Merge pull request #43 from jiayuan929/apigw-api

jiayuan929 · web-flow · commit 6835a66941bd · 2025-01-09T17:56:59.000+08:00
feat: bklogin API 切换到 APIGW
diff --git a/backend/account/accounts.py b/backend/account/accounts.py
@@ -28,9 +28,10 @@
 from django.shortcuts import render
 
 from account.exceptions import AccessPermissionDenied
+from apigw.client import BkLoginClient
+from apigw.exceptions import BkLoginNoAccessPermission
 from bk_i18n.constants import BK_LANG_TO_DJANGO_LANG
 from common.log import logger
-from components.login import get_user, is_login
 
 
 class AccountSingleton(object):
@@ -59,47 +60,36 @@ class Account(AccountSingleton):
         # 线上 LOGIN_DOMAIN 为空
         BK_LOGIN_URL = "/login/"
 
-    # 蓝鲸统一登录约定的错误码, 表示用户认证成功，但用户无应用访问权限
-    ACCESS_PERMISSION_DENIED_CODE = 1302403
-
     def is_bk_token_valid(self, request):
         """验证用户登录态."""
         bk_token = request.COOKIES.get(settings.BK_COOKIE_NAME, None)
         if not bk_token:
             return False, None
-        ret, data = self.verify_bk_login(bk_token)
-        # bk_token 无效
-        if not ret:
+
+        # 校验并获取用户信息
+        try:
+            data = BkLoginClient().get_user(bk_token)
+        except BkLoginNoAccessPermission as e:
+            raise AccessPermissionDenied(e)
+        except Exception:
             return False, None
+
         # 检查用户是否存在用户表中
         username = data.get("bk_username", "")
         user_model = get_user_model()
         try:
             user = user_model._default_manager.get_by_natural_key(username)
-            is_created_user = False
         except user_model.DoesNotExist:
             user = user_model.objects.create_user(username)
-            is_created_user = True
         finally:
             try:
-                ret, data = self.get_bk_user_info(bk_token)
-                # 若获取用户信息失败，则用户可登录，但用户其他信息为空
-                user.chname = data.get("chname", "")
-
+                user.chname = data.get("display_name", username)
                 # 用户隐私信息置空，需要的时候直接从用户管理 API 中获取
                 user.company = data.get("company", "")
                 user.qq = ""
                 user.phone = ""
                 user.email = ""
                 user.role = ""
-
-                # 仅新用户从用户管理同步权限
-                # 用户创建后直接在桌面管理用户是否能进入到 admin 页面的权限
-                if is_created_user:
-                    role = data.get("bk_role", "")
-                    is_superuser = True if role == 1 else False
-                    user.is_superuser = is_superuser
-                    user.is_staff = is_superuser
                 user.save()
 
                 # 设置timezone session
@@ -110,34 +100,6 @@ def is_bk_token_valid(self, request):
                 logger.error("Get and record user information failed：%s" % e)
         return True, user
 
-    def verify_bk_login(self, bk_token):
-        """请求平台接口验证登录是否失效"""
-        code, message, data = is_login(bk_token)
-        if code == 0:
-            return True, data
-
-        if code == self.ACCESS_PERMISSION_DENIED_CODE:
-            logger.info("No access permission: %s" % message)
-            raise AccessPermissionDenied(message)
-
-        logger.error("Verification of user login token is invalid, code: %s,  message: %s" % (code, message))
-        return False, {}
-
-    def get_bk_user_info(self, bk_token):
-        """请求平台接口获取用户信息"""
-        code, message, data = get_user(bk_token)
-        if code == 0:
-            return True, data
-
-        if code == self.ACCESS_PERMISSION_DENIED_CODE:
-            logger.info("No access permission: %s" % message)
-            raise AccessPermissionDenied(message)
-
-        logger.error(
-            "Get user information from the request platform interface failed, code: %s,  message: %s" % (code, message)
-        )
-        return False, {}
-
     def build_callback_url(self, request, jump_url):
         callback = request.build_absolute_uri()
         login_scheme, login_netloc = urlparse(jump_url)[:2]
diff --git a/backend/apigw/__init__.py b/backend/apigw/__init__.py
@@ -17,23 +17,3 @@
 
