//加密
static encryptAES(data, key) {
  const dataBytes = CryptoJS.enc.Utf8.parse(data);
  const keyBytes = CryptoJS.enc.Utf8.parse(key);
  const encrypted = CryptoJS.AES.encrypt(dataBytes, keyBytes, {
    iv: keyBytes,
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7
  });
  return CryptoJS.enc.Base64.stringify(encrypted.ciphertext);
}

 @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        if (!cryptoProperties.isEnabled()) {
            return chain.filter(exchange);
        }
        ServerHttpRequest request = exchange.getRequest();
        //校驗請求路徑跳過加密
        String originalRequestUrl = RequestProvider.getOriginalRequestUrl(exchange);
        String path = exchange.getRequest().getURI().getPath();
        if (isSkip(path) || isSkip(originalRequestUrl)) {
            return chain.filter(exchange);
        }

        HttpHeaders headers = request.getHeaders();
        MediaType contentType = headers.getContentType();

        //后期算法升級擴展,暫時只判斷是否相等
        if (!cryptoProperties.getCryptoVersion().equals(headers.getFirst(cryptoProperties.getCryptoVersionHeader()))) {
            return Mono.error(new CryptoException("加密版本不支持"));
        }

        if (request.getMethod() == HttpMethod.GET) {
            return this.handleGetReq(exchange, chain);
        } else if (request.getMethod() == HttpMethod.POST &&
                (contentType == null ||
                        MediaType.APPLICATION_JSON.equals(contentType) ||
                        MediaType.APPLICATION_JSON_UTF8.equals(contentType))) {
            return this.handlePostReq(exchange, chain);
        } else {
            return chain.filter(exchange);
        }
    }

//構(gòu)造查詢參數(shù)Map
        MultiValueMap<String, String> map = buildMultiValueMap(dataJson);
        //新的解密后的uri
        ServerHttpRequest newHttpRequest = this.buildNewServerHttpRequest(request, map);
        //新的解密后的uri request
        ServerHttpRequestDecorator decorator = new ServerHttpRequestDecorator(newHttpRequest) {
            @Override
            public MultiValueMap<String, String> getQueryParams() {
                return map;
            }

        };

//構(gòu)造一個請求包裝
        final MultiValueMap<String, String> finalQueryParamMap = new LinkedMultiValueMap<>(queryParamMap);
        ServerHttpRequestDecorator decorator = new ServerHttpRequestDecorator(request) {

            @Override
            public HttpHeaders getHeaders() {
                HttpHeaders httpHeaders = new HttpHeaders();
                httpHeaders.putAll(super.getHeaders());
                httpHeaders.remove(HttpHeaders.CONTENT_LENGTH);
                httpHeaders.set(HttpHeaders.TRANSFER_ENCODING, "chunked");
                return httpHeaders;
            }

            //處理post url傳參解密
            @Override
            public MultiValueMap<String, String> getQueryParams() {
                if (queryParamsDecrypt) {
                    return finalQueryParamMap;
                }
                return super.getQueryParams();
            }

            @Override
            public Flux<DataBuffer> getBody() {
                //注意: 這里需要buffer一下,拿到完整報文后再map解密
                return super.getBody().buffer().map(buffer -> {
                    DataBuffer joinDataBuffer = dataBufferFactory.join(buffer);
                    byte[] content = new byte[joinDataBuffer.readableByteCount()];
                    joinDataBuffer.read(content);
                    DataBufferUtils.release(joinDataBuffer);
                    String decryptData = new String(content, StandardCharsets.UTF_8);
                    log.info("post decryptData: {}", decryptData);
                    if (!queryParamsDecrypt && StringUtils.isEmpty(decryptData)) {
                        throw new CryptoException("參數(shù)格式錯誤");
                    } else {
                        JSONObject dataJsonObj = JSON.parseObject(decryptData);
                        if (!queryParamsDecrypt && !dataJsonObj.containsKey(cryptoProperties.getParamName())) {
                            throw new CryptoException("參數(shù)格式錯誤");
                        }
                        byte[] bytes = AesUtil.decryptFormBase64(dataJsonObj.getString(cryptoProperties.getParamName()), cryptoProperties.getAesKey());
                        return dataBufferFactory.wrap(Objects.requireNonNull(bytes));
                    }
                });

class CryptoServerHttpResponseDecorator extends ServerHttpResponseDecorator {
        final DataBufferFactory bufferFactory;
        boolean isPass = false;
        public CryptoServerHttpResponseDecorator(ServerHttpResponse delegate) {
            super(delegate);
            bufferFactory = delegate.bufferFactory();
        }

