();
+        converter.setSupportedMediaTypes(Collections.singletonList(mediaType));
+        messageConverters.add(converter);
+        restTemplate.setMessageConverters(messageConverters);
+    }
+
+    private RestTemplate getTrustAllRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
+        SSLContext sslContext = SSLContexts.custom()
+            .loadTrustMaterial(null, (X509Certificate[] x509Certs, String s) -> true)
+            .build();
+        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
+        CloseableHttpClient httpClient = HttpClients.custom()
+            .setSSLSocketFactory(csf)
+            .build();
+        HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
+        requestFactory.setHttpClient(httpClient);
+        requestFactory.setConnectTimeout(300000);
+        requestFactory.setReadTimeout(300000);
+        return new RestTemplate(requestFactory);
     }
 }

--
Gitblit v1.8.0