
修改bug

lishuangjiang@potevio.com 1 年之前
父節點
當前提交
1bff95d287

+ 4 - 0
sso-module-system/sso-module-system-api/src/main/java/com/poteviohealth/cgp/sso/module/system/enums/ErrorCodeConstants.java

@@ -67,6 +67,8 @@ public interface ErrorCodeConstants {
 
     ErrorCode USER_SYNC_ERROR = new ErrorCode(1_002_003_019, "用户同步错误({})");
 
+    ErrorCode USER_CLIENT_LINK_AUTH_ERROR = new ErrorCode(1_002_003_020, "无权限");
+
     // ========== 部门模块 1-002-004-000 ==========
     ErrorCode DEPT_NAME_DUPLICATE = new ErrorCode(1_002_004_000, "已经存在该名字的部门");
     ErrorCode DEPT_PARENT_NOT_EXITS = new ErrorCode(1_002_004_001,"父级部门不存在");
@@ -171,6 +173,8 @@ public interface ErrorCodeConstants {
     ErrorCode OAUTH2_GRANT_STATE_MISMATCH = new ErrorCode(1_002_021_002, "state 不匹配");
     ErrorCode OAUTH2_GRANT_CODE_NOT_EXISTS = new ErrorCode(1_002_021_003, "code 不存在");
 
+    ErrorCode OAUTH2_ERROR = new ErrorCode(1_002_021_004, "授权失败!");
+
     // ========== OAuth2 授权 1-002-022-000 =========
     ErrorCode OAUTH2_CODE_NOT_EXISTS = new ErrorCode(1_002_022_000, "code 不存在");
     ErrorCode OAUTH2_CODE_EXPIRE = new ErrorCode(1_002_022_001, "code 已过期");

+ 25 - 17
sso-module-system/sso-module-system-biz/src/main/java/com/poteviohealth/cgp/sso/module/system/controller/admin/oauth2/OAuth2OpenController.java

@@ -4,6 +4,7 @@ import cn.hutool.core.lang.Assert;
 import cn.hutool.core.util.ArrayUtil;
 import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.util.StrUtil;
+import com.poteviohealth.cgp.sso.framework.common.enums.CommonStatusEnum;
 import com.poteviohealth.cgp.sso.framework.common.enums.UserTypeEnum;
 import com.poteviohealth.cgp.sso.framework.common.pojo.CommonResult;
 import com.poteviohealth.cgp.sso.framework.common.util.http.HttpUtils;
@@ -15,11 +16,13 @@ import com.poteviohealth.cgp.sso.module.system.convert.oauth2.OAuth2OpenConvert;
 import com.poteviohealth.cgp.sso.module.system.dal.dataobject.oauth2.OAuth2AccessTokenDO;
 import com.poteviohealth.cgp.sso.module.system.dal.dataobject.oauth2.OAuth2ApproveDO;
 import com.poteviohealth.cgp.sso.module.system.dal.dataobject.oauth2.OAuth2ClientDO;
+import com.poteviohealth.cgp.sso.module.system.dal.dataobject.userclient.UserClientDO;
 import com.poteviohealth.cgp.sso.module.system.enums.oauth2.OAuth2GrantTypeEnum;
 import com.poteviohealth.cgp.sso.module.system.service.oauth2.OAuth2ApproveService;
 import com.poteviohealth.cgp.sso.module.system.service.oauth2.OAuth2ClientService;
 import com.poteviohealth.cgp.sso.module.system.service.oauth2.OAuth2GrantService;
 import com.poteviohealth.cgp.sso.module.system.service.oauth2.OAuth2TokenService;
+import com.poteviohealth.cgp.sso.module.system.service.userclient.UserClientService;
 import com.poteviohealth.cgp.sso.module.system.util.oauth2.OAuth2Utils;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import io.swagger.v3.oas.annotations.Parameter;
@@ -38,10 +41,12 @@ import java.util.Map;
 import java.util.Objects;
 
 import static com.poteviohealth.cgp.sso.framework.common.exception.enums.GlobalErrorCodeConstants.BAD_REQUEST;
+import static com.poteviohealth.cgp.sso.framework.common.exception.util.ServiceExceptionUtil.exception;
 import static com.poteviohealth.cgp.sso.framework.common.exception.util.ServiceExceptionUtil.exception0;
 import static com.poteviohealth.cgp.sso.framework.common.pojo.CommonResult.success;
 import static com.poteviohealth.cgp.sso.framework.common.util.collection.CollectionUtils.convertList;
 import static com.poteviohealth.cgp.sso.framework.security.core.util.SecurityFrameworkUtils.getLoginUserId;
+import static com.poteviohealth.cgp.sso.module.system.enums.ErrorCodeConstants.OAUTH2_CLIENT_NOT_EXISTS;
 
 /**
  * 提供给外部应用调用为主
@@ -71,6 +76,7 @@ public class OAuth2OpenController {
     @Resource
     private OAuth2TokenService oauth2TokenService;
 
+
     /**
      * 对应 Spring Security OAuth 的 TokenEndpoint 类的 postAccessToken 方法
      * <p>
@@ -122,43 +128,41 @@ public class OAuth2OpenController {
         //消息体解析
         if (Objects.nonNull(bodyData) && !bodyData.isEmpty()) {
             if (bodyData.containsKey("code")) {
-                code =(String) bodyData.get("code");
+                code = (String) bodyData.get("code");
             }
             if (bodyData.containsKey("redirect_uri")) {
-                redirectUri =(String) bodyData.get("redirect_uri");
+                redirectUri = (String) bodyData.get("redirect_uri");
             }
             if (bodyData.containsKey("state")) {
-                state =(String) bodyData.get("state");
+                state = (String) bodyData.get("state");
             }
             if (bodyData.containsKey("username")) {
-                username =(String) bodyData.get("username");
+                username = (String) bodyData.get("username");
             }
             if (bodyData.containsKey("password")) {
-                password =(String) bodyData.get("password");
+                password = (String) bodyData.get("password");
             }
             if (bodyData.containsKey("scope")) {
-                scope =(String) bodyData.get("scope");
+                scope = (String) bodyData.get("scope");
             }
             if (bodyData.containsKey("refresh_token")) {
-                refreshToken =(String) bodyData.get("refresh_token");
+                refreshToken = (String) bodyData.get("refresh_token");
             }
         }
-
-
         // 2. 根据授权模式,获取访问令牌
         OAuth2AccessTokenDO accessTokenDO;
         switch (grantTypeEnum) {
             case AUTHORIZATION_CODE:
-                accessTokenDO = oauth2GrantService.grantAuthorizationCodeForAccessToken(client.getClientId(), code, redirectUri, state);
+                accessTokenDO = oauth2GrantService.grantAuthorizationCodeForAccessToken(client.getClientId(), code, redirectUri, state, client.getId());
                 break;
             case PASSWORD:
-                accessTokenDO = oauth2GrantService.grantPassword(username, password, client.getClientId(), scopes);
+                accessTokenDO = oauth2GrantService.grantPassword(username, password, client.getClientId(), scopes, client.getId());
                 break;
             case CLIENT_CREDENTIALS:
-                accessTokenDO = oauth2GrantService.grantClientCredentials(client.getClientId(), scopes);
+                accessTokenDO = oauth2GrantService.grantClientCredentials(client.getClientId(), scopes, client.getId());
                 break;
             case REFRESH_TOKEN:
-                accessTokenDO = oauth2GrantService.grantRefreshToken(refreshToken, client.getClientId());
+                accessTokenDO = oauth2GrantService.grantRefreshToken(refreshToken, client.getClientId(), client.getId());
                 break;
             default:
                 throw new IllegalArgumentException("未知授权类型:" + grantType);
@@ -208,20 +212,24 @@ public class OAuth2OpenController {
         OAuth2AccessTokenDO accessTokenDO;
         switch (grantTypeEnum) {
             case AUTHORIZATION_CODE:
-                accessTokenDO = oauth2GrantService.grantAuthorizationCodeForAccessToken(client.getClientId(), code, redirectUri, state);
+                accessTokenDO = oauth2GrantService.grantAuthorizationCodeForAccessToken(client.getClientId(), code, redirectUri, state,client.getId());
                 break;
             case PASSWORD:
-                accessTokenDO = oauth2GrantService.grantPassword(username, password, client.getClientId(), scopes);
+                accessTokenDO = oauth2GrantService.grantPassword(username, password, client.getClientId(), scopes,client.getId());
                 break;
             case CLIENT_CREDENTIALS:
-                accessTokenDO = oauth2GrantService.grantClientCredentials(client.getClientId(), scopes);
+                accessTokenDO = oauth2GrantService.grantClientCredentials(client.getClientId(), scopes,client.getId());
                 break;
             case REFRESH_TOKEN:
-                accessTokenDO = oauth2GrantService.grantRefreshToken(refreshToken, client.getClientId());
+                accessTokenDO = oauth2GrantService.grantRefreshToken(refreshToken, client.getClientId(),client.getId());
                 break;
             default:
                 throw new IllegalArgumentException("未知授权类型:" + grantType);
         }
+        //
+        if (Objects.isNull(accessTokenDO)) {
+            throw new IllegalArgumentException("授权失败");
+        }
         Assert.notNull(accessTokenDO, "访问令牌不能为空"); // 防御性检查
         return OAuth2OpenConvert.INSTANCE.convert(accessTokenDO);
     }
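Review bot: The null check added just before the closing `Assert.notNull` (`if (Objects.isNull(accessTokenDO)) { throw new IllegalArgumentException("授权失败"); }`) makes that assertion unreachable and sidesteps the project's ErrorCode convention, so this endpoint reports a failed grant as an IllegalArgumentException rather than the `OAUTH2_ERROR` code the same commit introduces. Collapse the two into one check that uses the `exception` helper this commit statically imports — `if (Objects.isNull(accessTokenDO)) { throw exception(OAUTH2_ERROR); }` — with a static import of `ErrorCodeConstants.OAUTH2_ERROR` beside the `OAUTH2_CLIENT_NOT_EXISTS` one, and drop the empty `//` line above it. The earlier hunk's switch is given no such check in its visible lines, so the two token methods would fail differently on a null token unless the same guard is applied there; both methods start outside their hunks. The `CommonStatusEnum`, `UserClientDO`, `UserClientService` and `OAUTH2_CLIENT_NOT_EXISTS` imports added at the top are not referenced in any visible hunk and should be removed if nothing else in the file uses them.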

+ 14 - 6
sso-module-system/sso-module-system-biz/src/main/java/com/poteviohealth/cgp/sso/module/system/controller/admin/user/UserController.java

@@ -29,6 +29,7 @@ import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.Parameters;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.access.prepost.PreAuthorize;
@@ -58,6 +59,7 @@ import static com.poteviohealth.cgp.sso.module.system.enums.ErrorCodeConstants.*
 @RestController
 @RequestMapping("/system/user")
 @Validated
+@Slf4j
 public class UserController {
     @Resource
     private AdminUserService userService;
@@ -266,24 +268,30 @@ public class UserController {
                 throw exception(USER_NOT_EXISTS);
             }else{
                 if(user.getStatus().equals(CommonStatusEnum.DISABLE.getStatus())){
-                    throw exception(USER_IS_DISABLE,user.getNickname());
+                    log.error(USER_IS_DISABLE.getMsg(),user.getUsername());
+                    throw exception(USER_CLIENT_LINK_AUTH_ERROR);
                 }
                 if(!user.getAssociatedSystem().contains(linkId)){
-                    throw exception(USER_CLIENT_NOT_EXISTS);
+                    log.error(USER_CLIENT_NOT_EXISTS.getMsg());
+                    throw exception(USER_CLIENT_LINK_AUTH_ERROR);
                 }
                 OAuth2ClientDO oAuth2Client = oAuth2ClientService.getOAuth2Client(linkId);
                 if(Objects.isNull(oAuth2Client)){
-                    throw exception(USER_CLIENT_NOT_EXISTS);
+                    log.error(USER_CLIENT_NOT_EXISTS.getMsg());
+                    throw exception(USER_CLIENT_LINK_AUTH_ERROR);
                 }
                 UserClientDO userClient = userClientService.getUserClientByParam(userId, linkId);
                 if(Objects.isNull(userClient)){
-                    throw exception(USER_CLIENT_NOT_EXISTS);
+                    log.error(USER_CLIENT_NOT_EXISTS.getMsg());
+                    throw exception(USER_CLIENT_LINK_AUTH_ERROR);
                 }
                 if(userClient.getStatus().equals(CommonStatusEnum.DISABLE.getStatus())){
-                    throw exception(USER_CLIENT_STOP);
+                    log.error(USER_CLIENT_STOP.getMsg());
+                    throw exception(USER_CLIENT_LINK_AUTH_ERROR);
                 }
                 if(userClient.getSyncStatus()==0 || userClient.getSyncStatus()==2){
-                    throw exception(USER_NO_SYNC);
+                    log.error(USER_NO_SYNC.getMsg());
+                    throw exception(USER_CLIENT_LINK_AUTH_ERROR);
                 }
                 // 拼接数据
                 url = constructLinkUrl(userClient,oAuth2Client,refreshToken,user);
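Review bot: The `log.error(...)` lines added before each `throw exception(USER_CLIENT_LINK_AUTH_ERROR)` carry no identifying context — only the `USER_IS_DISABLE` line passes a username, the other five log a fixed message — so now that the client-facing error is collapsed to one generic code, the log is the only place the real reason survives and it cannot be tied to a user or link. Include both identifiers in every line, e.g. `log.warn("user-client link denied: userId={} linkId={} reason={}", userId, linkId, USER_CLIENT_NOT_EXISTS.getMsg());`, and use WARN rather than ERROR, since a refused link is an expected authorization outcome rather than a fault. Returning a single generic code to the caller is the right direction — the response no longer distinguishes a disabled account from an unlinked or unsynced one — so keep that part. The enclosing method starts and ends outside the hunk.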

+ 0 - 1
sso-module-system/sso-module-system-biz/src/main/java/com/poteviohealth/cgp/sso/module/system/service/oauth2/OAuth2ClientServiceImpl.java

@@ -144,7 +144,6 @@ public class OAuth2ClientServiceImpl implements OAuth2ClientService {
         if (CommonStatusEnum.isDisable(client.getStatus())) {
             throw exception(OAUTH2_CLIENT_DISABLE);
         }
-
         // 校验客户端密钥
         if (StrUtil.isNotEmpty(clientSecret) && ObjectUtil.notEqual(client.getSecret(), clientSecret)) {
             throw exception(OAUTH2_CLIENT_CLIENT_SECRET_ERROR);

+ 4 - 4
sso-module-system/sso-module-system-biz/src/main/java/com/poteviohealth/cgp/sso/module/system/service/oauth2/OAuth2GrantService.java

@@ -61,7 +61,7 @@ public interface OAuth2GrantService {
      * @return 访问令牌
      */
     OAuth2AccessTokenDO grantAuthorizationCodeForAccessToken(String clientId, String code,
-                                                             String redirectUri, String state);
+                                                             String redirectUri, String state,Long oauthClientId);
 
     /**
      * 密码模式
@@ -75,7 +75,7 @@ public interface OAuth2GrantService {
      * @return 访问令牌
      */
     OAuth2AccessTokenDO grantPassword(String username, String password,
-                                      String clientId, List<String> scopes);
+                                      String clientId, List<String> scopes,Long oauthClientId);
 
     /**
      * 刷新模式
@@ -86,7 +86,7 @@ public interface OAuth2GrantService {
      * @param clientId 客户端编号
      * @return 访问令牌
      */
-    OAuth2AccessTokenDO grantRefreshToken(String refreshToken, String clientId);
+    OAuth2AccessTokenDO grantRefreshToken(String refreshToken, String clientId,Long oauthClientId);
 
     /**
      * 客户端模式
@@ -97,7 +97,7 @@ public interface OAuth2GrantService {
      * @param scopes 授权范围
      * @return 访问令牌
      */
-    OAuth2AccessTokenDO grantClientCredentials(String clientId, List<String> scopes);
+    OAuth2AccessTokenDO grantClientCredentials(String clientId, List<String> scopes,Long oauthClientId);
 
     /**
      * 移除访问令牌
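Review bot: The `Long oauthClientId` parameter added to all four grant methods is undocumented, while each method's Javadoc lists its other parameters (`@param clientId 客户端编号` is visible in the refresh-mode hunk). Add `@param oauthClientId` to each of the four Javadoc blocks, stating that it is the client's persisted id (the controller passes `client.getId()`, as distinct from the string `clientId`) and which grant modes actually honour it, since the implementation in this commit reads it only in the password grant. A space after the comma (`String state, Long oauthClientId`) would match the surrounding parameter lists. Each Javadoc block begins outside its hunk.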

+ 20 - 6
sso-module-system/sso-module-system-biz/src/main/java/com/poteviohealth/cgp/sso/module/system/service/oauth2/OAuth2GrantServiceImpl.java

@@ -3,18 +3,24 @@ package com.poteviohealth.cgp.sso.module.system.service.oauth2;
 import cn.hutool.core.lang.Assert;
 import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.util.StrUtil;
+import com.poteviohealth.cgp.sso.framework.common.enums.CommonStatusEnum;
 import com.poteviohealth.cgp.sso.framework.common.enums.UserTypeEnum;
 import com.poteviohealth.cgp.sso.module.system.dal.dataobject.oauth2.OAuth2AccessTokenDO;
 import com.poteviohealth.cgp.sso.module.system.dal.dataobject.oauth2.OAuth2CodeDO;
 import com.poteviohealth.cgp.sso.module.system.dal.dataobject.user.AdminUserDO;
+import com.poteviohealth.cgp.sso.module.system.dal.dataobject.userclient.UserClientDO;
 import com.poteviohealth.cgp.sso.module.system.enums.ErrorCodeConstants;
 import com.poteviohealth.cgp.sso.module.system.service.auth.AdminAuthService;
+import com.poteviohealth.cgp.sso.module.system.service.userclient.UserClientService;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.Resource;
 import java.util.List;
+import java.util.Objects;
 
 import static com.poteviohealth.cgp.sso.framework.common.exception.util.ServiceExceptionUtil.exception;
+import static com.poteviohealth.cgp.sso.module.system.enums.ErrorCodeConstants.OAUTH2_CLIENT_NOT_EXISTS;
+import static com.poteviohealth.cgp.sso.module.system.enums.ErrorCodeConstants.OAUTH2_ERROR;
 
 /**
  * OAuth2 授予 Service 实现类
@@ -31,6 +37,9 @@ public class OAuth2GrantServiceImpl implements OAuth2GrantService {
     @Resource
     private AdminAuthService adminAuthService;
 
+    @Resource
+    private UserClientService userClientService;
+
     @Override
     public OAuth2AccessTokenDO grantImplicit(Long userId, Integer userType,
                                              String clientId, List<String> scopes) {
@@ -47,7 +56,7 @@ public class OAuth2GrantServiceImpl implements OAuth2GrantService {
 
     @Override
     public OAuth2AccessTokenDO grantAuthorizationCodeForAccessToken(String clientId, String code,
-                                                                    String redirectUri, String state) {
+                                                                    String redirectUri, String state,Long oauthClientId) {
         OAuth2CodeDO codeDO = oauth2CodeService.consumeAuthorizationCode(code);
         Assert.notNull(codeDO, "授权码不能为空"); // 防御性编程
         // 校验 clientId 是否匹配
@@ -59,8 +68,6 @@ public class OAuth2GrantServiceImpl implements OAuth2GrantService {
             throw exception(ErrorCodeConstants.OAUTH2_GRANT_REDIRECT_URI_MISMATCH);
         }
         // 校验 state 是否匹配
-        System.out.println("####################state:"+state);
-        System.out.println("####################codeDO.getState():"+codeDO.getState());
         state = StrUtil.nullToDefault(state, ""); // 数据库 state 为 null 时,会设置为 "" 空串
 //        if (!StrUtil.equals(state, codeDO.getState())) {
 //            throw exception(ErrorCodeConstants.OAUTH2_GRANT_STATE_MISMATCH);
@@ -72,22 +79,29 @@ public class OAuth2GrantServiceImpl implements OAuth2GrantService {
     }
 
     @Override
-    public OAuth2AccessTokenDO grantPassword(String username, String password, String clientId, List<String> scopes) {
+    public OAuth2AccessTokenDO grantPassword(String username, String password, String clientId,
+                                             List<String> scopes,Long oauthClientId){
         // 使用账号 + 密码进行登录
         AdminUserDO user = adminAuthService.authenticate(username, password);
         Assert.notNull(user, "用户不能为空!"); // 防御性编程
 
+        UserClientDO userClient = userClientService.getUserClientByParam(user.getId(), oauthClientId);
+        if(Objects.isNull(userClient)
+                || userClient.getStatus().equals(CommonStatusEnum.DISABLE.getStatus())
+        ){
+            throw exception(OAUTH2_ERROR);
+        }
         // 创建访问令牌
         return oauth2TokenService.createAccessToken(user.getId(), UserTypeEnum.ADMIN.getValue(), clientId, scopes);
     }
 
     @Override
-    public OAuth2AccessTokenDO grantRefreshToken(String refreshToken, String clientId) {
+    public OAuth2AccessTokenDO grantRefreshToken(String refreshToken, String clientId,Long oauthClientId) {
         return oauth2TokenService.refreshAccessToken(refreshToken, clientId);
     }
 
     @Override
-    public OAuth2AccessTokenDO grantClientCredentials(String clientId, List<String> scopes) {
+    public OAuth2AccessTokenDO grantClientCredentials(String clientId, List<String> scopes,Long oauthClientId) {
         // TODO 芋艿:项目中使用 OAuth2 解决的是三方应用的授权,内部的 SSO 等问题,所以暂时不考虑 client_credentials 这个场景
         throw new UnsupportedOperationException("暂时不支持 client_credentials 授权模式");
     }
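Review bot: The user–client link check added in `grantPassword` is not applied in `grantRefreshToken`, which accepts the new `oauthClientId` but still only forwards to `refreshAccessToken(refreshToken, clientId)`, and `grantAuthorizationCodeForAccessToken` likewise takes the parameter without reading it in its visible lines. A link that is removed or disabled after the initial password grant is therefore still honoured on every refresh, so the new restriction only lasts until the first refresh. Move the lookup into a private helper and call it from both paths; on the refresh path it needs the user id of the refreshed token (OAuth2AccessTokenDO's accessor is not visible here), and checking after `refreshAccessToken` means a rejected refresh may already have been persisted, so verify whether the token service can resolve the user before issuing. The disabled test is also safer as `CommonStatusEnum.isDisable(userClient.getStatus())`, which `OAuth2ClientServiceImpl` already uses, rather than `userClient.getStatus().equals(...)`, which throws on a null status. The `OAUTH2_CLIENT_NOT_EXISTS` static import does not appear to be used in any visible hunk.
```java
    @Override
    public OAuth2AccessTokenDO grantPassword(String username, String password, String clientId,
                                             List<String> scopes, Long oauthClientId) {
        // … unchanged: authenticate user, Assert.notNull …
        requireEnabledUserClient(user.getId(), oauthClientId);
        // … unchanged: createAccessToken …
    }

    @Override
    public OAuth2AccessTokenDO grantRefreshToken(String refreshToken, String clientId, Long oauthClientId) {
        OAuth2AccessTokenDO refreshed = oauth2TokenService.refreshAccessToken(refreshToken, clientId);
        // <USER_ID_FROM_TOKEN> = the refreshed token's user id; the DO's accessor is outside this diff
        requireEnabledUserClient(<USER_ID_FROM_TOKEN>, oauthClientId);
        return refreshed;
    }

    /** Rejects the grant unless the user holds an enabled link to this OAuth2 client. */
    private void requireEnabledUserClient(Long userId, Long oauthClientId) {
        UserClientDO userClient = userClientService.getUserClientByParam(userId, oauthClientId);
        if (Objects.isNull(userClient) || CommonStatusEnum.isDisable(userClient.getStatus())) {
            throw exception(OAUTH2_ERROR);
        }
    }
```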