Merge branch 'master' of http://gitlab.ctune.cn/weijunh/DMapManager

merge

 import decimal
+from re import template
 
 from flask import Flask as _Flask
 from flask.json import JSONEncoder as _JSONEncoder
@@ -58,18 +59,47 @@ def create_app():
     app.config['OAUTH2_JWT_KEY'] = 'secret-key'
     app.config['OAUTH2_JWT_ALG'] = 'HS256'
     # app.config['SQLALCHEMY_ECHO'] = True
-    
+
     # allows cookies and credentials to be submitted across domains
     app.config['CORS_SUPPORTS_CREDENTIALS'] = true
-    app.config['CORS_ORIGINS ']="*"
+    app.config['CORS_ORIGINS '] = "*"
 
     # 跨域设置
     CORS(app)
 
     # swagger设置
     swagger_config = Swagger.DEFAULT_CONFIG
-    swagger_config.update({"title": "DMapManager"})
-    Swagger(app, config=swagger_config)
+
+    SWAGGER_TEMPLATE = {
+        # "openapi": "3.0.0",
+        # "components": {
+        #     "securitySchemes": {
+        #         "bearerAuth": {
+        #             "type": "http",
+        #             "scheme": "bearer",
+        #             "bearerFormat": "JWT"
+        #         },
+        #     }
+        # },
+        "securityDefinitions": {
+            "APIKeyHeader": {
+                "type": "apiKey",
+                "in": "header",
+                "name": "Authorization"
+            }
+        },
+
+        "security": [{
+            "APIKeyHeader": []
+        }
+        ]
+    }
+
+    swagger_config = Swagger.DEFAULT_CONFIG
+    swagger_config.update(configure.swagger_configure)
+
+    Swagger(app, config=swagger_config,
+            template=SWAGGER_TEMPLATE)
 
     # 创建数据库
     db.init_app(app)
@@ -78,9 +108,12 @@ def create_app():
     # 日志
 
     logging.basicConfig(level=configure.log_level)
-    log_file = os.path.join(os.path.dirname(os.path.dirname(os.path.realpath(__file__))), "logs", "log.txt")
-    handler = logging.FileHandler(log_file, encoding='UTF-8')   # 设置日志字符集和存储路径名字
-    logging_format = logging.Formatter('[%(levelname)s] %(asctime)s %(message)s')
+    log_file = os.path.join(os.path.dirname(os.path.dirname(
+        os.path.realpath(__file__))), "logs", "log.txt")
+    handler = logging.FileHandler(
+        log_file, encoding='UTF-8')   # 设置日志字符集和存储路径名字
+    logging_format = logging.Formatter(
+        '[%(levelname)s] %(asctime)s %(message)s')
     handler.setFormatter(logging_format)
 
     app.logger.addHandler(handler)
@@ -99,6 +132,7 @@ def create_app():
     # start_schedule()
     return app
 
+
 def create_schedule():
     monitor = Flask(__name__)
     monitor.config['SQLALCHEMY_DATABASE_URI'] = configure.SQLALCHEMY_DATABASE_URI
@@ -109,12 +143,12 @@ def create_schedule():
 
     # allows cookies and credentials to be submitted across domains
     monitor.config['CORS_SUPPORTS_CREDENTIALS'] = true
-    monitor.config['CORS_ORIGINS ']="*"
-    
+    monitor.config['CORS_ORIGINS '] = "*"
+
     # swagger设置
     swagger_config = Swagger.DEFAULT_CONFIG
     Swagger(monitor, config=swagger_config)
-    
+
     # 创建数据库
     db.init_app(monitor)
     db.create_all(app=monitor)
@@ -124,9 +158,12 @@ def create_schedule():
 
     # 日志
     logging.basicConfig(level=configure.log_level)
-    log_file = os.path.join(os.path.dirname(os.path.dirname(os.path.realpath(__file__))), "logs", "monitor_log.txt")
-    handler = logging.FileHandler(log_file, encoding='UTF-8')   # 设置日志字符集和存储路径名字
-    logging_format = logging.Formatter('[%(levelname)s] %(asctime)s %(message)s')
+    log_file = os.path.join(os.path.dirname(os.path.dirname(
+        os.path.realpath(__file__))), "logs", "monitor_log.txt")
+    handler = logging.FileHandler(
+        log_file, encoding='UTF-8')   # 设置日志字符集和存储路径名字
+    logging_format = logging.Formatter(
+        '[%(levelname)s] %(asctime)s %(message)s')
     handler.setFormatter(logging_format)
     monitor.logger.addHandler(handler)
 

