JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
730 Commits
3 Branches
118 MB
1 Download
Tree: bd2069fbf0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bd2069fbf0'
${ noResults }
JCS-pub/client/internal/http/aws_auth.go

aws_auth.go 5.8 kB
Raw Normal View History

增加aws鉴权
10 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197 
  1. package http

  2. 

  3. import (

  4. 	"bytes"

  5. 	"context"

  6. 	"crypto/sha256"

  7. 	"encoding/hex"

  8. 	"fmt"

  9. 	"io"

  10. 	"net/http"

  11. 	"strings"

  12. 	"time"

  13. 

  14. 	"github.com/aws/aws-sdk-go-v2/aws"

  15. 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"

  16. 	"github.com/aws/aws-sdk-go-v2/credentials"

  17. 	"github.com/gin-gonic/gin"

  18. 	"gitlink.org.cn/cloudream/common/consts/errorcode"

  19. 	"gitlink.org.cn/cloudream/common/pkgs/logger"

  20. 	"gitlink.org.cn/cloudream/storage/client/internal/config"

  21. )

  22. 

  23. const (

  24. 	AuthRegion          = "any"

  25. 	AuthService         = "jcs"

  26. 	AuthorizationHeader = "Authorization"

  27. )

  28. 

  29. type AWSAuth struct {

  30. 	cred   aws.Credentials

  31. 	signer *v4.Signer

  32. }

  33. 

  34. func NewAWSAuth(accessKey string, secretKey string) (*AWSAuth, error) {

  35. 	prod := credentials.NewStaticCredentialsProvider(accessKey, secretKey, "")

  36. 	cred, err := prod.Retrieve(context.TODO())

  37. 	if err != nil {

  38. 		return nil, err

  39. 	}

  40. 

  41. 	return &AWSAuth{

  42. 		cred:   cred,

  43. 		signer: v4.NewSigner(),

  44. 	}, nil

  45. }

  46. 

  47. func (a *AWSAuth) Auth(c *gin.Context) {

  48. 	authorizationHeader := c.GetHeader(AuthorizationHeader)

  49. 	if authorizationHeader == "" {

  50. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "authorization header is missing"))

  51. 		return

  52. 	}

  53. 

  54. 	_, headers, reqSig, err := parseAuthorizationHeader(authorizationHeader)

  55. 	if err != nil {

  56. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "invalid Authorization header format"))

  57. 		return

  58. 	}

  59. 

  60. 	// 限制请求体大小

  61. 	rd := io.LimitReader(c.Request.Body, config.Cfg().MaxHTTPBodySize)

  62. 	body, err := io.ReadAll(rd)

  63. 	if err != nil {

  64. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "read request body failed"))

  65. 		return

  66. 	}

  67. 

  68. 	payloadHash := sha256.Sum256(body)

  69. 	hexPayloadHash := hex.EncodeToString(payloadHash[:])

  70. 

  71. 	// 构造验签用的请求

  72. 	verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)

  73. 	if err != nil {

  74. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, err.Error()))

  75. 		return

  76. 	}

  77. 	for _, h := range headers {

  78. 		verifyReq.Header.Add(h, c.Request.Header.Get(h))

  79. 	}

  80. 	verifyReq.Host = c.Request.Host

  81. 

  82. 	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))

  83. 	if err != nil {

  84. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))

  85. 		return

  86. 	}

  87. 

  88. 	signer := v4.NewSigner()

  89. 	err = signer.SignHTTP(context.TODO(), a.cred, verifyReq, hexPayloadHash, AuthService, AuthRegion, timestamp)

  90. 	if err != nil {

  91. 		logger.Warnf("sign request: %v", err)

  92. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, "sign request failed"))

  93. 		return

  94. 	}

  95. 

  96. 	verifySig := a.getSignature(verifyReq)

  97. 	if !strings.EqualFold(verifySig, reqSig) {

  98. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))

  99. 		return

  100. 	}

  101. 

