JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
943 Commits
3 Branches
118 MB
1 Download
Tree: 72eecbe356
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '72eecbe356'
${ noResults }
JCS-pub/client/internal/http/auth/auth.go

auth.go 2.1 kB
Raw Normal View History

客户端鉴权改为证书
5 months ago
调试签名校验接口
4 months ago
客户端鉴权改为证书
5 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. package auth

  2. 

  3. import (

  4. 	"crypto/tls"

  5. 

  6. 	"github.com/gin-gonic/gin"

  7. 	"gitlink.org.cn/cloudream/common/pkgs/logger"

  8. 	"gitlink.org.cn/cloudream/jcs-pub/client/internal/http/types"

  9. 	"gitlink.org.cn/cloudream/jcs-pub/client/sdk/signer"

  10. 	"gitlink.org.cn/cloudream/jcs-pub/common/ecode"

  11. )

  12. 

  13. const (

  14. 	ClientInternalSNI = "client.jcs-pub.internal"

  15. )

  16. 

  17. type Auth struct {

  18. 	cfg *types.Config

  19. }

  20. 

  21. func New(cfg *types.Config) *Auth {

  22. 	return &Auth{

  23. 		cfg: cfg,

  24. 	}

  25. }

  26. 

  27. func (a *Auth) TLSConfigSelector(hello *tls.ClientHelloInfo) (*tls.Config, error) {

  28. 	switch hello.ServerName {

  29. 	case ClientInternalSNI:

  30. 		return &tls.Config{

  31. 			Certificates: []tls.Certificate{a.cfg.ServerCert},

  32. 			ClientAuth:   tls.RequireAndVerifyClientCert,

  33. 			ClientCAs:    a.cfg.RootCA,

  34. 			NextProtos:   []string{"h2", "http/1.1"},

  35. 		}, nil

  36. 

  37. 	default:

  38. 		return &tls.Config{

  39. 			Certificates: []tls.Certificate{a.cfg.ServerCert},

  40. 			ClientAuth:   tls.NoClientCert,

  41. 			NextProtos:   []string{"h2", "http/1.1"},

  42. 		}, nil

  43. 	}

  44. }

  45. 

  46. func (a *Auth) RejectNoCertAuth(c *gin.Context) {

  47. 	if c.Request.TLS == nil || c.Request.TLS.ServerName != ClientInternalSNI {

  48. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, "must provide client certificate"))

  49. 		return

  50. 	}

  51. 

  52. 	c.Next()

  53. }

  54. 

  55. func (a *Auth) Presigned(c *gin.Context) {

  56. 	log := logger.WithField("HTTP", "Auth")

  57. 

  58. 	accID := signer.GetAccessKeyID(c.Request.URL)

  59. 	if accID == "" {

  60. 		log.Warn("access key id not found in query string")

  61. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, "access key id not found in query string"))

  62. 		return

  63. 	}

  64. 

  65. 	cliCert := a.cfg.ClientCerts[accID]

  66. 	if cliCert == nil {

  67. 		log.Warnf("client cert not found for access key id %s", accID)

  68. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, "client cert not found for access key id %s", accID))

  69. 		return

  70. 	}

  71. 	c.Request.URL.Host = c.Request.Host

  72. 

  73. 	err := signer.VerifyPresigned(cliCert.VerifyKey, c.Request.Method, c.Request.URL)

  74. 	if err != nil {

  75. 		log.Warn(err.Error())

  76. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, err.Error()))

  77. 		return

  78. 	}

  79. 

  80. 	c.Next()

  81. }

本项目旨在将云际存储公共基础设施化,使个人及企业可低门槛使用高效的云际存储服务(安装开箱即用云际存储客户端即可,无需关注其他组件的部署),同时支持用户灵活便捷定制云际存储的功能细节。