@@ -4,20 +4,62 @@ import os
 from flask_sqlalchemy import SQLAlchemy
 import glob
 import traceback
-from pyDes import des,PAD_PKCS5,ECB
-
+from pyDes import des, PAD_PKCS5, ECB
+import json
 import base64
+from gmssl import sm3, func
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import unpad, pad
+from cryptography.hazmat.primitives import padding
+from cryptography.hazmat.primitives.ciphers import algorithms
+from binascii import b2a_hex, a2b_hex
+
+
+class AESHelper():
+    key = 'w03MyIgc3zMHM5Qe'.encode('utf-8')
+    iv = '8765432187654321'.encode('utf-8')
+
+    @classmethod
+    def encode(self, instr):
+        plaintxt = self._pad(instr)
+        aes = AES.new(self.key, AES.MODE_CBC, self.iv)
+        ciphertext = aes.encrypt(plaintxt)
+        return b2a_hex(ciphertext).decode('utf-8')
+
+    @classmethod
+    def decode(self, instr):
+        encryptedData = instr
+        aes = AES.new(self.key, AES.MODE_CBC, self.iv)
+        plaintxt = aes.decrypt(a2b_hex(encryptedData))
+        return  bytes.decode(unpad(plaintxt, AES.block_size))
+
+    def _pad(data):
+        if not isinstance(data, bytes):
+            data = data.encode()
+        padder = padding.PKCS7(algorithms.AES.block_size).padder()
+        padded_data = padder.update(data)+padder.finalize()
+        return padded_data
+
+
+class SM3():
+    @classmethod
+    def encode(self, data=""):
+        by_str = bytes(data, 'utf-8')
+        result = sm3.sm3_hash(func.bytes_to_list(by_str))
+        return result
+
+
 class DES():
     '''
     DES密码加解密
     '''
-    Des: des = des("Chinadci", ECB, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
+    Des: des = des("Chinadci", ECB, "\0\0\0\0\0\0\0\0",
+                   pad=None, padmode=PAD_PKCS5)
 
     @classmethod
     def encode(cls, data):
         return str(base64.b64encode(cls.Des.encrypt(data)), encoding="utf8")
 
-
     @classmethod
     def decode(cls, data):
         if data:
@@ -26,6 +68,7 @@ class DES():
         else:
             return data
 
+
 db = SQLAlchemy()
 
 # 动态加载Model
@@ -33,13 +76,14 @@ current_dir = os.path.abspath(os.path.dirname(__file__))
 pkgs = list(glob.glob('%s/modules/*/models' % (current_dir)))
 pkgs.extend(list(glob.glob('%s/modules/*/*/models' % (current_dir))))
 
-for pkg in pkgs :
+for pkg in pkgs:
     pkg = os.path.normpath(pkg)
     node_list = pkg.split(os.path.sep)
-    pkg_name = "app.{}".format(".".join(node_list[node_list.index("modules"):]))
+    pkg_name = "app.{}".format(
+        ".".join(node_list[node_list.index("modules"):]))
     try:
         if pkg_name.__contains__("models"):
             __import__(pkg_name)
     except Exception as e:
         print(traceback.format_exc())
-        pass
\ No newline at end of file
+        pass

 from enum import auto
 from logging import error
+from unittest import result
 from flasgger import swag_from
 from app.util import BlueprintApi
 from app.util import BlueprintApi
 from flask import Blueprint, render_template, redirect, request, session, jsonify
-from sqlalchemy import and_
 from .models import *
-from .oauth2 import authorization, generate_user_info,require_oauth
+from .oauth2 import authorization, generate_user_info, require_oauth
 from authlib.oauth2 import OAuth2Error
 from authlib.integrations.flask_oauth2 import current_token
 from . import user_create, client_create, client_query, user_query, user_update, user_delete
 import configure
 from app.decorators.auth_decorator import auth_decorator
+import time
+from app.models import SM3, AESHelper
 
