Merge branch 'feature/SUPPORT-8682_fix_exit' into develop

2024-11-26 10:59:52 +03:00 · 2024-11-26 10:59:52 +03:00 · 59a5e71560
commit 59a5e71560
parent 17c7872350 172229fbec
4 changed files with 83 additions and 44 deletions
--- a/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java
@ -39,8 +39,8 @@ public class EsiaController {
  }

  @GetMapping(value = "/esia/auth", params = "code")
-  public ResponseEntity<?> esiaAuth(@RequestParam("code") String code, HttpServletRequest request, HttpServletResponse response) {
-    return esiaAuthService.getEsiaTokensByCode(code, request, response);
+  public ResponseEntity<?> esiaAuth(@RequestParam("code") String code, @RequestParam("error") String error, HttpServletRequest request, HttpServletResponse response) {
+    return esiaAuthService.getEsiaTokensByCode(code, error, request, response);
  }

  @RequestMapping(value = "/esia/refresh")
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@ -1,6 +1,7 @@
 package ru.micord.ervu.security.esia.service;

 import java.io.UnsupportedEncodingException;
+import java.lang.invoke.MethodHandles;
 import java.net.URI;
 import java.net.URL;
 import java.net.URLEncoder;
@ -13,12 +14,15 @@ import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Objects;
 import java.util.UUID;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
@ -45,11 +49,15 @@ import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
 import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
 import ru.micord.ervu.security.webbpm.jwt.model.Token;

+import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.getCurrentUsername;
+
 /**
 * @author Eduard Tihomirov
 */
@Service
 public class EsiaAuthService {
+  private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  private static final Long EXPIRES_IN = 3600L;

  @Autowired
  private ObjectMapper objectMapper;
@ -147,8 +155,16 @@ public class EsiaAuthService {
    return uriBuilder.toString();
  }

-  public ResponseEntity<?> getEsiaTokensByCode(String esiaAuthCode, HttpServletRequest request, HttpServletResponse response) {
+public ResponseEntity<?> getEsiaTokensByCode(String esiaAuthCode, String error,
+      HttpServletRequest request, HttpServletResponse response) {
    try {
+      if (error != null) {
+        createTokenAndAddCookie(response, null, null, EXPIRES_IN);
+        return new ResponseEntity<>(
+            "Произошла неизвестная ошибка. Обратитесь к системному администратору",
+            HttpStatus.FORBIDDEN
+        );
+      }
      String clientId = esiaConfig.getClientId();
      DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx");
      ZonedDateTime dt = ZonedDateTime.now();
@ -208,23 +224,24 @@ public class EsiaAuthService {
      TokensStore.addAccessToken(prnOid, accessToken, expiresIn);
      TokensStore.addRefreshToken(prnOid, refreshToken, expiresIn);
      Response ervuIdResponse = getErvuIdResponse(accessToken);
-      Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId());
-      int expiry = tokenResponse.getExpires_in().intValue();
-      Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiry);
-      response.addCookie(accessCookie);
-      UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
-          new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
-      SecurityContext context = SecurityContextHolder.createEmptyContext();
-      JwtAuthentication authentication = new JwtAuthentication(usernamePasswordAuthenticationToken,
-          esiaAccessToken.getSbj_id(), token.getValue());
-      context.setAuthentication(authentication);
-      SecurityContextHolder.setContext(context);
-      Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiry);
-      response.addCookie(authMarkerCookie);
+      createTokenAndAddCookie(response, esiaAccessToken.getSbj_id(), ervuIdResponse.getErvuId(), expiresIn);
+      if (ervuIdResponse.getErrorData() != null) {
+        return new ResponseEntity<>(
+            "Доступ запрещен. " + ervuIdResponse.getErrorData().getName(),
+            HttpStatus.FORBIDDEN
+        );
+      }
      return ResponseEntity.ok("Authentication successful");
    }
    catch (Exception e) {
-      throw new RuntimeException(e);
+      createTokenAndAddCookie(response, null, null, EXPIRES_IN);
+      String messageId = getMessageId(e);
+      String messageWithId = String.format("[%s] %s", messageId, e.getMessage());
+      LOGGER.error(messageWithId, e);
+      return new ResponseEntity<>(
+          "Произошла ошибка " + messageId + ". Обратитесь к системному администратору",
+          HttpStatus.FORBIDDEN
+      );
    }
  }

