Merge branch 'v2022.2.1'

.github/workflows/ci.yml

@@ -5,23 +5,25 @@ name: Java CI with Maven
 on:
   push:
     branches:
+      - main
       - master
       - dev
+      - develop
   pull_request:
     types: [opened, synchronize, reopened]
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '17'
 
       - name: Cache local Maven repository
@@ -43,11 +45,8 @@ jobs:
       - name: Test with Maven
         run: mvn -B test -DskipTests=false
       - name: Upload to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
-          # token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
-          # files: ./coverage1.xml,./coverage2.xml # optional
-          flags: unittests # optional
-          name: codecov-umbrella # optional
-          fail_ci_if_error: true # optional (default = false)
-          verbose: true # optional (default = false)
+          # possibly other stuff
+          token: ${{ secrets.CODECOV_ORG_TOKEN }}
+          fail_ci_if_error: false  # or true if you want CI to fail when Codecov fails

.github/workflows/codacy.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI

.github/workflows/codeql-analysis.yml

@@ -2,7 +2,7 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "master","dev" ]
+    branches: [ "master","main" ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ "dev" ]
@@ -27,7 +27,25 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '17'
+
+    - name: Cache local Maven repository
+      uses: actions/[email protected]
+      env:
+        cache-name: cache-mvn
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-build-${{ env.cache-name }}-
+          ${{ runner.os }}-build-
+          ${{ runner.os }}-
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/oss-deploy.yml

@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '17'
 
       - name: Cache local Maven repository
@@ -39,8 +39,9 @@ jobs:
 #        run: mvn deploy
 #        env:
 #          GITHUB_TOKEN: ${{ github.token }} # GITHUB_TOKEN is the default env for the password
+
       - name: Import GPG
-        uses: crazy-max/ghaction-import-gpg@v5.3.0
+        uses: crazy-max/ghaction-import-gpg@v5
         with:
           gpg_private_key: ${{ secrets.MAVEN_GPG_KEY }}
           passphrase: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
@@ -49,5 +50,5 @@ jobs:
         run: ./mvnw --settings ./ossrh-settings.xml clean deploy -Dgpg.passphrase=${MAVEN_GPG_PASSPHRASE} -DskipTests=true -P 'oss-release'
         env:
           MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
-          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+          OSSRH_USERNAME: ${{ secrets.OSSRH_TOKEN_USER }}
+          OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN_PWD }}

.github/workflows/qodana-analysis.yml

@@ -7,7 +7,8 @@ on:
       - main
       - master
       - dev
-      - 'releases/*'
+      - develop
+      #- 'releases/*'
 
 jobs:
   qodana:
@@ -17,15 +18,15 @@ jobs:
       pull-requests: write
       checks: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit
           fetch-depth: 0  # a full history is required for pull request analysis
 
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '17'
 
       - name: Cache local Maven repository

README.md

@@ -1,4 +1,4 @@
-[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.power4j.fist/fist-kit-dependencies/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.power4j.fist/fist-kit-dependencies)
+[![Maven Central Version](https://img.shields.io/maven-central/v/com.power4j.fist/fist-kit-dependencies)](https://central.sonatype.com/artifact/com.power4j.fist/fist-kit-dependencies)
 ## 技术栈
 
 - JDK: `11`

fist-kit-app/fist-security/fist-support-security/pom.xml

@@ -61,6 +61,10 @@
       <groupId>org.springframework</groupId>
       <artifactId>spring-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.seancfoley</groupId>
+      <artifactId>ipaddress</artifactId>
+    </dependency>
     <!-- optional -->
     <dependency>
       <groupId>io.projectreactor</groupId>
@@ -92,7 +96,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.77</version>
+      <version>1.78.1</version>
       <scope>test</scope>
     </dependency>
     <dependency>

fist-kit-app/fist-security/fist-support-security/src/main/java/com/power4j/fist/boot/security/inner/TrustedUserFilter.java

@@ -21,11 +21,14 @@
 import com.power4j.fist.boot.security.context.UserContextHolder;
 import com.power4j.fist.boot.security.core.SecurityConstant;
 import com.power4j.fist.boot.security.core.UserInfo;
+import inet.ipaddr.AddressStringException;
+import inet.ipaddr.IPAddress;
+import inet.ipaddr.IPAddressString;
 import lombok.RequiredArgsConstructor;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.lang.Nullable;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import javax.servlet.FilterChain;
@@ -34,9 +37,8 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.InetAddress;
+import java.util.ArrayList;
 import java.util.Collection;
-import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
 
 /**
  * @author CJ ([email protected])
@@ -54,15 +56,24 @@ public class TrustedUserFilter extends OncePerRequestFilter {
 	@Setter
 	private boolean strictMode = true;
 
