lesscode-flask 0.2.62__tar.gz → 0.2.89__tar.gz

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lesscode-flask
-Version: 0.2.62
+Version: 0.2.89
 Summary: lesscode-flask 是基于flask的web开发脚手架项目，该项目初衷为简化开发过程，让研发人员更加关注业务。
 Home-page: https://lesscode-flask
 Author: Chao.yy

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "0.2.62"
+__version__ = "0.2.89"
 
 import functools
 import logging
@@ -16,6 +16,20 @@ class SQ_Blueprint(Blueprint):
         if not kwargs.get("import_name"):
             kwargs["import_name"] = __name__
         super().__init__(name=name, url_prefix=url_prefix, **kwargs)
+        # 记录蓝图内显式注册的“路径 + 方法”，供初始化阶段做冲突过滤。
+        self._route_method_keys = set()
+
+    def add_url_rule(self, rule, endpoint=None, view_func=None, provide_automatic_options=None, **options):
+        methods = options.get("methods")
+        if methods is None:
+            methods = ["GET"]
+        elif isinstance(methods, str):
+            methods = [methods]
+        methods = [str(item).upper() for item in methods if item]
+        for method in methods:
+            self._route_method_keys.add(f"{rule}|{method}")
+        return super().add_url_rule(rule, endpoint=endpoint, view_func=view_func,
+                                    provide_automatic_options=provide_automatic_options, **options)
 
     def decorator_handler(
             self,

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/app.py

@@ -18,7 +18,7 @@ from werkzeug.middleware.proxy_fix import ProxyFix
 from lesscode_flask.model.response_result import ResponseResult
 from lesscode_flask.setup import setup_blueprint, setup_logging, setup_query_runner, setup_swagger, setup_sql_alchemy, \
     setup_redis, setup_login_manager, setup_resource_register, setup_data_download, setup_scheduler, \
-    setup_common_resource, setup_task
+    setup_common_resource, setup_task, setup_api_blueprint, prepare_api_blueprint_routes
 from lesscode_flask.signals import app_runed
 from lesscode_flask.utils.decorator.sql_injection import contains_sql_injection
 from lesscode_flask.utils.helpers import inject_args, generate_uuid, app_config
@@ -31,6 +31,7 @@ from lesscode_flask.utils.limit.req.rate_limiter_handler import RateLimitHandler
 from lesscode_flask.utils.limit.req_count.count_limiter_handler import CountLimitHandler
 from lesscode_flask.utils.limit.req_count.redis_count_limiter import RedisCountLimiter
 from lesscode_flask.utils.redis.redis_helper import RedisHelper
+from lesscode_flask.utils.sign import verify_request_signature
 from lesscode_flask.utils.swagger.swagger_util import generate_openapi_spec
 
 # import collections.abc as cabc
@@ -74,6 +75,7 @@ class Lesscoder(Flask):
             self.consecutiveAccessLimiter = RedisConsecutiveAccessLimiter(self.config.get("REDIS_LIMIT_KEY", "redis"))
 
     def preprocess_request(self) -> ft.ResponseReturnValue | None:
+        verify_request_signature(self)
         v = super(Lesscoder, self).preprocess_request()
         user_limit_policy = None
         if  hasattr(self, 'countLimiter') and self.countLimiter:
@@ -164,7 +166,9 @@ class Lesscoder(Flask):
         params_dict.update(view_args)
         SQL_INJECTION_ENABLE = self.config.get("SQL_INJECTION_ENABLE", False)
         if SQL_INJECTION_ENABLE:
-            if contains_sql_injection(params_dict):
+            sql_injection_white_list = self.config.get("SQL_INJECTION_WHITE_LIST", []) or []
+            is_sql_injection_white_path = any(req.path.startswith(path) for path in sql_injection_white_list)
+            if not is_sql_injection_white_path and contains_sql_injection(params_dict):
                 ResponseResult.fail("参数包含非法字符，请调整后重试！", status_code="403", http_code="403")
         # 调用处理函数执行请求处理
         result = self.ensure_sync(func)(**params_dict)
@@ -183,15 +187,80 @@ class Lesscoder(Flask):
             return result
 
