team/tyapi-server
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2dcba2e5d9e83c9b30741b1db39a7596b2a43ca8
tyapi-server/internal/application/api/query_whitelist_public_service.go

312 lines
9.5 KiB
Go
Raw Normal View History

f
2026-06-19 10:49:13 +08:00
package api
import (
"context"
"crypto/subtle"
"encoding/json"
fadd
2026-06-19 10:56:52 +08:00
"errors"
"fmt"
f
2026-06-19 10:49:13 +08:00
"strings"
"tyapi-server/internal/application/api/dto"
"tyapi-server/internal/config"
"tyapi-server/internal/domains/api/entities"
api_services "tyapi-server/internal/domains/api/services"
"tyapi-server/internal/shared/crypto"
"go.uber.org/zap"
fadd
2026-06-19 10:56:52 +08:00
"gorm.io/gorm"
f
2026-06-19 10:49:13 +08:00
)
const queryWhitelistMgmtKeyHeader = "Whitelist-Mgmt-Key"
// QueryWhitelistMgmtKeyHeader 公开接口管理密钥请求头名
func QueryWhitelistMgmtKeyHeader() string {
return queryWhitelistMgmtKeyHeader
}
fadd
2026-06-19 10:56:52 +08:00
// CreateEntryPublic 公开接口:新建规则(同用户+身份证+姓名已存在则拒绝)
f
2026-06-19 10:49:13 +08:00
func (s *QueryWhitelistApplicationServiceImpl) CreateEntryPublic(
ctx context.Context,
headerAccessID, managementKey, clientIP, encryptedData string,
) (*dto.QueryWhitelistEntryResponse, string, error) {
fadd
2026-06-19 10:56:52 +08:00
apiUser, payload, err := s.preparePublicRequest(ctx, headerAccessID, managementKey, clientIP, encryptedData)
if err != nil {
return nil, "", err
}
createdBy := "public_api:" + strings.TrimSpace(headerAccessID)
resp, err := s.createEntry(ctx, createdBy, &dto.QueryWhitelistEntryRequest{
UserID: apiUser.UserId,
Name: payload.Name,
IDCard: payload.IDCard,
APICodes: payload.APICodes,
Remark: payload.Remark,
}, clientIP)
return resp, apiUser.SecretKey, MapWhitelistAppError(err)
}
// AppendEntryPublic 公开接口:向已有规则追加 api_codes去重合并不新建记录
func (s *QueryWhitelistApplicationServiceImpl) AppendEntryPublic(
ctx context.Context,
headerAccessID, managementKey, clientIP, encryptedData string,
) (*dto.QueryWhitelistEntryResponse, string, error) {
apiUser, payload, err := s.preparePublicRequest(ctx, headerAccessID, managementKey, clientIP, encryptedData)
if err != nil {
return nil, "", err
}
if err := validateIDCard(payload.IDCard); err != nil {
return nil, "", MapWhitelistAppError(err)
}
if strings.TrimSpace(payload.Name) == "" {
return nil, "", ErrRequestParam
}
userID := apiUser.UserId
idCardHash := api_services.HashIDCard(payload.IDCard)
name := normalizeWhitelistName(payload.Name)
entry, err := s.repo.FindByUserIDCardHashAndName(ctx, userID, idCardHash, name)
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return nil, "", ErrWhitelistNotFound
}
return nil, "", err
}
for _, code := range entry.APICodes {
if code == "*" {
return nil, "", ErrRequestParam
}
}
merged := mergeAPICodes([]string(entry.APICodes), payload.APICodes)
entry.APICodes = entities.APICodeList(merged)
if remark := strings.TrimSpace(payload.Remark); remark != "" {
entry.Remark = remark
}
updatedBy := "public_api_append:" + strings.TrimSpace(headerAccessID)
entry.UpdatedBy = &updatedBy
entry.OperationIP = strings.TrimSpace(clientIP)
if err := s.repo.Update(ctx, entry); err != nil {
return nil, "", err
}
s.queryWhitelistSvc.InvalidateCache(entry.UserID, idCardHash)
resp := dto.NewQueryWhitelistEntryResponse(entry)
