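def _rejected(message):
    """Build a failed ``Result`` carrying the user-facing *message*."""
    result = Result()
    result.success = False
    result.message = message
    return result


def check_security(request, args, kwargs):
    """Run a service request through the access checks, first failure wins.

    Order of checks: required parameters present -> ``openid`` resolves to a
    user and secret -> the service resolves from the URL -> service status ->
    authorization -> HMAC authentication -> balance. Each ``check_kit`` step
    returns ``(ok, result)``; when ``ok`` is false its ``result`` is returned
    to the caller unchanged.

    Args:
        request: Django request; ``openid`` and ``token`` are read through
            ``ModuleUtils.getParam``.
        args, kwargs: view arguments, handed to
            ``check_kit.get_service_by_request`` to resolve the service.

    Returns:
        A ``Result``. On success ``result.success`` is True and
        ``result.message`` holds the resolved service object (the middleware
        reads ``serve_url`` from it); on failure ``success`` is False and
        ``message`` is a user-facing string.
    """
    # 服务请求参数验证 -- both identifiers must be present before any lookup.
    open_id = ModuleUtils.getParam(request, "openid")
    if open_id is None or ModuleUtils.getParam(request, "token") is None:
        return _rejected('访问请求参数不合法,请参照服务请求示例!')

    # openid存在检查 -- an unknown openid and a missing secret are reported
    # with the same message so the response does not reveal which one failed.
    user, secret = check_kit.get_user_and_secret_by_openid(open_id)
    if user is None or secret is None:
        return _rejected('身份认证不通过,请核对携带的认证信息!')

    # 服务地址解析
    service = check_kit.get_service_by_request(args, kwargs)
    if service is None:
        return _rejected('服务请求地址解析失败,请参照服务请求示例!')

    # 服务状态检查 / 服务授权校验 / 服务安全认证 / 用户余额检查: each returns
    # (ok, result) and the first failing result is passed back as-is.
    status, result = check_kit.check_service_status(service)
    if not status:
        return result

    auth, result = check_kit.check_authorization(user, service)
    if not auth:
        return result

    authen, result = check_kit.check_authentication(request, user, secret)
    if not authen:
        return result

    balance, result = check_kit.check_balance(user, service)
    if not balance:
        return result

    # The service object travels to the caller in ``message``.
    result = Result()
    result.success = True
    result.message = service
    return result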
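def check_security(request, args, kwargs):
    """Gate a service request: parameters, identity, service, status, authz, authn, balance.

    The checks run in that order and the first one that fails decides the
    outcome; ``check_kit`` steps hand back ``(ok, result)`` and their
    ``result`` is returned untouched when ``ok`` is false.

    Args:
        request: Django request; ``openid`` and ``token`` come from
            ``ModuleUtils.getParam``.
        args, kwargs: view arguments used by
            ``check_kit.get_service_by_request`` to resolve the service.

    Returns:
        ``Result`` with ``success`` True and the resolved service object in
        ``message`` on success; on failure ``success`` is False and
        ``message`` is a user-facing string.
    """

    def _rejected(message):
        # Local helper: one failed Result per rejection reason.
        failed = Result()
        failed.success = False
        failed.message = message
        return failed

    # 服务请求参数验证
    open_id = ModuleUtils.getParam(request, "openid")
    token_missing = ModuleUtils.getParam(request, "token") is None
    if open_id is None or token_missing:
        return _rejected("访问请求参数不合法,请参照服务请求示例!")

    # openid存在检查 -- unknown user and missing secret share one message so
    # the response does not distinguish the two cases.
    user, secret = check_kit.get_user_and_secret_by_openid(open_id)
    if user is None or secret is None:
        return _rejected("身份认证不通过,请核对携带的认证信息!")

    # 服务地址解析
    service = check_kit.get_service_by_request(args, kwargs)
    if service is None:
        return _rejected("服务请求地址解析失败,请参照服务请求示例!")

    # 服务状态检查, 服务授权校验, 服务安全认证, 用户余额检查 -- run in order,
    # stop at the first failure.
    gates = (
        lambda: check_kit.check_service_status(service),
        lambda: check_kit.check_authorization(user, service),
        lambda: check_kit.check_authentication(request, user, secret),
        lambda: check_kit.check_balance(user, service),
    )
    for gate in gates:
        ok, result = gate()
        if not ok:
            return result

    passed = Result()
    passed.success = True
    # The caller reads the service object out of ``message``.
    passed.message = service
    return passed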
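def process_view(self, request, view, args, kwargs):
    """Django middleware hook: run ``security.check_security`` for service URLs.

    Requests whose URL looks like ``.../service/<a>/<b>/<c>`` are checked;
    anything else passes through untouched (``None`` tells Django to continue).

    Args:
        request: Django request.
        view: the resolved view callable (unused).
        args, kwargs: view arguments; on success ``url``, ``openid`` and
            ``invoked_service`` are injected into ``kwargs`` for the view.

    Returns:
        ``HttpResponse`` with the failure message when the check fails,
        otherwise ``None``.
    """
    current_request_subject = "http://" + request.get_host() + request.get_full_path()
    # Raw string: ``\d`` inside a plain literal is an invalid escape sequence.
    # The port is no longer required -- ``get_host()`` omits it on the default
    # ports 80/443, and with the old ``:\d{4,5}`` pattern such deployments
    # skipped this check entirely. The subject is always built with an
    # ``http://`` prefix, so ``https?`` only ever sees ``http://``.
    regex = r"https?://[^/]+/service/.*/.*/.*"
    if not re.search(regex, current_request_subject):
        return None

    result = security.check_security(request, args, kwargs)
    # Fail closed: anything other than an explicit truthy ``success`` is a
    # rejection (the old ``== False`` test let a None/unset flag through).
    if not result.success:
        return HttpResponse(result.message)

    # On success ``message`` carries the resolved service object.
    service = result.message
    kwargs.setdefault("url", service.serve_url)
    kwargs.setdefault("openid", ModuleUtils.getParam(request, "openid"))
    kwargs.setdefault("invoked_service", service)
    return None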
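def check_authentication(request, user, secret):
    """Verify the HMAC-SHA256 request signature carried in the ``token`` parameter.

    Token layout (client side): ``base64(<hex hmac> + "timestamp:" +
    yyyyMMddHHmmss)``. The server recomputes HMAC-SHA256 over
    ``open_id + REMOTE_ADDR + CONTENT_TYPE + path + timestamp`` keyed with
    ``secret.access_Key`` and requires the timestamp to lie within +/-5
    minutes of the server clock.

    Args:
        request: Django request; ``META["REMOTE_ADDR"]``,
            ``META["CONTENT_TYPE"]``, ``path`` and the ``token`` parameter
            (via ``ModuleUtils.getParam``) are read.
        user: user record; unused here, kept for the ``check_kit`` call shape.
        secret: credential record exposing ``open_id`` and ``access_Key``.

    Returns:
        ``(True, result)`` when the signature verifies and the timestamp is
        fresh, otherwise ``(False, result)``; ``result`` is always a
        ``security.Result`` (the old code returned a bare string for a
        missing timestamp and fell off the end on success, both of which
        broke the ``authen, result = ...`` unpack in the caller).

    Notes:
        Within the five-minute window a captured token is still replayable;
        binding to REMOTE_ADDR narrows that, a server-side seen-token/nonce
        cache would be needed to close it. NOTE(review): behind a reverse
        proxy REMOTE_ADDR is presumably the proxy address -- confirm what the
        client signs in that deployment.
    """
    result = security.Result()
    # 用户认证校验
    open_id = secret.open_id

    try:
        decoded = base64.b64decode(ModuleUtils.getParam(request, "token"))
        if not isinstance(decoded, str):
            # Python 3 b64decode yields bytes; on Python 2 str is bytes already.
            decoded = decoded.decode('utf-8')

        client_signature, marker, timestamp = decoded.partition("timestamp:")
        if not marker:
            result.success = False
            result.message = '为防止重放攻击,请于token中加入格式为:timestamp:yyyyMMddHHmiss(24小时制)的时间戳!'
            return False, result

        # 所传时间戳与当前时间差 -- total_seconds(), not .seconds: .seconds is
        # only the sub-day remainder, so a token from exactly N days earlier
        # at the same time of day had a "delta" of 0 and passed the window.
        # NOTE(review): now() is naive local time -- confirm client and server
        # agree on the zone, otherwise legitimate requests land outside +/-5 min.
        sent_at = datetime.datetime.strptime(timestamp, "%Y%m%d%H%M%S")
        delta_seconds = (datetime.datetime.now() - sent_at).total_seconds()

        # Missing headers raise KeyError here and are reported as an
        # authentication error by the handler below (previously a 500).
        remote_addr = request.META["REMOTE_ADDR"]
        content_type = request.META["CONTENT_TYPE"]
        uri_resource = request.path

        string_to_sign = "%s%s%s%s%s" % (open_id, remote_addr, content_type, uri_resource, timestamp)
        server_signature = hmac.new(
            secret.access_Key.encode('utf-8'),
            string_to_sign.encode('utf-8'),
            digestmod=hashlib.sha256,
        ).hexdigest()

        # Constant-time comparison: ``==`` stops at the first differing byte and
        # leaks how many leading hex digits of a guess were right.
        if not hmac.compare_digest(server_signature, client_signature):
            result.success = False
            result.message = '身份认证失败,请核对携带的认证信息!'
            return False, result

        if abs(delta_seconds) > 5 * 60:
            result.success = False
            result.message = '服务请求时间戳异常,疑似重放攻击!'
            return False, result
    except Exception as e:
        # Bad base64, malformed timestamp, missing header, ...: never let the
        # detail reach the client, report a generic failure.
        print(e)
        result.success = False
        result.message = '身份认证异常,请核对携带的认证信息!'
        return False, result

    result.success = True
    return True, result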
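def process_view(self, request, view, args, kwargs):
    """Middleware hook that authenticates ``/service/<a>/<b>/<c>`` requests.

    Matching requests go through ``security.check_security``; a failed check
    short-circuits with an ``HttpResponse`` carrying the message, a passed
    check injects ``url``, ``openid`` and ``invoked_service`` into ``kwargs``
    and lets Django continue (``None``). Non-matching requests pass through.

    Args:
        request: Django request.
        view: resolved view callable (unused).
        args, kwargs: view arguments; ``kwargs`` is extended on success.

    Returns:
        ``HttpResponse`` on rejection, ``None`` otherwise.
    """
    subject = "http://" + request.get_host() + request.get_full_path()
    # Raw string (``\d`` is an invalid escape in a plain literal). The port is
    # optional: ``get_host()`` drops it on the default ports, and requiring
    # ``:\d{4,5}`` meant those deployments bypassed the check.
    service_url = re.compile(r"https?://[^/]+/service/.*/.*/.*")
    if service_url.search(subject) is None:
        return None

    outcome = security.check_security(request, args, kwargs)
    if not outcome.success:
        # Fail closed on anything but an explicit success flag.
        return HttpResponse(outcome.message)

    service = outcome.message  # the resolved service object rides in ``message``
    for key, value in (
        ("url", service.serve_url),
        ("openid", ModuleUtils.getParam(request, "openid")),
        ("invoked_service", service),
    ):
        kwargs.setdefault(key, value)
    return None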
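def check_authentication(request, user, secret):
    """Check the HMAC-SHA256 signature and freshness of the ``token`` parameter.

    The client sends ``base64(<hex hmac> + "timestamp:" + yyyyMMddHHmmss)``;
    the server signs ``open_id + REMOTE_ADDR + CONTENT_TYPE + path + timestamp``
    with ``secret.access_Key`` and accepts timestamps within +/-5 minutes.

    Args:
        request: Django request (``META``, ``path`` and the ``token``
            parameter through ``ModuleUtils.getParam``).
        user: user record, unused here; part of the ``check_kit`` call shape.
        secret: credential record with ``open_id`` and ``access_Key``.

    Returns:
        ``(ok, result)`` with ``result`` always a ``security.Result`` --
        including the missing-timestamp case, which used to return a bare
        string, and the success case, which used to return nothing.

    Notes:
        A captured token stays valid for the whole five-minute window; a
        seen-token or nonce cache on the server would be needed to stop
        replay inside it. NOTE(review): REMOTE_ADDR is presumably the proxy
        address when deployed behind one -- confirm the value clients sign.
    """
    result = security.Result()
    # 用户认证校验
    open_id = secret.open_id

    def _fail(message):
        result.success = False
        result.message = message
        return False, result

    try:
        decoded = base64.b64decode(ModuleUtils.getParam(request, "token"))
        if not isinstance(decoded, str):
            # bytes on Python 3; on Python 2 str already is bytes
            decoded = decoded.decode("utf-8")

        client_signature, marker, timestamp = decoded.partition("timestamp:")
        if not marker:
            return _fail("为防止重放攻击,请于token中加入格式为:timestamp:yyyyMMddHHmiss(24小时制)的时间戳!")

        # 所传时间戳与当前时间差. ``.seconds`` was wrong here: it is the sub-day
        # remainder only, so a token from N whole days earlier read as fresh.
        # NOTE(review): naive local time on both sides -- confirm zones agree.
        sent_at = datetime.datetime.strptime(timestamp, "%Y%m%d%H%M%S")
        delta_seconds = (datetime.datetime.now() - sent_at).total_seconds()

        # A missing header raises KeyError and is handled below instead of
        # escaping as a server error.
        remote_addr = request.META["REMOTE_ADDR"]
        content_type = request.META["CONTENT_TYPE"]
        uri_resource = request.path

        string_to_sign = "%s%s%s%s%s" % (open_id, remote_addr, content_type, uri_resource, timestamp)
        server_signature = hmac.new(
            secret.access_Key.encode("utf-8"),
            string_to_sign.encode("utf-8"),
            digestmod=hashlib.sha256,
        ).hexdigest()

        # compare_digest runs in constant time; ``==`` leaks the length of the
        # matching prefix through timing.
        if not hmac.compare_digest(server_signature, client_signature):
            return _fail("身份认证失败,请核对携带的认证信息!")

        if abs(delta_seconds) > 5 * 60:
            return _fail("服务请求时间戳异常,疑似重放攻击!")
    except Exception as e:
        # Malformed token/timestamp or missing header: generic message only.
        print(e)
        return _fail("身份认证异常,请核对携带的认证信息!")

    result.success = True
    return True, result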