Python接口自动化测试系列[V1.0.0][数字签名]


在使用 HTTP/SOAP 协议传输时，签名作为请求参数之一，起到两个作用：鉴权（客户端与服务端持有同一个密钥，只有知道密钥的一方才能算出正确的签名）和防篡改（参数本身是明文传输的，把接口参数与密钥拼接后计算摘要（如 MD5），将摘要字符串作为签名）。由于摘要覆盖了全部请求参数，任何一个参数被改动，服务端重新计算出的签名都会与客户端签名不一致，验证即失败。注意：MD5 是单向散列而不是加密，服务端并不是"解密"签名，而是用同样的参数和密钥重新计算一遍再比对。弊端：正因为摘要不可逆，服务端必须知道客户端参与签名的全部参数名和值，否则无法复算；一般接口在设计时客户端请求参数并不完全确定，此时就不能对全部参数签名。另外要注意，下面的示例代码只对"时间戳+密钥"做签名，业务参数本身并不受签名保护，只能依靠时间窗口来限制重放。

被测代码

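# -- Code under test: timestamp + signature check -------------------------------
#
# Wire format: sign = md5(time + secret).hexdigest().  It is kept unchanged so
# the client in the test case below keeps working.  Note that the digest covers
# ONLY the timestamp: the business parameters (eid, name, ...) are not
# tamper-protected, and a captured (time, sign) pair can be replayed with any
# body until the time window closes.  A real deployment should sign the whole
# parameter set with an HMAC (hmac.new(key, msg, "sha256")) rather than MD5.

# Shared secret; the client must hold the same value.  Hard-coded in the
# tutorial — load it from settings / the environment in real code.
_API_KEY = "&Guest-Bugmaster"

# Width of the replay window in seconds, applied to both past and future.
_SIGN_WINDOW_SECONDS = 60


def user_sign(request):
    """Check the ``time``/``sign`` pair a client attaches to a POST request.

    ``time`` is the client's Unix timestamp in whole seconds (as a string) and
    ``sign`` is ``md5(time + secret).hexdigest()``.

    Returns a status string the caller maps to an API error code:
    ``"error"`` (not a POST), ``"sign null"`` (``time`` or ``sign`` missing),
    ``"timeout"`` (timestamp not numeric or outside the replay window),
    ``"sign fail"`` (digest mismatch) or ``"sign right"``.
    """
    import hmac  # local import: the module's import block is outside this listing

    if request.method != 'POST':
        return "error"
    client_time = request.POST.get('time', '')  # client Unix timestamp (string)
    client_sign = request.POST.get('sign', '')  # client-computed digest
    if client_time == '' or client_sign == '':
        return "sign null"

    # A non-numeric timestamp used to raise ValueError here and surface as an
    # HTTP 500; reject it the same way as an expired one.
    try:
        client_ts = int(client_time)
    except ValueError:
        return "timeout"
    server_ts = int(time.time())  # e.g. 1466426831

    # abs(): the original only rejected timestamps older than 60 s, so a
    # timestamp far in the future (and its signature) could be replayed
    # indefinitely.  Clients whose clock is more than 60 s ahead are now
    # rejected too — widen the window if that turns out to be a problem.
    if abs(server_ts - client_ts) >= _SIGN_WINDOW_SECONDS:
        return "timeout"

    # Hash the timestamp exactly as the client sent it (not the parsed int)
    # so the wire format stays identical to the original.
    expected = hashlib.md5((client_time + _API_KEY).encode("utf-8")).hexdigest()
    # Constant-time comparison: ``!=`` stops at the first differing byte and
    # leaks, via timing, how much of the digest an attacker has guessed right.
    if not hmac.compare_digest(expected.encode("utf-8"), client_sign.encode("utf-8")):
        return "sign fail"
    return "sign right"


# Maps a user_sign() result to the (status, message) returned to the client.
_SIGN_ERRORS = {
    "error": (10011, 'request error'),
    "sign null": (10012, 'user sign null'),
    "timeout": (10013, 'user sign timeout'),
    "sign fail": (10014, 'user sign error'),
}


def add_event(request):
    """Create an Event (the ``sec_add_event`` endpoint), guarded by user_sign().

    Required POST fields: ``eid`` (numeric id), ``name``, ``limit``,
    ``address``, ``start_time`` (``YYYY-MM-DD HH:MM:SS``); optional ``status``
    (numeric, default 1); plus the ``time``/``sign`` pair checked by user_sign().

    Returns a JsonResponse ``{'status': code, 'message': text}``: 200 on
    success, 10011-10014 for signature problems, 10021 missing or non-numeric
    parameter, 10022/10023 duplicate id/name, 10024 bad ``start_time``.
    """
    sign_result = user_sign(request)
    if sign_result in _SIGN_ERRORS:
        code, message = _SIGN_ERRORS[sign_result]
        return JsonResponse({'status': code, 'message': message})

    eid = request.POST.get('eid', '')                # event id
    name = request.POST.get('name', '')              # event title
    limit = request.POST.get('limit', '')            # attendee limit
    status = request.POST.get('status', '')          # event status
    address = request.POST.get('address', '')        # venue
    start_time = request.POST.get('start_time', '')  # event date/time
    if eid == '' or name == '' or limit == '' or address == '' or start_time == '':
        return JsonResponse({'status': 10021, 'message': 'parameter error'})
    if status == '':
        status = 1

    # ``eid`` feeds an ORM id lookup and ``status`` is cast with int(); a
    # non-numeric value used to raise ValueError and surface as an HTTP 500.
    # ``limit`` is passed through untouched as before — if Event.limit is an
    # integer field it deserves the same check (TODO: confirm against the model).
    try:
        eid = int(eid)
        status = int(status)
    except ValueError:
        return JsonResponse({'status': 10021, 'message': 'parameter error'})

    if Event.objects.filter(id=eid):
        return JsonResponse({'status': 10022, 'message': 'event id already exists'})
    if Event.objects.filter(name=name):
        return JsonResponse({'status': 10023, 'message': 'event name already exists'})

    try:
        Event.objects.create(id=eid, name=name, limit=limit, address=address,
                             status=status, start_time=start_time)
    except ValidationError:
        error = 'start_time format error. It must be in YYYY-MM-DD HH:MM:SS format.'
        return JsonResponse({'status': 10024, 'message': error})
    return JsonResponse({'status': 200, 'message': 'add event success'})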

接口文档

测试用例

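# coding=utf-8
import hashlib
import unittest
from time import time

import requests


class AddEventTest(unittest.TestCase):
    """HTTP tests for ``/api/sec_add_event/`` (timestamp + signature guarded).

    Runs against a live server at ``base_url``.  The status codes asserted
    here are the ones ``add_event`` in the code under test actually returns
    (10012 sign null, 10013 timeout, 10014 sign error); the original test
    asserted 10011/10012/10013 for those three cases, which can never pass.

    Test data is not self-contained: ``test_add_event_eid_exist`` and
    ``test_add_event_name_exist`` assume event id 1 and name '一加3手机发布会'
    already exist, and ``test_add_event_success`` creates id 11, so a second
    run of the suite fails with 10022 unless the database is reset.
    """

    # Shared secret, identical to the server's.  Acceptable in a tutorial, but
    # real secrets must not be committed in test code — read them from the
    # environment instead.
    API_KEY = "&Guest-Bugmaster"
    # Bound every request so a hung server fails the test instead of blocking
    # the whole run forever (requests has no default timeout).
    TIMEOUT = 5

    def setUp(self):
        self.base_url = "http://127.0.0.1:8000/api/sec_add_event/"
        self.api_key = self.API_KEY
        # Whole-second Unix timestamp, the form the server parses with int().
        self.client_time = str(int(time()))
        # sign = md5(time + api_key) — must match user_sign() on the server.
        sign_bytes_utf8 = (self.client_time + self.api_key).encode("utf-8")
        self.sign_md5 = hashlib.md5(sign_bytes_utf8).hexdigest()

    def _post(self, payload):
        """POST ``payload`` as form data and return the decoded JSON body."""
        r = requests.post(self.base_url, data=payload, timeout=self.TIMEOUT)
        return r.json()

    def _signed(self, payload):
        """Return ``payload`` with a valid ``time``/``sign`` pair added."""
        signed = dict(payload)
        signed['time'] = self.client_time
        signed['sign'] = self.sign_md5
        return signed

    def test_add_event_sign_null(self):
        """Empty signature parameters -> 10012 'user sign null'."""
        # The original payload used '' as a key where 'name' was meant.
        payload = {'eid': 1, 'name': '', 'limit': '', 'address': '',
                   'start_time': '', 'time': '', 'sign': ''}
        result = self._post(payload)
        self.assertEqual(result['status'], 10012)
        self.assertEqual(result['message'], 'user sign null')

    def test_add_event_time_out(self):
        """Timestamp 61 s in the past -> 10013 'user sign timeout'."""
        stale_time = str(int(self.client_time) - 61)
        payload = {'eid': 1, 'name': '', 'limit': '', 'address': '',
                   'start_time': '', 'time': stale_time, 'sign': 'abc'}
        result = self._post(payload)
        self.assertEqual(result['status'], 10013)
        self.assertEqual(result['message'], 'user sign timeout')

    def test_add_event_sign_error(self):
        """Fresh timestamp but wrong digest -> 10014 'user sign error'."""
        payload = {'eid': 1, 'name': '', 'limit': '', 'address': '',
                   'start_time': '', 'time': self.client_time, 'sign': 'abc'}
        result = self._post(payload)
        self.assertEqual(result['status'], 10014)
        self.assertEqual(result['message'], 'user sign error')

    def test_add_event_eid_exist(self):
        """Duplicate event id -> 10022 (assumes id 1 is already present)."""
        payload = self._signed({'eid': 1, 'name': '一加4发布会', 'limit': 2000,
                                'address': "深圳宝体", 'start_time': '2017'})
        result = self._post(payload)
        self.assertEqual(result['status'], 10022)
        self.assertEqual(result['message'], 'event id already exists')

    def test_add_event_name_exist(self):
        """Duplicate event name -> 10023 (assumes '一加3手机发布会' exists)."""
        payload = self._signed({'eid': 11, 'name': '一加3手机发布会', 'limit': 2000,
                                'address': "深圳宝体", 'start_time': '2017'})
        result = self._post(payload)
        self.assertEqual(result['status'], 10023)
        self.assertEqual(result['message'], 'event name already exists')

    def test_add_event_data_type_error(self):
        """Malformed start_time -> 10024 with a format hint in the message."""
        payload = self._signed({'eid': 11, 'name': '一加5手机发布会', 'limit': 2000,
                                'address': "深圳宝体", 'start_time': '2017'})
        result = self._post(payload)
        self.assertEqual(result['status'], 10024)
        self.assertIn('start_time format error.', result['message'])

    def test_add_event_success(self):
        """Well-formed signed request -> 200 (creates id 11; not re-runnable)."""
        payload = self._signed({'eid': 11, 'name': '一加4手机发布会', 'limit': 2000,
                                'address': "深圳宝体",
                                'start_time': '2017-05-10 12:00:00'})
        result = self._post(payload)
        self.assertEqual(result['status'], 200)
        self.assertEqual(result['message'], 'add event success')


if __name__ == '__main__':
    unittest.main()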