sso 单点登陆

• 原理
  • 使用同域名(如A.test.com,B.test.com)cookies共享的方式，第一次认证以后，将cookies存放于redis缓存中，每次请求都验证cookies

• nginx+lua脚本实现
  1.nginx 配置
  server {
  listen 80;
  server_name devops.test.com;
  error_log /data/logs/nginx/error-devops.log;
  location ^~ /proxy/ {
  internal; #指定规则为internal规则，防止外部请求命中此规则
  rewrite '^/proxy/(http?)/([^/]+)/(\d+)/(.*)' /$4 break;
  proxy_pass $1://$2:$3;
  }
  location @client{
  proxy_pass http://10.47.137.120:8001; #devops 服务地址及端口
  }
  location /api/v1{
  proxy_pass http://10.47.137.120:8001; #devops 服务地址及端口
  }
  location /static{
  proxy_pass http://10.47.137.120:8001;
  }
  location / {
  access_by_lua_file 'conf/vhosts/lua/devops.lua';
  }
  }
  1.从nginx的配置文件中能够看出,/api/v1/ 和/static 是没有调用lua脚本，而请求/ 都要走lua脚本认证

  2. @client 请求是lua脚本中指定的uri

  3. /proxy/ 是lua脚本中使用的uri，主要是用来跳转到认证登陆平台
     2.lua 脚本实现 devops.lua
     local sso = 'http://sso.test.com'
     local mysite = 'http://devops.test.com/'
     local login_url = sso .. '?next=' .. mysite

     function Logout()
     cookie_key = ngx.var.cookie_cookie_key
     if cookie_key ~= nil then
     local check_url = 'http/100.114.64.185/8000/logout/'
     local checkSign = 'cookie_key='.. cookie_key
     checkUrl = '/proxy/' .. check_url .. '?' .. checkSign
     local res = ngx.location.capture(checkUrl, {
     method = ngx.HTTP_GET,
     })
     ngx.redirect(login_url)
     else
     ngx.redirect(login_url)
     end
     end
     function getSSOUser()
     cookie_key = ngx.var.cookie_cookie_key
     if cookie_key == nil then
     ngx.redirect(login_url)
     end
     -- check user cookie
     local check_url = 'http/100.114.64.185/8000/sso/' -- format used by ngx.location.capture && proxy_pass(a httpclient simulation)
     local checkSign = 'cookie_key='.. cookie_key..'&&url='..mysite
     checkUrl = '/proxy/' .. check_url .. '?' .. checkSign
     --ngx.say(checkUrl)
     local res = ngx.location.capture(checkUrl, {
     method = ngx.HTTP_GET,
     })
     local cjson = require("cjson")
     --ngx.say(res.body)
     if 'false' == res.body then
     ngx.redirect(login_url)
     --ngx.say(res.body)
     else
     obj = cjson.decode(res.body)
     user = obj['user']
     return user
     end
     end
     function doLogin()
     local user = getSSOUser()
     ngx.header['Set-Cookie'] = {'x_webauth_user =' .. user}
     ngx.req.set_header("USER", user)br/>ngx.exec("@client")
     end
     if ngx.re.match(ngx.var.request_uri, "logout") then
     ngx.header['Set-Cookie'] = {'x_webauth_user = false'}
     Logout()
     else
     local x_user = ngx.var.cookie_x_webauth_user
     local cookie_key = ngx.var.cookie_cookie_key
     if cookie_key then
     doLogin()
     else
     ngx.redirect(login_url)
     end
     end

  4. lua脚本看起来没那么难，相对比较好理解

  5. 最前面的三个local 是定义变量
     if ngx.re.match(ngx.var.request_uri, "logout") then
     ngx.header['Set-Cookie'] = {'x_webauth_user = false'}
     Logout()
     #判断请求的uri里面是否有“logout”,匹配则设置cookies的 x_webauth_user值
     为false，并调用logout函数
     3.若是uri不包括logout
     local cookie_key = ngx.var.cookie_cookie_key 获取cookies下cookie_key的值
     若是值为空，直接从定向到单点登陆，login_url为
     http://sso.test.com?next=http://devops.test.com/ ，单点登陆平台须要作的
     是获取next后面的uri及认证，认证成功以后，redis缓存cookie_key，
     将cookie_key信息写入cookies中，让下次请求的时候带上cookie_key
     4.若是cookie_key值存在，则调用认证函数doLogin()
     function doLogin()
     local user = getSSOUser() #调用getSSOUser 函数
     ngx.header['Set-Cookie'] = {'x_webauth_user =' .. user}
     ngx.req.set_header("USER", user)
     ngx.exec("@client") #匹配nginx @client url
     end

