【feature】新增加密隧道工具; review by songym

Author: xiongjiaojiao

build/webpack.config.base.js

@@ -58,7 +58,12 @@ module.exports = {
 
  //其它解决方案配置
  resolve: {
- extensions: ['.js', '.json', '.css']
+ extensions: ['.js', '.json', '.css'],
+ fallback: {
+ crypto: false,
+ stream: false,
+ vm: false
+ }
  },
 
  externals: {

package.json

@@ -153,6 +153,7 @@
  "mapbox-gl": "1.13.2",
  "maplibre-gl": "3.1.0",
  "mapv": "2.0.62",
+ "node-forge": "^1.3.1",
  "ol": "6.14.1",
  "pbf": "3.2.1",
  "process": "^0.11.10",

src/common/index.common.js

@@ -333,7 +333,8 @@ import {
  ArrayStatistic,
  getMeterPerMapUnit,
  getWrapNum,
- conversionDegree
+ conversionDegree,
+ EncryptFetchRequestUtil
 } from './util';
 import { CartoCSS, ThemeStyle } from './style';
 import {
@@ -498,6 +499,7 @@ export {
  isCORS,
  setCORS,
  FetchRequest,
+ EncryptFetchRequestUtil,
  ColorsPickerUtil,
  ArrayStatistic,
  getMeterPerMapUnit,

src/common/namespace.js

@@ -337,6 +337,7 @@ import {
  isCORS,
  setCORS,
  FetchRequest,
+ EncryptFetchRequestUtil,
  ColorsPickerUtil,
  ArrayStatistic,
  CartoCSS,
@@ -493,6 +494,7 @@ SuperMap.isCORS = isCORS;
 SuperMap.setRequestTimeout = setRequestTimeout;
 SuperMap.getRequestTimeout = getRequestTimeout;
 SuperMap.FetchRequest = FetchRequest;
+SuperMap.EncryptFetchRequestUtil = EncryptFetchRequestUtil;
 
 // commontypes
 SuperMap.inherit = inheritExt;

src/common/package.json

@@ -18,12 +18,13 @@
  "echarts": "5.4.3",
  "fetch-ie8": "1.5.0",
  "fetch-jsonp": "1.1.3",
+ "flatgeobuf": "3.23.1",
  "promise-polyfill": "8.2.3",
  "lodash.topairs": "4.3.0",
  "lodash.uniqby": "^4.7.0",
  "lodash.clonedeep": "^4.5.0",
  "mapv": "2.0.62",
- "flatgeobuf": "3.23.1",
+ "node-forge": "^1.3.1",
  "rbush": "^2.0.2",
  "urijs": "^1.19.11",
  "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"

src/common/util/EncryptFetchRequestUtil.js

@@ -0,0 +1,111 @@
+import { FetchRequest } from './FetchRequest';
+import {
+ RSAEncrypt,
+ AESGCMEncrypt,
+ AESGCMDecrypt,
+ generateAESRandomKey,
+ generateAESRandomIV
+} from './RSAAndAESEn-DecryptorUtil';
+
+/**
+ * @private
+ * @name EncryptFetchRequestUtil
+ * @namespace
+ * @category BaseTypes Util
+ * @classdesc 加密请求地址
+ */
+export class EncryptFetchRequestUtil {
+ constructor(serverUrl = 'http://172.16.13.234:8090/iserver') {
+ this.serverUrl = serverUrl.split('').slice(-1)[0] === '/' ? serverUrl : `${serverUrl}/`;
+ this.tunnelUrl = undefined;
+ this.blockedUrlRegex = {
+ HEAD: [],
+ POST: [],
+ GET: [],
+ PUT: [],
+ DELETE: []
+ };
+ this.encryptAESKey = generateAESRandomKey();
+ this.encryptAESIV = generateAESRandomIV();
+ }
+
+ async encryptRequest(options) {
+ const config = Object.assign({ baseURL: '' }, options);
+ const tunnelUrl = await this.createTunnel();
+ if (!tunnelUrl) {
+ return;
+ }
+ for (const pattern of this.blockedUrlRegex[config.method.toUpperCase()]) {
+ const regex = new RegExp(pattern);
+ if (regex.test(config.baseURL + config.url)) {
+ const data = {
+ url: config.baseURL + (config.url.startsWith('/') ? config.url.substring(1, config.url.length) : config.url),
+ method: config.method,
+ timeout: config.timeout,
+ headers: config.headers,
+ body: config.data
+ };
+ // 替换请求
+ config.method = 'post';
+ config.data = AESGCMEncrypt(this.encryptAESKey, this.encryptAESIV, JSON.stringify(data));
+ if (!config.data) {
+ throw 'encrypt failed';
+ }
+ config.url = this.tunnelUrl;
+ break;
+ }
+ }
+ const response = await FetchRequest.commit(config.method, config.url, config.data, config.options);
+ if (config.url === this.tunnelUrl) {
+ const result = await response.text();
+ const decryptResult = AESGCMDecrypt(this.encryptAESKey, this.encryptAESIV, result);
+ if (!decryptResult) {
+ console.debug('解密请求响应失败');
+ return;
+ }
+ return JSON.parse(decryptResult).data;
+ }
+ return response;
+ }
+
+ async getRSAPublicKey() {
+ try {
+ const response = await FetchRequest.get(`${this.serverUrl}services/security/tunnel/v1/publickey`);
+ // 解析publicKey
+ const publicKeyObj = await response.json();
+ // 生成AES密钥
+ const aesKeyObj = {
+ key: this.encryptAESKey,
+ iv: this.encryptAESIV,
+ mode: 'GCM',
+ padding: 'NoPadding'
+ };
+ // 将AES密钥使用RSA公钥加密
+ const aesCipherText = RSAEncrypt(publicKeyObj.publicKey, aesKeyObj.key + aesKeyObj.iv);
+ return aesCipherText;
+ } catch (error) {
+ console.debug('RSA公钥获取失败，错误详情：' + error);
+ }
+ }
+
+ async createTunnel() {
+ if (!this.tunnelUrl) {
+ try {
+ const data = await this.getRSAPublicKey();
+ if (!data) {
+ throw 'fetch RSA publicKey failed';
+ }
+ // 创建隧道
+ const response = await FetchRequest.post(`${this.serverUrl}services/security/tunnel/v1/tunnels`, data);
+ const result = await response.json();
+ Object.assign(this, {
+ tunnelUrl: result.tunnelUrl,
+ blockedUrlRegex: Object.assign({}, this.blockedUrlRegex, result.blockedUrlRegex)
+ });
+ } catch (error) {
+ console.debug('安全隧道创建失败，错误详情：' + error);
+ }
+ }
+ return this.tunnelUrl;
+ }
+}

