v1.1.0

.gitignore

@@ -1,2 +1,3 @@
 resource_manager
 .idea/
+.env

api/api.go

@@ -53,6 +53,10 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
 			c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
 			return
 		}
+		if !isValidPath(request.Path) {
+			c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+			return
+		}
 		content, err := base64.StdEncoding.DecodeString(request.Content)
 		if err != nil {
 			c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
@@ -69,26 +73,38 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
 				return
 			}
 		}
+		log.Printf("Uploading '%s'...", request.Path)
+
 		resourceManager.Upload(resource.UploadRequest{
 			Buffer:    bytes.NewBuffer(content),
 			Path:      request.Path,
 			MimeType:  request.Properties.MimeType,
 			Overwrite: request.Properties.Overwrite,
 		})
+		log.Printf("Uploaded '%s'", request.Path)
 		// we return this as success
 		c.Status(http.StatusNoContent)
 	}
 }
 
+func isValidPath(currentPath string) bool {
+	if strings.HasPrefix(currentPath, "../") || strings.Contains(currentPath, "/../") {
+		return false
+	}
+	return true
+}
+
 func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		from := c.Query("from")
 		to := c.Query("to")
 		overwrite := c.Query("overwrite") == "true"
+		log.Printf("Copying from '%s' to '%s' (overwrite=%v)...", from, to, overwrite)
 		if err := resourceManager.Copy(from, to, overwrite); err != nil {
 			log.Println(err)
 			c.AbortWithStatus(500)
 		} else {
+			log.Printf("Done copyting from '%s' to '%s' (overwrite=%v)", from, to, overwrite)
 			c.Status(201)
 		}
 
@@ -98,11 +114,17 @@ func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
 func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := c.Query("path")
+		if !isValidPath(path) {
+			c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+			return
+		}
 		url, err := resourceManager.Presign(c, path)
 		if err != nil {
 			c.AbortWithStatus(404)
 			return
 		}
+		log.Printf("Presigned '%s'", path)
+
 		if c.Query("redirect") == "true" {
 			c.Redirect(http.StatusTemporaryRedirect, url)
 		} else {
@@ -113,11 +135,22 @@ func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc {
 
 func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		path := c.Query("path")
+		path := ""
+		if c.GetString("secure") == "token" {
+			path = c.GetString("path")
+		} else {
+			path = c.Query("path")
+		}
+		if !isValidPath(path) {
+			c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+			return
+		}
+		log.Printf("Downloading '%s'...", path)
 		data, err := resourceManager.Download(c, path)
 		if err == nil {
 			c.Header("content-disposition", "inline; filename=\""+filename(path)+"\"")
 			c.Data(200, readMimeType(path, ""), data)
+			log.Printf("Downloaded '%s'", path)
 		} else {
 			c.AbortWithStatus(http.StatusNotFound)
 		}
@@ -127,9 +160,15 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
 func HandleDelete(resourceManager resource.Manager) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := c.Query("path")
+		if !isValidPath(path) {
+			c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+			return
+		}
+		log.Printf("Deleting '%s'...", path)
 		if err := resourceManager.Delete(path); err != nil {
-			c.AbortWithError(400, err)
+			_ = c.AbortWithError(400, err)
 		} else {
+			log.Printf("Deleted '%s'", path)
 			c.Status(204)
 		}
 	}

