feat: 蓝鲸插件支持限制接入系统业务调用 (#70)

* feat: 蓝鲸插件支持限制接入系统业务调用

* feat: release bk-plugin-framework 2.2.0

* minor: update dependencies

* minor: review fix

* minor: update README

Author: normal-wls

README.md

@@ -234,7 +234,7 @@ class SopsExecPlugin(Plugin):
     ...
 ```
 
-### 回调插件使用系统
+## 回调插件使用系统
 
 如果**插件使用系统**支持接收蓝鲸插件的回调协议，则只需要添加两个配置，蓝鲸插件就可以在执行完成后回调**插件使用系统**（回调结果不影响插件任务执行结果），这样做的收益在于可以缓解因为**插件使用系统**不断轮询而带来的请求压力。
 
@@ -260,6 +260,25 @@ class SopsExecPlugin(Plugin):
 
 __注意__: 如果当前版本插件有在执行中的任务，请升级插件版本后再进行配置
 
+## 限制插件使用系统下的特定业务使用(可选, bk-plugin-framework>=2.2.0)
+
+如果你希望插件的执行只提供给使用系统的特定业务，可以在 `meta.py` 中添加对应的定义。
+
+```python
+allow_scope = {
+    "[插件使用系统的app_code]": {
+        "type": "[业务概念的类型值，如 project]",  # str
+        "value": ["1", "2"]  # List[str]
+    }
+}
+```
+
+上面的配置表示允许插件使用系统业务 1 和业务 2 调用 invoke 接口运行任务，其他的情况接口都会返回 403。
+
+__注意__:
+1. 该功能需要插件使用系统支持，在调用 invoke 接口时设置请求头 `Bkplugin-Scope-Type` 和 `Bkplugin-Scope-Value`。 
+2. 如果不希望进行限制，请不要进行该配置。
+3. 如果插件开放给了特定插件使用系统，但是没有配置 allow_scope，默认全部请求通过。
 
 ## 插件初始化方法(可选)
 

bk-plugin-framework/bk_plugin_framework/__version__.py

@@ -10,4 +10,4 @@
 specific language governing permissions and limitations under the License.
 """
 
-__version__ = "2.1.1"
+__version__ = "2.2.0"

bk-plugin-framework/bk_plugin_framework/services/bpf_service/api/invoke.py

@@ -14,7 +14,6 @@
 
 from django.utils.decorators import method_decorator
 from rest_framework import status
-from rest_framework import permissions
 from rest_framework import serializers
 from rest_framework.views import APIView
 from rest_framework.response import Response
@@ -27,6 +26,7 @@
 
 from bk_plugin_framework.hub import VersionHub
 from bk_plugin_framework.runtime.executor import BKPluginExecutor
+from bk_plugin_framework.services.bpf_service.api.permissions import ScopeAllowPermission
 from bk_plugin_framework.services.bpf_service.api.serializers import StandardResponseSerializer
 
 logger = logging.getLogger("bk_plugin")
@@ -53,7 +53,7 @@ class InvokeDataSerializer(serializers.Serializer):
 class Invoke(APIView):
 
     authentication_classes = []  # csrf exempt
-    permission_classes = [permissions.AllowAny]
+    permission_classes = [ScopeAllowPermission]
 
     @swagger_auto_schema(
         method="POST",

bk-plugin-framework/bk_plugin_framework/services/bpf_service/api/meta.py

@@ -72,8 +72,10 @@ def get(self, request):
             meta_module = import_module("bk_plugin.meta")
         except ImportError:
             description = ""
+            allow_scope = {}
         else:
             description = getattr(meta_module, "description", "")
+            allow_scope = getattr(meta_module, "allow_scope", {})
 
         return Response(
             {
@@ -85,6 +87,7 @@ def get(self, request):
                     "description": description,
                     "framework_version": FRAMEWORK_VERSION,
                     "runtime_version": RUNTIME_VERSION,
+                    "allow_scope": allow_scope,
                 },
                 "message": "",
             }

bk-plugin-framework/bk_plugin_framework/services/bpf_service/api/permissions.py

@@ -0,0 +1,37 @@
+# -*- coding: utf-8 -*-
+from importlib import import_module
+
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+from bk_plugin_framework.utils.validations import validate_allow_scope
+
+try:
+    meta_module = import_module("bk_plugin.meta")
+except ImportError:
+    allow_scope = {}
+else:
+    allow_scope = getattr(meta_module, "allow_scope", {})
+    if validate_allow_scope(allow_scope) is False:
+        raise RuntimeError("allow_scope in meta.py is invalid")
+
+
+class ScopeAllowPermission(BasePermission):
+    """
+    业务域鉴权，仅支持通过 apigw 的请求
+    """
+
+    def has_permission(self, request: Request, view):
+        if not allow_scope:
+            return True
+
+        bk_app_code = request.app.bk_app_code
+
+        # 如果没有进行使用方配置，则默认放行，如果不希望放行在插件开发者中心配置即可
+        if bk_app_code not in allow_scope:
+            return True
+
+        scope_type = request.headers.get("Bkplugin-Scope-Type")
+        scope_value = request.headers.get("Bkplugin-Scope-Value")
+
+        return scope_type == allow_scope[bk_app_code]["type"] and scope_value in allow_scope[bk_app_code]["value"]

bk-plugin-framework/bk_plugin_framework/services/bpf_service/api/plugin_api_dispatch.py

@@ -18,7 +18,6 @@
 from django.urls import resolve, Resolver404
 from django.utils.decorators import method_decorator
 from rest_framework import status
-from rest_framework import permissions
 from rest_framework import serializers
 from rest_framework.views import APIView
 from rest_framework.response import Response
@@ -29,6 +28,7 @@
 from blueapps.account.decorators import login_exempt
 from apigw_manager.apigw.decorators import apigw_require
 
+from bk_plugin_framework.services.bpf_service.api.permissions import ScopeAllowPermission
 from bk_plugin_framework.services.bpf_service.api.serializers import StandardResponseSerializer
 
 logger = logging.getLogger("bk_plugin")
@@ -67,7 +67,7 @@ def __init__(self, username):
 @method_decorator(apigw_require, name="dispatch")
 class PluginAPIDispatch(APIView):
     authentication_classes = []  # csrf exempt
-    permission_classes = [permissions.AllowAny]
+    permission_classes = [ScopeAllowPermission]
 
     @swagger_auto_schema(
         method="POST",

bk-plugin-framework/bk_plugin_framework/utils/validations.py

@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+import logging
+
+import jsonschema
+
+
+logger = logging.getLogger("bk-plugin-framework")
+
+
+ALLOW_SCOPE_SCHEMA = {
+    "type": "object",
+    "patternProperties": {
+        ".*": {
+            "type": "object",
+            "properties": {
+                "type": {"type": "string"},
+                "value": {"type": "array", "items": {"type": "string"}},
+            },
+            "required": ["type", "value"],
+        },
+    },
+}
+
+
+def validate_allow_scope(data: dict):
+    try:
+        jsonschema.validate(data, ALLOW_SCOPE_SCHEMA)
+    except jsonschema.exceptions.ValidationError as e:
+        logger.exception(f"allow_scope is invalid: {e}")
+        return False
+    return True

bk-plugin-framework/dev-requirements.txt

@@ -1,6 +1,7 @@
 
 werkzeug>=2.0.0,<3.0.0
 pydantic>1.0,<2.0
+jsonschema>=2.5.0,<5.0
 
 # services
 Django>=2.2,<3.0

bk-plugin-framework/poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bk-plugin-framework"
-version = "2.1.1"
+version = "2.2.0"
 description = "bk plugin python framework"
 authors = ["Your Name <you@example.com>"]
 license = "MIT"
@@ -11,6 +11,7 @@ pydantic = "^1.0"
 werkzeug = "^2.0.0"
 apigw-manager = {version = ">=1.0.6, <1.2.0", extras = ["extra"]}
 bk-plugin-runtime = "2.0.5"
+jsonschema = ">=2.5.0,<5.0.0"
 
 [tool.poetry.dev-dependencies]
 pytest = "^7.0.0"