 
 def current_user():
@@ -45,17 +47,22 @@ class DataManager(BlueprintApi):
             except OAuth2Error as error:
                 return jsonify(dict(error.get_body()))
             if not user:
-                return render_template("auth/authorize.html", user=user, grant=grant)
-            # return render_template("auth/login1.html", user=user, grant=grant)
+                # 生成验证码
+                
+                return render_template("auth/authorize.html",
+                                       user=user,
+                                       grant=grant)
         error = ""
         if not user:
+            # 验证码校验
+
             if not "username" in request.form or not request.form.get("username"):
                 error = "用户名不可为空"
             elif not "password" in request.form or not request.form.get("password"):
                 error = "密码不可为空"
             else:
                 username = request.form.get("username")
-                password = request.form.get("password")
+                password = SM3.encode(request.form.get("password"))
                 user = User.query.filter_by(
                     username=username, password=password).first()
                 if not user:
@@ -64,15 +71,14 @@ class DataManager(BlueprintApi):
         if user:
             session["id"] = user.id
             grant_user = user
-            return authorization.create_authorization_response(grant_user=grant_user)
+            return authorization.create_authorization_response(request=request, grant_user=grant_user)
 
         try:
             grant = authorization.validate_consent_request(end_user=user)
         except OAuth2Error as error:
             return jsonify(dict(error.get_body()))
-        return render_template("auth/authorize.html", user=user, grant=grant, error=error)
-
-       
+        # return render_template("auth/authorize.html", user=user, grant=grant, error=error)
+        return authorization.create_authorization_response(grant_user=None)
 
     @staticmethod
     @bp.route("/token", methods=["POST"])
@@ -106,8 +112,7 @@ class DataManager(BlueprintApi):
         except OAuth2Error as error:
             return jsonify(dict(error.get_body()))
         return redirect(url)
-       
-       
+
     """接口"""
     @staticmethod
     @bp.route("/users", methods=["GET"])
@@ -166,3 +171,29 @@ class DataManager(BlueprintApi):
         获取client列表
         """
         return client_query.Api().result
+
+    @staticmethod
+    @bp.route("/init", methods=["GET"])
+    def init():
+        username = 'admin'
+        password = 'admin'
+        if not User.query.filter_by(username=username).one_or_none():
+            user = User(username=username, password=password, role='admin',
+                        phone='', company='', position='', email='',
+                        create_time=time.strftime(
+                            "%Y-%m-%d %H:%M:%S", time.localtime()),
+                        update_time=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()))
+            db.sesion.add(user)
+            db.session.commit()
+            return "创建默认用户成功"
+        else:
+            return "默认用户已存在"
+
+    @staticmethod
+    @bp.route("/test", methods=["GET"])
+    def test():
+        result = 'c78ca1de8139e62c99d4c4d2050ddd16'
+        result = AESHelper.encode('dataman2')
+        # result=DES.decode('U2FsdGVkX199Ncuh7+0/HVmonwM9Uz7SYnmF73wtW7c=')
+        result2 = AESHelper.decode(result)
+        return result2

@@ -40,6 +40,13 @@ class OAuth2Client(db.Model, OAuth2ClientMixin):
         Integer, ForeignKey('dmap_user.id', ondelete='CASCADE'))
     user = relationship('User')
 
+    def get_default_redirect_uri(self):
+        if self.redirect_uris:
+            return self.redirect_uris[0]
+
+    def check_redirect_uri(self, redirect_uri):
+        return redirect_uri in self.redirect_uris
+
 
 class OAuth2AuthorizationCode(db.Model, OAuth2AuthorizationCodeMixin):
     __tablename__ = 'dmap_oauth2_code'
@@ -57,4 +64,4 @@ class OAuth2Token(db.Model, OAuth2TokenMixin):
     user_id = Column(
         Integer, ForeignKey('dmap_user.id', ondelete='CASCADE'))
     # name = Column(Text)
-    user = relationship('User')
\ No newline at end of file
+    user = relationship('User')

+from authlib.oauth2.rfc6749 import grants
 from os import access, remove
 from time import time
 from authlib.integrations.flask_oauth2 import (
@@ -29,10 +30,11 @@ DUMMY_JWT_CONFIG = {
     'exp': 7200,
 }
 
+
 class myCodeIDToken(CodeIDToken):
     def validate(self, now, leeway):
         return super().validate(now=now, leeway=leeway)
-    
+
     def validate_exp(self, now, leeway):
         return super().validate_exp(now, leeway)
 
@@ -68,7 +70,34 @@ def create_authorization_code(client, grant_user, request):
     return code
 
