PyPI - skyplatform-iam - Versions diffs - 1.0.0__tar.gz → 1.0.3__tar.gz - Mend

skyplatform-iam 1.0.0tar.gz → 1.0.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

{skyplatform_iam-1.0.0 → skyplatform_iam-1.0.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skyplatform-iam
-Version: 1.0.0
+Version: 1.0.3
 Summary: SkyPlatform IAM认证SDK，提供FastAPI中间件和认证路由
 Project-URL: Homepage, https://github.com/xinmayoujiang12621/agenterra_iam
 Project-URL: Documentation, https://skyplatform-iam.readthedocs.io/
@@ -24,10 +24,9 @@ Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: Internet :: WWW/HTTP :: HTTP Servers
 Classifier: Topic :: Security
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Python: >=3.8
+Requires-Python: >=3.9
 Requires-Dist: fastapi>=0.68.0
 Requires-Dist: pydantic>=1.8.0
-Requires-Dist: python-dotenv>=0.19.0
 Requires-Dist: requests>=2.25.0
 Requires-Dist: starlette>=0.14.0
 Provides-Extra: dev

{skyplatform_iam-1.0.0 → skyplatform_iam-1.0.3}/pyproject.toml RENAMED Viewed

@@ -4,13 +4,13 @@ build-backend = "hatchling.build"
 [project]
 name = "skyplatform-iam"
-version = "1.0.0"
+version = "1.0.3"
 authors = [
   { name="x9", email="xuanxienanxunmobao@gmail.com" },
 ]
 description = "SkyPlatform IAM认证SDK，提供FastAPI中间件和认证路由"
 readme = "README.md"
-requires-python = ">=3.8"
+requires-python = ">=3.9"
 license = { text = "MIT" }
 keywords = ["fastapi", "authentication", "middleware", "iam", "skyplatform"]
 classifiers = [
@@ -34,7 +34,6 @@ dependencies = [
     "fastapi>=0.68.0",
     "pydantic>=1.8.0",
     "requests>=2.25.0",
-    "python-dotenv>=0.19.0",
     "starlette>=0.14.0",
 ]

{skyplatform_iam-1.0.0 → skyplatform_iam-1.0.3}/skyplatform_iam/__init__.py RENAMED Viewed

@@ -4,7 +4,7 @@ SkyPlatform IAM SDK
 """
 from .config import AuthConfig
-from .middleware import AuthMiddleware
+from .middleware import AuthMiddleware, AuthService, setup_auth_middleware, get_current_user, get_optional_user
 from .connect_agenterra_iam import ConnectAgenterraIam
 from .exceptions import (
     SkyPlatformAuthException,
@@ -28,6 +28,10 @@ __all__ = [
     # 中间件
     "AuthMiddleware",
+    "AuthService",
+    "setup_auth_middleware",
+    "get_current_user",
+    "get_optional_user",
     # 客户端
     "ConnectAgenterraIam",
@@ -84,10 +88,17 @@ def setup_auth(app, config: AuthConfig = None):
     Note:
         此函数只设置认证中间件，不包含预制路由。
         客户端应用需要根据业务需求自己实现认证相关的API接口。
+        建议传入完整的AuthConfig对象以避免环境变量配置问题。
     """
     if config is None:
         config = AuthConfig.from_env()
+    # 验证配置的完整性
+    config.validate_config()
+    # 初始化全局认证服务
+    setup_auth_middleware(config)
     # 添加中间件
     middleware = AuthMiddleware(app=app, config=config)
     app.add_middleware(AuthMiddleware, config=config)