     def setup(self):
+        def _collect_blueprint_route_method_keys(blueprint_map):
+            # 从项目内已定义的蓝图中提取“完整路径 + 方法”，用于后续排除同名自动接口。
+            route_method_keys = set()
+            for blueprint in blueprint_map.values():
+                prefix = (getattr(blueprint, "url_prefix", "") or "").rstrip("/")
+                # 优先使用 SQ_Blueprint 记录的路由元数据，避免依赖 Flask 闭包结构。
+                blueprint_keys = getattr(blueprint, "_route_method_keys", None)
+                if isinstance(blueprint_keys, set) and blueprint_keys:
+                    for key in blueprint_keys:
+                        if "|" not in key:
+                            continue
+                        route, method = key.rsplit("|", 1)
+                        full_route = f"{prefix}{route}" if prefix else route
+                        if not full_route.startswith("/"):
+                            full_route = f"/{full_route}"
+                        full_route = full_route.replace("//", "/")
+                        route_method_keys.add(f"{full_route}|{str(method).upper()}")
+                    continue
+
+                # 兜底方案：兼容普通 Blueprint 或未记录元数据的蓝图。
+                deferred_functions = getattr(blueprint, "deferred_functions", []) or []
+                for deferred in deferred_functions:
+                    closure = getattr(deferred, "__closure__", None) or []
+                    route = None
+                    methods = None
+                    for cell in closure:
+                        value = cell.cell_contents
+                        if isinstance(value, str) and value.startswith("/"):
+                            route = value
+                        elif isinstance(value, dict) and isinstance(value.get("methods"), (list, tuple, set)):
+                            methods = [str(item).upper() for item in value.get("methods") if item]
+                    if not route:
+                        continue
+                    full_route = f"{prefix}{route}" if prefix else route
+                    if not full_route.startswith("/"):
+                        full_route = f"/{full_route}"
+                    full_route = full_route.replace("//", "/")
+                    methods = methods or ["GET"]
+                    for method in methods:
+                        route_method_keys.add(f"{full_route}|{method}")
+            return route_method_keys
+
         setup_logging(self)
+        # 1) 先从能力平台准备自动蓝图路由计划（仅组织数据，不立即注册）。
+        api_capability_server, api_route_prefix, api_route_list = prepare_api_blueprint_routes(self)
+        # 1) 先收集项目代码中的蓝图定义。
         blueprint_map = setup_blueprint(self)
+        # 2) 用项目接口签名作为排除条件，确保同路径同方法时由项目接口覆盖自动接口。
+        project_route_method_keys = _collect_blueprint_route_method_keys(blueprint_map)
+        auto_blueprints = setup_api_blueprint(
+            self,
+            exclude_route_method_keys=project_route_method_keys,
+            existing_blueprint_names=set(blueprint_map.keys()),
+            route_list=api_route_list,
+            capability_server=api_capability_server,
+            route_prefix=api_route_prefix
+        )
         setup_query_runner()
         setup_swagger(self)
         setup_sql_alchemy(self)
         setup_redis(self)
         setup_login_manager(self)
+        # 3) 先注册自动蓝图，再注册项目蓝图；同时自动蓝图已做冲突过滤，保证项目实现优先。
+        if auto_blueprints:
+            for auto_blueprint in auto_blueprints:
+                self.register_blueprint(
+                    auto_blueprint,
+                    name=getattr(auto_blueprint, "_registration_name", auto_blueprint.name)
+                )
         for blueprint_name, blueprint in blueprint_map.items():
-            self.register_blueprint(blueprint)
+            self.register_blueprint(
+                blueprint,
+                name=getattr(blueprint, "_registration_name", blueprint_name)
+            )
         setup_common_resource(self)
         setup_resource_register(self)
         setup_data_download(self)

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/db/__init__.py

@@ -26,13 +26,13 @@ def execute_query(
         query_text = query.query
         # query_text = query_runner.apply_auto_limit(query.text, should_apply_auto_limit)
         start_time = time.perf_counter()
-        data =  QueryExecutor(
+        data = QueryExecutor(
             query_text,
             query_runner
         ).run()
         end_time = time.perf_counter()
         elapsed_time = end_time - start_time
-        logging.debug(f"query_text:\n{query_text}\nquery_time: {elapsed_time:.6f}s")
+        logging.info(f"query_text:\n{query_text}\nquery_time: {elapsed_time:.6f}s")
         return data
     except Exception as e:
         # models.db.session.rollback()
@@ -56,13 +56,18 @@ def execute(query_text, parameters, query_runner, should_apply_auto_limit=True):
         query.apply(parameters)
         query_text = query.query
         # query_text = query_runner.apply_auto_limit(query.text, should_apply_auto_limit)
-        logging.info("query_text:{}".format(query_text))
-        return QueryExecutor(
+        start_time = time.perf_counter()
+        data = QueryExecutor(
             query_text,
             query_runner
         ).exec()
+        end_time = time.perf_counter()
+        elapsed_time = end_time - start_time
+        logging.info(f"execute_text:\n{query_text}\nexecute_time: {elapsed_time:.6f}s")
+        return data
     except Exception as e:
         # models.db.session.rollback()
+        logging.error("error_execute_text:\n{}".format(query_text))
         raise e
 
 

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/log/access_log_handler.py

@@ -45,6 +45,12 @@ class AccessLogHandler(Handler):
         app_key = request.headers.get("App-Key")
         url = request.path
         url_info_key = f"upms:url_info:{url}"
+        # 签名
+        signature = request.headers.get("signature") or request.headers.get('Signature')
+        # 随机数
+        nonce = request.headers.get("nonce") or request.headers.get('Nonce')
+        # 时间戳
+        timestamp = request.headers.get("timestamp") or request.headers.get('Timestamp')
 
         resource_id = "-"
         resource_label = url
@@ -66,7 +72,8 @@ class AccessLogHandler(Handler):
                                obj_id=current_user.id, type=current_user.type, client_id=client_id,
                                resource_id=resource_id, location=location, sub=current_user.sub,
                                resource_label=resource_label, url=url, referrer=referrer, client_ip=client_ip,
-                               user_agent=user_agent_string, token=token, app_key=app_key, start_time=start_time,
+                               user_agent=user_agent_string, token=token, app_key=app_key, signature=signature,
+                               nonce=nonce, timestamp=timestamp, start_time=start_time,
                                end_time=end_time, duration=end_time - start_time, status_code=status_code,
                                params=params)
 

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/model/access_log.py

@@ -24,6 +24,9 @@ class AccessLog(BaseModel):
     user_agent = Column(String(512), comment='客户端')
     token = Column(String(64), comment='token')
     app_key = Column(String(64), comment='请求的app_key')
+    signature = Column(String(64), comment='签名')
+    nonce = Column(String(64), comment='签名随机数')
+    timestamp = Column(String(64), comment='签名时间戳')
     params = Column(JSONEncodedDict)
     start_time = Column(DOUBLE, comment='开始时间')
     end_time = Column(DOUBLE, comment='结束时间')

