feat(framework): API 签名、安全白名单与 Web 配置调整

- 新增 ApiSignatureProperties 配置类
- 调整签名自动配置与 Redis DAO 实现
- 更新安全白名单与 Web 属性配置
- 网关新增安保模块路由配置

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

viewsh-framework/viewsh-spring-boot-starter-protection/src/main/java/com/viewsh/framework/signature/config/ApiSignatureProperties.java

@@ -0,0 +1,32 @@
+package com.viewsh.framework.signature.config;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+import java.util.Map;
+
+/**
+ * API 签名配置属性
+ * <p>
+ * 支持在 application.yaml 中配置 appId/appSecret，应用启动时自动加载到 Redis。
+ *
+ * <pre>
+ * viewsh:
+ *   signature:
+ *     apps:
+ *       alarm-system: "your-app-secret"
+ *       third-party:  "another-secret"
+ * </pre>
+ *
+ * @author lzh
+ */
+@ConfigurationProperties(prefix = "viewsh.signature")
+@Data
+public class ApiSignatureProperties {
+
+    /**
+     * 签名应用列表：appId → appSecret
+     */
+    private Map<String, String> apps;
+
+}

viewsh-framework/viewsh-spring-boot-starter-protection/src/main/java/com/viewsh/framework/signature/config/ViewshApiSignatureAutoConfiguration.java

@@ -1,28 +1,34 @@
-package com.viewsh.framework.signature.config;
-
-import com.viewsh.framework.redis.config.ViewshRedisAutoConfiguration;
-import com.viewsh.framework.signature.core.aop.ApiSignatureAspect;
-import com.viewsh.framework.signature.core.redis.ApiSignatureRedisDAO;
-import org.springframework.boot.autoconfigure.AutoConfiguration;
-import org.springframework.context.annotation.Bean;
-import org.springframework.data.redis.core.StringRedisTemplate;
-
-/**
- * HTTP API 签名的自动配置类
- *
- * @author Zhougang
- */
-@AutoConfiguration(after = ViewshRedisAutoConfiguration.class)
-public class ViewshApiSignatureAutoConfiguration {
-
-    @Bean
-    public ApiSignatureAspect signatureAspect(ApiSignatureRedisDAO signatureRedisDAO) {
-        return new ApiSignatureAspect(signatureRedisDAO);
-    }
-
-    @Bean
-    public ApiSignatureRedisDAO signatureRedisDAO(StringRedisTemplate stringRedisTemplate) {
-        return new ApiSignatureRedisDAO(stringRedisTemplate);
-    }
-
-}
+package com.viewsh.framework.signature.config;
+
+import com.viewsh.framework.redis.config.ViewshRedisAutoConfiguration;
+import com.viewsh.framework.signature.core.aop.ApiSignatureAspect;
+import com.viewsh.framework.signature.core.redis.ApiSignatureRedisDAO;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.redis.core.StringRedisTemplate;
+
+/**
+ * HTTP API 签名的自动配置类
+ *
+ * @author Zhougang
+ */
+@AutoConfiguration(after = ViewshRedisAutoConfiguration.class)
+@EnableConfigurationProperties(ApiSignatureProperties.class)
+public class ViewshApiSignatureAutoConfiguration {
+
+    @Bean
+    public ApiSignatureAspect signatureAspect(ApiSignatureRedisDAO signatureRedisDAO) {
+        return new ApiSignatureAspect(signatureRedisDAO);
+    }
+
+    @Bean
+    public ApiSignatureRedisDAO signatureRedisDAO(StringRedisTemplate stringRedisTemplate,
+                                                  ApiSignatureProperties properties) {
+        ApiSignatureRedisDAO dao = new ApiSignatureRedisDAO(stringRedisTemplate);
+        // 启动时将配置文件中的 appId/appSecret 同步到 Redis
+        dao.initApps(properties.getApps());
+        return dao;
+    }
+
+}

viewsh-framework/viewsh-spring-boot-starter-protection/src/main/java/com/viewsh/framework/signature/core/redis/ApiSignatureRedisDAO.java

