钉钉免密

626ceb22 · sq3536 · a6bae625 · 626ceb22 · 626ceb22 · 626ceb22
--- a/ibzuaa-core/pom.xml
+++ b/ibzuaa-core/pom.xml
@@ -103,6 +103,13 @@
            <artifactId>spring-ldap-core</artifactId>
        </dependency>

+        <dependency>
+            <groupId>com.aliyun</groupId>
+            <artifactId>alibaba-dingtalk-service-sdk</artifactId>
+            <version>1.0.1</version>
+        </dependency>
+
+
    </dependencies>

    <properties>

--- a/ibzuaa-core/src/main/java/cn/ibizlab/core/uaa/extensions/service/UserDingtalkRegisterService.java
+++ b/ibzuaa-core/src/main/java/cn/ibizlab/core/uaa/extensions/service/UserDingtalkRegisterService.java
 package cn.ibizlab.core.uaa.extensions.service;

+import cn.ibizlab.core.uaa.domain.SysOpenAccess;
 import cn.ibizlab.core.uaa.domain.SysUserAuth;
+import cn.ibizlab.core.uaa.service.ISysOpenAccessService;
 import cn.ibizlab.core.uaa.service.ISysUserAuthService;
 import cn.ibizlab.util.domain.IBZUSER;
 import cn.ibizlab.util.errors.BadRequestAlertException;
+import cn.ibizlab.util.errors.InternalServerErrorException;
+import cn.ibizlab.util.security.AuthenticationUser;
+import cn.ibizlab.util.service.AuthenticationUserService;
 import cn.ibizlab.util.service.IBZUSERService;
 import com.alibaba.fastjson.JSONObject;
 import com.alibaba.nacos.client.identify.Base64;
+import com.baomidou.mybatisplus.core.toolkit.Wrappers;
+import com.dingtalk.api.DefaultDingTalkClient;
+import com.dingtalk.api.DingTalkClient;
+import com.dingtalk.api.request.OapiGettokenRequest;
+import com.dingtalk.api.request.OapiSnsGetuserinfoBycodeRequest;
+import com.dingtalk.api.request.OapiUserGetuserinfoRequest;
+import com.dingtalk.api.response.OapiGettokenResponse;
+import com.dingtalk.api.response.OapiSnsGetuserinfoBycodeResponse;
+import com.dingtalk.api.response.OapiUserGetuserinfoResponse;
+import com.taobao.api.ApiException;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.http.HttpEntity;
 import org.apache.http.client.methods.CloseableHttpResponse;
@@ -25,6 +40,8 @@ import java.io.IOException;
 import java.net.URLEncoder;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.sql.Wrapper;
+import java.util.Date;

 /**
 * 实体[IBZUSER] 钉钉用户注册接口实现
@@ -35,6 +52,10 @@ public class UserDingtalkRegisterService {

    @Autowired
    private IBZUSERService ibzuserService;
+
+    @Autowired
+    private AuthenticationUserService authenticationUserService;
+
    @Autowired
    private ISysUserAuthService sysUserAuthService;

