认证流程http://www.cnblogs.com/weiwu1578/articles/8795998.html

权限流程http://www.cnblogs.com/weiwu1578/articles/8796125.html

当用发出请求时 首先执行dispatch函数,当执行当第二部时:

   #2.处理版本信息 处理认证信息 处理权限信息 对用户的访问频率进行限制
            self.initial(request, *args, **kwargs)

进入到initial方法:

  def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
        #2.1处理版本信息
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted
        #2.2处理认证信息
        self.perform_authentication(request)
        #2.3处理权限信息
        self.check_permissions(request)
        #2.4对用户的访问频率进行限制
        self.check_throttles(request)
 #2.4对用户的访问频率进行限制
        self.check_throttles(request)

下面 开始 限流的具体分析:

一、执行check_throttles方法

    def check_throttles(self, request):
        """
        Check if request should be throttled.
        Raises an appropriate exception if the request is throttled.
        """
        #遍历throttle对象列表
        for throttle in self.get_throttles():
            #根据allow_request()的返回值进行下一步操作,返回True的话不执行下面代码,标识不限流,返回False的话执行下面代码,还可以抛出异常
            if not throttle.allow_request(request, self):
                #返回False的话执行
                self.throttled(request, throttle.wait())

二、执行allow_request方法

首先找到BaseThrottle类,有好多类继承了该类,并且都有allow_request方法,至于执行那个类中的allow_request方法,取决于我们自定义的Throttle这个类继承谁

class BaseThrottle(object):
    """
    Rate throttling of requests.
    """

    def allow_request(self, request, view):
        """
        Return `True` if the request should be allowed, `False` otherwise.
        """
        raise NotImplementedError('.allow_request() must be overridden')
    #获取唯一标识,匿名用户用ip地址,认证用户用自己的user信息
    def get_ident(self, request):
        """
        Identify the machine making the request by parsing HTTP_X_FORWARDED_FOR
        if present and number of proxies is > 0. If not use all of
        HTTP_X_FORWARDED_FOR if it is available, if not use REMOTE_ADDR.
        """
        xff = request.META.get('HTTP_X_FORWARDED_FOR')
        remote_addr = request.META.get('REMOTE_ADDR')
        num_proxies = api_settings.NUM_PROXIES

        if num_proxies is not None:
            if num_proxies == 0 or xff is None:
                return remote_addr
            addrs = xff.split(',')
            client_addr = addrs[-min(num_proxies, len(addrs))]
            return client_addr.strip()

        return ''.join(xff.split()) if xff else remote_addr

    def wait(self):
        """
        Optionally, return a recommended number of seconds to wait before
        the next request.
        """
        return None

三、具体分析以具有代表性的SimpleRateThrottle类分析

class SimpleRateThrottle(BaseThrottle):
    """
    A simple cache implementation, that only requires `.get_cache_key()`
    to be overridden.

    The rate (requests / seconds) is set by a `throttle` attribute on the View
    class.  The attribute is a string of the form 'number_of_requests/period'.

    Period should be one of: ('s', 'sec', 'm', 'min', 'h', 'hour', 'd', 'day')

    Previous request information used for throttling is stored in the cache.
    """
    cache = default_cache
    timer = time.time
    cache_format = 'throttle_%(scope)s_%(ident)s'
    scope = None
    THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES

    def __init__(self):
        #判断是否有rate,实际上rate就是我们定义的scope的值
        if not getattr(self, 'rate', None):
            #没有调用get_rate()获取
            self.rate = self.get_rate()
        #num_requests代表具体的次数 duration代表具体的时间单位
        self.num_requests, self.duration = self.parse_rate(self.rate)

    def get_cache_key(self, request, view):
        """
        Should return a unique cache-key which can be used for throttling.
        Must be overridden.

        May return `None` if the request should not be throttled.
        """
        raise NotImplementedError('.get_cache_key() must be overridden')

    def get_rate(self):
        """
        Determine the string representation of the allowed request rate.
        """
        #判断当前类中我们定义的scope是否有值,没有则抛出异常,告诉我们必须设置scope
        if not getattr(self, 'scope', None):
            msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
                   self.__class__.__name__)
            raise ImproperlyConfigured(msg)

        try:
            #有的话直接返回scope对应的值
            return self.THROTTLE_RATES[self.scope]
        except KeyError:
            msg = "No default throttle rate set for '%s' scope" % self.scope
            raise ImproperlyConfigured(msg)

    def parse_rate(self, rate):
        """
        Given the request rate string, return a two tuple of:
        <allowed number of requests>, <period of time in seconds>
        """
        if rate is None:
            return (None, None)
        #rate实际就是我们自定义的scope的值 如10/m(代表10次每分钟)
        #按'/'切分num代表次数,period代表时间
        num, period = rate.split('/')
        #多少次
        num_requests = int(num)
        #获取具体的时间单位
        duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
        return (num_requests, duration)

    def allow_request(self, request, view):
        """
        Implement the check to see if the request should be throttled.

