PyPI - skyplatform-iam - Versions diffs - 1.1.0__py3-none-any.whl → 1.2.0__py3-none-any.whl - Mend

skyplatform-iam 1.1.0py3-none-any.whl → 1.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

skyplatform_iam/__init__.py +1 -1
skyplatform_iam/config.py +30 -9
skyplatform_iam/connect_agenterra_iam.py +59 -34
skyplatform_iam/middleware.py +37 -6
{skyplatform_iam-1.1.0.dist-info → skyplatform_iam-1.2.0.dist-info}/METADATA +1 -1
skyplatform_iam-1.2.0.dist-info/RECORD +8 -0
skyplatform_iam-1.1.0.dist-info/RECORD +0 -8
{skyplatform_iam-1.1.0.dist-info → skyplatform_iam-1.2.0.dist-info}/WHEEL +0 -0

skyplatform_iam/__init__.py CHANGED Viewed

@@ -17,7 +17,7 @@ from .exceptions import (
     NetworkError
 )
-__version__ = "1.0.0"
+__version__ = "1.2.0"
 __author__ = "x9"
 __description__ = "SkyPlatform IAM认证SDK，提供FastAPI中间件和IAM服务连接功能"

skyplatform_iam/config.py CHANGED Viewed

@@ -1,14 +1,18 @@
 """
 SkyPlatform IAM SDK 配置模块
 """
+import logging
 import os
 import fnmatch
-from typing import Optional, List
+from typing import List, Optional, Dict
+import jwt
 from pydantic import BaseModel, Field
 from dotenv import load_dotenv
 # 加载环境变量
 load_dotenv()
+logger = logging.getLogger(__name__)
 class AuthConfig(BaseModel):
@@ -20,6 +24,7 @@ class AuthConfig(BaseModel):
     agenterra_iam_host: str
     server_name: str
     access_key: str
+    machine_token: str
     # Token配置
     token_header: str = "Authorization"
@@ -44,6 +49,7 @@ class AuthConfig(BaseModel):
             server_name=os.environ.get('AGENTERRA_SERVER_NAME', ''),
             access_key=os.environ.get('AGENTERRA_ACCESS_KEY', ''),
             enable_debug=os.environ.get('AGENTERRA_ENABLE_DEBUG', 'false').lower() == 'true',
+            machine_token=os.environ.get('MACHINE_TOKEN', ''),
             whitelist_paths=[]  # 初始化空的白名单路径列表
         )
@@ -63,15 +69,15 @@ class AuthConfig(BaseModel):
         """
         if not path:
             return path
         # 确保路径以 / 开头
         if not path.startswith('/'):
             path = '/' + path
         # 移除重复的斜杠
         while '//' in path:
             path = path.replace('//', '/')
         return path
     def add_whitelist_path(self, path: str) -> None:
@@ -80,7 +86,7 @@ class AuthConfig(BaseModel):
         """
         if not path:
             return
         normalized_path = self._normalize_path(path)
         if normalized_path not in self.whitelist_paths:
             self.whitelist_paths.append(normalized_path)
@@ -98,7 +104,7 @@ class AuthConfig(BaseModel):
         """
         if not path:
             return
         normalized_path = self._normalize_path(path)
         if normalized_path in self.whitelist_paths:
             self.whitelist_paths.remove(normalized_path)
@@ -121,12 +127,27 @@ class AuthConfig(BaseModel):
         """
         if not path:
             return False
         normalized_path = self._normalize_path(path)
         for whitelist_path in self.whitelist_paths:
             # 支持通配符匹配
             if fnmatch.fnmatch(normalized_path, whitelist_path):
                 return True
         return False
+def decode_jwt_token(token: str) -> Optional[Dict]:
+    """直接解析JWT token获取payload"""
+    try:
+        # 不验证签名，只解析payload（因为token已经通过verify_token验证过）
+        decoded_payload = jwt.decode(token, options={"verify_signature": False})
+        logger.debug(f"JWT token解析成功: {decoded_payload}")
+        return decoded_payload
+    except jwt.InvalidTokenError as e:
+        logger.error(f"JWT token解析失败: {str(e)}")
+        return None
+    except Exception as e:
+        logger.error(f"JWT token解析异常: {str(e)}")
+        return None

