Test: remote callback auth

middleware/auth_test.go

@@ -5,6 +5,8 @@ import (
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/HFO4/cloudreve/models"
 	"github.com/HFO4/cloudreve/pkg/auth"
+	"github.com/HFO4/cloudreve/pkg/cache"
+	"github.com/HFO4/cloudreve/pkg/serializer"
 	"github.com/HFO4/cloudreve/pkg/util"
 	"github.com/gin-gonic/gin"
 	"github.com/jinzhu/gorm"
@@ -198,3 +200,145 @@ func TestWebDAVAuth(t *testing.T) {
 	}
 
 }
+
+func TestRemoteCallbackAuth(t *testing.T) {
+	asserts := assert.New(t)
+	rec := httptest.NewRecorder()
+	AuthFunc := RemoteCallbackAuth()
+
+	// 成功
+	{
+		cache.Set(
+			"callback_testCallBackRemote",
+			serializer.UploadSession{
+				UID:         1,
+				PolicyID:    2,
+				VirtualPath: "/",
+			},
+			0,
+		)
+		cache.Deletes([]string{"1"}, "policy_")
+		mock.ExpectQuery("SELECT(.+)users(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}).AddRow(1, 1))
+		mock.ExpectQuery("SELECT(.+)groups(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "policies"}).AddRow(1, "[2]"))
+		mock.ExpectQuery("SELECT(.+)policies(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "secret_key"}).AddRow(2, "123"))
+		c, _ := gin.CreateTestContext(rec)
+		c.Params = []gin.Param{
+			{"key", "testCallBackRemote"},
+		}
+		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
+		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
+		auth.SignRequest(authInstance, c.Request, 0)
+		AuthFunc(c)
+		asserts.NoError(mock.ExpectationsWereMet())
+		asserts.False(c.IsAborted())
+	}
+
+	// Callback Key 不存在
+	{
+
+		c, _ := gin.CreateTestContext(rec)
+		c.Params = []gin.Param{
+			{"key", "testCallBackRemote"},
+		}
+		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
+		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
+		auth.SignRequest(authInstance, c.Request, 0)
+		AuthFunc(c)
+		asserts.True(c.IsAborted())
+	}
+
+	// 用户不存在
+	{
+		cache.Set(
+			"callback_testCallBackRemote",
+			serializer.UploadSession{
+				UID:         1,
+				PolicyID:    2,
+				VirtualPath: "/",
+			},
+			0,
+		)
+		cache.Deletes([]string{"1"}, "policy_")
+		mock.ExpectQuery("SELECT(.+)users(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}))
+		c, _ := gin.CreateTestContext(rec)
+		c.Params = []gin.Param{
+			{"key", "testCallBackRemote"},
+		}
+		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
+		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
+		auth.SignRequest(authInstance, c.Request, 0)
+		AuthFunc(c)
+		asserts.NoError(mock.ExpectationsWereMet())
+		asserts.True(c.IsAborted())
+	}
+
+	// 存储策略不一致
+	{
+		cache.Set(
+			"callback_testCallBackRemote",
+			serializer.UploadSession{
+				UID:         1,
+				PolicyID:    2,
+				VirtualPath: "/",
+			},
+			0,
+		)
+		cache.Deletes([]string{"1"}, "policy_")
+		mock.ExpectQuery("SELECT(.+)users(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}).AddRow(1, 1))
+		mock.ExpectQuery("SELECT(.+)groups(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "policies"}).AddRow(1, "[3]"))
+		mock.ExpectQuery("SELECT(.+)policies(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "secret_key"}).AddRow(3, "123"))
+		c, _ := gin.CreateTestContext(rec)
+		c.Params = []gin.Param{
+			{"key", "testCallBackRemote"},
+		}
+		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
+		authInstance := auth.HMACAuth{SecretKey: []byte("123")}
+		auth.SignRequest(authInstance, c.Request, 0)
+		AuthFunc(c)
+		asserts.NoError(mock.ExpectationsWereMet())
+		asserts.True(c.IsAborted())
+	}
+
+	// 签名错误
+	{
+		cache.Set(
+			"callback_testCallBackRemote",
+			serializer.UploadSession{
+				UID:         1,
+				PolicyID:    2,
+				VirtualPath: "/",
+			},
+			0,
+		)
+		cache.Deletes([]string{"1"}, "policy_")
+		mock.ExpectQuery("SELECT(.+)users(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "group_id"}).AddRow(1, 1))
+		mock.ExpectQuery("SELECT(.+)groups(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "policies"}).AddRow(1, "[2]"))
+		mock.ExpectQuery("SELECT(.+)policies(.+)").
+			WillReturnRows(sqlmock.NewRows([]string{"id", "secret_key"}).AddRow(2, "123"))
+		c, _ := gin.CreateTestContext(rec)
+		c.Params = []gin.Param{
+			{"key", "testCallBackRemote"},
+		}
+		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote/testCallBackRemote", nil)
+		AuthFunc(c)
+		asserts.NoError(mock.ExpectationsWereMet())
+		asserts.True(c.IsAborted())
+	}
+
+	// Callback Key 为空
+	{
+		c, _ := gin.CreateTestContext(rec)
+		c.Request, _ = http.NewRequest("POST", "/api/v3/callback/remote", nil)
+		AuthFunc(c)
+		asserts.True(c.IsAborted())
+	}
+}

models/user.go

@@ -177,7 +177,9 @@ func (user *User) AfterCreate(tx *gorm.DB) (err error) {
 // AfterFind 找到用户后的钩子
 func (user *User) AfterFind() (err error) {
 	// 解析用户设置到OptionsSerialized
+	if user.Options != "" {
 		err = json.Unmarshal([]byte(user.Options), &user.OptionsSerialized)
+	}
 
 	// 预加载存储策略
 	user.Policy, _ = GetPolicyByID(user.GetPolicyID())

pkg/auth/auth.go

@@ -60,9 +60,12 @@ func getSignContent(r *http.Request) (rawSignString string) {
 	if policy, ok := r.Header["X-Policy"]; ok {
 		rawSignString = serializer.NewRequestSignString(r.URL.Path, policy[0], "")
 	} else {
-		body, _ := ioutil.ReadAll(r.Body)
+		var body = []byte{}
+		if r.Body != nil {
+			body, _ = ioutil.ReadAll(r.Body)
 			_ = r.Body.Close()
 			r.Body = ioutil.NopCloser(bytes.NewReader(body))
+		}
 		rawSignString = serializer.NewRequestSignString(r.URL.Path, "", string(body))
 	}
 	return rawSignString