1

conf/project.go

@@ -11,6 +11,22 @@ import "time"
 const SysTimeform = "2006-01-02 15:04:05"
 const SysTimeformShort = "2006-01-02"
 
+// 请填写您的AccessKeyId。
+const AccessKeyId = "LTAI4GAEAwazcR8JvjZxMiJL"
+
+// 请填写您的AccessKeySecret。
+const AccessKeySecret = "805hbdLwM6cRcBBLSAE5o8mdDAi2NY"
+
+// host的格式为 bucketname.endpoint ，请替换为您的真实信息。
+const OssHost string = "http://measuresaas.oss-cn-shenzhen.aliyuncs.com"
+
+// callbackUrl为 上传回调服务器的URL，请将下面的IP和Port配置为您自己的真实信息。
+const CallbackUrl string = "http://88.88.88.88:8888"
+
+// 用户上传文件时指定的前缀。 --user-dir-prefix/
+const Upload_dir string = ""
+const Expire_time int64 = 60
+
 // 中国时区
 var SysTimeLocation, _ = time.LoadLocation("Asia/Chongqing")
 

go.mod

@@ -5,6 +5,7 @@ go 1.12
 require (
 	github.com/Joker/hpp v1.0.0 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
+	github.com/aliyun/aliyun-oss-go-sdk v2.1.5+incompatible // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible

go.sum

@@ -30,6 +30,9 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/aliyun/aliyun-oss-go-sdk v1.9.8 h1:BOflvK0Zs/zGmoabyFIzTg5c3kguktWTXEwewwbuba0=
+github.com/aliyun/aliyun-oss-go-sdk v2.1.5+incompatible h1:v5yDfjkRY/kOxu05gkh0/D/2wYxbTFCoTr3JqFI0FLE=
+github.com/aliyun/aliyun-oss-go-sdk v2.1.5+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/andybalholm/brotli v1.0.1-0.20200619015827-c3da72aa01ed h1:G/gj6aolvcaqMTCmlHRDsLLQlJ/fXTC4vE9o18KRZtw=
 github.com/andybalholm/brotli v1.0.1-0.20200619015827-c3da72aa01ed/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=

