Merge branch 'tunnel-dev'

Author: luoxiao-supermap

dist/mapboxgl/include-mapboxgl.js

@@ -59,8 +59,8 @@
       inputScript(libsurl + '/mapbox-gl-js/1.13.2/mapbox-gl.js');
     }
     if (inArray(includes, 'mapbox-gl-enhance')) {
-      inputCSS(libsurl + '/mapbox-gl-js-enhance/1.12.1-3/mapbox-gl-enhance.css');
-      inputScript(libsurl + '/mapbox-gl-js-enhance/1.12.1-3/mapbox-gl-enhance.js');
+      inputCSS(libsurl + '/mapbox-gl-js-enhance/1.12.1-4/mapbox-gl-enhance.css');
+      inputScript(libsurl + '/mapbox-gl-js-enhance/1.12.1-4/mapbox-gl-enhance.js');
     }
     if (inArray(includes, 'g6')) {
       inputScript(libsurl + '/antv/g6/4.3.2/g6.min.js');

package.json

@@ -133,6 +133,7 @@
     "@mapbox/vector-tile": "1.3.1",
     "@sinonjs/text-encoding": "^0.7.2",
     "@supermap/iclient-common": "file:src/common",
+    "@supermap/tile-decryptor": "^0.0.1",
     "@tensorflow/tfjs": "^3.9.0",
     "@turf/turf": "6.5.0",
     "canvg": "3.0.10",
@@ -153,6 +154,7 @@
     "mapbox-gl": "1.13.2",
     "maplibre-gl": "3.1.0",
     "mapv": "2.0.62",
+    "node-forge": "^1.3.1",
     "ol": "6.14.1",
     "pbf": "3.2.1",
     "process": "^0.11.10",

src/common/index.common.js

@@ -333,7 +333,9 @@ import {
     ArrayStatistic,
     getMeterPerMapUnit,
     getWrapNum,
-    conversionDegree
+    conversionDegree,
+    EncryptRequest,
+    getServiceKey
 } from './util';
 import { CartoCSS, ThemeStyle } from './style';
 import {
@@ -498,6 +500,8 @@ export {
     isCORS,
     setCORS,
     FetchRequest,
+    EncryptRequest,
+    getServiceKey,
     ColorsPickerUtil,
     ArrayStatistic,
     getMeterPerMapUnit,

src/common/namespace.js

@@ -337,6 +337,8 @@ import {
   isCORS,
   setCORS,
   FetchRequest,
+  EncryptRequest,
+  getServiceKey,
   ColorsPickerUtil,
   ArrayStatistic,
   CartoCSS,
@@ -493,7 +495,8 @@ SuperMap.isCORS = isCORS;
 SuperMap.setRequestTimeout = setRequestTimeout;
 SuperMap.getRequestTimeout = getRequestTimeout;
 SuperMap.FetchRequest = FetchRequest;
-
+SuperMap.EncryptRequest = EncryptRequest;
+SuperMap.getServiceKey = getServiceKey;
 // commontypes
 SuperMap.inherit = inheritExt;
 SuperMap.mixin = mixinExt;

src/common/package.json

@@ -15,15 +15,17 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@antv/g6": "^4.8.14",
+    "@supermap/tile-decryptor": "^0.0.1",
     "echarts": "5.4.3",
     "fetch-ie8": "1.5.0",
     "fetch-jsonp": "1.1.3",
+    "flatgeobuf": "3.23.1",
     "promise-polyfill": "8.2.3",
     "lodash.topairs": "4.3.0",
     "lodash.uniqby": "^4.7.0",
     "lodash.clonedeep": "^4.5.0",
     "mapv": "2.0.62",
-    "flatgeobuf": "3.23.1",
+    "node-forge": "^1.3.1",
     "rbush": "^2.0.2",
     "urijs": "^1.19.11",
     "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"

