def check_security(request, args, kwargs):
#服务请求参数验证
open_id = ModuleUtils.getParam(request, "openid")
if open_id == None or ModuleUtils.getParam(request, "token") == None:
result = Result()
result.success = False
result.message = '访问请求参数不合法,请参照服务请求示例!'
return result
#openid存在检查
user, secret = check_kit.get_user_and_secret_by_openid(open_id)
if user == None or secret == None:
result = Result()
result.success = False
result.message = '身份认证不通过,请核对携带的认证信息!'
return result
#服务地址解析
service = check_kit.get_service_by_request(args, kwargs)
if service == None:
result = Result()
result.success = False
result.message = '服务请求地址解析失败,请参照服务请求示例!'
return result
#服务状态检查
status, result = check_kit.check_service_status(service)
if not status:
return result
#服务授权校验
auth, result = check_kit.check_authorization(user, service)
if not auth:
return result
#服务安全认证
authen, result = check_kit.check_authentication(request, user, secret)
if not authen:
return result
#用户余额检查
balance, result = check_kit.check_balance(user, service)
if not balance:
return result
result = Result()
result.success = True
result.message = service
return result
def check_security(request, args, kwargs):
#服务请求参数验证
open_id = ModuleUtils.getParam(request ,"openid")
if open_id == None or ModuleUtils.getParam(request ,"token") == None:
result = Result()
result.success = False;
result.message = '访问请求参数不合法,请参照服务请求示例!'
return result
#openid存在检查
user,secret = check_kit.get_user_and_secret_by_openid(open_id);
if user == None or secret == None :
result = Result()
result.success = False;
result.message = '身份认证不通过,请核对携带的认证信息!'
return result
#服务地址解析
service = check_kit.get_service_by_request( args, kwargs);
if service == None :
result = Result()
result.success = False;
result.message = '服务请求地址解析失败,请参照服务请求示例!'
return result
#服务状态检查
status,result = check_kit.check_service_status(service)
if not status:
return result
#服务授权校验
auth,result = check_kit.check_authorization(user,service)
if not auth:
return result
#服务安全认证
authen,result = check_kit.check_authentication(request,user,secret)
if not authen:
return result
#用户余额检查
balance,result = check_kit.check_balance(user,service)
if not balance:
return result
result = Result()
result.success = True
result.message = service
return result
def process_view(self, request, view, args, kwargs):
current_request_subject = "http://"+request.get_host()+request.get_full_path()
regex = "https?://.+:\d{4,5}/service/.*/.*/.*"
match = re.search(regex, current_request_subject)
if match:
result = security.check_security(request, args, kwargs)
if result.success == False:
return HttpResponse( result.message );
else:
service = result.message
kwargs.setdefault("url",service.serve_url)
kwargs.setdefault("openid", ModuleUtils.getParam(request ,"openid"))
kwargs.setdefault("invoked_service", service)
pass
def check_authentication(request, user, secret):
result = security.Result()
#用户认证校验
open_id = secret.open_id
remote_addr = request.META["REMOTE_ADDR"]
content_type = request.META["CONTENT_TYPE"]
uri_resource = request.path
#pbkdf2_sha256.encrypt("admin", salt="lxsalt", rounds=1 )
#pbkdf2_sha256.verify("admin",passlib_hash)
#passlibpbkdf2("admin", "lxsalt", 100, prf='hmac-sha256')
#hash_pbkdf2 = pbkdf2("admin", "lxsalt", 100, digest=hashlib.sha256) #@UndefinedVariable
#base64.b64encode(hash_pbkdf2).encode("utf-8")
try:
client_signature = base64.b64decode(
ModuleUtils.getParam(request, "token"))
if not "timestamp" in client_signature:
return False, "{'success': False,'error_message':'为防止重放攻击,请于token中加入格式为:timestamp:yyyyMMddHHmiss(24小时制)的时间戳!'}"
timestamp = client_signature[client_signature.find("timestamp") +
len("timestamp:"):]
client_signature = client_signature[0:client_signature.find("timestamp"
)]
#所传时间戳与当前时间差
delta_seconds = (
datetime.datetime.now() -
datetime.datetime.strptime(timestamp, "%Y%m%d%H%M%S")).seconds
stringtoSign = "%s%s%s%s%s" % (open_id, remote_addr, content_type,
uri_resource, timestamp)
server_signature = hmac.new(
secret.access_Key.encode('utf-8'),
stringtoSign.encode('utf-8'),
digestmod=hashlib.sha256).hexdigest() #@UndefinedVariable
#server_signature = make_password(stringtoSign ,secret.access_Key,'pbkdf2_sha256')
#server_signature = server_signature[server_signature.rindex("$")+1:]
if not server_signature == client_signature:
result.success = False
result.message = '身份认证失败,请核对携带的认证信息!'
