From f3913fe7c8d1ab0aeceef2058538846796166576 Mon Sep 17 00:00:00 2001
From: b2baccline <23131013+b2baccline@users.noreply.github.com>
Date: Wed, 1 Sep 2021 11:55:21 +0800
Subject: [PATCH] =?UTF-8?q?:bug:=20=E4=BF=AE=E5=A4=8D=20client=5Fcredentia?=
 =?UTF-8?q?ls=20=E6=A8=A1=E5=BC=8F=E7=99=BB=E5=BD=95=E7=9A=84=E4=B8=80?=
 =?UTF-8?q?=E4=BA=9B=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../ballcat/auth/CustomTokenEnhancer.java     |  7 ++-
 .../auth/filter/LoginCaptchaFilter.java       |  8 ++-
 .../SharedStoredOpaqueTokenIntrospector.java  | 14 +++++
 .../security/userdetails/ClientPrincipal.java | 53 +++++++++++++++++++
 .../common/security/util/SecurityUtils.java   | 16 ++++++
 5 files changed, 92 insertions(+), 6 deletions(-)
 create mode 100644 ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/userdetails/ClientPrincipal.java

diff --git a/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/CustomTokenEnhancer.java b/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/CustomTokenEnhancer.java
index 23a78598..9cefc761 100644
--- a/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/CustomTokenEnhancer.java
+++ b/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/CustomTokenEnhancer.java
@@ -3,6 +3,7 @@ package com.hccake.ballcat.auth;
 import com.hccake.ballcat.common.security.constant.TokenAttributeNameConstants;
 import com.hccake.ballcat.common.security.userdetails.User;
 import com.hccake.ballcat.system.model.vo.SysUserInfo;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -26,8 +27,12 @@ public class CustomTokenEnhancer implements TokenEnhancer {
 	 */
 	@Override
 	public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
-		Object principal = authentication.getUserAuthentication().getPrincipal();
+		Authentication userAuthentication = authentication.getUserAuthentication();
+		if (userAuthentication == null) {
+			return accessToken;
+		}
+		Object principal = userAuthentication.getPrincipal();
 
 		if (principal instanceof User) {
 			User user = (User) principal;
 			// token 附属信息
diff --git a/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/filter/LoginCaptchaFilter.java b/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/filter/LoginCaptchaFilter.java
index 9b4d9189..54579cc2 100644
--- a/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/filter/LoginCaptchaFilter.java
+++ b/ballcat-auth/ballcat-auth-biz/src/main/java/com/hccake/ballcat/auth/filter/LoginCaptchaFilter.java
@@ -29,9 +29,7 @@ public class LoginCaptchaFilter extends OncePerRequestFilter {
 
 	private static final String CAPTCHA_VERIFICATION_PARAM = "captchaVerification";
 
-	private static final String GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
-
-	private static final String GRANT_TYPE_REFRESH_TOKEN = "refresh_token";
+	private static final String GRANT_TYPE_PASSWORD = "password";
 
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@@ -43,9 +41,9 @@ public class LoginCaptchaFilter extends OncePerRequestFilter {
 			return;
 		}
 
-		// 如果是授权码模式或者刷新token请求则,直接放行
+		// 只对 password 的 grant_type 进行拦截处理
 		String grantType = request.getParameter("grant_type");
-		if (GRANT_TYPE_AUTHORIZATION_CODE.equals(grantType) || GRANT_TYPE_REFRESH_TOKEN.equals(grantType)) {
+		if (!GRANT_TYPE_PASSWORD.equals(grantType)) {
 			filterChain.doFilter(request, response);
 			return;
 		}
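Review bot: The new early return in `enhance` gives no hint of when `getUserAuthentication()` can be null, so the next reader has to recover that from the commit subject. Add a why-comment above the check, e.g. `// client-only tokens (client_credentials grant) carry no user authentication, so there is nothing to enhance` — the commit subject suggests that is the case being fixed, though the hunk itself does not show it. Returning the token untouched is the right fallback here; raising would break client logins. The body of `enhance` continues past the end of the hunk.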
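Review bot: The inverted condition in `doFilterInternal` turns the captcha check from an opt-out into an opt-in: after this change only requests whose `grant_type` parameter is exactly `password` are verified, and every other value — including an absent parameter, which the old condition still challenged, or any custom credential-bearing grant type the authorization server may register later — skips the captcha silently. That is the intended fix for `client_credentials`, but it widens the bypass beyond that one grant, so the protected set should be explicit and reviewable: `private static final Set<String> CAPTCHA_GRANT_TYPES = Collections.singleton(GRANT_TYPE_PASSWORD);` and `if (!CAPTCHA_GRANT_TYPES.contains(grantType)) {` (imports for `java.util.Set`/`Collections` needed), with a comment stating that every password-style grant must be listed there. `doFilterInternal` starts before this hunk; the `return;` at its top belongs to an earlier check not shown.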
diff --git a/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/oauth2/server/resource/SharedStoredOpaqueTokenIntrospector.java b/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/oauth2/server/resource/SharedStoredOpaqueTokenIntrospector.java
index 7882afd7..dd58069f 100644
--- a/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/oauth2/server/resource/SharedStoredOpaqueTokenIntrospector.java
+++ b/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/oauth2/server/resource/SharedStoredOpaqueTokenIntrospector.java
@@ -1,16 +1,20 @@
 package com.hccake.ballcat.common.security.oauth2.server.resource;
 
+import com.hccake.ballcat.common.security.userdetails.ClientPrincipal;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
 import org.springframework.security.oauth2.provider.token.TokenStore;
 import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 
+import java.util.HashMap;
+
 /**
  * 共享存储的不透明令牌的处理器
  *
@@ -25,6 +29,8 @@ public class SharedStoredOpaqueTokenIntrospector implements OpaqueTokenIntrospec
 
 	private final TokenStore tokenStore;
 
+	private static final String CLIENT_CREDENTIALS = "client_credentials";
+
 	/**
 	 * @see DefaultTokenServices#loadAuthentication(java.lang.String)
 	 * @param accessTokenValue token
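Review bot: `CLIENT_CREDENTIALS` is another hard-coded grant-type literal in this commit (`LoginCaptchaFilter` keeps its own `GRANT_TYPE_PASSWORD`), and it is declared below the instance field `tokenStore`, the reverse of the usual constants-first member order. Consider moving the literal into the shared `SecurityConstants` class that `SecurityUtils` already imports, so the grant-type names used on the auth-server and resource-server sides cannot drift apart, and placing the constant above `tokenStore`. The class body continues outside the hunk.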
@@ -47,6 +53,14 @@ public class SharedStoredOpaqueTokenIntrospector implements OpaqueTokenIntrospec
 			throw new BadOpaqueTokenException("Invalid access token: " + accessTokenValue);
 		}
 
+		OAuth2Request oAuth2Request = result.getOAuth2Request();
+		if (oAuth2Request != null && CLIENT_CREDENTIALS.equals(oAuth2Request.getGrantType())) {
+			ClientPrincipal clientPrincipal = new ClientPrincipal(oAuth2Request.getClientId(), new HashMap<>(8),
+					oAuth2Request.getAuthorities());
+			clientPrincipal.setScope(oAuth2Request.getScope());
+			return clientPrincipal;
+		}
+
 		return (OAuth2User) result.getPrincipal();
 	}
 
diff --git a/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/userdetails/ClientPrincipal.java b/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/userdetails/ClientPrincipal.java
new file mode 100644
index 00000000..725bca4d
--- /dev/null
+++ b/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/userdetails/ClientPrincipal.java
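Review bot: The client branch is keyed on the literal `client_credentials`, but the property that actually matters is that the stored authentication has no user authentication, which `OAuth2Authentication` exposes directly as `isClientOnly()`. A client-only token issued under any other grant type falls through to the `(OAuth2User) result.getPrincipal()` cast below, and if I read the library right the principal of a client-only authentication is the client id string, so that path ends in a ClassCastException rather than a clean introspection result. Prefer `if (oAuth2Request != null && result.isClientOnly()) {`, which keeps the null guard for the lookups that follow and mirrors the `getUserAuthentication() == null` test `CustomTokenEnhancer` uses in this same commit. A one-line comment such as `// client-only tokens carry no user; expose the client itself as the principal` would document the branch. The enclosing method starts before this hunk.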
@@ -0,0 +1,53 @@
+package com.hccake.ballcat.common.security.userdetails;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+
+import java.util.*;
+
+/**
+ * OAuth2 Client 实体封装对象
+ *
+ * @author hccake
+ */
+public class ClientPrincipal implements OAuth2AuthenticatedPrincipal {
+
+	private final String clientId;
+
+	private final Map attributes;
+
+	private final Collection authorities;
+
+	private Set scope = new HashSet<>();
+
+	public Set getScope() {
+		return scope;
+	}
+
+	public void setScope(Collection scope) {
+		this.scope = Collections.unmodifiableSet(scope == null ? new LinkedHashSet<>() : new LinkedHashSet<>(scope));
+	}
+
+	@Override
+	public Map getAttributes() {
+		return attributes;
+	}
+
+	@Override
+	public Collection getAuthorities() {
+		return authorities;
+	}
+
+	@Override
+	public String getName() {
+		return clientId;
+	}
+
+	public ClientPrincipal(String clientId, Map attributes,
+			Collection authorities) {
+		this.clientId = clientId;
+		this.attributes = attributes;
+		this.authorities = authorities;
+	}
+
+}
diff --git a/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/util/SecurityUtils.java b/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/util/SecurityUtils.java
index 47fca168..e76f032a 100644
--- a/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/util/SecurityUtils.java
+++ b/ballcat-common/ballcat-common-security/src/main/java/com/hccake/ballcat/common/security/util/SecurityUtils.java
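Review bot: The constructor stores `attributes` and `authorities` exactly as the caller passed them and `getAttributes()`/`getAuthorities()` hand the same objects back, so anyone still holding the map or the authority collection can change what this principal is authorised to do after it has been built — the opposite of what `setScope` already does for `scope` with its unmodifiable copy. Apply the same snapshot-and-freeze in the constructor, and reject a null `clientId` there since `getName()` returns it unchecked (`java.util.*` already covers `Objects`, `ArrayList` and `HashMap`). The listing also shows `Map`, `Collection` and `Set` without type arguments; if that is not a rendering loss of `<...>`, declare them as `Map<String, Object>`, `Collection<? extends GrantedAuthority>` and `Set<String>` to match `OAuth2AuthenticatedPrincipal` and avoid raw-type warnings.
```java
	public ClientPrincipal(String clientId, Map attributes,
			Collection authorities) {
		this.clientId = Objects.requireNonNull(clientId, "clientId");
		// snapshot and freeze both inputs so the caller's collections cannot alter this principal later
		this.attributes = Collections.unmodifiableMap(attributes == null ? new HashMap<>() : new HashMap<>(attributes));
		this.authorities = Collections
				.unmodifiableList(authorities == null ? new ArrayList<>() : new ArrayList<>(authorities));
	}
	// … unchanged: fields, scope accessors, getAttributes/getAuthorities/getName …
```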
@@ -1,6 +1,7 @@
 package com.hccake.ballcat.common.security.util;
 
 import com.hccake.ballcat.common.security.constant.SecurityConstants;
+import com.hccake.ballcat.common.security.userdetails.ClientPrincipal;
 import com.hccake.ballcat.common.security.userdetails.User;
 import lombok.experimental.UtilityClass;
 import org.springframework.security.core.Authentication;
@@ -61,4 +62,19 @@ public class SecurityUtils {
 		return userDetails != null && SecurityConstants.TEST_CLIENT_ID.equals(userDetails.getUsername());
 	}
 
+	/**
+	 * 获取客户端信息
+	 */
+	public ClientPrincipal getClientPrincipal() {
+		Authentication authentication = getAuthentication();
+		if (authentication == null) {
+			return null;
+		}
+		Object principal = authentication.getPrincipal();
+		if (principal instanceof ClientPrincipal) {
+			return (ClientPrincipal) principal;
+		}
+		return null;
+	}
+
 }
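Review bot: `getClientPrincipal` returns null for two different reasons — no authentication in the context, or an authentication whose principal is a user rather than a client — and its Javadoc says neither, so callers are not told they must null-check before touching the result. Complete it with a return tag such as `* @return the {@link ClientPrincipal} of the current client authentication, or {@code null} when there is no authentication or the token belongs to a user`. If the rest of the class wraps lookups in `Optional` this would be the place to follow suit; the sibling above returns a boolean, so I cannot tell from the hunk. `getAuthentication()` is declared elsewhere in the class, outside this hunk.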