 to the current version of the project delivered to anyone in the future.
 """
-from components.esb import _call_esb_api
-from components.http import http_get
-
-
-def is_login(bk_token):
-    """
-    校验登录态
-    """
-    path = '/api/c/compapi/v2/bk_login/is_login/'
-    _, code, message, data = _call_esb_api(http_get, path, {"bk_token": bk_token})
-    return code, message, data
-
-
-def get_user(bk_token):
-    """
-    校验登录态
-    """
-    path = '/api/c/compapi/v2/bk_login/get_user/'
-    _, code, message, data = _call_esb_api(http_get, path, {"bk_token": bk_token})
-    return code, message, data
diff --git a/backend/apigw/bk_api.py b/backend/apigw/bk_api.py
@@ -0,0 +1,45 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making
+蓝鲸智云 - 蓝鲸桌面 (BlueKing - bkconsole) available.
+Copyright (C) 2022 THL A29 Limited,
+a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+
+We undertake not to change the open source license (MIT license) applicable
+
+to the current version of the project delivered to anyone in the future.
+"""
+from bkapi_client_core.apigateway import APIGatewayClient, Operation, OperationGroup, bind_property
+
+
+class Group(OperationGroup):
+    # 校验 bk_token
+    verify_bk_token = bind_property(
+        Operation,
+        name="verify_bk_token",
+        method="GET",
+        path="/login/api/v3/open/bk-tokens/verify/",
+    )
+    # 查询 bk_token 对应的用户信息
+    get_bk_token_userinfo = bind_property(
+        Operation,
+        name="get_bk_token_userinfo",
+        method="GET",
+        path="/login/api/v3/open/bk-tokens/userinfo/",
+    )
+
+
+class Client(APIGatewayClient):
+    """Bkapi bk-login client"""
+
+    _api_name = "bk-login"
+
+    api = bind_property(Group, name="api")
diff --git a/backend/apigw/client.py b/backend/apigw/client.py
@@ -0,0 +1,57 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making
+蓝鲸智云 - 蓝鲸桌面 (BlueKing - bkconsole) available.
+Copyright (C) 2022 THL A29 Limited,
+a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+
+We undertake not to change the open source license (MIT license) applicable
+
+to the current version of the project delivered to anyone in the future.
+"""
+import logging
+
+from bkapi_client_core.exceptions import APIGatewayResponseError, ResponseError
+from django.conf import settings
+
+from apigw.bk_api import Client
+from apigw.exceptions import BkLoginGatewayServiceError, BkLoginNoAccessPermission
+
+logger = logging.getLogger(__name__)
+
+
+class BkLoginClient:
+    def __init__(self):
+        client = Client(endpoint=settings.BK_API_URL_TMPL, stage="prod")
+        client.update_bkapi_authorization(
+            bk_app_code="bk_paas",
+            bk_app_secret=settings.BK_APP_SECRET,
+        )
+        client.update_headers(self._prepare_headers())
+        self.client = client.api
+
+    def _prepare_headers(self) -> dict:
+        return {
+            # 调用全租户网关时，网关会强制要求传递 X-Bk-Tenant-Id, 但不会实际校验值的有效性, 统一传 default
+            "X-Bk-Tenant-Id": "default",
+        }
+
+    def get_user(self, bk_token: str) -> dict:
+        try:
+            resp = self.client.get_bk_token_userinfo(params={"bk_token": bk_token})
+        except (APIGatewayResponseError, ResponseError) as e:
+            logger.exception(f"call bk login api error, detail: {e}")
+            # 用户无权限时需要单独处理
+            if e.response.status_code == 403:
+                raise BkLoginNoAccessPermission(e.response.json()["error"]["message"])
+            raise BkLoginGatewayServiceError("call bk login api error")
+
+        return resp["data"]
diff --git a/backend/apigw/exceptions.py b/backend/apigw/exceptions.py
@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+# TencentBlueKing is pleased to support the open source community by making
+# 蓝鲸智云 - PaaS 平台 (BlueKing - PaaS System) available.
+# Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+# Licensed under the MIT License (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+#     http://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# We undertake not to change the open source license (MIT license) applicable
+# to the current version of the project delivered to anyone in the future.
+
+
+class BkLoginGatewayServiceError(Exception):
+    """This error indicates that there's something wrong when operating bk-login's
+    API Gateway resource. It's a wrapper class of API SDK's original exceptions
+    """
+
+    def __init__(self, message: str):
+        super().__init__(message)
+        self.message = message
+
+
+class BkLoginApiError(BkLoginGatewayServiceError):
+    """When calling the bk-login api, bk-login returns an error message,
+    which needs to be captured and displayed to the user on the page
+    """
+
+
+class BkLoginNoAccessPermission(BkLoginGatewayServiceError):
+    """User login verification passed, but no access permission."""
diff --git a/backend/conf/settings_env.py b/backend/conf/settings_env.py
@@ -55,6 +55,7 @@
 
