keyring内置证书导入功能

2019-06-14 10:20:13 +08:00
parent 1031b0a118
commit b280c23021
6 changed files with 446 additions and 5 deletions
--- a/src/main/java/com/nis/web/controller/configuration/proxy/PxyObjKeyringController.java
+++ b/src/main/java/com/nis/web/controller/configuration/proxy/PxyObjKeyringController.java
@@ -13,6 +13,7 @@ import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -34,6 +35,7 @@ import org.springframework.ui.Model;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
@@ -370,6 +372,19 @@ public class PxyObjKeyringController extends BaseController {
 		// 查询时left join policyGroup
 		Page<PxyObjKeyring> page = pxyObjKeyringService.findPage(new Page<PxyObjKeyring>(request, response, "r"),
 				entity);
+		
+		//查询是否存在内置配置
+		PxyObjKeyring searchEntity=new PxyObjKeyring();
+		searchEntity.setCompileId(0);
+		Page<PxyObjKeyring> searchPage=new Page<PxyObjKeyring>();
+		Page<PxyObjKeyring> builtInPage = pxyObjKeyringService.findPage(searchPage,
+				searchEntity);
+		if(builtInPage != null && !StringUtil.isEmpty(builtInPage.getList())) {
+			model.addAttribute("hasBuiltIn", true);
+		}else {
+			model.addAttribute("hasBuiltIn", false);
+		}
+
 		model.addAttribute("page", page);
 		initPageCondition(model, entity);
 		return "/cfg/intercept/strateagy/list";
@@ -608,8 +623,9 @@ public class PxyObjKeyringController extends BaseController {
 		searchBuiltIn.setBuiltIn(1);
 		searchBuiltIn.setIsValid(1);
 		searchBuiltIn.setIsAudit(1);
+		Page<PxyObjTrustedCaCert> searchPage =new Page<PxyObjTrustedCaCert>();
 		Page<PxyObjTrustedCaCert> builtInReslt = pxyObjKeyringService
-				.findTrustedCertPage(new Page<PxyObjTrustedCaCert>(request, response, "r"), searchBuiltIn);
+				.findTrustedCertPage(searchPage, searchBuiltIn);
 		if(builtInReslt != null && !StringUtil.isEmpty(builtInReslt.getList())) {
 			model.addAttribute("hasBuiltIn", true);
 		}else {
@@ -858,6 +874,17 @@ public class PxyObjKeyringController extends BaseController {
 		
 		return "redirect:" + adminPath + "/proxy/intercept/strateagy/trustedCertList?functionId=" + cfg.getFunctionId();
 	}
+	
+	/**
+	 * 内置可信证书导入
+	 * @param model
+	 * @param request
+	 * @param response
+	 * @param cfg
+	 * @param crlFileI
+	 * @param redirectAttributes
+	 * @return
+	 */
 	@RequestMapping(value = { "/addBuiltInCert" })
 	public String trustedCertBuiltIn(Model model, HttpServletRequest request, HttpServletResponse response,
 			@ModelAttribute("cfg") PxyObjTrustedCaCert cfg, MultipartFile crlFileI,
@@ -1039,6 +1066,220 @@ public class PxyObjKeyringController extends BaseController {
 		
 		return "redirect:" + adminPath + "/proxy/intercept/strateagy/trustedCertList?functionId=" + cfg.getFunctionId();
 	}
+	
+	/**
+	 * 内置Keyring 导入功能
+	 * @param model
+	 * @param request
+	 * @param response
+	 * @param cfg
+	 * @param certFileI
+	 * @param redirectAttributes
+	 * @return
+	 */
+	@RequestMapping(value = { "/addKeyRingBuiltInCert" })
+	public String addKeyRingBuiltInCert(Model model, HttpServletRequest request, HttpServletResponse response,
+			@ModelAttribute("cfg") PxyObjKeyring cfg, @RequestParam("certFileI")MultipartFile[] certFileI,
+			RedirectAttributes redirectAttributes) {
+		
+		logger.info("keyring内置证书开始校验");
+		boolean validFlag = true;
+		//每个证书文件的内容
+		Map<String, Map> fileCertMap=new HashMap<>();
+		try {
+			if(certFileI != null && certFileI.length > 0) {
+				for (MultipartFile multipartFile : certFileI) {
+					//校验证书格式
+					boolean certFileflag = validCertFileContent(multipartFile,null, "-incert");
+					logger.info("证书列表校验结果"+certFileflag);
+					if (!certFileflag) {
+						addMessage(redirectAttributes, "error", "save_failed");
+						logger.error(multipartFile.getOriginalFilename() + " file non crl file format ");
+						throw new MultiPartNewException(this.getMsgProp().getProperty("cert_file_error"));
+					}else {
+						if(!certInfoMap.isEmpty()) {