@@ -75,76 +96,120 @@ public class UserDingtalkRegisterService {
     */
    public JSONObject requestDingtalkUserByCode(String code, long currentTimeMillis, String appId, String appSecret) {
        JSONObject returnObj = null;
-        CloseableHttpClient client = null;
+        DefaultDingTalkClient  client = new DefaultDingTalkClient("https://oapi.dingtalk.com/sns/getuserinfo_bycode");
+        OapiSnsGetuserinfoBycodeRequest req = new OapiSnsGetuserinfoBycodeRequest();
+        req.setTmpAuthCode(code);
        try {
-            // 根据timestamp, appSecret计算签名值
-            String stringToSign = String.valueOf(currentTimeMillis);
-            Mac mac = Mac.getInstance("HmacSHA256");
-            mac.init(new SecretKeySpec(appSecret.getBytes("UTF-8"), "HmacSHA256"));
-            byte[] signatureBytes = mac.doFinal(stringToSign.getBytes("UTF-8"));
-            String signature = new String(Base64.encodeBase64(signatureBytes));
-            String urlEncodeSignature = URLEncoder.encode(signature, "UTF-8");
-
-            // 通过临时授权码Code获取用户信息，临时授权码只能使用一次
-            String url = "https://oapi.dingtalk.com/sns/getuserinfo_bycode?accessKey=" + appId
-                    + "&timestamp=" + currentTimeMillis
-                    + "&signature=" + urlEncodeSignature;
-
-            // 创建httpclient对象
-            client = HttpClients.createDefault();
-
-            // 创建post方式请求对象
-            HttpPost httpPost = new HttpPost(url);
-
-            // 装填参数
-            JSONObject param = new JSONObject();
-            param.put("tmp_auth_code", code);
-            StringEntity jsonBody = new StringEntity(param.toString(), "UTF-8");
-
-            // 设置参数到请求对象中
-            httpPost.setEntity(jsonBody);
-
-            // 设置header信息
-            httpPost.setHeader("Content-type", "application/json");
-            httpPost.setHeader("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)");
-
-            //　执行请求操作，并拿到结果（同步阻塞）
-            CloseableHttpResponse response = client.execute(httpPost);
-
-            //　获取结果实体
-            HttpEntity entity = response.getEntity();
-            JSONObject entityJson = null;
-            if (StringUtils.isEmpty(entity)) {
-                throw new BadRequestAlertException("钉钉服务端返回结果为空", "UserDingtalkRegisterService", "");
-            } else {
-                //按指定编码转换结果实体为String类型
-                entityJson = JSONObject.parseObject(EntityUtils.toString(entity, "UTF-8"));
-
-                // 是否获取钉钉用户信息成功
-                if (entityJson.getInteger("errcode")==0) {
-                    // 这里只有简单的信息:nick、openid、unionid
-                    returnObj = entityJson.getJSONObject("user_info");
-                } else {
-                    throw new BadRequestAlertException(entityJson.getString("errmsg"), "UserDingtalkRegisterService", "");
-                }
-            }
-
-        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-            throw new BadRequestAlertException("钉钉生成安全签名失败", "UserDingtalkRegisterService", "");
-        } catch (IOException e) {
-            throw new BadRequestAlertException("连接钉钉服务端失败", "UserDingtalkRegisterService", "");
-        }
-        finally {
-            if(client != null) {
+            OapiSnsGetuserinfoBycodeResponse response = client.execute(req,appId,appSecret);
+
+            if(response.getErrcode()!=0)
+            {
+                throw new BadRequestAlertException(response.getErrmsg(), "UserDingtalkRegisterService", "");
+            }
+            returnObj = (JSONObject)JSONObject.toJSON(response.getUserInfo());
+        } catch (ApiException e) {
+            e.printStackTrace();
+            throw new InternalServerErrorException("获取access_token失败");
+        }
+
+        return returnObj;
+    }
+
+    private long lastRefreshTime=System.currentTimeMillis()-7200001;
+    private String accessToken="";
+    public boolean isExpire()
+    {
+        if(System.currentTimeMillis()<(lastRefreshTime+7200000))
+        {
+            System.currentTimeMillis();
+            return false;
+        }
+        return true;
+    }
+
+
+    public synchronized String getAccessToken(String appKey,String appSecret)
+    {
+        if(isExpire()) {
+            DefaultDingTalkClient client = new DefaultDingTalkClient("https://oapi.dingtalk.com/gettoken");
+            OapiGettokenRequest request = new OapiGettokenRequest();
+            request.setAppkey("appKey");
+            request.setAppsecret("appSecret");
+            request.setHttpMethod("GET");
            try {
-                    client.close();
-                } catch (IOException e) {
+                OapiGettokenResponse response = client.execute(request);
+                if(response.getErrcode()!=0||StringUtils.isEmpty(response.getAccessToken()))
+                    throw new BadRequestAlertException("获取access_token失败","UserDingtalkRegisterService",response.getErrmsg());
+                lastRefreshTime = System.currentTimeMillis();
+                accessToken = response.getAccessToken();
+            } catch (ApiException e) {
+                e.printStackTrace();
+                throw new InternalServerErrorException("获取access_token失败");
            }
        }
+        return accessToken;
    }

