micord/ervu-lkrp-fl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'develop' of 10.10.31.70:/ervu-lkrp-fl into develop

Browse source
This commit is contained in:
m.epshtein 2025-05-14 16:24:27 +03:00
commit a50c6ecab0
8 changed files with 59 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

3
backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java
View file

@ -2,4 +2,7 @@ package ru.micord.ervu.security;
public class SecurityConstants {
public static final String ESIA_LOGOUT = "/esia/logout";
public static final String AUTH_TOKEN = "auth_token";
public static final String AUTH_MARKER = "webbpm.ervu-lkrp-fl";
public static final String PRNS_UUID = "prns_uuid_fl";
}

16
backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
View file

@ -9,6 +9,7 @@ import java.util.concurrent.CopyOnWriteArrayList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.support.MessageSourceAccessor;
import ru.micord.ervu.security.esia.exception.EsiaException;
import ru.micord.ervu.security.esia.model.ExpiringState;
import ru.micord.ervu.security.esia.model.ExpiringToken;
@ -105,19 +106,24 @@ public class EsiaAuthInfoStore {
});
}
public static boolean containsState(String prnsUUID, String state) {
public static void validateState(String prnsUUID, String state) {
List<ExpiringState> states = PRNS_UUID_STATE_MAP.get(prnsUUID);
if (states == null) {
return false;
throw new EsiaException("State invalid. No state found");
}
long currentTime = System.currentTimeMillis();
states.removeIf(expiringState -> expiringState.getExpiryTime() < currentTime);
StringBuilder statesStringBuilder = new StringBuilder();
for (ExpiringState expiringState : states) {
if (expiringState.getState().equals(state)) {
return true;
if (expiringState.getExpiryTime() < currentTime) {
throw new EsiaException("State invalid. State : " + state + " expired at : " + expiringState.getExpiryTime());
}
return;
}
return false;
statesStringBuilder.append(expiringState.getState(), 0, 8).append(", ");
}
throw new EsiaException("State invalid. Backend states :" + statesStringBuilder + " cookie state :" + state);
}
public static void removeState(String prnsUUID) {

