|
|
# -*- coding: utf-8 -*-
|
|
|
#
|
|
|
import base64
|
|
|
import hashlib
|
|
|
import json
|
|
|
import os
|
|
|
import re
|
|
|
import time
|
|
|
from io import StringIO
|
|
|
|
|
|
import paramiko
|
|
|
import sshpubkeys
|
|
|
from cryptography.hazmat.primitives import serialization
|
|
|
from django.conf import settings
|
|
|
from django.core.serializers.json import DjangoJSONEncoder
|
|
|
from itsdangerous import (
|
|
|
TimedJSONWebSignatureSerializer, JSONWebSignatureSerializer,
|
|
|
BadSignature, SignatureExpired
|
|
|
)
|
|
|
from six import string_types
|
|
|
|
|
|
from .http import http_date
|
|
|
|
|
|
UUID_PATTERN = re.compile(r'[0-9a-zA-Z\-]{36}')
|
|
|
|
|
|
|
|
|
class Singleton(type):
|
|
|
def __init__(cls, *args, **kwargs):
|
|
|
cls.__instance = None
|
|
|
super().__init__(*args, **kwargs)
|
|
|
|
|
|
def __call__(cls, *args, **kwargs):
|
|
|
if cls.__instance is None:
|
|
|
cls.__instance = super().__call__(*args, **kwargs)
|
|
|
return cls.__instance
|
|
|
else:
|
|
|
return cls.__instance
|
|
|
|
|
|
|
|
|
class Signer(metaclass=Singleton):
|
|
|
"""用来加密,解密,和基于时间戳的方式验证token"""
|
|
|
|
|
|
def __init__(self, secret_key=None):
|
|
|
self.secret_key = secret_key
|
|
|
|
|
|
def sign(self, value):
|
|
|
s = JSONWebSignatureSerializer(self.secret_key, algorithm_name='HS256')
|
|
|
return s.dumps(value).decode()
|
|
|
|
|
|
def unsign(self, value):
|
|
|
if value is None:
|
|
|
return value
|
|
|
s = JSONWebSignatureSerializer(self.secret_key, algorithm_name='HS256')
|
|
|
try:
|
|
|
return s.loads(value)
|
|
|
except BadSignature:
|
|
|
return None
|
|
|
|
|
|
def sign_t(self, value, expires_in=3600):
|
|
|
s = TimedJSONWebSignatureSerializer(self.secret_key, expires_in=expires_in)
|
|
|
return str(s.dumps(value), encoding="utf8")
|
|
|
|
|
|
def unsign_t(self, value):
|
|
|
s = TimedJSONWebSignatureSerializer(self.secret_key)
|
|
|
try:
|
|
|
return s.loads(value)
|
|
|
except (BadSignature, SignatureExpired):
|
|
|
return None
|
|
|
|
|
|
|
|
|
_supported_paramiko_ssh_key_types = (
|
|
|
paramiko.RSAKey,
|
|
|
paramiko.DSSKey,
|
|
|
paramiko.Ed25519Key,
|
|
|
paramiko.ECDSAKey,)
|
|
|
|
|
|
|
|
|
def ssh_key_string_to_obj(text, password=None):
|
|
|
key = None
|
|
|
for ssh_key_type in _supported_paramiko_ssh_key_types:
|
|
|
try:
|
|
|
key = ssh_key_type.from_private_key(StringIO(text), password=password)
|
|
|
return key
|
|
|
except paramiko.SSHException:
|
|
|
pass
|
|
|
if key is None:
|
|
|
raise ValueError('Invalid private key')
|
|
|
return key
|
|
|
|
|
|
|
|
|
def ssh_private_key_gen(private_key, password=None):
|
|
|
if isinstance(private_key, bytes):
|
|
|
private_key = private_key.decode("utf-8")
|
|
|
if isinstance(private_key, string_types):
|
|
|
private_key = ssh_key_string_to_obj(private_key, password=password)
|
|
|
return private_key
|
|
|
|
|
|
|
|
|
def ssh_pubkey_gen(private_key=None, username='jumpserver', hostname='localhost', password=None):
|
|
|
private_key = ssh_private_key_gen(private_key, password=password)
|
|
|
if not isinstance(private_key, (paramiko.RSAKey, paramiko.DSSKey)):
|
|
|
raise IOError('Invalid private key')
|
|
|
|
|
|
public_key = "%(key_type)s %(key_content)s %(username)s@%(hostname)s" % {
|
|
|
'key_type': private_key.get_name(),
|
|
|
'key_content': private_key.get_base64(),
|
|
|
'username': username,
|
|
|
'hostname': hostname,
|
|
|
}
|
|
|
return public_key
|
|
|
|
|
|
|
|
|
def ssh_key_gen(length=2048, type='rsa', password=None, username='jumpserver', hostname=None):
|
|
|
"""Generate user ssh private and public key
|
|
|
|
|
|
Use paramiko RSAKey generate it.
|
|
|
:return private key str and public key str
|
|
|
"""
|
|
|
|
|
|
if hostname is None:
|
|
|
hostname = os.uname()[1]
|
|
|
|
|
|
f = StringIO()
|
|
|
try:
|
|
|
if type == 'rsa':
|
|
|
private_key_obj = paramiko.RSAKey.generate(length)
|
|
|
elif type == 'dsa':
|
|
|
private_key_obj = paramiko.DSSKey.generate(length)
|
|
|
else:
|
|
|
raise IOError('SSH private key must be `rsa` or `dsa`')
|
|
|
private_key_obj.write_private_key(f, password=password)
|
|
|
private_key = f.getvalue()
|
|
|
public_key = ssh_pubkey_gen(private_key_obj, username=username, hostname=hostname)
|
|
|
return private_key, public_key
|
|
|
except IOError:
|
|
|
raise IOError('These is error when generate ssh key.')