     function getSSOUser()
         cookie_key = ngx.var.cookie_cookie_key
         if cookie_key == nil then
                 ngx.redirect(login_url)
         end
         -- check user cookie
         local check_url = 'http/100.114.64.185/8000/sso/'  -- format used by ngx.location.capture && proxy_pass(a httpclient simulation)
         local checkSign = 'cookie_key='.. cookie_key..'&&url='..mysite
         checkUrl = '/proxy/' .. check_url .. '?' .. checkSign
         --ngx.say(checkUrl)
      local res = ngx.location.capture(checkUrl, {
                 method = ngx.HTTP_GET,
         })  #get请求单点登陆平台的接口/sso/cookie_key=* 验证cookie_key 的有效性，错误返回false
         local cjson = require("cjson")
         --ngx.say(res.body)
         if 'false' == res.body then  #若是返回false，从新跳回登陆界面
                 ngx.redirect(login_url)
                 --ngx.say(res.body)
         else
                 obj = cjson.decode(res.body)
                 user = obj['user']
                 return user   #正确则返回认证用户及cookie信息写入
         end

     end
     5.注销函数
     function Logout()
     cookie_key = ngx.var.cookie_cookie_key #获取cookie_key 值
     if cookie_key ~= nil then #若是值不为空
     local check_url = 'http/100.114.64.185/8000/logout/'
     local checkSign = 'cookie_key='.. cookie_key
     checkUrl = '/proxy/' .. check_url .. '?' .. checkSign
     local res = ngx.location.capture(checkUrl, {
     method = ngx.HTTP_GET,
     }) #请求http://100.114.64.185:8000/logout/?cookie_key=****，经过get请求删除redis中的cookie值，达到注销的功能
     ngx.redirect(login_url)
     else
     ngx.redirect(login_url)
     end
     end
     6.http://100.114.64.185:8000 是一个阿里云内网负载均衡，后端是两台单点认证服务

• 登陆平台
  1.能够用django写一个认证平台，也能够用flask写，我的推荐flask，轻量级
  2.平台须要的功能
  认证用户名及密码(对接LDAP)
  提供cookie值判断接口API
  删除cookie值的接口API
  3.django实现，部分代码
  redis 链接：
  def rds(key='',name='',status=''):
  import redis
  Rds = rdsconfig()
  host = Rds['host']
  port = Rds['port']
  passwd = Rds['passwd']
  if passwd:
  r = redis.Redis(host=host,port=port,password=passwd)
  else:
  r = redis.Redis(host=host,port=port)
  if status == 'add':
  r.setex(key,name,21600)
  elif status == 'get':
  return r.get(key)
  elif status == 'del':
  return r.delete(key)
  登陆部分：
  def login(request):
  cip=get_client_ip(request)
  cap_form = CaptchaLoginForm()
  #print cap_form
  if request.method == 'GET':
  #cap_form = CaptchaLoginForm()
  try:
  url=request.get_full_path()
  url=url.split('=')[1]
  logger.info(color_print('{} - access index'.format(cip),'info'))
  except:
  return render(request,'login.html',locals())
  return render(request,'login.html',locals())
  elif request.method == 'POST':
  username = request.POST.get('username').strip(' ')
  url = request.POST.get('url').strip(' ')
  response=HttpResponseRedirect(url)
  secret=MkPasswd.Passwd() #生成随机数
  secret=MkPasswd.Passwd()+username #md5 加密随机数，生成cookie_key
  secret_key=md5Encode(secret)
  rds(secret_key,username,'add')
  response.set_cookie('cookie_key',secret_key,\
  max_age=606012,domain='.yongqianbao.com')
  #response.set_cookie('x_webauth_user',username)
  if url == '/':
  return HttpResponseRedirect('http://intra.yongqianbao.com')
  return response
  else:
  return render(request,'login.html',locals())
  判断cookie_key 是否存在于redis中
  def sso(request):
  import json
  cip=get_client_ip(request)
  if request.method == 'GET':
  cookie_key=request.GET.get('cookie_key')
  url=request.GET.get('url')
  #print url
  #print cookie_key
  time_now = int(time.time())
  user=rds(key=cookie_key,status='get')
  if user:
  watch={'user':user}
  login=Login(username=user,url=url,ip=cip,time=time_now,status=1)
  login.save()
  response=HttpResponse(json.dumps(watch),content_type="application/json")
  return response
  else:
  return HttpResponse('false')
  注销函数：
  def logout(request):
  if request.method == 'GET':
  cookie_key=request.GET.get('cookie_key')
  #url=request.GET.get('url')
  is_succ=rds(key=cookie_key,status='del')
  #print is_succ
  return HttpResponse(True)
• 做品展现
  • 登陆认证
    
  • 重置密码
    
    • 认证成功后，自动跳转到next后的页面