skyplatform_iam-1.0.3/skyplatform_iam/config.py ADDED Viewed

@@ -0,0 +1,132 @@
+"""
+SkyPlatform IAM SDK 配置模块
+"""
+import os
+import fnmatch
+from typing import Optional, List
+from pydantic import BaseModel, Field
+from dotenv import load_dotenv
+# 加载环境变量
+load_dotenv()
+class AuthConfig(BaseModel):
+    """
+    认证配置类
+    支持环境变量和代码配置
+    """
+    # IAM服务配置
+    agenterra_iam_host: str
+    server_name: str
+    access_key: str
+    # Token配置
+    token_header: str = "Authorization"
+    token_prefix: str = "Bearer "
+    # 错误处理配置
+    enable_debug: bool = False
+    # 白名单路径配置（实例变量）
+    whitelist_paths: List[str] = Field(default_factory=list)
+    class Config:
+        env_prefix = "AGENTERRA_"
+    @classmethod
+    def from_env(cls) -> "AuthConfig":
+        """
+        从环境变量创建配置
+        """
+        return cls(
+            agenterra_iam_host=os.environ.get('AGENTERRA_IAM_HOST', ''),
+            server_name=os.environ.get('AGENTERRA_SERVER_NAME', ''),
+            access_key=os.environ.get('AGENTERRA_ACCESS_KEY', ''),
+            enable_debug=os.environ.get('AGENTERRA_ENABLE_DEBUG', 'false').lower() == 'true',
+            whitelist_paths=[]  # 初始化空的白名单路径列表
+        )
+    def validate_config(self) -> bool:
+        """
+        验证配置是否完整
+        """
+        required_fields = ['agenterra_iam_host', 'server_name', 'access_key']
+        for field in required_fields:
+            if not getattr(self, field):
+                raise ValueError(f"配置项 {field} 不能为空")
+        return True
+    def _normalize_path(self, path: str) -> str:
+        """
+        标准化路径格式
+        """
+        if not path:
+            return path
+        # 确保路径以 / 开头
+        if not path.startswith('/'):
+            path = '/' + path
+        # 移除重复的斜杠
+        while '//' in path:
+            path = path.replace('//', '/')
+        return path
+    def add_whitelist_path(self, path: str) -> None:
+        """
+        添加白名单路径
+        """
+        if not path:
+            return
+        normalized_path = self._normalize_path(path)
+        if normalized_path not in self.whitelist_paths:
+            self.whitelist_paths.append(normalized_path)
+    def add_whitelist_paths(self, paths: List[str]) -> None:
+        """
+        批量添加白名单路径
+        """
+        for path in paths:
+            self.add_whitelist_path(path)
+    def remove_whitelist_path(self, path: str) -> None:
+        """
+        移除白名单路径
+        """
+        if not path:
+            return
+        normalized_path = self._normalize_path(path)
+        if normalized_path in self.whitelist_paths:
+            self.whitelist_paths.remove(normalized_path)
+    def clear_whitelist_paths(self) -> None:
+        """
+        清空所有白名单路径
+        """
+        self.whitelist_paths.clear()
+    def get_whitelist_paths(self) -> List[str]:
+        """
+        获取所有白名单路径
+        """
+        return self.whitelist_paths.copy()
+    def is_path_whitelisted(self, path: str) -> bool:
+        """
+        检查路径是否在白名单中（支持通配符匹配）
+        """
+        if not path:
+            return False
+        normalized_path = self._normalize_path(path)
+        for whitelist_path in self.whitelist_paths:
+            # 支持通配符匹配
+            if fnmatch.fnmatch(normalized_path, whitelist_path):
+                return True
+        return False

{skyplatform_iam-1.0.0 → skyplatform_iam-1.0.3}/skyplatform_iam/connect_agenterra_iam.py RENAMED Viewed

