Test: remote callback auth

2019-12-30 19:56:01 +08:00 · 2019-12-30 19:56:01 +08:00 · eceee2fc76
commit eceee2fc76
parent 4a5782b4e5
3 changed files with 153 additions and 4 deletions
--- a/middleware/auth_test.go
+++ b/middleware/auth_test.go
@ -5,6 +5,8 @@ import (
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/HFO4/cloudreve/models"
 	"github.com/HFO4/cloudreve/pkg/auth"
 	"github.com/HFO4/cloudreve/pkg/cache"
 	"github.com/HFO4/cloudreve/pkg/serializer"
 	"github.com/HFO4/cloudreve/pkg/util"
 	"github.com/gin-gonic/gin"
 	"github.com/jinzhu/gorm"
@ -198,3 +200,145 @@ func TestWebDAVAuth(t *testing.T) {
 	}
 }
 func TestRemoteCallbackAuth(t *testing.T) {
 	asserts := assert.New(t)
 	rec := httptest.NewRecorder()
 	AuthFunc := RemoteCallbackAuth()
 	// 成功
 	{
 		cache.Set(
 			"callback_testCallBackRemote",
 			serializer.UploadSession{
 				UID:         1,
 				PolicyID:    2,
 				VirtualPath: "/",
 			},
 			0,
 		)
 		cache.Deletes([]string{"1"}, "policy_")
 		mock.ExpectQuery("SELECT(.+)users(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}).AddRow(1, 1))
 		mock.ExpectQuery("SELECT(.+)groups(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "policies"}).AddRow(1, "[2]"))
 		mock.ExpectQuery("SELECT(.+)policies(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "secret_key"}).AddRow(2, "123"))
 		c, _ := gin.CreateTestContext(rec)
 		c.Params = []gin.Param{
 			{"key", "testCallBackRemote"},
 		}
 		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
 		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
 		auth.SignRequest(authInstance, c.Request, 0)
 		AuthFunc(c)
 		asserts.NoError(mock.ExpectationsWereMet())
 		asserts.False(c.IsAborted())
 	}
 	// Callback Key 不存在
 	{
 		c, _ := gin.CreateTestContext(rec)
 		c.Params = []gin.Param{
 			{"key", "testCallBackRemote"},
 		}
 		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
 		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
 		auth.SignRequest(authInstance, c.Request, 0)
 		AuthFunc(c)
 		asserts.True(c.IsAborted())
 	}
 	// 用户不存在
 	{
 		cache.Set(
 			"callback_testCallBackRemote",
 			serializer.UploadSession{
 				UID:         1,
 				PolicyID:    2,
 				VirtualPath: "/",
 			},
 			0,
 		)
 		cache.Deletes([]string{"1"}, "policy_")
 		mock.ExpectQuery("SELECT(.+)users(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}))
 		c, _ := gin.CreateTestContext(rec)
 		c.Params = []gin.Param{
 			{"key", "testCallBackRemote"},
 		}
 		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
 		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
 		auth.SignRequest(authInstance, c.Request, 0)
 		AuthFunc(c)
 		asserts.NoError(mock.ExpectationsWereMet())
 		asserts.True(c.IsAborted())
 	}
 	// 存储策略不一致
 	{
 		cache.Set(
 			"callback_testCallBackRemote",
 			serializer.UploadSession{
 				UID:         1,
 				PolicyID:    2,
 				VirtualPath: "/",
 			},
 			0,
 		)
 		cache.Deletes([]string{"1"}, "policy_")
 		mock.ExpectQuery("SELECT(.+)users(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}).AddRow(1, 1))
 		mock.ExpectQuery("SELECT(.+)groups(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "policies"}).AddRow(1, "[3]"))
 		mock.ExpectQuery("SELECT(.+)policies(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "secret_key"}).AddRow(3, "123"))
 		c, _ := gin.CreateTestContext(rec)
 		c.Params = []gin.Param{
 			{"key", "testCallBackRemote"},
 		}
 		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
 		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
 		auth.SignRequest(authInstance, c.Request, 0)
 		AuthFunc(c)
 		asserts.NoError(mock.ExpectationsWereMet())
 		asserts.True(c.IsAborted())
 	}
 	// 签名错误
 	{
 		cache.Set(
 			"callback_testCallBackRemote",
 			serializer.UploadSession{
 				UID:         1,
 				PolicyID:    2,
 				VirtualPath: "/",
 			},
 			0,
 		)
 		cache.Deletes([]string{"1"}, "policy_")
 		mock.ExpectQuery("SELECT(.+)users(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}).AddRow(1, 1))
 		mock.ExpectQuery("SELECT(.+)groups(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "policies"}).AddRow(1, "[2]"))
 		mock.ExpectQuery("SELECT(.+)policies(.+)").
 			WillReturnRows(sqlmock.NewRows([]string{"id", "secret_key"}).AddRow(2, "123"))
 		c, _ := gin.CreateTestContext(rec)
 		c.Params = []gin.Param{
 			{"key", "testCallBackRemote"},
 		}
 		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
 		AuthFunc(c)
 		asserts.NoError(mock.ExpectationsWereMet())
 		asserts.True(c.IsAborted())
 	}
 	// Callback Key 为空
 	{
 		c, _ := gin.CreateTestContext(rec)
 		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote", nil)
 		AuthFunc(c)
 		asserts.True(c.IsAborted())
 	}
 }
--- a/models/user.go
+++ b/models/user.go
@ -177,7 +177,9 @@ func (user *User) AfterCreate(tx *gorm.DB) (err error) {
 // AfterFind 找到用户后的钩子
 func (user *User) AfterFind() (err error) {
 	// 解析用户设置到OptionsSerialized
-	err = json.Unmarshal([]byte(user.Options), &user.OptionsSerialized)
+	if user.Options != "" {
 		err = json.Unmarshal([]byte(user.Options), &user.OptionsSerialized)
 	}
 	// 预加载存储策略
 	user.Policy, _ = GetPolicyByID(user.GetPolicyID())
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -60,9 +60,12 @@ func getSignContent(r *http.Request) (rawSignString string) {
 	if policy, ok := r.Header["X-Policy"]; ok {
 		rawSignString = serializer.NewRequestSignString(r.URL.Path, policy[0], "")
 	} else {
-		body, _ := ioutil.ReadAll(r.Body)
+		var body = []byte{}
-		_ = r.Body.Close()
+		if r.Body != nil {
-		r.Body = ioutil.NopCloser(bytes.NewReader(body))
+			body, _ = ioutil.ReadAll(r.Body)
 			_ = r.Body.Close()
 			r.Body = ioutil.NopCloser(bytes.NewReader(body))
 		}
 		rawSignString = serializer.NewRequestSignString(r.URL.Path, "", string(body))
 	}
 	return rawSignString