2019-11-12 15:34:54 +08:00
|
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2020-06-05 14:45:24 +08:00
|
|
|
|
"net/http"
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/application/dependency"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/ent"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/inventory"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/inventory/types"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/filemanager/driver/oss"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/filemanager/fs"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/filemanager/manager"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/logging"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/request"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/util"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/auth"
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/serializer"
|
2019-11-12 15:34:54 +08:00
|
|
|
|
"github.com/gin-gonic/gin"
|
2022-03-03 19:17:25 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
|
CallbackFailedStatusCode = http.StatusUnauthorized
|
2019-11-12 15:34:54 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
2019-12-10 17:10:34 +08:00
|
|
|
|
// SignRequired 验证请求签名
|
2021-10-31 09:41:56 +08:00
|
|
|
|
func SignRequired(authInstance auth.Auth) gin.HandlerFunc {
|
2019-12-10 17:10:34 +08:00
|
|
|
|
return func(c *gin.Context) {
|
2019-12-24 11:42:23 +08:00
|
|
|
|
var err error
|
|
|
|
|
|
switch c.Request.Method {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
case http.MethodPut, http.MethodPost, http.MethodPatch:
|
|
|
|
|
|
err = auth.CheckRequest(c, authInstance, c.Request)
|
2019-12-24 11:42:23 +08:00
|
|
|
|
default:
|
2025-04-20 17:31:25 +08:00
|
|
|
|
err = auth.CheckURI(c, authInstance, c.Request.URL)
|
2019-12-24 11:42:23 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-12-10 20:17:21 +08:00
|
|
|
|
if err != nil {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
c.JSON(200, serializer.ErrWithDetails(c, serializer.CodeCredentialInvalid, err.Error(), err))
|
2019-12-10 20:17:21 +08:00
|
|
|
|
c.Abort()
|
2019-12-30 19:08:38 +08:00
|
|
|
|
return
|
2019-12-10 20:17:21 +08:00
|
|
|
|
}
|
2021-11-08 19:54:26 +08:00
|
|
|
|
|
2019-12-10 17:10:34 +08:00
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-12 15:34:54 +08:00
|
|
|
|
// CurrentUser 获取登录用户
|
|
|
|
|
|
func CurrentUser() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
dep := dependency.FromContext(c)
|
|
|
|
|
|
shouldContinue, err := dep.TokenAuth().VerifyAndRetrieveUser(c)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.JSON(200, serializer.Err(c, err))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if shouldContinue {
|
|
|
|
|
|
// TODO: Logto handler
|
2019-11-12 15:34:54 +08:00
|
|
|
|
}
|
2025-04-20 17:31:25 +08:00
|
|
|
|
|
|
|
|
|
|
uid := inventory.UserIDFromContext(c)
|
|
|
|
|
|
if err := SetUserCtx(c, uid); err != nil {
|
|
|
|
|
|
c.JSON(200, serializer.Err(c, err))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-12 15:34:54 +08:00
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
// SetUserCtx set the current login user via uid
|
|
|
|
|
|
func SetUserCtx(c *gin.Context, uid int) error {
|
|
|
|
|
|
dep := dependency.FromContext(c)
|
|
|
|
|
|
userClient := dep.UserClient()
|
|
|
|
|
|
loginUser, err := userClient.GetLoginUserByID(c, uid)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return serializer.NewError(serializer.CodeDBError, "failed to get login user", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
SetUserCtxByUser(c, loginUser)
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func SetUserCtxByUser(c *gin.Context, user *ent.User) {
|
|
|
|
|
|
util.WithValue(c, inventory.UserCtx{}, user)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// LoginRequired 需要登录
|
|
|
|
|
|
func LoginRequired() gin.HandlerFunc {
|
2019-11-12 15:34:54 +08:00
|
|
|
|
return func(c *gin.Context) {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
if u := inventory.UserFromContext(c); u != nil && !inventory.IsAnonymousUser(u) {
