cloudreve/pkg/filesystem/driver/oss/callback.go

package oss

import (
	"bytes"
	"crypto"
	"crypto/md5"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"

	"github.com/cloudreve/Cloudreve/v3/pkg/cache"
	"github.com/cloudreve/Cloudreve/v3/pkg/request"
)

// GetPublicKey 从回调请求或缓存中获取OSS的回调签名公钥
func GetPublicKey(r *http.Request) ([]byte, error) {
	var pubKey []byte

	// 尝试从缓存中获取
	pub, exist := cache.Get("oss_public_key")
	if exist {
		return pub.([]byte), nil
	}

	// 从请求中获取
	pubURL, err := base64.StdEncoding.DecodeString(r.Header.Get("x-oss-pub-key-url"))
	if err != nil {
		return pubKey, err
	}

	// 确保这个 public key 是由 OSS 颁发的
	if !strings.HasPrefix(string(pubURL), "http://gosspublic.alicdn.com/") &&
		!strings.HasPrefix(string(pubURL), "https://gosspublic.alicdn.com/") {
		return pubKey, errors.New("public key url invalid")
	}

	// 获取公钥
	client := request.NewClient()
	body, err := client.Request("GET", string(pubURL), nil).
		CheckHTTPResponse(200).
		GetResponse()
	if err != nil {
		return pubKey, err
	}

	// 写入缓存
	_ = cache.Set("oss_public_key", []byte(body), 86400*7)

	return []byte(body), nil
}

func getRequestMD5(r *http.Request) ([]byte, error) {
	var byteMD5 []byte

	// 获取请求正文
	body, err := ioutil.ReadAll(r.Body)
	r.Body.Close()
	if err != nil {
		return byteMD5, err
	}
	r.Body = ioutil.NopCloser(bytes.NewReader(body))

	strURLPathDecode, err := url.PathUnescape(r.URL.Path)
	if err != nil {
		return byteMD5, err
	}

	strAuth := fmt.Sprintf("%s\n%s", strURLPathDecode, string(body))
	md5Ctx := md5.New()
	md5Ctx.Write([]byte(strAuth))
	byteMD5 = md5Ctx.Sum(nil)

	return byteMD5, nil
}

// VerifyCallbackSignature 验证OSS回调请求
func VerifyCallbackSignature(r *http.Request) error {
	bytePublicKey, err := GetPublicKey(r)
	if err != nil {
		return err
	}

	byteMD5, err := getRequestMD5(r)
	if err != nil {
		return err
	}

	strAuthorizationBase64 := r.Header.Get("authorization")
	if strAuthorizationBase64 == "" {
		return errors.New("no authorization field in Request header")
	}
	authorization, _ := base64.StdEncoding.DecodeString(strAuthorizationBase64)

	pubBlock, _ := pem.Decode(bytePublicKey)
	if pubBlock == nil {
		return errors.New("pubBlock not exist")
	}
	pubInterface, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)
	if (pubInterface == nil) || (err != nil) {
		return err
	}
	pub := pubInterface.(*rsa.PublicKey)

	errorVerifyPKCS1v15 := rsa.VerifyPKCS1v15(pub, crypto.MD5, byteMD5, authorization)
	if errorVerifyPKCS1v15 != nil {
		return errorVerifyPKCS1v15
	}

	return nil
}
Test: oss callback signature verification 5 years ago			`package oss`

			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/md5"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/base64"`
			`"encoding/pem"`
			`"errors"`
			`"fmt"`
			`"io/ioutil"`
			`"net/http"`
			`"net/url"`
			`"strings"`
Comply with Golang semantic import versioning (#630) * Code: compatible with semantic import versioning * Tools & Docs: compatible with semantic import versioning * Clean go.mod & go.sum 4 years ago
			`"github.com/cloudreve/Cloudreve/v3/pkg/cache"`
			`"github.com/cloudreve/Cloudreve/v3/pkg/request"`
Test: oss callback signature verification 5 years ago			`)`

			`// GetPublicKey 从回调请求或缓存中获取OSS的回调签名公钥`
			`func GetPublicKey(r *http.Request) ([]byte, error) {`
			`var pubKey []byte`

			`// 尝试从缓存中获取`
			`pub, exist := cache.Get("oss_public_key")`
			`if exist {`
			`return pub.([]byte), nil`
			`}`

			`// 从请求中获取`
			`pubURL, err := base64.StdEncoding.DecodeString(r.Header.Get("x-oss-pub-key-url"))`
			`if err != nil {`
			`return pubKey, err`
			`}`

