fix: security修改权限【thingsKit刷新token需要】

@@ -16,6 +16,7 @@
 package org.thingsboard.server.service.security.auth.jwt;
 
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.CredentialsExpiredException;
@@ -33,6 +34,10 @@ import org.thingsboard.server.common.data.id.EntityId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.id.UserId;
 import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.common.data.yunteng.constant.FastIotConstants;
+import org.thingsboard.server.common.data.yunteng.dto.UserDTO;
+import org.thingsboard.server.common.data.yunteng.dto.UserDetailsDTO;
+import org.thingsboard.server.dao.yunteng.service.YtUserService;
 import org.thingsboard.server.service.security.auth.RefreshAuthenticationToken;
 import org.thingsboard.server.service.security.auth.TokenOutdatingService;
 import org.thingsboard.server.service.security.model.SecurityUser;
@@ -43,6 +48,7 @@ import org.thingsboard.server.common.data.security.UserCredentials;
 import org.thingsboard.server.dao.customer.CustomerService;
 import org.thingsboard.server.dao.user.UserService;
 
+import java.util.List;
 import java.util.UUID;
 
 @Component
@@ -52,6 +58,7 @@ public class RefreshTokenAuthenticationProvider implements AuthenticationProvide
     private final UserService userService;
     private final CustomerService customerService;
     private final TokenOutdatingService tokenOutdatingService;
+    private final YtUserService ytUserService;
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
@@ -77,27 +84,53 @@ public class RefreshTokenAuthenticationProvider implements AuthenticationProvide
     private SecurityUser authenticateByUserId(UserId userId) {
         TenantId systemId = new TenantId(EntityId.NULL_UUID);
         User user = userService.findUserById(systemId, userId);
+        SecurityUser securityUser;
         if (user == null) {
-            throw new UsernameNotFoundException("User not found by refresh token");
-        }
-
-        UserCredentials userCredentials = userService.findUserCredentialsByUserId(systemId, user.getId());
-        if (userCredentials == null) {
-            throw new UsernameNotFoundException("User credentials not found");
-        }
-
-        if (!userCredentials.isEnabled()) {
-            throw new DisabledException("User is not active");
+            //system platform user
+            securityUser = authenticateByPlatFormUserId(userId);
+            if(null == securityUser){
+                throw new UsernameNotFoundException("User not found by refresh token");
+            }
+        }else{
+            UserCredentials userCredentials = userService.findUserCredentialsByUserId(systemId, user.getId());
+            if (userCredentials == null) {
+                throw new UsernameNotFoundException("User credentials not found");
+            }
+
+            if (!userCredentials.isEnabled()) {
+                throw new DisabledException("User is not active");
+            }
+
+            if (user.getAuthority() == null) throw new InsufficientAuthenticationException("User has no authority assigned");
+
+            UserPrincipal userPrincipal = new UserPrincipal(UserPrincipal.Type.USER_NAME, user.getEmail());
+            String userName = user.getEmail().indexOf("@") != -1 ?user.getEmail().split("@")[0]:user.getEmail();
+            List<UserDetailsDTO> userDetailsDTOS =  ytUserService.findUserDetailsByUsername(userName,
+                    user.getTenantId().getId().toString());
+            user.setUserDetailsDTO(null != userDetailsDTOS && userDetailsDTOS.size()>0 ? userDetailsDTOS.get(0):null);
+            securityUser = new SecurityUser(user, userCredentials.isEnabled(), userPrincipal);
         }
-
-        if (user.getAuthority() == null) throw new InsufficientAuthenticationException("User has no authority assigned");
-
-        UserPrincipal userPrincipal = new UserPrincipal(UserPrincipal.Type.USER_NAME, user.getEmail());
-        SecurityUser securityUser = new SecurityUser(user, userCredentials.isEnabled(), userPrincipal);
-
         return securityUser;
     }
 