        @Override
        public HttpHeaders getHeaders() {
            HttpHeaders headers = super.getHeaders();
            //同一個請求此處有可能調(diào)用多次,先重置為false
            isPass = false;
            if (headers.getContentType() != null &&
                    !MediaType.APPLICATION_JSON.equals(headers.getContentType()) &&
                    !MediaType.APPLICATION_JSON_UTF8.equals(headers.getContentType())) {
                //相應(yīng)體ContentType只處理json
                isPass = true;
            } else if (!headers.containsKey(cryptoProperties.getCryptoVersionHeader())) {
                //添加version響應(yīng)頭
                headers.add(cryptoProperties.getCryptoVersionHeader(), cryptoProperties.getCryptoVersion());
            }
            return headers;
        }

        //調(diào)用 writeWith 和 writeAndFlushWith 判斷: NettyWriteResponseFilter

        // application/json;charset=UTF-8 走這里
        @Override
        public Mono<Void> writeWith(Publisher<? extends DataBuffer> body) {
            if (body instanceof Flux && !isPass) {
                Flux<? extends DataBuffer> fluxBody = (Flux<? extends DataBuffer>) body;
                return super.writeWith(fluxBody.buffer().map(dataBuffer -> {
                    DataBuffer joinDataBuffer = bufferFactory.join(dataBuffer);
                    byte[] content = new byte[joinDataBuffer.readableByteCount()];
                    joinDataBuffer.read(content);
                    DataBufferUtils.release(joinDataBuffer);
                    Map<String, String> data = new HashMap<>(1);
                    data.put(cryptoProperties.getParamName(), AesUtil.encryptToBase64(content, cryptoProperties.getAesKey()));
                    return bufferFactory.wrap(JSON.toJSONString(data).getBytes(StandardCharsets.UTF_8));
                }));
            }
            return super.writeWith(body);
        }

        // StreamingMediaType類型:application/stream 和 application/stream+json 走這里
        @Override
        public Mono<Void> writeAndFlushWith(Publisher<? extends Publisher<? extends DataBuffer>> body) {
            return super.writeAndFlushWith(body);
        }
    }

package org.xx.xx.gateway.filter;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.google.common.collect.Lists;
import io.netty.buffer.ByteBufAllocator;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.reactivestreams.Publisher;
import org.xx.xx.gateway.props.CryptoProperties;
import org.xx.xx.gateway.provider.RequestProvider;
import org.xx.xx.gateway.provider.ResponseProvider;
import org.xx.xx.gateway.util.AesUtil;
import org.xx.xx.gateway.util.StringPool;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferFactory;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.core.io.buffer.NettyDataBufferFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.http.server.reactive.ServerHttpResponseDecorator;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * CryptoFilter
 *
 * @author lizheng 
 * @version 1.0
 * @date 2022/3/11 上午10:57
 */
@Slf4j
@RequiredArgsConstructor
@Configuration
@ConditionalOnProperty(value = "gateway.crypto.enabled", havingValue = "true", matchIfMissing = true)
public class CryptoFilter implements GlobalFilter, Ordered {

    private final AntPathMatcher antPathMatcher = new AntPathMatcher();
    private final DataBufferFactory dataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);

    private final CryptoProperties cryptoProperties;

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        if (!cryptoProperties.isEnabled()) {
            return chain.filter(exchange);
        }
        ServerHttpRequest request = exchange.getRequest();
        //校驗請求路徑跳過加密
        String originalRequestUrl = RequestProvider.getOriginalRequestUrl(exchange);
        String path = exchange.getRequest().getURI().getPath();
        if (isSkip(path) || isSkip(originalRequestUrl)) {
            return chain.filter(exchange);
        }

        HttpHeaders headers = request.getHeaders();
        MediaType contentType = headers.getContentType();

        //后期算法升級擴展,暫時只判斷是否相等
        if (!cryptoProperties.getCryptoVersion().equals(headers.getFirst(cryptoProperties.getCryptoVersionHeader()))) {
            return Mono.error(new CryptoException("加密版本不支持"));
        }

        if (request.getMethod() == HttpMethod.GET) {
            return this.handleGetReq(exchange, chain);
        } else if (request.getMethod() == HttpMethod.POST &&
                (contentType == null ||
                        MediaType.APPLICATION_JSON.equals(contentType) ||
                        MediaType.APPLICATION_JSON_UTF8.equals(contentType))) {
            return this.handlePostReq(exchange, chain);
        } else {
            return chain.filter(exchange);
        }
    }

    class CryptoServerHttpResponseDecorator extends ServerHttpResponseDecorator {
        final DataBufferFactory bufferFactory;
        boolean isPass = false;
        public CryptoServerHttpResponseDecorator(ServerHttpResponse delegate) {
            super(delegate);
            bufferFactory = delegate.bufferFactory();
        }

