⚡ 增加黑白名单控制与默认屏蔽actuator接口的外部访问

blade-core-tool/src/main/java/org/springblade/core/tool/request/BladeRequestFilter.java

@@ -16,11 +16,15 @@
 package org.springblade.core.tool.request;
 
 import lombok.AllArgsConstructor;
+import org.springblade.core.tool.utils.WebUtil;
 import org.springframework.util.AntPathMatcher;
 
 import jakarta.servlet.*;
 import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.util.PatternMatchUtils;
+
 import java.io.IOException;
+import java.util.List;
 
 /**
  * Request全局过滤
@@ -30,10 +34,32 @@ import java.io.IOException;
 @AllArgsConstructor
 public class BladeRequestFilter implements Filter {
 
+	/**
+	 * 请求配置
+	 */
 	private final RequestProperties requestProperties;
+	/**
+	 * xss配置
+	 */
 	private final XssProperties xssProperties;
+	/**
+	 * 路径匹配
+	 */
 	private final AntPathMatcher antPathMatcher = new AntPathMatcher();
 
+	/**
+	 * 默认拦截路径
+	 */
+	private final List<String> defaultBlockUrl = List.of("/**/actuator/**", "/health/**");
+	/**
+	 * 默认白名单
+	 */
+	private final List<String> defaultWhiteList = List.of("127.0.0.1", "172.30.*.*", "192.168.*.*", "10.*.*.*", "0:0:0:0:0:0:0:1");
+	/**
+	 * 默认提示信息
+	 */
+	private final static String DEFAULT_MESSAGE = "当前请求被拒绝，请联系管理员！";
+
 	@Override
 	public void init(FilterConfig config) {
 
@@ -41,7 +67,18 @@ public class BladeRequestFilter implements Filter {
 
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-		String path = ((HttpServletRequest) request).getServletPath();
+		// 获取请求
+		HttpServletRequest httpRequest = (HttpServletRequest) request;
+		String path = httpRequest.getServletPath();
+		// 判断 拦截请求 与 白名单
+		if (requestProperties.getEnabled()) {
+			// 获取请求IP
+			String ip = WebUtil.getIP(httpRequest);
+			// 判断是否拦截请求
+			if (isRequestBlock(path, ip)) {
+				throw new ServletException(DEFAULT_MESSAGE);
+			}
+		}
 		// 跳过 Request 包装
 		if (!requestProperties.getEnabled() || isRequestSkip(path)) {
 			chain.doFilter(request, response);
@@ -58,6 +95,54 @@ public class BladeRequestFilter implements Filter {
 		}
 	}
 
+	/**
+	 * 是否白名单
+	 *
+	 * @param ip ip地址
+	 * @return boolean
+	 */
+	private boolean isWhiteList(String ip) {
+		List<String> whiteList = requestProperties.getWhiteList();
+		String[] defaultWhiteIps = defaultWhiteList.toArray(new String[0]);
+		String[] whiteIps = whiteList.toArray(new String[0]);
+		return PatternMatchUtils.simpleMatch(defaultWhiteIps, ip) || PatternMatchUtils.simpleMatch(whiteIps, ip);
+	}
+
+	/**
+	 * 是否黑名单
+	 *
+	 * @param ip ip地址
+	 * @return boolean
+	 */
+	private boolean isBlackList(String ip) {
+		List<String> blackList = requestProperties.getBlackList();
+		String[] blackIps = blackList.toArray(new String[0]);
+		return PatternMatchUtils.simpleMatch(blackIps, ip);
+	}
+
+	/**
+	 * 是否禁用请求访问
+	 *
+	 * @param path 请求路径
+	 * @return boolean
+	 */
+	private boolean isRequestBlock(String path) {
+		List<String> blockUrl = requestProperties.getBlockUrl();
+		return defaultBlockUrl.stream().anyMatch(pattern -> antPathMatcher.match(pattern, path)) ||
+			blockUrl.stream().anyMatch(pattern -> antPathMatcher.match(pattern, path));
+	}
+
+	/**
+	 * 是否拦截请求
+	 *
+	 * @param path 请求路径
+	 * @param ip   ip地址
+	 * @return boolean
+	 */
+	private boolean isRequestBlock(String path, String ip) {
+		return (isRequestBlock(path) && !isWhiteList(ip)) || isBlackList(ip);
+	}
+
 	private boolean isRequestSkip(String path) {
 		return requestProperties.getSkipUrl().stream().anyMatch(pattern -> antPathMatcher.match(pattern, path));
 	}

blade-core-tool/src/main/java/org/springblade/core/tool/request/RequestProperties.java

@@ -40,4 +40,19 @@ public class RequestProperties {
 	 */
 	private List<String> skipUrl = new ArrayList<>();
 
+	/**
+	 * 禁用url
+	 */
+	private List<String> blockUrl = new ArrayList<>();
+
+	/**
+	 * 白名单，支持通配符，例如：10.20.0.8*、10.20.0.*
+	 */
+	private List<String> whiteList = new ArrayList<>();
+
+	/**
+	 * 黑名单，支持通配符，例如：10.20.0.8*、10.20.0.*
+	 */
+	private List<String> blackList = new ArrayList<>();
+
 }