【feature】新增加密隧道工具; review by songym

Author: xiongjiaojiao

build/webpack.config.base.js

@@ -58,7 +58,12 @@ module.exports = {
 
     //其它解决方案配置
     resolve: {
-        extensions: ['.js', '.json', '.css']
+        extensions: ['.js', '.json', '.css'],
+        fallback: {
+          crypto: false,
+          stream: false,
+          vm: false
+        }
     },
 
     externals: {

package.json

@@ -153,6 +153,7 @@
     "mapbox-gl": "1.13.2",
     "maplibre-gl": "3.1.0",
     "mapv": "2.0.62",
+    "node-forge": "^1.3.1",
     "ol": "6.14.1",
     "pbf": "3.2.1",
     "process": "^0.11.10",

src/common/index.common.js

@@ -333,7 +333,8 @@ import {
     ArrayStatistic,
     getMeterPerMapUnit,
     getWrapNum,
-    conversionDegree
+    conversionDegree,
+    EncryptFetchRequestUtil
 } from './util';
 import { CartoCSS, ThemeStyle } from './style';
 import {
@@ -498,6 +499,7 @@ export {
     isCORS,
     setCORS,
     FetchRequest,
+    EncryptFetchRequestUtil,
     ColorsPickerUtil,
     ArrayStatistic,
     getMeterPerMapUnit,

src/common/namespace.js

@@ -337,6 +337,7 @@ import {
   isCORS,
   setCORS,
   FetchRequest,
+  EncryptFetchRequestUtil,
   ColorsPickerUtil,
   ArrayStatistic,
   CartoCSS,
@@ -493,6 +494,7 @@ SuperMap.isCORS = isCORS;
 SuperMap.setRequestTimeout = setRequestTimeout;
 SuperMap.getRequestTimeout = getRequestTimeout;
 SuperMap.FetchRequest = FetchRequest;
+SuperMap.EncryptFetchRequestUtil = EncryptFetchRequestUtil;
 
 // commontypes
 SuperMap.inherit = inheritExt;

src/common/package.json

@@ -18,12 +18,13 @@
     "echarts": "5.4.3",
     "fetch-ie8": "1.5.0",
     "fetch-jsonp": "1.1.3",
+    "flatgeobuf": "3.23.1",
     "promise-polyfill": "8.2.3",
     "lodash.topairs": "4.3.0",
     "lodash.uniqby": "^4.7.0",
     "lodash.clonedeep": "^4.5.0",
     "mapv": "2.0.62",
-    "flatgeobuf": "3.23.1",
+    "node-forge": "^1.3.1",
     "rbush": "^2.0.2",
     "urijs": "^1.19.11",
     "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"

src/common/util/EncryptFetchRequestUtil.js

@@ -0,0 +1,111 @@
+import { FetchRequest } from './FetchRequest';
+import {
+  RSAEncrypt,
+  AESGCMEncrypt,
+  AESGCMDecrypt,
+  generateAESRandomKey,
+  generateAESRandomIV
+} from './RSAAndAESEn-DecryptorUtil';
+
+/**
+ * @private
+ * @name EncryptFetchRequestUtil
+ * @namespace
+ * @category BaseTypes Util
+ * @classdesc 加密请求地址
+ */
+export class EncryptFetchRequestUtil {
+  constructor(serverUrl = 'http://172.16.13.234:8090/iserver') {
+    this.serverUrl = serverUrl.split('').slice(-1)[0] === '/' ? serverUrl : `${serverUrl}/`;
+    this.tunnelUrl = undefined;
+    this.blockedUrlRegex = {
+      HEAD: [],
+      POST: [],
+      GET: [],
+      PUT: [],
+      DELETE: []
+    };
+    this.encryptAESKey = generateAESRandomKey();
+    this.encryptAESIV = generateAESRandomIV();
+  }
+
+  async encryptRequest(options) {
+    const config = Object.assign({ baseURL: '' }, options);
+    const tunnelUrl = await this.createTunnel();
+    if (!tunnelUrl) {
+      return;
+    }
+    for (const pattern of this.blockedUrlRegex[config.method.toUpperCase()]) {
+      const regex = new RegExp(pattern);
+      if (regex.test(config.baseURL + config.url)) {
+        const data = {
+          url: config.baseURL + (config.url.startsWith('/') ? config.url.substring(1, config.url.length) : config.url),
+          method: config.method,
+          timeout: config.timeout,
+          headers: config.headers,
+          body: config.data
+        };
+        // 替换请求
+        config.method = 'post';
+        config.data = AESGCMEncrypt(this.encryptAESKey, this.encryptAESIV, JSON.stringify(data));
+        if (!config.data) {
+          throw 'encrypt failed';
+        }
+        config.url = this.tunnelUrl;
+        break;
+      }
+    }
+    const response = await FetchRequest.commit(config.method, config.url, config.data, config.options);
+    if (config.url === this.tunnelUrl) {
+      const result = await response.text();
+      const decryptResult = AESGCMDecrypt(this.encryptAESKey, this.encryptAESIV, result);
+      if (!decryptResult) {
+        console.debug('解密请求响应失败');
+        return;
+      }
+      return JSON.parse(decryptResult).data;
+    }
+    return response;
+  }
+
+  async getRSAPublicKey() {
+    try {
+      const response = await FetchRequest.get(`${this.serverUrl}services/security/tunnel/v1/publickey`);
+      // 解析publicKey
+      const publicKeyObj = await response.json();
+      // 生成AES密钥
+      const aesKeyObj = {
+        key: this.encryptAESKey,
+        iv: this.encryptAESIV,
+        mode: 'GCM',
+        padding: 'NoPadding'
+      };
+      // 将AES密钥使用RSA公钥加密
+      const aesCipherText = RSAEncrypt(publicKeyObj.publicKey, aesKeyObj.key + aesKeyObj.iv);
+      return aesCipherText;
+    } catch (error) {
+      console.debug('RSA公钥获取失败，错误详情：' + error);
+    }
+  }
+
+  async createTunnel() {
+    if (!this.tunnelUrl) {
+      try {
+        const data = await this.getRSAPublicKey();
+        if (!data) {
+          throw 'fetch RSA publicKey failed';
+        }
+        // 创建隧道
+        const response = await FetchRequest.post(`${this.serverUrl}services/security/tunnel/v1/tunnels`, data);
+        const result = await response.json();
+        Object.assign(this, {
+          tunnelUrl: result.tunnelUrl,
+          blockedUrlRegex: Object.assign({}, this.blockedUrlRegex, result.blockedUrlRegex)
+        });
+      } catch (error) {
+        console.debug('安全隧道创建失败，错误详情：' + error);
+      }
+    }
+    return this.tunnelUrl;
+  }
+}

