Test: oss callback signature verification

pkg/filesystem/oss/callback.go

@@ -0,0 +1,116 @@
+package oss
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/md5"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"github.com/HFO4/cloudreve/pkg/cache"
+	"github.com/HFO4/cloudreve/pkg/request"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// GetPublicKey 从回调请求或缓存中获取OSS的回调签名公钥
+func GetPublicKey(r *http.Request) ([]byte, error) {
+	var pubKey []byte
+
+	// 尝试从缓存中获取
+	pub, exist := cache.Get("oss_public_key")
+	if exist {
+		return pub.([]byte), nil
+	}
+
+	// 从请求中获取
+	pubURL, err := base64.StdEncoding.DecodeString(r.Header.Get("x-oss-pub-key-url"))
+	if err != nil {
+		return pubKey, err
+	}
+
+	// 确保这个 public key 是由 OSS 颁发的
+	if !strings.HasPrefix(string(pubURL), "http://gosspublic.alicdn.com/") &&
+		!strings.HasPrefix(string(pubURL), "https://gosspublic.alicdn.com/") {
+		return pubKey, errors.New("公钥URL无效")
+	}
+
+	// 获取公钥
+	client := request.HTTPClient{}
+	body, err := client.Request("GET", string(pubURL), nil).
+		CheckHTTPResponse(200).
+		GetResponse()
+	if err != nil {
+		return pubKey, err
+	}
+
+	// 写入缓存
+	_ = cache.Set("oss_public_key", []byte(body), 86400*7)
+
+	return []byte(body), nil
+}
+
+func getRequestMD5(r *http.Request) ([]byte, error) {
+	var byteMD5 []byte
+
+	// 获取请求正文
+	body, err := ioutil.ReadAll(r.Body)
+	r.Body.Close()
+	if err != nil {
+		return byteMD5, err
+	}
+	r.Body = ioutil.NopCloser(bytes.NewReader(body))
+
+	strURLPathDecode, err := url.PathUnescape(r.URL.Path)
+	if err != nil {
+		return byteMD5, err
+	}
+
+	strAuth := fmt.Sprintf("%s\n%s", strURLPathDecode, string(body))
+	md5Ctx := md5.New()
+	md5Ctx.Write([]byte(strAuth))
+	byteMD5 = md5Ctx.Sum(nil)
+
+	return byteMD5, nil
+}
+
+// VerifyCallbackSignature 验证OSS回调请求
+func VerifyCallbackSignature(r *http.Request) error {
+	bytePublicKey, err := GetPublicKey(r)
+	if err != nil {
+		return err
+	}
+
+	byteMD5, err := getRequestMD5(r)
+	if err != nil {
+		return err
+	}
+
+	strAuthorizationBase64 := r.Header.Get("authorization")
+	if strAuthorizationBase64 == "" {
+		return errors.New("no authorization field in Request header")
+	}
+	authorization, _ := base64.StdEncoding.DecodeString(strAuthorizationBase64)
+
+	pubBlock, _ := pem.Decode(bytePublicKey)
+	if pubBlock == nil {
+		return errors.New("pubBlock not exist")
+	}
+	pubInterface, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)
+	if (pubInterface == nil) || (err != nil) {
+		return err
+	}
+	pub := pubInterface.(*rsa.PublicKey)
+
+	errorVerifyPKCS1v15 := rsa.VerifyPKCS1v15(pub, crypto.MD5, byteMD5, authorization)
+	if errorVerifyPKCS1v15 != nil {
+		return errorVerifyPKCS1v15
+	}
+
+	return nil
+}

