CMDB学习之API加密请求动态
# 实现方式是用时间戳 + 密钥做 MD5 摘要(签名)处理
from django.shortcuts import render,HttpResponse,redirect,reverse from django.views.decorators.csrf import csrf_exempt import json #使用rest_framework ,首先要安装pip去安装Djangorestframework ,这个模块 # 在Django的settings中注册app import hashlib import time from django.conf import settings from rest_framework.views import APIView from rest_framework.response import Response from api import models from api import service #服务端临时测试 KEY = 'alksdgjaldks' #解密 def gen_key(key,ctime): key_str = '{}|{}'.format(key,ctime) md5 = hashlib.md5() md5.update(key_str.encode('utf-8')) return md5.hexdigest() class AssetTest(APIView): def get(self,request): return Response("get ok ") def post(self,request): result = {'status':True,'data':5666666} #拿到key 和ctime ,MD5 正加密处理和请求的数据进行校验 sign = request._request.GET.get('sign') ctime = request._request.GET.get('ctime') sign_key = gen_key(KEY,ctime) if sign != sign_key: result['status'] = False result['data'] = '检验不成功' return Response(result)
客户端测试API
#!/usr/bin/env python # -*- coding:utf-8 -*- import requests import time,hashlib #通过双方有key 的方式进行验证, key = 'alksdgjaldks' ctime = time.time() def gen_key(): key_str = '{}|{}'.format(key,ctime) md5 = hashlib.md5() md5.update(key_str.encode('utf-8')) return md5.hexdigest() #通过双方有key 的方式进行验证 ret = requests.post( url = 'http://127.0.0.1:8000/api/test', params = {'sign':gen_key(),'ctime':ctime} ) print(ret.text)
注意测试URL路由
url(r'^test',views.AssetTest.as_view()),  # CBV (class-based view) style; note r'^test' has no '$' anchor, so any path beginning with "test" also matches this route
上面是简单的签名校验,但是若请求 URL 被截获,仍然可以重放访问,所以进一步进行修改
KEY = 'alksdgjaldks' #解密 def gen_key(key,ctime): key_str = '{}|{}'.format(key,ctime) md5 = hashlib.md5() md5.update(key_str.encode('utf-8')) return md5.hexdigest() SIGN_RECORD = {} class AssetTest(APIView): def get(self,request): return Response("get ok ") def post(self,request): result = {'status':True,'data':5666666} #拿到key 和ctime ,MD5 正加密处理和请求的数据进行校验 sign = request._request.GET.get('sign') ctime = request._request.GET.get('ctime') server_time = int(time.time()*1000) if server_time - int(ctime) > 5000: result['status'] = False result['data'] = '证书已经过期!' return Response(result) if sign in SIGN_RECORD: result['status'] = False result['data'] = '证书已经使用!' return Response(result) if sign != gen_key(KEY,ctime): result['status'] = False result['data'] = '检验不成功' return Response(result) SIGN_RECORD[sign] = ctime return Response(result)
#!/usr/bin/env python # -*- coding:utf-8 -*- import requests import time,hashlib #通过双方有key 的方式进行验证, key = 'alksdgjaldks' ctime = int(time.time() * 1000) def gen_key(): key_str = '{}|{}'.format(key,ctime) md5 = hashlib.md5() md5.update(key_str.encode('utf-8')) return md5.hexdigest() #通过双方有key 的方式进行验证 ret = requests.post( url = 'http://127.0.0.1:8000/api/test', params = {'sign':gen_key(),'ctime':ctime} ) print(ret.url,ret.text)