package sso
import (
"context"
"dubbo.apache.org/dubbo-go/v3/common/logger"
"encoding/json"
"fmt"
"github.com/dgrijalva/jwt-go"
"github.com/fonchain_enterprise/fonchain-main/api/account"
"github.com/fonchain_enterprise/fonchain-main/pkg/cache"
"github.com/fonchain_enterprise/fonchain-main/pkg/config"
"github.com/fonchain_enterprise/fonchain-main/pkg/e"
"github.com/fonchain_enterprise/fonchain-main/pkg/service"
"github.com/fonchain_enterprise/fonchain-main/pkg/utils/secret"
"github.com/gin-gonic/gin"
"github.com/gin-gonic/gin/binding"
"github.com/google/uuid"
"io/ioutil"
"net/http"
"reflect"
"strings"
"time"
)
var (
issuer = "https://erp.fontree.cn"
authorizationEndpoint = "https://common.szjixun.cn/sso/auth"
tokenEndpoint = "https://common.szjixun.cn/sso/token"
userinfoEndpoint = "https://common.szjixun.cn/sso/userinfo"
jwksUri = "https://common.szjixun.cn/sso/.well-known/jwks.json"
)
type ApplicationInfo struct {
ClientId string `json:"clientId"`
ClientSecret string `json:"clientSecret"`
}
type UserInfo struct {
Sub string `json:"sub"`
Name string `json:"name"`
GivenName string `json:"given_name"`
FamilyName string `json:"family_name"`
PreferredUsername string `json:"preferred_username"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
Picture string `json:"picture"`
// ...其他字段...
}
func LoadEnv() {
issuer = config.ApiHost
authorizationEndpoint = issuer + "/sso/auth"
tokenEndpoint = issuer + "/sso/token"
userinfoEndpoint = issuer + "/sso/userinfo"
jwksUri = issuer + "/sso/.well-known/jwks.json"
}
func Configuration(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{
"issuer": issuer,
"authorization_endpoint": authorizationEndpoint,
"token_endpoint": tokenEndpoint,
"userinfo_endpoint": userinfoEndpoint,
"jwks_uri": jwksUri,
// 你可以添加其他必要的OIDC配置项
})
return
}
//Auth erp授权 如果没有登陆则跳转登陆的页面
func Auth(c *gin.Context) {
// 验证用户登录,并重定向到回调地址,带上授权码code
// 这里需要开发者实现用户认证逻辑,并生成授权码
//authCode := "your_generated_auth_code"
//db[authCode] = "asdkfljoqeruowerql"
//获取cookie 解析
token, err := c.Cookie("token")
//次数应该有一个查找,但是我暂时不需要
domainClientId := c.Query("client_id")
clientKey := cache.GetSsoClientId(domainClientId)
domainClientSecret := cache.RedisClient.Get(clientKey).Val()
if domainClientSecret == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "client_id not exist"})
return
}
fmt.Println("授权页面", token, err)
if err != nil {
c.Redirect(http.StatusFound, "/sso/login?"+c.Request.URL.RawQuery)
return
}
key := cache.GetSsoAuthHtml()
exists := cache.RedisClient.Exists(key).Val()
if exists != 1 {
b, err := ioutil.ReadFile("./data/static/auth.html")
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
fmt.Println(reflect.TypeOf(b))
cache.RedisClient.Set(key, string(b), 300*time.Second)
}
htmlContent := cache.RedisClient.Get(key).Val()
c.Writer.WriteHeader(http.StatusOK)
c.Writer.Write([]byte(htmlContent))
return
}
//AuthSuccess 授权通过
func AuthSuccess(c *gin.Context) {
// 验证用户登录,并重定向到回调地址,带上授权码code
// 这里需要开发者实现用户认证逻辑,并生成授权码
//authCode := "your_generated_auth_code"
//db[authCode] = "asdkfljoqeruowerql"
//获取cookie 解析
token, err := c.Cookie("token")
domainClientId := c.Query("client_id")
clientKey := cache.GetSsoClientId(domainClientId)
domainClientSecret := cache.RedisClient.Get(clientKey).Val()
if domainClientSecret == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "client_id not exist"})
return
}
if err != nil {
//跳转到登陆
c.Redirect(http.StatusFound, "/sso/login?"+c.Request.URL.RawQuery)
return
}
authCode, b := genJwt(token)
if b != true {
c.Redirect(http.StatusFound, "/sso/login?"+c.Request.URL.RawQuery)
return
}
applicationInfo := ApplicationInfo{
ClientId: domainClientId,
ClientSecret: domainClientSecret,
}
appByte, err := json.Marshal(applicationInfo)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
cache.RedisClient.Set(cache.GetSSOCodeApplication(authCode), string(appByte), 1200*time.Second)
c.Redirect(http.StatusFound, c.Query("redirect_uri")+"?code="+authCode+"&state="+c.Query("state"))
}
func Token(c *gin.Context) {
fmt.Println("令牌断电")
var appInfo *ApplicationInfo
code := c.PostForm("code")
fmt.Println("code-------", code)
fmt.Println("Body:", c.PostForm("code"))
fmt.Println("Body:", c.PostForm("grant_type"))
fmt.Println("Body:", c.PostForm("redirect_uri"))
if code == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "code is nil"})
return
}
fmt.Println("应用信息信息", code, cache.GetSSOCodeApplication(code))