@@ -1,13 +1,9 @@
-import os
 import requests
 import logging
 import traceback
 import copy
-from dotenv import load_dotenv
 from enum import Enum
-# 加载环境变量
-load_dotenv()
+from fastapi import HTTPException, status
 class CredentialTypeEnum(str, Enum):
@@ -19,14 +15,31 @@ class CredentialTypeEnum(str, Enum):
 class ConnectAgenterraIam(object):
-    def __init__(self, logger_name="skyplatform_iam", log_level=logging.INFO):
+    _instance = None
+    _initialized = False
+    def __new__(cls, config=None, logger_name="skyplatform_iam", log_level=logging.INFO):
+        """
+        单例模式实现
+        确保整个应用中只有一个ConnectAgenterraIam实例
+        """
+        if cls._instance is None:
+            cls._instance = super(ConnectAgenterraIam, cls).__new__(cls)
+        return cls._instance
+    def __init__(self, config=None, logger_name="skyplatform_iam", log_level=logging.INFO):
         """
         初始化AgenterraIAM连接器
         参数:
+        - config: AuthConfig配置对象，如果为None则从环境变量读取
         - logger_name: 日志记录器名称
         - log_level: 日志级别
         """
+        # 防止重复初始化
+        if self._initialized:
+            return
         # 配置日志记录器
         self.logger = logging.getLogger(logger_name)
         if not self.logger.handlers:
@@ -38,10 +51,22 @@ class ConnectAgenterraIam(object):
             self.logger.addHandler(handler)
             self.logger.setLevel(log_level)
-        # 从环境变量读取配置，提供默认值以确保向后兼容
-        self.agenterra_iam_host = os.environ.get('AGENTERRA_IAM_HOST')
-        self.server_name = os.environ.get('AGENTERRA_SERVER_NAME')
-        self.access_key = os.environ.get('AGENTERRA_ACCESS_KEY')
+        # 必须传入config参数，不再支持从环境变量读取
+        if config is None:
+            raise ValueError("必须传入AuthConfig配置对象，不再支持从环境变量读取配置")
+        self.agenterra_iam_host = config.agenterra_iam_host
+        self.server_name = config.server_name
+        self.access_key = config.access_key
+        self.logger.info("使用传入的AuthConfig配置")
+        # 验证必要的配置
+        if not self.agenterra_iam_host:
+            self.logger.warning("AGENTERRA_IAM_HOST 配置未设置")
+        if not self.server_name:
+            self.logger.warning("AGENTERRA_SERVER_NAME 配置未设置")
+        if not self.access_key:
+            self.logger.warning("AGENTERRA_ACCESS_KEY 配置未设置")
         self.logger.info(f"初始化AgenterraIAM连接器 - Host: {self.agenterra_iam_host}, Server: {self._mask_sensitive(self.server_name)}")
@@ -54,6 +79,48 @@ class ConnectAgenterraIam(object):
             "server_name": self.server_name,
             "access_key": self.access_key
         }
+        # 标记为已初始化
+        self._initialized = True
+    def reload_config(self, config):
+        """
+        重新加载配置
+        用于在运行时更新配置
+        参数:
+        - config: AuthConfig配置对象
+        """
+        if config is None:
+            raise ValueError("必须传入AuthConfig配置对象")
+        self.logger.info("重新加载配置")
+        # 更新配置
+        self.agenterra_iam_host = config.agenterra_iam_host
+        self.server_name = config.server_name
+        self.access_key = config.access_key
+        # 验证必要的配置
+        if not self.agenterra_iam_host:
+            self.logger.warning("AGENTERRA_IAM_HOST 配置未设置")
+        if not self.server_name:
+            self.logger.warning("AGENTERRA_SERVER_NAME 配置未设置")
+        if not self.access_key:
+            self.logger.warning("AGENTERRA_ACCESS_KEY 配置未设置")
+        # 更新headers和body
+        self.headers = {
+            "Content-Type": "application/json",
+            "SERVER-AK": self.server_name,
+            "SERVER-SK": self.access_key
+        }
+        self.body = {
+            "server_name": self.server_name,
+            "access_key": self.access_key
+        }
+        self.logger.info(f"配置重新加载完成 - Host: {self.agenterra_iam_host}, Server: {self._mask_sensitive(self.server_name)}")
     def _mask_sensitive(self, value, mask_char="*", show_chars=4):
         """
@@ -430,6 +497,11 @@ class ConnectAgenterraIam(object):
                 "server_sk": server_sk,
             }
             uri = "/api/v2/service/verify"
+            # 检查agenterra_iam_host是否为None
+            if self.agenterra_iam_host is None:
+                raise ValueError("AGENTERRA_IAM_HOST 配置未设置或为空，请确保传入正确的AuthConfig对象")
             url = self.agenterra_iam_host + uri
             # 记录请求信息
@@ -463,7 +535,6 @@ class ConnectAgenterraIam(object):
                     else:
                         # token有效但无权限，抛出403异常
                         self.logger.warning(f"[{method_name}] token有效但用户无权限访问API: {api}")
-                        from fastapi import HTTPException, status
                         raise HTTPException(
                             status_code=status.HTTP_403_FORBIDDEN,
                             detail=result.get("message", "用户无权限访问此API")
@@ -475,7 +546,6 @@ class ConnectAgenterraIam(object):
                 result = response.json()
                 # 处理403响应
                 self.logger.warning(f"[{method_name}] 收到403响应 - {result.get('message', '用户无权限访问此API')}")
-                from fastapi import HTTPException, status
                 raise HTTPException(
                     status_code=status.HTTP_403_FORBIDDEN,
                     detail=result.get("message", "用户无权限访问此API")

