Cloudreve/middleware/auth.go

341 lines
8.4 KiB
Go
Raw Normal View History

2019-11-12 15:34:54 +08:00
package middleware
import (
"github.com/cloudreve/Cloudreve/v3/pkg/filesystem"
"github.com/cloudreve/Cloudreve/v3/pkg/mq"
"net/http"
model "github.com/cloudreve/Cloudreve/v3/models"
"github.com/cloudreve/Cloudreve/v3/pkg/auth"
"github.com/cloudreve/Cloudreve/v3/pkg/cache"
"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
2019-11-12 15:34:54 +08:00
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
)
const (
CallbackFailedStatusCode = http.StatusUnauthorized
2019-11-12 15:34:54 +08:00
)
2019-12-10 17:10:34 +08:00
// SignRequired 验证请求签名
Feat: aria2 download and transfer in slave node (#1040) * Feat: retrieve nodes from data table * Feat: master node ping slave node in REST API * Feat: master send scheduled ping request * Feat: inactive nodes recover loop * Modify: remove database operations from aria2 RPC caller implementation * Feat: init aria2 client in master node * Feat: Round Robin load balancer * Feat: create and monitor aria2 task in master node * Feat: salve receive and handle heartbeat * Fix: Node ID will be 0 in download record generated in older version * Feat: sign request headers with all `X-` prefix * Feat: API call to slave node will carry meta data in headers * Feat: call slave aria2 rpc method from master * Feat: get slave aria2 task status Feat: encode slave response data using gob * Feat: aria2 callback to master node / cancel or select task to slave node * Fix: use dummy aria2 client when caller initialize failed in master node * Feat: slave aria2 status event callback / salve RPC auth * Feat: prototype for slave driven filesystem * Feat: retry for init aria2 client in master node * Feat: init request client with global options * Feat: slave receive async task from master * Fix: competition write in request header * Refactor: dependency initialize order * Feat: generic message queue implementation * Feat: message queue implementation * Feat: master waiting slave transfer result * Feat: slave transfer file in stateless policy * Feat: slave transfer file in slave policy * Feat: slave transfer file in local policy * Feat: slave transfer file in OneDrive policy * Fix: failed to initialize update checker http client * Feat: list slave nodes for dashboard * Feat: test aria2 rpc connection in slave * Feat: add and save node * Feat: add and delete node in node pool * Fix: temp file cannot be removed when aria2 task fails * Fix: delete node in admin panel * Feat: edit node and get node info * Modify: delete unused settings
2021-10-31 09:41:56 +08:00
func SignRequired(authInstance auth.Auth) gin.HandlerFunc {
2019-12-10 17:10:34 +08:00
return func(c *gin.Context) {
var err error
switch c.Request.Method {
Feat: aria2 download and transfer in slave node (#1040) * Feat: retrieve nodes from data table * Feat: master node ping slave node in REST API * Feat: master send scheduled ping request * Feat: inactive nodes recover loop * Modify: remove database operations from aria2 RPC caller implementation * Feat: init aria2 client in master node * Feat: Round Robin load balancer * Feat: create and monitor aria2 task in master node * Feat: salve receive and handle heartbeat * Fix: Node ID will be 0 in download record generated in older version * Feat: sign request headers with all `X-` prefix * Feat: API call to slave node will carry meta data in headers * Feat: call slave aria2 rpc method from master * Feat: get slave aria2 task status Feat: encode slave response data using gob * Feat: aria2 callback to master node / cancel or select task to slave node * Fix: use dummy aria2 client when caller initialize failed in master node * Feat: slave aria2 status event callback / salve RPC auth * Feat: prototype for slave driven filesystem * Feat: retry for init aria2 client in master node * Feat: init request client with global options * Feat: slave receive async task from master * Fix: competition write in request header * Refactor: dependency initialize order * Feat: generic message queue implementation * Feat: message queue implementation * Feat: master waiting slave transfer result * Feat: slave transfer file in stateless policy * Feat: slave transfer file in slave policy * Feat: slave transfer file in local policy * Feat: slave transfer file in OneDrive policy * Fix: failed to initialize update checker http client * Feat: list slave nodes for dashboard * Feat: test aria2 rpc connection in slave * Feat: add and save node * Feat: add and delete node in node pool * Fix: temp file cannot be removed when aria2 task fails * Fix: delete node in admin panel * Feat: edit node and get node info * Modify: delete unused settings
2021-10-31 09:41:56 +08:00
case "PUT", "POST", "PATCH":
err = auth.CheckRequest(authInstance, c.Request)
default:
Feat: aria2 download and transfer in slave node (#1040) * Feat: retrieve nodes from data table * Feat: master node ping slave node in REST API * Feat: master send scheduled ping request * Feat: inactive nodes recover loop * Modify: remove database operations from aria2 RPC caller implementation * Feat: init aria2 client in master node * Feat: Round Robin load balancer * Feat: create and monitor aria2 task in master node * Feat: salve receive and handle heartbeat * Fix: Node ID will be 0 in download record generated in older version * Feat: sign request headers with all `X-` prefix * Feat: API call to slave node will carry meta data in headers * Feat: call slave aria2 rpc method from master * Feat: get slave aria2 task status Feat: encode slave response data using gob * Feat: aria2 callback to master node / cancel or select task to slave node * Fix: use dummy aria2 client when caller initialize failed in master node * Feat: slave aria2 status event callback / salve RPC auth * Feat: prototype for slave driven filesystem * Feat: retry for init aria2 client in master node * Feat: init request client with global options * Feat: slave receive async task from master * Fix: competition write in request header * Refactor: dependency initialize order * Feat: generic message queue implementation * Feat: message queue implementation * Feat: master waiting slave transfer result * Feat: slave transfer file in stateless policy * Feat: slave transfer file in slave policy * Feat: slave transfer file in local policy * Feat: slave transfer file in OneDrive policy * Fix: failed to initialize update checker http client * Feat: list slave nodes for dashboard * Feat: test aria2 rpc connection in slave * Feat: add and save node * Feat: add and delete node in node pool * Fix: temp file cannot be removed when aria2 task fails * Fix: delete node in admin panel * Feat: edit node and get node info * Modify: delete unused settings
2021-10-31 09:41:56 +08:00
err = auth.CheckURI(authInstance, c.Request.URL)
}
2019-12-10 20:17:21 +08:00
if err != nil {
c.JSON(200, serializer.Err(serializer.CodeCredentialInvalid, err.Error(), err))
2019-12-10 20:17:21 +08:00
c.Abort()
return
2019-12-10 20:17:21 +08:00
}
2019-12-10 17:10:34 +08:00
c.Next()
}
}
2019-11-12 15:34:54 +08:00
// CurrentUser 获取登录用户
func CurrentUser() gin.HandlerFunc {
return func(c *gin.Context) {
session := sessions.Default(c)
uid := session.Get("user_id")
if uid != nil {
2020-02-15 14:02:21 +08:00
user, err := model.GetActiveUserByID(uid)
2019-11-12 15:34:54 +08:00
if err == nil {
c.Set("user", &user)
}
}
c.Next()
}
}
// AuthRequired 需要登录
func AuthRequired() gin.HandlerFunc {
return func(c *gin.Context) {
if user, _ := c.Get("user"); user != nil {
if _, ok := user.(*model.User); ok {
c.Next()
return
}
}
c.JSON(200, serializer.CheckLogin())
c.Abort()
}
}
// WebDAVAuth 验证WebDAV登录及权限
func WebDAVAuth() gin.HandlerFunc {
return func(c *gin.Context) {
// OPTIONS 请求不需要鉴权否则Windows10下无法保存文档
if c.Request.Method == "OPTIONS" {
c.Next()
return
}
username, password, ok := c.Request.BasicAuth()
if !ok {
c.Writer.Header()["WWW-Authenticate"] = []string{`Basic realm="cloudreve"`}
c.Status(http.StatusUnauthorized)
c.Abort()
return
}
expectedUser, err := model.GetActiveUserByEmail(username)
if err != nil {
c.Status(http.StatusUnauthorized)
c.Abort()
return
}
// 密码正确?
