fix: cr

nannan00 · Aug 23, 2024 · 245d294 · 245d294
1 parent 28c7565
commit 245d294
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 8 deletions.
diff --git a/src/bk-user/bkuser/apis/open_v1/__init__.py b/src/bk-user/bkuser/apis/open_v1/__init__.py
@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-用户管理(Bk-User) available.
+Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
diff --git a/src/bk-user/bkuser/apis/open_v1/authentications.py b/src/bk-user/bkuser/apis/open_v1/authentications.py
@@ -26,9 +26,10 @@
 
 
 class ESBAuthentication(BaseAuthentication):
-    www_authenticate_realm = "api"
-
     def authenticate(self, request):
+        """
+        认证凭证信息，返回认证后的 Django User，同时设置 request.bk_app_code 便于后续鉴权判断请求来源
+        """
         credentials = self.get_credentials(request)
 
         if not credentials:
@@ -41,14 +42,13 @@ def authenticate(self, request):
         username = self._get_username_from_jwt_payload(payload)
         app_code = self._get_app_code_from_jwt_payload(payload)
 
-        request.bk_app_code = app_code  # 获取到调用 app_code
+        # 获取到调用 app_code
+        request.bk_app_code = app_code
 
         return self._get_or_create_user(username), None
 
-    def authenticate_header(self, request):
-        return '{0} realm="{1}"'.format("Bearer", self.www_authenticate_realm)
-
     def get_credentials(self, request):
+        """从 Header 头获取接口认证的凭证信息"""
         credentials = {
             "jwt": request.META.get("HTTP_X_BKAPI_JWT"),
             "from": request.META.get("HTTP_X_BKAPI_FROM", "esb"),
@@ -60,6 +60,7 @@ def get_credentials(self, request):
         return None
 
     def verify_credentials(self, credentials):
+        """JWT 校验并解析出调用方信息"""
         public_key = self._get_jwt_public_key(credentials["from"])
         # Note: 不从 jwt header 里取 kid 判断是网关还是 ESB 签发的，在不同环境可能不准确
         jwt_payload = self._decode_jwt(credentials["jwt"], public_key)
@@ -69,6 +70,7 @@ def verify_credentials(self, credentials):
         return True, jwt_payload
 
     def _decode_jwt(self, content, public_key):
+        """解析 JWT"""
         try:
             jwt_header = jwt.get_unverified_header(content)
             algorithm = jwt_header.get("alg") or "RS512"
@@ -111,6 +113,7 @@ def _get_app_code_from_jwt_payload(self, jwt_payload):
         return app_code
 
     def _get_or_create_user(self, username):
+        """获取或创建标准  Django User，用于通过认证"""
         user_model = get_user_model()
         user, _ = user_model.objects.get_or_create(
             username=username, defaults={"is_active": True, "is_staff": False, "is_superuser": False}
@@ -137,6 +140,7 @@ def _get_apigw_public_key(self):
 
     @cachedmethod(timeout=None)  # 缓存不过期，除非重新部署服务
     def _get_jwt_public_key(self, request_from):
+        """根据来源，获取 Jwt Public Key"""
         # TODO 理论上 open_v2 只接 ESB，open_v3 只接 APIGW，后续新增 open_v3 后可以分离该 Auth 类逻辑
         if request_from == "apigw":
             return self._get_apigw_public_key()

diff --git a/src/bk-user/bkuser/apis/open_v1/permissions.py b/src/bk-user/bkuser/apis/open_v1/permissions.py
@@ -21,6 +21,6 @@ class IsAllowedAppCode(BasePermission):
     def has_permission(self, request, view):
         """
         目前只允许桌面访问
-        桌面 AppCode: https://github.com/TencentBlueKing/blueking-console/blob/master/backend/components/esb.py#L35
+        桌面 AppCode: https://github.com/TencentBlueKing/blueking-console/blob/7ab1efb189deeed2e95557cd9a90d62c1b4b7735/backend/components/esb.py#L35
         """
         return hasattr(request, "bk_app_code") and request.bk_app_code in ["bk_paas"]
diff --git a/src/bk-user/bkuser/apis/open_v2/authentications.py b/src/bk-user/bkuser/apis/open_v2/authentications.py
@@ -40,7 +40,8 @@ def authenticate(self, request):
         username = self._get_username_from_jwt_payload(payload)
         app_code = self._get_app_code_from_jwt_payload(payload)
 
-        request.bk_app_code = app_code  # 获取到调用 app_code
+        # 获取到调用 app_code
+        request.bk_app_code = app_code
 
         return self._get_or_create_user(username), None