web/api/oss_api.go

@@ -0,0 +1,500 @@
+/*
+ * @description: 阿里云oss相关
+ * @Author: CP
+ * @Date: 2020-12-04 10:06:19
+ * @FilePath: \construction_management\web\api\oss_api.go
+ */
+
+package api
+
+import (
+	"crypto"
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/kataras/iris/v12"
+	"go.mod/conf"
+)
+
+type OssApi struct {
+	//框架-web应用上下文环境
+	Ctx iris.Context
+}
+
+const (
+	base64Table = "123QRSTUabcdVWXYZHijKLAWDCABDstEFGuvwxyzGHIJklmnopqr234560178912"
+)
+
+var coder = base64.NewEncoding(base64Table)
+
+func base64Encode(src []byte) []byte {
+	return []byte(coder.EncodeToString(src))
+}
+
+func get_gmt_iso8601(expire_end int64) string {
+	var tokenExpire = time.Unix(expire_end, 0).UTC().Format("2006-01-02T15:04:05Z")
+	return tokenExpire
+}
+
+type ConfigStruct struct {
+	Expiration string     `json:"expiration"`
+	Conditions [][]string `json:"conditions"`
+}
+
+type PolicyToken struct {
+	AccessKeyId string `json:"accessid"`
+	Host        string `json:"host"`
+	Expire      int64  `json:"expire"`
+	Signature   string `json:"signature"`
+	Policy      string `json:"policy"`
+	Directory   string `json:"dir"`
+	Callback    string `json:"callback"`
+}
+
+type CallbackParam struct {
+	CallbackUrl      string `json:"callbackUrl"`
+	CallbackBody     string `json:"callbackBody"`
+	CallbackBodyType string `json:"callbackBodyType"`
+}
+
+func get_policy_token() string {
+	now := time.Now().Unix()
+	expire_end := now + conf.Expire_time
+	var tokenExpire = get_gmt_iso8601(expire_end)
+
+	//create post policy json
+	var config ConfigStruct
+	config.Expiration = tokenExpire
+	var condition []string
+	condition = append(condition, "starts-with")
+	condition = append(condition, "$key")
+	condition = append(condition, conf.Upload_dir)
+	config.Conditions = append(config.Conditions, condition)
+
+	//calucate signature
+	result, err := json.Marshal(config)
+	debyte := base64.StdEncoding.EncodeToString(result)
+	h := hmac.New(func() hash.Hash { return sha1.New() }, []byte(conf.AccessKeySecret))
+	io.WriteString(h, debyte)
+	signedStr := base64.StdEncoding.EncodeToString(h.Sum(nil))
+
+	var callbackParam CallbackParam
+	callbackParam.CallbackUrl = conf.CallbackUrl
+	callbackParam.CallbackBody = "filename=${object}&size=${size}&mimeType=${mimeType}&height=${imageInfo.height}&width=${imageInfo.width}"
+	callbackParam.CallbackBodyType = "application/x-www-form-urlencoded"
+	callback_str, err := json.Marshal(callbackParam)
+	if err != nil {
+		fmt.Println("callback json err:", err)
+	}
+	callbackBase64 := base64.StdEncoding.EncodeToString(callback_str)
+
+	var policyToken PolicyToken
+	policyToken.AccessKeyId = conf.AccessKeyId
+	policyToken.Host = conf.OssHost
+	policyToken.Expire = expire_end
+	policyToken.Signature = string(signedStr)
+	policyToken.Directory = conf.Upload_dir
+	policyToken.Policy = string(debyte)
+	policyToken.Callback = string(callbackBase64)
+	response, err := json.Marshal(policyToken)
+	if err != nil {
+		fmt.Println("json err:", err)
+	}
+	return string(response)
+}
+
+// 获得上传Oss签名
+func (c *OssApi) GetSignature() {
+	policyToken := PolicyToken{}
+	response := get_policy_token()
+	json.Unmarshal([]byte(response), &policyToken)
+	c.Ctx.JSON(iris.Map{
+		"code": 0,
+		"msg":  "",
+		"data": policyToken,
+	})
+
+}
+
+func handlerRequest(w http.ResponseWriter, r *http.Request) {
+	if r.Method == "GET" {
+		response := get_policy_token()
+		w.Header().Set("Access-Control-Allow-Methods", "POST")
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		io.WriteString(w, response)
+	}
+
+	if r.Method == "POST" {
+		fmt.Println("\nHandle Post Request ... ")
+
+		// Get PublicKey bytes
+		bytePublicKey, err := getPublicKey(r)
+		if err != nil {
+			responseFailed(w)
+			return
+		}
+
+		// Get Authorization bytes : decode from Base64String
+		byteAuthorization, err := getAuthorization(r)
+		if err != nil {
+			responseFailed(w)