skyplatform_iam-1.0.3/skyplatform_iam/middleware.py ADDED Viewed

@@ -0,0 +1,418 @@
+"""
+SkyPlatform IAM SDK 中间件模块
+"""
+import logging
+from typing import Optional, Callable, Dict, Any
+from fastapi import Request, Response, HTTPException, status
+from fastapi.responses import JSONResponse
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from starlette.middleware.base import BaseHTTPMiddleware
+import jwt
+from .config import AuthConfig
+from .connect_agenterra_iam import ConnectAgenterraIam
+from .exceptions import (
+    AuthenticationError,
+    AuthorizationError,
+    ConfigurationError
+)
+logger = logging.getLogger(__name__)
+class AuthMiddleware(BaseHTTPMiddleware):
+    """
+    认证中间件
+    自动拦截请求进行Token验证和权限检查
+    """
+    def __init__(
+            self,
+            app,
+            config: AuthConfig,
+            skip_validation: Optional[Callable[[Request], bool]] = None
+    ):
+        """
+        初始化认证中间件
+        Args:
+            app: FastAPI应用实例
+            config: 认证配置
+            skip_validation: 自定义跳过验证的函数
+        """
+        super().__init__(app)
+        self.config = config
+        self.iam_client = ConnectAgenterraIam(config=config)
+        self.skip_validation = skip_validation
+        # 验证配置
+        try:
+            self.config.validate_config()
+        except ValueError as e:
+            raise ConfigurationError(str(e))
+    def is_path_whitelisted(self, path: str) -> bool:
+        """
+        检查路径是否在本地白名单中
+        """
+        if not self.config:
+            return False
+        return self.config.is_path_whitelisted(path)
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        """
+        中间件主要处理逻辑
+        """
+        try:
+            # 获取请求路径
+            api_path = request.url.path
+            # 首先检查路径是否在本地白名单中
+            if self.is_path_whitelisted(api_path):
+                logger.info(f"路径 {api_path} 在本地白名单中，跳过认证直接允许访问")
+                # 设置白名单标识
+                request.state.user = None
+                request.state.authenticated = False
+                request.state.is_whitelist = True
+                # 直接调用下一个处理器
+                response = await call_next(request)
+                return response
+            # 提取Token（可能为空，白名单接口不需要token）
+            token = self._extract_token(request)
+            # 验证Token和权限（即使token为空也要调用IAM验证，因为可能是白名单接口）
+            user_info = await self._verify_token_and_permission(request, token)
+            if not user_info:
+                return self._create_error_response(
+                    status_code=401,
+                    message="Token验证失败",
+                    detail="提供的Token无效或已过期"
+                )
+            # 检查是否为白名单接口
+            if user_info.get('is_whitelist', False):
+                # 白名单接口，允许访问但不设置用户信息
+                request.state.user = None
+                request.state.authenticated = False
+                request.state.is_whitelist = True
+            else:
+                # 正常认证接口，设置用户信息
+                request.state.user = user_info
+                request.state.authenticated = True
+                request.state.is_whitelist = False
+            # 继续处理请求
+            response = await call_next(request)
+            return response
+        except HTTPException as e:
+            return self._create_error_response(
+                status_code=e.status_code,
+                message=str(e.detail),
+                detail=getattr(e, 'detail', None)
+            )
+        except AuthenticationError as e:
+            return self._create_error_response(
+                status_code=e.status_code,
+                message=e.message,
+                detail=e.detail
+            )
+        except AuthorizationError as e:
+            return self._create_error_response(
+                status_code=e.status_code,
+                message=e.message,
+                detail=e.detail
+            )
+        except Exception as e:
+            logger.error(f"认证中间件处理异常: {str(e)}")
+            if self.config.enable_debug:
+                logger.exception("详细异常信息:")
+            return self._create_error_response(
+                status_code=500,
+                message="内部服务器错误",
+                detail=str(e) if self.config.enable_debug else None
+            )
+    def _extract_token(self, request: Request) -> Optional[str]:
+        """
+        从请求中提取Token
+        """
+        # 从Authorization头提取
+        auth_header = request.headers.get(self.config.token_header)
+        if auth_header and auth_header.startswith(self.config.token_prefix):
+            return auth_header[len(self.config.token_prefix):].strip()
+        # 从查询参数提取（备选方案）
+        token = request.query_params.get("token")
+        if token:
+            return token
+        return None
+    async def _verify_token_and_permission(self, request: Request, token: Optional[str]) -> Optional[Dict[str, Any]]:
+        """
+        验证Token和权限
+        """
+        try:
+            # 获取请求信息
+            api_path = request.url.path
+            method = request.method
+            # 从请求头获取服务认证信息（可选）
+            server_ak = request.headers.get("SERVER-AK", "")
+            server_sk = request.headers.get("SERVER-SK", "")
+            # 调用IAM验证接口（即使token为空也要调用，因为可能是白名单接口）
+            user_info = self.iam_client.verify_token(
+                token=token or "",  # 如果token为None，传递空字符串
+                api=api_path,
+                method=method,
+                server_ak=server_ak,
+                server_sk=server_sk
+            )
+            return user_info
+        except HTTPException:
+            # 重新抛出HTTP异常
+            raise
+        except Exception as e:
+            logger.error(f"Token验证异常: {str(e)}")
+            if self.config.enable_debug:
+                logger.exception("详细异常信息:")
+            return None
+    def _create_error_response(
+            self,
+            status_code: int,
+            message: str,
+            detail: Optional[str] = None
+    ) -> JSONResponse:
+        """
+        创建错误响应
+        """
+        error_data = {
+            "success": False,
+            "message": message,
+            "status_code": status_code
+        }
+        if detail:
+            error_data["detail"] = detail
+        return JSONResponse(
+            status_code=status_code,
+            content=error_data
+        )
+class AuthService:
+    """
+    认证服务类
+    提供依赖注入式的认证功能
+    """
+    def __init__(self, auth_config: AuthConfig):
+        if auth_config is None:
+            raise ValueError("auth_config参数不能为None，必须传入AuthConfig配置对象")
+        self.security = HTTPBearer(auto_error=False)
+        self.iam_client = ConnectAgenterraIam(config=auth_config)
+        self.auth_config = auth_config