-        return returnObj;
+    @Autowired
+    private ISysOpenAccessService sysOpenAccessService;
+
+    public SysOpenAccess getOpenAccess(String id)
+    {
+        final String accessid = StringUtils.isEmpty(id)?"dingtalk":id;
+        SysOpenAccess sysOpenAccess=sysOpenAccessService.getOne(Wrappers.<SysOpenAccess>lambdaQuery().eq(SysOpenAccess::getOpenType,"dingtalk").
+                and(wrapper -> wrapper.eq(SysOpenAccess::getAccessKey,accessid).or().eq(SysOpenAccess::getId,accessid)),false);
+        if(sysOpenAccess==null|| (sysOpenAccess.getDisabled()!=null && sysOpenAccess.getDisabled()==1))
+            throw new BadRequestAlertException("获取接入配置失败","UserDingtalkRegisterService","");
+
+        String accessToken = getAccessToken(sysOpenAccess.getAccessKey(),sysOpenAccess.getSecretKey());
+        if(!accessToken.equals(sysOpenAccess.getAccessToken()))
+        {
+            sysOpenAccess.setAccessToken(accessToken);
+            sysOpenAccessService.update(sysOpenAccess);
        }

+        return sysOpenAccess;
+    }
+
+
+
+    public AuthenticationUser getUserByToken(String id,String requestAuthCode)
+    {
+        final String accessid = StringUtils.isEmpty(id)?"dingtalk":id;
+        DingTalkClient client = new DefaultDingTalkClient("https://oapi.dingtalk.com/user/getuserinfo");
+        OapiUserGetuserinfoRequest request = new OapiUserGetuserinfoRequest();
+        request.setCode(requestAuthCode);
+        request.setHttpMethod("GET");
+        OapiUserGetuserinfoResponse response = null;
+        try {
+            response = client.execute(request, accessToken);
+            if(response.getErrcode()!=0||StringUtils.isEmpty(response.getUserid()))
+                throw new BadRequestAlertException("获取user失败","UserDingtalkRegisterService",response.getErrmsg());
+        } catch (ApiException e) {
+            e.printStackTrace();
+            throw new InternalServerErrorException("获取user失败");
+        }
+        String userId = response.getUserid();
+
+        //先按userid或者username查
+        IBZUSER user = ibzuserService.getOne(Wrappers.<IBZUSER>lambdaQuery().eq(IBZUSER::getUserid,userId).or().eq(IBZUSER::getUsername,userId),false);
+
+        if(user==null)
+        {
+            //查不到情况下到auth表查真实userId
+            SysUserAuth userAuth = sysUserAuthService.getOne(Wrappers.<SysUserAuth>lambdaQuery().eq(SysUserAuth::getIdentityType,"dingtalk").eq(SysUserAuth::getIdentifier, userId),false);
+            // 该钉钉用户注册过账号，登录系统
+            if (userAuth!=null) {
+                user = ibzuserService.getById(userAuth.getUserid());
+                if(user==null)
+                    throw new BadRequestAlertException("未找到"+userId+"对应系统用户","UserDingtalkRegisterService","");
+
+                AuthenticationUser curUser = authenticationUserService.loadUserByUsername(user.getLoginname()+(StringUtils.isEmpty(user.getDomains())?"":("|"+user.getDomains())));
+                return curUser;
+            }
+        }
+
+        return null;
+    }

 }
\ No newline at end of file
--- a/ibzuaa-provider/ibzuaa-provider-api/src/main/java/cn/ibizlab/api/rest/extensions/UserDingtalkRegisterResource.java
+++ b/ibzuaa-provider/ibzuaa-provider-api/src/main/java/cn/ibizlab/api/rest/extensions/UserDingtalkRegisterResource.java
@@ -9,6 +9,7 @@ import cn.ibizlab.util.domain.IBZUSER;
 import cn.ibizlab.util.errors.BadRequestAlertException;
 import cn.ibizlab.util.helper.CachedBeanCopier;
 import cn.ibizlab.util.security.AuthTokenUtil;
+import cn.ibizlab.util.security.AuthenticationInfo;
 import cn.ibizlab.util.security.AuthenticationUser;
 import cn.ibizlab.util.service.AuthenticationUserService;
 import cn.ibizlab.util.service.IBZUSERService;
@@ -18,10 +19,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;

 import java.util.UUID;

