Modify: auth instance as first param in SignURI/Request
parent
b5ee3ee609
commit
de4793aacb
7 changed files with 31 additions and 27 deletions
|
@ -15,11 +15,11 @@ func SignRequired() gin.HandlerFunc {
|
|||
var err error
|
||||
switch c.Request.Method {
|
||||
case "PUT", "POST":
|
||||
err = auth.CheckRequest(c.Request)
|
||||
err = auth.CheckRequest(auth.General, c.Request)
|
||||
// TODO 生产环境去掉下一行
|
||||
err = nil
|
||||
//err = nil
|
||||
default:
|
||||
err = auth.CheckURI(c.Request.URL)
|
||||
err = auth.CheckURI(auth.General, c.Request.URL)
|
||||
}
|
||||
|
||||
if err != nil {
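Review bot: As rendered, the PUT/POST branch still carries `// TODO 生产环境去掉下一行` followed by a commented-out `//err = nil`, so the override that threw away the result of `auth.CheckRequest` is one character away from coming back. Delete both lines instead of commenting one out, and add a middleware test that sends an unsigned POST and expects it to be rejected. Only `PUT` and `POST` reach `CheckRequest`; every other method falls to `default`, where `CheckURI` covers the path only, so a short comment saying that this split is intended would help the next reader. SignRequired's body starts and ends outside the hunk.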
|
||||
|
|
|
@ -31,9 +31,9 @@ type Auth interface {
|
|||
// SignRequest 对PUT\POST等复杂HTTP请求签名,如果请求Header中
|
||||
// 包含 X-Policy, 则此请求会被认定为上传请求,只会对URI部分和
|
||||
// Policy部分进行签名。其他请求则会对URI和Body部分进行签名。
|
||||
func SignRequest(r *http.Request, expires int64) *http.Request {
|
||||
func SignRequest(instance Auth, r *http.Request, expires int64) *http.Request {
|
||||
// 生成签名
|
||||
sign := General.Sign(getSignContent(r), expires)
|
||||
sign := instance.Sign(getSignContent(r), expires)
|
||||
|
||||
// 将签名加到请求Header中
|
||||
r.Header["Authorization"] = []string{"Bearer " + sign}
|
||||
|
@ -41,7 +41,7 @@ func SignRequest(r *http.Request, expires int64) *http.Request {
|
|||
}
|
||||
|
||||
// CheckRequest 对复杂请求进行签名验证
|
||||
func CheckRequest(r *http.Request) error {
|
||||
func CheckRequest(instance Auth, r *http.Request) error {
|
||||
var (
|
||||
sign []string
|
||||
ok bool
|
||||
|
@ -51,7 +51,7 @@ func CheckRequest(r *http.Request) error {
|
|||
}
|
||||
sign[0] = strings.TrimPrefix(sign[0], "Bearer ")
|
||||
|
||||
return General.Check(getSignContent(r), sign[0])
|
||||
return instance.Check(getSignContent(r), sign[0])
|
||||
}
|
||||
|
||||
// getSignContent 根据请求Header中是否包含X-Policy判断是否为上传请求,
|
||||
|
@ -69,14 +69,14 @@ func getSignContent(r *http.Request) (rawSignString string) {
|
|||
}
|
||||
|
||||
// SignURI 对URI进行签名,签名只针对Path部分,query部分不做验证
|
||||
func SignURI(uri string, expires int64) (*url.URL, error) {
|
||||
func SignURI(instance Auth, uri string, expires int64) (*url.URL, error) {
|
||||
base, err := url.Parse(uri)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// 生成签名
|
||||
sign := General.Sign(base.Path, expires)
|
||||
sign := instance.Sign(base.Path, expires)
|
||||
|
||||
// 将签名加到URI中
|
||||
queries := base.Query()
|
||||
|
@ -87,14 +87,14 @@ func SignURI(uri string, expires int64) (*url.URL, error) {
|
|||
}
|
||||
|
||||
// CheckURI 对URI进行鉴权
|
||||
func CheckURI(url *url.URL) error {
|
||||
func CheckURI(instance Auth, url *url.URL) error {
|
||||
//获取待验证的签名正文
|
||||
queries := url.Query()
|
||||
sign := queries.Get("sign")
|
||||
queries.Del("sign")
|
||||
url.RawQuery = queries.Encode()
|
||||
|
||||
return General.Check(url.Path, sign)
|
||||
return instance.Check(url.Path, sign)
|
||||
}
|
||||
|
||||
// Init 初始化通用鉴权器
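Review bot: `CheckURI` still validates `url.Path` alone after deleting `sign` from the query, so no query parameter is authenticated, and it rewrites `url.RawQuery` on the caller's URL (the middleware passes `c.Request.URL`). The doc comment should state both, for example `// CheckURI verifies the signature over url.Path only; query parameters are not covered and must not drive authorization decisions. It removes "sign" from url in place.` The doc comments on `SignRequest`, `CheckRequest`, `SignURI` and `CheckURI` also say nothing about the new `instance` parameter. Each needs a line saying that it supplies the key, must be non-nil, and must match the instance used on the other side of the sign/check pair. SignURI's body continues outside its hunk.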
|
||||
|
|
|
@ -16,7 +16,7 @@ func TestSignURI(t *testing.T) {
|
|||
|
||||
// 成功
|
||||
{
|
||||
sign, err := SignURI("/api/v3/something?id=1", 0)
|
||||
sign, err := SignURI(General, "/api/v3/something?id=1", 0)
|
||||
asserts.NoError(err)
|
||||
queries := sign.Query()
|
||||
asserts.Equal("1", queries.Get("id"))
|
||||
|
@ -25,7 +25,7 @@ func TestSignURI(t *testing.T) {
|
|||
|
||||
// URI解码失败
|
||||
{
|
||||
sign, err := SignURI("://dg.;'f]gh./'", 0)
|
||||
sign, err := SignURI(General, "://dg.;'f]gh./'", 0)
|
||||
asserts.Error(err)
|
||||
asserts.Nil(sign)
|
||||
}
|
||||
|
@ -37,16 +37,16 @@ func TestCheckURI(t *testing.T) {
|
|||
|
||||
// 成功
|
||||
{
|
||||
sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()+10)
|
||||
sign, err := SignURI(General, "/api/ok?if=sdf&fd=go", time.Now().Unix()+10)
|
||||
asserts.NoError(err)
|
||||
asserts.NoError(CheckURI(sign))
|
||||
asserts.NoError(CheckURI(General, sign))
|
||||
}
|
||||
|
||||
// 过期
|
||||
{
|
||||
sign, err := SignURI("/api/ok?if=sdf&fd=go", time.Now().Unix()-1)
|
||||
sign, err := SignURI(General, "/api/ok?if=sdf&fd=go", time.Now().Unix()-1)
|
||||
asserts.NoError(err)
|
||||
asserts.Error(CheckURI(sign))
|
||||
asserts.Error(CheckURI(General, sign))
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -58,7 +58,7 @@ func TestSignRequest(t *testing.T) {
|
|||
{
|
||||
req, err := http.NewRequest("POST", "http://127.0.0.1/api/v3/slave/upload", strings.NewReader("I am body."))
|
||||
asserts.NoError(err)
|
||||
req = SignRequest(req, 0)
|
||||
req = SignRequest(General, req, 0)
|
||||
asserts.NotEmpty(req.Header["Authorization"])
|
||||
}
|
||||
|
||||
|
@ -71,7 +71,7 @@ func TestSignRequest(t *testing.T) {
|
|||
)
|
||||
asserts.NoError(err)
|
||||
req.Header["X-Policy"] = []string{"I am Policy"}
|
||||
req = SignRequest(req, 10)
|
||||
req = SignRequest(General, req, 10)
|
||||
asserts.NotEmpty(req.Header["Authorization"])
|
||||
}
|
||||
}
|
||||
|
@ -88,8 +88,8 @@ func TestCheckRequest(t *testing.T) {
|
|||
strings.NewReader("I am body."),
|
||||
)
|
||||
asserts.NoError(err)
|
||||
req = SignRequest(req, 0)
|
||||
err = CheckRequest(req)
|
||||
req = SignRequest(General, req, 0)
|
||||
err = CheckRequest(General, req)
|
||||
asserts.NoError(err)
|
||||
}
|
||||
|
||||
|
@ -102,8 +102,8 @@ func TestCheckRequest(t *testing.T) {
|
|||
)
|
||||
asserts.NoError(err)
|
||||
req.Header["X-Policy"] = []string{"I am Policy"}
|
||||
req = SignRequest(req, 0)
|
||||
err = CheckRequest(req)
|
||||
req = SignRequest(General, req, 0)
|
||||
err = CheckRequest(General, req)
|
||||
asserts.NoError(err)
|
||||
}
|
||||
|
||||
|
@ -115,9 +115,9 @@ func TestCheckRequest(t *testing.T) {
|
|||
strings.NewReader("I am body."),
|
||||
)
|
||||
asserts.NoError(err)
|
||||
req = SignRequest(req, 0)
|
||||
req = SignRequest(General, req, 0)
|
||||
req.Body = ioutil.NopCloser(strings.NewReader("2333"))
|
||||
err = CheckRequest(req)
|
||||
err = CheckRequest(General, req)
|
||||
asserts.Error(err)
|
||||
}
|
||||
}
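Review bot: Every updated call passes `General` to both the signing and the checking side, so no test exercises the behaviour this commit introduces, namely that a signature made by one instance is rejected by another. Add a case to TestCheckRequest that signs with one key and verifies with a different one, e.g. `req = SignRequest(HMACAuth{SecretKey: []byte("key-a")}, req, 0)` followed by `asserts.Error(CheckRequest(HMACAuth{SecretKey: []byte("key-b")}, req))`. The same pair for `SignURI`/`CheckURI` would pin the URI path. The key values here are constructed samples.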
|
||||
|
|
|
@ -41,7 +41,7 @@ var CORSConfig = &cors{
|
|||
AllowOrigins: []string{"UNSET"},
|
||||
AllowMethods: []string{"PUT", "POST", "GET", "OPTIONS"},
|
||||
AllowHeaders: []string{"Cookie", "Content-Length", "Content-Type", "X-Path", "X-FileName"},
|
||||
AllowCredentials: true,
|
||||
AllowCredentials: false,
|
||||
ExposeHeaders: nil,
|
||||
}
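Review bot: `AllowCredentials` appears to change from `true` to `false` in this hunk (judged from print order, since the markers are lost in this rendering), yet the commit title does not mention it and the field has no comment. It is a security-relevant default and deserves its reason next to it, e.g. `// Credentials stay off by default; enable only together with an explicit AllowOrigins list, never a wildcard.` `AllowHeaders` still lists `Cookie` but neither `Authorization` nor `X-Policy`, the headers the signing code in this commit reads and writes, so confirm whether cross-origin signed uploads are expected to pass preflight.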
|
||||
|
||||
|
|
|
@ -142,12 +142,14 @@ func (handler Handler) Source(
|
|||
|
||||
// 签名生成文件记录
|
||||
signedURI, err = auth.SignURI(
|
||||
auth.General,
|
||||
fmt.Sprintf("/api/v3/file/download/%s", downloadSessionID),
|
||||
expires,
|
||||
)
|
||||
} else {
|
||||
// 签名生成文件记录
|
||||
signedURI, err = auth.SignURI(
|
||||
auth.General,
|
||||
fmt.Sprintf("/api/v3/file/get/%d/%s", file.ID, file.Name),
|
||||
expires,
|
||||
)
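Review bot: In the second `auth.SignURI` call, `file.Name` is formatted into the URI unescaped, and `SignURI` then runs `url.Parse` and signs only `base.Path`. A name containing `?` or `#` would end the path early, so the signature would cover a shorter path than the one intended, and a stray `%` can make the parse fail. Escape the segment before signing, `fmt.Sprintf("/api/v3/file/get/%d/%s", file.ID, url.PathEscape(file.Name))`, assuming `net/url` is imported in this file. Source's body starts and ends outside the hunk.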
|
||||
|
|
|
@ -79,7 +79,8 @@ func (handler Handler) Token(ctx context.Context, TTL int64, key string) (serial
|
|||
uploadRequest.Header = map[string][]string{
|
||||
"X-Policy": {policyEncoded},
|
||||
}
|
||||
auth.SignRequest(uploadRequest, time.Now().Unix()+TTL)
|
||||
remoteAuth := auth.HMACAuth{SecretKey: []byte(handler.Policy.SecretKey)}
|
||||
auth.SignRequest(remoteAuth, uploadRequest, time.Now().Unix()+TTL)
|
||||
|
||||
if credential, ok := uploadRequest.Header["Authorization"]; ok && len(credential) == 1 {
|
||||
return serializer.UploadCredential{
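Review bot: `auth.HMACAuth{SecretKey: []byte(handler.Policy.SecretKey)}` is built without checking that the policy actually has a key. With an empty `SecretKey` the upload credential would presumably be a MAC under an empty key, which gives the remote node nothing to authenticate. Return an error before signing when `len(handler.Policy.SecretKey) == 0`. A comment such as `// Sign with the policy's own key, not auth.General: the remote node verifies with this secret.` would also explain why this call site differs from the others. Token's body starts and ends outside the hunk.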
|
||||
|
|
|
@ -66,6 +66,7 @@ func (service *ItemService) Archive(ctx context.Context, c *gin.Context) seriali
|
|||
ttl = 30
|
||||
}
|
||||
signedURI, err := auth.SignURI(
|
||||
auth.General,
|
||||
fmt.Sprintf("/api/v3/file/archive/%s/archive.zip", zipID),
|
||||
time.Now().Unix()+int64(ttl),
|
||||
)
|
||||
|
|