appStr := cache.RedisClient.Get(cache.GetSSOCodeApplication(code)).Val()
err := json.Unmarshal([]byte(appStr), &appInfo)
fmt.Println("应用信息信息", appStr)
fmt.Println("应用信息信息", appInfo)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
id, err := cache.RedisClient.Get(cache.GetSSOCode(code)).Int64()
fmt.Println(id, err)
if err != nil {
//c.String(500, "redis没有查找到code error: %s", err.Error())
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// 打印Body内容
req := &account.InfoRequest{
ID: uint64(id),
}
info, err := service.AccountProvider.Info(c, req)
if err != nil {
//c.String(500, "redis没有查找到code error: %s", err.Error())
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"iss": issuer, // 你的管理系统 URL
"sub": getAccountNumber(info.Info.Domain, info.Info.ID),
"aud": appInfo.ClientId, // Gitea OAuth 应用的 client_id
"exp": time.Now().Add(time.Hour * 72).Unix(),
"iat": time.Now().Unix(),
})
tokenString, err := token.SignedString([]byte(appInfo.ClientSecret)) // 使用你的密钥对其进行签名
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "Could not generate token"})
return
}
b, err := json.Marshal(info.Info)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
accessToken := uuid.New().String()
cache.RedisClient.Set(cache.GetSsoAccessToken(accessToken), string(b), 6*time.Hour)
c.JSON(http.StatusOK, gin.H{
"access_token": accessToken,
"token_type": "bearer",
"expires_in": 7200, // 建议加上令牌过期时间
"id_token": tokenString, // ID令牌通常包含用户信息的JWT
})
return
}
func SsoUserInfo(c *gin.Context) {
var userInfo account.AccountInfo
givenName := ""
familyName := ""
fmt.Println("用户信息")
// 校验访问令牌,并返回用户信息
// 这里需要验证访问令牌是否有效
accessToken := c.GetHeader("Authorization")
accessToken = strings.Replace(accessToken, "Bearer ", "", 1)
fmt.Println(accessToken)
key := cache.GetSsoAccessToken(accessToken)
fmt.Println(key)
b := cache.RedisClient.Get(key).Val()
fmt.Println("信息是", b)
if b == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_token"})
return
}
err := json.Unmarshal([]byte(b), &userInfo)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
if userInfo.NickName != "" {
runes := []rune(userInfo.NickName)
familyName = string(runes[0])
givenName = string(runes[1:])
}
info := UserInfo{
Sub: getAccountNumber(userInfo.Domain, userInfo.ID),
Name: userInfo.NickName,
GivenName: familyName,
FamilyName: givenName,
PreferredUsername: userInfo.EnglishName,
Email: userInfo.MailAccount,
EmailVerified: true,
Picture: userInfo.Avatar,
}
/*
userInfo := UserInfo{
Sub: "248289761001",
Name: "Jane Doe",
GivenName: "Jane",
FamilyName: "Doe",
PreferredUsername: "j.doe",
Email: "janedoe@example.com",
EmailVerified: true,
Picture: "http://example.com/janedoe/me.jpg",
}
*/
c.JSON(http.StatusOK, info)
return
}
func LoginHtml(c *gin.Context) {
exists := cache.RedisClient.Exists(cache.GetSSoLoginHtml()).Val()
if exists != 1 {
b, err := ioutil.ReadFile("./data/static/sso.html")
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
cache.RedisClient.Set(cache.GetSSoLoginHtml(), string(b), 300*time.Second)
}
htmlContent := cache.RedisClient.Get(cache.GetSSoLoginHtml()).Val()
c.Writer.WriteHeader(http.StatusOK)
c.Writer.Write([]byte(htmlContent))
return
}
func Login(c *gin.Context) {
var req account.LoginRequest
if err := c.ShouldBindBodyWith(&req, binding.JSON); err != nil {
service.Error(c, e.InvalidParams, err)
return
}
req.Ip = c.ClientIP()
res, err := service.AccountProvider.Login(c, &req)
if err != nil {
service.Error(c, e.InvalidParams, err)
return
}
token, err := secret.CombineSecret(res.Token, "zz", res.Token)
if err != nil {
service.Error(c, e.Error, err)
return
}
c.SetCookie("token", token, 43200, "/", "", false, true)
//c.Redirect(http.StatusFound, c.Query("redirect_uri")+"?code="+c.Query("code")+"&state="+c.Query("state"))
service.Success(c, "")
return
}
func genJwt(token string) (string, bool) {
//解析token
jwtToken, err := secret.GetJwtFromStr(token)
if err != nil {
return "'", false
}
req := account.DecryptJwtRequest{
Token: jwtToken,
}
info, err := service.AccountProvider.DecryptJwt(context.Background(), &req) // 处理
if err != nil {
logger.Warn("sso 解密微服务提示错误", err)
return "", false
}
//info.ID =
//生成 uuid 插入redis
code := uuid.New().String()
cache.RedisClient.Set(cache.GetSSOCode(code), info.ID, 600*time.Second)
return code, true
}
func getAccountNumber(domain string, id uint64) string {
return fmt.Sprintf("%s_%010d", domain, id)
}