@@ -46,15 +44,16 @@ public class UserDingtalkRegisterResource {
    /**
     * 获取钉钉开放平台创建的网站应用appid
     */
-    @GetMapping(value = "/uaa/getDingtalkAppId")
-    public ResponseEntity<JSONObject> getDingtalkAppId() {
+    @GetMapping(value = {"/uaa/getDingtalkAppId","/uaa/open/dingtalk/access_token","/uaa/open/dingtalk/appid"})
+    public ResponseEntity<JSONObject> getDingtalkAppId(@RequestParam(value = "id",required = false) String id) {
        JSONObject obj = new JSONObject();
-        SysOpenAccess openAccess = openAccessService.getById("dingtalk");
+        SysOpenAccess openAccess = userDingtalkRegisterService.getOpenAccess(id);
        if (openAccess==null || (openAccess.getDisabled()!=null && openAccess.getDisabled()==1))
            return ResponseEntity.ok(obj);
-        String appId = openAccess.getAccessKey();// qq互联appid
+        String appId = openAccess.getAccessKey();
        if (!StringUtils.isEmpty(appId)) {
            obj.put("appid", appId);
+            obj.put("access_token",openAccess.getAccessToken());
        }

        return ResponseEntity.ok(obj);
@@ -68,15 +67,17 @@ public class UserDingtalkRegisterResource {
     * @return
     */
    @PostMapping(value = "/uaa/queryDingtalkUserByCode")
-    public ResponseEntity<JSONObject> queryDingtalkUserByCode(@RequestBody JSONObject param) {
+    public ResponseEntity<JSONObject> queryDingtalkUserByCode(@RequestParam(value = "id",required = false) String id,@RequestParam(value = "code",required = false) String tmpcode,@RequestBody JSONObject param) {
        JSONObject object = new JSONObject();
        // 空校验
        String code = param.getString("code");
+        if (StringUtils.isEmpty(code))
+            code = tmpcode;
        if (StringUtils.isEmpty(code))
            throw new BadRequestAlertException("code为空", "UserDingtalkRegisterResource", "");

        // 从数据库中获取钉钉授权应用信息
-        SysOpenAccess openAccess = openAccessService.getById("dingtalk");
+        SysOpenAccess openAccess = userDingtalkRegisterService.getOpenAccess(id);
        if (openAccess==null || (openAccess.getDisabled()!=null && openAccess.getDisabled()==1))
            throw new BadRequestAlertException("未找到配置", "UserDingtalkRegisterResource", "");
        String appId = openAccess.getAccessKey();// 个人应用开发过程中的唯一性标识AppId
@@ -95,7 +96,7 @@ public class UserDingtalkRegisterResource {
        }

        // 根据openid查用户授权信息
-        SysUserAuth userAuth = sysUserAuthService.getOne(Wrappers.<SysUserAuth>query().eq("identifier", openid));
+        SysUserAuth userAuth = sysUserAuthService.getOne(Wrappers.<SysUserAuth>lambdaQuery().eq(SysUserAuth::getIdentityType,"dingtalk").eq(SysUserAuth::getIdentifier, openid));
        // 该钉钉用户注册过账号，登录系统
        if (!StringUtils.isEmpty(userAuth)) {
            IBZUSER ibzuser = ibzuserService.getById(userAuth.getUserid());
@@ -182,4 +183,21 @@ public class UserDingtalkRegisterResource {
    }


+    @GetMapping(value = {"/uaa/open/dingtalk/auth/{code}"})
+    public ResponseEntity<AuthenticationInfo> getUserByToken(@PathVariable(value = "code") String code, @RequestParam(value = "id",required = false) String id) {
+
+        AuthenticationUser user=userDingtalkRegisterService.getUserByToken(id,code);
+
+        final String token = jwtTokenUtil.generateToken(user);
+
+        AuthenticationUser user2=new AuthenticationUser();
+        CachedBeanCopier.copy(user,user2);
+        user2.setAuthorities(null);
+        user2.setPermissionList(null);
+        // 返回 token
+        return ResponseEntity.ok().body(new AuthenticationInfo(token,user2));
+
+    }
+
+
 }