feature: 登录时，支持密码明文进行加密处理

deploy/helm/bk-user/charts/login/templates/general-envs-configmap.yaml

@@ -24,3 +24,7 @@ data:
   SENTRY_DSN: "{{ .Values.global.sentryDsn }}"
   # Login API Auth Enabled 登录是否开启了 API 认证
   BK_LOGIN_API_AUTH_ENABLED: "{{ .Values.bkLoginApiAuthEnabled }}"
+  # Rsa 登录密码加密
+  ENABLE_PASSWORD_RSA_ENCRYPTED: "{{ .Values.enablePasswordRSAEncrypted }}"
+  PASSWORD_RSA_PUBLIC_KEY: "{{ .Values.passwordRSAPublicKeyBase64 }}"
+  PASSWORD_RSA_PRIVATE_KEY: "{{ .Values.passwordRSAPrivateKeyBase64 }}"

deploy/helm/bk-user/charts/login/values.yaml

@@ -240,3 +240,8 @@ volumeMounts: []
   ## 自定义登录插件示例
   # - name: bk-login-plugin-example
   #   mountPath: /app/bklogin/ee_login/
+
+# rsa 登录密码明文加密
+enablePasswordRSAEncrypted: false
+passwordRSAPublicKeyBase64: ""
+passwordRSAPrivateKeyBase64: ""

deploy/helm/bk-user/values.yaml

@@ -59,7 +59,6 @@ saas:
 login:
   enabled: true
   bkComponentApiUrl: "http://bkapi.example.com"
-
   envFrom:
   - configMapRef:
       name: bk-login-general-envs

src/bkuser_global/crypt.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+"""
+Tencent is pleased to support the open source community by making 蓝鲸智云PaaS平台社区版 (BlueKing PaaS
+Community Edition) available.
+Copyright (C) 2017-2018 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
+import base64
+
+import rsa
+
+
+def rsa_decrypt_password(pwd_str, private_key):
+    if not pwd_str:
+        return pwd_str
+
+    pkcs1_private_key = rsa.PrivateKey.load_pkcs1(private_key)
+    return rsa.decrypt(base64.b64decode(pwd_str), pkcs1_private_key).decode()

src/login/bklogin/bkauth/forms.py

@@ -12,15 +12,21 @@
 
 
 from django import forms
+from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.forms import AuthenticationForm
 
+from bkuser_global.crypt import rsa_decrypt_password
+
 
 class BkAuthenticationForm(AuthenticationForm):
     def clean(self):
         username = self.cleaned_data.get("username")
         password = self.cleaned_data.get("password")
 
+        if settings.ENABLE_PASSWORD_RSA_ENCRYPTED:
+            password = rsa_decrypt_password(password, settings.PASSWORD_RSA_PRIVATE_KEY)
+
         if username and password:
             # will call backend/bk.py: BkUserBackend.authenticate()
             self.user_cache = authenticate(

src/login/bklogin/common/context_processors.py

@@ -9,6 +9,7 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
+import base64
 import urllib.parse
 from builtins import str
 
@@ -24,6 +25,8 @@
 def site_settings(request):
     real_static_url = urllib.parse.urljoin(str(settings.SITE_URL), str("." + settings.STATIC_URL))
     cur_domain = request.get_host()
+    password_rsa_public_key = base64.b64encode(settings.PASSWORD_RSA_PUBLIC_KEY.encode()).decode()
+    enable_password_rsa_encrypted = str(settings.ENABLE_PASSWORD_RSA_ENCRYPTED).lower()
     return {
         # "LOGIN_URL": settings.LOGIN_URL,
         "LOGOUT_URL": settings.LOGOUT_URL,
@@ -38,4 +41,6 @@ def site_settings(request):
         "JS_SUFFIX": settings.JS_SUFFIX,
         # 本地 css 后缀名
         "CSS_SUFFIX": settings.CSS_SUFFIX,
+        "PASSWORD_RSA_PUBLIC_KEY": password_rsa_public_key,
+        "ENABLE_PASSWORD_RSA_ENCRYPTED": enable_password_rsa_encrypted,
     }

src/login/bklogin/config/common/django_basic.py

@@ -9,9 +9,11 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
+import base64
 import os
 
 from . import PROJECT_ROOT, env
+from bklogin.common.log import logger
 
 ALLOWED_HOSTS = ["*"]
 
