use subsys token for platform call

WeBankPartners · Jan 29, 2021 · d0baf14 · d0baf14
1 parent 1bd8b00
commit d0baf14
Show file tree

Hide file tree

Showing 8 changed files with 58 additions and 21 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,7 @@ RUN sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list
 ADD requirements.txt /tmp/requirements.txt
 ADD dist/* /tmp/
 # Install && Clean up
-RUN apt update && apt-get -y install gcc python3-dev && \
+RUN apt update && apt-get -y install gcc python3-dev swig libssl-dev && \
     pip3 install -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com -r /tmp/requirements.txt && \
     pip3 install /tmp/*.whl && \
     rm -rf /root/.cache && apt autoclean && \

diff --git a/build/register.xml.tpl b/build/register.xml.tpl
@@ -18,17 +18,14 @@
 
     <!-- 5.权限设定 -->
     <authorities>
-        <authority systemRoleName="SUPER_ADMIN" >
+        <authority systemRoleName="SUPER_ADMIN">
             <menu code="ADMIN_ITS_DANGEROUS_CONFIG" />
-        </authority >
+        </authority>
     </authorities>
 
     <!-- 6.运行资源 - 描述部署运行本插件包需要的基础资源(如主机、虚拟机、容器、数据库等) -->
     <resourceDependencies>
-        <docker imageName="{{IMAGENAME}}" containerName="{{CONTAINERNAME}}" 
-        portBindings="{{ALLOCATE_PORT}}:9000" 
-        volumeBindings="/etc/localtime:/etc/localtime,{{BASE_MOUNT_PATH}}/itsdangerous/logs:/var/log/itsdangerous,{{BASE_MOUNT_PATH}}/certs:/certs" 
-        envVariables="ITSDANGEROUS_DB_USERNAME={{DB_USER}},ITSDANGEROUS_DB_PASSWORD={{DB_PWD}},ITSDANGEROUS_DB_HOSTIP={{DB_HOST}},ITSDANGEROUS_DB_HOSTPORT={{DB_PORT}},ITSDANGEROUS_DB_SCHEMA={{DB_SCHEMA}},GATEWAY_URL={{GATEWAY_URL}},JWT_SIGNING_KEY={{JWT_SIGNING_KEY}},WECUBE_S3_ACCESS_KEY={{S3_ACCESS_KEY}},WECUBE_S3_SECRET_KEY={{S3_SECRET_KEY}}" />
+        <docker imageName="{{IMAGENAME}}" containerName="{{CONTAINERNAME}}" portBindings="{{ALLOCATE_PORT}}:9000" volumeBindings="/etc/localtime:/etc/localtime,{{BASE_MOUNT_PATH}}/itsdangerous/logs:/var/log/itsdangerous,{{BASE_MOUNT_PATH}}/certs:/certs" envVariables="ITSDANGEROUS_DB_USERNAME={{DB_USER}},ITSDANGEROUS_DB_PASSWORD={{DB_PWD}},ITSDANGEROUS_DB_HOSTIP={{DB_HOST}},ITSDANGEROUS_DB_HOSTPORT={{DB_PORT}},ITSDANGEROUS_DB_SCHEMA={{DB_SCHEMA}},GATEWAY_URL={{GATEWAY_URL}},JWT_SIGNING_KEY={{JWT_SIGNING_KEY}},WECUBE_S3_ACCESS_KEY={{S3_ACCESS_KEY}},WECUBE_S3_SECRET_KEY={{S3_SECRET_KEY}},SUB_SYSTEM_CODE={{SUB_SYSTEM_CODE}},SUB_SYSTEM_KEY={{SUB_SYSTEM_KEY}}" />
         <mysql schema="itsdangerous" initFileName="init.sql" upgradeFileName="upgrade.sql" />
     </resourceDependencies>
 

diff --git a/etc/wecube_plugins_itsdangerous.conf b/etc/wecube_plugins_itsdangerous.conf
@@ -19,6 +19,8 @@
         "s3_secret_key": "ENV@WECUBE_S3_SECRET_KEY",
         "gateway_url": "ENV@GATEWAY_URL", 
         "jwt_signing_key": "ENV@JWT_SIGNING_KEY",
+        "sub_system_code": "ENV@SUB_SYSTEM_CODE",
+        "sub_system_key": "ENV@SUB_SYSTEM_KEY",
         "platform_timezone": "ENV@TZ"
     },
     "log": {
@@ -64,7 +66,9 @@
     	"use_token": true,
     	"username": "username",
     	"password": "password",
-    	"token": "token"
+    	"token": "token",
+        "sub_system_code": "${sub_system_code}",
+        "sub_system_key": "${sub_system_key}"
     },
     "data_permissions": {
         "wecube_plugins_itsdangerous.processor.policy": ["SUB_SYSTEM", "ADMIN_ITS_DANGEROUS_CONFIG"],

diff --git a/requirements.txt b/requirements.txt
@@ -12,4 +12,6 @@ gunicorn
 gevent
 pytz
 apscheduler
-texttable
+texttable
+# for platform login encryption, apt install swig
+M2Crypto
diff --git a/wecube_plugins_itsdangerous/apps/processor/api.py b/wecube_plugins_itsdangerous/apps/processor/api.py
@@ -26,6 +26,7 @@
 