@@ -1,57 +1,78 @@
-package com.viewsh.framework.signature.core.redis;
-
-import lombok.AllArgsConstructor;
-import org.springframework.data.redis.core.StringRedisTemplate;
-
-import java.util.concurrent.TimeUnit;
-
-/**
- * HTTP API 签名 Redis DAO
- *
- * @author Zhougang
- */
-@AllArgsConstructor
-public class ApiSignatureRedisDAO {
-
-    private final StringRedisTemplate stringRedisTemplate;
-
-    /**
-     * 验签随机数
-     * <p>
-     * KEY 格式：signature_nonce:%s // 参数为 随机数
-     * VALUE 格式：String
-     * 过期时间：不固定
-     */
-    private static final String SIGNATURE_NONCE = "api_signature_nonce:%s:%s";
-
-    /**
-     * 签名密钥
-     * <p>
-     * HASH 结构
-     * KEY 格式：%s // 参数为 appid
-     * VALUE 格式：String
-     * 过期时间：永不过期（预加载到 Redis）
-     */
-    private static final String SIGNATURE_APPID = "api_signature_app";
-
-    // ========== 验签随机数 ==========
-
-    public String getNonce(String appId, String nonce) {
-        return stringRedisTemplate.opsForValue().get(formatNonceKey(appId, nonce));
-    }
-
-    public Boolean setNonce(String appId, String nonce, int time, TimeUnit timeUnit) {
-        return stringRedisTemplate.opsForValue().setIfAbsent(formatNonceKey(appId, nonce), "", time, timeUnit);
-    }
-
-    private static String formatNonceKey(String appId, String nonce) {
-        return String.format(SIGNATURE_NONCE, appId, nonce);
-    }
-
-    // ========== 签名密钥 ==========
-
-    public String getAppSecret(String appId) {
-        return (String) stringRedisTemplate.opsForHash().get(SIGNATURE_APPID, appId);
-    }
-
-}
+package com.viewsh.framework.signature.core.redis;
+
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.data.redis.core.StringRedisTemplate;
+
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * HTTP API 签名 Redis DAO
+ *
+ * @author Zhougang
+ */
+@AllArgsConstructor
+@Slf4j
+public class ApiSignatureRedisDAO {
+
+    private final StringRedisTemplate stringRedisTemplate;
+
+    /**
+     * 验签随机数
+     * <p>
+     * KEY 格式：signature_nonce:%s // 参数为 随机数
+     * VALUE 格式：String
+     * 过期时间：不固定
+     */
+    private static final String SIGNATURE_NONCE = "api_signature_nonce:%s:%s";
+
+    /**
+     * 签名密钥
+     * <p>
+     * HASH 结构
+     * KEY 格式：%s // 参数为 appid
+     * VALUE 格式：String
+     * 过期时间：永不过期（预加载到 Redis）
+     */
+    private static final String SIGNATURE_APPID = "api_signature_app";
+
+    // ========== 验签随机数 ==========
+
+    public String getNonce(String appId, String nonce) {
+        return stringRedisTemplate.opsForValue().get(formatNonceKey(appId, nonce));
+    }
+
+    public Boolean setNonce(String appId, String nonce, int time, TimeUnit timeUnit) {
+        return stringRedisTemplate.opsForValue().setIfAbsent(formatNonceKey(appId, nonce), "", time, timeUnit);
+    }
+
+    private static String formatNonceKey(String appId, String nonce) {
+        return String.format(SIGNATURE_NONCE, appId, nonce);
+    }
+
+    // ========== 签名密钥 ==========
+
+    public String getAppSecret(String appId) {
+        return (String) stringRedisTemplate.opsForHash().get(SIGNATURE_APPID, appId);
+    }
+
+    /**
+     * 从配置文件加载 appId/appSecret 到 Redis
+     * <p>
+     * 先删除整个 Hash Key 再写入，确保 YAML 中移除的应用不会残留在 Redis 中。
+     *
+     * @param apps appId → appSecret 映射
+     */
+    public void initApps(Map<String, String> apps) {
+        if (apps == null || apps.isEmpty()) {
+            stringRedisTemplate.delete(SIGNATURE_APPID);
+            log.info("[initApps][配置为空，已清除 Redis 中的签名应用]");
+            return;
+        }
+        stringRedisTemplate.delete(SIGNATURE_APPID);
+        stringRedisTemplate.opsForHash().putAll(SIGNATURE_APPID, apps);
+        log.info("[initApps][从配置文件加载 {} 个签名应用到 Redis: {}]", apps.size(), apps.keySet());
+    }
+
+}