skyplatform_iam/connect_agenterra_iam.py CHANGED Viewed

@@ -5,6 +5,8 @@ import copy
 from enum import Enum
 from fastapi import HTTPException, status
+from .config import decode_jwt_token
 class CredentialTypeEnum(str, Enum):
     """凭证类型枚举，与后端API保持一致"""
@@ -17,7 +19,7 @@ class CredentialTypeEnum(str, Enum):
 class ConnectAgenterraIam(object):
     _instance = None
     _initialized = False
     def __new__(cls, config=None, logger_name="skyplatform_iam", log_level=logging.INFO):
         """
         单例模式实现
@@ -26,11 +28,11 @@ class ConnectAgenterraIam(object):
         if cls._instance is None:
             cls._instance = super(ConnectAgenterraIam, cls).__new__(cls)
         return cls._instance
     def __init__(self, config=None, logger_name="skyplatform_iam", log_level=logging.INFO):
         """
         初始化AgenterraIAM连接器
         参数:
         - config: AuthConfig配置对象，如果为None则从环境变量读取
         - logger_name: 日志记录器名称
@@ -39,7 +41,7 @@ class ConnectAgenterraIam(object):
         # 防止重复初始化
         if self._initialized:
             return
         # 配置日志记录器
         self.logger = logging.getLogger(logger_name)
         if not self.logger.handlers:
@@ -50,16 +52,17 @@ class ConnectAgenterraIam(object):
             handler.setFormatter(formatter)
             self.logger.addHandler(handler)
             self.logger.setLevel(log_level)
         # 必须传入config参数，不再支持从环境变量读取
         if config is None:
             raise ValueError("必须传入AuthConfig配置对象，不再支持从环境变量读取配置")
         self.agenterra_iam_host = config.agenterra_iam_host
         self.server_name = config.server_name
         self.access_key = config.access_key
+        self.machine_token = config.machine_token
         self.logger.info("使用传入的AuthConfig配置")
         # 验证必要的配置
         if not self.agenterra_iam_host:
             self.logger.warning("AGENTERRA_IAM_HOST 配置未设置")
@@ -67,9 +70,10 @@ class ConnectAgenterraIam(object):
             self.logger.warning("AGENTERRA_SERVER_NAME 配置未设置")
         if not self.access_key:
             self.logger.warning("AGENTERRA_ACCESS_KEY 配置未设置")
-        self.logger.info(f"初始化AgenterraIAM连接器 - Host: {self.agenterra_iam_host}, Server: {self._mask_sensitive(self.server_name)}")
+        self.logger.info(
+            f"初始化AgenterraIAM连接器 - Host: {self.agenterra_iam_host}, Server: {self._mask_sensitive(self.server_name)}")
         self.headers = {
             "Content-Type": "application/json",
             "SERVER-AK": self.server_name,
@@ -77,9 +81,10 @@ class ConnectAgenterraIam(object):
         }
         self.body = {
             "server_name": self.server_name,
-            "access_key": self.access_key
+            "access_key": self.access_key,
+            "machine_token": self.machine_token
         }
         # 标记为已初始化
         self._initialized = True
@@ -87,20 +92,20 @@ class ConnectAgenterraIam(object):
         """
         重新加载配置
         用于在运行时更新配置
         参数:
         - config: AuthConfig配置对象
         """
         if config is None:
             raise ValueError("必须传入AuthConfig配置对象")
         self.logger.info("重新加载配置")
         # 更新配置
         self.agenterra_iam_host = config.agenterra_iam_host
         self.server_name = config.server_name
         self.access_key = config.access_key
         # 验证必要的配置
         if not self.agenterra_iam_host:
             self.logger.warning("AGENTERRA_IAM_HOST 配置未设置")
@@ -108,7 +113,7 @@ class ConnectAgenterraIam(object):
             self.logger.warning("AGENTERRA_SERVER_NAME 配置未设置")
         if not self.access_key:
             self.logger.warning("AGENTERRA_ACCESS_KEY 配置未设置")
         # 更新headers和body
         self.headers = {
             "Content-Type": "application/json",
@@ -117,63 +122,65 @@ class ConnectAgenterraIam(object):
         }
         self.body = {
             "server_name": self.server_name,
-            "access_key": self.access_key
+            "access_key": self.access_key,
+            "machine_token": self.machine_token,
         }
-        self.logger.info(f"配置重新加载完成 - Host: {self.agenterra_iam_host}, Server: {self._mask_sensitive(self.server_name)}")
+        self.logger.info(
+            f"配置重新加载完成 - Host: {self.agenterra_iam_host}, Server: {self._mask_sensitive(self.server_name)}")
     def _mask_sensitive(self, value, mask_char="*", show_chars=4):
         """
         脱敏处理敏感信息
         参数:
         - value: 要脱敏的值
         - mask_char: 脱敏字符
         - show_chars: 显示的字符数量
         返回: 脱敏后的字符串
         """
         if not value or not isinstance(value, str):
             return str(value) if value else "None"