 LOG = logging.getLogger(__name__)
 CONF = config.CONF
+TOKEN_KEY = 'itsdangerous_subsystem_token'
 
 
 def download_from_url(dir_path, url, random_name=False):
@@ -521,6 +522,8 @@ class WecubeService(object):
     def list(self, filters=None, orders=None, offset=None, limit=None, hooks=None):
         results = []
         client = wecube.WeCubeClient(CONF.wecube.base_url)
+        subsys_token = cache.get_or_create(TOKEN_KEY, client.login_subsystem, expires=600)
+        client.token = subsys_token
         key = '/platform/v1/plugins/interfaces/enabled'
         cached = cache.get(key, 15)
         if cache.validate(cached):
@@ -541,6 +544,8 @@ def list(self, filters=None, orders=None, offset=None, limit=None, hooks=None):
                 message=_('missing query param: %(attribute)s, eg. /v1/api?%(attribute)s=value') %
                 {'attribute': 'serviceName'})
         client = wecube.WeCubeClient(CONF.wecube.base_url)
+        subsys_token = cache.get_or_create(TOKEN_KEY, client.login_subsystem, expires=600)
+        client.token = subsys_token
         key = '/platform/v1/plugins/interfaces/enabled'
         cached = cache.get(key, 15)
         if cache.validate(cached):

diff --git a/wecube_plugins_itsdangerous/common/scope.py b/wecube_plugins_itsdangerous/common/scope.py
@@ -15,7 +15,7 @@
 
 CONF = config.CONF
 LOG = logging.getLogger(__name__)
-WECUBE_TOKEN = 'wecube_platform_token'
+TOKEN_KEY = 'itsdangerous_subsystem_token'
 
 
 class JsonScope(object):
@@ -40,6 +40,8 @@ def wecube_expr_query(expr):
         LOG.debug('wecube_expr_query with %s' % expr)
         cost_start = datetime.datetime.now()
         client = wecube.WeCubeClient(base_url)
+        subsys_token = cache.get_or_create(TOKEN_KEY, client.login_subsystem, expires=600)
+        client.token = subsys_token
         resp = client.post(base_url + '/platform/v1/data-model/dme/integrated-query', {
             'dataModelExpression': expr,
             'filters': []

diff --git a/wecube_plugins_itsdangerous/common/wecube.py b/wecube_plugins_itsdangerous/common/wecube.py
@@ -7,6 +7,8 @@
 
 """
 import logging
+import base64
+import random
 
 from talos.common import cache
 from talos.core import config
@@ -18,24 +20,27 @@
 
 LOG = logging.getLogger(__name__)
 CONF = config.CONF
-WECUBE_TOKEN = 'wecube_platform_token'
+TOKEN_KEY = 'itsdangerous_subsystem_token'
 
 
 def get_wecube_token(base_url=None):
     base_url = base_url or CONF.wecube.base_url
     token = talos_utils.get_attr(scoped_globals.GLOBALS, 'request.auth_token') or CONF.wecube.token
-    if not CONF.wecube.use_token:
-        token = cache.get(WECUBE_TOKEN)
-        if not cache.validate(token):
-            token = utils.RestfulJson.post(base_url + '/auth/v1/api/login',
-                                           json={
-                                               "username": CONF.wecube.username,
-                                               "password": CONF.wecube.password
-                                           }).json()['data'][1]['token']
-            cache.set(WECUBE_TOKEN, token)
     return token
 
 
+def encrypt(message, rsa_key):
+    import M2Crypto.RSA
+    template = '''-----BEGIN PRIVATE KEY-----
+%s
+-----END PRIVATE KEY-----'''
+    key_pem = template % rsa_key
+    privat_key = M2Crypto.RSA.load_key_string(key_pem.encode())
+    ciphertext = privat_key.private_encrypt(message.encode(), M2Crypto.RSA.pkcs1_padding)
+    encrypted_message = base64.b64encode(ciphertext).decode()
+    return encrypted_message
+
+
 class WeCubeClient(object):
     """WeCube Client"""
     def __init__(self, server, token=None):
@@ -53,6 +58,28 @@ def check_response(self, resp_json):
                     raise exceptions.PluginError(message=resp_json['data'][0]['message'])
             raise exceptions.PluginError(message=resp_json['message'])
 
+    def login_subsystem(self, set_self=True):
+        '''client = WeCubeClient('http://ip:port', None)
+           token = client.login_subsystem()
+           # use your access token
+        '''
+        sequence = 'abcdefghijklmnopqrstuvwxyz1234567890'
+        nonce = ''.join(random.choices(sequence, k=4))
+        url = self.server + '/auth/v1/api/login'
+        password = encrypt('%s:%s' % (CONF.wecube.sub_system_code, nonce), CONF.wecube.sub_system_key)
+        data = {
+            "password": password,
+            "username": CONF.wecube.sub_system_code,
+            "nonce": nonce,
+            "clientType": "SUB_SYSTEM"
+        }
+        resp_json = self.post(url, data)
+        for token in resp_json['data']:
+            if token['tokenType'] == 'accessToken':
+                if set_self:
+                    self.token = token['token']
+                return token['token']
+
     def get(self, url, param=None):
         LOG.info('GET %s', url)
         LOG.debug('Request: query - %s, data - None', str(param))

diff --git a/wecube_plugins_itsdangerous/server/wsgi_server.py b/wecube_plugins_itsdangerous/server/wsgi_server.py
@@ -34,7 +34,7 @@ def decrypt_rsa(secret_key, encrypt_text):
 
 
 @config.intercept('db_username', 'db_password', 'db_hostip', 'db_hostport', 'db_schema', 'gateway_url', 's3_access_key',
-                  's3_secret_key', 'jwt_signing_key', 'platform_timezone')
+                  's3_secret_key', 'jwt_signing_key', 'platform_timezone', 'sub_system_code', 'sub_system_key')
 def get_env_value(value, origin_value):
     prefix = 'ENV@'
     encrypt_prefix = 'RSA@'