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/setting/__init__.py

@@ -90,6 +90,22 @@ class BaseConfig:
     AUTH_DEFAULT_ACCESS = 0
     # 启用生成刷新token
     OAUTH2_REFRESH_TOKEN_GENERATOR = True
+    # 请求签名校验开关（在token校验前执行）
+    SIGN_ENABLE: bool = False
+    # 固定签名密钥，建议在业务配置中覆盖
+    SIGN_SECRET: str = ""
+    # 签名有效时间窗口（秒）
+    SIGN_WINDOW_SEC: int = 300
+    # 防重放校验开关
+    SIGN_NONCE_ENABLE: bool = True
+    # nonce缓存时长（秒）
+    SIGN_NONCE_TTL_SEC: int = 300
+    # 签名白名单路径前缀
+    SIGN_WHITE_LIST: list = [SWAGGER_URL, SWAGGER_API_URL, f"{ROUTE_PREFIX}/oauth/token", f"{ROUTE_PREFIX}/oauth/captcha"]
+    # 签名IP白名单（支持单IP或CIDR，命中后跳过签名校验）
+    SIGN_IP_WHITE_LIST: list = []
+    # 忽略签名校验的方法
+    SIGN_IGNORE_METHODS: list = ["OPTIONS"]
     # 是否启用限流频率验证
     RATE_LIMIT_ENABLE: bool = False
 
@@ -132,6 +148,8 @@ class BaseConfig:
     FS_OAM_SERVICE_URL = "https://oa.shangqi.com.cn"
     # sql 注入验证器开关
     SQL_INJECTION_ENABLE = False
+    # sql 注入检测白名单，命中路径前缀时跳过检测
+    SQL_INJECTION_WHITE_LIST: list = []
     #
     #
     # # 外网地址
@@ -141,6 +159,9 @@ class BaseConfig:
     #
     # 数据服务
     CAPABILITY_PLATFORM_SERVER: str = "http://127.0.0.1:8976"
+    # 转调能力平台时附加的自定义请求头（key/value 由业务配置覆盖）
+    DATA_SOURCE_KEY: str = "Data-Source-Id"
+    DATA_SOURCE_VALUE: str = ""
     # # 权限服务地址
     # OAUTH_SERVER: str = ""
     # # 后端管理地址
@@ -165,6 +186,9 @@ class BaseConfig:
     REGISTER_ENABLE = False
     REGISTER_SERVER = "http://127.0.0.1:8976"
 
+    # 通过固定 API 拉取地址并自动注册蓝图（默认关闭）
+    AUTO_BLUEPRINT_ENABLE = False
+
     # 本地环境
     ENV = "local"
     # 是否代理能力平台的公共接口

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/setup/__init__.py

@@ -73,7 +73,7 @@ def setup_logging(app):
         logging.getLogger().addHandler(access_log_handler)
 
 
-def setup_blueprint(app, path=None, pkg_name="handlers", blueprint_map={}):
+def setup_blueprint(app, path=None, pkg_name="handlers", blueprint_map=None):
     import os
     from flask import Blueprint
     import inspect
@@ -83,6 +83,17 @@ def setup_blueprint(app, path=None, pkg_name="handlers", blueprint_map={}):
     :param path: 项目内Handler的文件路径
     :param pkg_name: 引入模块前缀
     """
+    if blueprint_map is None:
+        blueprint_map = {}
+    seen_blueprint_ids = {id(blueprint) for blueprint in blueprint_map.values()}
+
+    def _alloc_blueprint_name(blueprint_name):
+        if blueprint_name not in blueprint_map:
+            return blueprint_name
+        index = 2
+        while f"{blueprint_name}-{index}" in blueprint_map:
+            index += 1
+        return f"{blueprint_name}-{index}"
     if path is None:
         # 项目内Handler的文件路径，使用当前工作目录作为根
         path = os.path.join(os.getcwd(), pkg_name)
@@ -102,17 +113,296 @@ def setup_blueprint(app, path=None, pkg_name="handlers", blueprint_map={}):
             for name, obj in inspect.getmembers(module):
                 # 找到Blueprint 的属性进行注册
                 if isinstance(obj, Blueprint):
-                    # 如果有配置统一前缀则作为蓝图路径的统一前缀
-                    blueprint_name = obj.name
-                    if blueprint_name in blueprint_map:
+                    # 同一个蓝图对象可能以多个变量名暴露，按对象身份去重，避免重复注册。
+                    if id(obj) in seen_blueprint_ids:
                         continue
-                    else:
-                        if hasattr(obj, "url_prefix") and app.config.get("ROUTE_PREFIX", ""):
-                            obj.url_prefix = f'{app.config.get("ROUTE_PREFIX")}{obj.url_prefix}'
-                        blueprint_map[blueprint_name] = obj
+                    # 如果有配置统一前缀则作为蓝图路径的统一前缀
+                    blueprint_name = _alloc_blueprint_name(obj.name)
+                    # 为蓝图保存唯一注册名，真正注册时通过 register_blueprint(name=...) 指定。
+                    setattr(obj, "_registration_name", blueprint_name)
+                    if hasattr(obj, "url_prefix") and app.config.get("ROUTE_PREFIX", ""):
+                        obj.url_prefix = f'{app.config.get("ROUTE_PREFIX")}{obj.url_prefix}'
+                    blueprint_map[blueprint_name] = obj
+                    seen_blueprint_ids.add(id(obj))
     return blueprint_map
 