+							String issuer = StringUtil.isEmpty(certInfoMap.get("ca issuer")) ? ""
+									: certInfoMap.get("ca issuer").toString();// 颁发者
+							String fingerprint = StringUtil.isEmpty(certInfoMap.get("ca fingerprint")) ? ""
+									: certInfoMap.get("ca fingerprint").toString();// 指纹
+							if(!StringUtil.isEmpty(issuer) && !StringUtil.isEmpty(fingerprint)) {
+								if(Constants.KEYRING_BUILT_IN_ISSER.contains("||"+issuer+"||") 
+										&& Constants.KEYRING_BUILT_IN_FINGERPRINT.contains("||"+fingerprint+"||")) {
+									fileCertMap.put(multipartFile.getOriginalFilename(), certInfoMap);
+								}else {
+									validFlag=false;
+									break;
+								}
+							}else {
+								validFlag=false;
+								break;
+							}
+						}else {
+							validFlag=false;
+							break;
+						}
+					}
+				}
+			}else {
+				addMessage(redirectAttributes, "error", "save_failed");
+				logger.error(" keyring is null ");
+				throw new Exception();
+			}
+		} catch (Exception e) {
+			validFlag = false;
+			logger.error("证书文件校验失败", e);
+			if (e instanceof MaatConvertException) {
+				addMessage(redirectAttributes, "error", "request_service_failed");
+				LogUtils.saveLog(request, null, e, null);
+			} else if (e instanceof MultiPartNewException) {
+				addMessage(redirectAttributes, "error", e.getMessage());
+				LogUtils.saveLog(request, null, e, null);
+			} else {
+				addMessage(redirectAttributes, "error", "save_failed");
+				LogUtils.saveLog(request, null, e, null);
+			}
+		}
+		List<PxyObjKeyring> keyringList=new ArrayList<PxyObjKeyring>();
+		//是keyring内置证书，且验证通过，进行证书文件上传
+		try {
+			if(validFlag) {
+				File file=null;
+				for (MultipartFile certFile :certFileI) {
+					PxyObjKeyring keyring=new PxyObjKeyring();
+					BeanUtils.copyProperties(cfg, keyring);
+					/**************************证书信息获取*************************************/
+					String issuer = StringUtil.isEmpty(fileCertMap.get(certFile.getOriginalFilename()).get("ca issuer")) ? ""
+							: fileCertMap.get(certFile.getOriginalFilename()).get("ca issuer").toString();// 颁发者
+					String subject = StringUtil.isEmpty(fileCertMap.get(certFile.getOriginalFilename()).get("ca subjectname")) ? ""
+							: fileCertMap.get(certFile.getOriginalFilename()).get("ca subjectname").toString();// 颁发给
+					String notBeforeStr = "";
+					if (!StringUtil.isEmpty(fileCertMap.get(certFile.getOriginalFilename()).get("ca notbefore"))) {
+						Date notBeforeTime = new Date(fileCertMap.get(certFile.getOriginalFilename()).get("ca notbefore").toString());// 开始时间
+						notBeforeStr = sdf.format(notBeforeTime);
+					}
+					String notAfterStr = "";
+					if (!StringUtil.isEmpty(fileCertMap.get(certFile.getOriginalFilename()).get("ca notafter"))) {
+						Date notAfterTime = new Date(fileCertMap.get(certFile.getOriginalFilename()).get("ca notafter").toString());// 结束时间
+						notAfterStr = sdf.format(notAfterTime);
+					}
+					String cn = "";// CN
+					// CN精确信息获取
+					if (!StringUtil.isEmpty(subject)) {
+						for (String cnStr : subject.split(",")) {
+							cnStr = StringUtil.isEmpty(cnStr) ? "" : cnStr.trim();
+							if (cnStr.split("=").length > 1) {
+								cn = cnStr.split("=")[1];
+								cn = StringUtil.isEmpty(cn) ? "" : cn.trim();
+							}
+						}
+					}
+					String altName = StringUtil.isEmpty(fileCertMap.get(certFile.getOriginalFilename()).get("ca altname")) ? ""
+							: fileCertMap.get(certFile.getOriginalFilename()).get("ca altname").toString();// SAN
+
+					keyring.setIssuer(issuer);
+					keyring.setSubject(subject);
+					keyring.setCn(cn);
+					keyring.setAltName(altName);
+					keyring.setNotBeforeTime(notBeforeStr);
+					keyring.setNotAfterTime(notAfterStr);
+					keyring.setKeyringType("root");
+					keyring.setExpireAfter(30);
+					keyring.setCrl("");
+					keyring.setPublicKeyAlgo("");
+					/**************************公私钥文件上传*************************************/		