+			return
+		}
+
+		// Get MD5 bytes from Newly Constructed Authrization String.
+		byteMD5, err := getMD5FromNewAuthString(r)
+		if err != nil {
+			responseFailed(w)
+			return
+		}
+
+		// verifySignature and response to client
+		if verifySignature(bytePublicKey, byteMD5, byteAuthorization) {
+			// do something you want accoding to callback_body ...
+
+			responseSuccess(w) // response OK : 200
+		} else {
+			responseFailed(w) // response FAILED : 400
+		}
+	}
+}
+
+// getPublicKey : Get PublicKey bytes from Request.URL
+func getPublicKey(r *http.Request) ([]byte, error) {
+	var bytePublicKey []byte
+	// get PublicKey URL
+	publicKeyURLBase64 := r.Header.Get("x-oss-pub-key-url")
+	if publicKeyURLBase64 == "" {
+		fmt.Println("GetPublicKey from Request header failed :  No x-oss-pub-key-url field. ")
+		return bytePublicKey, errors.New("no x-oss-pub-key-url field in Request header ")
+	}
+	publicKeyURL, _ := base64.StdEncoding.DecodeString(publicKeyURLBase64)
+	// fmt.Printf("publicKeyURL={%s}\n", publicKeyURL)
+	// get PublicKey Content from URL
+	responsePublicKeyURL, err := http.Get(string(publicKeyURL))
+	if err != nil {
+		fmt.Printf("Get PublicKey Content from URL failed : %s \n", err.Error())
+		return bytePublicKey, err
+	}
+	bytePublicKey, err = ioutil.ReadAll(responsePublicKeyURL.Body)
+	if err != nil {
+		fmt.Printf("Read PublicKey Content from URL failed : %s \n", err.Error())
+		return bytePublicKey, err
+	}
+	defer responsePublicKeyURL.Body.Close()
+	// fmt.Printf("publicKey={%s}\n", bytePublicKey)
+	return bytePublicKey, nil
+}
+
+// getAuthorization : decode from Base64String
+func getAuthorization(r *http.Request) ([]byte, error) {
+	var byteAuthorization []byte
+	// Get Authorization bytes : decode from Base64String
+	strAuthorizationBase64 := r.Header.Get("authorization")
+	if strAuthorizationBase64 == "" {
+		fmt.Println("Failed to get authorization field from request header. ")
+		return byteAuthorization, errors.New("no authorization field in Request header")
+	}
+	byteAuthorization, _ = base64.StdEncoding.DecodeString(strAuthorizationBase64)
+	return byteAuthorization, nil
+}
+
+// getMD5FromNewAuthString : Get MD5 bytes from Newly Constructed Authrization String.
+func getMD5FromNewAuthString(r *http.Request) ([]byte, error) {
+	var byteMD5 []byte
+	// Construct the New Auth String from URI+Query+Body
+	bodyContent, err := ioutil.ReadAll(r.Body)
+	r.Body.Close()
+	if err != nil {
+		fmt.Printf("Read Request Body failed : %s \n", err.Error())
+		return byteMD5, err
+	}
+	strCallbackBody := string(bodyContent)
+	// fmt.Printf("r.URL.RawPath={%s}, r.URL.Query()={%s}, strCallbackBody={%s}\n", r.URL.RawPath, r.URL.Query(), strCallbackBody)
+	strURLPathDecode, errUnescape := unescapePath(r.URL.Path, encodePathSegment) //url.PathUnescape(r.URL.Path) for Golang v1.8.2+
+	if errUnescape != nil {
+		fmt.Printf("url.PathUnescape failed : URL.Path=%s, error=%s \n", r.URL.Path, err.Error())
+		return byteMD5, errUnescape
+	}
+
+	// Generate New Auth String prepare for MD5
+	strAuth := ""
+	if r.URL.RawQuery == "" {
+		strAuth = fmt.Sprintf("%s\n%s", strURLPathDecode, strCallbackBody)
+	} else {
+		strAuth = fmt.Sprintf("%s?%s\n%s", strURLPathDecode, r.URL.RawQuery, strCallbackBody)
+	}
+	// fmt.Printf("NewlyConstructedAuthString={%s}\n", strAuth)
+
+	// Generate MD5 from the New Auth String
+	md5Ctx := md5.New()
+	md5Ctx.Write([]byte(strAuth))
+	byteMD5 = md5Ctx.Sum(nil)
+
+	return byteMD5, nil
+}
+
+/*  VerifySignature
+*   VerifySignature需要三个重要的数据信息来进行签名验证： 1>获取公钥PublicKey;  2>生成新的MD5鉴权串;  3>解码Request携带的鉴权串;
+*   1>获取公钥PublicKey : 从RequestHeader的"x-oss-pub-key-url"字段中获取 URL, 读取URL链接的包含的公钥内容， 进行解码解析， 将其作为rsa.VerifyPKCS1v15的入参。
+*   2>生成新的MD5鉴权串 : 把Request中的url中的path部分进行urldecode， 加上url的query部分， 再加上body， 组合之后进行MD5编码， 得到MD5鉴权字节串。
+*   3>解码Request携带的鉴权串 ： 获取RequestHeader的"authorization"字段， 对其进行Base64解码，作为签名验证的鉴权对比串。