|
|
|
|
|
|
|
|
|
def validate_ssh_private_key(text, password=None):
|
|
|
key = parse_ssh_private_key_str(text, password=password)
|
|
|
return bool(key)
|
|
|
|
|
|
|
|
|
def parse_ssh_private_key_str(text: bytes, password=None) -> str:
|
|
|
private_key = _parse_ssh_private_key(text, password=password)
|
|
|
if private_key is None:
|
|
|
return ""
|
|
|
# 解析之后,转换成 openssh 格式的私钥
|
|
|
private_key_bytes = private_key.private_bytes(
|
|
|
serialization.Encoding.PEM,
|
|
|
serialization.PrivateFormat.OpenSSH,
|
|
|
serialization.NoEncryption()
|
|
|
)
|
|
|
return private_key_bytes.decode('utf-8')
|
|
|
|
|
|
|
|
|
def parse_ssh_public_key_str(text: bytes = "", password=None) -> str:
|
|
|
private_key = _parse_ssh_private_key(text, password=password)
|
|
|
if private_key is None:
|
|
|
return ""
|
|
|
public_key_bytes = private_key.public_key().public_bytes(
|
|
|
serialization.Encoding.OpenSSH,
|
|
|
serialization.PublicFormat.OpenSSH,
|
|
|
)
|
|
|
return public_key_bytes.decode('utf-8')
|
|
|
|
|
|
|
|
|
def _parse_ssh_private_key(text, password=None):
|
|
|
"""
|
|
|
text: bytes
|
|
|
password: str
|
|
|
return:private key types:
|
|
|
ec.EllipticCurvePrivateKey,
|
|
|
rsa.RSAPrivateKey,
|
|
|
dsa.DSAPrivateKey,
|
|
|
ed25519.Ed25519PrivateKey,
|
|
|
"""
|
|
|
if isinstance(text, str):
|
|
|
try:
|
|
|
text = text.encode("utf-8")
|
|
|
except UnicodeDecodeError:
|
|
|
return None
|
|
|
if isinstance(password, str):
|
|
|
try:
|
|
|
password = password.encode("utf-8")
|
|
|
except UnicodeDecodeError:
|
|
|
return None
|
|
|
|
|
|
try:
|
|
|
if is_openssh_format_key(text):
|
|
|
return serialization.load_ssh_private_key(text, password=password)
|
|
|
return serialization.load_pem_private_key(text, password=password)
|
|
|
except (ValueError, TypeError) as e:
|
|
|
raise e
|
|
|
|
|
|
|
|
|
def is_openssh_format_key(text: bytes):
|
|
|
return text.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----")
|
|
|
|
|
|
|
|
|
def validate_ssh_public_key(text):
|
|
|
ssh = sshpubkeys.SSHKey(text)
|
|
|
try:
|
|
|
ssh.parse()
|
|
|
except (sshpubkeys.InvalidKeyException, UnicodeDecodeError):
|
|
|
return False
|
|
|
except NotImplementedError as e:
|
|
|
return False
|
|
|
return True
|
|
|
|
|
|
|
|
|
def content_md5(data):
|
|
|
"""计算data的MD5值,经过Base64编码并返回str类型。
|
|
|
|
|
|
返回值可以直接作为HTTP Content-Type头部的值
|
|
|
"""
|
|
|
if isinstance(data, str):
|
|
|
data = hashlib.md5(data.encode('utf-8'))
|
|
|
value = base64.b64encode(data.hexdigest().encode('utf-8'))
|
|
|
return value.decode('utf-8')
|
|
|
|
|
|
|
|
|
def make_signature(access_key_secret, date=None):
|
|
|
if isinstance(date, bytes):
|
|
|
date = bytes.decode(date)
|
|
|
if isinstance(date, int):
|
|
|
date_gmt = http_date(date)
|
|
|
elif date is None:
|
|
|
date_gmt = http_date(int(time.time()))
|
|
|
else:
|
|
|
date_gmt = date
|
|
|
|
|
|
data = str(access_key_secret) + "\n" + date_gmt
|
|
|
return content_md5(data)
|
|
|
|
|
|
|
|
|
def encrypt_password(password, salt=None, algorithm='sha512'):
|
|
|
from passlib.hash import sha512_crypt, des_crypt
|
|
|
|
|
|
def sha512():
|
|
|
return sha512_crypt.using(rounds=5000).hash(password, salt=salt)
|
|
|
|
|
|
def des():
|
|
|
return des_crypt.hash(password, salt=salt[:2])
|
|
|
|
|
|
support_algorithm = {
|
|
|
'sha512': sha512,
|
|
|
'des': des
|
|
|
}
|
|
|
|
|
|
if isinstance(algorithm, str):
|
|
|
algorithm = algorithm.lower()
|
|
|
|
|
|
if algorithm not in support_algorithm.keys():
|
|
|
algorithm = 'sha512'
|
|
|
|
|
|
if password and support_algorithm[algorithm]:
|
|
|
return support_algorithm[algorithm]()
|
|
|
return None
|
|
|
|
|
|
|
|
|
def get_signer():
|
|
|
s = Signer(settings.SECRET_KEY)
|
|
|
return s
|
|
|
|
|
|
|
|
|
signer = get_signer()
|
|
|
|
|
|
|
|
|
def ensure_last_char_is_ascii(data):
|
|
|
remain = ''
|
|
|
|
|
|
|
|
|
def data_to_json(data, sort_keys=True, indent=2, cls=None):
|
|
|
if cls is None:
|
|
|
cls = DjangoJSONEncoder
|
|
|
return json.dumps(data, sort_keys=sort_keys, indent=indent, cls=cls)
|