JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
914 Commits
3 Branches
118 MB
1210 Download
Tree: 602436fcc4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '602436fcc4'
${ noResults }
JCS-pub/client/internal/http/v1/aws_auth.go

aws_auth.go 9.4 kB
Raw Normal View History

增加aws鉴权
10 months ago
增加预签名接口
8 months ago
增加aws鉴权
10 months ago
Http接口加上版本标志
6 months ago
增加aws鉴权
10 months ago
Http接口加上版本标志
6 months ago
增加aws鉴权
10 months ago
Http接口加上版本标志
6 months ago
合并serve命令和mount命令;优化模块启动方式
7 months ago
增加aws鉴权
10 months ago
合并serve命令和mount命令;优化模块启动方式
7 months ago
增加aws鉴权
10 months ago
合并serve命令和mount命令;优化模块启动方式
7 months ago
增加aws鉴权
10 months ago
合并serve命令和mount命令;优化模块启动方式
7 months ago
增加aws鉴权
10 months ago
增加时间戳检查
8 months ago
增加aws鉴权
10 months ago
修复一些调试问题
7 months ago
增加aws鉴权
10 months ago
增加预签名接口
8 months ago
增加aws鉴权
10 months ago
修复一些调试问题
7 months ago
增加aws鉴权
10 months ago
合并serve命令和mount命令;优化模块启动方式
7 months ago
增加aws鉴权
10 months ago
增加时间戳检查
8 months ago
增加aws鉴权
10 months ago
修复一些调试问题
7 months ago
增加aws鉴权
10 months ago
增加预签名接口
8 months ago
增加aws鉴权
10 months ago
增加预签名接口
8 months ago
增加时间戳检查
8 months ago
增加通过ID下载文件的预签名接口
8 months ago
增加aws鉴权
10 months ago
增加预签名接口
8 months ago
合并serve命令和mount命令;优化模块启动方式
7 months ago
增加预签名接口
8 months ago
修复一些调试问题
7 months ago
增加预签名接口
8 months ago
增加通过ID下载文件的预签名接口
8 months ago
增加预签名接口
8 months ago
增加aws鉴权
10 months ago
增加预签名接口
8 months ago
增加aws鉴权
10 months ago
增加预签名接口
8 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321 
  1. package http

  2. 

  3. import (

  4. 	"bytes"

  5. 	"context"

  6. 	"crypto/sha256"

  7. 	"encoding/hex"

  8. 	"fmt"

  9. 	"io"

  10. 	"net/http"

  11. 	"strconv"

  12. 	"strings"

  13. 	"time"

  14. 

  15. 	"github.com/aws/aws-sdk-go-v2/aws"

  16. 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"

  17. 	"github.com/aws/aws-sdk-go-v2/credentials"

  18. 	"github.com/gin-gonic/gin"

  19. 	"gitlink.org.cn/cloudream/common/consts/errorcode"

  20. 	"gitlink.org.cn/cloudream/common/pkgs/logger"

  21. 	"gitlink.org.cn/cloudream/jcs-pub/client/internal/http/types"

  22. )

  23. 

  24. const (

  25. 	AuthRegion          = "any"

  26. 	AuthService         = "jcs"

  27. 	AuthorizationHeader = "Authorization"

  28. )

  29. 

  30. type AWSAuth struct {

  31. 	cfg    *types.Config

  32. 	cred   aws.Credentials

  33. 	signer *v4.Signer

  34. }

  35. 

  36. func NewAWSAuth(cfg *types.Config) *AWSAuth {

  37. 	auth := &AWSAuth{

  38. 		cfg: cfg,

  39. 	}

  40. 

  41. 	if cfg.AuthAccessKey != "" && cfg.AuthSecretKey != "" {

  42. 		prod := credentials.NewStaticCredentialsProvider(cfg.AuthAccessKey, cfg.AuthSecretKey, "")

  43. 		cred, _ := prod.Retrieve(context.TODO())

  44. 		auth.cred = cred

  45. 		auth.signer = v4.NewSigner()

  46. 	}

  47. 

  48. 	return auth

  49. }

  50. 

  51. func (a *AWSAuth) Auth(c *gin.Context) {

  52. 	if a.signer == nil {

  53. 		c.Next()

  54. 		return

  55. 	}

  56. 

  57. 	authorizationHeader := c.GetHeader(AuthorizationHeader)

  58. 	if authorizationHeader == "" {

  59. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "authorization header is missing"))

  60. 		return

  61. 	}

  62. 

  63. 	_, headers, reqSig, err := parseAuthorizationHeader(authorizationHeader)

  64. 	if err != nil {

  65. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "invalid Authorization header format"))

  66. 		return

  67. 	}

  68. 

  69. 	// 限制请求体大小

  70. 	rd := io.LimitReader(c.Request.Body, a.cfg.MaxBodySize)

  71. 	body, err := io.ReadAll(rd)

  72. 	if err != nil {

  73. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "read request body failed"))

  74. 		return

  75. 	}

  76. 