api/middleware.go

@@ -0,0 +1,79 @@
+package api
+
+import (
+	"fmt"
+	"github.com/gin-gonic/gin"
+	"log"
+	"net/http"
+	"os"
+	"resource-manager/security"
+	"strings"
+	"time"
+)
+
+func Auth() gin.HandlerFunc {
+	basicAuth, hasBasicAuth := os.LookupEnv("BASIC_AUTH_CREDENTIALS")
+	var apiAuths []string
+	if list, hasApiAuth := os.LookupEnv("API_CREDENTIALS"); hasApiAuth {
+		apiAuths = strings.Split(list, ",")
+	}
+
+	return func(c *gin.Context) {
+		if rawToken := c.Query("token"); rawToken != "" {
+			token, err := security.ParseToken(rawToken)
+			if err != nil {
+				abort(c, nil, http.StatusUnauthorized, "invalid token")
+				return
+			}
+			c.Set("secure", "token")
+			c.Set("path", token.Path)
+			return
+		}
+		authHeader := c.GetHeader("Authorization")
+		if strings.HasPrefix(authHeader, "Basic ") && hasBasicAuth {
+			if strings.TrimPrefix(authHeader, "Basic ") == basicAuth {
+				c.Set("secure", security.TypeBasic)
+				return
+			}
+		}
+		if strings.HasPrefix(authHeader, "Api ") && hasBasicAuth {
+			key := strings.TrimPrefix(authHeader, "Api ")
+			if hasValidApiKey(apiAuths, key) {
+				c.Set("secure", security.TypeApi)
+				return
+			}
+		}
+		abort(c, nil, http.StatusUnauthorized, "missing auth")
+	}
+}
+
+func Secure(types ...security.Type) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		value, exists := c.Get("secure")
+		if !exists {
+			abort(c, nil, http.StatusUnauthorized, "missing auth")
+		} else {
+			securityType := value.(security.Type)
+			for _, t := range types {
+				if t == securityType {
+					return
+				}
+			}
+			abort(c, nil, http.StatusUnauthorized, fmt.Sprintf("bad security: received %s type", securityType))
+		}
+	}
+}
+
+func hasValidApiKey(auths []string, key string) bool {
+	for _, a := range auths {
+		if a == key {
+			return true
+		}
+	}
+	return false
+}
+
+func abort(c *gin.Context, err error, statusCode int, message string) {
+	log.Printf("Aborted with error: %v", err)
+	c.AbortWithStatusJSON(statusCode, gin.H{"status": statusCode, "created": time.Now(), "message": message})
+}

api/routes.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"resource-manager/domain/cache"
 	"resource-manager/domain/resource"
+	"resource-manager/security"
 	"time"
 )
 
@@ -19,7 +20,7 @@ func createServer() *gin.Engine {
 	server := gin.New()
 	server.NoRoute(NoRoute())
 	server.NoMethod(NoMethod())
-	server.Use(gin.Recovery())
+	server.Use(gin.Recovery(), Auth())
 	return server
 }
 
@@ -31,11 +32,13 @@ func RegisterRoutes(server *gin.Engine) {
 
 	resourceManager := resource.NewManager(cacheManager, expiration)
 
-	server.POST("/api/v1/upload", HandleUpload(resourceManager))
-	server.GET("/api/v1/download", HandleDownload(resourceManager))
-	server.GET("/api/v1/presign", HandlePresign(resourceManager))
-	server.PUT("/api/v1/copy", HandleCopy(resourceManager))
-	server.DELETE("/api/v1/delete", HandleDelete(resourceManager))
+	resourcesGroup := server.Group("/api/v1/resources", Secure(security.TypeBasic, security.TypeApi))
+	resourcesGroup.POST("", HandleUpload(resourceManager))
+	resourcesGroup.GET("presign", HandlePresign(resourceManager))
+	resourcesGroup.PUT("copy", HandleCopy(resourceManager))
+	resourcesGroup.DELETE("", HandleDelete(resourceManager))
+
+	server.GET("/api/v1/resources", Secure(security.TypeBasic, security.TypeApi, security.TypeToken), HandleDownload(resourceManager))
 }
 
 func loadExpiration() time.Duration {

domain/cache/in_mem_cache.go

@@ -0,0 +1,40 @@
+package cache
+
+import (
+	"errors"
+	"time"
+)
+
+func newInMemCache() Manager {
+	return &inMemCache{make(map[string]inMemEntry)}
+}
+
+type inMemEntry struct {
+	value      string
+	expiration time.Time
+}
+
+type inMemCache struct {
+	entries map[string]inMemEntry
+}
+
+func (i *inMemCache) Set(key, value string, expiration time.Duration) error {
+	i.entries[key] = inMemEntry{
+		value:      value,
+		expiration: time.Now().Add(expiration),
+	}
+	return nil
+}
+func (i *inMemCache) Get(key string) (string, error) {
+	if val, exists := i.entries[key]; exists {
+		if val.expiration.Before(time.Now()) {
+			delete(i.entries, key)
+		} else {
+			return val.value, nil
+		}
+	}
+	return "", errors.New("no value for given key")
+}
+func (i *inMemCache) Remove(key string) {
+	delete(i.entries, key)
+}