        @Override
        public HttpHeaders getHeaders() {
            HttpHeaders headers = super.getHeaders();
            //同一個請求此處有可能調(diào)用多次,先重置為false
            isPass = false;
            if (headers.getContentType() != null &&
                    !MediaType.APPLICATION_JSON.equals(headers.getContentType()) &&
                    !MediaType.APPLICATION_JSON_UTF8.equals(headers.getContentType())) {
                //相應(yīng)體ContentType只處理json
                isPass = true;
            } else if (!headers.containsKey(cryptoProperties.getCryptoVersionHeader())) {
                //添加version響應(yīng)頭
                headers.add(cryptoProperties.getCryptoVersionHeader(), cryptoProperties.getCryptoVersion());
            }
            return headers;
        }

        //調(diào)用 writeWith 和 writeAndFlushWith 判斷: NettyWriteResponseFilter

        // application/json;charset=UTF-8 走這里
        @Override
        public Mono<Void> writeWith(Publisher<? extends DataBuffer> body) {
            if (body instanceof Flux && !isPass) {
                Flux<? extends DataBuffer> fluxBody = (Flux<? extends DataBuffer>) body;
                return super.writeWith(fluxBody.buffer().map(dataBuffer -> {
                    DataBuffer joinDataBuffer = bufferFactory.join(dataBuffer);
                    byte[] content = new byte[joinDataBuffer.readableByteCount()];
                    joinDataBuffer.read(content);
                    DataBufferUtils.release(joinDataBuffer);
                    Map<String, String> data = new HashMap<>(1);
                    data.put(cryptoProperties.getParamName(), AesUtil.encryptToBase64(content, cryptoProperties.getAesKey()));
                    return bufferFactory.wrap(JSON.toJSONString(data).getBytes(StandardCharsets.UTF_8));
                }));
            }
            return super.writeWith(body);
        }

        // StreamingMediaType類型:application/stream 和 application/stream+json 走這里
        @Override
        public Mono<Void> writeAndFlushWith(Publisher<? extends Publisher<? extends DataBuffer>> body) {
            return super.writeAndFlushWith(body);
        }
    }

    @SneakyThrows
    private Mono<Void> handlePostReq(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        String paramData = request.getQueryParams().getFirst(cryptoProperties.getParamName());
        MultiValueMap<String, String> queryParamMap = new LinkedMultiValueMap<>();
        final boolean queryParamsDecrypt = !StringUtils.isEmpty(paramData);
        if (queryParamsDecrypt) {
            String dataJson;
            try {
                //AES解密
                dataJson = AesUtil.decryptFormBase64ToString(paramData, cryptoProperties.getAesKey());
            } catch (Exception e) {
                log.error("請求參數(shù)解密異常: ", e);
                return cryptoError(exchange.getResponse(), "請求參數(shù)解密異常");
            }
            //構(gòu)造查詢參數(shù)Map
            queryParamMap = buildMultiValueMap(dataJson);
            //新的解密后的uri request
            request = this.buildNewServerHttpRequest(request, queryParamMap);
        }

        //構(gòu)造一個請求包裝
        final MultiValueMap<String, String> finalQueryParamMap = new LinkedMultiValueMap<>(queryParamMap);
        ServerHttpRequestDecorator decorator = new ServerHttpRequestDecorator(request) {

            @Override
            public HttpHeaders getHeaders() {
                HttpHeaders httpHeaders = new HttpHeaders();
                httpHeaders.putAll(super.getHeaders());
                httpHeaders.remove(HttpHeaders.CONTENT_LENGTH);
                httpHeaders.set(HttpHeaders.TRANSFER_ENCODING, "chunked");
                return httpHeaders;
            }

            @Override
            public MultiValueMap<String, String> getQueryParams() {
                if (queryParamsDecrypt) {
                    return finalQueryParamMap;
                }
                return super.getQueryParams();
            }