 
+def _normalize_route(raw_route):
+    if not raw_route:
+        return None
+    route = str(raw_route).strip()
+    if not route.startswith("/"):
+        route = f"/{route}"
+    return route.replace("{", "<").replace("}", ">")
+
+
+def _normalize_route_prefix(route_prefix):
+    route_prefix = (route_prefix or "").strip()
+    if route_prefix and not route_prefix.startswith("/"):
+        route_prefix = f"/{route_prefix}"
+    if route_prefix.endswith("/") and route_prefix != "/":
+        route_prefix = route_prefix.rstrip("/")
+    return route_prefix
+
+
+def _map_local_route(route, route_prefix):
+    if not route_prefix:
+        return route
+    if route == "/icp":
+        return route_prefix
+    if route.startswith("/icp/"):
+        return f"{route_prefix}{route[4:]}"
+    return route
+
+
+def _build_target_url(capability_server, route):
+    return f"{capability_server}/{route.lstrip('/')}"
+
+
+def _normalize_methods(raw_methods, supported_methods):
+    if isinstance(raw_methods, str):
+        methods = [raw_methods.upper()]
+    elif isinstance(raw_methods, list):
+        methods = [str(item).upper() for item in raw_methods]
+    else:
+        methods = ["POST"]
+    return [item for item in methods if item in supported_methods] or ["POST"]
+
+
+def _build_proxy_view(app, target_url, title, description=None, dynamic_params=None):
+    # 生成一个代理视图：把当前请求透明转发到能力平台目标地址。
+    def _proxy_view(**path_params):
+        url = target_url
+        for key, value in path_params.items():
+            value = str(value)
+            url = url.replace(f"<{key}>", value).replace(f"{{{key}}}", value)
+
+        headers = {}
+        for key, value in request.headers:
+            if key.lower() not in {"host", "content-length"}:
+                headers[key] = value
+        # 转调时按配置补充自定义请求头，用于能力平台鉴权/路由。
+        data_source_key = app.config.get("DATA_SOURCE_KEY")
+        data_source_value = app.config.get("DATA_SOURCE_VALUE")
+        if data_source_key and data_source_value is not None:
+            headers[str(data_source_key)] = str(data_source_value)
+
+        resp = requests.request(
+            method=request.method,
+            url=url,
+            params=request.args.to_dict(flat=False),
+            data=request.get_data(),
+            headers=headers,
+            timeout=30,
+        )
+
+        excluded_headers = {"content-encoding", "content-length", "transfer-encoding", "connection"}
+        response_headers = [(k, v) for k, v in resp.headers.items() if k.lower() not in excluded_headers]
+        return Response(resp.content, status=resp.status_code, headers=response_headers)
+
+    _proxy_view._title = title
+    if description is not None:
+        _proxy_view.__doc__ = str(description)
+    _proxy_view._dynamic_params = list(dynamic_params or [])
+    _proxy_view.__name__ = f"auto_proxy_{uuid.uuid1().hex}"
+    return _proxy_view
+
+
+def _fetch_api_tree_data(app, source_url):
+    try:
+        source_payload = {}
+        source_client_id = app.config.get("CLIENT_ID")
+        if source_client_id is not None:
+            source_payload["client_id"] = source_client_id
+        source_resp = requests.request(method="POST", url=source_url, json=source_payload, timeout=10)
+        source_resp.raise_for_status()
+        source_data = source_resp.json()
+    except Exception as e:
+        app.logger.exception("动态蓝图拉取失败，source_url=%s，error=%s", source_url, str(e))
+        return None, set(), {}
+
+    data_payload = source_data.get("data", {}) if isinstance(source_data, dict) else {}
+    if not isinstance(data_payload, dict):
+        app.logger.warning("动态蓝图数据格式错误：data 不是 dict")
+        return None, set(), {}
+    if str(source_data.get("status", "")) not in {"00000", "0"}:
+        app.logger.warning("动态蓝图接口返回失败：status=%s, message=%s",
+                           source_data.get("status"), source_data.get("message"))
+        return None, set(), {}
+
+    tree_data = data_payload.get("tree", [])
+    selected_ids = data_payload.get("selected", [])
+    resource_params = data_payload.get("resource_params", {}) or {}
+    if not isinstance(tree_data, list):
+        app.logger.warning("动态蓝图数据格式错误：data.tree 不是 list")
+        return None, set(), {}
+    if not isinstance(selected_ids, list):
+        selected_ids = []
+    if not isinstance(resource_params, dict):
+        resource_params = {}
+    return tree_data, {str(item) for item in selected_ids if item}, resource_params
+
+
+def _flatten_tree_by_parent(node_list, permission_ids, resource_params=None, ancestors=None, result=None):
+    # 从树结构中提取最后一级接口，并按“根节点到父节点路径”分组。
+    if result is None:
+        result = []
+    if ancestors is None:
+        ancestors = []
+    for node in node_list:
+        if not isinstance(node, dict):
+            continue
+        node_id = str(node.get("id", "")).strip()
+        node_label = node.get("label") or node.get("title") or node.get("name") or "动态接口"
+        children = node.get("children", [])
+        has_children = isinstance(children, list) and len(children) > 0
+        url = node.get("url")
+        method = node.get("method") or node.get("request_method") or "POST"
+        title = node_label
+        description = node.get("description") or node.get("desc") or node.get("remark") or ""
+
+        # 仅将“有权限且为叶子节点”的接口加入结果，蓝图名由 ancestors 路径拼接而成。
+        if url and node_id and node_id in permission_ids and not has_children:
+            if ancestors:
+                group_label = "-".join([str(item).strip() for item in ancestors if str(item).strip()])
+            else:
+                group_label = "动态接口"
+            group_id = " > ".join([str(item).strip() for item in ancestors if str(item).strip()]) or "root"
+            result.append({
