package dingdingapi import ( "bytes" "crypto/aes" "crypto/cipher" "crypto/rand" "crypto/sha1" "encoding/base64" "encoding/binary" "errors" "fmt" r "math/rand" "sort" "strings" "time" "git.rosy.net.cn/baseapi" "git.rosy.net.cn/baseapi/utils" ) const ( CBTagCheckURL = "check_url" CBTagUserAddOrg = "user_add_org" CBTagUserModifyOrg = "user_modify_org" CBTagUserLeaveOrg = "user_leave_org" ) const ( KeyMsgSignature = "msg_signature" KeyEventType = "EventType" KeyUserID = "UserId" SuccessResponse = "success" ) type CallbackResponse struct { MsgSignature string `json:"msg_signature"` Timestamp string `json:"timeStamp"` Nonce string `json:"nonce"` Encrypt string `json:"encrypt"` } type DingTalkCrypto struct { Token string EncodingAESKey string SuiteKey string BKey []byte Block cipher.Block } func (a *API) Err2CallbackResponse(err error) *CallbackResponse { if err == nil { return a.PackCallbackResult(SuccessResponse) } return a.PackCallbackResult(err.Error()) } func (a *API) SetCallbackToken(token string) { a.locker.RLock() defer a.locker.RUnlock() a.callbackToken = token } func (a *API) SetCallbackAESKey(b string) { a.locker.RLock() defer a.locker.RUnlock() a.callbackAESKey = b } func (a *API) GetCallbackToken() string { a.locker.RLock() defer a.locker.RUnlock() return a.callbackToken } func (a *API) GetCallbackAESKey() string { a.locker.RLock() defer a.locker.RUnlock() return a.callbackAESKey } func (a *API) PackCallbackResult(result string) (response *CallbackResponse) { timestamp := utils.Int64ToStr(time.Now().Unix()) nonce := utils.GetUUID() encryptedResult, sign, err := a.Encrypt(result, timestamp, nonce) if err == nil { response = &CallbackResponse{ Encrypt: encryptedResult, Timestamp: timestamp, Nonce: nonce, MsgSignature: sign, } //response.MsgSignature = a.calculateCallbackSign(utils.Struct2MapByJson(response)) } return response } func (a *API) calculateCallbackSign(data map[string]interface{}) (sign string) { strList := []string{ a.GetCallbackToken(), } for k, v := range data { if k != KeyMsgSignature { strList = append(strList, v.(string)) } } sort.Sort(sort.StringSlice(strList)) return fmt.Sprintf("%x", sha1.Sum([]byte(strings.Join(strList, "")))) } func (a *API) Encrypt(msg, timestamp, nonce string) (encryptedMsg, sign string, err error) { //aesKey := a.GetCallbackAESKey() //buf := bytes.NewBuffer(nil) //buf.WriteString(utils.GetUUID()[:16]) //binary.Write(buf, binary.BigEndian, int32(len(msg))) //buf.WriteString(msg) //buf.WriteString(a.corpID) //binResult, err := utils.AESCBCEncpryt(buf.Bytes(), []byte(aesKey), []byte(aesKey[:16])) //encryptedMsg = base64.StdEncoding.EncodeToString(binResult) c := NewDingTalkCrypto(a.callbackToken, a.callbackAESKey, a.appID) return c.GetEncryptMsg(msg, timestamp, nonce) } func (a *API) Decrypt(sign, timestr, nonce, msg string) (decryptedMsg string, err error) { //binMsg, err := base64.StdEncoding.DecodeString(msg) //if err == nil { // aesKey := a.GetCallbackAESKey() // binResult, err2 := utils.AESCBCDecpryt(binMsg, aesKey, aesKey[:16]) // if err = err2; err == nil { // var msgLen int32 // if err = binary.Read(bytes.NewBuffer(binResult[16:]), binary.BigEndian, &msgLen); err == nil { // // baseapi.SugarLogger.Debug(msgLen) // decryptedMsg = string(binResult[16+4 : 16+4+msgLen]) // } // } //} c := NewDingTalkCrypto(a.callbackToken, a.callbackAESKey, a.appID) return c.GetDecryptMsg(sign, timestr, nonce, msg) } func (a *API) RegisterCallback(callbackTagList []string, token, aesKey, urlStr string) (err error) { a.locker.Lock() // oldCallbackToken := a.callbackToken // oldCallbackAESKey := a.callbackAESKey a.callbackToken = token data, _ := base64.StdEncoding.DecodeString(aesKey + "=") a.callbackAESKey = string(data) a.locker.Unlock() if len(callbackTagList) > 0 { // 为0做测试用 _, err = a.AccessAPI("call_back/register_call_back", nil, map[string]interface{}{ "call_back_tag": callbackTagList, "token": token, "aes_key": aesKey, "url": urlStr, }) } // if err != nil { // a.locker.Lock() // defer a.locker.Unlock() // a.callbackToken = oldCallbackToken // a.callbackAESKey = oldCallbackAESKey // } return err } func (a *API) GetCallback() (callbackInfo map[string]interface{}, err error) { result, err := a.AccessAPI("call_back/get_call_back", nil, nil) if err == nil { return result, nil } return nil, err } func (a *API) UpdateCallback(callbackTagList []string, token, aesKey, urlStr string) (err error) { a.locker.Lock() oldCallbackToken := a.callbackToken oldCallbackAESKey := a.callbackAESKey a.callbackToken = token data, _ := base64.StdEncoding.DecodeString(aesKey + "=") a.callbackAESKey = string(data) a.locker.Unlock() if len(callbackTagList) > 0 { // 为0做测试用 _, err = a.AccessAPI("call_back/update_call_back", nil, map[string]interface{}{ "call_back_tag": callbackTagList, "token": token, "aes_key": aesKey, "url": urlStr, }) } if err != nil { a.locker.Lock() defer a.locker.Unlock() a.callbackToken = oldCallbackToken a.callbackAESKey = oldCallbackAESKey } return err } func (a *API) DeleteCallback() (err error) { _, err = a.AccessAPI("call_back/delete_call_back", nil, nil) return err } func (a *API) GetCallbackMsg(formMap map[string]interface{}, bodyData []byte) (msgMap map[string]interface{}, callbackResponse *CallbackResponse) { var bodyMap map[string]interface{} var err error err = utils.UnmarshalUseNumber(bodyData, &bodyMap) if err == nil { encrypt := utils.Interface2String(bodyMap["encrypt"]) dataMap := map[string]interface{}{ // KeyMsgSignature: formMap["signature"], "nonce": formMap["nonce"], "timestamp": formMap["timestamp"], "encrypt": encrypt, } signRemote := formMap["signature"].(string) signMine := a.calculateCallbackSign(dataMap) if signMine != signRemote { baseapi.SugarLogger.Infof("signRemote:%s, signMine:%s, formMap:%s, bodyData:%s", signRemote, signMine, utils.Format4Output(formMap, true), string(bodyData)) err = errors.New("sign not match") } else { var descryptMsg string if descryptMsg, err = a.Decrypt(formMap["signature"].(string), formMap["timestamp"].(string), formMap["nonce"].