return &resp, apiUser.SecretKey, nil
}
func (s *QueryWhitelistApplicationServiceImpl) preparePublicRequest(
ctx context.Context,
headerAccessID, managementKey, clientIP, encryptedData string,
) (*entities.ApiUser, dto.QueryWhitelistPublicPayload, error) {
f
2026-06-19 10:49:13 +08:00
if !s.config.QueryWhitelist.PublicAPI.Enabled {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrPublicAPIDisabled
f
2026-06-19 10:49:13 +08:00
}
if strings.TrimSpace(managementKey) == "" {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrMissingMgmtKey
f
2026-06-19 10:49:13 +08:00
}
if !constantTimeEqual(managementKey, s.config.QueryWhitelist.PublicAPI.ManagementKey) {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrInvalidMgmtKey
f
2026-06-19 10:49:13 +08:00
}
headerAccessID = strings.TrimSpace(headerAccessID)
if headerAccessID == "" {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrMissingAccessId
f
2026-06-19 10:49:13 +08:00
}
apiUser, err := s.apiUserService.LoadApiUserByAccessId(ctx, headerAccessID)
if err != nil {
s.logger.Warn("公开白名单接口 AccessId 无效", zap.String("access_id", headerAccessID), zap.Error(err))
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrInvalidAccessId
f
2026-06-19 10:49:13 +08:00
}
if apiUser.IsFrozen() {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrFrozenAccount
f
2026-06-19 10:49:13 +08:00
}
decrypted, err := crypto.AesDecrypt(encryptedData, apiUser.SecretKey)
if err != nil {
s.logger.Warn("公开白名单接口解密失败", zap.String("access_id", headerAccessID), zap.Error(err))
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrDecryptFail
f
2026-06-19 10:49:13 +08:00
}
var raw map[string]json.RawMessage
if err := json.Unmarshal(decrypted, &raw); err != nil {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrRequestParam
f
2026-06-19 10:49:13 +08:00
}
if err := validatePublicAPICodesField(raw["api_codes"]); err != nil {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, MapWhitelistAppError(err)
f
2026-06-19 10:49:13 +08:00
}
var payload dto.QueryWhitelistPublicPayload
if err := json.Unmarshal(decrypted, &payload); err != nil {
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrRequestParam
f
2026-06-19 10:49:13 +08:00
}
if !s.config.App.IsDevelopment() && !apiUser.IsWhiteListed(clientIP) {
s.logger.Warn("公开白名单接口 IP 未授权",
zap.String("access_id", headerAccessID),
zap.String("client_ip", clientIP))
fadd
2026-06-19 10:56:52 +08:00
return nil, dto.QueryWhitelistPublicPayload{}, ErrInvalidIP
f
2026-06-19 10:49:13 +08:00
}
fadd
2026-06-19 10:56:52 +08:00
return apiUser, payload, nil
f
2026-06-19 10:49:13 +08:00
}
func (s *QueryWhitelistApplicationServiceImpl) createEntry(
ctx context.Context,
createdBy string,
req *dto.QueryWhitelistEntryRequest,
operationIP string,
) (*dto.QueryWhitelistEntryResponse, error) {
if err := validateQueryWhitelistRequest(req.UserID, req.Name, req.IDCard, req.APICodes); err != nil {
return nil, err
}
idCardHash := api_services.HashIDCard(req.IDCard)
exists, err := s.repo.ExistsByUserIDCardHashAndName(ctx, req.UserID, idCardHash, strings.TrimSpace(req.Name), "")
if err != nil {
return nil, err
}
if exists {
return nil, fmt.Errorf("该用户下已存在相同的身份证与姓名规则")
}
entry := &entities.QueryWhitelistEntry{
UserID: strings.TrimSpace(req.UserID),
Name: normalizeWhitelistName(req.Name),
