def POST(self, swarmName, swarmIp):
""" add a swarm cluster into current, check, pickle. """
res = {"msg": None, "code": 0}
swarmIp = swarmIp.strip()
swarmName = swarmName.strip()
logger.debug(
"post a swarm cluster, name is %s, ip is %s, check ip is %s" %
(swarmName, swarmIp, ip_check(swarmIp)))
if not swarmName or not swarmIp or not ip_check(swarmIp):
res.update(msg="POST: data params error", code=-1020)
elif self.isMember(swarmName):
res.update(msg="POST: swarm cluster already exists", code=-1021)
else:
#access node ip's info, and get all remote managers
url = Splice(netloc=swarmIp, port=self.port, path='/info').geturl
swarm = dict(name=swarmName)
logger.info(
"init a swarm cluter named %s, will get swarm ip info, that url is %s"
% (swarmName, url))
try:
nodeinfo = requests.get(url,
timeout=self.timeout,
verify=self.verify).json()
logger.debug("get swarm ip info, response is %s" % nodeinfo)
swarm["manager"] = [
nodes["Addr"].split(":")[0]
for nodes in nodeinfo["Swarm"]["RemoteManagers"]
]
except Exception, e:
logger.error(e, exc_info=True)
res.update(msg="POST: access the node ip has exception",
code=-1022)
else:
def signOut():
""" 单点注销流程
1. 根据sid查找注册的clients
2. pop一个client并跳转到其注销页面,携带参数为`NextUrl=当前路由地址`,如果有`ReturnUrl`同样携带。
client处理:检测通过注销局部会话并跳转回当前路由
3. 循环第2步,直到clients为空(所有已注册的局部会话已经注销)
4. 注销本地全局会话,删除相关数据,跳转到登录页面
"""
# 最终跳转回地址
ReturnUrl = request.args.get("ReturnUrl") or url_for(".signOut",
_external=True)
if g.sid:
clients = g.api.usersso.ssoGetRegisteredClient(g.sid)
logger.debug("has sid, get clients: {}".format(clients))
if clients and isinstance(clients, list) and len(clients) > 0:
clientName = clients.pop()
clientData = g.api.userapp.getUserApp(clientName)
if clientData:
if g.api.usersso.clearRegisteredClient(g.sid, clientName):
NextUrl = "{}/sso/authorized?{}".format(
clientData["app_redirect_url"].strip("/"),
urlencode(
dict(Action="ssoLogout",
ReturnUrl=ReturnUrl,
app_name=clientName)))
return redirect(NextUrl)
return redirect(url_for(".signOut"))
# 没有sid时,或者存在sid已经注销到第4步
g.api.usersso.clearRegisteredUserSid(g.uid, g.sid)
response = make_response(redirect(ReturnUrl))
response.set_cookie(key='sessionId', value='', expires=0)
return response
def InceptionOSC(Action, sqlsha1, inception):
"""查询pt-osc执行进度"""
res = dict(code=1, msg=None)
if Action in ("Query", "Stop") and sqlsha1 and inception and check_ipport(inception) and len(sqlsha1) == 41 and sqlsha1.startswith('*'):
if Action == "Query":
# 通过Inception查询osc
sql = 'inception get osc_percent %s;'
idb = IncetDB(host=inception.split(":")[0], port=int(inception.split(":")[-1]))
result = idb.get(sql, sqlsha1)
if not result:
res.update(code=2, msg="No query to OSC progress")
else:
res.update(data=result, code=0)
elif Action == "Stop":
# 通过Inception中止OSC执行
sql = 'inception stop alter %s;'
idb = IncetDB(host=inception.split(":")[0], port=int(inception.split(":")[-1]))
try:
result = idb.get(sql, sqlsha1)
logger.debug("stop osc result " + result)
except Exception,e:
res.update(msg=str(e))
else:
if not result:
res.update(code=2, msg="No query to OSC progress")
else:
res.update(data=result, code=0)
def useruploadpub():
# 通过表单形式上传图片
res = dict(code=1, msg=None)
logger.debug(request.files)
f = request.files.get('file')
callableAction = request.args.get("callableAction")
if f and allowed_file(f.filename):
filename = gen_rnd_filename() + "." + secure_filename(
f.filename).split('.')[-1] # 随机命名
# 判断是否上传到又拍云还是保存到本地
if Upyun['enable'] in ('true', 'True', True):
basedir = Upyun['basedir'] if Upyun['basedir'].startswith(
'/') else "/" + Upyun['basedir']
imgUrl = os.path.join(basedir, filename)
try:
# 又拍云存储封装接口
UploadImage2Upyun(imgUrl, f.stream.read())
except Exception, e:
logger.error(e, exc_info=True)
res.update(code=2, msg="System is abnormal")
else:
imgUrl = Upyun['dn'].strip("/") + imgUrl