+    private SecurityUser authenticateByPlatFormUserId(UserId userId){
+        UserDTO userDTO =ytUserService.findUserInfoById(userId.getId().toString());
+        if(null != userDTO){
+            String email = userDTO.getUsername() + FastIotConstants.DEFAULT_EMAIL_SUFFIX_FOR_TB;
+            UserPrincipal userPrincipal = new UserPrincipal(UserPrincipal.Type.USER_NAME, email);
+            User user = new User();
+            user.setAuthority(Authority.PLATFORM_USER);
+            user.setTenantId(new TenantId(EntityId.NULL_UUID));
+            user.setId(userId);
+            user.setEmail(email);
+            List<UserDetailsDTO> userDetailsDTOS =  ytUserService.findUserDetailsByUsername(userDTO.getUsername(),
+                    user.getTenantId().getId().toString());
+            user.setUserDetailsDTO(null != userDetailsDTOS && userDetailsDTOS.size()>0 ? userDetailsDTOS.get(0):null);
+            SecurityUser securityUser = new SecurityUser(user, true, userPrincipal);
+            return securityUser;
+        }
+        return null;
+    }
     private SecurityUser authenticateByPublicId(String publicId) {
         TenantId systemId = new TenantId(EntityId.NULL_UUID);
         CustomerId customerId;

@@ -279,7 +279,7 @@ public class RestAuthenticationProvider implements AuthenticationProvider {
   @Autowired private PasswordEncoder passwordEncoder;
 
   private Optional<UserDetailsDTO> ytUserDetailsByUserName(String username, String password) {
-    List<UserDetailsDTO> users = ytUserService.findUserDetailsByUsername(username);
+    List<UserDetailsDTO> users = ytUserService.findUserDetailsByUsername(username,null);
 
     if (users.isEmpty()) {
       throw new UsernameNotFoundException("User not found: " + username);

@@ -28,6 +28,7 @@ import org.thingsboard.server.common.data.security.model.JwtToken;
 import org.thingsboard.server.config.JwtSettings;
 import org.thingsboard.server.dao.customer.CustomerService;
 import org.thingsboard.server.dao.user.UserService;
+import org.thingsboard.server.dao.yunteng.service.YtUserService;
 import org.thingsboard.server.service.security.auth.jwt.JwtAuthenticationProvider;
 import org.thingsboard.server.service.security.auth.jwt.RefreshTokenAuthenticationProvider;
 import org.thingsboard.server.service.security.exception.JwtExpiredTokenException;
@@ -60,6 +61,7 @@ public class TokenOutdatingTest {
     private ConcurrentMapCacheManager cacheManager;
     private JwtTokenFactory tokenFactory;
     private JwtSettings jwtSettings;
+    private YtUserService ytUserService;
 
     private UserId userId;
 
@@ -91,7 +93,8 @@ public class TokenOutdatingTest {
         when(userService.findUserCredentialsByUserId(any(), eq(userId))).thenReturn(userCredentials);
 
         accessTokenAuthenticationProvider = new JwtAuthenticationProvider(tokenFactory, tokenOutdatingService);
-        refreshTokenAuthenticationProvider = new RefreshTokenAuthenticationProvider(tokenFactory, userService, mock(CustomerService.class), tokenOutdatingService);
+        refreshTokenAuthenticationProvider = new RefreshTokenAuthenticationProvider(tokenFactory, userService, mock(CustomerService.class), tokenOutdatingService,
+                ytUserService);
     }
 
     @Test

@@ -80,9 +80,9 @@ public class YtUserServiceImpl extends AbstractBaseService<UserMapper, User>
   private final ApplicationEventPublisher eventPublisher;
 
   @Override
-  public List<UserDetailsDTO> findUserDetailsByUsername(String username) {
+  public List<UserDetailsDTO> findUserDetailsByUsername(String username,String tenantId) {
     // 多个租户可能存在多个username相同的情况
-    return baseMapper.findUserDetailsByUserName(username);
+    return baseMapper.findUserDetailsByUserName(username,tenantId);
   }
 