  102. 	c.Request.Body = io.NopCloser(bytes.NewReader(body))

  103. 

  104. 	c.Next()

  105. }

  106. 

  107. func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {

  108. 	authorizationHeader := c.GetHeader(AuthorizationHeader)

  109. 	if authorizationHeader == "" {

  110. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "authorization header is missing"))

  111. 		return

  112. 	}

  113. 

  114. 	_, headers, reqSig, err := parseAuthorizationHeader(authorizationHeader)

  115. 	if err != nil {

  116. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.Unauthorized, "invalid Authorization header format"))

  117. 		return

  118. 	}

  119. 

  120. 	// 构造验签用的请求

  121. 	verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)

  122. 	if err != nil {

  123. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, err.Error()))

  124. 		return

  125. 	}

  126. 	for _, h := range headers {

  127. 		verifyReq.Header.Add(h, c.Request.Header.Get(h))

  128. 	}

  129. 	verifyReq.Host = c.Request.Host

  130. 

  131. 	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))

  132. 	if err != nil {

  133. 		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))

  134. 		return

  135. 	}

  136. 

  137. 	err = a.signer.SignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp)

  138. 	if err != nil {

  139. 		logger.Warnf("sign request: %v", err)

  140. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.OperationFailed, "sign request failed"))

  141. 		return

  142. 	}

  143. 

  144. 	verifySig := a.getSignature(verifyReq)

  145. 	if strings.EqualFold(verifySig, reqSig) {

  146. 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))

  147. 		return

  148. 	}

  149. 

  150. 	c.Next()

  151. }

  152. 

  153. // 解析 Authorization 头部

  154. func parseAuthorizationHeader(authorizationHeader string) (string, []string, string, error) {

  155. 	if !strings.HasPrefix(authorizationHeader, "AWS4-HMAC-SHA256 ") {

  156. 		return "", nil, "", fmt.Errorf("invalid Authorization header format")

  157. 	}

  158. 

  159. 	authorizationHeader = strings.TrimPrefix(authorizationHeader, "AWS4-HMAC-SHA256")

  160. 

  161. 	parts := strings.Split(authorizationHeader, ",")

  162. 	if len(parts) != 3 {

  163. 		return "", nil, "", fmt.Errorf("invalid Authorization header format")

  164. 	}

  165. 

  166. 	var credential, signedHeaders, signature string

  167. 	for _, part := range parts {

  168. 		part = strings.TrimSpace(part)

  169. 

  170. 		if strings.HasPrefix(part, "Credential=") {

  171. 			credential = strings.TrimPrefix(part, "Credential=")

  172. 		}

  173. 		if strings.HasPrefix(part, "SignedHeaders=") {

  174. 			signedHeaders = strings.TrimPrefix(part, "SignedHeaders=")

  175. 		}

  176. 		if strings.HasPrefix(part, "Signature=") {

  177. 			signature = strings.TrimPrefix(part, "Signature=")

  178. 		}

  179. 	}

  180. 

  181. 	if credential == "" || signedHeaders == "" || signature == "" {

  182. 		return "", nil, "", fmt.Errorf("missing necessary parts in Authorization header")

  183. 	}

  184. 

  185. 	headers := strings.Split(signedHeaders, ";")

  186. 	return credential, headers, signature, nil

  187. }

  188. 

  189. func (a *AWSAuth) getSignature(req *http.Request) string {

  190. 	auth := req.Header.Get(AuthorizationHeader)

  191. 	idx := strings.Index(auth, "Signature=")

  192. 	if idx == -1 {

  193. 		return ""

  194. 	}

  195. 

  196. 	return auth[idx+len("Signature="):]

  197. }

本项目旨在将云际存储公共基础设施化,使个人及企业可低门槛使用高效的云际存储服务(安装开箱即用云际存储客户端即可,无需关注其他组件的部署),同时支持用户灵活便捷定制云际存储的功能细节。