minor: 国密分支合入 horse

app.yml

@@ -6,7 +6,7 @@ is_use_celery: True
 author: 蓝鲸智云
 introduction: 标准运维是通过一套成熟稳定的任务调度引擎，把在多系统间的工作整合到一个流程，助力运维实现跨系统调度自动化的SaaS应用。
 introduction_en: SOPS is a SaaS application that utilizes a set of mature and stable task scheduling engines to help realize cross-system scheduling automation, and integrates the work among multiple systems into a single process.
-version: 3.29.0
+version: 3.30.0
 category: 运维工具
 language_support: 中文
 desktop:

app_desc.yaml

@@ -1,5 +1,5 @@
 spec_version: 2
-app_version: "3.29.0"
+app_version: "3.30.0"
 app:
     region: default
     bk_app_code: bk_sops

config/default.py

@@ -16,6 +16,8 @@
 from urllib.parse import urlparse
 
 from bamboo_engine.config import Settings as BambooSettings
+from bkcrypto import constants as bkcrypto_constants
+from bkcrypto.asymmetric.options import RSAAsymmetricOptions
 from blueapps.conf.default_settings import *  # noqa
 from blueapps.conf.log import get_logging_config_dict
 from blueapps.opentelemetry.utils import inject_logging_trace_info
@@ -155,7 +157,9 @@
 
 ENABLE_IPV6 = env.ENABLE_IPV6
 # paasv3 和 开启了ipv6 才会尝试加载 BK_API_URL_TMPL 这个变量
-if env.IS_PAAS_V3 or ENABLE_IPV6:
+ENABLE_GSE_V2 = env.ENABLE_GSE_V2
+
+if env.IS_PAAS_V3 or ENABLE_IPV6 or ENABLE_GSE_V2:
     BK_API_URL_TMPL = env.BK_APIGW_URL_TMPL
 
 if env.IS_PAAS_V3:
@@ -207,7 +211,7 @@
 # mako模板中：<script src="/a.js?v=${ STATIC_VERSION }"></script>
 # 如果静态资源修改了以后，上线前改这个版本号即可
 
-STATIC_VERSION = "3.29.0"
+STATIC_VERSION = "3.30.0"
 DEPLOY_DATETIME = datetime.datetime.now().strftime("%Y%m%d%H%M%S")
 
 STATICFILES_DIRS = [os.path.join(BASE_DIR, "static")]
@@ -672,7 +676,6 @@ def monitor_report_config():
 
         from bk_monitor_report import MonitorReporter  # noqa
         from bk_monitor_report.contrib.celery import MonitorReportStep  # noqa
-
         from blueapps.core.celery import celery_app  # noqa
 
         reporter = MonitorReporter(
@@ -787,5 +790,44 @@ def check_engine_admin_permission(request, *args, **kwargs):
 
 PIPELINE_ENGINE_ADMIN_API_PERMISSION = "config.default.check_engine_admin_permission"
 