src/common/util/RSAAndAESEn-DecryptorUtil.js

@@ -0,0 +1,119 @@
+import pki from 'node-forge/lib/pki';
+import md from 'node-forge/lib/md';
+import cipher from 'node-forge/lib/cipher';
+import util from 'node-forge/lib/util';
+
+/**
+ * @private
+ * @function RSAEncrypt
+ * @description RSAES-OAEP/SHA-256/MGF1-SHA-1加密，对应java的RSA/ECB/OAEPWithSHA-256AndMGF1Padding
+ * @param publicKeyStr - RSA 公钥
+ * @param message - 需要加密的信息
+ * @returns {string|boolean} 加密成功返回base64编码的密文，加密失败返回false
+ */
+export function RSAEncrypt (publicKeyStr, message) {
+    if (publicKeyStr && publicKeyStr.indexOf('BEGIN PUBLIC KEY') === -1) { // 转为PEM格式
+        publicKeyStr = `-----BEGIN PUBLIC KEY-----\n${publicKeyStr}\n-----END PUBLIC KEY-----`;
+    }
+    const publicKey = pki.publicKeyFromPem(publicKeyStr);
+    const obj = {
+                md: md.sha256.create(),
+                mgf1: {
+                    md: md.sha1.create()
+                }
+            };
+    const encrypted = publicKey.encrypt(message, 'RSA-OAEP', obj);
+    if (!encrypted) {
+        return false; // 加密失败
+    }
+    return window.btoa(encrypted);
+}
+
+/**
+ * @private
+ * @function AESGCMDecrypt
+ * @description AES/GCM解密
+ * @param key - 16位
+ * @param iv - 12位
+ * @param cipherText - 密文 = base64转码(加密内容 + 16位的mac值)
+ * @returns {boolean|string} 解密成功返回明文，解密失败返回false
+ */
+export function AESGCMDecrypt (key, iv, cipherText) {
+    const cipherStrAndMac = window.atob(cipherText);
+    const cipherStr = cipherStrAndMac.substring(0, cipherStrAndMac.length - 16);
+    const mac = cipherStrAndMac.substring(cipherStrAndMac.length - 16);
+    const decipher = cipher.createDecipher('AES-GCM', util.createBuffer(key));
+    decipher.start({
+        iv: util.createBuffer(iv),
+        additionalData: '', // optional
+        tagLength: 128, // optional, defaults to 128 bits
+        tag: mac // authentication tag from encryption
+    });
+    decipher.update(util.createBuffer(cipherStr));
+    const pass = decipher.finish();
+    if (pass) {
+        return util.decodeUtf8(decipher.output.data);
+    }
+    return false;
+}
+
+/**
+ * @private
+ * @function AESGCMEncrypt
+ * @description AES/GCM加密
+ * @param key - 16位
+ * @param iv - 12位
+ * @param msg - 明文
+ * @returns {boolean|string} 加密成功返回明文，加密失败返回false
+ */
+export function AESGCMEncrypt (key, iv, msg) {
+    msg = util.encodeUtf8(msg);
+    const cipherInstance = cipher.createCipher('AES-GCM', key);
+    cipherInstance.start({
+        iv: iv,
+        additionalData: '', // 'binary-encoded string', // optional
+        tagLength: 128 // optional, defaults to 128 bits
+    });
+    cipherInstance.update(util.createBuffer(msg));
+    const pass = cipherInstance.finish();
+    if (pass) {
+        const encrypted = cipherInstance.output;
+        const tag = cipherInstance.mode.tag;
+        return window.btoa(encrypted.data + tag.data);
+    }
+    return false;
+}
+
+/**
+ * @private
+ * @function generateAESRandomKey
+ * @description 生成随机的16位 AES key
+ * @returns {string}
+ */
+export function generateAESRandomKey () {
+    return randomString(16);
+}
+
+/**
+ * @private
+ * @function generateAESRandomIV
+ * @description 生成随机的12位 AES iv
+ * @returns {string}
+ */
+export function generateAESRandomIV () {
+    return randomString(12);
+}
+
+/**
+ * @private
+ * @function randomString
+ * @description 生成指定长度的随机字符串
+ * @param length - 随机字符串长度
+ * @returns {string}
+ */
+function randomString (length) {
+    const str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    let result = '';
+    for (let i = length; i > 0; --i) { result += str[Math.floor(Math.random() * str.length)]; }
+    return result;
+}