Merge pull request #24 from kevinlin09/feat/support_encrypt

feat: support encryption

Author: kevinlin09

dashscope/api_entities/api_request_factory.py

@@ -1,5 +1,4 @@
 # Copyright (c) Alibaba, Inc. and its affiliates.
-
 from urllib.parse import urlencode
 
 import dashscope
@@ -10,8 +9,9 @@
                                         SERVICE_API_PATH, ApiProtocol,
                                         HTTPMethod)
 from dashscope.common.error import InputDataRequired, UnsupportedApiProtocol
+from dashscope.common.logging import logger
 from dashscope.protocol.websocket import WebsocketStreamingMode
-
+from dashscope.api_entities.encryption import Encryption
 
 def _get_protocol_params(kwargs):
     api_protocol = kwargs.pop('api_protocol', ApiProtocol.HTTPS)
@@ -49,6 +49,9 @@ def _build_api_request(model: str,
      base_address, flattened_output,
      extra_url_parameters) = _get_protocol_params(kwargs)
     task_id = kwargs.pop('task_id', None)
+    enable_encryption = kwargs.pop('enable_encryption', False)
+    encryption = None
+
     if api_protocol in [ApiProtocol.HTTP, ApiProtocol.HTTPS]:
         if base_address is None:
             base_address = dashscope.base_http_api_url
@@ -69,6 +72,12 @@ def _build_api_request(model: str,
         if extra_url_parameters is not None and extra_url_parameters:
             http_url += '?' + urlencode(extra_url_parameters)
 
+        if enable_encryption is True:
+            encryption = Encryption()
+            encryption.initialize()
+            if encryption.is_valid():
+                logger.debug('encryption enabled')
+
         request = HttpRequest(url=http_url,
                               api_key=api_key,
                               http_method=http_method,
@@ -77,7 +86,8 @@ def _build_api_request(model: str,
                               query=query,
                               timeout=request_timeout,
                               task_id=task_id,
-                              flattened_output=flattened_output)
+                              flattened_output=flattened_output,
+                              encryption=encryption)
     elif api_protocol == ApiProtocol.WEBSOCKET:
         if base_address is not None:
             websocket_url = base_address
@@ -103,6 +113,9 @@ def _build_api_request(model: str,
     if input is None and form is None:
         raise InputDataRequired('There is no input data and form data')
 
+    if encryption and encryption.is_valid():
+        input = encryption.encrypt(input)
+
     request_data = ApiRequestData(model,
                                   task_group=task_group,
                                   task=task,

