feat(api): change multiple auth order, add one more bk-user api in lo…

…gin (#394) * feat(api): change multiple auth order, add one more bk-user api in login * chore(helm/charts): version to 1.2.9
TencentBlueKing · May 5, 2022 · c9d09d2 · c9d09d2
1 parent b77c310
commit c9d09d2
Show file tree

Hide file tree

Showing 9 changed files with 52 additions and 17 deletions.
diff --git a/deploy/helm/bk-user/Chart.yaml b/deploy/helm/bk-user/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: bk-user
 description: A Helm chart for bk-user
 type: application
-version: 1.2.8
-appVersion: "v2.3.4-beta.16"
+version: 1.2.9
+appVersion: "v2.3.4-beta.17"
 
 dependencies:
 

diff --git a/deploy/helm/bk-user/charts/api/Chart.yaml b/deploy/helm/bk-user/charts/api/Chart.yaml
@@ -3,4 +3,4 @@ name: api
 description: Api module for bk-user
 type: application
 version: 1.0.0
-appVersion: "v2.3.4-beta.16"
+appVersion: "v2.3.4-beta.17"
diff --git a/deploy/helm/bk-user/charts/api/values.yaml b/deploy/helm/bk-user/charts/api/values.yaml
@@ -89,7 +89,7 @@ image:
   registry: hub.bktencent.com
   repository: blueking/bk-user-api
   pullPolicy: IfNotPresent
-  tag: "v2.3.4-beta.16"
+  tag: "v2.3.4-beta.17"
 
 nameOverride: ""
 fullnameOverride: ""

diff --git a/deploy/helm/bk-user/charts/login/Chart.yaml b/deploy/helm/bk-user/charts/login/Chart.yaml
@@ -3,4 +3,4 @@ name: login
 description: login module for blueking
 type: application
 version: 1.0.0
-appVersion: "v2.3.4-beta.16"
+appVersion: "v2.3.4-beta.17"
diff --git a/deploy/helm/bk-user/charts/login/values.yaml b/deploy/helm/bk-user/charts/login/values.yaml
@@ -83,7 +83,7 @@ image:
   registry: hub.bktencent.com
   repository: blueking/bk-login
   pullPolicy: IfNotPresent
-  tag: "v2.3.4-beta.16"
+  tag: "v2.3.4-beta.17"
 
 nameOverride: ""
 fullnameOverride: ""

diff --git a/deploy/helm/bk-user/charts/saas/Chart.yaml b/deploy/helm/bk-user/charts/saas/Chart.yaml
@@ -3,4 +3,4 @@ name: saas
 description: SaaS module for bk-user
 type: application
 version: 1.0.0
-appVersion: "v2.3.4-beta.16"
+appVersion: "v2.3.4-beta.17"
diff --git a/deploy/helm/bk-user/charts/saas/values.yaml b/deploy/helm/bk-user/charts/saas/values.yaml
@@ -81,7 +81,7 @@ image:
   registry: hub.bktencent.com
   repository: blueking/bk-user-saas
   pullPolicy: IfNotPresent
-  tag: "v2.3.4-beta.16"
+  tag: "v2.3.4-beta.17"
 
 command: []
 args: []

diff --git a/src/api/bkuser_core/enhanced_account/authentication.py b/src/api/bkuser_core/enhanced_account/authentication.py
@@ -29,6 +29,8 @@
 
 ESB_PUBLIC_KEY_CACHE_KEY = "bk_user:esb_public_key"
 
+TOKEN_KEY_NAME = "token"
+
 
 def create_user(username="admin"):
     return get_user_model()(username=username, is_staff=True, is_superuser=True)
@@ -39,7 +41,7 @@ class InternalTokenAuthentication(BaseAuthentication):
     keyword = "iBearer"
     model = None
 
-    query_params_keyword = "token"
+    query_params_keyword = TOKEN_KEY_NAME
 
     def get_token_from_query_params(self, request):
         try:
@@ -105,12 +107,12 @@ def authenticate(self, request):
         public_key = self._get_public_key(api_name)
         algorithm = jwt_header.get("alg") or "RS512"
 
