예제 #1
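def _failed_result(message):
    """Build a failed ``Result`` carrying *message* (shared by the early exits)."""
    result = Result()
    result.success = False
    result.message = message
    return result


def check_security(request, args, kwargs):
    """Run the pre-dispatch checks for a service request.

    Order: request parameters -> openid lookup -> authentication (HMAC token)
    -> service resolution -> service status -> authorization -> balance.
    Authentication is performed before any service lookup so that an unsigned
    request cannot use the status/authorization error messages as an oracle
    and does not trigger that work at all.

    Args:
        request: the incoming HTTP request; ``openid`` and ``token`` are read
            from it through ``ModuleUtils.getParam``.
        args: positional view arguments, passed to ``check_kit`` to resolve
            the requested service.
        kwargs: keyword view arguments, passed along with ``args``.

    Returns:
        A ``Result``: on failure ``success`` is False and ``message`` is the
        user-facing error text; on success ``success`` is True and
        ``message`` carries the resolved service object.
    """
    # Request parameter validation: both identifying parameters must be present.
    open_id = ModuleUtils.getParam(request, "openid")
    if open_id is None or ModuleUtils.getParam(request, "token") is None:
        return _failed_result('访问请求参数不合法,请参照服务请求示例!')

    # openid existence check.
    user, secret = check_kit.get_user_and_secret_by_openid(open_id)
    if user is None or secret is None:
        return _failed_result('身份认证不通过,请核对携带的认证信息!')

    # Security authentication: verify the caller before touching service data.
    authen, result = check_kit.check_authentication(request, user, secret)
    if not authen:
        return result

    # Service address resolution.
    service = check_kit.get_service_by_request(args, kwargs)
    if service is None:
        return _failed_result('服务请求地址解析失败,请参照服务请求示例!')

    # Service status check.
    status, result = check_kit.check_service_status(service)
    if not status:
        return result

    # Service authorization check.
    auth, result = check_kit.check_authorization(user, service)
    if not auth:
        return result

    # User balance check.
    balance, result = check_kit.check_balance(user, service)
    if not balance:
        return result

    # Every check passed; hand the resolved service back through ``message``.
    result = Result()
    result.success = True
    result.message = service
    return result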
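def _failed_result(message):
    """Build a failed ``Result`` carrying *message* (shared by the early exits)."""
    result = Result()
    result.success = False
    result.message = message
    return result


def check_security(request, args, kwargs):
    """Run the pre-dispatch checks for a service request.

    Order: request parameters -> openid lookup -> authentication (HMAC token)
    -> service resolution -> service status -> authorization -> balance.
    Authentication is performed before any service lookup so that an unsigned
    request cannot use the status/authorization error messages as an oracle
    and does not trigger that work at all.

    Args:
        request: the incoming HTTP request; ``openid`` and ``token`` are read
            from it through ``ModuleUtils.getParam``.
        args: positional view arguments, passed to ``check_kit`` to resolve
            the requested service.
        kwargs: keyword view arguments, passed along with ``args``.

    Returns:
        A ``Result``: on failure ``success`` is False and ``message`` is the
        user-facing error text; on success ``success`` is True and
        ``message`` carries the resolved service object.
    """
    # Request parameter validation: both identifying parameters must be present.
    open_id = ModuleUtils.getParam(request, "openid")
    if open_id is None or ModuleUtils.getParam(request, "token") is None:
        return _failed_result('访问请求参数不合法,请参照服务请求示例!')

    # openid existence check.
    user, secret = check_kit.get_user_and_secret_by_openid(open_id)
    if user is None or secret is None:
        return _failed_result('身份认证不通过,请核对携带的认证信息!')

    # Security authentication: verify the caller before touching service data.
    authen, result = check_kit.check_authentication(request, user, secret)
    if not authen:
        return result

    # Service address resolution.
    service = check_kit.get_service_by_request(args, kwargs)
    if service is None:
        return _failed_result('服务请求地址解析失败,请参照服务请求示例!')

    # Service status check.
    status, result = check_kit.check_service_status(service)
    if not status:
        return result

    # Service authorization check.
    auth, result = check_kit.check_authorization(user, service)
    if not auth:
        return result

    # User balance check.
    balance, result = check_kit.check_balance(user, service)
    if not balance:
        return result

    # Every check passed; hand the resolved service back through ``message``.
    result = Result()
    result.success = True
    result.message = service
    return result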
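 def process_view(self, request, view, args, kwargs):
     """Gate ``/service/...`` views behind ``security.check_security``.

     Runs before the view.  Requests whose path is not a service URL pass
     through untouched (returns None).  For service URLs a failed check is
     answered directly with the failure message; on success the resolved
     service, its ``serve_url`` and the caller's ``openid`` are injected into
     ``kwargs`` (without overriding values already present) for the view.
     """
     # Match on the request path only.  The previous pattern was applied to
     # "http://" + Host + path and required an explicit ":port", so a request
     # whose Host header carried no port (behind a reverse proxy, or any
     # client-chosen Host value) skipped the security check entirely.
     if not re.search(r"/service/.*/.*/.*", request.get_full_path()):
         return None
     result = security.check_security(request, args, kwargs)
     if not result.success:
         # NOTE(review): the rejection is sent with the default 200 status;
         # a 4xx would let clients and proxies tell it apart from success.
         return HttpResponse(result.message)
     service = result.message
     kwargs.setdefault("url", service.serve_url)
     kwargs.setdefault("openid", ModuleUtils.getParam(request, "openid"))
     kwargs.setdefault("invoked_service", service)
     return None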
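def check_authentication(request, user, secret):
    """Verify the request's HMAC token and its anti-replay timestamp.

    The ``token`` request parameter is base64 of
    ``<hex HMAC-SHA256>timestamp:<yyyyMMddHHmmss>``.  The server recomputes
    HMAC-SHA256 keyed with ``secret.access_Key`` over
    ``open_id + REMOTE_ADDR + CONTENT_TYPE + request.path + timestamp`` and
    the two digests must match; the timestamp must lie within five minutes
    of the server's local time.

    Args:
        request: incoming request; ``META["REMOTE_ADDR"]``,
            ``META["CONTENT_TYPE"]``, ``path`` and the ``token`` parameter
            are read.
        user: the resolved user; not used here, kept for the caller's
            signature.
        secret: credential record providing ``open_id`` and ``access_Key``.

    Returns:
        ``(ok, result)`` where ``result`` is a ``security.Result`` whose
        ``message`` explains a failure; ``ok`` is True only when both the
        signature and the timestamp verify.
    """
    result = security.Result()
    open_id = secret.open_id
    # NOTE(review): behind a reverse proxy REMOTE_ADDR is the proxy's address,
    # so the signed string would differ from what the client computed.
    remote_addr = request.META["REMOTE_ADDR"]
    content_type = request.META["CONTENT_TYPE"]
    uri_resource = request.path

    try:
        raw_token = base64.b64decode(ModuleUtils.getParam(request, "token"))
        # Work on bytes so the same code runs on Python 2 (str) and 3 (bytes).
        marker = raw_token.find(b"timestamp")
        if marker < 0:
            # Return a Result like every other branch: the caller hands it to
            # process_view, which reads ``.message``.
            result.success = False
            result.message = "{'success': False,'error_message':'为防止重放攻击,请于token中加入格式为:timestamp:yyyyMMddHHmiss(24小时制)的时间戳!'}"
            return False, result
        timestamp = raw_token[marker + len(b"timestamp:"):].decode("ascii")
        client_signature = raw_token[:marker]

        # Age of the request.  total_seconds() is deliberate: timedelta.seconds
        # ignores the days component, so a token from days ago looked fresh
        # and a slightly future one looked ~86400 s old.
        sent_at = datetime.datetime.strptime(timestamp, "%Y%m%d%H%M%S")
        delta_seconds = (datetime.datetime.now() - sent_at).total_seconds()

        string_to_sign = "%s%s%s%s%s" % (open_id, remote_addr, content_type,
                                         uri_resource, timestamp)
        server_signature = hmac.new(
            secret.access_Key.encode("utf-8"),
            string_to_sign.encode("utf-8"),
            digestmod=hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison; a plain == leaks where the mismatch is.
        if not hmac.compare_digest(server_signature.encode("utf-8"),
                                   client_signature):
            result.success = False
            result.message = '身份认证失败,请核对携带的认证信息!'
            return False, result
        if abs(delta_seconds) > 5 * 60:
            result.success = False
            result.message = '服务请求时间戳异常,疑似重放攻击!'
            return False, result
    except Exception as e:
        # Malformed base64 or timestamp, or missing META keys, all end here;
        # the caller only needs a failed Result.
        print(e)
        result.success = False
        result.message = '身份认证异常,请核对携带的认证信息!'
        return False, result

    # Both checks passed.  The previous version fell off the end here and
    # returned None, which broke the caller's ``authen, result = ...`` unpacking.
    result.success = True
    return True, result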
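 def process_view(self, request, view, args, kwargs):
     """Gate ``/service/...`` views behind ``security.check_security``.

     Runs before the view.  Requests whose path is not a service URL pass
     through untouched (returns None).  For service URLs a failed check is
     answered directly with the failure message; on success the resolved
     service, its ``serve_url`` and the caller's ``openid`` are injected into
     ``kwargs`` (without overriding values already present) for the view.
     """
     # Match on the request path only.  The previous pattern was applied to
     # "http://" + Host + path and required an explicit ":port", so a request
     # whose Host header carried no port (behind a reverse proxy, or any
     # client-chosen Host value) skipped the security check entirely.
     if not re.search(r"/service/.*/.*/.*", request.get_full_path()):
         return None
     result = security.check_security(request, args, kwargs)
     if not result.success:
         # NOTE(review): the rejection is sent with the default 200 status;
         # a 4xx would let clients and proxies tell it apart from success.
         return HttpResponse(result.message)
     service = result.message
     kwargs.setdefault("url", service.serve_url)
     kwargs.setdefault("openid", ModuleUtils.getParam(request, "openid"))
     kwargs.setdefault("invoked_service", service)
     return None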
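def check_authentication(request, user, secret):
    """Verify the request's HMAC token and its anti-replay timestamp.

    The ``token`` request parameter is base64 of
    ``<hex HMAC-SHA256>timestamp:<yyyyMMddHHmmss>``.  The server recomputes
    HMAC-SHA256 keyed with ``secret.access_Key`` over
    ``open_id + REMOTE_ADDR + CONTENT_TYPE + request.path + timestamp`` and
    the two digests must match; the timestamp must lie within five minutes
    of the server's local time.

    Args:
        request: incoming request; ``META["REMOTE_ADDR"]``,
            ``META["CONTENT_TYPE"]``, ``path`` and the ``token`` parameter
            are read.
        user: the resolved user; not used here, kept for the caller's
            signature.
        secret: credential record providing ``open_id`` and ``access_Key``.

    Returns:
        ``(ok, result)`` where ``result`` is a ``security.Result`` whose
        ``message`` explains a failure; ``ok`` is True only when both the
        signature and the timestamp verify.
    """
    result = security.Result()
    open_id = secret.open_id
    # NOTE(review): behind a reverse proxy REMOTE_ADDR is the proxy's address,
    # so the signed string would differ from what the client computed.
    remote_addr = request.META["REMOTE_ADDR"]
    content_type = request.META["CONTENT_TYPE"]
    uri_resource = request.path

    try:
        raw_token = base64.b64decode(ModuleUtils.getParam(request, "token"))
        # Work on bytes so the same code runs on Python 2 (str) and 3 (bytes).
        marker = raw_token.find(b"timestamp")
        if marker < 0:
            # Return a Result like every other branch: the caller hands it to
            # process_view, which reads ``.message``.
            result.success = False
            result.message = "{'success': False,'error_message':'为防止重放攻击,请于token中加入格式为:timestamp:yyyyMMddHHmiss(24小时制)的时间戳!'}"
            return False, result
        timestamp = raw_token[marker + len(b"timestamp:"):].decode("ascii")
        client_signature = raw_token[:marker]

        # Age of the request.  total_seconds() is deliberate: timedelta.seconds
        # ignores the days component, so a token from days ago looked fresh
        # and a slightly future one looked ~86400 s old.
        sent_at = datetime.datetime.strptime(timestamp, "%Y%m%d%H%M%S")
        delta_seconds = (datetime.datetime.now() - sent_at).total_seconds()

        string_to_sign = "%s%s%s%s%s" % (open_id, remote_addr, content_type,
                                         uri_resource, timestamp)
        server_signature = hmac.new(
            secret.access_Key.encode("utf-8"),
            string_to_sign.encode("utf-8"),
            digestmod=hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison; a plain == leaks where the mismatch is.
        if not hmac.compare_digest(server_signature.encode("utf-8"),
                                   client_signature):
            result.success = False
            result.message = "身份认证失败,请核对携带的认证信息!"
            return False, result
        if abs(delta_seconds) > 5 * 60:
            result.success = False
            result.message = "服务请求时间戳异常,疑似重放攻击!"
            return False, result
    except Exception as e:
        # Malformed base64 or timestamp, or missing META keys, all end here;
        # the caller only needs a failed Result.
        print(e)
        result.success = False
        result.message = "身份认证异常,请核对携带的认证信息!"
        return False, result

    # Both checks passed.  The previous version fell off the end here and
    # returned None, which broke the caller's ``authen, result = ...`` unpacking.
    result.success = True
    return True, result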