webdav, err := model.GetWebdavByPassword(password, expectedUser.ID)
if err != nil {
c.Status(http.StatusUnauthorized)
c.Abort()
return
}
// 用户组已启用WebDAV
if !expectedUser.Group.WebDAVEnabled {
c.Status(http.StatusForbidden)
c.Abort()
return
}
c.Set("user", &expectedUser)
c.Set("webdav", webdav)
c.Next()
}
}
// 对上传会话进行验证
func UseUploadSession(policyType string) gin.HandlerFunc {
return func(c *gin.Context) {
// 验证key并查找用户
resp := uploadCallbackCheck(c, policyType)
if resp.Code != 0 {
c.JSON(CallbackFailedStatusCode, resp)
c.Abort()
return
}
c.Next()
}
}
2020-01-15 10:14:15 +08:00
// uploadCallbackCheck 对上传回调请求的 callback key 进行验证,如果成功则返回上传用户
func uploadCallbackCheck(c *gin.Context, policyType string) serializer.Response {
2020-01-15 10:14:15 +08:00
// 验证 Callback Key
sessionID := c.Param("sessionID")
if sessionID == "" {
return serializer.ParamErr("Session ID 不能为空", nil)
2020-01-15 10:14:15 +08:00
}
callbackSessionRaw, exist := cache.Get(filesystem.UploadSessionCachePrefix + sessionID)
2020-01-15 10:14:15 +08:00
if !exist {
return serializer.ParamErr("上传会话不存在或已过期", nil)
2020-01-15 10:14:15 +08:00
}
2020-01-15 10:14:15 +08:00
callbackSession := callbackSessionRaw.(serializer.UploadSession)
c.Set(filesystem.UploadSessionCtx, &callbackSession)
if callbackSession.Policy.Type != policyType {
return serializer.Err(serializer.CodePolicyNotAllowed, "Policy not supported", nil)
}
2020-01-15 10:14:15 +08:00
// 清理回调会话
_ = cache.Deletes([]string{sessionID}, filesystem.UploadSessionCachePrefix)
2020-01-15 10:14:15 +08:00
// 查找用户
2020-02-15 14:02:21 +08:00
user, err := model.GetActiveUserByID(callbackSession.UID)
2020-01-15 10:14:15 +08:00
if err != nil {
return serializer.Err(serializer.CodeCheckLogin, "找不到用户", err)
2020-01-15 10:14:15 +08:00
}
c.Set(filesystem.UserCtx, &user)
return serializer.Response{}
2020-01-15 10:14:15 +08:00
}
// RemoteCallbackAuth 远程回调签名验证
func RemoteCallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
2020-01-15 10:14:15 +08:00
// 验证签名
session := c.MustGet(filesystem.UploadSessionCtx).(*serializer.UploadSession)
authInstance := auth.HMACAuth{SecretKey: []byte(session.Policy.SecretKey)}
2020-01-15 10:14:15 +08:00
if err := auth.CheckRequest(authInstance, c.Request); err != nil {
c.JSON(CallbackFailedStatusCode, serializer.Err(serializer.CodeCredentialInvalid, err.Error(), err))
c.Abort()
return
}
2020-01-15 10:14:15 +08:00
c.Next()
2020-01-15 10:14:15 +08:00
}
}
// QiniuCallbackAuth 七牛回调签名验证
func QiniuCallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
//// 验证key并查找用户
//resp, user := uploadCallbackCheck(c)
//if resp.Code != 0 {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: resp.Msg})
// c.Abort()
// return
//}
//
//// 验证回调是否来自qiniu
//mac := qbox.NewMac(user.Policy.AccessKey, user.Policy.SecretKey)
//ok, err := mac.VerifyCallback(c.Request)
//if err != nil {
// util.Log().Debug("无法验证回调请求,%s", err)
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: "无法验证回调请求"})
// c.Abort()
// return
//}
//if !ok {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: "回调签名无效"})