-        # do decode
+        # do decode, without verify issuer
         try:
-            jwt_playload = jwt.decode(jwt_content, public_key, algorithm, issuer="APIGW")
+            jwt_playload = jwt.decode(jwt_content, public_key, algorithm)
         except Exception:  # pylint: disable=broad-except
             logger.exception("JWT decode failed! jwt_payload: %s, public_key: %s", jwt_content, public_key)
-            return exceptions.AuthenticationFailed("decode jwt token fail")
+            raise exceptions.AuthenticationFailed("decode jwt token fail")
 
         # username = self._get_username_from_jwt_payload(payload)
         app_code = self._get_app_code_from_jwt_payload(jwt_playload)
@@ -210,18 +212,26 @@ class MultipleAuthentication(BaseAuthentication):
     """it's a dispatcher"""
 
     def authenticate(self, request):
+        # FIXME: 最终, 下掉token, 只保留 jwt + app_code/app_secret
         # withe list
         for white_url in settings.AUTH_EXEMPT_PATHS:
             if re.search(white_url, request.path):
                 logger.debug("%s path in white_url<%s>, exempting auth", request.path, white_url)
                 return None, None
+        # NOTE: some case we want to use token as credentials, call through APIGateway(set default headers)
+        # so we should verify others first, not jwt
+        if get_authorization_header(request) or request.query_params.get(TOKEN_KEY_NAME):
+            # token
+            return InternalTokenAuthentication().authenticate(request)
+
+        # app_code and app_secret
+        if HEADER_APP_CODE_KEY_NAME in request.META and HEADER_APP_SECRET_KEY_NAME in request.META:
+            return AppCodeAppSecretAuthentication().authenticate(request)
 
         # jwt
         if HEADER_JWT_KEY_NAME in request.META:
             return ESBOrAPIGatewayAuthentication().authenticate(request)
 
-        # app_code and app_secret
-        if HEADER_APP_CODE_KEY_NAME in request.META and HEADER_APP_SECRET_KEY_NAME in request.META:
-            return AppCodeAppSecretAuthentication().authenticate(request)
-        # token
-        return InternalTokenAuthentication().authenticate(request)
+        raise exceptions.AuthenticationFailed(
+            "no valid authentication credentials provided! should call through APIGateway/ESB"
+        )
diff --git a/src/login/bklogin/components/usermgr_api.py b/src/login/bklogin/components/usermgr_api.py
@@ -121,6 +121,16 @@ def direct_get_categories():
     return ok, message, _data
 
 
+def direct_get_profile_by_code(code, fields="username"):
+    path = "/api/v2/profiles/{code}/".format(code=code)
+    url = "{host}{path}".format(host=BK_USERMGR_HOST, path=path)
+
+    data = {"fields": fields, "lookup_field": "code"}
+
+    ok, _, message, _data = _call_usermgr_api(http_get, url, data)
+    return ok, message, _data
+
+
 def esb_authenticate(username, password, language="", domain=""):
     """
     认证用户名和密码
@@ -184,6 +194,19 @@ def esb_get_categories():
     return ok, message, _data
 
 
+def esb_get_profile_by_code(code, fields="username"):
+    path = "/api/c/compapi/v2/usermanage/retrieve_user/"
+
+    data = {
+        "id": code,
+        "lookup_field": "code",
+        "fields": fields,
+    }
+
+    ok, _, message, _data = _call_esb_api(http_get, path, data)
+    return ok, message, _data
+
+
 if settings.BK_LOGIN_API_AUTH_ENABLED:
     message = "bk_login api auth enabled=True, will call usermgr api via esb"
     print(message)
@@ -193,6 +216,7 @@ def esb_get_categories():
     batch_query_users = esb_batch_query_users
     upsert_user = esb_upsert_user
     get_categories = esb_get_categories
+    get_profile_by_code = esb_get_profile_by_code
 else:
     message = "bk_login api auth enabled=False, will call usermgr api directly"
     print(message)
@@ -202,3 +226,4 @@ def esb_get_categories():
     batch_query_users = direct_batch_query_users
     upsert_user = direct_upsert_user
     get_categories = direct_get_categories
+    get_profile_by_code = direct_get_profile_by_code