src/common/util/EncryptRequest.js

@@ -0,0 +1,180 @@
+import { FetchRequest } from './FetchRequest';
+import {
+  RSAEncrypt,
+  AESGCMEncrypt,
+  AESGCMDecrypt,
+  generateAESRandomKey,
+  generateAESRandomIV
+} from './RequestcryptUtil';
+import URI from 'urijs';
+
+/**
+ * @name EncryptRequest
+ * @version 11.2.0
+ * @namespace
+ * @category BaseTypes Util
+ * @classdesc 加密请求地址
+ * @param {string} serverUrl - 服务地址。
+ */
+export class EncryptRequest {
+  constructor(serverUrl) {
+    this.serverUrl = serverUrl;
+    this.tunnelUrl = undefined;
+    this.blockedUrlRegex = {
+      HEAD: [],
+      POST: [],
+      GET: [],
+      PUT: [],
+      DELETE: []
+    };
+    this.encryptAESKey = generateAESRandomKey();
+    this.encryptAESIV = generateAESRandomIV();
+  }
+
+  /**
+   * @function EncryptRequest.prototype.request
+   * @description 加密请求地址。
+   * @param {Object} config - 加密请求参数。
+   * @param {string} config.method - 请求方法。
+   * @param {string} config.url - 请求地址。
+   * @param {string} config.params - 请求参数。
+   * @param {Object} config.options - 请求的配置属性。
+   * @returns {Promise} Promise 对象。
+   */
+  async request(options) {
+    if (!this.serverUrl) {
+      throw 'serverUrl can not be empty.';
+    }
+    const config = Object.assign({ baseURL: '' }, options);
+    const tunnelUrl = await this._createTunnel();
+    if (!tunnelUrl) {
+      return;
+    }
+    for (const pattern of this.blockedUrlRegex[config.method.toUpperCase()]) {
+      const regex = new RegExp(pattern);
+      if (regex.test(config.baseURL + config.url)) {
+        const data = {
+          url: config.baseURL + (config.url.startsWith('/') ? config.url.substring(1, config.url.length) : config.url),
+          method: config.method,
+          timeout: config.timeout,
+          headers: config.headers,
+          body: config.data
+        };
+        // 替换请求
+        config.method = 'post';
+        config.data = AESGCMEncrypt(this.encryptAESKey, this.encryptAESIV, JSON.stringify(data));
+        if (!config.data) {
+          throw 'encrypt failed';
+        }
+        config.url = this.tunnelUrl;
+        break;
+      }
+    }
+    const response = await FetchRequest.commit(config.method, config.url, config.data, config.options);
+    if (config.url === this.tunnelUrl) {
+      const result = await response.text();
+      const decryptResult = AESGCMDecrypt(this.encryptAESKey, this.encryptAESIV, result);
+      if (!decryptResult) {
+        console.debug('解密请求响应失败');
+        return;
+      }
+      const resultData = JSON.parse(decryptResult);
+      const resData = Object.create({
+        json: function () {
+          return Promise.resolve(resultData.data);
+        }
+      });
+      return Object.assign(resData, resultData);
+    }
+    return response;
+  }
+
+  /**
+   * @private
+   * @description 获取RSA public key
+   * @function EncryptRequest.prototype._getRSAPublicKey
+   */
+  async _getRSAPublicKey() {
+    try {
+      const response = await FetchRequest.get(URI(this.serverUrl).segment('services/security/tunnel/v1/publickey').toString());
+      // 解析publicKey
+      const publicKeyObj = await response.json();
+      // 生成AES密钥
+      const aesKeyObj = {
+        key: this.encryptAESKey,
+        iv: this.encryptAESIV,
+        mode: 'GCM',
+        padding: 'NoPadding'
+      };
+      // 将AES密钥使用RSA公钥加密
+      const aesCipherText = RSAEncrypt(publicKeyObj.publicKey, aesKeyObj.key + aesKeyObj.iv);
+      return aesCipherText;
+    } catch (error) {
+      console.debug('RSA公钥获取失败，错误详情：' + error);
+    }
+  }
+
+  /**
+   * @private
+   * @description 创建隧道
+   * @function EncryptRequest.prototype._createTunnel
+   */
+  async _createTunnel() {
+    if (!this.tunnelUrl) {
+      try {
+        const data = await this._getRSAPublicKey();
+        if (!data) {
+          throw 'fetch RSA publicKey failed';
+        }
+        // 创建隧道
+        const response = await FetchRequest.post(URI(this.serverUrl).segment('services/security/tunnel/v1/tunnels').toString(), data);
+        const result = await response.json();
+        Object.assign(this, {
+          tunnelUrl: result.tunnelUrl,
+          blockedUrlRegex: Object.assign({}, this.blockedUrlRegex, result.blockedUrlRegex)
+        });
+      } catch (error) {
+        console.debug('安全隧道创建失败，错误详情：' + error);
+      }
+    }
+    return this.tunnelUrl;
+  }
+}
+
+/**
+ * @function getServiceKey
+ * @version 11.2.0
+ * @category iServer
+ * @description 获取矢量瓦片解密密钥
+ * @param {string} serviceUrl - iserver服务地址,例如： 'http://127.0.0.1:8090/iserver/services/xxx'、 'http://127.0.0.1:8090/iserver/services/xxx/rest/maps' 、 'http://127.0.0.1:8090/iserver/services/xxx/restjsr/v1/vectortile'
+ * @return {Promise} key - 矢量瓦片密钥
+ */
+export async function getServiceKey(serviceUrl) {
+  try {
+    const workspaceServerUrl = ((serviceUrl &&
+      serviceUrl.match(/.+(?=(\/restjsr\/v1\/vectortile\/|\/rest\/maps\/))/)) ||
+      [])[0];
+    if (!workspaceServerUrl) {
+      return;
+    }
+    const servicesResponse = await FetchRequest.get(workspaceServerUrl);
+    const servicesResult = await servicesResponse.json();
+    const matchRestData = (servicesResult || []).find(
+      (item) => serviceUrl.includes(item.name) && item.serviceEncryptInfo
+    );
+    if (!matchRestData) {
+      return;
+    }
+    const iserverHost = workspaceServerUrl.split('/services/')[0];
+    const encryptRequest = new EncryptRequest(iserverHost);
+    const svckeyUrl =
+      matchRestData && `${iserverHost}/services/security/svckeys/${matchRestData.serviceEncryptInfo.encrptKeyID}.json`;
+    const svcReponse = await encryptRequest.request({
+      method: 'get',
+      url: svckeyUrl
+    });
+    return svcReponse.json();
+  } catch (error) {
+    console.error(error);
+  }
+}