+                "resource_id": node_id,
+                "group_id": group_id,
+                "group_label": group_label or "动态接口",
+                "url": url,
+                "method": method,
+                "title": title,
+                "description": description,
+                "dynamic_params": list(resource_params.get(node_id, []) if isinstance(resource_params, dict) else [])
+            })
+
+        if has_children:
+            next_ancestors = list(ancestors)
+            if node_label:
+                next_ancestors.append(node_label)
+            _flatten_tree_by_parent(children, permission_ids, resource_params=resource_params,
+                                    ancestors=next_ancestors, result=result)
+    return result
+
+
+def _group_routes(route_list):
+    grouped_routes = {}
+    for item in route_list:
+        grouped_routes.setdefault(item.get("group_id"), {
+            "label": item.get("group_label") or "动态接口",
+            "routes": []
+        })
+        grouped_routes[item.get("group_id")]["routes"].append(item)
+    return grouped_routes
+
+
+def _alloc_blueprint_name(group_label, used_blueprint_names):
+    # 如果蓝图名重复，则自动追加 -2、-3...
+    base_name = str(group_label or "动态接口").strip() or "动态接口"
+    if base_name not in used_blueprint_names:
+        used_blueprint_names.add(base_name)
+        return base_name
+    index = 2
+    while f"{base_name}-{index}" in used_blueprint_names:
+        index += 1
+    unique_name = f"{base_name}-{index}"
+    used_blueprint_names.add(unique_name)
+    return unique_name
+
+
+def prepare_api_blueprint_routes(app):
+    if not app.config.get("AUTO_BLUEPRINT_ENABLE", False):
+        return None, None, []
+
+    capability_server = app.config.get("CAPABILITY_PLATFORM_SERVER", "").rstrip("/")
+    if not capability_server:
+        app.logger.warning("AUTO_BLUEPRINT_ENABLE=True 但未配置 CAPABILITY_PLATFORM_SERVER，跳过动态蓝图注册")
+        return None, None, []
+
+    source_url = f"{capability_server}/icp/authPermission/client_resource_param_tree"
+    route_prefix = _normalize_route_prefix(app.config.get("ROUTE_PREFIX", ""))
+    tree_data, selected_id_set, resource_params = _fetch_api_tree_data(app, source_url)
+    if not tree_data:
+        return capability_server, route_prefix, []
+
+    route_list = _flatten_tree_by_parent(tree_data, selected_id_set, resource_params=resource_params)
+    if not route_list:
+        app.logger.warning("动态蓝图注册完成，但没有提取到可用路由")
+    return capability_server, route_prefix, route_list
+
+
+def setup_api_blueprint(app, exclude_route_method_keys=None, existing_blueprint_names=None,
+                        route_list=None, capability_server=None, route_prefix=None):
+    """
+    调用固定 API 拉取地址列表并动态创建蓝图。
+    固定请求地址：{CAPABILITY_PLATFORM_SERVER}/icp/authPermission/client_resource_param_tree
+    """
+    if route_list is None:
+        capability_server, route_prefix, route_list = prepare_api_blueprint_routes(app)
+    route_prefix = _normalize_route_prefix(route_prefix)
+    if not capability_server:
+        return []
+    if not route_list:
+        return []
+
+    exclude_route_method_keys = set(exclude_route_method_keys or [])
+    used_blueprint_names = set(existing_blueprint_names or [])
+    used_blueprint_names.update(set(app.blueprints.keys()))
+    registered_route_method_keys = set()
+    supported_methods = {"GET", "POST", "PUT", "PATCH", "DELETE"}
+    grouped_routes = _group_routes(route_list)
+
+    auto_blueprints = []
+    total_route_count = 0
+    for group_id, group_info in grouped_routes.items():
+        bp_name = _alloc_blueprint_name(group_info.get("label"), used_blueprint_names)
+        dynamic_bp = SQ_Blueprint(bp_name, url_prefix="")
+        group_route_count = 0
+
+        for index, item in enumerate(group_info.get("routes", [])):
+            remote_route = _normalize_route(item.get("url"))
+            if not remote_route:
+                continue
+            local_route = _map_local_route(remote_route, route_prefix)
+            target_url = item.get("target_url") or _build_target_url(capability_server, remote_route)
+            if not target_url:
+                app.logger.warning("动态蓝图未找到目标地址，route=%s，group=%s", remote_route, group_id)
+                continue
+
+            methods = _normalize_methods(item.get("method", "POST"), supported_methods)
+            available_methods = []
+            for method in methods:
+                route_method_key = f"{local_route}|{method}"
+                if route_method_key in exclude_route_method_keys:
+                    continue
+                if route_method_key in registered_route_method_keys:
+                    continue
+                available_methods.append(method)
+                registered_route_method_keys.add(route_method_key)
+            if not available_methods:
+                continue
+
+            title = item.get("title") or f"{bp_name}-{index + 1}"
+            endpoint = f"auto_dynamic_{group_id}_{index}_{'_'.join(available_methods).lower()}"
+            description = item.get("description") or title
+            view_func = _build_proxy_view(app, target_url=target_url, title=title,
+                                         description=description, dynamic_params=item.get("dynamic_params"))
+            dynamic_bp.add_url_rule(local_route, endpoint=endpoint, view_func=view_func, methods=available_methods)
+            group_route_count += 1
+            total_route_count += 1
+
+        if group_route_count > 0:
+            auto_blueprints.append(dynamic_bp)
+            app.logger.info("动态蓝图注册成功：%s，路由数量=%s", bp_name, group_route_count)
+
+    if total_route_count == 0:
+        app.logger.warning("动态蓝图注册完成，但没有可用路由")
+    return auto_blueprints
+
+
 def setup_query_runner():
     """
     注入数据查询执行器