  77. 	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))

  78. 	if err != nil {

  79. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))

  80. 		return

  81. 	}

  82. 

  83. 	if time.Now().After(timestamp.Add(5 * time.Minute)) {

  84. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))

  85. 		return

  86. 	}

  87. 

  88. 	payloadHash := sha256.Sum256(body)

  89. 	hexPayloadHash := hex.EncodeToString(payloadHash[:])

  90. 

  91. 	// 构造验签用的请求

  92. 	verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)

  93. 	if err != nil {

  94. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, err.Error()))

  95. 		return

  96. 	}

  97. 	for _, h := range headers {

  98. 		if strings.EqualFold(h, "content-length") {

  99. 			verifyReq.ContentLength = c.Request.ContentLength

  100. 		} else if strings.EqualFold(h, "host") {

  101. 			verifyReq.Host = c.Request.Host

  102. 		} else {

  103. 			verifyReq.Header.Add(h, c.Request.Header.Get(h))

  104. 		}

  105. 	}

  106. 

  107. 	signer := v4.NewSigner()

  108. 	err = signer.SignHTTP(context.TODO(), a.cred, verifyReq, hexPayloadHash, AuthService, AuthRegion, timestamp)

  109. 	if err != nil {

  110. 		logger.Warnf("sign request: %v", err)

  111. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, "sign request failed"))

  112. 		return

  113. 	}

  114. 

  115. 	verifySig := getSignatureFromAWSHeader(verifyReq)

  116. 	if !strings.EqualFold(verifySig, reqSig) {

  117. 		logger.Warnf("signature mismatch, input header: %s, verify: %s", authorizationHeader, verifyReq.Header.Get(AuthorizationHeader))

  118. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))

  119. 		return

  120. 	}

  121. 

  122. 	c.Request.Body = io.NopCloser(bytes.NewReader(body))

  123. 

  124. 	c.Next()

  125. }

  126. 

  127. func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {

  128. 	if a.signer == nil {

  129. 		c.Next()

  130. 		return

  131. 	}

  132. 

  133. 	authorizationHeader := c.GetHeader(AuthorizationHeader)

  134. 	if authorizationHeader == "" {

  135. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "authorization header is missing"))

  136. 		return

  137. 	}

  138. 

  139. 	_, headers, reqSig, err := parseAuthorizationHeader(authorizationHeader)

  140. 	if err != nil {

  141. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "invalid Authorization header format"))

  142. 		return

  143. 	}

  144. 

  145. 	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))

  146. 	if err != nil {

  147. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))

  148. 		return

  149. 	}

  150. 

  151. 	if time.Now().After(timestamp.Add(5 * time.Minute)) {

  152. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))

  153. 		return

  154. 	}

  155. 

  156. 	// 构造验签用的请求

  157. 	verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)

  158. 	if err != nil {

  159. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, err.Error()))

  160. 		return

  161. 	}

  162. 	for _, h := range headers {

  163. 		if strings.EqualFold(h, "content-length") {

  164. 			verifyReq.ContentLength = c.Request.ContentLength

  165. 		} else if strings.EqualFold(h, "host") {

  166. 			verifyReq.Host = c.Request.Host

  167. 		} else {

  168. 			verifyReq.Header.Add(h, c.Request.Header.Get(h))

  169. 		}

  170. 	}

  171. 

  172. 	err = a.signer.SignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp)

  173. 

  174. 	if err != nil {

  175. 		logger.Warnf("sign request: %v", err)

  176. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, "sign request failed"))

  177. 		return

  178. 	}

  179. 

  180. 	verifySig := getSignatureFromAWSHeader(verifyReq)

  181. 	if !strings.EqualFold(verifySig, reqSig) {

  182. 		logger.Warnf("signature mismatch, input header: %s, verify: %s", authorizationHeader, verifySig)

  183. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))

  184. 		return

  185. 	}

  186. 

  187. 	c.Next()

  188. }

  189. 

  190. func (a *AWSAuth) PresignedAuth(c *gin.Context) {

  191. 	if a.signer == nil {

  192. 		c.Next()

  193. 		return

  194. 	}

  195. 

  196. 	query := c.Request.URL.Query()

  197. 

  198. 	signature := query.Get("X-Amz-Signature")

  199. 	query.Del("X-Amz-Signature")

  200. 	if signature == "" {

  201. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "missing X-Amz-Signature query parameter"))

  202. 		return

  203. 	}

  204. 

  205. 	// alg := c.Request.URL.Query().Get("X-Amz-Algorithm")

  206. 	// cred := c.Request.URL.Query().Get("X-Amz-Credential")

  207. 

