perf: AKSK添加访问IP控制

2025-09-15 06:49:17 +00:00 · 2023-10-31 14:15:07 +08:00
parent bc54685a31
commit dc841650cf
7 changed files with 100 additions and 32 deletions
--- a/apps/authentication/backends/drf.py
+++ b/apps/authentication/backends/drf.py
@@ -8,7 +8,7 @@ from django.utils.translation import gettext as _
 from rest_framework import authentication, exceptions

 from common.auth import signature
-from common.utils import get_object_or_none
+from common.utils import get_object_or_none, get_request_ip_or_data, contains_ip
 from ..models import AccessKey, PrivateToken


@@ -122,3 +122,14 @@ class SignatureAuthentication(signature.SignatureAuthentication):
            return user, secret
        except (AccessKey.DoesNotExist, exceptions.ValidationError):
            return None, None
+
+    def is_ip_allow(self, key_id, request):
+        try:
+            ak = AccessKey.objects.get(id=key_id)
+            ip_group = ak.ip_group
+            ip = get_request_ip_or_data(request)
+            if not contains_ip(ip, ip_group):
+                return False
+            return True
+        except (AccessKey.DoesNotExist, exceptions.ValidationError):
+            return False
--- a/apps/authentication/migrations/0024_accesskey_ip_group.py
+++ b/apps/authentication/migrations/0024_accesskey_ip_group.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.1.10 on 2023-10-31 05:37
+
+import authentication.models.access_key
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentication', '0023_auto_20231010_1101'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accesskey',
+            name='ip_group',
+            field=models.JSONField(default=authentication.models.access_key.defatult_ip_group, verbose_name='IP group'),
+        ),
+    ]
--- a/apps/authentication/models/access_key.py
+++ b/apps/authentication/models/access_key.py
@@ -12,9 +12,14 @@ def default_secret():
    return random_string(36)


+def defatult_ip_group():
+    return ["*"]
+
+
 class AccessKey(models.Model):
    id = models.UUIDField(verbose_name='AccessKeyID', primary_key=True, default=uuid.uuid4, editable=False)
    secret = models.CharField(verbose_name='AccessKeySecret', default=default_secret, max_length=36)
+    ip_group = models.JSONField(default=defatult_ip_group, verbose_name=_('IP group'))
    user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name='User',
                             on_delete=common.db.models.CASCADE_SIGNAL_SKIP, related_name='access_keys')
    is_active = models.BooleanField(default=True, verbose_name=_('Active'))
--- a/apps/authentication/serializers/token.py
+++ b/apps/authentication/serializers/token.py
@@ -4,6 +4,7 @@ from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

+from acls.serializers.rules import ip_group_child_validator, ip_group_help_text
 from common.utils import get_object_or_none, random_string
 from users.models import User
 from users.serializers import UserProfileSerializer
@@ -17,9 +18,14 @@ __all__ = [


 class AccessKeySerializer(serializers.ModelSerializer):
+    ip_group = serializers.ListField(
+        default=['*'], label=_('AccessIP'), help_text=ip_group_help_text,
+        child=serializers.CharField(max_length=1024, validators=[ip_group_child_validator])
+    )
+
    class Meta:
        model = AccessKey
-        fields = ['id', 'is_active', 'date_created', 'date_last_used']
+        fields = ['id', 'is_active', 'date_created', 'date_last_used'] + ['ip_group']
        read_only_fields = ['id', 'date_created', 'date_last_used']