+*   rsa.VerifyPKCS1v15进行签名验证，返回验证结果。
+* */
+func verifySignature(bytePublicKey []byte, byteMd5 []byte, authorization []byte) bool {
+	pubBlock, _ := pem.Decode(bytePublicKey)
+	if pubBlock == nil {
+		fmt.Printf("Failed to parse PEM block containing the public key")
+		return false
+	}
+	pubInterface, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)
+	if (pubInterface == nil) || (err != nil) {
+		fmt.Printf("x509.ParsePKIXPublicKey(publicKey) failed : %s \n", err.Error())
+		return false
+	}
+	pub := pubInterface.(*rsa.PublicKey)
+
+	errorVerifyPKCS1v15 := rsa.VerifyPKCS1v15(pub, crypto.MD5, byteMd5, authorization)
+	if errorVerifyPKCS1v15 != nil {
+		fmt.Printf("\nSignature Verification is Failed : %s \n", errorVerifyPKCS1v15.Error())
+		//printByteArray(byteMd5, "AuthMd5(fromNewAuthString)")
+		//printByteArray(bytePublicKey, "PublicKeyBase64")
+		//printByteArray(authorization, "AuthorizationFromRequest")
+		return false
+	}
+
+	fmt.Printf("\nSignature Verification is Successful. \n")
+	return true
+}
+
+// responseSuccess : Response 200 to client
+func responseSuccess(w http.ResponseWriter) {
+	strResponseBody := "{\"Status\":\"OK\"}"
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Content-Length", strconv.Itoa(len(strResponseBody)))
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(strResponseBody))
+	fmt.Printf("\nPost Response : 200 OK . \n")
+}
+
+// responseFailed : Response 400 to client
+func responseFailed(w http.ResponseWriter) {
+	w.WriteHeader(http.StatusBadRequest)
+	fmt.Printf("\nPost Response : 400 BAD . \n")
+}
+
+func printByteArray(byteArrary []byte, arrName string) {
+	fmt.Printf("++++++++ printByteArray :  ArrayName=%s, ArrayLength=%d \n", arrName, len(byteArrary))
+	for i := 0; i < len(byteArrary); i++ {
+		fmt.Printf("%02x", byteArrary[i])
+	}
+	fmt.Printf("\n-------- printByteArray :  End . \n")
+}
+
+type EscapeError string
+
+func (e EscapeError) Error() string {
+	return "invalid URL escape " + strconv.Quote(string(e))
+}
+
+type InvalidHostError string
+
+func (e InvalidHostError) Error() string {
+	return "invalid character " + strconv.Quote(string(e)) + " in host name"
+}
+
+type encoding int
+
+const (
+	encodePath encoding = 1 + iota
+	encodePathSegment
+	encodeHost
+	encodeZone
+	encodeUserPassword
+	encodeQueryComponent
+	encodeFragment
+)
+
+// unescapePath : unescapes a string; the mode specifies, which section of the URL string is being unescaped.
+func unescapePath(s string, mode encoding) (string, error) {
+	// Count %, check that they're well-formed.
+	mode = encodePathSegment
+	n := 0
+	hasPlus := false
+	for i := 0; i < len(s); {
+		switch s[i] {
+		case '%':
+			n++
+			if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
+				s = s[i:]
+				if len(s) > 3 {
+					s = s[:3]
+				}
+				return "", EscapeError(s)
+			}
+			// Per https://tools.ietf.org/html/rfc3986#page-21
+			// in the host component %-encoding can only be used
+			// for non-ASCII bytes.
+			// But https://tools.ietf.org/html/rfc6874#section-2
+			// introduces %25 being allowed to escape a percent sign
+			// in IPv6 scoped-address literals. Yay.
+			if mode == encodeHost && unhex(s[i+1]) < 8 && s[i:i+3] != "%25" {
+				return "", EscapeError(s[i : i+3])
+			}
+			if mode == encodeZone {
+				// RFC 6874 says basically "anything goes" for zone identifiers
+				// and that even non-ASCII can be redundantly escaped,
+				// but it seems prudent to restrict %-escaped bytes here to those
+				// that are valid host name bytes in their unescaped form.
+				// That is, you can use escaping in the zone identifier but not
+				// to introduce bytes you couldn't just write directly.
+				// But Windows puts spaces here! Yay.
+				v := unhex(s[i+1])<<4 | unhex(s[i+2])
+				if s[i:i+3] != "%25" && v != ' ' && shouldEscape(v, encodeHost) {
+					return "", EscapeError(s[i : i+3])
+				}
+			}