// c.Abort()
// return
//}
c.Next()
}
}
2020-01-16 13:36:13 +08:00
// OSSCallbackAuth 阿里云OSS回调签名验证
func OSSCallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
//// 验证key并查找用户
//resp, _ := uploadCallbackCheck(c)
//if resp.Code != 0 {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: resp.Msg})
// c.Abort()
// return
//}
//
//err := oss.VerifyCallbackSignature(c.Request)
//if err != nil {
// util.Log().Debug("回调签名验证失败,%s", err)
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: "回调签名验证失败"})
// c.Abort()
// return
//}
2020-01-16 13:36:13 +08:00
c.Next()
}
}
2020-01-18 10:40:03 +08:00
// UpyunCallbackAuth 又拍云回调签名验证
func UpyunCallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
//// 验证key并查找用户
//resp, user := uploadCallbackCheck(c)
//if resp.Code != 0 {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: resp.Msg})
// c.Abort()
// return
//}
//
//// 获取请求正文
//body, err := ioutil.ReadAll(c.Request.Body)
//c.Request.Body.Close()
//if err != nil {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: err.Error()})
// c.Abort()
// return
//}
//
//c.Request.Body = ioutil.NopCloser(bytes.NewReader(body))
//
//// 准备验证Upyun回调签名
//handler := upyun.Driver{Policy: &user.Policy}
//contentMD5 := c.Request.Header.Get("Content-Md5")
//date := c.Request.Header.Get("Date")
//actualSignature := c.Request.Header.Get("Authorization")
//
//// 计算正文MD5
//actualContentMD5 := fmt.Sprintf("%x", md5.Sum(body))
//if actualContentMD5 != contentMD5 {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: "MD5不一致"})
// c.Abort()
// return
//}
//
//// 计算理论签名
//signature := handler.Sign(context.Background(), []string{
// "POST",
// c.Request.URL.Path,
// date,
// contentMD5,
//})
//
//// 对比签名
//if signature != actualSignature {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: "鉴权失败"})
// c.Abort()
// return
//}
2020-01-18 10:40:03 +08:00
c.Next()
}
}
// OneDriveCallbackAuth OneDrive回调签名验证
func OneDriveCallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
// 发送回调结束信号
mq.GlobalMQ.Publish(c.Param("sessionID"), mq.Message{})
c.Next()
}
}
2020-01-23 12:38:32 +08:00
// COSCallbackAuth 腾讯云COS回调签名验证
// TODO 解耦 测试
func COSCallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
//// 验证key并查找用户
//resp, _ := uploadCallbackCheck(c)
//if resp.Code != 0 {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: resp.Msg})
// c.Abort()
// return
//}
2020-01-23 12:38:32 +08:00
c.Next()
}
}
2020-02-22 16:22:04 +08:00
// S3CallbackAuth Amazon S3回调签名验证
func S3CallbackAuth() gin.HandlerFunc {
return func(c *gin.Context) {
//// 验证key并查找用户
//resp, _ := uploadCallbackCheck(c)
//if resp.Code != 0 {
// c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: resp.Msg})
// c.Abort()
// return
//}
c.Next()
}
}
2020-02-22 16:22:04 +08:00
// IsAdmin 必须为管理员用户组
func IsAdmin() gin.HandlerFunc {
return func(c *gin.Context) {
user, _ := c.Get("user")
if user.(*model.User).Group.ID != 1 && user.(*model.User).ID != 1 {
2020-02-22 16:22:04 +08:00
c.JSON(200, serializer.Err(serializer.CodeAdminRequired, "您不是管理组成员", nil))
c.Abort()
return
}
c.Next()
}
}