src/common/util/RSAAndAESEn-DecryptorUtil.js

@@ -0,0 +1,119 @@
+import pki from 'node-forge/lib/pki';
+import md from 'node-forge/lib/md';
+import cipher from 'node-forge/lib/cipher';
+import util from 'node-forge/lib/util';
+
+/**
+ * @private
+ * @function RSAEncrypt
+ * @description RSAES-OAEP/SHA-256/MGF1-SHA-1加密，对应java的RSA/ECB/OAEPWithSHA-256AndMGF1Padding
+ * @param publicKeyStr - RSA 公钥
+ * @param message - 需要加密的信息
+ * @returns {string|boolean} 加密成功返回base64编码的密文，加密失败返回false
+ */
+export function RSAEncrypt (publicKeyStr, message) {
+ if (publicKeyStr && publicKeyStr.indexOf('BEGIN PUBLIC KEY') === -1) { // 转为PEM格式
+ publicKeyStr = `-----BEGIN PUBLIC KEY-----\n${publicKeyStr}\n-----END PUBLIC KEY-----`;
+ }
+ const publicKey = pki.publicKeyFromPem(publicKeyStr);
+ const obj = {
+ md: md.sha256.create(),
+ mgf1: {
+ md: md.sha1.create()
+ }
+ };
+ const encrypted = publicKey.encrypt(message, 'RSA-OAEP', obj);
+ if (!encrypted) {
+ return false; // 加密失败
+ }
+ return window.btoa(encrypted);
+}
+
+/**
+ * @private
+ * @function AESGCMDecrypt
+ * @description AES/GCM解密
+ * @param key - 16位
+ * @param iv - 12位
+ * @param cipherText - 密文 = base64转码(加密内容 + 16位的mac值)
+ * @returns {boolean|string} 解密成功返回明文，解密失败返回false
+ */
+export function AESGCMDecrypt (key, iv, cipherText) {
+ const cipherStrAndMac = window.atob(cipherText);
+ const cipherStr = cipherStrAndMac.substring(0, cipherStrAndMac.length - 16);
+ const mac = cipherStrAndMac.substring(cipherStrAndMac.length - 16);
+ const decipher = cipher.createDecipher('AES-GCM', util.createBuffer(key));
+ decipher.start({
+ iv: util.createBuffer(iv),
+ additionalData: '', // optional
+ tagLength: 128, // optional, defaults to 128 bits
+ tag: mac // authentication tag from encryption
+ });
+ decipher.update(util.createBuffer(cipherStr));
+ const pass = decipher.finish();
+ if (pass) {
+ return util.decodeUtf8(decipher.output.data);
+ }
+ return false;
+}
+
+/**
+ * @private
+ * @function AESGCMEncrypt
+ * @description AES/GCM加密
+ * @param key - 16位
+ * @param iv - 12位
+ * @param msg - 明文
+ * @returns {boolean|string} 加密成功返回明文，加密失败返回false
+ */
+export function AESGCMEncrypt (key, iv, msg) {
+ msg = util.encodeUtf8(msg);
+ const cipherInstance = cipher.createCipher('AES-GCM', key);
+ cipherInstance.start({
+ iv: iv,
+ additionalData: '', // 'binary-encoded string', // optional
+ tagLength: 128 // optional, defaults to 128 bits
+ });
+ cipherInstance.update(util.createBuffer(msg));
+ const pass = cipherInstance.finish();
+ if (pass) {
+ const encrypted = cipherInstance.output;
+ const tag = cipherInstance.mode.tag;
+ return window.btoa(encrypted.data + tag.data);
+ }
+ return false;
+}
+
+/**
+ * @private
+ * @function generateAESRandomKey
+ * @description 生成随机的16位 AES key
+ * @returns {string}
+ */
+export function generateAESRandomKey () {
+ return randomString(16);
+}
+
+/**
+ * @private
+ * @function generateAESRandomIV
+ * @description 生成随机的12位 AES iv
+ * @returns {string}
+ */
+export function generateAESRandomIV () {
+ return randomString(12);
+}
+
+/**
+ * @private
+ * @function randomString
+ * @description 生成指定长度的随机字符串
+ * @param length - 随机字符串长度
+ * @returns {string}
+ */
+function randomString (length) {
+ const str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+ let result = '';
+ for (let i = length; i > 0; --i) { result += str[Math.floor(Math.random() * str.length)]; }
+ return result;
+}