feat: add fine-grained control for link signing (#3924)

* Determine whether the URL requires Sign * Add File and Mem based KV NOT TESTED: TokenKV Function * Change Token KV func to common func. Add File based KV func * Remove KV, Remove Token I found that the original Sign function is enough to complete the link signature, and only need to add simple configuration items to meet the requirements. * Add IsStorageSigned func to judge if Signing is enabled in the storage settings. It should be working now. * Add a SIGN button to the management panel. * Add enable_sign to the basic storage struct. Can enable sign for every driver now. Bug: When sign enabled, in download page, Copy link doesn't contain a sign. (Not done yet) * Fix a bug from commit 8f6c25f. Response of fsread function does not contain sign. * Optimize code and follow advices. - Add back public/dist/README.md - Enable sign when DownProxyUrl is enabled - Merge needSign() to isEncrypt() in fsread.go * simplify code --------- Co-authored-by: Andy Hsu <i@nn.ci>
2023-03-24 22:44:33 +08:00 · 2023-03-24 22:44:33 +08:00 · 112363031a
parent 48dc3552a6
commit 112363031a
7 changed files with 30 additions and 7 deletions
--- a/go.mod
+++ b/go.mod
@ -76,7 +76,7 @@ require (
 	github.com/goccy/go-json v0.10.0 // indirect
 	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
 	github.com/golang/protobuf v1.5.0 // indirect
-	github.com/golang/snappy v0.0.1 // indirect
+	github.com/golang/snappy v0.0.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -111,8 +111,8 @@ github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 h1:gtexQ/VGyN+VVFRXSFig
 github.com/golang/geo v0.0.0-20210211234256-740aa86cb551/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
 github.com/golang/protobuf v1.5.0 h1:LUVKkCeviFUMKqHa4tXIIij/lbhnMbP7Fn5wKdKkRh4=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
-github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
+github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
--- a/internal/model/storage.go
+++ b/internal/model/storage.go
@ -13,6 +13,7 @@ type Storage struct {
 	Remark          string    `json:"remark"`
 	Modified        time.Time `json:"modified"`
 	Disabled        bool      `json:"disabled"` // if disabled
+	EnableSign      bool      `json:"enable_sign"`
 	Sort
 	Proxy
 }
--- a/internal/op/driver.go
+++ b/internal/op/driver.go
@ -122,9 +122,14 @@ func getMainItems(config driver.Config) []driver.Item {
 		Type:    conf.TypeSelect,
 		Options: "front,back",
 	})
+	items = append(items, driver.Item{
+		Name:     "enable_sign",
+		Type:     conf.TypeBool,
+		Default:  "false",
+		Required: true,
+	})
 	return items
 }
-
 func getAdditionalItems(t reflect.Type, defaultRoot string) []driver.Item {
 	var items []driver.Item
 	for i := 0; i < t.NumField(); i++ {
--- a/server/common/check.go
+++ b/server/common/check.go
@ -8,9 +8,15 @@ import (
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
 )

+func IsStorageSignEnabled(rawPath string) bool {
+	storage := op.GetBalancedStorage(rawPath)
+	return storage != nil && storage.GetStorage().EnableSign
+}
+
 func CanWrite(meta *model.Meta, path string) bool {
 	if meta == nil || !meta.Write {
 		return false
--- a/server/handles/fsread.go
+++ b/server/handles/fsread.go
@ -165,6 +165,9 @@ func getReadme(meta *model.Meta, path string) string {
 }

 func isEncrypt(meta *model.Meta, path string) bool {
+	if common.IsStorageSignEnabled(path) {
+		return true
+	}
 	if meta == nil || meta.Password == "" {
 		return false
 	}
@ -260,16 +263,20 @@ func FsGet(c *gin.Context) {
 			return
 		}
 		if storage.Config().MustProxy() || storage.GetStorage().WebProxy {
+			query := ""
+			if isEncrypt(meta, reqPath) {
+				query = "?sign=" + sign.Sign(reqPath)
+			}
 			if storage.GetStorage().DownProxyUrl != "" {
 				rawURL = fmt.Sprintf("%s%s?sign=%s",
 					strings.Split(storage.GetStorage().DownProxyUrl, "\n")[0],
 					utils.EncodePath(reqPath, true),
 					sign.Sign(reqPath))
 			} else {
-				rawURL = fmt.Sprintf("%s/p%s?sign=%s",
+				rawURL = fmt.Sprintf("%s/p%s%s",
 					common.GetApiUrl(c.Request),
 					utils.EncodePath(reqPath, true),
-					sign.Sign(reqPath))
+					query)
 			}
 		} else {
 			// file have raw url
--- a/server/middlewares/down.go
+++ b/server/middlewares/down.go
@ -4,10 +4,11 @@ import (
 	"strings"

 	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/setting"
+
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/internal/setting"
 	"github.com/alist-org/alist/v3/internal/sign"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
@ -49,6 +50,9 @@ func needSign(meta *model.Meta, path string) bool {
 	if setting.GetBool(conf.SignAll) {
 		return true
 	}
+	if common.IsStorageSignEnabled(path) {
+		return true
+	}
 	if meta == nil || meta.Password == "" {
 		return false
 	}