CMDB学习之API加密请求动态

#实现是通过时间戳+秘钥进行 MD5 加密处理
from django.shortcuts import render,HttpResponse,redirect,reverse
from django.views.decorators.csrf import csrf_exempt
import json
#使用rest_framework ，首先要安装pip去安装Djangorestframework ，这个模块
# 在Django的settings中注册app
import hashlib
import time
from django.conf import settings
from rest_framework.views import APIView
from rest_framework.response import Response
from api import models
from api import service
#服务端临时测试
KEY = 'alksdgjaldks'
#解密
def gen_key(key,ctime):
    key_str = '{}|{}'.format(key,ctime)
    md5 = hashlib.md5()
    md5.update(key_str.encode('utf-8'))
    return md5.hexdigest()



class AssetTest(APIView):
    def get(self,request):
        return Response("get ok ")
    def post(self,request):
        result = {'status':True,'data':5666666}
        #拿到key 和ctime ，MD5 正加密处理和请求的数据进行校验
        sign = request._request.GET.get('sign')
        ctime = request._request.GET.get('ctime')

        sign_key = gen_key(KEY,ctime)
        if sign != sign_key:
            result['status'] = False
            result['data'] = '检验不成功'

        return Response(result)

客户端测试API 

#!/usr/bin/env python
# -*- coding:utf-8 -*-

import requests
import time,hashlib

#通过双方有key 的方式进行验证,
key = 'alksdgjaldks'

ctime = time.time()
def gen_key():
    key_str = '{}|{}'.format(key,ctime)
    md5 = hashlib.md5()
    md5.update(key_str.encode('utf-8'))
    return md5.hexdigest()


#通过双方有key 的方式进行验证
ret = requests.post(
    url = 'http://127.0.0.1:8000/api/test',
    params = {'sign':gen_key(),'ctime':ctime}
)

print(ret.text)

注意测试URL路由   

url(r'^test',views.AssetTest.as_view()),#CBV 写法
上面是简单的加密，但是若劫持url依然可以去访问，所进一步进行修改

KEY = 'alksdgjaldks'
#解密
def gen_key(key,ctime):
    key_str = '{}|{}'.format(key,ctime)
    md5 = hashlib.md5()
    md5.update(key_str.encode('utf-8'))
    return md5.hexdigest()


SIGN_RECORD = {}

class AssetTest(APIView):
    def get(self,request):
        return Response("get ok ")
    def post(self,request):
        result = {'status':True,'data':5666666}
        #拿到key 和ctime ，MD5 正加密处理和请求的数据进行校验
        sign = request._request.GET.get('sign')
        ctime = request._request.GET.get('ctime')

        server_time = int(time.time()*1000)
        if server_time - int(ctime) > 5000:
            result['status'] = False
            result['data'] = '证书已经过期！'
            return Response(result)

        if sign in SIGN_RECORD:
            result['status'] = False
            result['data'] = '证书已经使用！'
            return Response(result)

        if sign != gen_key(KEY,ctime):
            result['status'] = False
            result['data'] = '检验不成功'
            return Response(result)

        SIGN_RECORD[sign] = ctime
        return Response(result)

#!/usr/bin/env python
# -*- coding:utf-8 -*-

import requests
import time,hashlib

#通过双方有key 的方式进行验证,
key = 'alksdgjaldks'

ctime = int(time.time() * 1000)
def gen_key():
    key_str = '{}|{}'.format(key,ctime)
    md5 = hashlib.md5()
    md5.update(key_str.encode('utf-8'))
    return md5.hexdigest()


#通过双方有key 的方式进行验证
ret = requests.post(
    url = 'http://127.0.0.1:8000/api/test',
    params = {'sign':gen_key(),'ctime':ctime}
)

print(ret.url,ret.text)