        On success calls `throttle_success`.
        On failure calls `throttle_failure`.
        """
        #如果没有rate也就是scope没有值
        #如果没有则表示不限流,
        if self.rate is None:
            return True

        #get_cache_key必须自己重写,如果没有则表示不限流
        #key一般是唯一标示如用户名密码 或者登陆者的ip地址
        self.key = self.get_cache_key(request, view)
        if self.key is None:
            return True
        #获取当前key所对应的时间列表,也就是用户每一次访问的时间都放到该列表中
        self.history = self.cache.get(self.key, [])
        #当前时间
        self.now = self.timer()

        # Drop any requests from the history which have now passed the
        # throttle duration
        #当时间列表存在,并且当前时间已经超出了规定的时间
        while self.history and self.history[-1] <= self.now - self.duration:
            #把最开始加进去的时间删除
            self.history.pop()
        #如果列表中的时间数大于规定执行的次数
        if len(self.history) >= self.num_requests:
            #则return False
            return self.throttle_failure()
        #return True
        return self.throttle_success()

    def throttle_success(self):
        """
        Inserts the current request's timestamp along with the key
        into the cache.
        """
        self.history.insert(0, self.now)
        self.cache.set(self.key, self.history, self.duration)
        return True

    def throttle_failure(self):
        """
        Called when a request to the API has failed due to throttling.
        """
        return False

    def wait(self):
        """
        Returns the recommended next request time in seconds.
        """
        if self.history:
            #计算等待时间(也就是等待多久可以才可以访问下一次)
            remaining_duration = self.duration - (self.now - self.history[-1])
        else:
            remaining_duration = self.duration

        #在规定的时间内还可以访问多少次
        available_requests = self.num_requests - len(self.history) + 1
        if available_requests <= 0:
            return None

        return remaining_duration / float(available_requests)

四、回到第一步,执行allow_request方法

 def allow_request(self, request, view):
        """
        Implement the check to see if the request should be throttled.

        On success calls `throttle_success`.
        On failure calls `throttle_failure`.
        """
        #如果没有rate也就是scope没有值
        #如果没有则表示不限流,
        if self.rate is None:
            return True

        #get_cache_key必须自己重写,如果没有则表示不限流
        #key一般是唯一标示如用户名密码 或者登陆者的ip地址
        self.key = self.get_cache_key(request, view)
        if self.key is None:
            return True
        #获取当前key所对应的时间列表,也就是用户每一次访问的时间都放到该列表中
        self.history = self.cache.get(self.key, [])
        #当前时间
        self.now = self.timer()

        # Drop any requests from the history which have now passed the
        # throttle duration
        #当时间列表存在,并且当前时间已经超出了规定的时间
        while self.history and self.history[-1] <= self.now - self.duration:
            #把最开始加进去的时间删除
            self.history.pop()
        #如果列表中的时间数大于规定执行的次数
        if len(self.history) >= self.num_requests:
            #则return False
            return self.throttle_failure()
        #return True
        return self.throttle_success()

根据allow_request方法的返回值确定具体执行,返回False的话执行

#根据allow_request()的返回值进行下一步操作,返回True的话不执行下面代码,标识不限流,返回False的话执行下面代码,还可以抛出异常
            if not throttle.allow_request(request, self):
                #返回False的话执行
                self.throttled(request, throttle.wait())
 def throttled(self, request, wait):
        """
        If request is throttled, determine what kind of exception to raise.
        """
        raise exceptions.Throttled(wait)
class Throttled(APIException):
    status_code = status.HTTP_429_TOO_MANY_REQUESTS
    default_detail = _('Request was throttled.')
    extra_detail_singular = 'Expected available in {wait} second.'
    extra_detail_plural = 'Expected available in {wait} seconds.'
    default_code = 'throttled'

    def __init__(self, wait=None, detail=None, code=None):
        if detail is None:
            detail = force_text(self.default_detail)
        if wait is not None:
            wait = math.ceil(wait)
            detail = ' '.join((
                detail,
                force_text(ungettext(self.extra_detail_singular.format(wait=wait),
                                     self.extra_detail_plural.format(wait=wait),
                                     wait))))
        self.wait = wait
        super(Throttled, self).__init__(detail, code)

 

例子:继承BaseThrottle

  url(r'^limit/', app03_views.Limitview.as_view()),
import time

from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework.throttling import BaseThrottle
from rest_framework import exceptions
# Create your views here.