53
backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
View file

@ -34,8 +34,6 @@ import org.springframework.security.core.context.SecurityContext;
import ru.micord.ervu.audit.constants.AuditConstants;
import ru.micord.ervu.audit.service.AuditService;
import org.springframework.web.util.WebUtils;
import ru.micord.ervu.audit.constants.AuditConstants;
import ru.micord.ervu.audit.service.AuditService;
import ru.micord.ervu.kafka.model.Document;
import ru.micord.ervu.kafka.model.Person;
import ru.micord.ervu.kafka.model.Response;
@ -46,6 +44,7 @@ import ru.micord.ervu.security.esia.model.EsiaHeader;
import ru.micord.ervu.security.esia.model.EsiaTokenResponse;
import ru.micord.ervu.security.esia.model.FormUrlencoded;
import ru.micord.ervu.security.esia.model.PersonModel;
import ru.micord.ervu.security.esia.model.SignResponse;
import ru.micord.ervu.security.esia.EsiaAuthInfoStore;
import ru.micord.ervu.security.esia.config.EsiaConfig;
import org.springframework.beans.factory.annotation.Autowired;
@ -60,8 +59,7 @@ import ru.micord.ervu.security.webbpm.jwt.model.Token;
import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils;
import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.getCurrentUserEsiaId;
import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils;
import static ru.micord.ervu.security.SecurityConstants.PRNS_UUID;
/**
* @author Eduard Tihomirov
@ -71,7 +69,6 @@ public class EsiaAuthService {
private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
private static final MessageSourceAccessor MESSAGE_SOURCE = MessageBundleUtils.createAccessor(
"messages/common_errors_messages");
private static final String PRNS_UUID = "prns_uuid";
@Autowired
private ObjectMapper objectMapper;
@ -106,7 +103,6 @@ public class EsiaAuthService {
DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx");
ZonedDateTime dt = ZonedDateTime.now();
String timestamp = dt.format(formatter);
String state = UUID.randomUUID().toString();
String prnsUUID = UUID.randomUUID().toString();
Cookie oldPrnsCookie = WebUtils.getCookie(request, PRNS_UUID);
if (oldPrnsCookie != null) {
@ -121,12 +117,14 @@ public class EsiaAuthService {
parameters.put("client_id", clientId);
parameters.put("scope", scope);
parameters.put("timestamp", timestamp);
parameters.put("state", state);
parameters.put("state", "%s");
parameters.put("redirect_uri", esiaConfig.getRedirectUrl());
String clientSecret = signMap(parameters);
SignResponse signResponse = signMap(parameters);
String state = signResponse.getState();
String clientSecret = signResponse.getSignature();
EsiaAuthInfoStore.addState(prnsUUID, state, esiaConfig.getEsiaStateCookieLifeTime(), esiaConfig.getEsiaLoginAttemptsCount());
ResponseCookie prnsCookie = securityHelper.createCookie(PRNS_UUID, prnsUUID, "/")
ResponseCookie prnsCookie = securityHelper.createAccessCookie(PRNS_UUID, prnsUUID)
.maxAge(esiaConfig.getEsiaStateCookieLifeTime())
.build();
securityHelper.addResponseCookie(response, prnsCookie);
@ -183,16 +181,12 @@ public class EsiaAuthService {
String prnOid = null;
Long expiresIn = null;
long signSecret = 0, requestAccessToken = 0, verifySecret = 0;
String verifyStateResult = verifyStateFromCookie(request, state, response);
if (verifyStateResult != null) {
throw new EsiaException(verifyStateResult);
}
verifyStateFromCookie(request, state, response);
try {
String clientId = esiaConfig.getClientId();
DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx");
ZonedDateTime dt = ZonedDateTime.now();
String timestamp = dt.format(formatter);
String newState = UUID.randomUUID().toString();
String redirectUrl = esiaConfig.getRedirectUrl();
String scope = esiaConfig.getEsiaScopes();
@ -200,13 +194,14 @@ public class EsiaAuthService {
parameters.put("client_id", clientId);
parameters.put("scope", scope);
parameters.put("timestamp", timestamp);
parameters.put("state", newState);
parameters.put("state", "%s");
parameters.put("redirect_uri", redirectUrl);
parameters.put("code", esiaAuthCode);
long startTime = System.currentTimeMillis();
String clientSecret = signMap(parameters);
SignResponse signResponse = signMap(parameters);
signSecret = System.currentTimeMillis() - startTime;
String newState = signResponse.getState();
String clientSecret = signResponse.getSignature();
String authUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaTokenUrl();
String postBody = new FormUrlencoded()
.setParameter("client_id", clientId)
@ -296,18 +291,19 @@ public class EsiaAuthService {
DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx");
ZonedDateTime dt = ZonedDateTime.now();
String timestamp = dt.format(formatter);
String state = UUID.randomUUID().toString();
String redirectUrl = esiaConfig.getRedirectUrl();
Map<String, String> parameters = new LinkedHashMap<String, String>();
parameters.put("client_id", clientId);
parameters.put("scope", esiaConfig.getEsiaScopes());
parameters.put("timestamp", timestamp);
parameters.put("state", state);
parameters.put("state", "%s");
parameters.put("redirect_uri", esiaConfig.getRedirectUrl());
parameters.put("refresh_token", refreshToken);
String clientSecret = signMap(parameters);
SignResponse signResponse = signMap(parameters);
String state = signResponse.getState();
String clientSecret = signResponse.getSignature();
String authUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaTokenUrl();
String postBody = new FormUrlencoded()
.setParameter("client_id", clientId)
@ -360,7 +356,7 @@ public class EsiaAuthService {
}
}
private String signMap(Map<String, String> paramsToSign) {
private SignResponse signMap(Map<String, String> paramsToSign) {
try {
StringBuilder toSign = new StringBuilder();
for (String s : paramsToSign.values()) {
@ -379,7 +375,7 @@ public class EsiaAuthService {
.build()
.send(request, HttpResponse.BodyHandlers.ofString());
errorHandler(response);
return response.body();
return objectMapper.readValue(response.body(), SignResponse.class);
}
catch (Exception e) {
@ -521,17 +517,18 @@ public class EsiaAuthService {
}
}
private String verifyStateFromCookie(HttpServletRequest request, String state, HttpServletResponse response) {
private void verifyStateFromCookie(HttpServletRequest request, String state, HttpServletResponse response) {
Cookie cookie = WebUtils.getCookie(request, PRNS_UUID);
if (cookie == null) {
return "State invalid. Cookie not found";
throw new EsiaException("State invalid. Cookie not found");
}
String prnsUUID = cookie.getValue();
if (!EsiaAuthInfoStore.containsState(prnsUUID, state)) {
return "State invalid. State from ESIA not equals with state before";
try {
EsiaAuthInfoStore.validateState(prnsUUID, state);
}
finally {
EsiaAuthInfoStore.removeState(prnsUUID);
securityHelper.clearCookie(response, PRNS_UUID, "/");
return null;
securityHelper.clearAccessCookie(response, PRNS_UUID);
}
}
}