+    def is_path_whitelisted(self, path: str) -> bool:
+        """
+        检查路径是否在白名单中
+        """
+        if not self.auth_config:
+            return False
+        return self.auth_config.is_path_whitelisted(path)
+    async def verify_token(self, request: Request):
+        """验证token和权限"""
+        # 通过token, server_ak, server_sk判断是否有权限
+        api_path = request.url.path
+        # 首先检查路径是否在白名单中
+        if self.is_path_whitelisted(api_path):
+            logger.info(f"路径 {api_path} 在白名单中，跳过IAM鉴权")
+            return True
+        credentials: HTTPAuthorizationCredentials = await self.security(request)
+        method = request.method
+        server_ak = request.headers.get("SERVER-AK", "")
+        server_sk = request.headers.get("SERVER-SK", "")
+        token = ""
+        if credentials is not None:
+            token = credentials.credentials
+        user_info_by_iam = self.iam_client.verify_token(token, api_path, method, server_ak, server_sk)
+        if user_info_by_iam:
+            return True
+        return False
+    async def get_current_user(self, request: Request) -> Optional[Dict]:
+        """获取当前用户信息"""
+        try:
+            # 直接调用verify_token方法进行token验证
+            if not await self.verify_token(request):
+                return None
+            # 获取token用于后续用户信息获取
+            credentials: HTTPAuthorizationCredentials = await self.security(request)
+            if not credentials:
+                return None
+            token = credentials.credentials
+            # 直接解析JWT token获取payload
+            payload = self.decode_jwt_token(token)
+            if not payload:
+                logger.error("JWT token解析失败")
+                return None
+            # 从payload中提取用户信息
+            iam_user_id = payload.get("sub")  # JWT标准中用户ID存储在sub字段
+            username = None
+            # 解析新的凭证信息结构
+            all_credentials = payload.get("all_credentials", [])
+            total_credentials = payload.get("total_credentials", 0)
+            # 从all_credentials中提取username（向后兼容）
+            for cred in all_credentials:
+                if cred.get("type") == "username":
+                    username = cred.get("value")
+                    break
+            # 向后兼容性：如果没有all_credentials，尝试从payload的其他字段构建
+            if not all_credentials:
+                credentials_list = []
+                # 检查payload中是否有直接的username字段
+                if payload.get("username"):
+                    username = payload.get("username")
+                    credentials_list.append({"type": "username", "value": username})
+                if payload.get("email"):
+                    credentials_list.append({"type": "email", "value": payload.get("email")})
+                if payload.get("phone"):
+                    credentials_list.append({"type": "phone", "value": payload.get("phone")})
+                all_credentials = credentials_list
+                total_credentials = len(credentials_list)
+            if not username:
+                return None
+            # 构建用户信息字典
+            user_info = {
+                "id": iam_user_id,
+                "username": username,
+                "all_credentials": all_credentials,
+                "total_credentials": total_credentials,
+                "microservice": payload.get("microservice")  # 添加微服务信息
+            }
+            # 向后兼容：添加传统字段映射
+            for cred in all_credentials:
+                if cred.get("type") == "email":
+                    user_info["email"] = cred.get("value")
+                elif cred.get("type") == "phone":
+                    user_info["phone"] = cred.get("value")
+                elif cred.get("type") == "username" and not user_info.get("username"):
+                    user_info["username"] = cred.get("value")
+            # 统计凭证类型分布
+            cred_types = [cred.get("type") for cred in all_credentials]
+            cred_type_count = {cred_type: cred_types.count(cred_type) for cred_type in set(cred_types)}
+            logger.info(
+                f"用户认证成功: user_id={iam_user_id}, username={username}, 凭证数量={total_credentials}, 凭证类型分布={cred_type_count}")
+            logger.debug(f"JWT payload: {payload}")
+            # 将用户信息添加到请求状态中
+            request.state.user = user_info
+            return user_info
+        except HTTPException as e:
+            logger.error(f"获取当前用户信息失败: {str(e)}")
+            # 重新抛出HTTP异常（403权限不足）
+            return None
+        except Exception as e:
+            logger.error(f"获取当前用户信息失败: {str(e)}")
+            return None
+    async def require_auth(self, request: Request) -> Dict:
+        """要求用户必须登录"""
+        try:
+            user_info = await self.get_current_user(request)
+            if not user_info:
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="需要登录认证",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return user_info
+        except HTTPException:
+            # 重新抛出HTTP异常（可能是403权限不足或401未认证）
+            raise
+    async def optional_auth(self, request: Request) -> Optional[Dict]:
+        """可选的用户认证（不强制要求登录）"""
+        try:
+            return await self.get_current_user(request)
+        except HTTPException:
+            # 对于可选认证，如果是403权限不足，仍然抛出异常
+            # 如果是401未认证，返回None
+            raise
+    def decode_jwt_token(self, token: str) -> Optional[Dict]:
+        """直接解析JWT token获取payload"""
+        try:
+            # 不验证签名，只解析payload（因为token已经通过verify_token验证过）
+            decoded_payload = jwt.decode(token, options={"verify_signature": False})
+            logger.debug(f"JWT token解析成功: {decoded_payload}")
+            return decoded_payload
+        except jwt.InvalidTokenError as e:
+            logger.error(f"JWT token解析失败: {str(e)}")
+            return None
+        except Exception as e:
+            logger.error(f"JWT token解析异常: {str(e)}")
+            return None
+# 全局认证服务实例（延迟初始化）
+auth_service = None
+def setup_auth_middleware(auth_config: AuthConfig) -> None:
+    """
+    设置认证中间件配置
+    Args:
+        auth_config: 认证配置实例，包含白名单路径等配置
+    """
+    global auth_service
+    auth_service = AuthService(auth_config)
+    logger.info(f"认证中间件已配置，白名单路径数量: {len(auth_config.get_whitelist_paths())}")
+# 便捷的依赖函数
+async def get_current_user(request: Request) -> Dict:
+    """获取当前用户的依赖函数"""
+    if auth_service is None:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="认证服务未初始化，请先调用setup_auth_middleware函数进行配置"
+        )
+    return await auth_service.require_auth(request)
+async def get_optional_user(request: Request) -> Optional[Dict]:
+    """获取可选当前用户的依赖函数"""
+    if auth_service is None:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="认证服务未初始化，请先调用setup_auth_middleware函数进行配置"
+        )
+    return await auth_service.optional_auth(request)