AllOW={}

class MyThrottle(BaseThrottle):
    '''
    要求每分钟只能访问十次
    '''
    ip = '1.1.1.1'
    def allow_request(self, request, view):

        ctime=time.time()
        ip=self.ip
        if ip not in AllOW:
            AllOW[ip]=[ctime,]
        else:
            time_list=AllOW[ip]
            while True:
                if ctime-60>time_list[-1]:
                    time_list.pop()
                else :
                    break
            if len(AllOW[ip])>10:
                return False
            AllOW[ip].insert(0,ctime)
        return True

    def wait(self):
        ip=self.ip
        ctime=time.time()
        first_in_time=AllOW[ip][-1]
        wt=60-(ctime-first_in_time)
        return wt





class Limitview(APIView):
    throttle_classes=[MyThrottle,]
    def get(self,reques):
        self.dispatch()
        return Response('欢迎访问')

    def throttled(self,request,wait):
        class InnerThrottled(exceptions.Throttled):
            default_detail = '请求被限制.'
            extra_detail_singular = 'Expected available in {wait} second.'
            extra_detail_plural = '还需要再等待{wait}秒'

        raise InnerThrottled(wait)
REST_FRAMEWORK = {
    'UNAUTHENTICATED_USER': None,
    'UNAUTHENTICATED_TOKEN': None,
    "DEFAULT_AUTHENTICATION_CLASSES": [
      # "app01.utils.MyAuthentication",
        "app02.utils.MyAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES":[
       "app02.utils.MyPermission",
       "app02.utils.AdminPermission",
    ],
}

 

seetings中没有配置跟Throttle有的的信息

继承SimpleRateThrottle

url(r'^limit/', app03_views.Limitview.as_view()),
import time

from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework.throttling import BaseThrottle
from rest_framework.throttling import SimpleRateThrottle
from rest_framework import exceptions
# Create your views here.


AllOW={}

class MyThrottle(BaseThrottle):
    '''
    要求每分钟只能访问十次
    '''
    ip = '1.1.1.1'
    def allow_request(self, request, view):

        ctime=time.time()
        ip=self.ip
        if ip not in AllOW:
            AllOW[ip]=[ctime,]
        else:
            time_list=AllOW[ip]
            while True:
                if ctime-60>time_list[-1]:
                    time_list.pop()
                else :
                    break
            if len(AllOW[ip])>10:
                return False
            AllOW[ip].insert(0,ctime)
        return True

    def wait(self):
        ip=self.ip
        ctime=time.time()
        first_in_time=AllOW[ip][-1]
        wt=60-(ctime-first_in_time)
        return wt


class MySimpleRateThrottle(SimpleRateThrottle):
    #必须要写因为SimpleRateThrottle中要求了必须写
    '''
     def get_rate(self):
        """
        Determine the string representation of the allowed request rate.
        """
        #判断当前类中我们定义的scope是否有值,没有则抛出异常,告诉我们必须设置scope
        if not getattr(self, 'scope', None):
            msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
                   self.__class__.__name__)
            raise ImproperlyConfigured(msg)
    '''
    scope = 'tiga'

    #也必须必须要写
    '''
        def get_cache_key(self, request, view):
        """
        Should return a unique cache-key which can be used for throttling.
        Must be overridden.

        May return `None` if the request should not be throttled.
        """
        raise NotImplementedError('.get_cache_key() must be overridden')
    '''
    def get_cache_key(self, request, view):
        return self.get_ident(request)



class Limitview(APIView):
    throttle_classes=[MySimpleRateThrottle,]
    def get(self,reques):
        return Response('欢迎访问')

    def throttled(self,request,wait):
        class InnerThrottled(exceptions.Throttled):
            default_detail = '请求被限制.'
            extra_detail_singular = 'Expected available in {wait} second.'
            extra_detail_plural = '还需要再等待{wait}秒'

        raise InnerThrottled(wait)
from django.db import models

# Create your models here.
class Userinfo(models.Model):
    name=models.CharField(max_length=32,verbose_name='用户名')
    pwd=models.CharField(max_length=32,verbose_name='密码')
    token=models.CharField(max_length=64,null=True)

    def __str__(self):
        return self.name
REST_FRAMEWORK = {
    'UNAUTHENTICATED_USER': None,
    'UNAUTHENTICATED_TOKEN': None,
    "DEFAULT_AUTHENTICATION_CLASSES": [
      # "app01.utils.MyAuthentication",
        "app02.utils.MyAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES":[
       "app02.utils.MyPermission",
       "app02.utils.AdminPermission",
    ],
    "DEFAULT_THROTTLE_RATES":{
       'tiga':'10/m',
    }
}