+			i += 3
+		case '+':
+			hasPlus = mode == encodeQueryComponent
+			i++
+		default:
+			if (mode == encodeHost || mode == encodeZone) && s[i] < 0x80 && shouldEscape(s[i], mode) {
+				return "", InvalidHostError(s[i : i+1])
+			}
+			i++
+		}
+	}
+
+	if n == 0 && !hasPlus {
+		return s, nil
+	}
+
+	t := make([]byte, len(s)-2*n)
+	j := 0
+	for i := 0; i < len(s); {
+		switch s[i] {
+		case '%':
+			t[j] = unhex(s[i+1])<<4 | unhex(s[i+2])
+			j++
+			i += 3
+		case '+':
+			if mode == encodeQueryComponent {
+				t[j] = ' '
+			} else {
+				t[j] = '+'
+			}
+			j++
+			i++
+		default:
+			t[j] = s[i]
+			j++
+			i++
+		}
+	}
+	return string(t), nil
+}
+
+// Please be informed that for now shouldEscape does not check all
+// reserved characters correctly. See golang.org/issue/5684.
+func shouldEscape(c byte, mode encoding) bool {
+	// §2.3 Unreserved characters (alphanum)
+	if 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' || '0' <= c && c <= '9' {
+		return false
+	}
+
+	if mode == encodeHost || mode == encodeZone {
+		// §3.2.2 Host allows
+		//	sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
+		// as part of reg-name.
+		// We add : because we include :port as part of host.
+		// We add [ ] because we include [ipv6]:port as part of host.
+		// We add < > because they're the only characters left that
+		// we could possibly allow, and Parse will reject them if we
+		// escape them (because hosts can't use %-encoding for
+		// ASCII bytes).
+		switch c {
+		case '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=', ':', '[', ']', '<', '>', '"':
+			return false
+		}
+	}
+
+	switch c {
+	case '-', '_', '.', '~': // §2.3 Unreserved characters (mark)
+		return false
+
+	case '$', '&', '+', ',', '/', ':', ';', '=', '?', '@': // §2.2 Reserved characters (reserved)
+		// Different sections of the URL allow a few of
+		// the reserved characters to appear unescaped.
+		switch mode {
+		case encodePath: // §3.3
+			// The RFC allows : @ & = + $ but saves / ; , for assigning
+			// meaning to individual path segments. This package
+			// only manipulates the path as a whole, so we allow those
+			// last three as well. That leaves only ? to escape.
+			return c == '?'
+
+		case encodePathSegment: // §3.3
+			// The RFC allows : @ & = + $ but saves / ; , for assigning
+			// meaning to individual path segments.
+			return c == '/' || c == ';' || c == ',' || c == '?'
+
+		case encodeUserPassword: // §3.2.1
+			// The RFC allows ';', ':', '&', '=', '+', '$', and ',' in
+			// userinfo, so we must escape only '@', '/', and '?'.
+			// The parsing of userinfo treats ':' as special so we must escape
+			// that too.
+			return c == '@' || c == '/' || c == '?' || c == ':'
+
+		case encodeQueryComponent: // §3.4
+			// The RFC reserves (so we must escape) everything.
+			return true
+
+		case encodeFragment: // §4.1
+			// The RFC text is silent but the grammar allows
+			// everything, so escape nothing.
+			return false
+		}
+	}
+
+	// Everything else must be escaped.
+	return true
+}
+
+func ishex(c byte) bool {
+	switch {
+	case '0' <= c && c <= '9':
+		return true
+	case 'a' <= c && c <= 'f':
+		return true
+	case 'A' <= c && c <= 'F':
+		return true
+	}
+	return false
+}
+
+func unhex(c byte) byte {
+	switch {
+	case '0' <= c && c <= '9':
+		return c - '0'
+	case 'a' <= c && c <= 'f':
+		return c - 'a' + 10
+	case 'A' <= c && c <= 'F':
+		return c - 'A' + 10
+	}
+	return 0
+}

web/routes/routes.go

@@ -125,6 +125,12 @@ func Configure(b *bootstrap.Bootstrapper) {
 	apiContract.Router.Use(middleware.AccessAuth)
 	apiContract.Handle(new(api.ContractApi))
 
+	// oss相关
+	apiOss := mvc.New(b.Party("/api/oss"))
+	apiOss.Router.Use(middleware.SessionsAuth)
+	apiOss.Router.Use(middleware.AccessAuth)
+	apiOss.Handle(new(api.OssApi))
+
 	// rpc相关
 	// rpc := mvc.New(b.Party("/api/rpc/test"))
 	// rpc.Register(RpcService)