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
return
|
2019-11-12 15:34:54 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
c.JSON(200, serializer.ErrWithDetails(c, serializer.CodeCheckLogin, "Login required", nil))
|
2019-11-12 15:34:54 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2019-12-21 18:32:13 +08:00
|
|
|
|
|
|
|
|
|
|
// WebDAVAuth 验证WebDAV登录及权限
|
|
|
|
|
|
func WebDAVAuth() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
username, password, ok := c.Request.BasicAuth()
|
|
|
|
|
|
if !ok {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
// OPTIONS 请求不需要鉴权
|
|
|
|
|
|
if c.Request.Method == http.MethodOptions {
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
2019-12-21 18:32:13 +08:00
|
|
|
|
c.Writer.Header()["WWW-Authenticate"] = []string{`Basic realm="cloudreve"`}
|
|
|
|
|
|
c.Status(http.StatusUnauthorized)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
dep := dependency.FromContext(c)
|
|
|
|
|
|
l := dep.Logger()
|
|
|
|
|
|
userClient := dep.UserClient()
|
|
|
|
|
|
expectedUser, err := userClient.GetActiveByDavAccount(c, username, password)
|
2019-12-21 18:32:13 +08:00
|
|
|
|
if err != nil {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
if username == "" {
|
|
|
|
|
|
if u, err := userClient.GetByEmail(c, username); err == nil {
|
|
|
|
|
|
// Try login with known user but incorrect password, record audit log
|
|
|
|
|
|
SetUserCtxByUser(c, u)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
l.Debug("WebDAVAuth: failed to get user %q with provided credential: %s", username, err)
|
2019-12-21 18:32:13 +08:00
|
|
|
|
c.Status(http.StatusUnauthorized)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
// Validate dav account
|
|
|
|
|
|
accounts, err := expectedUser.Edges.DavAccountsOrErr()
|
|
|
|
|
|
if err != nil || len(accounts) == 0 {
|
|
|
|
|
|
l.Debug("WebDAVAuth: failed to get user dav accounts %q with provided credential: %s", username, err)
|
2019-12-21 18:32:13 +08:00
|
|
|
|
c.Status(http.StatusUnauthorized)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 用户组已启用WebDAV?
|
2025-04-20 17:31:25 +08:00
|
|
|
|
group, err := expectedUser.Edges.GroupOrErr()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
l.Debug("WebDAVAuth: user group not found: %s", err)
|
|
|
|
|
|
c.Status(http.StatusInternalServerError)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if !group.Permissions.Enabled(int(types.GroupPermissionWebDAV)) {
|
2019-12-21 18:32:13 +08:00
|
|
|
|
c.Status(http.StatusForbidden)
|
2025-04-20 17:31:25 +08:00
|
|
|
|
l.Debug("WebDAVAuth: user %q does not have WebDAV permission.", expectedUser.Email)
|
2019-12-21 18:32:13 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
// 检查是否只读
|
|
|
|
|
|
if expectedUser.Edges.DavAccounts[0].Options.Enabled(int(types.DavAccountReadOnly)) {
|
|
|
|
|
|
switch c.Request.Method {
|
|
|
|
|
|
case http.MethodDelete, http.MethodPut, "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK":
|
|
|
|
|
|
c.Status(http.StatusForbidden)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
2023-07-29 08:53:26 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
SetUserCtxByUser(c, expectedUser)
|
2019-12-21 18:32:13 +08:00
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2019-12-30 19:08:38 +08:00
|
|
|
|
|
2022-03-03 19:17:25 +08:00
|
|
|
|
// 对上传会话进行验证
|
2025-04-20 17:31:25 +08:00
|
|
|
|
func UseUploadSession(policyType types.PolicyType) gin.HandlerFunc {
|
2022-03-03 19:17:25 +08:00
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
// 验证key并查找用户
|
2025-04-20 17:31:25 +08:00
|
|
|
|
err := uploadCallbackCheck(c, policyType)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.JSON(CallbackFailedStatusCode, serializer.Err(c, err))
|
2022-03-03 19:17:25 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-01-15 10:14:15 +08:00
|
|
|
|
// uploadCallbackCheck 对上传回调请求的 callback key 进行验证,如果成功则返回上传用户
|
2025-04-20 17:31:25 +08:00
|
|
|
|
func uploadCallbackCheck(c *gin.Context, policyType types.PolicyType) error {
|
