msb-public
/
cloudreve
mirror of https://github.com/cloudreve/Cloudreve
1
0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a3b4a22dbc'
${ noResults }
cloudreve/pkg/auth/auth.go

130 lines
3.3 KiB
Raw Normal View History Unescape

Feat: HMAC auth and check
5 years ago
package auth
import (
Feat: auth middleware for complex request
5 years ago
"bytes"
Feat: sign http request / read running mode from config file
5 years ago
"io/ioutil"
"net/http"
Feat: sign file source url
5 years ago
"net/url"
Feat: auth middleware for complex request
5 years ago
"strings"
Modify: add time.Now for expiration inside signing function
5 years ago
"time"
Comply with Golang semantic import versioning (#630) * Code: compatible with semantic import versioning * Tools & Docs: compatible with semantic import versioning * Clean go.mod & go.sum
4 years ago
model "github.com/cloudreve/Cloudreve/v3/models"
"github.com/cloudreve/Cloudreve/v3/pkg/conf"
"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
"github.com/cloudreve/Cloudreve/v3/pkg/util"
Feat: HMAC auth and check
5 years ago
)
var (
Feat: download file from single file share
5 years ago
ErrAuthFailed = serializer.NewError(serializer.CodeNoPermissionErr, "鉴权失败", nil)
Feat: HMAC auth and check
5 years ago
ErrExpired = serializer.NewError(serializer.CodeSignExpired, "签名已过期", nil)
)
// General 通用的认证接口
var General Auth
// Auth 鉴权认证
type Auth interface {
// 对给定Body进行签名,expires为0表示永不过期
Sign(body string, expires int64) string
// 对给定Body和Sign进行检查
Check(body string, sign string) error
}
Feat: sign http request / read running mode from config file
5 years ago
// SignRequest 对PUT\POST等复杂HTTP请求签名如果请求Header中
// 包含 X-Policy 则此请求会被认定为上传请求只会对URI部分和
// Policy部分进行签名。其他请求则会对URI和Body部分进行签名。
Modify: auth instance as first param in SignURI/Request
5 years ago
func SignRequest(instance Auth, r *http.Request, expires int64) *http.Request {
Modify: add time.Now for expiration inside signing function
5 years ago
// 处理有效期
if expires > 0 {
expires += time.Now().Unix()
}
Feat: auth middleware for complex request
5 years ago
// 生成签名
Modify: auth instance as first param in SignURI/Request
5 years ago
sign := instance.Sign(getSignContent(r), expires)
Feat: auth middleware for complex request
5 years ago
// 将签名加到请求Header中
r.Header["Authorization"] = []string{"Bearer " + sign}
return r
}
// CheckRequest 对复杂请求进行签名验证
Modify: auth instance as first param in SignURI/Request
5 years ago
func CheckRequest(instance Auth, r *http.Request) error {
Feat: auth middleware for complex request
5 years ago
var (
sign []string
ok bool
)
if sign, ok = r.Header["Authorization"]; !ok || len(sign) == 0 {
return ErrAuthFailed
}
sign[0] = strings.TrimPrefix(sign[0], "Bearer ")
Modify: auth instance as first param in SignURI/Request
5 years ago
return instance.Check(getSignContent(r), sign[0])
Feat: auth middleware for complex request
5 years ago
}
// getSignContent 根据请求Header中是否包含X-Policy判断是否为上传请求
// 返回待签名/验证的字符串
func getSignContent(r *http.Request) (rawSignString string) {
Feat: sign http request / read running mode from config file
5 years ago
if policy, ok := r.Header["X-Policy"]; ok {
rawSignString = serializer.NewRequestSignString(r.URL.Path, policy[0], "")
} else {
Test: remote callback auth
5 years ago
var body = []byte{}
if r.Body != nil {
body, _ = ioutil.ReadAll(r.Body)
_ = r.Body.Close()
r.Body = ioutil.NopCloser(bytes.NewReader(body))
}
Feat: sign http request / read running mode from config file
5 years ago
rawSignString = serializer.NewRequestSignString(r.URL.Path, "", string(body))
}
Feat: auth middleware for complex request
5 years ago
return rawSignString
Feat: sign http request / read running mode from config file
5 years ago
}
Test: signRequired middleware
5 years ago
// SignURI 对URI进行签名,签名只针对Path部分query部分不做验证
Modify: auth instance as first param in SignURI/Request
5 years ago
func SignURI(instance Auth, uri string, expires int64) (*url.URL, error) {
Modify: add time.Now for expiration inside signing function
5 years ago
// 处理有效期
if expires != 0 {
expires += time.Now().Unix()
}
Feat: sign file source url
5 years ago
base, err := url.Parse(uri)
if err != nil {
return nil, err
}
Test: signRequired middleware
5 years ago
// 生成签名
Modify: auth instance as first param in SignURI/Request
5 years ago
sign := instance.Sign(base.Path, expires)
Test: signRequired middleware
5 years ago
// 将签名加到URI中
Feat: sign file source url
5 years ago
queries := base.Query()
queries.Set("sign", sign)
base.RawQuery = queries.Encode()
return base, nil
}
Feat: sign auth middleware
5 years ago
// CheckURI 对URI进行鉴权
Modify: auth instance as first param in SignURI/Request
5 years ago
func CheckURI(instance Auth, url *url.URL) error {
Feat: sign auth middleware
5 years ago
//获取待验证的签名正文
queries := url.Query()
sign := queries.Get("sign")
queries.Del("sign")
url.RawQuery = queries.Encode()
Modify: auth instance as first param in SignURI/Request
5 years ago
return instance.Check(url.Path, sign)
Feat: sign auth middleware
5 years ago
}
Feat: HMAC auth and check
5 years ago
// Init 初始化通用鉴权器
func Init() {
Feat: sign http request / read running mode from config file
5 years ago
var secretKey string
if conf.SystemConfig.Mode == "master" {
secretKey = model.GetSettingByName("secret_key")
} else {
Feat: send remote uploading callback
5 years ago
secretKey = conf.SlaveConfig.Secret
Feat: sign http request / read running mode from config file
5 years ago
if secretKey == "" {
util.Log().Panic("未指定 SlaveSecret请前往配置文件中指定")
}
}
Feat: HMAC auth and check
5 years ago
General = HMACAuth{
Feat: sign http request / read running mode from config file
5 years ago
SecretKey: []byte(secretKey),
Feat: HMAC auth and check
5 years ago
}
}