Modify: auth instance as first param in SignURI/Request

5 years ago · de4793aacb
parent b5ee3ee609
commit de4793aacb
7 changed files with 31 additions and 27 deletions
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -15,11 +15,11 @@ func SignRequired() gin.HandlerFunc {
 		var err error
 		switch c.Request.Method {
 		case "PUT", "POST":
-			err = auth.CheckRequest(c.Request)
+			err = auth.CheckRequest(auth.General, c.Request)
 			// TODO 生产环境去掉下一行
-			err = nil
+			//err = nil
 		default:
-			err = auth.CheckURI(c.Request.URL)
+			err = auth.CheckURI(auth.General, c.Request.URL)
 		}
 		if err != nil {
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -31,9 +31,9 @@ type Auth interface {
 // SignRequest 对PUT\POST等复杂HTTP请求签名，如果请求Header中
 // 包含 X-Policy， 则此请求会被认定为上传请求，只会对URI部分和
 // Policy部分进行签名。其他请求则会对URI和Body部分进行签名。
-func SignRequest(r *http.Request, expires int64) *http.Request {
+func SignRequest(instance Auth, r *http.Request, expires int64) *http.Request {
 	// 生成签名
-	sign := General.Sign(getSignContent(r), expires)
+	sign := instance.Sign(getSignContent(r), expires)
 	// 将签名加到请求Header中
 	r.Header["Authorization"] = []string{"Bearer " + sign}
@ -41,7 +41,7 @@ func SignRequest(r *http.Request, expires int64) *http.Request {
 }
 // CheckRequest 对复杂请求进行签名验证
-func CheckRequest(r *http.Request) error {
+func CheckRequest(instance Auth, r *http.Request) error {
 	var (
 		sign []string
 		ok   bool
@ -51,7 +51,7 @@ func CheckRequest(r *http.Request) error {
 	}
 	sign[0] = strings.TrimPrefix(sign[0], "Bearer ")
-	return General.Check(getSignContent(r), sign[0])
+	return instance.Check(getSignContent(r), sign[0])
 }
 // getSignContent 根据请求Header中是否包含X-Policy判断是否为上传请求，
@ -69,14 +69,14 @@ func getSignContent(r *http.Request) (rawSignString string) {
 }
 // SignURI 对URI进行签名,签名只针对Path部分，query部分不做验证
-func SignURI(uri string, expires int64) (*url.URL, error) {
+func SignURI(instance Auth, uri string, expires int64) (*url.URL, error) {
 	base, err := url.Parse(uri)
 	if err != nil {
 		return nil, err
 	}
 	// 生成签名
-	sign := General.Sign(base.Path, expires)
+	sign := instance.Sign(base.Path, expires)
 	// 将签名加到URI中
 	queries := base.Query()
@ -87,14 +87,14 @@ func SignURI(uri string, expires int64) (*url.URL, error) {
 }
 // CheckURI 对URI进行鉴权
-func CheckURI(url *url.URL) error {
+func CheckURI(instance Auth, url *url.URL) error {
 	//获取待验证的签名正文
 	queries := url.Query()
 	sign := queries.Get("sign")
 	queries.Del("sign")
 	url.RawQuery = queries.Encode()
-	return General.Check(url.Path, sign)
+	return instance.Check(url.Path, sign)
 }
 // Init 初始化通用鉴权器
--- a/pkg/auth/auth_test.go
+++ b/pkg/auth/auth_test.go
@ -16,7 +16,7 @@ func TestSignURI(t *testing.T) {
 	// 成功
 	{
-		sign, err := SignURI("/api/v3/something?id=1", 0)
+		sign, err := SignURI(General, "/api/v3/something?id=1", 0)
 		asserts.NoError(err)
 		queries := sign.Query()
 		asserts.Equal("1", queries.Get("id"))
@ -25,7 +25,7 @@ func TestSignURI(t *testing.T) {
 	// URI解码失败
 	{
-		sign, err := SignURI("://dg.;'f]gh./'", 0)
+		sign, err := SignURI(General, "://dg.;'f]gh./'", 0)
 		asserts.Error(err)
 		asserts.Nil(sign)
 	}
@ -37,16 +37,16 @@ func TestCheckURI(t *testing.T) {
 	// 成功
 	{
-		sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()+10)
+		sign, err := SignURI(General, "/api/ok?if=sdf&fd=go", time.Now().Unix()+10)
 		asserts.NoError(err)
-		asserts.NoError(CheckURI(sign))
+		asserts.NoError(CheckURI(General, sign))
 	}
 	// 过期
 	{
-		sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()-1)
+		sign, err := SignURI(General, "/api/ok?if=sdf&fd=go", time.Now().Unix()-1)
 		asserts.NoError(err)
-		asserts.Error(CheckURI(sign))
+		asserts.Error(CheckURI(General, sign))
 	}
 }
@ -58,7 +58,7 @@ func TestSignRequest(t *testing.T) {
 	{
 		req, err := http.NewRequest("POST", "http://127.0.0.1/api/v3/slave/upload", strings.NewReader("I am body."))
