diff --git a/src/bk-login/bklogin/settings.py b/src/bk-login/bklogin/settings.py
index 402226228..3521deb9c 100644
--- a/src/bk-login/bklogin/settings.py
+++ b/src/bk-login/bklogin/settings.py
@@ -8,8 +8,10 @@ an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. """
+import hashlib
import os
from pathlib import Path
+from urllib.parse import urlparse
import environ
import urllib3
@@ -39,6 +41,7 @@
"django.contrib.sessions",
"django.contrib.messages",
"django.contrib.staticfiles",
+"corsheaders",
"django_prometheus",
"bklogin.authentication",
]
@@ -48,6 +51,7 @@
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.locale.LocaleMiddleware",
+"corsheaders.middleware.CorsMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.messages.middleware.MessageMiddleware",
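Review bot: `corsheaders.middleware.CorsMiddleware` is inserted below `SecurityMiddleware`, `SessionMiddleware` and `LocaleMiddleware` in the MIDDLEWARE hunk; django-cors-headers asks for it to sit as high as possible, because a response produced by an outer middleware's `process_request` (for instance an SSL redirect from `SecurityMiddleware`, if that is enabled) never passes through `CorsMiddleware` and so carries no CORS headers. Whether that matters here depends on settings outside this diff, so this may be deliberate. Placing it before `CommonMiddleware` is the part the docs insist on and is satisfied. A one-line comment such as `# must precede CommonMiddleware so its redirects also get CORS headers` would record the ordering constraint for the next editor.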
@@ -134,15 +138,38 @@ BK_LOGIN_URL = f"{BK_DOMAIN_SCHEME}://{BK_LOGIN_ADDR}{SITE_URL}"
AJAX_BASE_URL = env.str("AJAX_BASE_URL", SITE_URL)
# 蓝鲸公共的Cookie的Domain(比如 bk_token和blueking_language)
-BK_COOKIE_DOMAIN = "." + env.str("BK_DOMAIN")
+BK_COOKIE_DOMAIN = f".{BK_DOMAIN}"
# 登录完成后允许重定向的HOST
ALLOWED_REDIRECT_HOSTS = env.list("BK_LOGIN_ALLOWED_REDIRECT_HOSTS", default=[])
+# 语言Cookie(蓝鲸体系共享)
+LANGUAGE_COOKIE_DOMAIN = BK_COOKIE_DOMAIN
-# django cookie
-SESSION_COOKIE_NAME = "bklogin_sessionid"
+# session & csrf
+_BK_LOGIN_URL_PARSE_URL = urlparse(BK_LOGIN_URL)
+_BK_LOGIN_HOSTNAME = _BK_LOGIN_URL_PARSE_URL.hostname # 去除端口的域名
+_BK_LOGIN_NETLOC = _BK_LOGIN_URL_PARSE_URL.netloc # 若有端口,则会带上对应端口
+_BK_LOGIN_IS_SPECIAL_PORT = _BK_LOGIN_URL_PARSE_URL.port in [None, 80, 443]
+_BK_LOGIN_SCHEME = _BK_LOGIN_URL_PARSE_URL.scheme
+_BK_LOGIN_URL_MD5_16BIT = hashlib.md5(BK_LOGIN_URL.encode("utf-8")).hexdigest()[8:-8]
+# 注意:Cookie Domain是不支持端口的
+SESSION_COOKIE_DOMAIN = _BK_LOGIN_HOSTNAME
+CSRF_COOKIE_DOMAIN = SESSION_COOKIE_DOMAIN
+SESSION_COOKIE_NAME = f"bklogin_sessionid_{_BK_LOGIN_URL_MD5_16BIT}"
SESSION_COOKIE_AGE = 60 * 60 * 24 # 1天
-CSRF_COOKIE_NAME = "bklogin_csrftoken"
-LANGUAGE_COOKIE_DOMAIN = BK_COOKIE_DOMAIN
+CSRF_COOKIE_NAME = f"bklogin_csrftoken_{_BK_LOGIN_URL_MD5_16BIT}"
+# 对于特殊端口,带端口和不带端口都得添加,其他只需要添加默认原生的即可
+CSRF_TRUSTED_ORIGINS = [_BK_LOGIN_HOSTNAME, _BK_LOGIN_NETLOC] if _BK_LOGIN_IS_SPECIAL_PORT else [_BK_LOGIN_NETLOC]
+
+# cors
+CORS_ALLOW_CREDENTIALS = True # 在 response 添加 Access-Control-Allow-Credentials, 即允许跨域使用 cookies
+CORS_ORIGIN_WHITELIST = (
+ [f"{_BK_LOGIN_SCHEME}://{_BK_LOGIN_HOSTNAME}", f"{_BK_LOGIN_SCHEME}://{_BK_LOGIN_NETLOC}"]
+ if _BK_LOGIN_IS_SPECIAL_PORT
+ else [f"{_BK_LOGIN_SCHEME}://{_BK_LOGIN_NETLOC}"]
+)
+# debug/联调测试时需要允许额外的域名跨域请求
+CORS_ORIGIN_ADDITIONAL_WHITELIST = env.list("CORS_ORIGIN_ADDITIONAL_WHITELIST", default=[])
+CORS_ORIGIN_WHITELIST.extend(CORS_ORIGIN_ADDITIONAL_WHITELIST)
# 登录票据
# 登录票据Cookie名称
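Review bot: `CSRF_TRUSTED_ORIGINS` is populated with bare host values (`_BK_LOGIN_HOSTNAME`, `_BK_LOGIN_NETLOC`), but since Django 4.0 every entry must carry a scheme (`https://host[:port]`) and the startup compatibility check refuses entries without one; the Django version is not visible in this diff, so if it is 4.x the `scheme://netloc` strings already built for `CORS_ORIGIN_WHITELIST` a few lines below are the form this setting needs, and a version-qualifying comment on the line would help either way. `hashlib.md5(BK_LOGIN_URL.encode("utf-8"))` is used only to derive a stable cookie-name suffix, yet on a FIPS-enforcing Python build a plain `md5()` call raises at settings import; `hashlib.md5(BK_LOGIN_URL.encode("utf-8"), usedforsecurity=False)` (available on the `>=3.10` interpreter the lockfile pins) both avoids that and documents that no security property is claimed. With `CORS_ALLOW_CREDENTIALS = True`, each origin read from `CORS_ORIGIN_ADDITIONAL_WHITELIST` gains credentialed cross-site access to the login service, so the existing `# debug/联调测试时需要允许额外的域名跨域请求` comment should say explicitly that the variable must stay empty in production; as far as I recall django-cors-headers' system checks also reject entries lacking a scheme, so a misformatted value fails loudly rather than silently. `_BK_LOGIN_IS_SPECIAL_PORT` is true for the default ports (`None`, 80, 443), so the name reads inverted; `_BK_LOGIN_IS_DEFAULT_PORT` would match what it tests. `CORS_ORIGIN_WHITELIST` is the pre-3.5 name of the setting, and I believe 4.3.0 still reads it as a fallback for `CORS_ALLOWED_ORIGINS`, but using the current name avoids relying on that.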
diff --git a/src/bk-login/poetry.lock b/src/bk-login/poetry.lock
index 714cdd159..b5a40dd56 100644
--- a/src/bk-login/poetry.lock
+++ b/src/bk-login/poetry.lock
@@ -454,6 +454,25 @@ type = "legacy"
url = "https://mirrors.tencent.com/pypi/simple"
reference = "tencent"
+[[package]]
+name = "django-cors-headers"
+version = "4.3.0"
+description = "django-cors-headers is a Django application for handling the server headers required for Cross-Origin Resource Sharing (CORS)."
+optional = false
+python-versions = ">=3.8"
+files = [
+ {file = "django_cors_headers-4.3.0-py3-none-any.whl", hash = "sha256:bd36c7aea0d070e462f3383f0dc9ef717e5fdc2b10a99c98c285f16da84ffba2"},
+ {file = "django_cors_headers-4.3.0.tar.gz", hash = "sha256:25aabc94d4837678c1edf442c7f68a5f5fd151f6767b0e0b01c61a2179d02711"},
+]
+
+[package.dependencies]
+Django = ">=3.2"
+
+[package.source]
+type = "legacy"
+url = "https://mirrors.tencent.com/pypi/simple"
+reference = "tencent"
+
[[package]]
name = "django-environ"
version = "0.8.1"
@@ -2484,4 +2503,4 @@ reference = "tencent"
[metadata]
lock-version = "2.0"
python-versions = ">=3.10,<3.11"
-content-hash = "ed8e326eafc9cf2a2e247c25428773f17d101b271af049766c0e583c9070c511"
+content-hash = "8fe857ac749537cae9361f953f3727dc9260e67da4213830fc2c3ca11e58b789"
diff --git a/src/bk-login/pyproject.toml b/src/bk-login/pyproject.toml
index 3b66835fe..8e441aaf4 100644
--- a/src/bk-login/pyproject.toml
+++ b/src/bk-login/pyproject.toml
@@ -33,6 +33,7 @@ opentelemetry-instrumentation-requests = "0.41b0"
opentelemetry-instrumentation-logging = "0.41b0"
pydantic = "2.3.0"
blue-krill = "2.0.2"
+django-cors-headers = "4.3.0"
[tool.poetry.group.dev.dependencies]
ruff = "^0.1.4"