+
+BKCRYPTO = {
+    "ASYMMETRIC_CIPHERS": {
+        "default": {
+            "get_key_config": "gcloud.utils.crypto.get_default_asymmetric_key_config",
+            "cipher_options": {
+                bkcrypto_constants.AsymmetricCipherType.RSA.value: RSAAsymmetricOptions(
+                    padding=bkcrypto_constants.RSACipherPadding.PKCS1_v1_5
+                )
+            },
+        },
+    },
+    "SYMMETRIC_CIPHERS": {"default": {"get_key_config": "gcloud.utils.crypto.get_default_symmetric_key_config"}},
+}
+
+# 启用框架内置数据加密
+BLUEAPPS_ENABLE_DB_ENCRYPTION = True
+# 复用已有的 default 对称加密实例
+BKCRYPTO["SYMMETRIC_CIPHERS"]["blueapps"] = BKCRYPTO["SYMMETRIC_CIPHERS"]["default"]
+
+
+# 加密
+if env.BKPAAS_BK_CRYPTO_TYPE == "SHANGMI":
+    BKCRYPTO_ASYMMETRIC_CIPHER_TYPE = bkcrypto_constants.AsymmetricCipherType.SM2.value
+    BKCRYPTO.update(
+        {
+            "ASYMMETRIC_CIPHER_TYPE": BKCRYPTO_ASYMMETRIC_CIPHER_TYPE,
+            "SYMMETRIC_CIPHER_TYPE": bkcrypto_constants.SymmetricCipherType.SM4.value,
+        }
+    )
+else:
+    BKCRYPTO_ASYMMETRIC_CIPHER_TYPE = bkcrypto_constants.AsymmetricCipherType.RSA.value
+    BKCRYPTO.update(
+        {
+            "ASYMMETRIC_CIPHER_TYPE": BKCRYPTO_ASYMMETRIC_CIPHER_TYPE,
+            "SYMMETRIC_CIPHER_TYPE": bkcrypto_constants.SymmetricCipherType.AES.value,
+        }
+    )
+
 # 任务列表过滤失败任务最大天数
 TASK_LIST_STATUS_FILTER_DAYS = env.BKPAAS_TASK_LIST_STATUS_FILTER_DAYS

config/sites/community/ver_settings.py

@@ -37,7 +37,6 @@
 LOah9mmRwLJdcfa3Js+jw2lOCmxzqauYZHVHg/hH7g==
 -----END RSA PRIVATE KEY-----
 """
-RSA_PRIV_KEY = base64.b64decode(env.RSA_PRIV_KEY).decode("utf-8") if env.RSA_PRIV_KEY else DEFAULT_RSA_PRIV_KEY
 
 # PUB_KEY for frontend, which can not use three quotes
 DEFAULT_RSA_PUB_KEY = (
@@ -49,8 +48,30 @@
     + "-----END PUBLIC KEY-----"
 )
 
+RSA_PRIV_KEY = base64.b64decode(env.RSA_PRIV_KEY).decode("utf-8") if env.RSA_PRIV_KEY else DEFAULT_RSA_PRIV_KEY
 RSA_PUB_KEY = base64.b64decode(env.RSA_PUB_KEY).decode("utf-8") if env.RSA_PUB_KEY else DEFAULT_RSA_PUB_KEY
 
+
+DEFAULT_SM2_PRIV_KEY = """
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICI+zMQDiQ5/xXmnGxGqLSD++Cp+I601cIFLKRd2yrGBoAoGCCqBHM9V
+AYItoUQDQgAE95+i3TAfODAzb9QhJmyUmxH/HocisveqkrafHJ25NO/uCtkb2yXH
+vrZcCDmoxeO+z5vp88jN/ulVsl9qEqm6vQ==
+-----END EC PRIVATE KEY-----
+"""
+
+
+DEFAULT_SM2_PUB_KEY = (
+    "-----BEGIN PUBLIC KEY-----\\n"
+    + "MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE95+i3TAfODAzb9QhJmyUmxH/Hoci\\n"
+    + "sveqkrafHJ25NO/uCtkb2yXHvrZcCDmoxeO+z5vp88jN/ulVsl9qEqm6vQ==\\n"
+    + "-----END PUBLIC KEY-----"
+)
+
+
+SM2_PRIV_KEY = base64.b64decode(env.RSA_PRIV_KEY).decode("utf-8") if env.RSA_PRIV_KEY else DEFAULT_RSA_PRIV_KEY
+SM2_PUB_KEY = base64.b64decode(env.RSA_PUB_KEY).decode("utf-8") if env.RSA_PUB_KEY else DEFAULT_SM2_PUB_KEY
+
 # APIGW Auth
 APIGW_APP_CODE_KEY = "bk_app_code"
 APIGW_USER_USERNAME_KEY = "bk_username"

config/sites/enterprise/ver_settings.py

@@ -37,7 +37,6 @@
 T8ow3nMSbvx5X28wOjbk04tmfM/kVqcVhFWhDHjHZzlt
 -----END RSA PRIVATE KEY-----
 """
-RSA_PRIV_KEY = base64.b64decode(env.RSA_PRIV_KEY).decode("utf-8") if env.RSA_PRIV_KEY else DEFAULT_RSA_PRIV_KEY
 