src/common/util/RequestcryptUtil.js

@@ -0,0 +1,120 @@
+// import pki from 'node-forge/lib/pki';
+// import md from 'node-forge/lib/md';
+// import cipher from 'node-forge/lib/cipher';
+// import util from 'node-forge/lib/util';
+import { pki, md, cipher, util } from 'node-forge/dist/forge.min';
+
+/**
+ * @private
+ * @function RSAEncrypt
+ * @description RSAES-OAEP/SHA-256/MGF1-SHA-1加密，对应java的RSA/ECB/OAEPWithSHA-256AndMGF1Padding
+ * @param publicKeyStr - RSA 公钥
+ * @param message - 需要加密的信息
+ * @returns {string|boolean} 加密成功返回base64编码的密文，加密失败返回false
+ */
+export function RSAEncrypt (publicKeyStr, message) {
+    if (publicKeyStr && publicKeyStr.indexOf('BEGIN PUBLIC KEY') === -1) { // 转为PEM格式
+        publicKeyStr = `-----BEGIN PUBLIC KEY-----\n${publicKeyStr}\n-----END PUBLIC KEY-----`;
+    }
+    const publicKey = pki.publicKeyFromPem(publicKeyStr);
+    const obj = {
+                md: md.sha256.create(),
+                mgf1: {
+                    md: md.sha1.create()
+                }
+            };
+    const encrypted = publicKey.encrypt(message, 'RSA-OAEP', obj);
+    if (!encrypted) {
+        return false; // 加密失败
+    }
+    return window.btoa(encrypted);
+}
+
+/**
+ * @private
+ * @function AESGCMDecrypt
+ * @description AES/GCM解密
+ * @param key - 16位
+ * @param iv - 12位
+ * @param cipherText - 密文 = base64转码(加密内容 + 16位的mac值)
+ * @returns {boolean|string} 解密成功返回明文，解密失败返回false
+ */
+export function AESGCMDecrypt (key, iv, cipherText) {
+    const cipherStrAndMac = window.atob(cipherText);
+    const cipherStr = cipherStrAndMac.substring(0, cipherStrAndMac.length - 16);
+    const mac = cipherStrAndMac.substring(cipherStrAndMac.length - 16);
+    const decipher = cipher.createDecipher('AES-GCM', util.createBuffer(key));
+    decipher.start({
+        iv: util.createBuffer(iv),
+        additionalData: '', // optional
+        tagLength: 128, // optional, defaults to 128 bits
+        tag: mac // authentication tag from encryption
+    });
+    decipher.update(util.createBuffer(cipherStr));
+    const pass = decipher.finish();
+    if (pass) {
+        return util.decodeUtf8(decipher.output.data);
+    }
+    return false;
+}
+
+/**
+ * @private
+ * @function AESGCMEncrypt
+ * @description AES/GCM加密
+ * @param key - 16位
+ * @param iv - 12位
+ * @param msg - 明文
+ * @returns {boolean|string} 加密成功返回明文，加密失败返回false
+ */
+export function AESGCMEncrypt (key, iv, msg) {
+    msg = util.encodeUtf8(msg);
+    const cipherInstance = cipher.createCipher('AES-GCM', key);
+    cipherInstance.start({
+        iv: iv,
+        additionalData: '', // 'binary-encoded string', // optional
+        tagLength: 128 // optional, defaults to 128 bits
+    });
+    cipherInstance.update(util.createBuffer(msg));
+    const pass = cipherInstance.finish();
+    if (pass) {
+        const encrypted = cipherInstance.output;
+        const tag = cipherInstance.mode.tag;
+        return window.btoa(encrypted.data + tag.data);
+    }
+    return false;
+}
+
+/**
+ * @private
+ * @function generateAESRandomKey
+ * @description 生成随机的16位 AES key
+ * @returns {string}
+ */
+export function generateAESRandomKey () {
+    return randomString(16);
+}
+
+/**
+ * @private
+ * @function generateAESRandomIV
+ * @description 生成随机的12位 AES iv
+ * @returns {string}
+ */
+export function generateAESRandomIV () {
+    return randomString(12);
+}
+
+/**
+ * @private
+ * @function randomString
+ * @description 生成指定长度的随机字符串
+ * @param length - 随机字符串长度
+ * @returns {string}
+ */
+function randomString (length) {
+    const str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    let result = '';
+    for (let i = length; i > 0; --i) { result += str[Math.floor(Math.random() * str.length)]; }
+    return result;
+}