IDCardHash: idCardHash,
IDCardMasked: api_services.MaskIDCard(req.IDCard),
APICodes: entities.APICodeList(req.APICodes),
Status: entities.QueryWhitelistStatusEnabled,
Remark: strings.TrimSpace(req.Remark),
OperationIP: strings.TrimSpace(operationIP),
CreatedBy: &createdBy,
}
if err := s.repo.Create(ctx, entry); err != nil {
return nil, err
}
s.queryWhitelistSvc.InvalidateCache(entry.UserID, idCardHash)
resp := dto.NewQueryWhitelistEntryResponse(entry)
return &resp, nil
}
fadd
2026-06-19 10:56:52 +08:00
// mergeAPICodes 合并接口编码并去重,保持原有顺序,新增编码追加在后
func mergeAPICodes(existing, incoming []string) []string {
seen := make(map[string]struct{}, len(existing)+len(incoming))
result := make([]string, 0, len(existing)+len(incoming))
for _, code := range existing {
code = strings.TrimSpace(code)
if code == "" {
continue
}
if _, ok := seen[code]; ok {
continue
}
seen[code] = struct{}{}
result = append(result, code)
}
for _, code := range incoming {
code = strings.TrimSpace(code)
if code == "" {
continue
}
if _, ok := seen[code]; ok {
continue
}
seen[code] = struct{}{}
result = append(result, code)
}
return result
}
f
2026-06-19 10:49:13 +08:00
func constantTimeEqual(a, b string) bool {
return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}
// validatePublicAPICodesField 公开接口api_codes 必须为 string 数组,且禁止通配符 *
func validatePublicAPICodesField(raw json.RawMessage) error {
if len(raw) == 0 {
return fmt.Errorf("api_codes 必填且必须为 string 数组")
}
var probe interface{}
if err := json.Unmarshal(raw, &probe); err != nil {
return fmt.Errorf("api_codes 必须为 string 数组")
}
arr, ok := probe.([]interface{})
if !ok {
return fmt.Errorf("api_codes 必须为 string 数组,不可传字符串或其他类型")
}
if len(arr) == 0 {
return fmt.Errorf("api_codes 不能为空")
}
codes := make([]string, 0, len(arr))
for _, item := range arr {
s, ok := item.(string)
if !ok {
return fmt.Errorf("api_codes 数组元素必须为 string")
}
code := strings.TrimSpace(s)
if code == "" {
return fmt.Errorf("api_codes 不能包含空值")
}
if code == "*" {
return fmt.Errorf("公开接口不允许 api_codes 使用通配符 *")
}
codes = append(codes, code)
}
return validateAPICodes(codes)
}
// ValidatePublicAPIManagementKey 校验平台管理密钥
func ValidatePublicAPIManagementKey(cfg *config.Config, key string) error {
if !cfg.QueryWhitelist.PublicAPI.Enabled {
return ErrPublicAPIDisabled
}
if strings.TrimSpace(key) == "" {
return ErrMissingMgmtKey
}
if !constantTimeEqual(key, cfg.QueryWhitelist.PublicAPI.ManagementKey) {
return ErrInvalidMgmtKey
}
return nil
}
// MapWhitelistAppError 将校验错误映射为公开 API 错误码
func MapWhitelistAppError(err error) error {
if err == nil {
return nil
}
msg := err.Error()
switch {
case strings.Contains(msg, "身份证号格式不正确"),
strings.Contains(msg, "api_codes"),
strings.Contains(msg, "name 不能为空"),
strings.Contains(msg, "user_id 不能为空"):
return ErrRequestParam
case strings.Contains(msg, "已存在"):
return ErrWhitelistExists
default:
return err
}
}
// PublicAPIErrorMessage 公开接口错误文案
func PublicAPIErrorMessage(err error) string {
if err == nil {
return ""
}
switch err {
case ErrWhitelistExists:
return "规则已存在"
fadd
2026-06-19 10:56:52 +08:00
case ErrWhitelistNotFound:
return "规则不存在,请先调用创建接口"
f
2026-06-19 10:49:13 +08:00
case ErrRequestParam:
return "请求参数结构不正确"
default:
return GetErrorMessage(err)
}
}
Reference in New Issue Copy Permalink