 		asserts.NoError(err)
-		req = SignRequest(req, 0)
+		req = SignRequest(General, req, 0)
 		asserts.NotEmpty(req.Header["Authorization"])
 	}
@ -71,7 +71,7 @@ func TestSignRequest(t *testing.T) {
 		)
 		asserts.NoError(err)
 		req.Header["X-Policy"] = []string{"I am Policy"}
-		req = SignRequest(req, 10)
+		req = SignRequest(General, req, 10)
 		asserts.NotEmpty(req.Header["Authorization"])
 	}
 }
@ -88,8 +88,8 @@ func TestCheckRequest(t *testing.T) {
 			strings.NewReader("I am body."),
 		)
 		asserts.NoError(err)
-		req = SignRequest(req, 0)
+		req = SignRequest(General, req, 0)
-		err = CheckRequest(req)
+		err = CheckRequest(General, req)
 		asserts.NoError(err)
 	}
@ -102,8 +102,8 @@ func TestCheckRequest(t *testing.T) {
 		)
 		asserts.NoError(err)
 		req.Header["X-Policy"] = []string{"I am Policy"}
-		req = SignRequest(req, 0)
+		req = SignRequest(General, req, 0)
-		err = CheckRequest(req)
+		err = CheckRequest(General, req)
 		asserts.NoError(err)
 	}
@ -115,9 +115,9 @@ func TestCheckRequest(t *testing.T) {
 			strings.NewReader("I am body."),
 		)
 		asserts.NoError(err)
-		req = SignRequest(req, 0)
+		req = SignRequest(General, req, 0)
 		req.Body = ioutil.NopCloser(strings.NewReader("2333"))
-		err = CheckRequest(req)
+		err = CheckRequest(General, req)
 		asserts.Error(err)
 	}
 }
--- a/pkg/conf/defaults.go
+++ b/pkg/conf/defaults.go
@ -41,7 +41,7 @@ var CORSConfig = &cors{
 	AllowOrigins:     []string{"UNSET"},
 	AllowMethods:     []string{"PUT", "POST", "GET", "OPTIONS"},
 	AllowHeaders:     []string{"Cookie", "Content-Length", "Content-Type", "X-Path", "X-FileName"},
-	AllowCredentials: true,
+	AllowCredentials: false,
 	ExposeHeaders:    nil,
 }
--- a/pkg/filesystem/local/handler.go
+++ b/pkg/filesystem/local/handler.go
@ -142,12 +142,14 @@ func (handler Handler) Source(
 		// 签名生成文件记录
 		signedURI, err = auth.SignURI(
 			auth.General,
 			fmt.Sprintf("/api/v3/file/download/%s", downloadSessionID),
 			expires,
 		)
 	} else {
 		// 签名生成文件记录
 		signedURI, err = auth.SignURI(
 			auth.General,
 			fmt.Sprintf("/api/v3/file/get/%d/%s", file.ID, file.Name),
 			expires,
 		)
--- a/pkg/filesystem/remote/handler.go
+++ b/pkg/filesystem/remote/handler.go
@ -79,7 +79,8 @@ func (handler Handler) Token(ctx context.Context, TTL int64, key string) (serial
 	uploadRequest.Header = map[string][]string{
 		"X-Policy": {policyEncoded},
 	}
-	auth.SignRequest(uploadRequest, time.Now().Unix()+TTL)
+	remoteAuth := auth.HMACAuth{SecretKey: []byte(handler.Policy.SecretKey)}
 	auth.SignRequest(remoteAuth, uploadRequest, time.Now().Unix()+TTL)
 	if credential, ok := uploadRequest.Header["Authorization"]; ok && len(credential) == 1 {
 		return serializer.UploadCredential{
--- a/service/explorer/objects.go
+++ b/service/explorer/objects.go
@ -66,6 +66,7 @@ func (service *ItemService) Archive(ctx context.Context, c *gin.Context) seriali
 		ttl = 30
 	}
 	signedURI, err := auth.SignURI(
 		auth.General,
 		fmt.Sprintf("/api/v3/file/archive/%s/archive.zip", zipID),
 		time.Now().Unix()+int64(ttl),
 	)