skyplatform_iam-1.0.0/skyplatform_iam/auth_middleware.py DELETED Viewed

@@ -1,173 +0,0 @@
-from fastapi import Request, HTTPException, status
-from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
-from typing import Optional, Dict
-import jwt
-from .connect_agenterra_iam import ConnectAgenterraIam
-import logging
-logger = logging.getLogger(__name__)
-class AuthMiddleware:
-    def __init__(self):
-        self.security = HTTPBearer(auto_error=False)
-        self.iam_client = ConnectAgenterraIam()
-    async def verify_token(self, request: Request):
-        # 通过token, server_ak, server_sk判断是否有权限
-        credentials: HTTPAuthorizationCredentials = await self.security(request)
-        api_path = request.url.path
-        method = request.method
-        server_ak = request.headers.get("SERVER-AK", "")
-        server_sk = request.headers.get("SERVER-SK", "")
-        token = ""
-        if credentials is not None:
-            token = credentials.credentials
-        user_info_by_iam = self.iam_client.verify_token(token, api_path, method, server_ak, server_sk)
-        if user_info_by_iam:
-            return True
-        return False
-    async def get_current_user(self, request: Request) -> Optional[Dict]:
-        """获取当前用户信息"""
-        try:
-            # 直接调用verify_token方法进行token验证
-            if not await self.verify_token(request):
-                return None
-            # 获取token用于后续用户信息获取
-            credentials: HTTPAuthorizationCredentials = await self.security(request)
-            token = credentials.credentials
-            # 直接解析JWT token获取payload
-            payload = self.decode_jwt_token(token)
-            if not payload:
-                logger.error("JWT token解析失败")
-                return None
-            # 从payload中提取用户信息
-            iam_user_id = payload.get("sub")  # JWT标准中用户ID存储在sub字段
-            username = None
-            # 解析新的凭证信息结构
-            all_credentials = payload.get("all_credentials", [])
-            total_credentials = payload.get("total_credentials", 0)
-            # 从all_credentials中提取username（向后兼容）
-            for cred in all_credentials:
-                if cred.get("type") == "username":
-                    username = cred.get("value")
-                    break
-            # 向后兼容性：如果没有all_credentials，尝试从payload的其他字段构建
-            if not all_credentials:
-                credentials_list = []
-                # 检查payload中是否有直接的username字段
-                if payload.get("username"):
-                    username = payload.get("username")
-                    credentials_list.append({"type": "username", "value": username})
-                if payload.get("email"):
-                    credentials_list.append({"type": "email", "value": payload.get("email")})
-                if payload.get("phone"):
-                    credentials_list.append({"type": "phone", "value": payload.get("phone")})
-                all_credentials = credentials_list
-                total_credentials = len(credentials_list)
-            if not username:
-                return None
-            # 构建用户信息字典
-            user_info = {
-                "id": iam_user_id,
-                "username": username,
-                "all_credentials": all_credentials,
-                "total_credentials": total_credentials,
-                "microservice": payload.get("microservice")  # 添加微服务信息
-            }
-            # 向后兼容：添加传统字段映射
-            for cred in all_credentials:
-                if cred.get("type") == "email":
-                    user_info["email"] = cred.get("value")
-                elif cred.get("type") == "phone":
-                    user_info["phone"] = cred.get("value")
-                elif cred.get("type") == "username" and not user_info.get("username"):
-                    user_info["username"] = cred.get("value")
-            # 统计凭证类型分布
-            cred_types = [cred.get("type") for cred in all_credentials]
-            cred_type_count = {cred_type: cred_types.count(cred_type) for cred_type in set(cred_types)}
-            logger.info(
-                f"用户认证成功: user_id={iam_user_id}, username={username}, 凭证数量={total_credentials}, 凭证类型分布={cred_type_count}")
-            logger.debug(f"JWT payload: {payload}")
-            # 将用户信息添加到请求状态中
-            request.state.user = user_info
-            return user_info
-        except HTTPException as e:
-            print(403)
-            logger.error(f"获取当前用户信息失败: {str(e)}")
-            # 重新抛出HTTP异常（403权限不足）
-            return None
-        except Exception as e:
-            logger.error(f"获取当前用户信息失败: {str(e)}")
-            return None
-    async def require_auth(self, request: Request) -> Dict:
-        """要求用户必须登录"""
-        try:
-            user_info = await self.get_current_user(request)
-            if not user_info:
-                raise HTTPException(
-                    status_code=status.HTTP_401_UNAUTHORIZED,
-                    detail="需要登录认证",
-                    headers={"WWW-Authenticate": "Bearer"},
-                )
-            return user_info
-        except HTTPException:
-            # 重新抛出HTTP异常（可能是403权限不足或401未认证）
-            raise
-    async def optional_auth(self, request: Request) -> Optional[Dict]:
-        """可选的用户认证（不强制要求登录）"""
-        try:
-            return await self.get_current_user(request)
-        except HTTPException:
-            # 对于可选认证，如果是403权限不足，仍然抛出异常
-            # 如果是401未认证，返回None
-            raise
-    def decode_jwt_token(self, token: str) -> Optional[Dict]:
-        """直接解析JWT token获取payload"""
-        try:
-            # 不验证签名，只解析payload（因为token已经通过verify_token验证过）
-            decoded_payload = jwt.decode(token, options={"verify_signature": False})
-            logger.debug(f"JWT token解析成功: {decoded_payload}")
-            return decoded_payload
-        except jwt.InvalidTokenError as e:
-            logger.error(f"JWT token解析失败: {str(e)}")
-            return None
-        except Exception as e:
-            logger.error(f"JWT token解析异常: {str(e)}")
-            return None
-# 创建全局认证中间件实例
-auth_middleware = AuthMiddleware()
-# 便捷的依赖函数
-async def get_current_user(request: Request) -> Dict:
-    """获取当前用户的依赖函数"""
-    return await auth_middleware.require_auth(request)
-async def get_optional_user(request: Request) -> Optional[Dict]:
-    """获取可选当前用户的依赖函数"""
-    return await auth_middleware.optional_auth(request)

