// Copyright 2021 Tencent Inc. All rights reserved.
// Package notify 微信支付 API v3 Go SDK 商户通知处理库
package notify
import (
"bytes"
"context"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"github.com/SilenceNo1/wechatpay-go/core/auth"
"github.com/SilenceNo1/wechatpay-go/core/auth/validators"
)
// Names of the signature scheme and AEAD algorithm handled by this package.
const (
	// rsaSignatureType is the signature type name of the RSA cipher suite.
	rsaSignatureType = "WECHATPAY2-SHA256-RSA2048"
	// defaultSignatureType is used when a request carries no
	// Wechatpay-Signature-Type header.
	defaultSignatureType = rsaSignatureType
	// aeadAesGcmAlgorithm is the resource.algorithm value the AES-GCM suite
	// expects a notification to declare.
	aeadAesGcmAlgorithm = "AEAD_AES_256_GCM"
)
// Handler processes payment notifications. Register the cipher suites used for
// signature verification and decryption before using it.
type Handler struct {
	// cipherSuites maps a signature type name to the suite registered for it.
	cipherSuites map[string]CipherSuite
}
// CipherSuite bundles the signature verification and decryption settings that
// belong to one signature type.
type CipherSuite struct {
	// signatureType is the key under which a Handler registers this suite.
	signatureType string
	// validator checks an incoming notification request before it is parsed.
	validator validators.WechatPayNotifyValidator
	// aeadAlgorithm is the algorithm name a notification resource must declare.
	aeadAlgorithm string
	// aead opens the encrypted notification resource.
	aead cipher.AEAD
}
// NewEmptyHandler returns a Handler that has no cipher suites registered yet.
func NewEmptyHandler() *Handler {
	return &Handler{cipherSuites: make(map[string]CipherSuite)}
}
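// AddCipherSuite registers cipherSuite under its signature type, replacing any
// suite already registered for that type, and returns h so calls can be chained.
func (h *Handler) AddCipherSuite(cipherSuite CipherSuite) *Handler {
	// A Handler created as a zero value instead of through NewEmptyHandler has
	// a nil map, and assigning into a nil map panics; allocate it on first use.
	if h.cipherSuites == nil {
		h.cipherSuites = make(map[string]CipherSuite)
	}
	h.cipherSuites[cipherSuite.signatureType] = cipherSuite
	return h
}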
// AddRSAWithAESGCM registers a cipher suite that pairs RSA signature
// verification (through verifier) with AES-GCM decryption (through aesgcm),
// and returns h so calls can be chained.
func (h *Handler) AddRSAWithAESGCM(verifier auth.Verifier, aesgcm cipher.AEAD) *Handler {
	notifyValidator := validators.NewWechatPayNotifyValidator(verifier)
	return h.AddCipherSuite(CipherSuite{
		signatureType: rsaSignatureType,
		validator:     *notifyValidator,
		aeadAlgorithm: aeadAesGcmAlgorithm,
		aead:          aesgcm,
	})
}
// ParseNotifyRequest turns an incoming HTTP request into a payment notification
// (*Request) and unmarshals the decrypted resource into content.
//
// The cipher suite is selected by the Wechatpay-Signature-Type header, falling
// back to defaultSignatureType when the header is empty; only suites registered
// on h are accepted. The request is handed to the suite's validator before the
// body is parsed or decrypted, and a validation failure stops processing.
//
// NOTE(review): the validation error is formatted with the whole request
// (%+v), so every request header ends up in the error text. Treat that error
// as sensitive when logging it, or redact it at the call site.
func (h *Handler) ParseNotifyRequest(
	ctx context.Context,
	request *http.Request,
	content interface{},
) (*Request, error) {
	signType := defaultSignatureType
	if headerValue := request.Header.Get("Wechatpay-Signature-Type"); headerValue != "" {
		signType = headerValue
	}

	suite, registered := h.cipherSuites[signType]
	if !registered {
		return nil, fmt.Errorf("unsupported Wechatpay-Signature-Type: %s", signType)
	}

	// Signature validation comes first; nothing from the body is trusted
	// until it succeeds.
	err := suite.validator.Validate(ctx, request)
	if err != nil {
		return nil, fmt.Errorf("invalid notification, err: %v, request: %+v",
			err, request)
	}

	rawBody, err := getRequestBody(request)
	if err != nil {
		return nil, err
	}

	return processBody(suite, rawBody, content)
}
// processBody decodes a notification body, checks that its resource declares
// the suite's AEAD algorithm, decrypts the resource and unmarshals the
// plaintext into content.
//
// When decryption or the final unmarshal fails, the partially filled *Request
// is returned together with the error; the earlier failures return nil.
func processBody(suite CipherSuite, body []byte, content interface{}) (*Request, error) {
	req := &Request{}
	if err := json.Unmarshal(body, req); err != nil {
		return nil, fmt.Errorf("parse request body error: %v", err)
	}

	// NOTE(review): Request is declared outside this view; if Resource is a
	// pointer, a body without a resource object would panic here — confirm.
	if declared := req.Resource.Algorithm; declared != suite.aeadAlgorithm {
		return nil, fmt.Errorf(
			"possible invalid notification, resource.algorithm %s is not the configured algorithm %s",
			declared,
			suite.aeadAlgorithm)
	}

	decrypted, err := doAEADOpen(
		suite.aead,
		req.Resource.Nonce,
		req.Resource.Ciphertext,
		req.Resource.AssociatedData,
	)
	if err != nil {
		return req, fmt.Errorf("%s decrypt error: %v", req.Resource.Algorithm, err)
	}
	req.Resource.Plaintext = decrypted

	// &content is a *interface{}: encoding/json fills the value content points
	// to when content holds a non-nil pointer. With a nil or non-pointer
	// content only this local variable is replaced, so the caller gets the
	// data through Resource.Plaintext alone.
	err = json.Unmarshal([]byte(decrypted), &content)
	if err != nil {
		return req, fmt.Errorf("unmarshal plaintext to content failed: %v", err)
	}
	return req, nil
}
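// doAEADOpen base64-decodes ciphertext and opens it with c, authenticating
// additionalData along with it, and returns the plaintext as a string.
//
// nonce and additionalData are used as the raw bytes of the given strings. An
// error is returned when c is nil, when ciphertext is not valid standard
// base64, when nonce does not have the length c requires, or when c rejects
// the message.
func doAEADOpen(c cipher.AEAD, nonce, ciphertext, additionalData string) (string, error) {
	if c == nil {
		return "", fmt.Errorf("aead cipher is not configured")
	}

	data, err := base64.StdEncoding.DecodeString(ciphertext)
	if err != nil {
		return "", err
	}

	// The standard library's GCM panics when given a nonce of the wrong
	// length. The nonce is taken from the notification body, so a malformed
	// one is reported as an error instead of crashing the caller.
	if len(nonce) != c.NonceSize() {
		return "", fmt.Errorf("invalid nonce length %d, expected %d", len(nonce), c.NonceSize())
	}

	plaintext, err := c.Open(nil, []byte(nonce), data, []byte(additionalData))
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}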
// getRequestBody reads the entire request body, then replaces request.Body
// with an in-memory copy so later code can read the body again.
//
// NOTE(review): the read is unbounded. Handlers exposed to the network should
// cap the body size (for example with http.MaxBytesReader) before the request
// reaches this package.
func getRequestBody(request *http.Request) ([]byte, error) {
	payload, readErr := ioutil.ReadAll(request.Body)
	if readErr != nil {
		return nil, fmt.Errorf("read request body err: %v", readErr)
	}

	// The close error is discarded; the payload has already been read in full.
	_ = request.Body.Close()
	request.Body = ioutil.NopCloser(bytes.NewBuffer(payload))
	return payload, nil
}
// NewRSANotifyHandler builds a Handler holding a single RSA + AES-GCM cipher
// suite: verifier checks signatures and apiV3Key is the AES key used for GCM
// decryption.
//
// The key bytes are passed to aes.NewCipher unchanged, which accepts 16-, 24-
// and 32-byte keys; any other length is returned as an error.
// NOTE(review): the suite is labelled AEAD_AES_256_GCM, which corresponds to a
// 32-byte key; shorter valid AES keys are not rejected here.
func NewRSANotifyHandler(apiV3Key string, verifier auth.Verifier) (*Handler, error) {
	block, err := aes.NewCipher([]byte(apiV3Key))
	if err != nil {
		return nil, err
	}

	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}

	handler := NewEmptyHandler().AddRSAWithAESGCM(verifier, gcm)
	return handler, nil
}
// NewNotifyHandler creates a notification handler.
//
// The error from NewRSANotifyHandler is discarded because this signature has
// no error result: when apiV3Key is not a usable AES key the returned Handler
// is nil, so callers must check for nil before using it.
//
// Deprecated: Use NewRSANotifyHandler instead
func NewNotifyHandler(apiV3Key string, verifier auth.Verifier) *Handler {
	handler, _ := NewRSANotifyHandler(apiV3Key, verifier)
	return handler
}