+					if (certFile != null) {
+						String filename = certFile.getOriginalFilename();
+						String prefix = FileUtils.getPrefix(filename, false);
+						keyring.setKeyringName(prefix);
+						keyring.setCfgDesc(prefix);
+						String suffix = FileUtils.getSuffix(filename, false);
+						file = File.createTempFile("file_" + prefix, FileUtils.getSuffix(filename, true));
+						certFile.transferTo(file);// 复制文件
+						String md5 = FileUtils.getFileMD5(file);
+						Map<String, Object> srcMap = Maps.newHashMap();
+						srcMap.put("filetype", suffix);
+						srcMap.put("datatype", "dbSystem");// 源文件存入数据中心
+						srcMap.put("createTime", new Date());
+						srcMap.put("key", prefix);
+						srcMap.put("fileName", filename);
+						srcMap.put("checksum", md5);
+						ToMaatResult result = ConfigServiceUtil.postFileCfg(null, file, JsonMapper.toJsonString(srcMap));
+						logger.info("proxy 证书文件策略公钥 文件上传响应信息：" + JsonMapper.toJsonString(result));
+						String publicKeyFileAccessUrl = null;
+						if (!StringUtil.isEmpty(result)) {
+							ResponseData data = result.getData();
+							publicKeyFileAccessUrl = data.getAccessUrl();
+							keyring.setPublicKeyFile(publicKeyFileAccessUrl);
+						}
+					}
+					if (certFile != null) {
+						String filename = certFile.getOriginalFilename();
+						String prefix = FileUtils.getPrefix(filename, false);
+						String suffix = FileUtils.getSuffix(filename, false);
+						file = File.createTempFile("file_" + prefix, FileUtils.getSuffix(filename, true));
+						certFile.transferTo(file);// 复制文件
+						String md5 = FileUtils.getFileMD5(file);
+						Map<String, Object> srcMap = Maps.newHashMap();
+						srcMap.put("filetype", suffix);
+						srcMap.put("datatype", "dbSystem");// 源文件存入数据中心
+						srcMap.put("createTime", new Date());
+						srcMap.put("key", prefix);
+						srcMap.put("fileName", filename);
+						srcMap.put("checksum", md5);
+						ToMaatResult result = ConfigServiceUtil.postFileCfg(null, file, JsonMapper.toJsonString(srcMap));
+						logger.info("proxy 证书文件策略私钥 上传响应信息：" + JsonMapper.toJsonString(result));
+						String privateKeyFileAccessUrl = null;
+						if (!StringUtil.isEmpty(result)) {
+							ResponseData data = result.getData();
+							privateKeyFileAccessUrl = data.getAccessUrl();
+							keyring.setPrivateKeyFile(privateKeyFileAccessUrl);
+							;
+						}
+					}
+					logger.info(keyring.getPublicKeyFile());
+					logger.info(keyring.getPrivateKeyFile());
+					keyringList.add(keyring);
+				}
+			}
+		} catch (MultiPartNewException e) {
+			logger.error("证书文件上传失败：",e);
+			addMessage(redirectAttributes, "error", "request_service_failed");
+			LogUtils.saveLog(request, null, e, null);
+		} catch (MaatConvertException e) {
+			logger.error("策略配置下发失败：",e);
+			addMessage(redirectAttributes, "error", "request_service_failed");
+			LogUtils.saveLog(request, null, e, null);
+		} catch (Exception e) {
+			logger.error("策略配置保存失败：",e);
+			addMessage(redirectAttributes, "error", "save_failed");
+			LogUtils.saveLog(request, null, e, null);
+		}
+		
+		
+		try {
+			if(!StringUtil.isEmpty(keyringList)) {
+
+				pxyObjKeyringService.saveAndAuditKeyring(keyringList);
+				//配置仅保存
+				if(StringUtil.isEmpty(cfg.getIsValid()) || cfg.getIsValid()!=1) {
+					addMessage(redirectAttributes, "success", "save_success");
+				}else {
+				//配置直接生效
+					addMessage(redirectAttributes, "success", "audit_success");
+				}
+			}
+		}  catch (MaatConvertException e) {
+			logger.error("策略配置下发失败：",e);
+			addMessage(redirectAttributes, "error", "request_service_failed");
+			LogUtils.saveLog(request, null, e, null);
+		} catch (Exception e) {
+			logger.error("策略配置保存失败：",e);
+			addMessage(redirectAttributes, "error", "save_failed");
+			LogUtils.saveLog(request, null, e, null);
+		}
+		
+		return "redirect:" + adminPath + "/proxy/intercept/strateagy/list?functionId=" + cfg.getFunctionId();
+	}

 	/**
 	 * 调用shell脚本 返回运行结果