domain/cache/redis_cache.go

@@ -2,7 +2,6 @@ package cache
 
 import (
 	"context"
-	"errors"
 	"github.com/go-redis/redis/v8"
 	"os"
 	"time"
@@ -37,37 +36,3 @@ func (r *redisCache) Remove(key string) {
 	defer cancel()
 	r.client.Del(ctx, key)
 }
-
-func newInMemCache() Manager {
-	return &inMemCache{make(map[string]inMemEntry)}
-}
-
-type inMemEntry struct {
-	value      string
-	expiration time.Time
-}
-
-type inMemCache struct {
-	entries map[string]inMemEntry
-}
-
-func (i *inMemCache) Set(key, value string, expiration time.Duration) error {
-	i.entries[key] = inMemEntry{
-		value:      value,
-		expiration: time.Now().Add(expiration),
-	}
-	return nil
-}
-func (i *inMemCache) Get(key string) (string, error) {
-	if val, exists := i.entries[key]; exists {
-		if val.expiration.Before(time.Now()) {
-			delete(i.entries, key)
-		} else {
-			return val.value, nil
-		}
-	}
-	return "", errors.New("no value for given key")
-}
-func (i *inMemCache) Remove(key string) {
-	delete(i.entries, key)
-}

domain/resource/file_manager.go

@@ -0,0 +1,112 @@
+package resource
+
+import (
+	"context"
+	"log"
+	"os"
+	"path/filepath"
+	"resource-manager/domain/cache"
+	"resource-manager/security"
+	"strings"
+	"time"
+)
+
+func newLocalFolder(cacheManager cache.Manager, expiration time.Duration) Manager {
+	path := os.Getenv("LOCAL_PATH_PREFIX")
+	// if path isn't set use local
+	if path == "" {
+		path, _ = os.Getwd()
+	}
+	log.Println("Manager | using path (" + path + ") and expiration of " + expiration.String())
+	manager := fileManager{cacheManager, path, expiration}
+	return &manager
+}
+
+type fileManager struct {
+	cache      cache.Manager
+	path       string
+	expiration time.Duration
+}
+
+func (f *fileManager) Upload(request UploadRequest) {
+	fullPath := filepath.Join(f.path, request.Path)
+	createFolder(fullPath)
+	if checkFileExists(fullPath) && !request.Overwrite {
+		log.Println("Manager | cannot upload file as file on same path already exists")
+		return
+	}
+	log.Println("Manager | uploading to (" + request.Path + ")")
+	if err := os.WriteFile(fullPath, request.Buffer.Bytes(), 0o644); err != nil {
+		log.Println("Manager | failed uploading (" + request.Path + ") cause: " + err.Error())
+	}
+}
+
+func checkFileExists(path string) bool {
+	_, err := os.Stat(path)
+	return err == nil
+}
+func (f *fileManager) Download(_ context.Context, path string) (file []byte, err error) {
+	fullPath := filepath.Join(f.path, path)
+	file, err = os.ReadFile(fullPath)
+	if err != nil {
+		log.Println("Manager | failed downloading (" + path + ") cause: " + err.Error())
+	}
+	return
+}
+func (f *fileManager) Presign(_ context.Context, path string) (string, error) {
+	token, err := security.CreateToken(security.PresignToken{Path: path}, f.expiration)
+	if err != nil {
+		return "", err
+	}
+	return "/api/v1/resources?token=" + token, nil
+}
+func (f *fileManager) Copy(from string, to string, overwrite bool) error {
+	fromPath := filepath.Join(f.path, from)
+	toPath := filepath.Join(f.path, to)
+	log.Println("Manager | copying from (" + fromPath + ") to (" + toPath + ")")
+	createFolder(filepath.Join(toPath, "file"))
+	return copyFolder(fromPath, toPath, overwrite)
+}
+func (f *fileManager) Delete(path string) error {
+	log.Println("Manager | deleting " + path)
+	fullPath := filepath.Join(f.path, path)
+	if err := os.Remove(fullPath); err != nil {
+		log.Println("Manager | failed deleting (" + path + ") cause: " + err.Error())
+		return err
+	}
+	f.cache.Remove(path)
+	return nil
+}
+func createFolder(path string) {
+	paths := strings.Split(path, "/")
+	folderPath := "/" + filepath.Join(paths[:len(paths)-1]...)
+	if err := os.MkdirAll(folderPath, 0o755); err != nil {
+		log.Println("[error] ", err)
+	}
+}
+func copyFolder(source, destination string, overwrite bool) error {
+	var err = filepath.WalkDir(source, func(path string, d os.DirEntry, err error) error {
+		relPath := strings.Replace(path, source, "", 1)
+		if relPath == "" {
+			return nil
+		}
+		if d.IsDir() {
+			return os.Mkdir(filepath.Join(destination, relPath), 0755)
+		} else {
+			doesExist := false
+			if _, err := os.Stat(filepath.Join(destination, relPath)); !os.IsNotExist(err) {
+				doesExist = true
+			}
+			if !doesExist || overwrite {
+				var data, err1 = os.ReadFile(filepath.Join(source, relPath))
+				if err1 != nil {
+					return err1
+				}
+				return os.WriteFile(filepath.Join(destination, relPath), data, 0777)
+			} else {
+				return nil
+			}
+		}
+	})
+	return err
+}

