From de4793aacb033128f63ce192594f62efa7031af6 Mon Sep 17 00:00:00 2001 From: HFO4 <912394456@qq.com> Date: Sun, 29 Dec 2019 13:50:23 +0800 Subject: [PATCH] Modify: auth instance as first param in SignURI/Request --- middleware/auth.go | 6 +++--- pkg/auth/auth.go | 16 ++++++++-------- pkg/auth/auth_test.go | 28 ++++++++++++++-------------- pkg/conf/defaults.go | 2 +- pkg/filesystem/local/handler.go | 2 ++ pkg/filesystem/remote/handler.go | 3 ++- service/explorer/objects.go | 1 + 7 files changed, 31 insertions(+), 27 deletions(-) diff --git a/middleware/auth.go b/middleware/auth.go index 7a994e8..2f09cf3 100644 --- a/middleware/auth.go +++ b/middleware/auth.go @@ -15,11 +15,11 @@ func SignRequired() gin.HandlerFunc { var err error switch c.Request.Method { case "PUT", "POST": - err = auth.CheckRequest(c.Request) + err = auth.CheckRequest(auth.General, c.Request) // TODO 生产环境去掉下一行 - err = nil + //err = nil default: - err = auth.CheckURI(c.Request.URL) + err = auth.CheckURI(auth.General, c.Request.URL) } if err != nil { diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index c268bf2..c5ac39b 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go @@ -31,9 +31,9 @@ type Auth interface { // SignRequest 对PUT\POST等复杂HTTP请求签名,如果请求Header中 // 包含 X-Policy, 则此请求会被认定为上传请求,只会对URI部分和 // Policy部分进行签名。其他请求则会对URI和Body部分进行签名。 -func SignRequest(r *http.Request, expires int64) *http.Request { +func SignRequest(instance Auth, r *http.Request, expires int64) *http.Request { // 生成签名 - sign := General.Sign(getSignContent(r), expires) + sign := instance.Sign(getSignContent(r), expires) // 将签名加到请求Header中 r.Header["Authorization"] = []string{"Bearer " + sign} @@ -41,7 +41,7 @@ func SignRequest(r *http.Request, expires int64) *http.Request { } // CheckRequest 对复杂请求进行签名验证 -func CheckRequest(r *http.Request) error { +func CheckRequest(instance Auth, r *http.Request) error { var ( sign []string ok bool 
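Review bot: The `// TODO 生产环境去掉下一行` comment and the commented-out `//err = nil` beneath it in the PUT/POST case should be deleted rather than left in place, because a line that discards the CheckRequest result is a one-character change away from being re-enabled. Dropping both lines leaves the signature check unconditional for PUT/POST, which is what this commit intends, and removes the temptation to toggle it back during debugging. The enclosing SignRequired handler continues outside the hunk.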
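Review bot: The doc comments on SignRequest and CheckRequest do not describe the new `instance Auth` parameter, and the same is true of SignURI and CheckURI in the later hunks of this file. A caller may now pass any Auth implementation, and a nil interface panics at `instance.Sign` / `instance.Check`, so each comment should state that the argument selects the signer or verifier and must be non-nil, e.g. `// instance is the Auth implementation whose key signs the request; it must not be nil.` On CheckRequest and CheckURI it is also worth stating that verification only succeeds with the same instance (same key) that produced the signature, since that is the property the remote handler now relies on.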
@@ -51,7 +51,7 @@ func CheckRequest(r *http.Request) error { } sign[0] = strings.TrimPrefix(sign[0], "Bearer ") - return General.Check(getSignContent(r), sign[0]) + return instance.Check(getSignContent(r), sign[0]) } // getSignContent 根据请求Header中是否包含X-Policy判断是否为上传请求, @@ -69,14 +69,14 @@ func getSignContent(r *http.Request) (rawSignString string) { } // SignURI 对URI进行签名,签名只针对Path部分,query部分不做验证 -func SignURI(uri string, expires int64) (*url.URL, error) { +func SignURI(instance Auth, uri string, expires int64) (*url.URL, error) { base, err := url.Parse(uri) if err != nil { return nil, err } // 生成签名 - sign := General.Sign(base.Path, expires) + sign := instance.Sign(base.Path, expires) // 将签名加到URI中 queries := base.Query() @@ -87,14 +87,14 @@ func SignURI(uri string, expires int64) (*url.URL, error) { } // CheckURI 对URI进行鉴权 -func CheckURI(url *url.URL) error { +func CheckURI(instance Auth, url *url.URL) error { //获取待验证的签名正文 queries := url.Query() sign := queries.Get("sign") queries.Del("sign") url.RawQuery = queries.Encode() - return General.Check(url.Path, sign) + return instance.Check(url.Path, sign) } // Init 初始化通用鉴权器 diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go index 8407b8f..0aecf38 100644 --- a/pkg/auth/auth_test.go +++ b/pkg/auth/auth_test.go @@ -16,7 +16,7 @@ func TestSignURI(t *testing.T) { // 成功 { - sign, err := SignURI("/api/v3/something?id=1", 0) + sign, err := SignURI(General, "/api/v3/something?id=1", 0) asserts.NoError(err) queries := sign.Query() asserts.Equal("1", queries.Get("id")) @@ -25,7 +25,7 @@ func TestSignURI(t *testing.T) { // URI解码失败 { - sign, err := SignURI("://dg.;'f]gh./'", 0) + sign, err := SignURI(General, "://dg.;'f]gh./'", 0) asserts.Error(err) asserts.Nil(sign) } 
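Review bot: `sign[0] = strings.TrimPrefix(sign[0], "Bearer ")` indexes the header slice with no length check visible in this hunk; the `ok` check that precedes it lies between hunks, and if it only tests map presence, a request whose Header map was built by hand with an empty Authorization slice would panic here. Either extending that check to `if !ok || len(sign) == 0 { ... }` or adding `if len(sign) == 0 { return <missing-header error> }` before the TrimPrefix closes this cheaply. CheckRequest starts outside this hunk.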
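Review bot: The rewritten signature `func CheckURI(instance Auth, url *url.URL) error` names its parameter `url`, shadowing the net/url package inside the body; `func CheckURI(instance Auth, u *url.URL) error` with the body renamed accordingly avoids that. The function also mutates its argument — `queries.Del("sign")` followed by `url.RawQuery = queries.Encode()` strips the signature and re-encodes the remaining query on the caller's URL, so the middleware passes a rewritten request URL downstream — and the one-line doc comment should say so, e.g. `// CheckURI also removes the sign parameter from url and rewrites url.RawQuery from the remaining query.` An empty `sign` query value is handed straight to `instance.Check`; unless Check is known to treat an empty signature as invalid, an explicit early rejection belongs here.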
@@ -37,16 +37,16 @@ func TestCheckURI(t *testing.T) { // 成功 { - sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()+10) + sign, err := SignURI(General, "/api/ok?if=sdf&fd=go", time.Now().Unix()+10) asserts.NoError(err) - asserts.NoError(CheckURI(sign)) + asserts.NoError(CheckURI(General, sign)) } // 过期 { - sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()-1) + sign, err := SignURI(General, "/api/ok?if=sdf&fd=go", time.Now().Unix()-1) asserts.NoError(err) - asserts.Error(CheckURI(sign)) + asserts.Error(CheckURI(General, sign)) } } @@ -58,7 +58,7 @@ func TestSignRequest(t *testing.T) { { req, err := http.NewRequest("POST", "http://127.0.0.1/api/v3/slave/upload", strings.NewReader("I am body.")) asserts.NoError(err) - req = SignRequest(req, 0) + req = SignRequest(General, req, 0) asserts.NotEmpty(req.Header["Authorization"]) } @@ -71,7 +71,7 @@ func TestSignRequest(t *testing.T) { ) asserts.NoError(err) req.Header["X-Policy"] = []string{"I am Policy"} - req = SignRequest(req, 10) + req = SignRequest(General, req, 10) asserts.NotEmpty(req.Header["Authorization"]) } } @@ -88,8 +88,8 @@ func TestCheckRequest(t *testing.T) { strings.NewReader("I am body."), ) asserts.NoError(err) - req = SignRequest(req, 0) - err = CheckRequest(req) + req = SignRequest(General, req, 0) + err = CheckRequest(General, req) asserts.NoError(err) } @@ -102,8 +102,8 @@ func TestCheckRequest(t *testing.T) { ) asserts.NoError(err) req.Header["X-Policy"] = []string{"I am Policy"} - req = SignRequest(req, 0) - err = CheckRequest(req) + req = SignRequest(General, req, 0) + err = CheckRequest(General, req) asserts.NoError(err) } @@ -115,9 +115,9 @@ func TestCheckRequest(t *testing.T) { strings.NewReader("I am body."), ) asserts.NoError(err) - req = SignRequest(req, 0) + req = SignRequest(General, req, 0) req.Body = ioutil.NopCloser(strings.NewReader("2333")) - err = CheckRequest(req) + err = CheckRequest(General, req) asserts.Error(err) } } 
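Review bot: Every updated call in TestCheckURI and TestCheckRequest still passes `General` on both the signing and the checking side, so the new parameter is never exercised with two different instances. Since pkg/filesystem/remote/handler.go now signs with a per-policy `auth.HMACAuth`, a case that signs with one `HMACAuth{SecretKey: ...}`, checks with another holding a different key, and asserts an error would pin the key separation this change introduces. How General is initialised is not visible in these hunks, but the new case can construct its two instances inline.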
diff --git a/pkg/conf/defaults.go b/pkg/conf/defaults.go index 41c9b59..bc27782 100644 --- a/pkg/conf/defaults.go +++ b/pkg/conf/defaults.go @@ -41,7 +41,7 @@ var CORSConfig = &cors{ AllowOrigins: []string{"UNSET"}, AllowMethods: []string{"PUT", "POST", "GET", "OPTIONS"}, AllowHeaders: []string{"Cookie", "Content-Length", "Content-Type", "X-Path", "X-FileName"}, - AllowCredentials: true, + AllowCredentials: false, ExposeHeaders: nil, } diff --git a/pkg/filesystem/local/handler.go b/pkg/filesystem/local/handler.go index 43fb528..4cde4a8 100644 --- a/pkg/filesystem/local/handler.go +++ b/pkg/filesystem/local/handler.go @@ -142,12 +142,14 @@ func (handler Handler) Source( // 签名生成文件记录 signedURI, err = auth.SignURI( + auth.General, fmt.Sprintf("/api/v3/file/download/%s", downloadSessionID), expires, ) } else { // 签名生成文件记录 signedURI, err = auth.SignURI( + auth.General, fmt.Sprintf("/api/v3/file/get/%d/%s", file.ID, file.Name), expires, ) diff --git a/pkg/filesystem/remote/handler.go b/pkg/filesystem/remote/handler.go index 12ade10..34e838c 100644 --- a/pkg/filesystem/remote/handler.go +++ b/pkg/filesystem/remote/handler.go @@ -79,7 +79,8 @@ func (handler Handler) Token(ctx context.Context, TTL int64, key string) (serial uploadRequest.Header = map[string][]string{ "X-Policy": {policyEncoded}, } - auth.SignRequest(uploadRequest, time.Now().Unix()+TTL) + remoteAuth := auth.HMACAuth{SecretKey: []byte(handler.Policy.SecretKey)} + auth.SignRequest(remoteAuth, uploadRequest, time.Now().Unix()+TTL) if credential, ok := uploadRequest.Header["Authorization"]; ok && len(credential) == 1 { return serializer.UploadCredential{ diff --git a/service/explorer/objects.go b/service/explorer/objects.go index 24a5d09..243da26 100644 --- a/service/explorer/objects.go +++ b/service/explorer/objects.go 
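Review bot: `AllowCredentials: false` is a behaviour change for every deployment that relied on the old default, and nothing in the commit subject mentions it; it deserves its own commit or at least a sentence in the description. The stricter default is the right one — credentials combined with a permissive AllowOrigins is the unsafe combination — but the field should carry a comment saying so, e.g. `// Off by default; enable only together with an explicit, non-wildcard AllowOrigins list.` Note too that listing "Cookie" in AllowHeaders does not by itself make browsers send cookies cross-origin; that is governed by this flag, so the comment should point readers here.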
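Review bot: `file.Name` is interpolated unescaped into the signed URI on the `fmt.Sprintf("/api/v3/file/get/%d/%s", file.ID, file.Name)` line, while SignURI signs only the Path that url.Parse recovers from that string. A name containing `?`, `#`, `%` or `/` therefore changes what url.Parse treats as path versus query or fragment, so part of the name falls outside the signed portion or the path gains extra segments. Passing `url.PathEscape(file.Name)` keeps the whole name inside the signed path; whether net/url is already imported in this file is not visible here. Source starts outside the hunk.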
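Review bot: `remoteAuth := auth.HMACAuth{SecretKey: []byte(handler.Policy.SecretKey)}` signs the upload credential with the policy key even when that key is empty, producing a credential built on an empty HMAC key. A guard just before it — `if handler.Policy.SecretKey == "" { return <zero credential>, <error> }`, with the concrete return values matching Token's result list, which is cut off at the hunk header — makes a mis-configured policy fail in Token rather than at the slave. The return value of auth.SignRequest is ignored on the next line, which is fine only because SignRequest writes the Authorization header into uploadRequest in place, as the auth.go hunk shows; a short comment saying so would help the next reader. Token starts outside the hunk.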
@@ -66,6 +66,7 @@ func (service *ItemService) Archive(ctx context.Context, c *gin.Context) seriali ttl = 30 } signedURI, err := auth.SignURI( + auth.General, fmt.Sprintf("/api/v3/file/archive/%s/archive.zip", zipID), time.Now().Unix()+int64(ttl), )