skyplatform_iam-1.0.0/skyplatform_iam/config.py DELETED Viewed

@@ -1,68 +0,0 @@
-"""
-SkyPlatform IAM SDK 配置模块
-"""
-import os
-from typing import Optional, List
-from pydantic import BaseModel
-from dotenv import load_dotenv
-# 加载环境变量
-load_dotenv()
-class AuthConfig(BaseModel):
-    """
-    认证配置类
-    支持环境变量和代码配置
-    """
-    # IAM服务配置
-    agenterra_iam_host: str
-    server_name: str
-    access_key: str
-    # Token配置
-    token_header: str = "Authorization"
-    token_prefix: str = "Bearer "
-    # 错误处理配置
-    enable_debug: bool = False
-    class Config:
-        env_prefix = "AGENTERRA_"
-    @classmethod
-    def from_env(cls) -> "AuthConfig":
-        """
-        从环境变量创建配置
-        """
-        return cls(
-            agenterra_iam_host=os.environ.get('AGENTERRA_IAM_HOST', ''),
-            server_name=os.environ.get('AGENTERRA_SERVER_NAME', ''),
-            access_key=os.environ.get('AGENTERRA_ACCESS_KEY', ''),
-            enable_debug=os.environ.get('AGENTERRA_ENABLE_DEBUG', 'false').lower() == 'true'
-        )
-    def validate_config(self) -> bool:
-        """
-        验证配置是否完整
-        """
-        required_fields = ['agenterra_iam_host', 'server_name', 'access_key']
-        for field in required_fields:
-            if not getattr(self, field):
-                raise ValueError(f"配置项 {field} 不能为空")
-        return True
-    def add_whitelist_path(self, path: str) -> None:
-        """
-        添加白名单路径
-        """
-        if path not in self.whitelist_paths:
-            self.whitelist_paths.append(path)
-    def remove_whitelist_path(self, path: str) -> None:
-        """
-        移除白名单路径
-        """
-        if path in self.whitelist_paths:
-            self.whitelist_paths.remove(path)