domain/resource/manager.go

@@ -22,6 +22,7 @@ func NewManager(cacheManager cache.Manager, expiration time.Duration) Manager {
 		log.Println("Manager | using S3 for data storage")
 		return newS3Bucket(cacheManager, expiration)
 	} else {
+		log.Println("Manager | using local file for data storage")
 		return newLocalFolder(cacheManager, expiration)
 	}
 }

domain/resource/s3_manager.go

@@ -8,11 +8,9 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
-	"io/ioutil"
 	"log"
 	"net/url"
 	"os"
-	"path/filepath"
 	"resource-manager/domain/cache"
 	"strconv"
 	"strings"
@@ -20,101 +18,6 @@ import (
 	"time"
 )
 
-func newLocalFolder(cacheManager cache.Manager, expiration time.Duration) Manager {
-	path := os.Getenv("UPLOAD_PATH")
-	// if path isn't set use local
-	if path == "" {
-		path, _ = os.Getwd()
-	}
-	log.Println("Manager | using local file system for data storage (" + path + ")")
-	manager := fileManager{cacheManager, path}
-	return &manager
-}
-
-type fileManager struct {
-	cache cache.Manager
-	path  string
-}
-
-func (f *fileManager) Upload(request UploadRequest) {
-	fullPath := filepath.Join(f.path, request.Path)
-	createFolder(fullPath)
-	if checkFileExists(fullPath) && !request.Overwrite {
-		log.Println("Manager | cannot upload file as file on same path already exists")
-		return
-	}
-	log.Println("Manager | uploading to (" + request.Path + ")")
-	if err := os.WriteFile(fullPath, request.Buffer.Bytes(), 0o644); err != nil {
-		log.Println("Manager | failed uploading (" + request.Path + ") cause: " + err.Error())
-	}
-}
-
-func checkFileExists(path string) bool {
-	_, err := os.Stat(path)
-	return err == nil
-}
-func (f *fileManager) Download(ctx context.Context, path string) (file []byte, err error) {
-	fullPath := filepath.Join(f.path, path)
-	file, err = ioutil.ReadFile(fullPath)
-	if err != nil {
-		log.Println("Manager | failed downloading (" + path + ") cause: " + err.Error())
-	}
-	return
-}
-func (f *fileManager) Presign(_ context.Context, path string) (string, error) {
-	return "/api/v1/get?path=" + path, nil
-}
-func (f *fileManager) Copy(from string, to string, overwrite bool) error {
-	fromPath := filepath.Join(f.path, from)
-	toPath := filepath.Join(f.path, to)
-	log.Println("Manager | copying from (" + fromPath + ") to (" + toPath + ")")
-	createFolder(filepath.Join(toPath, "file"))
-	return copyFolder(fromPath, toPath, overwrite)
-}
-func (f *fileManager) Delete(path string) error {
-	log.Println("Manager | deleting " + path)
-	fullPath := filepath.Join(f.path, path)
-	if err := os.Remove(fullPath); err != nil {
-		log.Println("Manager | failed deleting (" + path + ") cause: " + err.Error())
-		return err
-	}
-	f.cache.Remove(path)
-	return nil
-}
-func createFolder(path string) {
-	paths := strings.Split(path, "/")
-	folderPath := "/" + filepath.Join(paths[:len(paths)-1]...)
-	if err := os.MkdirAll(folderPath, 0o755); err != nil {
-		log.Println("[error] ", err)
-	}
-}
-func copyFolder(source, destination string, overwrite bool) error {
-	var err = filepath.WalkDir(source, func(path string, d os.DirEntry, err error) error {
-		relPath := strings.Replace(path, source, "", 1)
-		if relPath == "" {
-			return nil
-		}
-		if d.IsDir() {
-			return os.Mkdir(filepath.Join(destination, relPath), 0755)
-		} else {
-			doesExist := false
-			if _, err := os.Stat(filepath.Join(destination, relPath)); !os.IsNotExist(err) {
-				doesExist = true
-			}
-			if !doesExist || overwrite {
-				var data, err1 = ioutil.ReadFile(filepath.Join(source, relPath))
-				if err1 != nil {
-					return err1
-				}
-				return ioutil.WriteFile(filepath.Join(destination, relPath), data, 0777)
-			} else {
-				return nil
-			}
-		}
-	})
-	return err
-}
-
 func newS3Bucket(cacheManager cache.Manager, expiration time.Duration) Manager {
 	sess, err := session.NewSession(&aws.Config{
 		Region: aws.String(os.Getenv("AWS_REGION_NAME"))},
@@ -163,22 +66,22 @@ func (a *awsManager) Upload(request UploadRequest) {
 	a.addToCurrentlyUploading(request.Path)
 	a.requests <- request
 }
-func (a *awsManager) Presign(ctx context.Context, path string) (string, error) {
+func (a *awsManager) Presign(_ context.Context, path string) (string, error) {
 	if !a.waitForUploadComplete(path) {
 		return "", errors.New("failed upload")
 	}
 	// ask cache for latest url
-	if url, err := a.cache.Get(path); err == nil {
-		return url, nil
+	if uri, err := a.cache.Get(path); err == nil {
+		return uri, nil
 	}
 	// if there is no value in cache, presign url and add it to cache
-	url, err := a.presign(path, a.expiration)
+	uri, err := a.presign(path, a.expiration)
 	if err != nil {
-		a.cache.Set(path, url, a.expiration)
+		_ = a.cache.Set(path, uri, a.expiration)
 	}
-	return url, err
+	return uri, err
 }
-func (a *awsManager) Download(ctx context.Context, path string) (file []byte, err error) {
+func (a *awsManager) Download(_ context.Context, path string) (file []byte, err error) {
 	return a.download(path)
 }
 func (a *awsManager) Copy(from string, to string, overwrite bool) error {