 

认证,权限,限流综合联系

    url(r'^index/', app04_views.IndexView.as_view()),
    url(r'^user/', app04_views.UserView.as_view()),
    url(r'^manage/', app04_views.ManageView.as_view()),
from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.throttling import SimpleRateThrottle
from rest_framework import exceptions

from app01 import models

# Create your views here.
class MyAuthentication(BaseAuthentication):
    def authenticate(self, request):
        token=request.query_params.get('token')
        user=models.Userinfo.objects.filter(token=token).first()
        if user:
            return (user.name,user)
        return None

class UserPermission(BasePermission):
    message='登录用户才可以访问'
    def has_permission(self, request, view):
        if request.user:
            return True
        return False
class AdminPermission(BasePermission):
    message='管理员才能访问'
    def has_permission(self, request, view):
        if request.user =='ctz':
            return True
        return False


class AnnoThrottle(SimpleRateThrottle):
    scope = 'anno'
    def get_cache_key(self, request, view):
        #如果是匿名用户则执行
        if not request.user:
            return self.get_ident(request)
        #如果不是匿名用户则让他执行
        return None

class UserThrottle(SimpleRateThrottle):
    scope = 'user'

    def get_cache_key(self, request, view):
        #当前用户登陆了,并且当前用户不是管理员
        if request.user and request.user!='ctz':
            return self.get_ident(request)
        #如果是匿名用户和管理员 则让他继续执行
        return None

class AdminThrottle(SimpleRateThrottle):
    scope = 'admin'

    def get_cache_key(self, request, view):
        #如果是管理员
        if request.user=='ctz':
            return self.get_ident(request)
        #不是管理员
        return  None

class IndexView(APIView):
    '''
    要求,所有用户都能访问,匿名用户5/m,普通用户10/m,管理员不限
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = []
    throttle_classes = [AnnoThrottle,UserThrottle,AdminThrottle]
    def get(self,request):
        return Response('首页')

    def throttled(self, request, wait):
        class UserInnerThrottled(exceptions.Throttled):
            default_detail = '请求被限制.'
            extra_detail_singular = 'Expected available in {wait} second.'
            extra_detail_plural = '还需要再等待{wait}秒'
        raise UserInnerThrottled(wait)



class UserView(APIView):
    '''
    要求:登录用户能访问,普通用户10/m,管理员20/m
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = [UserPermission,]
    throttle_classes = [UserThrottle,AdminThrottle]
    def get(self,request):
        return Response('用户界面')

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('无权访问')
        raise exceptions.PermissionDenied(detail=message)


    def throttled(self, request, wait):
        class UserInnerThrottled(exceptions.Throttled):
            default_detail = '请求被限制.'
            extra_detail_singular = 'Expected available in {wait} second.'
            extra_detail_plural = '还需要再等待{wait}秒'
        raise UserInnerThrottled(wait)

class ManageView(APIView):
    '''
    要求:只有管理园能访问,5/m
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = [AdminPermission,]
    throttle_classes = [AdminThrottle]
    def get(self,request):
        return Response('管理员界面')

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('无权访问')
        raise exceptions.PermissionDenied(detail=message)

    def throttled(self, request, wait):
        class UserInnerThrottled(exceptions.Throttled):
            default_detail = '请求被限制.'
            extra_detail_singular = 'Expected available in {wait} second.'
            extra_detail_plural = '还需要再等待{wait}秒'
        raise UserInnerThrottled(wait)
from django.db import models

# Create your models here.
class Userinfo(models.Model):
    name=models.CharField(max_length=32,verbose_name='用户名')
    pwd=models.CharField(max_length=32,verbose_name='密码')
    token=models.CharField(max_length=64,null=True)

    def __str__(self):
        return self.name
REST_FRAMEWORK = {
    'UNAUTHENTICATED_USER': None,
    'UNAUTHENTICATED_TOKEN': None,
    "DEFAULT_AUTHENTICATION_CLASSES": [
      # "app01.utils.MyAuthentication",
        "app02.utils.MyAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES":[
       "app02.utils.MyPermission",
       "app02.utils.AdminPermission",
    ],
    "DEFAULT_THROTTLE_RATES":{
       'tiga':'10/m',
       'anno':'5/m',
       'user':'10/m',
       'admin':'20/m',
    }
}

 

posted on 2018-04-11 19:15  Py行僧  阅读(337)  评论(0编辑  收藏  举报