            @Override
            public Flux<DataBuffer> getBody() {
                //注意: 這里需要buffer,拿到完整報文后再map解密
                return super.getBody().buffer().map(buffer -> {
                    DataBuffer joinDataBuffer = dataBufferFactory.join(buffer);
                    byte[] content = new byte[joinDataBuffer.readableByteCount()];
                    joinDataBuffer.read(content);
                    DataBufferUtils.release(joinDataBuffer);
                    String decryptData = new String(content, StandardCharsets.UTF_8);
                    log.info("post decryptData: {}", decryptData);
                    if (!queryParamsDecrypt && StringUtils.isEmpty(decryptData)) {
                        throw new CryptoException("參數(shù)格式錯誤");
                    } else {
                        JSONObject dataJsonObj = JSON.parseObject(decryptData);
                        if (!queryParamsDecrypt && !dataJsonObj.containsKey(cryptoProperties.getParamName())) {
                            throw new CryptoException("參數(shù)格式錯誤");
                        }
                        byte[] bytes = AesUtil.decryptFormBase64(dataJsonObj.getString(cryptoProperties.getParamName()), cryptoProperties.getAesKey());
                        return dataBufferFactory.wrap(Objects.requireNonNull(bytes));
                    }
                });
            }
        };
        return chain.filter(exchange.mutate()
                .request(decorator)
                .response(new CryptoServerHttpResponseDecorator(exchange.getResponse()))
                .build());
    }

    @SneakyThrows
    private Mono<Void> handleGetReq(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        if (request.getQueryParams().isEmpty()) {
            // get無參數(shù) 不走參數(shù)解密
            return chain.filter(exchange.mutate()
                    .request(request)
                    .response(new CryptoServerHttpResponseDecorator(exchange.getResponse()))
                    .build());
        }
        String paramData = request.getQueryParams().getFirst(cryptoProperties.getParamName());

        if (StringUtils.isEmpty(paramData)) {
            //有參數(shù)但是密文字段不存在
            throw new CryptoException("參數(shù)格式錯誤");
        }

        String dataJson;
        try {
            //AES解密
            dataJson = AesUtil.decryptFormBase64ToString(paramData, cryptoProperties.getAesKey());
        } catch (Exception e) {
            log.error("請求參數(shù)解密異常: ", e);
            return cryptoError(exchange.getResponse(), "請求參數(shù)解密異常");
        }
        //構(gòu)造查詢參數(shù)Map
        MultiValueMap<String, String> map = buildMultiValueMap(dataJson);
        //新的解密后的uri
        ServerHttpRequest newHttpRequest = this.buildNewServerHttpRequest(request, map);
        //新的解密后的uri request
        ServerHttpRequestDecorator decorator = new ServerHttpRequestDecorator(newHttpRequest) {
            @Override
            public MultiValueMap<String, String> getQueryParams() {
                return map;
            }

        };
        return chain.filter(exchange.mutate()
                .request(decorator)
                .response(new CryptoServerHttpResponseDecorator(exchange.getResponse()))
                .build());
    }

    private MultiValueMap<String, String> buildMultiValueMap(String dataJson) {
        JSONObject jsonObject = JSON.parseObject(dataJson);
        MultiValueMap<String, String> map = new LinkedMultiValueMap<>(jsonObject.size());
        for (String key : jsonObject.keySet()) {
            map.put(key, Lists.newArrayList(jsonObject.getString(key)));
        }
        return map;
    }

    private ServerHttpRequest buildNewServerHttpRequest(ServerHttpRequest request, MultiValueMap<String, String> params) throws URISyntaxException {
        StringBuilder queryBuilder = new StringBuilder();
        for (String key : params.keySet()) {
            queryBuilder.append(key);
            queryBuilder.append(StringPool.EQUALS);
            queryBuilder.append(params.getFirst(key));
            queryBuilder.append(StringPool.AMPERSAND);
        }
        queryBuilder.deleteCharAt(queryBuilder.length() - 1);

        //經(jīng)過測試只覆蓋 ServerHttpRequest的getQueryParams路由分發(fā)之后,無法攜帶過去新的參數(shù),所以這里需要構(gòu)造一個新的解密后的uri
        URI uri = request.getURI();
        URI newUri = new URI(uri.getScheme(),
                uri.getUserInfo(),
                uri.getHost(),
                uri.getPort(),
                uri.getPath(),
                queryBuilder.toString(),
                uri.getFragment());

        //構(gòu)造一個新的ServerHttpRequest
        return request.mutate().uri(newUri).build();
    }

    private boolean isSkip(String path) {
        for (String pattern : cryptoProperties.getSkipPathPattern()) {
            if (antPathMatcher.match(pattern, path)) {
                return true;
            }
        }
       return false;
    }

    private Mono<Void> cryptoError(ServerHttpResponse resp, String msg) {
        resp.setStatusCode(HttpStatus.UNAUTHORIZED);
        resp.getHeaders().add("Content-Type", "application/json;charset=UTF-8");
        String result = JSON.toJSONString(ResponseProvider.unAuth(msg));
        DataBuffer buffer = resp.bufferFactory().wrap(result.getBytes(StandardCharsets.UTF_8));
        return resp.writeWith(Flux.just(buffer));
    }

    @Override
    public int getOrder() {
        return -200;
    }
}