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/utils/limit/req_count/count_limiter_handler.py

@@ -39,20 +39,20 @@ class CountLimitHandler:
         logout_url = f"{fs_oam_service_url}/icp/oauth/logout_token?token={token}"
 
         # 发送 GET 请求到 lock_account_url
-        try:
-            lock_response = requests.get(lock_account_url, timeout=30)
-            logger.info(
-                "Lock account request sent, status: %s", lock_response.status_code
-            )
-        except requests.RequestException as e:
-            logger.error("Failed to send lock account request: %s", str(e))
+        # try:
+        #     lock_response = requests.get(lock_account_url, timeout=30)
+        #     logger.info(
+        #         "Lock account request sent, status: %s", lock_response.status_code
+        #     )
+        # except requests.RequestException as e:
+        #     logger.error("Failed to send lock account request: %s", str(e))
 
-        # 发送 GET 请求到 logout_url
-        try:
-            logout_response = requests.get(logout_url, timeout=30)
-            logger.info("Logout request sent, status: %s", logout_response.status_code)
-        except requests.RequestException as e:
-            logger.error("Failed to send logout request: %s", str(e))
+        # # 发送 GET 请求到 logout_url
+        # try:
+        #     logout_response = requests.get(logout_url, timeout=30)
+        #     logger.info("Logout request sent, status: %s", logout_response.status_code)
+        # except requests.RequestException as e:
+        #     logger.error("Failed to send logout request: %s", str(e))
         limit_fs_webhook_url = current_app.config.get("LIMIT_FS_WEBHOOK_URL")
         # 如果配置了飞书 webhook URL，则发送告警通知
         if limit_fs_webhook_url:
@@ -69,9 +69,9 @@ class CountLimitHandler:
             content.append({"tag": "text", "text": f"资源地址：{request.path}\n"})
 
             content.append({"tag": "text", "text": "运维处理："})
-            # content.append({"tag": "a", "text": "强制下线", "href": f"{url}"})
-            # content.append({"tag": "a", "text": "    禁止登录    ",
-            # "href": f"{lock_account_url}"})
+            content.append({"tag": "a", "text": "强制下线", "href": f"{logout_url}"})
+            content.append({"tag": "a", "text": "    禁止登录    ",
+            "href": f"{lock_account_url}"})
             ban_ip_url = f"{fs_oam_service_url}/icp/accessLog/ban_ip?ip={request.remote_addr}"
             content.append({"tag": "a", "text": "封禁IP ", "href": f"{ban_ip_url}"})
 

lesscode_flask-0.2.89/lesscode_flask/utils/sign/__init__.py

@@ -0,0 +1,3 @@
+from lesscode_flask.utils.sign.signature import verify_request_signature
+
+__all__ = ["verify_request_signature"]