         if len(value) <= show_chars:
             return mask_char * len(value)
         return value[:show_chars] + mask_char * (len(value) - show_chars)
     def _sanitize_log_data(self, data):
         """
         清理日志数据，脱敏敏感信息
         参数:
         - data: 要清理的数据（字典或其他类型）
         返回: 清理后的数据
         """
         if not isinstance(data, dict):
             return data
         # 需要脱敏的字段列表
         sensitive_fields = [
-            'password', 'access_key', 'token', 'refresh_token',
+            'password', 'access_key', 'token', 'refresh_token',
             'SERVER-SK', 'new_password', 'server_sk'
         ]
         sanitized = copy.deepcopy(data)
         for key, value in sanitized.items():
             if key.lower() in [field.lower() for field in sensitive_fields]:
                 sanitized[key] = self._mask_sensitive(str(value))
             elif isinstance(value, dict):
                 sanitized[key] = self._sanitize_log_data(value)
         return sanitized
     def _log_request(self, method_name, url, headers, body):
         """记录请求信息"""
         sanitized_headers = self._sanitize_log_data(headers)
         sanitized_body = self._sanitize_log_data(body)
         self.logger.info(f"[{method_name}] 发送请求 - URL: {url}")
         self.logger.info(f"[{method_name}] 请求头: {sanitized_headers}")
         self.logger.info(f"[{method_name}] 请求体: {sanitized_body}")
@@ -346,6 +353,11 @@ class ConnectAgenterraIam(object):
             if response.status_code == 200:
                 self.logger.info(f"[{method_name}] 密码登录成功")
+                data = response.json()["data"]
+                access_token = data["access_token"]
+                payload = decode_jwt_token(access_token)
+                self.machine_token = payload["machine_access_token"]
                 return response
             else:
                 self.logger.warning(f"[{method_name}] 密码登录失败 - 状态码: {response.status_code}")
@@ -452,9 +464,12 @@ class ConnectAgenterraIam(object):
             # 记录请求信息
             self._log_request(method_name, url, self.headers, body)
+            headers = self.headers.copy()
+            headers['MACHINE-TOKEN'] = self.machine_token
             response = requests.post(
                 url=url,
-                headers=self.headers,
+                headers=headers,
                 json=body,
                 verify=False
             )
@@ -474,7 +489,7 @@ class ConnectAgenterraIam(object):
             self.logger.error(f"[{method_name}] 异常堆栈: {traceback.format_exc()}")
             return False
-    def verify_token(self, token, api, method, server_ak="", server_sk=""):
+    def verify_token(self, token, api, method, server_ak="", server_sk="", machine_token=""):
         """
         请求iam进行鉴权
         server_name: 服务名称
@@ -494,6 +509,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": machine_token if machine_token else self.machine_token,
                 "token": token,
                 "api": api,
                 "method": method,
@@ -600,6 +616,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "user_id": user_id,
                 "new_password": new_password
             }
@@ -647,6 +664,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "refresh_token": refresh_token
             }
             uri = "/api/v2/service/refresh_token"
@@ -694,6 +712,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "user_id": user_id,
                 "role_id": role_id
             }
@@ -736,6 +755,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "token": token,
             }
             uri = "/api/v2/service/token"
@@ -788,6 +808,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "user_id": user_id,
                 "config_name": config_name
             }
@@ -844,6 +865,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "user_id": user_id
             }
@@ -896,6 +918,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "user_id": user_id,
                 "config_name": config_name
             }
@@ -957,6 +980,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "target_user_id": target_user_id,
                 "cred_type": cred_type.value,
                 "cred_value": cred_value
@@ -1021,6 +1045,7 @@ class ConnectAgenterraIam(object):
             body = {
                 "server_name": self.server_name,
                 "access_key": self.access_key,
+                "machine_token": self.machine_token,
                 "cred_type": cred_type.value,
                 "cred_value": cred_value
             }