res.update(data=dict(src=imgUrl), code=0)
else:
if not os.path.exists(UPLOAD_FOLDER): os.makedirs(UPLOAD_FOLDER)
f.save(os.path.join(UPLOAD_FOLDER, filename))
imgUrl = request.url_root + IMAGE_FOLDER + filename
res.update(data=dict(src=imgUrl), code=0)
def OAuthDirectLogin():
"""OAuth2直接登录(首选)"""
if request.method == 'POST':
sso = request.args.get("sso") or None
logger.debug("OAuthDirectLogin, sso type: {}, content: {}".format(
type(sso), sso))
openid = request.form.get("openid")
if openid:
auth = Authentication(g.mysql, g.redis)
# 直接注册新账号并设置登录态
res = auth.oauth2_signUp(openid, g.ip)
res = dfr(res)
if res["success"]:
# 记录登录日志
auth.brush_loginlog(
res,
login_ip=g.ip,
user_agent=request.headers.get("User-Agent"))
sso_isOk, sso_returnUrl, sso_appName = checkGet_ssoRequest(sso)
sessionId, returnUrl = checkSet_ssoTicketSid(
sso_isOk, sso_returnUrl, sso_appName, res["uid"],
url_for("front.userset", _anchor="bind"))
logger.debug(
"OAuthDirectLogin post returnUrl: {}".format(returnUrl))
return set_loginstate(sessionId, returnUrl)
else:
flash(res["msg"])
return redirect(
url_for("front.OAuthGuide", openid=openid, sso=sso))
else:
return redirect(g.redirect_uri)
def upload_view():
res = dict(code=-1, msg=None)
logger.debug(request.files)
f = request.files.get('file')
if f and allowed_file(f.filename):
filename = secure_filename(gen_rnd_filename() + "." +
f.filename.split('.')[-1]) #随机命名
basedir = Upyun['basedir'] if Upyun['basedir'].startswith(
'/') else "/" + Upyun['basedir']
imgUrl = os.path.join(basedir, filename)
try:
upres = api.put(imgUrl, f.stream.read())
except Exception, e:
logger.error(e, exc_info=True)
res.update(code=2, msg="Storage failure")
else:
imgId = md5(filename)
imgUrl = Upyun['dn'].strip("/") + imgUrl
upres.update(ctime=get_current_timestamp(),
imgUrl=imgUrl,
imgId=imgId)
try:
pipe = g.redis.pipeline()
pipe.sadd(picKey, imgId)
pipe.hmset("{}:{}".format(GLOBAL['ProcessName'], imgId), upres)
pipe.execute()
except Exception, e:
logger.error(e, exc_info=True)
res.update(
code=0,
msg=
"It has been uploaded, but the server has encountered an unknown error"
)
else:
def GitHub_Login_Page_State(code,
GITHUB_APP_ID,
GITHUB_APP_KEY,
GITHUB_REDIRECT_URI,
timeout=5,
verify=False):
''' Authorization Code cannot repeat '''
Access_Token_Url = Splice(scheme="https",
domain="github.com",
path="/login/oauth/access_token",
query={
"client_id": GITHUB_APP_ID,
"client_secret": GITHUB_APP_KEY,
"code": code,
"redirect_uri": GITHUB_REDIRECT_URI
}).geturl
data = requests.post(Access_Token_Url, timeout=timeout, verify=verify).text
data = Parse_Access_Token(data)
if "access_token" in data:
access_token = data.get("access_token")
User_Info_Url = Splice(scheme="https",
domain="api.github.com",
path="/user",
query={
"access_token": access_token
}).geturl
data = requests.get(User_Info_Url, timeout=timeout,
verify=verify).json()
username = "******" + data.get("login")
user_id = data.get("id")
user_github = data.get("html_url")
user_cname = data.get("name")
user_avater = data.get("avatar_url")
user_email = data.get("email")
user_extra = "blog:%s, company:%s, location:%s" % (
data.get("blog"), data.get("company"), data.get("location"))
try:
UserSQL = "INSERT INTO User (username, cname, email, avatar, time, github, extra) VALUES (%s, %s, %s, %s, %s, %s, %s)"
mysql.insert(UserSQL, username, user_cname, user_email,
user_avater, How_Much_Time(), user_github, user_extra)
OAuthSQL = "INSERT INTO OAuth (oauth_username, oauth_type, oauth_openid, oauth_access_token, oauth_expires) VALUES (%s, %s, %s, %s, %s)"
mysql.insert(OAuthSQL, username, "GitHub", user_id, access_token,
How_Much_Time())
except IntegrityError, e:
logger.debug(e, exc_info=True)
#Check if it has been registered
CheckSQL = "SELECT oauth_username FROM OAuth WHERE oauth_username=%s"