@@ -129,3 +131,27 @@
 # AUTHENTICATION
 # ==============================================================================
 AUTH_USER_MODEL = "bkauth.User"
+
+# ==============================================================================
+# RSA
+# ==============================================================================
+
+ENABLE_PASSWORD_RSA_ENCRYPTED = env.bool("ENABLE_PASSWORD_RSA_ENCRYPTED", False)
+PASSWORD_RSA_PUBLIC_KEY = env.str("BK_PASSWORD_RSA_PUBLIC_KEY", "")
+PASSWORD_RSA_PRIVATE_KEY = env.str("BK_PASSWORD_RSA_PRIVATE_KEY", "")
+
+if ENABLE_PASSWORD_RSA_ENCRYPTED:
+    message = "enable password rsa encrypted"
+    print(message)
+    logger.debug(message)
+
+    try:
+        PASSWORD_RSA_PUBLIC_KEY = base64.b64decode(PASSWORD_RSA_PUBLIC_KEY).decode()
+        PASSWORD_RSA_PRIVATE_KEY = base64.b64decode(PASSWORD_RSA_PRIVATE_KEY).decode()
+    except Exception as e:
+        rsa_key_info = (
+            f"PASSWORD_RSA_PUBLIC_KEY={PASSWORD_RSA_PUBLIC_KEY},PASSWORD_RSA_PRIVATE_KEY={PASSWORD_RSA_PRIVATE_KEY}"
+        )
+        message = f"password rsa encrypted is enabled, but b64decode fail, {rsa_key_info}"
+        logger.error(message)
+        raise e

src/login/bklogin/templates/account/login.html

@@ -119,4 +119,25 @@
         window.open("{{login_redirect_to}}");
         {% endif %}
     </script>
-</html>
+
+    <script src="{{STATIC_URL}}assets/jsencrypt-3.2.1.min.js?v={{STATIC_VERSION}}"></script>
+    <script type="text/javascript">
+        PASSWORD_RSA_PUBLIC_KEY = "{{ PASSWORD_RSA_PUBLIC_KEY }}"
+        ENABLE_PASSWORD_RSA_ENCRYPTED = "{{ ENABLE_PASSWORD_RSA_ENCRYPTED }}" === "true"
+        // 密码传输rsa加密
+        function rsa_encrypt_password() {
+            var public_key = window.atob(PASSWORD_RSA_PUBLIC_KEY).split('\n').join("");
+            var password = $('#password').val();
+            var encrypt = new JSEncrypt();
+            encrypt.setKey(public_key);
+            var encrypted = encrypt.encrypt(password);
+            $('#password').val(encrypted);
+        }
+        $(document).ready(function(){
+             if (ENABLE_PASSWORD_RSA_ENCRYPTED) {
+                 $('#login-form').submit(() => {
+                     rsa_encrypt_password();
+                });
+            }
+        })
+    </script></html>

src/login/bklogin/templates/account/login_ce.html

@@ -135,4 +135,27 @@
         window.open("{{login_redirect_to}}");
         {% endif %}
     </script>
+
+     <script src="{{STATIC_URL}}assets/jsencrypt-3.2.1.min.js?v={{STATIC_VERSION}}"></script>
+    <script type="text/javascript">
+        PASSWORD_RSA_PUBLIC_KEY = "{{ PASSWORD_RSA_PUBLIC_KEY }}"
+        ENABLE_PASSWORD_RSA_ENCRYPTED = "{{ ENABLE_PASSWORD_RSA_ENCRYPTED }}" === "true"
+
+        // 密码传输rsa加密
+        function rsa_encrypt_password() {
+            var public_key = window.atob(PASSWORD_RSA_PUBLIC_KEY).split('\n').join("");
+            var password = $('#password').val();
+            var encrypt = new JSEncrypt();
+            encrypt.setKey(public_key);
+            var encrypted = encrypt.encrypt(password);
+            $('#password').val(encrypted);
+        }
+        $(document).ready(function(){
+             if (ENABLE_PASSWORD_RSA_ENCRYPTED) {
+                 $('#login-form').submit(() => {
+                     rsa_encrypt_password();
+                });
+            }
+        })
+    </script>
 </html>

src/login/pyproject.toml

@@ -26,6 +26,7 @@ python-json-logger = "^2.0.2"
 sentry-sdk = "1.5.6"
 django-decorator-include = "^3.0"
 werkzeug = "2.0.3"
+rsa = "3.4.2"
 
 [tool.poetry.dev-dependencies]
 ipython = "^7.15.0"