 # PUB_KEY for frontend, which can not use three quotes
 DEFAULT_RSA_PUB_KEY = (
@@ -48,7 +47,31 @@
     + "iymoAVK67gfTOTvckQIDAQAB\\n"
     + "-----END PUBLIC KEY-----"
 )
+
 RSA_PUB_KEY = base64.b64decode(env.RSA_PUB_KEY).decode("utf-8") if env.RSA_PUB_KEY else DEFAULT_RSA_PUB_KEY
+RSA_PRIV_KEY = base64.b64decode(env.RSA_PRIV_KEY).decode("utf-8") if env.RSA_PRIV_KEY else DEFAULT_RSA_PRIV_KEY
+
+
+DEFAULT_SM2_PRIV_KEY = """
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIn5SYKHr3+m/XyC/ECzDJYuwUoTQHDUkIueKFXTjhSBoAoGCCqBHM9V
+AYItoUQDQgAEYxBE08d8yEEK2+DZ7F5RsNrUvCZ578lkYsXFDC1fW2IcRecNz8LG
+ZWSZGFfgYMeK1f3fIuYBAJVuna/V3FP4tA==
+-----END EC PRIVATE KEY-----
+"""
+
+
+DEFAULT_SM2_PUB_KEY = (
+    "-----BEGIN PUBLIC KEY-----\\n"
+    + "MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEYxBE08d8yEEK2+DZ7F5RsNrUvCZ5\\n"
+    + "78lkYsXFDC1fW2IcRecNz8LGZWSZGFfgYMeK1f3fIuYBAJVuna/V3FP4tA==\\n"
+    + "-----END PUBLIC KEY-----"
+)
+
+
+SM2_PRIV_KEY = base64.b64decode(env.SM2_PRIV_KEY).decode("utf-8") if env.SM2_PRIV_KEY else DEFAULT_SM2_PRIV_KEY
+SM2_PUB_KEY = base64.b64decode(env.SM2_PUB_KEY).decode("utf-8") if env.SM2_PUB_KEY else DEFAULT_SM2_PUB_KEY
+
 
 # APIGW Auth
 APIGW_APP_CODE_KEY = "bk_app_code"

docs/develop/tag_usage_dev.md

@@ -313,6 +313,8 @@ ip 选择器，支持静态 ip 或动态 ip 的单选和多选。
 
   - `pubKey`: 加密公钥
   - `disabled`：设置是否禁用组件
+  - `canUseVar`: 是否可以使用全局变量，默认为true
+  - `textareaMode`: 手动输入密码时，表单类型为textarea，默认为false
   - `value`：加密后的密码值
 
 **方法**

en_docs/develop/tag_usage_dev.md

@@ -313,7 +313,10 @@ Password input box.
 
 **Attributes**
 
+  - `pubKey`: crypto public key
   - `disabled`: set whether this component is disabled.
+  - `canUseVar`: whether global variables can be used, which defaults to true
+  - `textareaMode`: When entering a password manually, the form type is textarea and the default is false
   - `value`: the encrypted password value
 
 **Methods**

env.py

@@ -109,5 +109,14 @@
 # 获取 PaaS 注入的蓝鲸域名
 BKPAAS_BK_DOMAIN = os.getenv("BKPAAS_BK_DOMAIN", "") or os.getenv("BK_DOMAIN", "")
 