if mysql.get(CheckSQL, username):
UpdateSQL = "UPDATE OAuth SET oauth_access_token=%s, oauth_expires=%s, oauth_openid=%s WHERE oauth_username=%s"
mysql.update(UpdateSQL, access_token, How_Much_Time(), user_id,
username)
#update user profile
UpdateUserSQL = "UPDATE User SET cname=%s, avatar=%s, extra=%s WHERE username=%s"
mysql.update(UpdateUserSQL, user_cname, user_avater,
user_extra, username)
return {"username": username, "uid": user_id}
except Exception, e:
logger.error(e, exc_info=True)
return False
def before_request():
sessionId = request.cookies.get("sessionId",
request.headers.get("sessionId"))
g.startTime = time.time()
g.redis = create_redis_engine()
g.mysql = create_mysql_engine()
g.signin = verify_sessionId(sessionId)
g.sid, g.uid = analysis_sessionId(sessionId,
"tuple") if g.signin else (None, None)
logger.debug("uid: {}, sid: {}".format(g.uid, g.sid))
g.api = api
g.ip = request.headers.get('X-Real-Ip', request.remote_addr)
g.agent = request.headers.get("User-Agent")
# 仅是重定向页面快捷定义
g.redirect_uri = get_redirect_url()
# 上下文扩展点之请求后(返回前)
before_request_hook = plugin.get_all_cep.get("before_request_hook")
for cep_func in before_request_hook():
cep_func(request=request, g=g)
before_request_return = plugin.get_all_cep.get("before_request_return")
for cep_func in before_request_return():
resp = cep_func(request=request, g=g)
try:
success = resp.is_before_request_return
except:
logger.warn(
"Plugin returns abnormalities when before_request_return")
else:
if success is True:
return resp
def GET(self, node=None):
""" 查询所有可用的节点群,并组织返回节点信息 """
res = {"code": 0, "msg": None, "data": []}
if self.leader:
#format (host, id, role, status, availability, reachability, containers, cpu, mem, label, UpdatedAt, DockerVersion).
req_data = self._checkSwarmNode(self.leader, node)
req_data = req_data if isinstance(req_data,
(list, tuple)) else (req_data, )
node_data = []
for i in req_data:
try:
node_id = i['ID']
node_role = 'Leader' if i.get(
'ManagerStatus',
{}).get('Leader') else i['Spec'].get('Role')
node_host = i['Spec'].get('Labels', {}).get(
'ipaddr', i['Description']['Hostname']) or i.get(
'ManagerStatus', {}).get('Addr', '').split(':')[0]
node_status = i['Status']['State']
node_availability = i['Spec'].get('Availability')
node_reachability = i.get('ManagerStatus',
{}).get('Reachability')
node_containers = self._checkSwarmNodeinfo(node_host).get(
"ContainersRunning"
) if ip_check(
node_host
) and node_status == "ready" and node_availability == "active" else 'Unknown'
node_cpu = int(i['Description']['Resources']['NanoCPUs'] /
1e9)
node_mem = int(
i['Description']['Resources']['MemoryBytes'] / 1e6 /
1024) #bytes to G
node_label = i['Spec'].get('Labels')
if isinstance(node_label, dict):
_node_label = ''
for k, v in node_label.iteritems():
_node_label += '%s=%s, ' % (k, v)
node_label = _node_label.strip(' ,')
node_CreatedAt = timeChange(i['CreatedAt'])
node_UpdatedAt = timeChange(i['UpdatedAt'])
node_dockerVersion = i['Description']['Engine'][
'EngineVersion']
node_indexVersion = i.get("Version", {}).get("Index")
except Exception, e:
logger.error(e, exc_info=True)
logger.debug(i)
node_host = i['Spec'].get('Labels', {}).get(
'ipaddr', i['Description']['Hostname']) or i.get(
'ManagerStatus', {}).get('Addr', '').split(':')[0]
node_data.append((node_host, i.get("ID")))
else:
node_data.append(
(node_host, node_id, node_role, node_status,
node_availability, node_reachability, node_containers,
node_cpu, node_mem, node_label, node_CreatedAt,
node_UpdatedAt, node_dockerVersion))
res.update(data=node_data)
def __signUp_transacion(self, guid, identifier, identity_type, certificate, verified, register_ip="", expire_time=0, use_profile_sql=True, define_profile_sql=None):
''' begin的方式使用事务注册账号,
参数:
@param guid str: 系统账号唯一标识
