Login and change-password related APIs should transmit passwords as [ciphertext] #126

Closed
Canway-shiisa opened this issue Oct 28, 2021 · 7 comments · Fixed by #252 or #256
Labels: Layer: frontend (Front pages related), Layer: login (Login module related), Layer: saas (SaaS module related), Sign: help wanted (Extra attention is needed), Sign: security (Something related to security), Type: enhancement (Enhancement for existing feature)

Comments

@Canway-shiisa
Contributor

No description provided.

@IMBlues IMBlues added the labels Type: enhancement (Enhancement for existing feature), Layer: login (Login module related), Layer: saas (SaaS module related), Sign: security (Something related to security), Layer: frontend (Front pages related) Oct 28, 2021
@IMBlues IMBlues added this to the 202111H2 milestone Nov 8, 2021
@Xmandon Xmandon modified the milestones: 202111H2, Y2021M45-46 Nov 8, 2021
@IMBlues
Contributor

IMBlues commented Nov 9, 2021

Possible frontend encryption scheme:

[image]

https://github.com/travist/jsencrypt

The backend decrypts with the private key and then keeps the original logic unchanged.

@Xmandon Xmandon removed this from the Y2021M45-46 milestone Nov 23, 2021
@IMBlues
Contributor

IMBlues commented Jan 17, 2022

Temporarily use base64 to hide the plaintext.

yuri0528 added a commit to yuri0528/bk-user that referenced this issue Jan 19, 2022
IMBlues added a commit that referenced this issue Jan 19, 2022
fix: login and change-password use base64 encryption #126
@IMBlues IMBlues linked a pull request Jan 20, 2022 that will close this issue
@IMBlues IMBlues changed the title from "Login and change-password related APIs transmit passwords in plaintext" to "Login and change-password related APIs should transmit passwords as [ciphertext]" Mar 29, 2022
@wklken wklken added the Sign: help wanted Extra attention is needed label Mar 29, 2022
@wklken
Collaborator

wklken commented Mar 29, 2022

  1. The frontend base64-encodes the password (if there is an RSA requirement, could several schemes be supported at the same time?)
  2. As soon as the backend receives the form, decode it first thing, then continue with the existing logic.

Changes are needed; submit PRs to two projects:

  1. 7.0: the login project in https://github.com/TencentBlueKing/bk-user
  2. 6.0/3.0: the https://github.com/Tencent/bk-PaaS/tree/develop branch
    For versions after 6.1/3.1: https://github.com/Tencent/bk-PaaS/tree/ft_upgrade_py3 (cherry-pick it over directly)

Note that the Enterprise/Community edition login pages are two separate files, account/login.html and account/login_ce.html; both need to be changed together.


@Chace-wang

Chace-wang commented Apr 2, 2022

Requirement: RSA-encrypt the password when the BlueKing login frontend transmits it.
Modules to change:
1. bk-PaaS/paas2/login
2. bk-user/src/login

Changes:
1. login/conf/default
Add the DEFAULT_RSA_PUBLIC_KEY, DEFAULT_RSA_PRIVATE_KEY, RSA_PRIVATE_KEY, RSA_PRIVATE_KEY settings.
Because the code is open source, for safety these settings can be overridden from environment variables.

[image]

2. common/context_processors.py
    Pass RSA_PUBLIC_KEY to the frontend as a template parameter.

[image]

4. Add utils/crypt
      Add an RSA decryption function.

[image]

5. bkauth/forms
      Decrypt before password authentication.

[image]

6. static/assets/
    Add the new dependency jsencrypt.js, used for RSA encryption on the frontend.
    Download location: https://www.bootcdn.cn/jsencrypt/

7. templates/account/login.html or login_ce.html
    RSA-encrypt the password before transmitting it.

[image]
-------------- Additional step
8. Modify requirements.txt
Add rsa==3.4.2

@IMBlues
Contributor

IMBlues commented Apr 2, 2022

> Requirement: RSA-encrypt the password when the BlueKing login frontend transmits it. Modules to change: 1. bk-PaaS/paas2/login 2. bk-user/src/login
>
> Changes: 1. login/conf/default Add the DEFAULT_RSA_PUBLIC_KEY, DEFAULT_RSA_PRIVATE_KEY, RSA_PRIVATE_KEY, RSA_PRIVATE_KEY settings. Because the code is open source, for safety these settings can be overridden from environment variables.
>
> [image]
>
> 2. common/context_processors.py
>     Pass RSA_PUBLIC_KEY to the frontend as a template parameter.
>
> [image]
>
> 4. Add utils/crypt
>       Add an RSA decryption function.
>
> [image]
>
> 5. bkauth/forms
>       Decrypt before password authentication.
>
> [image]
>
> 6. static/assets/
>     Add the new dependency jsencrypt.js, used for RSA encryption on the frontend.
>     Download location: https://www.bootcdn.cn/jsencrypt/
>
> 7. templates/account/login.html or login_ce.html
>     RSA-encrypt the password before transmitting it.
>
> [image]

The flow looks OK to me. User management also has a change-password part; shall we change that along with this?

@Chace-wang

Chace-wang commented Apr 2, 2022

Requirement: encrypt the password in transit when changing or resetting it.
(Because no frontend developer is available, only the backend change plan is provided for now.)

Backend changes

Module to change: bk-user/src/saas

  1. saas/bkuser_shell/config/common/platform.py
    Add the DEFAULT_RSA_PUBLIC_KEY, DEFAULT_RSA_PRIVATE_KEY, RSA_PRIVATE_KEY, RSA_PRIVATE_KEY settings.

  2. saas/bkuser_shell/common/context_processors.py
    Pass RSA_PUBLIC_KEY to the frontend as a template parameter.

  3. Add crypt.py under saas/bkuser_shell/common/ with a decryption function, the same as crypt.py in the login module above
    (crypt.py could later be moved into bkuser_global and shared)

  4. saas/bkuser_shell/common/serializers.py
    Modify the Base64OrPlainField function:
    a. remove the base64-compatibility code
    b. add RSA encryption

[image]

---------- Additional step
5. pyproject.toml: add rsa==3.4.2
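
Added example (not code from bk-user or bk-PaaS): a standard-library Python model of the scheme laid out in the two change plans above, the login module (jsencrypt in login.html, an RSA decryption function in utils/crypt, decryption in bkauth/forms before authentication) and the SaaS module (the reworked Base64OrPlainField that no longer passes plain or base64-only values through). Everything in it is illustrative: the textbook RSA with PKCS#1 v1.5 padding, the 512-bit demo key, and the names rsa_encrypt_pkcs1, rsa_decrypt_pkcs1, RsaPasswordField, browser_side and server_side are this example's own, not the project's; a deployment uses jsencrypt.js and the rsa package named in the plans.

```python
"""Illustrative model of the password-transport scheme from this issue (added
example, not project code): the browser RSA-encrypts the password and base64-
encodes it, the backend decrypts it before authentication. Textbook RSA with
PKCS#1 v1.5 type-2 padding, standard library only; a real deployment uses
jsencrypt.js in the template and the `rsa` package on the server instead."""
import base64
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, enough for demo key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Returns ((e, n), (d, n)). 512 bits keeps the demo fast; real keys are 2048+."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt_pkcs1(message: bytes, public_key) -> bytes:
    """Browser side: EB = 00 || 02 || PS (random, non-zero) || 00 || M, then EB^e mod n."""
    e, n = public_key
    k = (n.bit_length() + 7) // 8
    if len(message) > k - 11:
        raise ValueError("message too long for key size")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(message) - 3))
    block = b"\x00\x02" + ps + b"\x00" + message
    return pow(int.from_bytes(block, "big"), e, n).to_bytes(k, "big")

def rsa_decrypt_pkcs1(ciphertext: bytes, private_key) -> bytes:
    """Server side (the utils/crypt role). Every failure raises the same error:
    telling padding failures apart from the rest would expose a padding oracle."""
    d, n = private_key
    k = (n.bit_length() + 7) // 8
    if len(ciphertext) != k:
        raise ValueError("decryption error")
    block = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x02" or sep < 10:  # PS must be at least 8 bytes long
        raise ValueError("decryption error")
    return block[sep + 1:]

class RsaPasswordField:
    """Stand-in for the reworked Base64OrPlainField: only RSA ciphertext is accepted;
    a plain or merely base64-encoded password is rejected rather than passed through."""

    def __init__(self, private_key):
        self.private_key = private_key

    def to_internal_value(self, data: str) -> str:
        try:
            raw = base64.b64decode(data, validate=True)
            return rsa_decrypt_pkcs1(raw, self.private_key).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raise ValueError("password must be RSA-encrypted") from None

def browser_side(password: str, public_key) -> str:
    """What login.html does with the RSA_PUBLIC_KEY the context processor handed it."""
    return base64.b64encode(rsa_encrypt_pkcs1(password.encode("utf-8"), public_key)).decode("ascii")

def server_side(form_value: str, private_key) -> str:
    """bkauth/forms: decrypt first, then hand the plaintext to the unchanged auth logic."""
    return RsaPasswordField(private_key).to_internal_value(form_value)

if __name__ == "__main__":
    pub, priv = generate_keypair()
    wire = browser_side("correct horse battery", pub)
    print("on the wire:", wire)
    print("backend sees:", server_side(wire, priv))
```

Two points the plans imply but do not spell out: the private key shipped in an open-source repository as DEFAULT_RSA_PRIVATE_KEY is public knowledge, so the environment-variable override is mandatory in a deployment rather than optional; and the decryption path above reports one uniform error for every failure, because letting a padding failure be distinguished from other failures would hand out a padding oracle on the login and change-password endpoints. Encrypting the field in the browser keeps the password out of request logs and intermediate proxies, but it is not a substitute for TLS: a captured ciphertext is still a valid credential for that same endpoint until the key is rotated.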

@wklken
Collaborator

wklken commented Jul 12, 2022

The login part has been merged: #532
Version: > v2.3.4-beta.29

@wklken wklken closed this as completed Sep 23, 2022