   @Override

@@ -17,30 +17,34 @@ import java.util.Set;
 @Mapper
 public interface UserMapper extends BaseMapper<User> {
 
-    List<UserDetailsDTO> findUserDetailsByUserName(String username);
+  List<UserDetailsDTO> findUserDetailsByUserName(
+      @Param("username") String username, @Param("tenantId") String tenantId);
 
-    List<UserDetailsDTO> findUserDetailsByPhoneNumber(String phoneNumber);
+  List<UserDetailsDTO> findUserDetailsByPhoneNumber(String phoneNumber);
 
-    IPage<UserDTO> getUserPage(IPage<?> page, @Param("queryMap") Map<String, Object> queryMap);
+  IPage<UserDTO> getUserPage(IPage<?> page, @Param("queryMap") Map<String, Object> queryMap);
 
-    IPage<UserDTO> getTenantAdminPage(IPage<?> page, @Param("tenantId") String tenantId);
+  IPage<UserDTO> getTenantAdminPage(IPage<?> page, @Param("tenantId") String tenantId);
 
-    Set<String> getAllIdsByTenantId(@Param("tenantIds") Collection<String> tenantIds);
+  Set<String> getAllIdsByTenantId(@Param("tenantIds") Collection<String> tenantIds);
 
-    void setPassword2NullAndInsertActiveToken(
-            @Param("userId") String userId, @Param("activeToken") String activeToken);
+  void setPassword2NullAndInsertActiveToken(
+      @Param("userId") String userId, @Param("activeToken") String activeToken);
 
-    UserDTO findUserInfo(UserDTO userDTO);
+  UserDTO findUserInfo(UserDTO userDTO);
 
-    List<UserDTO> findUserInfoByPhoneNumber(UserDTO userDTO);
+  List<UserDTO> findUserInfoByPhoneNumber(UserDTO userDTO);
 
-    String findUserCustomerIdById(@Param("userId") String userId);
+  String findUserCustomerIdById(@Param("userId") String userId);
 
-    List<UserDTO> getUserCountByRoleType(@Param("roleType") RoleEnum roleType);
+  List<UserDTO> getUserCountByRoleType(@Param("roleType") RoleEnum roleType);
 
-    List<UserDTO> getMyCustomers(@Param("tenantId") String tenantId, @Param("customerId") String customerId, @Param("userIds") Collection<String> userIds);
+  List<UserDTO> getMyCustomers(
+      @Param("tenantId") String tenantId,
+      @Param("customerId") String customerId,
+      @Param("userIds") Collection<String> userIds);
 
-    List<UserDTO> findUsersAsyncByTs(@Param("startTs") String startTs,@Param("endTs") String endTs);
+  List<UserDTO> findUsersAsyncByTs(@Param("startTs") String startTs, @Param("endTs") String endTs);
 
-    String findCustomerIdByUserId(@Param("id") String id);
+  String findCustomerIdByUserId(@Param("id") String id);
 }

@@ -18,7 +18,7 @@ import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 
 public interface YtUserService {
-  List<UserDetailsDTO> findUserDetailsByUsername(String username);
+  List<UserDetailsDTO> findUserDetailsByUsername(String username,String tenantId);
 
   UserDTO saveAccount(
       UserDTO userDTO, boolean sendEmail, boolean sendMsg, boolean isTenantAdmin, String tenantId);

@@ -79,7 +79,12 @@
                              LEFT JOIN sys_role sr ON sur.role_id = sr.id
                 WHERE sur.user_id = (SELECT id FROM sys_user WHERE username = #{username})
                 ) rr ON su.id = rr.user_id
-        WHERE su.username = #{username};
+        <where>
+            su.username = #{username}
+            <if test="tenantId !=null and tenantId !=''">
+               AND su.tenant_id = #{tenantId}
+            </if>
+        </where>
     </select>
 
     <select id="getUserPage" resultMap="userDTOMap">