dashscope/api_entities/encryption.py

@@ -0,0 +1,179 @@
+# Copyright (c) Alibaba, Inc. and its affiliates.
+import base64
+import json
+from dataclasses import dataclass
+import os
+from typing import Optional
+
+import requests
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.backends import default_backend
+
+import dashscope
+from dashscope.common.constants import ENCRYPTION_AES_SECRET_KEY_BYTES, ENCRYPTION_AES_IV_LENGTH
+from dashscope.common.logging import logger
+
+
+class Encryption:
+    def __init__(self):
+        self.pub_key_id: str = ''
+        self.pub_key_str: str = ''
+        self.aes_key_bytes: bytes = b''
+        self.encrypted_aes_key_str: str = ''
+        self.iv_bytes: bytes = b''
+        self.base64_iv_str: str = ''
+        self.valid: bool = False
+
+    def initialize(self):
+        public_keys = self._get_public_keys()
+        if not public_keys:
+            return
+
+        public_key_str = public_keys.get('public_key')
+        public_key_id = public_keys.get('public_key_id')
+        if not public_key_str or not public_key_id:
+            logger.error("public keys data not valid")
+            return
+
+        aes_key_bytes = self._generate_aes_secret_key()
+        iv_bytes = self._generate_iv()
+
+        encrypted_aes_key_str = self._encrypt_aes_key_with_rsa(aes_key_bytes, public_key_str)
+        base64_iv_str = base64.b64encode(iv_bytes).decode('utf-8')
+
+        self.pub_key_id = public_key_id
+        self.pub_key_str = public_key_str
+        self.aes_key_bytes = aes_key_bytes
+        self.encrypted_aes_key_str = encrypted_aes_key_str
+        self.iv_bytes = iv_bytes
+        self.base64_iv_str = base64_iv_str
+
+        self.valid = True
+
+    def encrypt(self, dict_plaintext):
+        return self._encrypt_text_with_aes(json.dumps(dict_plaintext, ensure_ascii=False),
+                                           self.aes_key_bytes, self.iv_bytes)
+
+    def decrypt(self, base64_ciphertext):
+        return self._decrypt_text_with_aes(base64_ciphertext, self.aes_key_bytes, self.iv_bytes)
+
+    def is_valid(self):
+        return self.valid
+
+    def get_pub_key_id(self):
+        return self.pub_key_id
+
+    def get_encrypted_aes_key_str(self):
+        return self.encrypted_aes_key_str
+
+    def get_base64_iv_str(self):
+        return self.base64_iv_str
+
+    @staticmethod
+    def _get_public_keys():
+        url = dashscope.base_http_api_url + '/public-keys/latest'
+        headers = {
+            "Authorization": f"Bearer {dashscope.api_key}"
+        }
+
+        response = requests.get(url, headers=headers)
+        if response.status_code != 200:
+            logger.error("exceptional public key response: %s" % response)
+            return None
+
+        json_resp = response.json()
+        response_data = json_resp.get('data')
+
+        if not response_data:
+            logger.error("no valid data in public key response")
+            return None
+
+        return response_data
+
+    @staticmethod
+    def _generate_aes_secret_key():
+        return os.urandom(ENCRYPTION_AES_SECRET_KEY_BYTES)
+
+    @staticmethod
+    def _generate_iv():
+        return os.urandom(ENCRYPTION_AES_IV_LENGTH)
+
+    @staticmethod
+    def _encrypt_text_with_aes(plaintext, key, iv):
+        """使用AES-GCM加密数据"""
+
+        # 创建AES-GCM加密器
+        aes_gcm = Cipher(
+            algorithms.AES(key),
+            modes.GCM(iv, tag=None),
+            backend=default_backend()
+        ).encryptor()
+
+        # 关联数据设为空（根据需求可调整）
+        aes_gcm.authenticate_additional_data(b'')
+
+        # 加密数据
+        ciphertext = aes_gcm.update(plaintext.encode('utf-8')) + aes_gcm.finalize()
+
+        # 获取认证标签
+        tag = aes_gcm.tag
+
+        # 组合密文和标签
+        encrypted_data = ciphertext + tag
+
+        # 返回Base64编码结果
+        return base64.b64encode(encrypted_data).decode('utf-8')
+
+    @staticmethod
+    def _decrypt_text_with_aes(base64_ciphertext, aes_key, iv):
+        """使用AES-GCM解密响应"""
+
+        # 解码Base64数据
+        encrypted_data = base64.b64decode(base64_ciphertext)
+
+        # 分离密文和标签（标签长度16字节）
+        ciphertext = encrypted_data[:-16]
+        tag = encrypted_data[-16:]
+
+        # 创建AES-GCM解密器
+        aes_gcm = Cipher(
+            algorithms.AES(aes_key),
+            modes.GCM(iv, tag),
+            backend=default_backend()
+        ).decryptor()
+
+        # 验证关联数据（与加密时一致）
+        aes_gcm.authenticate_additional_data(b'')
+
+        # 解密数据
+        decrypted_bytes = aes_gcm.update(ciphertext) + aes_gcm.finalize()
+
+        # 明文
+        plaintext = decrypted_bytes.decode('utf-8')
+
+        return json.loads(plaintext)
+
+    @staticmethod
+    def _encrypt_aes_key_with_rsa(aes_key, public_key_str):
+        """使用RSA公钥加密AES密钥"""
+
+        # 解码Base64格式的公钥
+        public_key_bytes = base64.b64decode(public_key_str)
+
+        # 加载公钥
+        public_key = serialization.load_der_public_key(
+            public_key_bytes,
+            backend=default_backend()
+        )
+
+        base64_aes_key = base64.b64encode(aes_key).decode('utf-8')
+
+        # 使用RSA加密
+        encrypted_bytes = public_key.encrypt(
+            base64_aes_key.encode('utf-8'),
+            padding.PKCS1v15()
+        )
+
+        return base64.b64encode(encrypted_bytes).decode('utf-8')

dashscope/api_entities/http_request.py

@@ -2,6 +2,7 @@
 
 import json
 from http import HTTPStatus
+from typing import Optional
 
 import aiohttp
 import requests
@@ -16,6 +17,7 @@
                                     _handle_aiohttp_failed_response,
                                     _handle_http_failed_response,
                                     _handle_stream)
+from dashscope.api_entities.encryption import Encryption
 
 
 class HttpRequest(AioBaseRequest):
@@ -28,7 +30,8 @@ def __init__(self,
                  query: bool = False,
                  timeout: int = DEFAULT_REQUEST_TIMEOUT_SECONDS,
                  task_id: str = None,
-                 flattened_output: bool = False) -> None:
+                 flattened_output: bool = False,
+                 encryption: Optional[Encryption] = None) -> None:
         """HttpSSERequest, processing http server sent event stream.
 