pkg/filesystem/oss/callback_test.go

@@ -0,0 +1,192 @@
+package oss
+
+import (
+	"github.com/HFO4/cloudreve/pkg/cache"
+	"github.com/stretchr/testify/assert"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+func TestGetPublicKey(t *testing.T) {
+	asserts := assert.New(t)
+	testCases := []struct {
+		Request http.Request
+		ResNil  bool
+		Error   bool
+	}{
+		// Header解码失败
+		{
+			Request: http.Request{
+				Header: http.Header{
+					"X-Oss-Pub-Key-Url": {"中文"},
+				},
+			},
+			ResNil: true,
+			Error:  true,
+		},
+		// 公钥URL无效
+		{
+			Request: http.Request{
+				Header: http.Header{
+					"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9wb3JuaHViLmNvbQ=="},
+				},
+			},
+			ResNil: true,
+			Error:  true,
+		},
+		// 请求失败
+		{
+			Request: http.Request{
+				Header: http.Header{
+					"X-Oss-Pub-Key-Url": {"aHR0cDovL2dvc3NwdWJsaWMuYWxpY2RuLmNvbS8yMzQyMzQ="},
+				},
+			},
+			ResNil: true,
+			Error:  true,
+		},
+		// 成功
+		{
+			Request: http.Request{
+				Header: http.Header{
+					"X-Oss-Pub-Key-Url": {"aHR0cDovL2dvc3NwdWJsaWMuYWxpY2RuLmNvbS9jYWxsYmFja19wdWJfa2V5X3YxLnBlbQ=="},
+				},
+			},
+			ResNil: false,
+			Error:  false,
+		},
+	}
+
+	for i, testCase := range testCases {
+		asserts.NoError(cache.Deletes([]string{"oss_public_key"}, ""))
+		res, err := GetPublicKey(&testCase.Request)
+		if testCase.Error {
+			asserts.Error(err, "Test Case #%d", i)
+		} else {
+			asserts.NoError(err, "Test Case #%d", i)
+		}
+		if testCase.ResNil {
+			asserts.Empty(res, "Test Case #%d", i)
+		} else {
+			asserts.NotEmpty(res, "Test Case #%d", i)
+		}
+	}
+
+	// 测试缓存
+	asserts.NoError(cache.Set("oss_public_key", []byte("123"), 0))
+	res, err := GetPublicKey(nil)
+	asserts.NoError(err)
+	asserts.Equal([]byte("123"), res)
+}
+
+func TestVerifyCallbackSignature(t *testing.T) {
+	asserts := assert.New(t)
+	testPubKey := `-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKs/JBGzwUB2aVht4crBx3oIPBLNsjGs
+C0fTXv+nvlmklvkcolvpvXLTjaxUHR3W9LXxQ2EHXAJfCB+6H2YF1k8CAwEAAQ==
+-----END PUBLIC KEY-----
+`
+
+	// 成功
+	{
+		asserts.NoError(cache.Set("oss_public_key", []byte(testPubKey), 0))
+		r := http.Request{
+			URL: &url.URL{Path: "/api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH"},
+			Header: map[string][]string{
+				"Authorization":     {"e5LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw=="},
+				"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.NoError(VerifyCallbackSignature(&r))
+	}
+
+	// 签名错误
+	{
+		asserts.NoError(cache.Set("oss_public_key", []byte(testPubKey), 0))
+		r := http.Request{
+			URL: &url.URL{Path: "/api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH"},
+			Header: map[string][]string{
+				"Authorization":     {"e3LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw=="},
+				"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.Error(VerifyCallbackSignature(&r))
+	}
+
+	// GetPubKey 失败
+	{
+		asserts.NoError(cache.Deletes([]string{"oss_public_key"}, ""))
+		r := http.Request{
+			URL: &url.URL{Path: "/api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH"},
+			Header: map[string][]string{
+				"Authorization": {"e5LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw=="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.Error(VerifyCallbackSignature(&r))
+	}
+
+	// getRequestMD5 失败
+	{
+		asserts.NoError(cache.Set("oss_public_key", []byte(testPubKey), 0))
+		r := http.Request{
+			URL: &url.URL{Path: "%测试"},
+			Header: map[string][]string{
+				"Authorization":     {"e5LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw=="},
+				"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.Error(VerifyCallbackSignature(&r))
+	}
+
+	// 无 Authorization 头
+	{
+		asserts.NoError(cache.Set("oss_public_key", []byte(testPubKey), 0))
+		r := http.Request{
+			URL: &url.URL{Path: "/api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH"},
+			Header: map[string][]string{
+				"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.Error(VerifyCallbackSignature(&r))
+	}
+
+	// pub block 不存在
+	{
+		asserts.NoError(cache.Set("oss_public_key", []byte(""), 0))
+		r := http.Request{
+			URL: &url.URL{Path: "/api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH"},
+			Header: map[string][]string{
+				"Authorization":     {"e5LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw=="},
+				"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.Error(VerifyCallbackSignature(&r))
+	}
+
+	// ParsePKIXPublicKey出错
+	{
+		asserts.NoError(cache.Set("oss_public_key", []byte("-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----"), 0))
+		r := http.Request{
+			URL: &url.URL{Path: "/api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH"},
+			Header: map[string][]string{
+				"Authorization":     {"e5LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw=="},
+				"X-Oss-Pub-Key-Url": {"aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0="},
+			},
+			Body: ioutil.NopCloser(strings.NewReader(`{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}`)),
+		}
+		asserts.Error(VerifyCallbackSignature(&r))
+	}
+}
+
+///api/v3/callback/oss/TnXx5E5VyfJUyM1UdkdDu1rtnJ34EbmH
+//{"name":"2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","source_name":"1/1_hFRtDLgM_2f7b2ccf30e9270ea920f1ab8a4037a546a2f0d5.jpg","size":114020,"pic_info":"810,539"}
+// aHR0cHM6Ly9nb3NzcHVibGljLmFsaWNkbi5jb20vY2FsbGJhY2tfcHViX2tleV92MS5wZW0=
+// e5LwzwTkP9AFAItT4YzvdJOHd0Y0wqTMWhsV/h5SG90JYGAmMd+8LQyj96R+9qUfJWjMt6suuUh7LaOryR87Dw==