skyplatform_iam/middleware.py CHANGED Viewed

@@ -66,7 +66,14 @@ class AuthMiddleware(BaseHTTPMiddleware):
         try:
             # 获取请求路径
             api_path = request.url.path
+            method = request.method
+            # 检查是否为机机接口鉴权 来自其他服务
+            server_ak = request.headers.get('SERVER-AK')
+            server_sk = request.headers.get('SERVER-SK')
+            # 检查是否为人机接口鉴权 来自前端
+            # token = request.headers.get('Authorization')
             # 首先检查路径是否在本地白名单中
             if self.is_path_whitelisted(api_path):
                 logger.info(f"路径 {api_path} 在本地白名单中，跳过认证直接允许访问")
@@ -80,6 +87,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
             # 提取Token（可能为空，白名单接口不需要token）
             token = self._extract_token(request)
+            machine_token = self._extract_machine_token(request)
             # 验证Token和权限（即使token为空也要调用IAM验证，因为可能是白名单接口）
             user_info = await self._verify_token_and_permission(request, token)
@@ -97,6 +105,11 @@ class AuthMiddleware(BaseHTTPMiddleware):
                 request.state.authenticated = False
                 request.state.is_whitelist = True
             else:
+                if machine_token:
+                    payload = jwt.decode(machine_token, algorithms=["HS256"], options={"verify_signature": False})
+                    user_id = payload.get("sub", None)
+                    request.state.user_id = user_id
                 # 正常认证接口，设置用户信息
                 request.state.user = user_info
                 request.state.authenticated = True
@@ -142,15 +155,29 @@ class AuthMiddleware(BaseHTTPMiddleware):
         # 从Authorization头提取
         auth_header = request.headers.get(self.config.token_header)
         if auth_header and auth_header.startswith(self.config.token_prefix):
+            print("has auth_header: ", auth_header)
             return auth_header[len(self.config.token_prefix):].strip()
         # 从查询参数提取（备选方案）
         token = request.query_params.get("token")
         if token:
+            print("has token: ", token)
             return token
         return None
+    def _extract_machine_token(self, request: Request) -> Optional[str]:
+        """
+        从请求中提取Token
+        """
+        # 从Authorization头提取
+        machine_token = request.headers.get("MACHINE-TOKEN")
+        if machine_token:
+            print("has MACHINE-TOKEN': ", machine_token)
+            return machine_token
+        return None
     async def _verify_token_and_permission(self, request: Request, token: Optional[str]) -> Optional[Dict[str, Any]]:
         """
         验证Token和权限
@@ -163,6 +190,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
             # 从请求头获取服务认证信息（可选）
             server_ak = request.headers.get("SERVER-AK", "")
             server_sk = request.headers.get("SERVER-SK", "")
+            machine_token = request.headers.get("MACHINE-TOKEN", "")
             # 调用IAM验证接口（即使token为空也要调用，因为可能是白名单接口）
             user_info = self.iam_client.verify_token(
@@ -170,7 +198,8 @@ class AuthMiddleware(BaseHTTPMiddleware):
                 api=api_path,
                 method=method,
                 server_ak=server_ak,
-                server_sk=server_sk
+                server_sk=server_sk,
+                machine_token=machine_token
             )
             return user_info
@@ -233,22 +262,24 @@ class AuthService:
         """验证token和权限"""
         # 通过token, server_ak, server_sk判断是否有权限
         api_path = request.url.path
         # 首先检查路径是否在白名单中
         if self.is_path_whitelisted(api_path):
             logger.info(f"路径 {api_path} 在白名单中，跳过IAM鉴权")
             return True
         credentials: HTTPAuthorizationCredentials = await self.security(request)
         method = request.method
         server_ak = request.headers.get("SERVER-AK", "")
         server_sk = request.headers.get("SERVER-SK", "")
+        machine_token = request.headers.get("MACHINE-TOKEN", "")
+        print("248 machine_token:", machine_token)
         token = ""
         if credentials is not None:
             token = credentials.credentials
-        user_info_by_iam = self.iam_client.verify_token(token, api_path, method, server_ak, server_sk)
+        user_info_by_iam = self.iam_client.verify_token(token, api_path, method, server_ak, server_sk, machine_token)
         if user_info_by_iam:
             return True
         return False
@@ -264,7 +295,7 @@ class AuthService:
             credentials: HTTPAuthorizationCredentials = await self.security(request)
             if not credentials:
                 return None
             token = credentials.credentials
             # 直接解析JWT token获取payload