lesscode_flask-0.2.89/lesscode_flask/utils/sign/signature.py

@@ -0,0 +1,160 @@
+import hashlib
+import hmac
+import ipaddress
+import time
+
+from flask import request
+
+from lesscode_flask.model.response_result import ResponseResult
+from lesscode_flask.utils.redis.redis_helper import RedisHelper
+
+SIGN_ERROR_MESSAGE = "未知错误"
+
+
+def _body_sha256() -> str:
+    # 对原始请求体做哈希，保证不同 content-type 下签名输入一致。
+    body_bytes = request.get_data(cache=True) or b""
+    return hashlib.sha256(body_bytes).hexdigest()
+
+
+def _is_upload_request() -> bool:
+    # 上传文件请求：multipart/form-data 或存在文件字段。
+    content_type = (request.content_type or "").lower()
+    return content_type.startswith("multipart/form-data") or bool(request.files)
+
+
+def _canonical_sign_content(timestamp: str, nonce: str) -> str:
+    # 规范签名串格式：
+    # METHOD \n PATH \n QUERY_STRING \n BODY_SHA256 \n TIMESTAMP \n NONCE
+    method = request.method.upper()
+    path = request.path
+    query_string = (request.query_string or b"").decode("utf-8")
+    if _is_upload_request():
+        # 上传请求忽略body参与签名时，固定使用空串哈希。
+        body_hash = hashlib.sha256(b"").hexdigest()
+    else:
+        body_hash = _body_sha256()
+    return f"{method}\n{path}\n{query_string}\n{body_hash}\n{timestamp}\n{nonce}"
+
+
+def _in_sign_white_list(white_list: list) -> bool:
+    # 白名单匹配规则：只要请求路径以前缀命中就跳过签名校验。
+    if not white_list:
+        return False
+    request_path = request.path or ""
+    for white_item in white_list:
+        if white_item and request_path.startswith(white_item):
+            return True
+    return False
+
+
+def _request_client_ip() -> str:
+    # 优先读取公司网关透传IP，再回退到常见代理头和直连IP。
+    remote_addr_header = request.headers.get("remote-addr", "").strip()
+    if remote_addr_header:
+        return remote_addr_header
+
+    x_forwarded_for = request.headers.get("X-Forwarded-For", "")
+    if x_forwarded_for:
+        client_ip = x_forwarded_for.split(",")[0].strip()
+        if client_ip:
+            return client_ip
+    x_real_ip = request.headers.get("X-Real-IP", "").strip()
+    if x_real_ip:
+        return x_real_ip
+    return (request.remote_addr or "").strip()
+
+
+def _in_sign_ip_white_list(ip_white_list: list) -> bool:
+    # IP白名单支持单IP和CIDR网段，例如：["10.0.0.1", "10.10.0.0/16"]。
+    if not ip_white_list:
+        return False
+    client_ip = _request_client_ip()
+    if not client_ip:
+        return False
+    try:
+        client_ip_obj = ipaddress.ip_address(client_ip)
+    except ValueError:
+        return False
+
+    for item in ip_white_list:
+        white_item = (item or "").strip()
+        if not white_item:
+            continue
+        try:
+            if "/" in white_item:
+                if client_ip_obj in ipaddress.ip_network(white_item, strict=False):
+                    return True
+            elif client_ip_obj == ipaddress.ip_address(white_item):
+                return True
+        except ValueError:
+            # 非法配置项直接跳过，避免影响其它合法项匹配。
+            continue
+    return False
+
+
+def verify_request_signature(app):
+    # 签名校验在 token/权限校验前执行。
+    # 关闭开关时，直接放行，不影响现有接口。
+    if not app.config.get("SIGN_ENABLE", False):
+        return
+    # 公司内部IP可走白名单，命中则跳过签名校验。
+    if _in_sign_ip_white_list(app.config.get("SIGN_IP_WHITE_LIST", [])):
+        return
+    # 预检请求通常不带业务签名，默认忽略。
+    if request.method in app.config.get("SIGN_IGNORE_METHODS", ["OPTIONS"]):
+        return
+    # 白名单接口不做签名校验，例如登录、swagger等入口。
+    if _in_sign_white_list(app.config.get("SIGN_WHITE_LIST", [])):
+        return
+
+    # 读取签名相关请求头，固定使用无前缀命名。
+    timestamp = request.headers.get("Timestamp", "")
+    nonce = request.headers.get("Nonce", "")
+    signature = request.headers.get("Signature", "")
+    sign_secret = app.config.get("SIGN_SECRET", "")
+
+    # 任何签名基础参数缺失都统一返回“未知错误”，避免向外暴露细节。
+    if not timestamp or not nonce or not signature:
+        ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")
+    # 服务端密钥未配置时也拦截，防止“空密钥”误放行。
+    if not sign_secret:
+        ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")
+
+    # 时间戳必须是整数秒。
+    try:
+        ts = int(timestamp)
+    except (TypeError, ValueError):
+        ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")
+        return
+
+    # 时间窗校验，防止旧请求被重放。
+    sign_window_sec = int(app.config.get("SIGN_WINDOW_SEC", 300))
+    now_ts = int(time.time())
+    if abs(now_ts - ts) > sign_window_sec:
+        ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")
+
+    if app.config.get("SIGN_NONCE_ENABLE", True):
+        # 防重放：同一个 nonce 在 TTL 窗口内只能使用一次。
+        nonce_key = f"sign:nonce:{nonce}"
+        nonce_ttl = int(app.config.get("SIGN_NONCE_TTL_SEC", sign_window_sec))
+        try:
+            ok = RedisHelper(app.config.get("REDIS_LIMIT_KEY", "redis")).sync_set(
+                nonce_key, "1", ex=nonce_ttl, nx=True
+            )
+            if not ok:
+                ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")
+        except Exception:
+            # Redis 异常按失败处理，避免在防重放失效时放过请求。
+            ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")
+
+    # 按统一规则组装签名串并计算服务端签名。
+    sign_content = _canonical_sign_content(timestamp=timestamp, nonce=nonce)
+    expected = hmac.new(
+        sign_secret.encode("utf-8"),
+        sign_content.encode("utf-8"),
+        hashlib.sha256,
+    ).hexdigest()
+    # 常量时间比较，降低时序侧信道风险。
+    if not hmac.compare_digest(expected, signature):
+        ResponseResult.fail(message=SIGN_ERROR_MESSAGE, status_code="401", http_code="401")

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask/utils/swagger/swagger_util.py

@@ -4,6 +4,94 @@ from lesscode_flask.utils.swagger.swagger_template import get_response_template,
     split_doc, get_param_template
 