@param identifier str: 手机号、邮箱或第三方openid
@param identity_type int: 账号类型,参见`oauth2_name2type`函数
@param certificate str: 加盐密码或第三方access_token
@param verified int: 是否已验证 0-未验证 1-已验证
@param register_ip str: 注册IP地址
@param expire_time int: 特指OAuth过期时间戳,暂时保留
@param use_profile_sql bool: 定义是否执行define_profile_sql
@param define_profile_sql str: 自定义写入`user_profile`表的sql(需要完整可直接执行SQL)
流程:
1、写入`user_auth`表
2、写入`user_profile`表
返回字典:
success bool 表示注册是否成功;
msg str 表示提示信息。
'''
res = dict(success=False, msg=None)
# 校验
if guid and identifier and \
identity_type and \
certificate and \
verified and \
isinstance(guid, (str, unicode)) and \
len(guid) == 22 and \
identity_type in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) and \
verified in (1, 0):
ctime = get_current_timestamp()
try:
logger.debug("transaction, start")
self.db._db.begin()
try:
sql_1 = "INSERT INTO user_auth (uid, identity_type, identifier, certificate, verified, status, ctime, etime) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)"
info = self.db.insert(sql_1, guid, identity_type, identifier, certificate, verified, 1, ctime, expire_time)
except IntegrityError:
res.update(msg="Account already exists")
except Exception, e:
logger.error(e, exc_info=True)
res.update(msg="System is abnormal")
else:
if use_profile_sql is True:
if define_profile_sql:
sql_2 = define_profile_sql
logger.info("execute define_profile_sql: {}".format(sql_2))
try:
info = self.db.execute(sql_2)
except:
raise
else:
sql_2 = "INSERT INTO user_profile (uid, register_source, register_ip, ctime, is_realname, is_admin) VALUES (%s, %s, %s, %s, %s, %s)"
try:
info = self.db.insert(sql_2, guid, identity_type, register_ip, ctime, 0, 0)
except:
raise
logger.debug('transaction, commit')
self.db._db.commit()
def ssoRegisterUserSid(self, uid, sid):
"""记录uid已登录的sso应用的sid"""
logger.debug("ssoRegisterUserSid for uid: {}, with sid: {}".format(uid, sid))
if uid and sid:
try:
ukey = "passport:user:sid:{}".format(uid)
self.redis.sadd(ukey, sid)
except Exception,e:
logger.error(e, exc_info=True)
else:
return True
def put(self):
""" 更新节点信息(Labels、Role等) """
node_id = request.form.get("node_id")
node_role = request.form.get("node_role")
node_labels = request.form.get("node_labels")
logger.debug("{}, {}, {}".format(node_id, node_role, node_labels))
return g.node.PUT(node_id=node_id,
node_role=node_role,
node_labels=node_labels)
def UserAuth_Login(username, password):
sql = " SELECT lauth_username, lauth_password FROM user_lauth WHERE lauth_username=%s"
data= mysql.get(sql, username)
logger.debug("mysql data is %s, request %s:%s" %(data, username, md5(password)))
if data and username == data.get("lauth_username") and md5(password) == data.get("lauth_password"):
logger.info("%s Sign in successfully" %username)
return True
else:
logger.info("%s Sign in failed" %username)
return False
def _checkSwarmManager(self, ip):
""" 查询节点的Manager """
url = Splice(netloc=ip, port=self.port, path='/info').geturl
logger.info("Get or Update swarm manager, that url is %s" %url)
try:
nodeinfo = requests.get(url, timeout=self.timeout, verify=self.verify).json()
logger.debug("Get or Update swarm manager, response is %s" %nodeinfo)
managers = [ nodes["Addr"].split(":")[0] for nodes in nodeinfo["Swarm"]["RemoteManagers"] ]
except Exception,e:
logger.error(e, exc_info=True)
return []
def __check_hasUser(self, uid):
"""检查是否存在账号"""
if uid and len(uid) == 22:
sql = "SELECT count(uid) FROM user_auth WHERE uid=%s"
try:
data = self.db.get(sql, uid)
except Exception, e:
logger.warn(e, exc_info=True)
else:
logger.debug(data)
if data and isinstance(data, dict):
return True if data.get('count(uid)', 0) > 0 else False
def validate():
res = dict(msg=None, success=False)
Action = request.args.get("Action")
if request.method == "POST":
if Action == "validate_ticket":
