Explorar o código

更改租户ip异地登录逻辑更改为跟租户绑定可配置

liyanbo hai 1 mes
pai
achega
4d4d264827

+ 4 - 1
byzs-module-system/src/main/java/cn/iocoder/byzs/module/system/controller/admin/tenant/vo/tenant/TenantRespVO.java

@@ -48,8 +48,11 @@ public class TenantRespVO {
     @Schema(description = "账号数量", requiredMode = Schema.RequiredMode.REQUIRED, example = "1024")
     private Integer accountCount;
 
+    @Schema(description = "IP限制", example = "192.168.1.0/24")
+    private String ipLimit;
+
     @Schema(description = "创建时间", requiredMode = Schema.RequiredMode.REQUIRED)
     @ExcelProperty("创建时间")
     private LocalDateTime createTime;
 
-}
+}

+ 4 - 1
byzs-module-system/src/main/java/cn/iocoder/byzs/module/system/controller/admin/tenant/vo/tenant/TenantSaveReqVO.java

@@ -49,6 +49,9 @@ public class TenantSaveReqVO {
     @NotNull(message = "账号数量不能为空")
     private Integer accountCount;
 
+    @Schema(description = "IP限制,逗号分隔的IP列表或网段,如:192.168.1.100,192.168.2.0/24", example = "192.168.1.0/24")
+    private String ipLimit;
+
     // ========== 仅【创建】时,需要传递的字段 ==========
 
     @Schema(description = "用户账号", requiredMode = Schema.RequiredMode.REQUIRED, example = "byzs")
@@ -67,4 +70,4 @@ public class TenantSaveReqVO {
                 || (ObjectUtil.isAllNotEmpty(username, password)); // 新增时,必须都传递 username、password
     }
 
-}
+}

+ 5 - 1
byzs-module-system/src/main/java/cn/iocoder/byzs/module/system/dal/dataobject/tenant/TenantDO.java

@@ -78,5 +78,9 @@ public class TenantDO extends BaseDO {
      * 账号数量
      */
     private Integer accountCount;
+    /**
+     * IP限制,逗号分隔的IP列表或网段
+     */
+    private String ipLimit;
 
-}
+}

+ 28 - 16
byzs-module-system/src/main/java/cn/iocoder/byzs/module/system/service/auth/AdminAuthServiceImpl.java

@@ -18,7 +18,9 @@ import cn.iocoder.byzs.module.system.controller.admin.auth.vo.*;
 import cn.iocoder.byzs.module.system.controller.admin.auth.vo.*;
 import cn.iocoder.byzs.module.system.convert.auth.AuthConvert;
 import cn.iocoder.byzs.module.system.dal.dataobject.oauth2.OAuth2AccessTokenDO;
+import cn.iocoder.byzs.module.system.dal.dataobject.tenant.TenantDO;
 import cn.iocoder.byzs.module.system.dal.dataobject.user.AdminUserDO;
+import cn.iocoder.byzs.module.system.dal.mysql.tenant.TenantMapper;
 import cn.iocoder.byzs.module.system.enums.logger.LoginLogTypeEnum;
 import cn.iocoder.byzs.module.system.enums.logger.LoginResultEnum;
 import cn.iocoder.byzs.module.system.enums.oauth2.OAuth2ClientConstants;
@@ -38,6 +40,7 @@ import jakarta.validation.Validator;
 import jodd.util.StringUtil;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -83,6 +86,8 @@ public class AdminAuthServiceImpl implements AdminAuthService {
     @Value("${byzs.captcha.enable:true}")
     @Setter // 为了单测:开启或者关闭验证码
     private Boolean captchaEnable;
+    @Autowired
+    private TenantMapper tenantMapper;
 
     @Override
     public AdminUserDO authenticate(String username, String password) {
@@ -147,30 +152,37 @@ public class AdminAuthServiceImpl implements AdminAuthService {
             tenantId = user.getTenantId();
         }
 
-        // 删除用户之前的所有令牌,实现单点登录(默认租户用户可以多设备登录)
-        if (!Objects.equals(tenantId, WebFrameworkUtils.DEFAULT_TENANT_ID)){
+        // 默认租户用户可以多设备登录,无需校验ip
+        if (Objects.equals(tenantId, WebFrameworkUtils.DEFAULT_TENANT_ID)){
+            return;
+        }
 
-            //查看登录ip是否已被授权
-            if (StringUtil.isNotBlank(user.getLoginIp()) && !IpUtil.isSameNetworkSegment(user.getLoginIp(), getClientIP())) {
+        //该租户未限制ip
+        TenantDO tenantDO = tenantMapper.selectById(tenantId);
+        if (tenantDO != null && (tenantDO.getIpLimit() == null || tenantDO.getIpLimit().equals("false"))) {
+            return;
+        }
 
-                //发送手机验证码
+        //查看登录ip是否已被授权或不在同一网段
+        if (StringUtil.isNotBlank(user.getLoginIp()) && !IpUtil.isSameNetworkSegment(user.getLoginIp(), getClientIP())) {
+
+            //发送手机验证码
 //                AuthSmsLoginReqVO authSmsLoginReqVO = new AuthSmsLoginReqVO().setMobile(user.getNickname());
 //                smsCodeApi.sendSmsCode(AuthConvert.INSTANCE.convert(authSmsLoginReqVO));
 
-                //校验手机号是否存在
-                if(StringUtil.isBlank(user.getMobile())){
-                    throw exception(AUTH_LOGIN_IP_NOT_AUTHORIZED_NOT_MOBILE_NOT_EXISTS);
-                }
-
-                // 构建返回数据
-                java.util.Map<String, Object> data = new java.util.HashMap<>();
-                data.put("mobile", user.getMobile());
-                throw exception(AUTH_LOGIN_IP_NOT_AUTHORIZED, data);
+            //校验手机号是否存在
+            if(StringUtil.isBlank(user.getMobile())){
+                throw exception(AUTH_LOGIN_IP_NOT_AUTHORIZED_NOT_MOBILE_NOT_EXISTS);
             }
 
-            // 删除用户之前的所有令牌,实现单点登录(默认租户用户可以多设备登录)
-            oauth2TokenService.removeUserTokens(user.getId(), getUserType().getValue());
+            // 构建返回数据
+            java.util.Map<String, Object> data = new java.util.HashMap<>();
+            data.put("mobile", user.getMobile());
+            throw exception(AUTH_LOGIN_IP_NOT_AUTHORIZED, data);
         }
+
+        // 删除用户之前的所有令牌,实现单点登录(默认租户用户可以多设备登录)
+        oauth2TokenService.removeUserTokens(user.getId(), getUserType().getValue());
     }
 
     @Override