+
+# 获取加密类型
+BKPAAS_BK_CRYPTO_TYPE = (
+    os.getenv("BKPAAS_BK_CRYPTO_TYPE", "")
+    or os.getenv("BKAPP_BK_CRYPTO_TYPE", "")
+    or os.getenv("BK_CRYPTO_TYPE")
+    or "CLASSIC"
+)
+
 # 默认六个月
 BKPAAS_TASK_LIST_STATUS_FILTER_DAYS = int(os.getenv("BKPAAS_TASK_LIST_STATUS_FILTER_DAYS", 180))

env_v2.py

@@ -136,6 +136,8 @@
 # RSA KEYS, 保存的是密钥的base64加密形式, 使用base64.b64encode(KEY.encode("utf-8"))进行处理后保存为环境变量
 RSA_PRIV_KEY = os.getenv("BKAPP_RSA_PRIV_KEY", None)
 RSA_PUB_KEY = os.getenv("BKAPP_RSA_PUB_KEY", None)
+SM2_PRIV_KEY = os.getenv("BKAPP_SM2_PRIV_KEY", None)
+SM2_PUB_KEY = os.getenv("BKAPP_SM2_PUB_KEY", None)
 
 # 单业务下最大周期任务数量
 PERIODIC_TASK_PROJECT_MAX_NUMBER = int(os.getenv("BKAPP_PERIODIC_TASK_PROJECT_MAX_NUMBER", 50))

env_v3.py

@@ -167,6 +167,8 @@
 # RSA KEYS, 保存的是密钥的base64加密形式, 使用base64.b64encode(KEY.encode("utf-8"))进行处理后保存为环境变量
 RSA_PRIV_KEY = os.getenv("BKAPP_RSA_PRIV_KEY", None)
 RSA_PUB_KEY = os.getenv("BKAPP_RSA_PUB_KEY", None)
+SM2_PRIV_KEY = os.getenv("BKAPP_SM2_PRIV_KEY", None)
+SM2_PUB_KEY = os.getenv("BKAPP_SM2_PUB_KEY", None)
 
 # 单业务下最大周期任务数量
 PERIODIC_TASK_PROJECT_MAX_NUMBER = int(os.getenv("BKAPP_PERIODIC_TASK_PROJECT_MAX_NUMBER", 50))

frontend/desktop/package.json

@@ -12,8 +12,9 @@
   "license": "ISC",
   "dependencies": {
     "@blueking/bkcharts": "^2.0.11-alpha.5",
+    "@blueking/bkui-form": "0.0.35",
+    "@blueking/crypto-js-sdk": "0.0.5",
     "@blueking/user-selector": "^1.0.5-beta.2",
-    "@blueking/bkui-form": "0.0.11",
     "@vue/babel-preset-jsx": "^1.3.0",
     "ajv": "^6.10.2",
     "art-template": "^4.13.0",

frontend/desktop/src/assets/html/index-dev.html

@@ -32,6 +32,9 @@
         // 是否开启导入 V1 模板的入口
         var IMPORT_V1_FLAG = Number('0');
         var RSA_PUB_KEY = '';
+        var ASYMMETRIC_CIPHER_TYPE = '';
+        var ASYMMETRIC_PUBLIC_KEY = '';
+        var ASYMMETRIC_PREFIX = '';
         var APP_CODE = 'bk_sops';
         var FILE_UPLOAD_ENTRY = '/package/upload/';
         var MAX_NODE_EXECUTE_TIMEOUT = 6000;

frontend/desktop/src/assets/html/index.html

@@ -42,6 +42,9 @@
         // 是否开启导入 V1 模板的入口
         var IMPORT_V1_FLAG ={{import_v1_flag}};
         var RSA_PUB_KEY = '{{RSA_PUB_KEY}}';
+        var ASYMMETRIC_CIPHER_TYPE = '{{ASYMMETRIC_CIPHER_TYPE}}';
+        var ASYMMETRIC_PUBLIC_KEY = '{{ASYMMETRIC_PUBLIC_KEY}}';
+        var ASYMMETRIC_PREFIX = '{{ASYMMETRIC_PREFIX}}';
         var APP_CODE = '{{APP_CODE}}';
         var FILE_UPLOAD_ENTRY = '{{FILE_UPLOAD_ENTRY}}';
         var MEMBER_SELECTOR_DATA_HOST = '{{MEMBER_SELECTOR_DATA_HOST}}';