go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/go-playground/locales v0.13.0 // indirect
 	github.com/go-playground/universal-translator v0.17.0 // indirect
 	github.com/go-playground/validator/v10 v10.4.1 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.9 // indirect

go.sum

@@ -33,6 +33,8 @@ github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn
 github.com/go-redis/redis/v8 v8.11.4 h1:kHoYkfZP6+pe04aFTnhDH6GDROa5yJdHJVNxV3F46Tg=
 github.com/go-redis/redis/v8 v8.11.4/go.mod h1:2Z2wHZXdQpCDXEGzqMockDpNyYvi2l4Pxt6RJr792+w=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=

makefile

@@ -1,7 +1,7 @@
 # scripts for building account tracker backend
 # requires go 1.18+ and git installed
 
-VERSION := 0.0.1
+VERSION := 1.1.0
 
 serve:
 	go run ./...

security/generator.go

@@ -0,0 +1,60 @@
+package security
+
+import (
+	"errors"
+	"github.com/golang-jwt/jwt"
+	"os"
+	"time"
+)
+
+type PresignToken struct {
+	Path string
+}
+
+type Type string
+
+const (
+	TypeBasic Type = "basic"
+	TypeApi   Type = "api"
+	TypeToken Type = "token"
+)
+
+func CreateToken(tokenInfo PresignToken, duration time.Duration) (string, error) {
+	// jwt token
+	atClaims := jwt.MapClaims{}
+	atClaims["authorized"] = true
+	// user info
+	atClaims["path"] = tokenInfo.Path
+	// expiration
+	atClaims["exp"] = time.Now().Add(duration).Unix()
+	at := jwt.NewWithClaims(jwt.SigningMethodHS256, atClaims)
+
+	secret := getSecret()
+	return at.SignedString([]byte(secret))
+}
+
+func ParseToken(token string) (PresignToken, error) {
+	secret := getSecret()
+	parsedToken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
+		return []byte(secret), nil
+	})
+	if err != nil {
+		return PresignToken{}, err
+	}
+	claims, ok := parsedToken.Claims.(jwt.MapClaims)
+	if ok {
+		return PresignToken{
+			Path: claims["path"].(string),
+		}, nil
+	} else {
+		return PresignToken{}, errors.New("failed parsing token")
+	}
+}
+
+func getSecret() string {
+	secret, exists := os.LookupEnv("JWT_SECRET")
+	if !exists {
+		panic("env variable JWT_SECRET not set")
+	}
+	return secret
+}