  208. 	date := query.Get("X-Amz-Date")

  209. 	expiresStr := query.Get("X-Expires")

  210. 	expires, err := strconv.ParseInt(expiresStr, 10, 64)

  211. 	if err != nil {

  212. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Expires format"))

  213. 		return

  214. 	}

  215. 

  216. 	signedHeaders := strings.Split(query.Get("X-Amz-SignedHeaders"), ";")

  217. 

  218. 	c.Request.URL.RawQuery = query.Encode()

  219. 

  220. 	verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)

  221. 	if err != nil {

  222. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, err.Error()))

  223. 		return

  224. 	}

  225. 	for _, h := range signedHeaders {

  226. 		if strings.EqualFold(h, "content-length") {

  227. 			verifyReq.ContentLength = c.Request.ContentLength

  228. 		} else if strings.EqualFold(h, "host") {

  229. 			verifyReq.Host = c.Request.Host

  230. 		} else {

  231. 			verifyReq.Header.Add(h, c.Request.Header.Get(h))

  232. 		}

  233. 	}

  234. 

  235. 	timestamp, err := time.Parse("20060102T150405Z", date)

  236. 	if err != nil {

  237. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date format"))

  238. 		return

  239. 	}

  240. 

  241. 	if time.Now().After(timestamp.Add(time.Duration(expires) * time.Second)) {

  242. 		c.AbortWithStatusJSON(http.StatusUnauthorized, Failed(errorcode.Unauthorized, "request expired"))

  243. 		return

  244. 	}

  245. 

  246. 	signer := v4.NewSigner()

  247. 	uri, _, err := signer.PresignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp)

  248. 	if err != nil {

  249. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, "sign request failed"))

  250. 		return

  251. 	}

  252. 

  253. 	verifySig := getSignatureFromAWSQuery(uri)

  254. 	if !strings.EqualFold(verifySig, signature) {

  255. 		logger.Warnf("signature mismatch, input: %s, verify: %s", signature, verifySig)

  256. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))

  257. 		return

  258. 	}

  259. 

  260. 	c.Next()

  261. }

  262. 

  263. // 解析 Authorization 头部

  264. func parseAuthorizationHeader(authorizationHeader string) (string, []string, string, error) {

  265. 	if !strings.HasPrefix(authorizationHeader, "AWS4-HMAC-SHA256 ") {

  266. 		return "", nil, "", fmt.Errorf("invalid Authorization header format")

  267. 	}

  268. 

  269. 	authorizationHeader = strings.TrimPrefix(authorizationHeader, "AWS4-HMAC-SHA256")

  270. 

  271. 	parts := strings.Split(authorizationHeader, ",")

  272. 	if len(parts) != 3 {

  273. 		return "", nil, "", fmt.Errorf("invalid Authorization header format")

  274. 	}

  275. 

  276. 	var credential, signedHeaders, signature string

  277. 	for _, part := range parts {

  278. 		part = strings.TrimSpace(part)

  279. 

  280. 		if strings.HasPrefix(part, "Credential=") {

  281. 			credential = strings.TrimPrefix(part, "Credential=")

  282. 		}

  283. 		if strings.HasPrefix(part, "SignedHeaders=") {

  284. 			signedHeaders = strings.TrimPrefix(part, "SignedHeaders=")

  285. 		}

  286. 		if strings.HasPrefix(part, "Signature=") {

  287. 			signature = strings.TrimPrefix(part, "Signature=")

  288. 		}

  289. 	}

  290. 

  291. 	if credential == "" || signedHeaders == "" || signature == "" {

  292. 		return "", nil, "", fmt.Errorf("missing necessary parts in Authorization header")

  293. 	}

  294. 

  295. 	headers := strings.Split(signedHeaders, ";")

  296. 	return credential, headers, signature, nil

  297. }

  298. 

  299. func getSignatureFromAWSHeader(req *http.Request) string {

  300. 	auth := req.Header.Get(AuthorizationHeader)

  301. 	idx := strings.Index(auth, "Signature=")

  302. 	if idx == -1 {

  303. 		return ""

  304. 	}

  305. 

  306. 	return auth[idx+len("Signature="):]

  307. }

  308. 

  309. func getSignatureFromAWSQuery(uri string) string {

  310. 	idx := strings.Index(uri, "X-Amz-Signature=")

  311. 	if idx == -1 {

  312. 		return ""

  313. 	}

  314. 

  315. 	andIdx := strings.Index(uri[idx:], "&")

  316. 	if andIdx == -1 {

  317. 		return uri[idx+len("X-Amz-Signature="):]

  318. 	}

  319. 

  320. 	return uri[idx+len("X-Amz-Signature=") : andIdx]

  321. }

本项目旨在将云际存储公共基础设施化,使个人及企业可低门槛使用高效的云际存储服务(安装开箱即用云际存储客户端即可,无需关注其他组件的部署),同时支持用户灵活便捷定制云际存储的功能细节。