 
+def _get_dynamic_params(view_func):
+    dynamic_params = getattr(view_func, "_dynamic_params", None)
+    if isinstance(dynamic_params, list):
+        return dynamic_params
+    return []
+
+
+def _map_param_type(param_type):
+    param_type = str(param_type or "").lower()
+    if param_type in {"int", "integer"}:
+        return "integer"
+    if param_type in {"float", "number", "double"}:
+        return "number"
+    if param_type in {"bool", "boolean"}:
+        return "boolean"
+    if param_type in {"dict", "object"}:
+        return "object"
+    if param_type in {"list", "array"}:
+        return "array"
+    return "string"
+
+
+def _build_dynamic_schema(param_type):
+    schema_type = _map_param_type(param_type)
+    if schema_type == "array":
+        return {"type": "array", "items": {"type": "string"}}
+    return {"type": schema_type}
+
+
+def _build_dynamic_body(view_func, not_allow_list=None):
+    dynamic_params = _get_dynamic_params(view_func)
+    if not dynamic_params:
+        return None
+
+    not_allow_list = set(not_allow_list or [])
+    body = {}
+    required = []
+    request_type = "application/json"
+    for param in dynamic_params:
+        param_name = param.get("param_name")
+        if not param_name or param_name in not_allow_list:
+            continue
+        position = str(param.get("param_position") or "").lower()
+        if position == "path":
+            continue
+        if position in {"query", "header"}:
+            continue
+
+        schema = _build_dynamic_schema(param.get("param_type"))
+        body[param_name] = {
+            **schema,
+            "description": param.get("param_description") or param.get("param_ch_name") or f"Path parameter {param_name}",
+            "example": get_sample_data(param.get("param_type"))
+        }
+        required.append(param_name)
+
+    if not body:
+        return None
+    return get_request_body(body, required, request_type)
+
+
+def _build_dynamic_query_params(rule, view_func):
+    dynamic_params = _get_dynamic_params(view_func)
+    if not dynamic_params:
+        return None
+
+    parameters = []
+    path_arg_set = set(rule.arguments)
+    for param in dynamic_params:
+        param_name = param.get("param_name")
+        if not param_name or param_name in path_arg_set:
+            continue
+        position = str(param.get("param_position") or "").lower()
+        if position == "header":
+            continue
+        if position == "path":
+            continue
+
+        parameters.append({
+            "name": param_name,
+            "in": "query",
+            "description": param.get("param_description") or param.get("param_ch_name") or f"Path parameter {param_name}",
+            "required": False,
+            "schema": _build_dynamic_schema(param.get("param_type"))
+        })
+    return parameters
+
+
 def generate_openapi_spec(app, is_read_template=False):
     paths = {}
     if is_read_template:
@@ -100,11 +188,15 @@ def replace_symbol(path):
 def get_sample_data(type, param=None, param_template_dict=None):
     if param_template_dict and param_template_dict.get(param.name):
         return param_template_dict.get(param.name, {}).get("param_sample")
-    elif type == "dict":
+    elif type in {"dict", "object"}:
         return {"sample": "sample"}
-    elif type == "list":
+    elif type in {"list", "array"}:
         return ["sample"]
-    elif type == "int":
+    elif type in {"int", "integer"}:
+        return 0
+    elif type in {"bool", "boolean"}:
+        return False
+    elif type in {"float", "number", "double"}:
         return 0
     else:
         return ""
@@ -129,6 +221,9 @@ def get_params_type(param, param_template_dict=None):
 def extract_post_body(view_func, not_allow_list=None, param_desc_dict=None, param_template_dict=None):
     if param_desc_dict is None:
         param_desc_dict = {}
+    dynamic_body = _build_dynamic_body(view_func, not_allow_list=not_allow_list)
+    if dynamic_body is not None:
+        return dynamic_body
     body = {}
     # 提取查询参数和表单参数
     sig = inspect.signature(view_func)
@@ -144,6 +239,9 @@ def extract_post_body(view_func, not_allow_list=None, param_desc_dict=None, para
 
     required = []
     for arg, param in sig.parameters.items():
+        # Skip variadic args like **path_params used by dynamic proxy views.
+        if param.kind in (inspect.Parameter.VAR_POSITIONAL, inspect.Parameter.VAR_KEYWORD):
+            continue
         param_type = get_params_type(param, param_template_dict)
         param_info = {
             "type": param_type,
@@ -173,15 +271,19 @@ def extract_post_body(view_func, not_allow_list=None, param_desc_dict=None, para
 def extract_path_parameters(rule, view_func, param_desc_dict=None, param_template_dict=None):
     if param_desc_dict is None:
         param_desc_dict = {}
+    dynamic_param_map = {
+        str(item.get("param_name")): item for item in _get_dynamic_params(view_func) if item.get("param_name")
+    }
     parameters = []
     # 提取路径参数
     for arg in rule.arguments:
+        dynamic_param = dynamic_param_map.get(arg, {})
         parameters.append({
             "name": arg,
             "in": "path",
             "required": True,
-            "description": get_param_desc(arg, param_desc_dict, param_template_dict),
-            "schema": {
+            "description": dynamic_param.get("param_description") or get_param_desc(arg, param_desc_dict, param_template_dict),
+            "schema": _build_dynamic_schema(dynamic_param.get("param_type")) if dynamic_param else {
                 "type": "integer" if "int" in str(view_func.__annotations__.get(arg, '')) else "string"
             }
         })
@@ -199,10 +301,16 @@ def get_param_desc(arg, param_desc_dict, param_template_dict):
 def extract_get_parameters(rule, view_func, param_desc_dict=None, param_template_dict=None):
     if param_desc_dict is None:
         param_desc_dict = {}
+    dynamic_parameters = _build_dynamic_query_params(rule, view_func)
+    if dynamic_parameters is not None:
+        return dynamic_parameters
     parameters = []
     # 提取查询参数和表单参数
     sig = inspect.signature(view_func)
     for arg, param in sig.parameters.items():
+        # Skip variadic args like **path_params used by dynamic proxy views.
+        if param.kind in (inspect.Parameter.VAR_POSITIONAL, inspect.Parameter.VAR_KEYWORD):
+            continue
         if arg not in rule.arguments:
             param_info = {
                 "name": arg,

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lesscode-flask
-Version: 0.2.62
+Version: 0.2.89
 Summary: lesscode-flask 是基于flask的web开发脚手架项目，该项目初衷为简化开发过程，让研发人员更加关注业务。
 Home-page: https://lesscode-flask
 Author: Chao.yy

{lesscode_flask-0.2.62 → lesscode_flask-0.2.89}/lesscode_flask.egg-info/SOURCES.txt

@@ -28,6 +28,7 @@ lesscode_flask/service/resource_param_template_service.py
 lesscode_flask/setting/__init__.py
 lesscode_flask/setup/__init__.py
 lesscode_flask/static/swagger.py
+lesscode_flask/utils/__init__.py
 lesscode_flask/utils/dify_utils.py
 lesscode_flask/utils/fs_util.py
 lesscode_flask/utils/helpers.py
@@ -52,6 +53,8 @@ lesscode_flask/utils/oss/ks3_oss.py
 lesscode_flask/utils/oss/minio_oss.py
 lesscode_flask/utils/redis/redis_helper.py
 lesscode_flask/utils/request/request.py
+lesscode_flask/utils/sign/__init__.py
+lesscode_flask/utils/sign/signature.py
 lesscode_flask/utils/swagger/swagger_template.py
 lesscode_flask/utils/swagger/swagger_util.py
 lesscode_flask/utils/task/__init__.py