2020-01-15 10:14:15 +08:00
|
|
|
|
// 验证 Callback Key
|
2022-03-03 19:17:25 +08:00
|
|
|
|
sessionID := c.Param("sessionID")
|
|
|
|
|
|
if sessionID == "" {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
return serializer.NewError(serializer.CodeParamErr, "Session ID cannot be empty", nil)
|
2020-01-15 10:14:15 +08:00
|
|
|
|
}
|
2022-03-03 19:17:25 +08:00
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
dep := dependency.FromContext(c)
|
|
|
|
|
|
callbackSessionRaw, exist := dep.KV().Get(manager.UploadSessionCachePrefix + sessionID)
|
2020-01-15 10:14:15 +08:00
|
|
|
|
if !exist {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
return serializer.NewError(serializer.CodeUploadSessionExpired, "Upload session does not exist or expired", nil)
|
2020-01-15 10:14:15 +08:00
|
|
|
|
}
|
2022-03-03 19:17:25 +08:00
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
callbackSession := callbackSessionRaw.(fs.UploadSession)
|
|
|
|
|
|
c.Set(manager.UploadSessionCtx, &callbackSession)
|
|
|
|
|
|
if callbackSession.Policy.Type != string(policyType) {
|
|
|
|
|
|
return serializer.NewError(serializer.CodePolicyNotAllowed, "", nil)
|
2022-03-03 19:17:25 +08:00
|
|
|
|
}
|
2020-01-15 10:14:15 +08:00
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
if err := SetUserCtx(c, callbackSession.UID); err != nil {
|
|
|
|
|
|
return err
|
2020-01-15 10:14:15 +08:00
|
|
|
|
}
|
2025-04-20 17:31:25 +08:00
|
|
|
|
|
|
|
|
|
|
return nil
|
2020-01-15 10:14:15 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-12-30 19:08:38 +08:00
|
|
|
|
// RemoteCallbackAuth 远程回调签名验证
|
|
|
|
|
|
func RemoteCallbackAuth() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2020-01-15 10:14:15 +08:00
|
|
|
|
// 验证签名
|
2025-04-20 17:31:25 +08:00
|
|
|
|
session := c.MustGet(manager.UploadSessionCtx).(*fs.UploadSession)
|
|
|
|
|
|
if session.Policy.Edges.Node == nil {
|
|
|
|
|
|
c.JSON(CallbackFailedStatusCode, serializer.ErrWithDetails(c, serializer.CodeCredentialInvalid, "Node not found", nil))
|
2022-03-20 11:26:26 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
2022-03-23 20:05:10 +08:00
|
|
|
|
|
2025-04-20 17:31:25 +08:00
|
|
|
|
authInstance := auth.HMACAuth{SecretKey: []byte(session.Policy.Edges.Node.SlaveKey)}
|
|
|
|
|
|
if err := auth.CheckRequest(c, authInstance, c.Request); err != nil {
|
|
|
|
|
|
c.JSON(CallbackFailedStatusCode, serializer.ErrWithDetails(c, serializer.CodeCredentialInvalid, err.Error(), err))
|
2022-03-20 11:26:26 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
2019-12-30 19:08:38 +08:00
|
|
|
|
|
|
|
|
|
|
c.Next()
|
2025-04-20 17:31:25 +08:00
|
|
|
|
|
2019-12-30 19:08:38 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2020-01-16 13:36:13 +08:00
|
|
|
|
|
|
|
|
|
|
// OSSCallbackAuth 阿里云OSS回调签名验证
|
|
|
|
|
|
func OSSCallbackAuth() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
dep := dependency.FromContext(c)
|
|
|
|
|
|
err := oss.VerifyCallbackSignature(c.Request, dep.KV(), dep.RequestClient(
|
|
|
|
|
|
request.WithContext(c),
|
|
|
|
|
|
request.WithLogger(logging.FromContext(c)),
|
|
|
|
|
|
))
|
2022-03-20 11:23:55 +08:00
|
|
|
|
if err != nil {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
dep.Logger().Debug("Failed to verify callback request: %s", err)
|
2022-09-29 17:39:48 +08:00
|
|
|
|
c.JSON(401, serializer.GeneralUploadCallbackFailed{Error: "Failed to verify callback request."})
|
2022-03-20 11:23:55 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
2020-01-16 13:36:13 +08:00
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2020-01-18 10:40:03 +08:00
|
|
|
|
|
2020-02-22 16:22:04 +08:00
|
|
|
|
// IsAdmin 必须为管理员用户组
|
|
|
|
|
|
func IsAdmin() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2025-04-20 17:31:25 +08:00
|
|
|
|
user := inventory.UserFromContext(c)
|
|
|
|
|
|
if !user.Edges.Group.Permissions.Enabled(int(types.GroupPermissionIsAdmin)) {
|
|
|
|
|
|
c.JSON(200, serializer.ErrWithDetails(c, serializer.CodeNoPermissionErr, "", nil))
|
2020-02-22 16:22:04 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