return False, result
if abs(delta_seconds) > 5 * 60:
result.success = False
result.message = '服务请求时间戳异常,疑似重放攻击!'
return False, result
except Exception, e:
print e
result.success = False
result.message = '身份认证异常,请核对携带的认证信息!'
return False, result
def process_view(self, request, view, args, kwargs):
current_request_subject = "http://" + request.get_host(
) + request.get_full_path()
regex = "https?://.+:\d{4,5}/service/.*/.*/.*"
match = re.search(regex, current_request_subject)
if match:
result = security.check_security(request, args, kwargs)
if result.success == False:
return HttpResponse(result.message)
else:
service = result.message
kwargs.setdefault("url", service.serve_url)
kwargs.setdefault("openid",
ModuleUtils.getParam(request, "openid"))
kwargs.setdefault("invoked_service", service)
pass
def check_authentication(request, user, secret):
result = security.Result()
# 用户认证校验
open_id = secret.open_id
remote_addr = request.META["REMOTE_ADDR"]
content_type = request.META["CONTENT_TYPE"]
uri_resource = request.path
# pbkdf2_sha256.encrypt("admin", salt="lxsalt", rounds=1 )
# pbkdf2_sha256.verify("admin",passlib_hash)
# passlibpbkdf2("admin", "lxsalt", 100, prf='hmac-sha256')
# hash_pbkdf2 = pbkdf2("admin", "lxsalt", 100, digest=hashlib.sha256) #@UndefinedVariable
# base64.b64encode(hash_pbkdf2).encode("utf-8")
try:
client_signature = base64.b64decode(ModuleUtils.getParam(request, "token"))
if not "timestamp" in client_signature:
return (
False,
"{'success': False,'error_message':'为防止重放攻击,请于token中加入格式为:timestamp:yyyyMMddHHmiss(24小时制)的时间戳!'}",
)
timestamp = client_signature[client_signature.find("timestamp") + len("timestamp:") :]
client_signature = client_signature[0 : client_signature.find("timestamp")]
# 所传时间戳与当前时间差
delta_seconds = (datetime.datetime.now() - datetime.datetime.strptime(timestamp, "%Y%m%d%H%M%S")).seconds
stringtoSign = "%s%s%s%s%s" % (open_id, remote_addr, content_type, uri_resource, timestamp)
server_signature = hmac.new(
secret.access_Key.encode("utf-8"), stringtoSign.encode("utf-8"), digestmod=hashlib.sha256
).hexdigest() # @UndefinedVariable
# server_signature = make_password(stringtoSign ,secret.access_Key,'pbkdf2_sha256')
# server_signature = server_signature[server_signature.rindex("$")+1:]
if not server_signature == client_signature:
result.success = False
result.message = "身份认证失败,请核对携带的认证信息!"
return False, result
if abs(delta_seconds) > 5 * 60:
result.success = False
result.message = "服务请求时间戳异常,疑似重放攻击!"
return False, result
except Exception, e:
print e
result.success = False
result.message = "身份认证异常,请核对携带的认证信息!"
return False, result