 
-class AuthorizationCodeGrant(_AuthorizationCodeGrant):
+class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
+
+    def save_authorization_code(self, code, request):
+        client = request.client
+        auth_code = OAuth2AuthorizationCode(
+            code=code,
+            client_id=client.client_id,
+            redirect_uri=request.redirect_uri,
+            scope=request.scope,
+            user_id=request.user.id,
+        )
+        db.session.add(auth_code)
+        db.session.commit()
+        return auth_code
+
+    def query_authorization_code(self, code, client):
+        item = OAuth2AuthorizationCode.query.filter_by(
+            code=code, client_id=client.client_id).first()
+        if item and not item.is_expired():
+            return item
+
+    def delete_authorization_code(self, authorization_code):
+        db.session.delete(authorization_code)
+        db.session.commit()
+
+    def authenticate_user(self, authorization_code):
+        return User.query.get(authorization_code.user_id)
+
     def create_authorization_code(self, client, grant_user, request):
         return create_authorization_code(client, grant_user, request)
 
@@ -122,6 +151,17 @@ class HybridGrant(_OpenIDHybridGrant):
         return generate_user_info(user, scope)
 
 
+class PasswordGrant(grants.ResourceOwnerPasswordCredentialsGrant):
+    def authenticate_user(self, username, password):
+        user = User.query.filter_by(username=username).first()
+        if user.check_password(password):
+            return user
+
+    TOKEN_ENDPOINT_AUTH_METHODS = [
+        'client_secret_basic', 'client_secret_post'
+    ]
+
+
 authorization = AuthorizationServer()
 require_oauth = ResourceProtector()
 
@@ -142,6 +182,7 @@ def config_oauth(app):
     ])
     authorization.register_grant(ImplicitGrant)
     authorization.register_grant(HybridGrant)
+    authorization.register_grant(PasswordGrant)
 
     # protect resource
     bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)

@@ -6,6 +6,8 @@
 from .models import *
 from app.util.component.ApiTemplate import ApiTemplate
 import time
+from app.models import SM3
+from app.models import AESHelper
 
 
 class Api(ApiTemplate):
@@ -26,13 +28,13 @@ class Api(ApiTemplate):
         res["result"] = False
         try:
             # 业务逻辑
-            username = self.para.get("username")
-            password = self.para.get("pwd")
-            role = self.para.get("role")
-            company = self.para.get("company", None)
-            position = self.para.get("position", None)
-            email = self.para.get("email", None)
-            phone = self.para.get("phone", None)
+            username = AESHelper.decode( self.para.get("username", ''))
+            password = SM3.encode(AESHelper.decode(self.para.get("pwd", '')))
+            role = AESHelper.decode(self.para.get("role", ''))
+            company = AESHelper.decode(self.para.get("company", ''))
+            position = AESHelper.decode(self.para.get("position", ''))
+            email = AESHelper.decode(self.para.get("email", ''))
+            phone = AESHelper.decode(self.para.get("phone", ''))
             # 是否重名
             if(User.query.filter_by(username=username).one_or_none()):
                 res["msg"] = "username 已存在"

 from app.util.component.ApiTemplate import ApiTemplate
-import time
+from app.models import SM3
 from .models import *
+from app.models import AESHelper
 
 
 class Api(ApiTemplate):
@@ -25,10 +26,13 @@ class Api(ApiTemplate):
             else:
                 # 更新密码要求同时输入pwd/newPwd/reNewPwd
                 if self.para.__contains__("pwd") or self.para.__contains__("newPwd") or self.para.__contains__("reNewPwd"):
-                    password = self.para.get("pwd")
-                    new_password = self.para.get("newPwd")
-                    re_new_password = self.para.get("reNewPwd")
-                    
+                    password = SM3.encode(
+                        AESHelper.decode(self.para.get("pwd")))
+                    new_password = SM3.encode(
+                        AESHelper.decode(self.para.get("newPwd")))
+                    re_new_password = SM3.encode(
+                        AESHelper.decode(self.para.get("reNewPwd")))
+
                     # validate pwd
                     if not password:
                         res["result"] = False
@@ -42,17 +46,17 @@ class Api(ApiTemplate):
                         res["result"] = False
                         res["msg"] = "原密码输入错误"
                         return res
-                    
+
                     # 更新密码
                     userinfo.update({"password": new_password})
-                    
-                #更新用户基本信息
+
+                # 更新用户基本信息
                 for key in obj_value:
                     if self.para.__contains__(obj_value[key]):
-                        value = self.para.get(obj_value[key])
+                        value = self.para.get(AESHelper.decode(obj_value[key]))
                         value = "" if value == "None" or value == "none" else value
                         userinfo.update({key: value})
-                        
+
                 db.session.commit()
                 res["result"] = True
                 res["msg"] = "更新用户信息成功"