 # 与 ESB 通信的密钥
 ESB_TOKEN = env.str("BK_PAAS_SECRET_KEY")
+BK_APP_SECRET = env.str("BK_PAAS_SECRET_KEY")
 
 # website
 # domain
@@ -77,7 +78,7 @@
 BK_API_URL_TMPL = env.str("BK_API_URL_TMPL", "http://bkapi.example.com/api/{api_name}")
 
 # 登录访问的域名，代码中会自动拼接 /login/ 地址
-# LOGIN_DOMAIN = env.str("BK_LOGIN_DOMAIN", "paas.example.com")
+LOGIN_DOMAIN = env.str("BK_LOGIN_DOMAIN", "")
 # PaaS3.0 开发者中心的访问地址，不填则展示 PaaS2.0 开发者中心访问地址
 BK_PAAS3_URL = env.str("BK_PAAS3_URL", "")
 
diff --git a/backend/templates/desktop/index.html b/backend/templates/desktop/index.html
@@ -125,7 +125,7 @@
                             </div>
                             <div class="dock-startbtn">
                                 <a href="javascript:;" class="dock-tool-start">
-                                    <img src="{{STATIC_URL}}img/getheadimg.jpg" onerror="javascript:this.src='{{STATIC_URL}}img/getheadimg.jpg';" class="indicator-header-img" title="{{request.user.username}}" style="width:40px;height:40px;border-radius: 25px;">
+                                    <img src="{{STATIC_URL}}img/getheadimg.jpg" onerror="javascript:this.src='{{STATIC_URL}}img/getheadimg.jpg';" class="indicator-header-img" title="{{request.user.chname}}" style="width:40px;height:40px;border-radius: 25px;">
                                 </a>
                             </div>
                         </div>
@@ -159,7 +159,7 @@
             <div class="startmenu-selfinfo"></div>
             <ul class="startmenu">
                 <li>
-                    <a><span class="startmenu-username">{{request.user.username}}</span></a>
+                    <a><span class="startmenu-username">{{request.user.chname}}</span></a>
                 </li>
                 <li><a href="{{BK_DOCS_URL_PREFIX}}" target="blank" class="">{% trans '文档中心' %}</a></li>
                 <li><a href="javascript:;" class="about">{% trans '蓝鲸官网' %}</a></li>
diff --git a/backend/user_center/views.py b/backend/user_center/views.py
@@ -25,8 +25,8 @@
 from django.utils import timezone, translation
 from django.utils.translation import gettext as _
 
-from account.accounts import Account
 from account.decorators import is_superuser_perm
+from apigw.client import BkLoginClient
 from app.models import App
 from app_esb_auth.models import EsbAuthApplyReocrd
 from bk_i18n.constants import TIME_ZONE_LIST
@@ -62,7 +62,7 @@ def account(request):
 
     # 获取用户基本信息
     bk_token = request.COOKIES.get(settings.BK_COOKIE_NAME, None)
-    _, data = Account().get_bk_user_info(bk_token)
+    data = BkLoginClient().get_user(bk_token)
     role = data.get("bk_role")
 
     context = {
