Merge branch 'dev' into test

2025-12-01 17:52:33 +08:00
parent fc0428e7b5 754803b3eb
commit aa2fda8f62
15 changed files with 606 additions and 66 deletions
--- a/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/core/ApiGatewayAccessLogger.java
+++ b/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/core/ApiGatewayAccessLogger.java
--- a/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/core/ApiGatewayRequestMapper.java
+++ b/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/core/ApiGatewayRequestMapper.java
@@ -3,6 +3,7 @@ package com.zt.plat.module.databus.framework.integration.gateway.core;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.zt.plat.module.databus.framework.integration.config.ApiGatewayProperties;
 import com.zt.plat.module.databus.framework.integration.gateway.model.ApiInvocationContext;
+import com.zt.plat.module.databus.framework.integration.gateway.core.ApiGatewayAccessLogger;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpHeaders;
@@ -90,6 +91,7 @@ public class ApiGatewayRequestMapper {
        });
        context.setUserAgent(GatewayHeaderUtils.findFirstHeaderValue(context.getRequestHeaders(), HttpHeaders.USER_AGENT));
        context.setClientIp(resolveClientIp(headers, context.getRequestHeaders()));
+        captureAccessLogId(context);
        populateQueryParams(headers, context, originalRequestUri);
        if (properties.isEnableTenantHeader()) {
            Object tenantHeaderValue = context.getRequestHeaders().get(properties.getTenantHeader());
@@ -114,6 +116,21 @@ public class ApiGatewayRequestMapper {
        return context;
    }

+    private void captureAccessLogId(ApiInvocationContext context) {
+        String headerValue = GatewayHeaderUtils.findFirstHeaderValue(context.getRequestHeaders(), ApiGatewayAccessLogger.HEADER_ACCESS_LOG_ID);
+        if (!StringUtils.hasText(headerValue)) {
+            return;
+        }
+        try {
+            Long logId = Long.valueOf(headerValue);
+            context.getAttributes().put(ApiGatewayAccessLogger.ATTR_LOG_ID, logId);
+        } catch (NumberFormatException ex) {
+            // 忽略格式问题，仅在属性中保留原文以便排查
+            context.getAttributes().put(ApiGatewayAccessLogger.ATTR_LOG_ID, headerValue);
+        }
+        context.getRequestHeaders().remove(ApiGatewayAccessLogger.HEADER_ACCESS_LOG_ID);
+    }
+
    private boolean isInternalHeader(String headerName) {
        if (!StringUtils.hasText(headerName)) {
            return true;
--- a/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/security/GatewaySecurityFilter.java
+++ b/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/security/GatewaySecurityFilter.java
@@ -13,6 +13,7 @@ import com.zt.plat.framework.tenant.core.context.TenantContextHolder;
 import com.zt.plat.framework.web.core.util.WebFrameworkUtils;
 import com.zt.plat.module.databus.dal.dataobject.gateway.ApiClientCredentialDO;
 import com.zt.plat.module.databus.framework.integration.config.ApiGatewayProperties;
+import com.zt.plat.module.databus.framework.integration.gateway.core.ApiGatewayAccessLogger;
 import com.zt.plat.module.databus.framework.integration.gateway.model.ApiGatewayResponse;
 import com.zt.plat.module.databus.service.gateway.ApiAnonymousUserService;
 import com.zt.plat.module.databus.service.gateway.ApiClientCredentialService;
@@ -56,6 +57,7 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
    private final ApiClientCredentialService credentialService;
    private final ApiAnonymousUserService anonymousUserService;
    private final ObjectMapper objectMapper;
+    private final ApiGatewayAccessLogger accessLogger;
    private final AntPathMatcher pathMatcher = new AntPathMatcher();
    private static final TypeReference<Map<String, Object>> MAP_TYPE = new TypeReference<>() {};

@@ -72,18 +74,24 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
            filterChain.doFilter(request, response);
            return;
        }
+        Long accessLogId = accessLogger.logEntrance(request);
        // 校验访问 IP 是否落在允许范围内
        if (!isIpAllowed(request)) {
            log.warn("[API-PORTAL] 拦截来自 IP {} 访问 {} 的请求", request.getRemoteAddr(), pathWithinApplication);
            response.sendError(HttpStatus.FORBIDDEN.value(), "IP 禁止访问");
+            accessLogger.finalizeEarly(request, HttpStatus.FORBIDDEN.value(), "IP 禁止访问");
            return;
        }
        ApiGatewayProperties.Security security = properties.getSecurity();
        ApiClientCredentialDO credential = null;
        if (!security.isEnabled()) {
-            filterChain.doFilter(request, response);
+            byte[] originalBody = StreamUtils.copyToByteArray(request.getInputStream());
+            CachedBodyHttpServletRequest passthroughRequest = new CachedBodyHttpServletRequest(request, originalBody);
+            ApiGatewayAccessLogger.propagateLogIdHeader(passthroughRequest, accessLogId);
+            filterChain.doFilter(passthroughRequest, response);
            return;
        }
+        boolean dispatchedToGateway = false;
        try {
            Long tenantId = resolveTenantId(request);
            // 从请求头解析 appId 并加载客户端凭证，包含匿名访问配置
@@ -118,6 +126,7 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {

            // 使用可重复读取的请求包装，供后续过滤器继续消费
            CachedBodyHttpServletRequest securedRequest = new CachedBodyHttpServletRequest(request, decryptedBody);
+            ApiGatewayAccessLogger.propagateLogIdHeader(securedRequest, accessLogId);
            if (StringUtils.hasText(request.getCharacterEncoding())) {
                securedRequest.setCharacterEncoding(request.getCharacterEncoding());
            }
@@ -129,6 +138,7 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
            ContentCachingResponseWrapper responseWrapper = new ContentCachingResponseWrapper(response);
            try {
                filterChain.doFilter(securedRequest, responseWrapper);
+                dispatchedToGateway = true;
                encryptResponse(responseWrapper, credential, security);
            } finally {
                responseWrapper.copyBodyToResponse();
@@ -136,9 +146,15 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
        } catch (SecurityValidationException ex) {
            log.warn("[API-PORTAL] 安全校验失败: {}", ex.getMessage());
            writeErrorResponse(response, security, credential, ex.status(), ex.getMessage());
+            if (!dispatchedToGateway) {
+                accessLogger.finalizeEarly(request, ex.status().value(), ex.getMessage());
+            }
        } catch (Exception ex) {
            log.error("[API-PORTAL] 处理安全校验时出现异常", ex);
            writeErrorResponse(response, security, credential, HttpStatus.INTERNAL_SERVER_ERROR, "网关安全校验失败");
+            if (!dispatchedToGateway) {
+                accessLogger.finalizeEarly(request, HttpStatus.INTERNAL_SERVER_ERROR.value(), "网关安全校验失败");
+            }
        }
    }