fix(open api v2): jwt decode error

nannan00 · Aug 6, 2024 · 1594396 · 1594396
1 parent 7074164
commit 1594396
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/src/bk-user/bkuser/apis/open_v2/authentications.py b/src/bk-user/bkuser/apis/open_v2/authentications.py
@@ -8,6 +8,7 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
+
 import base64
 import logging
 
@@ -59,6 +60,7 @@ def get_credentials(self, request):
 
     def verify_credentials(self, credentials):
         public_key = self._get_jwt_public_key(credentials["from"])
+        # Note: 不从 jwt header 里取 kid 判断是网关还是 ESB 签发的，在不同环境可能不准确
         jwt_payload = self._decode_jwt(credentials["jwt"], public_key)
         if not jwt_payload:
             return False, None
@@ -67,7 +69,9 @@ def verify_credentials(self, credentials):
 
     def _decode_jwt(self, content, public_key):
         try:
-            return jwt.decode(content, public_key, options={"verify_iss": False})
+            jwt_header = jwt.get_unverified_header(content)
+            algorithm = jwt_header.get("alg") or "RS512"
+            return jwt.decode(content, public_key, algorithms=[algorithm], options={"verify_iss": False})
         except Exception:  # pylint: disable=broad-except
             logger.exception("decode jwt fail, jwt: %s", content)
             return None

diff --git a/src/bk-user/bkuser/apis/open_v2/views/profilers.py b/src/bk-user/bkuser/apis/open_v2/views/profilers.py
@@ -424,12 +424,15 @@ def _convert_create_time_lookup_to_query(values: List[str], is_exact: bool) -> Q
         if is_exact:
             raise error_codes.VALIDATION_ERROR.f("unsupported extra lookup field: create_time")
 
-        # 时间转换异常，说明非预期内 IAM 特殊查询数据
+        # 时间转换异常，说明非预期内 IAM 特殊查询数据（从大到小）
         try:
             datetime_values = [datetime.datetime.strptime(v, "%Y-%m-%d %H:%M") for v in values]
         except Exception as error:
             raise error_codes.VALIDATION_ERROR.f(f"unsupported fuzzy create_time values: {values}, error={error}")
 
+        # 从小到大
+        datetime_values.reverse()
+
         # 判断是否满足间隔一分钟
         start_time = datetime_values[0]
         if all(start_time + datetime.timedelta(minutes=idx) == i for idx, i in enumerate(datetime_values)):

diff --git a/src/bk-user/bkuser/apis/web/platform_management/views.py b/src/bk-user/bkuser/apis/web/platform_management/views.py
@@ -8,6 +8,7 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
+
 from typing import List, Tuple
 
 from django.db import transaction
@@ -131,8 +132,6 @@ def _create_builtin_management_data_source(
 
         # 启用密码功能
         plugin_config.enable_password = True
-        # 内置管理员账号，不需要首次登录强制修改密码，可以登录后自行修改密码
-        plugin_config.login_limit.force_change_at_first_login = False
         # 密码有效期为永久，不会有过期续期的功能
         plugin_config.password_expire.valid_time = NEVER_EXPIRE_TIME