今天使用 Python 3 写客户端试验了一下 Kong 的 HMAC 认证功能,中间遇到几个小坑,分享一下。

Kong 这个 API Gateway 还是很成熟的,这些坑到最后其实都是自己的错。
官方文档在这里:https://docs.konghq.com/hub/kong-inc/hmac-auth/
源代码如下,重点避坑指南在注释里:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import base64
import datetime
import email.utils
import hashlib
import hmac
import urllib
import urllib.parse

import requests

__author__ = 'ChangYi'
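if __name__ == "__main__":
    # Demo client for Kong's hmac-auth plugin: builds the Digest, x-date and
    # Authorization headers by hand and POSTs a form-encoded body.

    # NOTE: plain HTTP. The signature authenticates the signed headers and
    # (through Digest) the body, but nothing is encrypted on the wire; use
    # HTTPS outside an isolated test network.
    url = "http://172.16.0.21:38000/getlist"
    # Demo credential only. A real client should load the shared secret from
    # the environment or a secret store instead of committing it to source.
    secret = b"nOc0YO0GuKuvJjhCZdgIVMHeWKJg93a5"
    user = "AAA"
    data = [
        ('appkey', '6044344985872289337'),
        ('format', 'json'),
        ('v', '2.0'),
        ('offset', '0'),
        ('num', '100'),
        ('test', "中文"),
    ]

    # Encode the body ourselves, then SHA-256 it and base64 the raw hash to
    # build the Digest header. The same `body` bytes are sent below, so the
    # digest always covers exactly what goes on the wire.
    body = urllib.parse.urlencode(data).encode()
    print(body)
    body_hash = hashlib.sha256(body).digest()
    digest_header = "SHA-256=" + base64.standard_b64encode(body_hash).decode()

    # Pitfall 1: the timestamp must be generated in UTC. Kong compares it
    # with its own clock and rejects requests outside the plugin's configured
    # clock skew, which is also what bounds replay of a captured request.
    date = email.utils.format_datetime(
        datetime.datetime.now(datetime.timezone.utc),
        usegmt=True,
    )

    # Derive the request-line from the URL that is actually requested, so the
    # signed path cannot drift from the real one.
    target = urllib.parse.urlsplit(url)
    request_uri = target.path or "/"
    if target.query:
        request_uri += "?" + target.query
    request_line = f"POST {request_uri} HTTP/1.1"

    # Pitfall 2: each signed header is joined as "key: value\n", with the key
    # in lower case and exactly one space after the colon. The request-line
    # is inserted as-is, and the last line has no trailing newline.
    signing_string = f"x-date: {date}\n{request_line}\ndigest: {digest_header}"
    print(signing_string)

    # Pitfall 3: base64-encode the raw MAC bytes from digest(); do NOT use
    # hexdigest().
    mac = hmac.new(secret, signing_string.encode(), digestmod='SHA256').digest()
    sign = base64.standard_b64encode(mac).decode()
    authstr = f'hmac username="{user}", algorithm="hmac-sha256", headers="x-date request-line digest", signature="{sign}"'
    print("authstr = " + authstr)

    # Only x-date, the request-line and digest are covered by the signature;
    # Host and Content-Type are sent but not integrity-protected.
    headers = {
        # Set explicitly because requests does not add a Content-Type when
        # the body is passed as raw bytes.
        "Content-Type": "application/x-www-form-urlencoded",
        "Host": "abc.abc.com",
        "x-date": date,
        # Required here because the plugin was configured to check the body
        # digest.
        "digest": digest_header,
        "Authorization": authstr,
    }
    # Send the exact bytes that were hashed, and bound the wait so that an
    # unreachable gateway cannot hang the script.
    print(requests.post(url, data=body, headers=headers, timeout=10).text)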