ticket = request.form.get("ticket")
app_name = request.form.get("app_name")
get_userinfo = True if request.form.get("get_userinfo") in (
1, True, "1", "True", "true", "on") else False
get_userbind = True if request.form.get("get_userbind") in (
1, True, "1", "True", "true", "on") else False
if ticket and app_name:
resp = g.api.usersso.ssoGetWithTicket(ticket)
logger.debug("sso validate ticket resp: {}".format(resp))
if resp and isinstance(resp, dict):
# 此时表明ticket验证通过,应当返回如下信息:
# dict(uid=所需, sid=所需,source=xx)
if g.api.userapp.getUserApp(app_name):
# app_name有效,验证全部通过
res.update(success=True,
uid=resp["uid"],
sid=resp["sid"],
expire=SYSTEM["SESSION_EXPIRE"])
# 有效,此sid已登录客户端中注册app_name且向uid中注册已登录的sid
res.update(register=dict(
Client=g.api.usersso.ssoRegisterClient(
sid=resp["sid"], app_name=app_name),
UserSid=g.api.usersso.ssoRegisterUserSid(
uid=resp["uid"], sid=resp["sid"])))
if get_userinfo is True:
userinfo = g.api.userprofile.getUserProfile(
uid=resp["uid"], getBind=get_userbind)
res.update(userinfo=userinfo)
else:
res.update(msg="No such app_name")
else:
res.update(msg="Invaild ticket or expired")
else:
res.update(msg="Empty ticket or app_name")
elif Action == "validate_sync":
token = request.form.get("token")
uid = request.form.get("uid")
if uid and token and len(uid) == 22 and len(token) == 32:
syncToken = g.api.usersso.ssoGetUidCronSyncToken(uid)
if syncToken and syncToken == token:
res.update(success=True)
else:
res.update(msg="Invaild token")
else:
res.update(msg="Invaild uid or token")
else:
res.update(msg="Invaild Action")
return jsonify(res)
def __check_hasEmail(self, email):
"""检查是否存在邮箱账号"""
if email_check(email):
sql = "SELECT uid FROM user_auth WHERE identity_type=%s AND identifier=%s"
try:
data = self.db.get(sql, 2, email)
except Exception, e:
logger.warn(e, exc_info=True)
else:
logger.debug(data)
if data and isinstance(data, dict):
return "uid" in data
def __check_hasEmail(self, email, getUid=False):
"""检查是否存在邮箱账号,不检测账号状态"""
if email_check(email):
sql = "SELECT uid FROM user_auth WHERE identity_type=2 AND identifier=%s"
try:
data = self.db.get(sql, email)
except Exception, e:
logger.warn(e, exc_info=True)
else:
logger.debug(data)
if data and isinstance(data, dict):
success = "uid" in data
return data["uid"] if success and getUid else success
def ssoRegisterClient(self, sid, app_name):
"""ticket验证通过,向相应sid中注册app_name"""
logger.debug("ssoRegisterClient for {}, with {}".format(sid, app_name))
if sid and app_name:
try:
skey = "passport:sso:sid:{}:clients".format(sid)
pipe = self.redis.pipeline()
pipe.sadd(skey, app_name)
pipe.expire(skey, SYSTEM["SESSION_EXPIRE"])
pipe.execute()
except Exception,e:
logger.error(e, exc_info=True)
else:
return True
def useruploadpub():
# 通过表单形式上传图片
res = dict(code=1, msg=None)
logger.debug(request.files)
f = request.files.get('file')
callableAction = request.args.get("callableAction")
if f and allowed_file(f.filename):
filename = gen_rnd_filename() + "." + secure_filename(
f.filename).split('.')[-1] # 随机命名
# 判断是否上传到又拍云还是保存到本地
if PICBED['enable'] in ('true', 'True', True):
try:
files = {
'picbed': (filename, f.stream.read(),
'image/%s' % filename.split(".")[-1])
}
resp = requests.post(
PICBED["api"],
files=files,
data=dict(album="passport"),
headers=dict(Authorization="LinkToken %s" %
PICBED["LinkToken"]),
timeout=5).json()
if not isinstance(resp, dict):
raise
except Exception as e:
res.update(code=4, msg=e)
else:
if resp.get('code') == 0:
res.update(data=dict(src=resp['src']), code=0)
else:
res.update(resp)
elif Upyun['enable'] in ('true', 'True', True):
basedir = Upyun['basedir'] if Upyun['basedir'].startswith(
'/') else "/" + Upyun['basedir']
imgUrl = os.path.join(basedir, filename)
try:
# 又拍云存储封装接口
UploadImage2Upyun(imgUrl, f.stream.read())
except Exception, e:
logger.error(e, exc_info=True)