(string), encrypt); err == nil { err = utils.UnmarshalUseNumber([]byte(descryptMsg), &msgMap) } else { baseapi.SugarLogger.Debugf("dingdingapi GetCallbackMsg, Decrypt err :", err) } } } return msgMap, nil } func NewDingTalkCrypto(token, encodingAESKey, suiteKey string) *DingTalkCrypto { token = "ITKIL2FeFHZa48fEK9g3dbJ1DOww7shOrIZ2f" encodingAESKey = "EjTgnEa377fEcgzlQUbcgTzxPNznRjpOuSPgQAwv9aA" suiteKey = "ding7iu9cptairtcls0c" bkey, _ := base64.StdEncoding.DecodeString(encodingAESKey + "=") block, _ := aes.NewCipher(bkey) c := &DingTalkCrypto{ Token: token, EncodingAESKey: encodingAESKey, SuiteKey: suiteKey, BKey: bkey, Block: block, } return c } func (c *DingTalkCrypto) GetDecryptMsg(signature, timestamp, nonce, secretMsg string) (string, error) { if !c.VerificationSignature(c.Token, timestamp, nonce, secretMsg, signature) { return "", errors.New("ERROR: 签名不匹配") } decode, err := base64.StdEncoding.DecodeString(secretMsg) if err != nil { return "", err } if len(decode) < aes.BlockSize { return "", errors.New("ERROR: 密文太短") } blockMode := cipher.NewCBCDecrypter(c.Block, c.BKey[:c.Block.BlockSize()]) plantText := make([]byte, len(decode)) blockMode.CryptBlocks(plantText, decode) plantText = pkCS7UnPadding(plantText) size := binary.BigEndian.Uint32(plantText[16:20]) plantText = plantText[20:] corpID := plantText[size:] if string(corpID) != c.SuiteKey { return "", errors.New("ERROR: CorpID匹配不正确") } return string(plantText[:size]), nil } func (c *DingTalkCrypto) GetEncryptMsg(msg, timestamp, nonce string) (string, string, error) { size := make([]byte, 4) binary.BigEndian.PutUint32(size, uint32(len(msg))) msg = randomString(16) + string(size) + msg + c.SuiteKey plantText := pkCS7Padding([]byte(msg), c.Block.BlockSize()) if len(plantText)%aes.BlockSize != 0 { return "", "", errors.New("ERROR: 消息体size不为16的倍数") } blockMode := cipher.NewCBCEncrypter(c.Block, c.BKey[:c.Block.BlockSize()]) chipherText := make([]byte, len(plantText)) blockMode.CryptBlocks(chipherText, plantText) outMsg := base64.StdEncoding.EncodeToString(chipherText) signature := c.CreateSignature(c.Token, timestamp, nonce, string(outMsg)) return string(outMsg), signature, nil } // 数据签名 func (c *DingTalkCrypto) CreateSignature(token, timestamp, nonce, msg string) string { params := make([]string, 0) params = append(params, token) params = append(params, timestamp) params = append(params, nonce) params = append(params, msg) sort.Strings(params) return sha1Sign(strings.Join(params, "")) } func sha1Sign(s string) string { h := sha1.New() h.Write([]byte(s)) bs := h.Sum(nil) return fmt.Sprintf("%x", bs) } // 验证数据签名 func (c *DingTalkCrypto) VerificationSignature(token, timestamp, nonce, msg, sigture string) bool { return c.CreateSignature(token, timestamp, nonce, msg) == sigture } // 解密补位 func pkCS7UnPadding(plantText []byte) []byte { length := len(plantText) unpadding := int(plantText[length-1]) return plantText[:(length - unpadding)] } // 加密补位 func pkCS7Padding(ciphertext []byte, blockSize int) []byte { padding := blockSize - len(ciphertext)%blockSize padtext := bytes.Repeat([]byte{byte(padding)}, padding) return append(ciphertext, padtext...) } // 随机字符串 func randomString(n int, alphabets ...byte) string { const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" var bytes = make([]byte, n) var randby bool if num, err := rand.Read(bytes); num != n || err != nil { r.Seed(time.Now().UnixNano()) randby = true } for i, b := range bytes { if len(alphabets) == 0 { if randby { bytes[i] = alphanum[r.Intn(len(alphanum))] } else { bytes[i] = alphanum[b%byte(len(alphanum))] } } else { if randby { bytes[i] = alphabets[r.Intn(len(alphabets))] } else { bytes[i] = alphabets[b%byte(len(alphabets))] } } } return string(bytes) }