{skyplatform_iam-1.1.0.dist-info → skyplatform_iam-1.2.0.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skyplatform-iam
-Version: 1.1.0
+Version: 1.2.0
 Summary: SkyPlatform IAM认证SDK，提供FastAPI中间件和认证路由
 Project-URL: Homepage, https://github.com/xinmayoujiang12621/agenterra_iam
 Project-URL: Documentation, https://skyplatform-iam.readthedocs.io/

skyplatform_iam-1.2.0.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,8 @@
+skyplatform_iam/__init__.py,sha256=N4acauQXv5CUHNgaeYc3wCTi9zlwt9xvZW5szZ-ahkc,4664
+skyplatform_iam/config.py,sha256=4EOzjevFtQ25tZPK7wpU58W6hD-B_XVQF7VCNQzdVOM,4429
+skyplatform_iam/connect_agenterra_iam.py,sha256=ixnk45JQoILfwVVKdPllLO-xUqGb8moOh0G6sAIvrVU,40712
+skyplatform_iam/exceptions.py,sha256=Rt55QIzVK1F_kn6yzKQKKakD6PZDFdPLCGaCphKKms8,2166
+skyplatform_iam/middleware.py,sha256=e_YNRWXmDVKeKwpAcFYptTV4WZboAF-ICC5p9rvLSE0,17069
+skyplatform_iam-1.2.0.dist-info/METADATA,sha256=T7kVHT53D8WXPJTomoWc6nDNIS3ZM2SYGVDX_r26JGY,12658
+skyplatform_iam-1.2.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+skyplatform_iam-1.2.0.dist-info/RECORD,,

skyplatform_iam-1.1.0.dist-info/RECORD DELETED Viewed

@@ -1,8 +0,0 @@
-skyplatform_iam/__init__.py,sha256=JfCqvHdzjiwkEVhgzlB45pKKs0VkxKg8yrMMQ4NpWpY,4664
-skyplatform_iam/config.py,sha256=s4tctVpguKZv4O1Fhf7_Fo7zELNX6KYviMjkE1WPbQM,3715
-skyplatform_iam/connect_agenterra_iam.py,sha256=9SnZkYmZ1VewzIz6a3-uOdOLzHrhPyJPIofZHgImJCM,39785
-skyplatform_iam/exceptions.py,sha256=Rt55QIzVK1F_kn6yzKQKKakD6PZDFdPLCGaCphKKms8,2166
-skyplatform_iam/middleware.py,sha256=XNJxvjw3O55TW-ff_uORK-C9Wy4BTAfkcnNjy1SQkx0,15721
-skyplatform_iam-1.1.0.dist-info/METADATA,sha256=K3G-22HfmCKyzHOK_zvrpGDzez_gpEvrqon7nsvG4wg,12658
-skyplatform_iam-1.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-skyplatform_iam-1.1.0.dist-info/RECORD,,

{skyplatform_iam-1.1.0.dist-info → skyplatform_iam-1.2.0.dist-info}/WHEEL RENAMED Viewed

File without changes

skyplatform-iam 1.1.0__py3-none-any.whl → 1.2.0__py3-none-any.whl

skyplatform-iam 1.1.0py3-none-any.whl → 1.2.0py3-none-any.whl