18
backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java
View file

@ -14,8 +14,9 @@ import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST;
import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_MARKER;
import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_TOKEN;
import static ru.micord.ervu.security.SecurityConstants.AUTH_MARKER;
import static ru.micord.ervu.security.SecurityConstants.AUTH_TOKEN;
import static ru.micord.ervu.security.SecurityConstants.PRNS_UUID;
public final class SecurityHelper {
@Value("${cookie.path:#{null}}")
@ -36,9 +37,7 @@ public final class SecurityHelper {
}
public void clearAccessCookies(HttpServletResponse response) {
ResponseCookie emptyAuthToken = createCookie(AUTH_TOKEN, null, accessCookiePath)
.maxAge(0).build();
addResponseCookie(response, emptyAuthToken);
clearCookie(response, AUTH_TOKEN, accessCookiePath);
ResponseCookie emptyAuthMarker = createCookie(AUTH_MARKER, null, "/")
.maxAge(0)
@ -46,6 +45,7 @@ public final class SecurityHelper {
.httpOnly(false)
.build();
addResponseCookie(response, emptyAuthMarker);
clearCookie(response, PRNS_UUID, accessCookiePath);
}
public void clearCookie(HttpServletResponse response, String name, String path) {
@ -92,4 +92,12 @@ public final class SecurityHelper {
.secure(accessCookieSecure)
.sameSite(accessCookieSameSite);
}
public ResponseCookie.ResponseCookieBuilder createAccessCookie(String name, String value) {
return createCookie(name, value, accessCookiePath);
}
public void clearAccessCookie(HttpServletResponse response, String name) {
clearCookie(response, name, accessCookiePath);
}
}

5
backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java
View file

@ -10,10 +10,9 @@ import org.springframework.web.util.WebUtils;
import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication;
import ru.micord.ervu.security.webbpm.jwt.UserIdsPair;
public final class SecurityUtil {
public static final String AUTH_TOKEN = "auth_token";
import static ru.micord.ervu.security.SecurityConstants.AUTH_TOKEN;
public static final String AUTH_MARKER = "webbpm.ervu-lkrp-fl";
public final class SecurityUtil {
private SecurityUtil() {
//empty

3
frontend/src/ts/modules/security/guard/auth.guard.ts
View file

@ -2,7 +2,7 @@ import {Injectable} from "@angular/core";
import {ActivatedRouteSnapshot, CanActivate, Router, RouterStateSnapshot} from "@angular/router";
import {Observable} from "rxjs";
import {HttpClient, HttpParams} from "@angular/common/http";
import {MessagesService} from "@webbpm/base-package";
import {MessagesService, ProgressIndicationService} from "@webbpm/base-package";
import {AuthenticationService} from "../authentication.service";
import {EsiaErrorDetail} from "../EsiaErrorDetail";
@ -13,6 +13,7 @@ export abstract class AuthGuard implements CanActivate {
protected router: Router,
private httpClient: HttpClient,
private authenticationService: AuthenticationService,
private progressIndicationService: ProgressIndicationService,
private messageService: MessagesService
) {
}

2
resources/src/main/resources/business-model/LK RP FL/mydata.page
View file

@ -1069,7 +1069,7 @@
<entry>
<key>url</key>
<value>
<simple>"https://www.gosuslugi.ru/"</simple>
<simple>"https://www.gosuslugi.ru/600284/1/form/\"</simple>
</value>
</entry>
</properties>

2
resources/src/main/resources/business-model/LK RP FL/screen-form-fl.page
View file

@ -4842,7 +4842,7 @@
<entry>
<key>initialValue</key>
<value>
<simple>"Если в выписке есть ошибки, подайте \u003ca href\u003d\"https://www.gosuslugi.ru/600595/1/form/\" target\u003d\"_blank\"\u003eзаявление на исправление на Госуслугах\u003c/a\u003e"</simple>
<simple>"Если в выписке есть ошибки, подайте \u003ca href\u003d\"https://www.gosuslugi.ru/600284/1/form/\" target\u003d\"_blank\"\u003eзаявление на исправление на Госуслугах\u003c/a\u003e"</simple>
</value>
</entry>
<entry>