res.update(code=2, msg="System is abnormal")
else:
imgUrl = Upyun['dn'].strip("/") + imgUrl
res.update(data=dict(src=imgUrl), code=0)
else:
if not os.path.exists(UPLOAD_FOLDER): os.makedirs(UPLOAD_FOLDER)
f.save(os.path.join(UPLOAD_FOLDER, filename))
imgUrl = request.url_root + IMAGE_FOLDER + filename
res.update(data=dict(src=imgUrl), code=0)
def authorized():
""" Client SSO 单点登录、注销入口, 根据`Action`参数判断是`ssoLogin`还是`ssoLogout` """
Action = request.args.get("Action")
if Action == "ssoLogin":
# 单点登录
ticket = request.args.get("ticket")
if request.method == "GET" and ticket and g.signin == False:
resp = sso_request("{}/sso/validate".format(sso_server), dict(Action="validate_ticket"), dict(ticket=ticket, app_name=SSO["app_name"], get_userinfo=False, get_userbind=False))
logger.debug("SSO check ticket resp: {}".format(resp))
if resp and isinstance(resp, dict) and "success" in resp and "uid" in resp:
if resp["success"] is True:
uid = resp["uid"]
sid = resp["sid"]
expire = int(resp["expire"])
#userinfo = resp["userinfo"]
#logger.debug(userinfo)
# 授权令牌验证通过,设置局部会话,允许登录
sessionId = set_sessionId(uid=uid, seconds=expire, sid=sid)
response = make_response(redirect(get_redirect_url("front.index")))
response.set_cookie(key="sessionId", value=sessionId, max_age=expire, httponly=True, secure=False if request.url_root.split("://")[0] == "http" else True)
return response
elif Action == "ssoLogout":
# 单点注销
ReturnUrl = request.args.get("ReturnUrl") or get_referrer_url() or url_for("front.index", _external=True)
NextUrl = "{}/signOut?ReturnUrl={}".format(sso_server, ReturnUrl)
app_name = request.args.get("app_name")
if request.method == "GET" and NextUrl and app_name and g.signin == True and app_name == SSO["app_name"]:
response = make_response(redirect(NextUrl))
response.set_cookie(key="sessionId", value="", expires=0)
return response
elif Action == "ssoConSync":
# 数据同步:参数中必须包含大写的hmac_sha256(app_name:app_id:app_secret)的signature值
signature = request.args.get("signature")
if request.method == "POST" and signature and signature == hmac_sha256("{}:{}:{}".format(SSO["app_name"], SSO["app_id"], SSO["app_secret"])).upper():
try:
data = json.loads(request.form.get("data"))
ct = data["CallbackType"]
cd = data["CallbackData"]
uid = data["uid"]
token = data["token"]
except Exception,e:
logger.warning(e)
else:
logger.info("ssoConSync with uid: {} -> {}: {}".format(uid, ct, cd))
resp = sso_request("{}/sso/validate".format(sso_server), dict(Action="validate_sync"), dict(token=token, uid=uid))
if resp and isinstance(resp, dict) and resp.get("success") is True:
# 之后根据不同类型的ct处理cd
logger.debug("ssoConSync is ok")
return jsonify(msg="Synchronization completed", success=True, app_name=SSO["app_name"])
def before_request():
sessionId = request.cookies.get("sessionId",
request.headers.get("sessionId"))
g.startTime = time.time()
g.redis = create_redis_engine()
g.mysql = create_mysql_engine()
g.signin = verify_sessionId(sessionId)
g.sid, g.uid = analysis_sessionId(sessionId,
"tuple") if g.signin else (None, None)
logger.debug("uid: {}, sid: {}".format(g.uid, g.sid))
g.api = api
g.ip = request.headers.get('X-Real-Ip', request.remote_addr)
g.agent = request.headers.get("User-Agent")
# 仅是重定向页面快捷定义
g.redirect_uri = get_redirect_url()
def verify_rule(Ld):
"""根据er、ir规则判断是否放行请求"""
allow = Attribution(
dict(
ip=Attribution(
dict(access=get_ip(), secure=parse_valid_comma(Ld["allow_ip"]) or [])
),
origin=Attribution(
dict(
access=get_origin(),
secure=parse_valid_comma(Ld["allow_origin"]) or [],
)
),
ep=Attribution(
dict(
access=request.endpoint,
secure=parse_valid_comma(Ld["allow_ep"]) + ["api.index"],
)
),
method=Attribution(
dict(
access=request.method,
secure=[
m.upper()
for m in parse_valid_comma(Ld["allow_method"]) or []
if m
],
)
),
)
)
#: 参数 逻辑运算符 参数 逻辑运算符 参数...