			`// 确保这个 public key 是由 OSS 颁发的`
			`if !strings.HasPrefix(string(pubURL), "http://gosspublic.alicdn.com/") &&`
			`!strings.HasPrefix(string(pubURL), "https://gosspublic.alicdn.com/") {`
i18n: logs in conf/crontab/email/fs.driver 2 years ago			`return pubKey, errors.New("public key url invalid")`
Test: oss callback signature verification 5 years ago			`}`

			`// 获取公钥`
Feat: aria2 download and transfer in slave node (#1040) * Feat: retrieve nodes from data table * Feat: master node ping slave node in REST API * Feat: master send scheduled ping request * Feat: inactive nodes recover loop * Modify: remove database operations from aria2 RPC caller implementation * Feat: init aria2 client in master node * Feat: Round Robin load balancer * Feat: create and monitor aria2 task in master node * Feat: salve receive and handle heartbeat * Fix: Node ID will be 0 in download record generated in older version * Feat: sign request headers with all `X-` prefix * Feat: API call to slave node will carry meta data in headers * Feat: call slave aria2 rpc method from master * Feat: get slave aria2 task status Feat: encode slave response data using gob * Feat: aria2 callback to master node / cancel or select task to slave node * Fix: use dummy aria2 client when caller initialize failed in master node * Feat: slave aria2 status event callback / salve RPC auth * Feat: prototype for slave driven filesystem * Feat: retry for init aria2 client in master node * Feat: init request client with global options * Feat: slave receive async task from master * Fix: competition write in request header * Refactor: dependency initialize order * Feat: generic message queue implementation * Feat: message queue implementation * Feat: master waiting slave transfer result * Feat: slave transfer file in stateless policy * Feat: slave transfer file in slave policy * Feat: slave transfer file in local policy * Feat: slave transfer file in OneDrive policy * Fix: failed to initialize update checker http client * Feat: list slave nodes for dashboard * Feat: test aria2 rpc connection in slave * Feat: add and save node * Feat: add and delete node in node pool * Fix: temp file cannot be removed when aria2 task fails * Fix: delete node in admin panel * Feat: edit node and get node info * Modify: delete unused settings 3 years ago			`client := request.NewClient()`
Test: oss callback signature verification 5 years ago			`body, err := client.Request("GET", string(pubURL), nil).`
			`CheckHTTPResponse(200).`
			`GetResponse()`
			`if err != nil {`
			`return pubKey, err`
			`}`

			`// 写入缓存`
			`_ = cache.Set("oss_public_key", []byte(body), 86400*7)`

			`return []byte(body), nil`
			`}`

			`func getRequestMD5(r *http.Request) ([]byte, error) {`
			`var byteMD5 []byte`

			`// 获取请求正文`
			`body, err := ioutil.ReadAll(r.Body)`
			`r.Body.Close()`
			`if err != nil {`
			`return byteMD5, err`
			`}`
			`r.Body = ioutil.NopCloser(bytes.NewReader(body))`

			`strURLPathDecode, err := url.PathUnescape(r.URL.Path)`
			`if err != nil {`
			`return byteMD5, err`
			`}`

			`strAuth := fmt.Sprintf("%s\n%s", strURLPathDecode, string(body))`
			`md5Ctx := md5.New()`
			`md5Ctx.Write([]byte(strAuth))`
			`byteMD5 = md5Ctx.Sum(nil)`

			`return byteMD5, nil`
			`}`

			`// VerifyCallbackSignature 验证OSS回调请求`
			`func VerifyCallbackSignature(r *http.Request) error {`
			`bytePublicKey, err := GetPublicKey(r)`
			`if err != nil {`
			`return err`
			`}`

			`byteMD5, err := getRequestMD5(r)`
			`if err != nil {`
			`return err`
			`}`

			`strAuthorizationBase64 := r.Header.Get("authorization")`
			`if strAuthorizationBase64 == "" {`
			`return errors.New("no authorization field in Request header")`
			`}`
			`authorization, _ := base64.StdEncoding.DecodeString(strAuthorizationBase64)`

			`pubBlock, _ := pem.Decode(bytePublicKey)`
			`if pubBlock == nil {`
			`return errors.New("pubBlock not exist")`
			`}`
			`pubInterface, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)`
			`if (pubInterface == nil) \|\| (err != nil) {`
			`return err`
			`}`
			`pub := pubInterface.(*rsa.PublicKey)`

			`errorVerifyPKCS1v15 := rsa.VerifyPKCS1v15(pub, crypto.MD5, byteMD5, authorization)`
			`if errorVerifyPKCS1v15 != nil {`
			`return errorVerifyPKCS1v15`
			`}`

			`return nil`
			`}`