@ -282,19 +299,7 @@ public class EsiaAuthService {
      TokensStore.addAccessToken(prnOid, accessToken, expiresIn);
      TokensStore.addRefreshToken(prnOid, newRefreshToken, expiresIn);
      Response ervuIdResponse = getErvuIdResponse(accessToken);
-      Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId());
-      int expiry = tokenResponse.getExpires_in().intValue();
-      Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiry);
-      response.addCookie(accessCookie);
-      UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
-          new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
-      SecurityContext context = SecurityContextHolder.createEmptyContext();
-      JwtAuthentication authentication = new JwtAuthentication(usernamePasswordAuthenticationToken,
-          esiaAccessToken.getSbj_id(), token.getValue());
-      context.setAuthentication(authentication);
-      SecurityContextHolder.setContext(context);
-      Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiry);
-      response.addCookie(authMarkerCookie);
+      createTokenAndAddCookie(response, esiaAccessToken.getSbj_id(), ervuIdResponse.getErvuId(), expiresIn);
    }
    catch (Exception e) {
      throw new RuntimeException(e);
@ -380,4 +385,27 @@ public class EsiaAuthService {
    person.setDocument(document);
    return person;
  }
+
+  private String getMessageId(Exception exception) {
+    return Integer.toUnsignedString(Objects
+        .hashCode(getCurrentUsername()), 36)
+           + "-"
+           + Integer.toUnsignedString(exception.hashCode(), 36);
+  }
+
+  private void createTokenAndAddCookie(HttpServletResponse response, String userId, String ervuId,
+      Long expiresIn) {
+    Token token = jwtTokenService.createAccessToken(userId, expiresIn, ervuId);
+    Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiresIn.intValue());
+    response.addCookie(accessCookie);
+    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
+        new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
+    SecurityContext context = SecurityContextHolder.createEmptyContext();
+    JwtAuthentication authentication = new JwtAuthentication(usernamePasswordAuthenticationToken,
+        userId, token.getValue());
+    context.setAuthentication(authentication);
+    SecurityContextHolder.setContext(context);
+    Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiresIn.intValue());
+    response.addCookie(authMarkerCookie);
+  }
 }
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java
@ -6,6 +6,7 @@ import java.util.Optional;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;

+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.RequestContextHolder;
@ -55,4 +56,12 @@ public final class SecurityUtil {
        })
        .orElse(null);
  }
+
+  public static String getCurrentUsername() {
+    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+    if (auth != null && auth.isAuthenticated()) {
+      return auth.getName();
+    }
+    return null;
+  }
 }
--- a/frontend/src/ts/modules/security/guard/auth.guard.ts
+++ b/frontend/src/ts/modules/security/guard/auth.guard.ts
@ -30,18 +30,8 @@ export abstract class AuthGuard implements CanActivate {
      if (isAccess) {
        return true;
      }
-      else if (error) {
-        let userErrorMessage = 'Произошла неизвестная ошибка. Обратитесь к системному администратору';
-        let errorCode = this.extractCode(errorDescription);
-        if (errorCode) {
-          userErrorMessage = EsiaErrorDetail.getDescription(errorCode);
-        }
-        let errorMessage = error + ', error description = ' + errorDescription;
-        this.messageService.error(userErrorMessage)
-        throw new Error(errorMessage);
-      }
-      else if (code) {
-        const params = new HttpParams().set('code', code);
+      if (code || error) {
+        const params = new HttpParams().set('code', code).set('error', error);
        this.httpClient.get("esia/auth",
                            {
                              params: params, responseType: 'text', observe: 'response', headers: {
@ -57,8 +47,20 @@ export abstract class AuthGuard implements CanActivate {
              let errorMessage = reason.error.messages != null
                                 ? reason.error.messages
                                 : reason.error.replaceAll('\\', '');
+              if (error) {
+                errorMessage = 'Произошла неизвестная ошибка. Обратитесь к системному администратору';
+                let errorCode = this.extractCode(errorDescription);
+                if (errorCode) {
+                  errorMessage = EsiaErrorDetail.getDescription(errorCode);
+                }
+                let consoleError = error + ', error description = ' + errorDescription;
+                this.messageService.error(errorMessage);
+                console.error(consoleError);
+              }
+              else {
                this.messageService.error(errorMessage);
                console.error(reason);
+              }
            });
        return false;
      }