#: 参数: origin and ip and ep and method
#: 逻辑运算符: and or not in not in
#: er控制的是参与逻辑运算的参数及之间的逻辑运算符
#: ir控制的是参数如何返回True
er = Ld["exterior_relation"]
ir = Ld["interior_relation"]
if not er:
er = "origin and ip and ep and method"
#: ir定义的最终规则
ir_cmd = _allow_ir(ir, allow)
#: 综合er、ir构建最终执行的命令字符串
for opt in ALLOWED_RULES:
er = er.replace(opt, ir_cmd[opt])
logger.debug("last er: %s" % er)
return eval(er)
def _checkSwarmHealth(self, leader):
""" 根据Leader查询某swarm集群是否健康 """
state = []
mnum = 0
logger.info("To determine whether the cluster is healthy, starting, swarm leader is %s" %leader)
try:
nodes = requests.get(Splice(netloc=leader, port=self.port, path='/nodes').geturl, timeout=self.timeout, verify=self.verify).json()
logger.debug("check swarm health, swarm nodes length is %d" % len(nodes))
for node in nodes:
if node['Spec'].get('Role') == 'manager':
mnum += 1
isHealth = True if node['Status']['State'] == 'ready' and node['Spec'].get('Availability') == 'active' and node.get('ManagerStatus', {}).get('Reachability') == 'reachable' else False
if isHealth:
state.append(isHealth)
except Exception,e:
logger.warn(e, exc_info=True)
return "ERROR"
def get(self):
if g.signin:
return redirect(url_for("uc"))
else:
SSOLoginURL = "%s?%s" % (
PLUGINS['thirdLogin']['WEIBO']['REDIRECT_URI'],
urlencode({
"sso": request.args.get('sso'),
"sso_r": request.args.get('sso_r'),
"sso_p": request.args.get('sso_p'),
"sso_t": request.args.get('sso_t')
}))
logger.debug(SSOLoginURL)
if PLUGINS['thirdLogin']['WEIBO']['ENABLE']:
return redirect(
Weibo_Login_Page_Url(
PLUGINS['thirdLogin']['WEIBO']['APP_ID'], SSOLoginURL))
else:
return redirect(url_for("login"))
def useruploadpub():
# 通过表单形式上传图片
res = dict(code=1, msg=None)
logger.debug(request.files)
f = request.files.get('file')
callableAction = request.args.get("callableAction")
if f and allowed_file(f.filename):
filename = secure_filename(gen_rnd_filename() + "." + f.filename.split('.')[-1]) # 随机命名
basedir = Upyun['basedir'] if Upyun['basedir'].startswith('/') else "/" + Upyun['basedir']
imgUrl = os.path.join(basedir, filename)
try:
# 又拍云存储封装接口
upyunapi = CloudStorage(timeout=15)
upyunapi.put(imgUrl, f.stream.read())
except Exception, e:
logger.error(e, exc_info=True)
res.update(code=2, msg="System is abnormal")
else:
imgUrl = Upyun['dn'].strip("/") + imgUrl
res.update(data=dict(src=imgUrl), code=0)
def oauth2_signUp(self, openid, register_ip):
"""OAuth直接登录时注册入系统
@param openid str: 加密的openid,用以获取缓存中数据userinfo,格式是:
userinfo dict: 用户信息,必须包含`openid`,`identity_type`,`avatar`,`nick_name`
@param register_ip str: 注册IP地址
"""
res = dict(msg=None, success=False)
userinfo = self.__oauth2_getUserinfo(openid)
logger.debug(userinfo)
logger.debug(type(userinfo))
if userinfo and isinstance(userinfo, dict) and "avatar" in userinfo and "nick_name" in userinfo and "openid" in userinfo and "access_token" in userinfo and "identity_type" in userinfo:
openid = userinfo["openid"]
access_token = userinfo["access_token"]
identity_type = int(userinfo["identity_type"])
avatar = userinfo["avatar"]
nick_name = userinfo["nick_name"]
gender = int(userinfo.get("gender") or 2)
signature = userinfo.get("signature") or ""
location = userinfo.get("location") or ""
expire_time = userinfo.get("expire_time") or 0
guid = gen_uniqueId()
logger.debug("check test: guid length: {}, identifier: {}, identity_type:{}, identity_type: {}, certificate: {}".format(len(guid), openid, identity_type, type(identity_type), access_token))