+'''
+生成验证码图片
+'''
+
+from PIL import Image, ImageDraw, ImageFont, ImageFilter
+import random
+
+
+# 随机字符
+def rndChar():
+    num = 0
+    while num == 0 and ((num >= 58 and num <= 64) or (num >= 91 and num <= 96)):
+        num = random.randint(48, 122)
+    return num
+
+# 随机颜色
+
+
+def rndColor():
+    return ''
\ No newline at end of file

@@ -5,6 +5,7 @@ deploy_ip_host = "172.26.40.105:8840"
 # 系统数据库
 SQLALCHEMY_DATABASE_URI = "postgresql://postgres:chinadci@172.26.60.101:5432/dmap_manager"
 
+
 # 指定精华表所在位置(必须为空间库)，设置为None则存放在各自的实体库中
 #VACUATE_DB_URI = None
 VACUATE_DB_URI = SQLALCHEMY_DATABASE_URI
@@ -13,6 +14,8 @@ VACUATE_DB_URI = SQLALCHEMY_DATABASE_URI
 dmap_engine = "http://172.26.99.160:8820"
 
 # 固定配置不需要修改
+
+swagger_configure = {"title": "DMapManager"}
 entry_data_thread = 3
 SECRET_KEY = b'_5#y2L"F4Q8z\n\xec]/'
 # 权限

+101映射域名
+dmap.apps.chinadci.com
+# 鉴权
+Authlib
+## 1 授权服务器
+为授权、颁发令牌、刷新令牌和撤销令牌提供多个端点。当资源拥有者（用户）获得授权时，授权服务器会向客户端颁发访问令牌。
+### 资源拥有者：用户
+### 客户端：客户端是一个代表资源拥有者并在授权情况下请求受保护资源的应用
+  * client_id是唯一标识
+  * client_secret是密码
+  * 客户端令牌端点认证方法 
+### 令牌
+使用令牌访问用户资源，令牌发布时带有有效期，有访问范围等等。它至少包括：
+*　access_token
+* refresh_token
+*...
+### 服务器
+authlib使用工具AuthorizationServer管理请求和响应
+
+
+
+# Web安全
+## 1 接口权限控制
+[swagger](https://swagger.io/docs/specification/2-0/what-is-swagger/)
+
+**需求：api需要授权**
+
+1.确定当前使用openapi2版本
+2.了解简单YAML使用方式，文档使用YAML格式
+3.声明Swagger，传入配置template（json或者yaml）
+```python
+Swagger(app, config=swagger_config,template=SWAGGER_TEMPLATE)
+```
+
+## 2 用户密码加密
+[pipy](https://pypi.org/project/gmssl/)
+[github](https://github.com/guanzhi/GmSSL)
+[使用gmssl demo](https://www.cnblogs.com/rocedu/p/15518988.html)
+
+**用户密码加密不可逆，兼容国产化，使用sm3算法，采用gmssl开源组件**
+
+封装好的类使用如下：
+```python
+from app.models import SM3
+password = SM3.encode('test')
+```
+## 3 通过网络传输的敏感信息要加密
+~~使用sm2，通过gmssl工具生成sm2的公钥、私钥。~~
+~~[教程](https://github.com/guanzhi/GmSSL)~~
+
+~~1.生成sm2公钥、私钥~~
+~~privatekey使用的pem是`zhou@123`~~
+
+~~2. 使用公钥加密，私钥解密~~
+~~前端使用sm-crypto，用户与python-gmssl互通~~
+~~[npm_sm-crypto](https://www.npmjs.com/package/sm-crypto)~~
+
+使用AES对称加密敏感信息，前端加密，后端解密。偏移量iv、加密密钥key与前端保持一致，保证解密正确。封装在models.py中。
+
+依赖组件：
+* pycryptodome
+* Crypto
+* binascii
+参考资料
+[pycryptodome]()
+
+**demo**
+```python
+from app.models import  AESHelper
+
+encryption=AESHelper.encode('test_data')
+result=AESHelper.decode(encryption)
+```
+
+## 4 使用验证码，防止恶意破解密码、刷票、论坛灌水、刷页
+验证码又叫CAPTCHA
+
+[验证码基础知识](https://baike.baidu.com/item/%E9%AA%8C%E8%AF%81%E7%A0%81/31701)
+[使用python图像处理标准库](https://www.liaoxuefeng.com/wiki/1016959663602400/1017785454949568)
+[pillow](https://pillow.readthedocs.io/en/stable/index.html)
\ No newline at end of file

@@ -17,3 +17,5 @@ kazoo==2.8.0
 paramiko==2.8.0
 requests==2.26.0
 schedule==1.1.0
+gmssl==3.2.1
+pycryptodome==3.13.0