-	@Override
-	public void afterPropertiesSet() throws ServletException {
-		postCheck();
-		super.afterPropertiesSet();
-	}
+	private final Collection<IPAddress> whitelist = new ArrayList<>(4);
 
-	@Nullable
-	@Setter
-	private Collection<String> whitelist;
+	public void setWhitelist(Collection<String> list) {
+		whitelist.clear();
+		if (ObjectUtils.isNotEmpty(list)) {
+			for (String p : list) {
+				try {
+					IPAddressString ip = new IPAddressString(p);
+					ip.validate();
+					whitelist.add(ip.getAddress());
+				}
+				catch (AddressStringException e) {
+					String msg = "非法IP地址:" + p;
+					throw new IllegalArgumentException(msg, e);
+				}
+			}
+		}
+	}
 
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@@ -92,32 +103,19 @@ else if (e.getCause() instanceof IOException) {
 		}
 	}
 
-	void postCheck() {
-		if (whitelist != null) {
-			for (String p : whitelist) {
-				try {
-					Pattern.compile(p);
-				}
-				catch (PatternSyntaxException e) {
-					log.error("表达式非法:{}", p);
-					throw e;
-				}
-			}
-		}
-	}
-
 	private boolean isTrusted(HttpServletRequest request) {
 		if (strictMode) {
 			String ip = request.getRemoteAddr();
-			if (whitelist != null && whitelist.stream().anyMatch(ip::matches)) {
-				return true;
+			if (ObjectUtils.isNotEmpty(whitelist)) {
+				IPAddress reqAddr = new IPAddressString(ip).getAddress();
+				return whitelist.stream().anyMatch(addr -> addr.contains(reqAddr));
 			}
 			else {
 				InetAddress address = NetKit.parse(ip);
 				if (address.isLoopbackAddress() || address.isSiteLocalAddress()) {
 					return true;
 				}
-				log.warn("认证信息不可信");
+				log.warn("认证信息不可信,来源:{}", ip);
 				return false;
 			}
 		}

fist-kit-app/fist-security/fist-support-security/src/main/java/com/power4j/fist/security/core/authorization/config/GlobalAuthorizationProperties.java

@@ -23,6 +23,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -55,6 +56,8 @@ public class GlobalAuthorizationProperties {
 
 	private Auth auth = new Auth();
 
+	private AccessIpConfig accessIp = new AccessIpConfig();
+
 	@Data
 	public static class Auth {
 
@@ -81,4 +84,20 @@ public static class SafeModeConfig {
 
 	}
 
+	@Data
+	public static class AccessIpConfig {
+
+		/** 用户访问IP的最大解析索引,用于防止IP欺骗 */
+		private int maxTrustResolves = 64;
+
+		/** 所有用户的IP白名单(CIDR) */
+		private List<String> global = Collections.singletonList("0.0.0.0/0");
+
+		/**
+		 * 针对特定用户的IP白名单(CIDR)
+		 */
+		private Map<String, List<String>> rules = Collections.emptyMap();
+
+	}
+
 }

fist-kit-app/fist-web/fist-boot-web-app/pom.xml

@@ -68,7 +68,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.77</version>
+      <version>1.78.1</version>
       <scope>test</scope>
     </dependency>
   </dependencies>

fist-kit-app/fist-web/fist-boot-web-app/src/main/java/com/power4j/fist/boot/common/jackson/JacksonConfig.java

@@ -16,10 +16,13 @@
 
 package com.power4j.fist.boot.common.jackson;
 
+import com.fasterxml.jackson.databind.AnnotationIntrospector;
 import com.fasterxml.jackson.databind.Module;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.introspect.AnnotationIntrospectorPair;
 import com.power4j.fist.boot.common.jackson.module.DateTimeModule;
 import com.power4j.fist.boot.common.jackson.module.NumberStrModule;
+import com.power4j.fist.jackson.support.obfuscation.ObfuscatedAnnotationIntrospector;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ObjectUtils;
@@ -72,6 +75,7 @@ public Jackson2ObjectMapperBuilderCustomizer customizer() {
 			applyTimeZone(builder);
 			applySimpleDateFormat(builder);
 			applyModules(builder);
+			applyExtra(builder);
 		};
 	}
 
@@ -111,4 +115,10 @@ private void applyModules(Jackson2ObjectMapperBuilder builder) {
 		}
 	}
 
+	private void applyExtra(Jackson2ObjectMapperBuilder builder) {
+		log.info("Install extra Serializer/Deserializer");
+		builder.annotationIntrospector(
+				introspector -> AnnotationIntrospectorPair.pair(introspector, new ObfuscatedAnnotationIntrospector()));
+	}
+
 }

fist-kit-app/fist-web/fist-support-web/pom.xml

@@ -41,6 +41,10 @@
       <groupId>com.power4j.fist</groupId>
       <artifactId>fist-support-spring</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.power4j.fist</groupId>
+      <artifactId>fist-jackson</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>