define_profile_sql = "INSERT INTO user_profile (uid, register_source, register_ip, nick_name, gender, signature, avatar, location, ctime, is_realname, is_admin) VALUES ('%s', %d, '%s', '%s', %d, '%s', '%s', '%s', %d, %d, %d)" % (guid, identity_type, register_ip, nick_name, gender, signature, avatar, location, get_current_timestamp(), 0, 0)
upts = self.__signUp_transacion(guid=guid, identifier=openid, identity_type=identity_type, certificate=access_token, verified=1, register_ip=register_ip, expire_time=expire_time, define_profile_sql=define_profile_sql)
res.update(upts)
if res["success"]:
self.__oauth2_delUserinfo(openid)
res.update(identity_type=identity_type, uid=guid)
else:
res.update(msg="Check failed")
logger.info(res)
return res
def OAuthBindAccount():
"""OAuth2绑定已有账号登录"""
if request.method == 'POST':
sso = request.args.get("sso") or None
logger.debug("OAuthBindAccount, sso type: {}, content: {}".format(
type(sso), sso))
openid = request.form.get("openid")
if vaptcha.validate:
account = request.form.get("account")
password = request.form.get("password")
auth = Authentication(g.mysql, g.redis)
res = auth.oauth2_bindLogin(openid=openid,
account=account,
password=password)
res = dfr(res)
if res["success"]:
# 记录登录日志
auth.brush_loginlog(
res,
login_ip=g.ip,
user_agent=request.headers.get("User-Agent"))
sso_isOk, sso_returnUrl, sso_appName = checkGet_ssoRequest(sso)
sessionId, returnUrl = checkSet_ssoTicketSid(
sso_isOk, sso_returnUrl, sso_appName, res["uid"],
url_for("front.userset", _anchor="bind"))
logger.debug(
"OAuthBindAccount post returnUrl: {}".format(returnUrl))
return set_loginstate(sessionId, returnUrl)
else:
flash(res["msg"])
else:
flash(u"人机验证失败")
return redirect(url_for('.OAuthBindAccount', openid=openid, sso=sso))
else:
openid = request.args.get("openid")
if openid:
return render_template("auth/OAuthBindAccount.html",
vaptcha=vaptcha.getChallenge)
else:
return redirect(g.redirect_uri)
def oauth2_bindLogin(self, openid, account, password):
"""OAuth绑定账号并登录系统
@param openid str: 加密的openid
@param account str: 同`signIn`中account
@param password str: 同`signIn`中password
"""
res = dict(msg=None, success=False)
userinfo = self.__oauth2_getUserinfo(openid)
logger.debug(userinfo)
logger.debug(type(userinfo))
if userinfo and isinstance(userinfo, dict) and "avatar" in userinfo and "nick_name" in userinfo and "openid" in userinfo and "access_token" in userinfo and "identity_type" in userinfo:
res = self.signIn(account, password)
openid = userinfo["openid"]
logger.debug(res)
if res["success"] is True:
# 登录成功,即可绑定openid到uid,无需校验(goto_signUp已经校验)
uid = res["uid"]
access_token = userinfo["access_token"]
identity_type = int(userinfo["identity_type"])
expire_time = userinfo.get("expire_time") or 0
upts = self.__signUp_transacion(guid=uid, identifier=openid, identity_type=identity_type, certificate=access_token, verified=1, expire_time=expire_time, use_profile_sql=False)
res.update(upts)
if res["success"] is True:
self.__oauth2_delUserinfo(openid)
else:
res.update(msg="Check failed")
logger.info(res)
return res
def __checkUsersetLock(self, etime):
"""检查用户某项是否加锁
参数:
@param etime str: 有效期,见"规则"
规则:
1. 10位UNIX时间戳,小于当前时间即锁失效,可以修改
2. 结果为0表示加锁,不可以修改;结果为1表示无锁
返回:
True -> 加锁 -> 不可以修改(默认)
False -> 无锁 -> 可修改
"""
logger.debug(etime)
logger.debug(type(etime))
if etime and isinstance(etime, int):
if abs(etime) == 1:
return False
elif etime == 0:
return True
else:
if 1 < etime < get_current_timestamp():
return False
return True