skyplatform_iam-1.0.0/skyplatform_iam/middleware.py DELETED Viewed

@@ -1,186 +0,0 @@
-"""
-SkyPlatform IAM SDK 中间件模块
-"""
-import logging
-from typing import Optional, Callable, Dict, Any
-from fastapi import Request, Response, HTTPException
-from fastapi.responses import JSONResponse
-from starlette.middleware.base import BaseHTTPMiddleware
-from .config import AuthConfig
-from .connect_agenterra_iam import ConnectAgenterraIam
-from .exceptions import (
-    AuthenticationError,
-    AuthorizationError,
-    ConfigurationError
-)
-logger = logging.getLogger(__name__)
-class AuthMiddleware(BaseHTTPMiddleware):
-    """
-    认证中间件
-    自动拦截请求进行Token验证和权限检查
-    """
-    def __init__(
-            self,
-            app,
-            config: AuthConfig,
-            skip_validation: Optional[Callable[[Request], bool]] = None
-    ):
-        """
-        初始化认证中间件
-        Args:
-            app: FastAPI应用实例
-            config: 认证配置
-            skip_validation: 自定义跳过验证的函数
-        """
-        super().__init__(app)
-        self.config = config
-        self.iam_client = ConnectAgenterraIam()
-        self.skip_validation = skip_validation
-        # 验证配置
-        try:
-            self.config.validate_config()
-        except ValueError as e:
-            raise ConfigurationError(str(e))
-    async def dispatch(self, request: Request, call_next: Callable) -> Response:
-        """
-        中间件主要处理逻辑
-        """
-        try:
-            # 提取Token（可能为空，白名单接口不需要token）
-            token = self._extract_token(request)
-            # 验证Token和权限（即使token为空也要调用IAM验证，因为可能是白名单接口）
-            user_info = await self._verify_token_and_permission(request, token)
-            if not user_info:
-                return self._create_error_response(
-                    status_code=401,
-                    message="Token验证失败",
-                    detail="提供的Token无效或已过期"
-                )
-            # 检查是否为白名单接口
-            if user_info.get('is_whitelist', False):
-                # 白名单接口，允许访问但不设置用户信息
-                request.state.user = None
-                request.state.authenticated = False
-                request.state.is_whitelist = True
-            else:
-                # 正常认证接口，设置用户信息
-                request.state.user = user_info
-                request.state.authenticated = True
-                request.state.is_whitelist = False
-            # 继续处理请求
-            response = await call_next(request)
-            return response
-        except HTTPException as e:
-            # FastAPI HTTPException直接返回
-            return self._create_error_response(
-                status_code=e.status_code,
-                message=str(e.detail),
-                detail=getattr(e, 'detail', None)
-            )
-        except AuthenticationError as e:
-            return self._create_error_response(
-                status_code=e.status_code,
-                message=e.message,
-                detail=e.detail
-            )
-        except AuthorizationError as e:
-            return self._create_error_response(
-                status_code=e.status_code,
-                message=e.message,
-                detail=e.detail
-            )
-        except Exception as e:
-            logger.error(f"认证中间件处理异常: {str(e)}")
-            if self.config.enable_debug:
-                logger.exception("详细异常信息:")
-            return self._create_error_response(
-                status_code=500,
-                message="内部服务器错误",
-                detail=str(e) if self.config.enable_debug else None
-            )
-    def _extract_token(self, request: Request) -> Optional[str]:
-        """
-        从请求中提取Token
-        """
-        # 从Authorization头提取
-        auth_header = request.headers.get(self.config.token_header)
-        if auth_header and auth_header.startswith(self.config.token_prefix):
-            return auth_header[len(self.config.token_prefix):].strip()
-        # 从查询参数提取（备选方案）
-        token = request.query_params.get("token")
-        if token:
-            return token
-        return None
-    async def _verify_token_and_permission(self, request: Request, token: Optional[str]) -> Optional[Dict[str, Any]]:
-        """
-        验证Token和权限
-        """
-        try:
-            # 获取请求信息
-            api_path = request.url.path
-            method = request.method
-            # 从请求头获取服务认证信息（可选）
-            server_ak = request.headers.get("SERVER-AK", "")
-            server_sk = request.headers.get("SERVER-SK", "")
-            # 调用IAM验证接口（即使token为空也要调用，因为可能是白名单接口）
-            user_info = self.iam_client.verify_token(
-                token=token or "",  # 如果token为None，传递空字符串
-                api=api_path,
-                method=method,
-                server_ak=server_ak,
-                server_sk=server_sk
-            )
-            return user_info
-        except HTTPException:
-            # 重新抛出HTTP异常
-            raise
-        except Exception as e:
-            logger.error(f"Token验证异常: {str(e)}")
-            if self.config.enable_debug:
-                logger.exception("详细异常信息:")
-            return None
-    def _create_error_response(
-            self,
-            status_code: int,
-            message: str,
-            detail: Optional[str] = None
-    ) -> JSONResponse:
-        """
-        创建错误响应
-        """
-        error_data = {
-            "success": False,
-            "message": message,
-            "status_code": status_code
-        }
-        if detail:
-            error_data["detail"] = detail
-        return JSONResponse(
-            status_code=status_code,
-            content=error_data
-        )

{skyplatform_iam-1.0.0 → skyplatform_iam-1.0.3}/README.md RENAMED Viewed

File without changes

{skyplatform_iam-1.0.0 → skyplatform_iam-1.0.3}/skyplatform_iam/exceptions.py RENAMED Viewed

File without changes

skyplatform-iam 1.0.0__tar.gz → 1.0.3__tar.gz

skyplatform-iam 1.0.0tar.gz → 1.0.3tar.gz