         Args:
@@ -44,11 +47,23 @@ def __init__(self,
         self.url = url
         self.flattened_output = flattened_output
         self.async_request = async_request
+        self.encryption = encryption
         self.headers = {
             'Accept': 'application/json',
             'Authorization': 'Bearer %s' % api_key,
             **self.headers,
         }
+
+        if encryption and encryption.is_valid():
+            self.headers = {
+                "X-DashScope-EncryptionKey": json.dumps({
+                    "public_key_id": encryption.get_pub_key_id(),
+                    "encrypt_key": encryption.get_encrypted_aes_key_str(),
+                    "iv": encryption.get_base64_iv_str()
+                }),
+                **self.headers,
+            }
+
         self.query = query
         if self.async_request and self.query is False:
             self.headers = {
@@ -168,6 +183,8 @@ async def _handle_aio_response(self, response: aiohttp.ClientResponse):
                                                code=msg['code'],
                                                message=msg['message'])
                 else:
+                    if self.encryption and self.encryption.is_valid():
+                        output = self.encryption.decrypt(output)
                     yield DashScopeAPIResponse(request_id=request_id,
                                                status_code=HTTPStatus.OK,
                                                output=output,
@@ -183,6 +200,8 @@ async def _handle_aio_response(self, response: aiohttp.ClientResponse):
                 output[part.name] = await part.read()
             if 'request_id' in output:
                 request_id = output['request_id']
+            if self.encryption and self.encryption.is_valid():
+                output = self.encryption.decrypt(output)
             yield DashScopeAPIResponse(request_id=request_id,
                                        status_code=HTTPStatus.OK,
                                        output=output)
@@ -196,6 +215,8 @@ async def _handle_aio_response(self, response: aiohttp.ClientResponse):
                 usage = json_content['usage']
             if 'request_id' in json_content:
                 request_id = json_content['request_id']
+            if self.encryption and self.encryption.is_valid():
+                output = self.encryption.decrypt(output)
             yield DashScopeAPIResponse(request_id=request_id,
                                        status_code=HTTPStatus.OK,
                                        output=output,
@@ -243,6 +264,8 @@ def _handle_response(self, response: requests.Response):
                     if self.flattened_output:
                         yield msg
                     else:
+                        if self.encryption and self.encryption.is_valid():
+                            output = self.encryption.decrypt(output)
                         yield DashScopeAPIResponse(request_id=request_id,
                                                    status_code=HTTPStatus.OK,
                                                    output=output,
@@ -263,6 +286,8 @@ def _handle_response(self, response: requests.Response):
             if self.flattened_output:
                 yield json_content
             else:
+                if self.encryption and self.encryption.is_valid():
+                    output = self.encryption.decrypt(output)
                 yield DashScopeAPIResponse(request_id=request_id,
                                            status_code=HTTPStatus.OK,
                                            output=output,

dashscope/common/constants.py

@@ -37,6 +37,9 @@
 REQUEST_CONTENT_AUDIO = 'audio'
 FILE_PATH_SCHEMA = 'file://'
 
+ENCRYPTION_AES_SECRET_KEY_BYTES = 32
+ENCRYPTION_AES_IV_LENGTH = 12
+
 REPEATABLE_STATUS = [
     HTTPStatus.SERVICE_UNAVAILABLE, HTTPStatus.GATEWAY_TIMEOUT
 ]

requirements.txt

@@ -1,3 +1,4 @@
 aiohttp
 requests
 websocket-client
+cryptography

samples/test_generation.py

@@ -0,0 +1,26 @@
+import os
+from dashscope import Generation
+
+messages = [
+    {"role": "system", "content": "You are a helpful assistant."},
+    {"role": "user", "content": "你是谁？"},
+]
+response = Generation.call(
+    api_key=os.getenv("DASHSCOPE_API_KEY"),
+    model="qwen-plus",
+    messages=messages,
+    result_format="message",
+    enable_encryption=True,
+    stream=True,
+)
+
+for chunk in response:
+    print(chunk.output.choices[0].message.content)
+
+# if response.status_code == 200:
+#     print(response.output.choices[0].message.content)
+# else:
+#     print(f"HTTP返回码：{response.status_code}")
+#     print(f"错误码：{response.code}")
+#     print(f"错误信息：{response.message}")
+#     print("请参考文档：https://help.aliyun.com/zh/model-studio/developer-reference/error-code")