casdoor/object/storage.go

// Copyright 2021 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package object

import (
	"bytes"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"

	"github.com/casdoor/casdoor/conf"
	"github.com/casdoor/casdoor/i18n"
	"github.com/casdoor/casdoor/storage"
	"github.com/casdoor/casdoor/util"
	"github.com/casdoor/oss"
)

var isCloudIntranet bool

func init() {
	isCloudIntranet = conf.GetConfigBool("isCloudIntranet")
}

func getProviderEndpoint(provider *Provider) string {
	endpoint := provider.Endpoint
	if provider.IntranetEndpoint != "" && isCloudIntranet {
		endpoint = provider.IntranetEndpoint
	}
	return endpoint
}

func escapePath(path string) string {
	tokens := strings.Split(path, "/")
	if len(tokens) > 0 {
		tokens[len(tokens)-1] = url.QueryEscape(tokens[len(tokens)-1])
	}

	res := strings.Join(tokens, "/")
	return res
}

func GetTruncatedPath(provider *Provider, fullFilePath string, limit int) string {
	pathPrefix := util.UrlJoin(util.GetUrlPath(provider.Domain), provider.PathPrefix)

	dir, file := filepath.Split(fullFilePath)
	ext := filepath.Ext(file)
	fileName := strings.TrimSuffix(file, ext)
	for {
		escapedString := escapePath(escapePath(fullFilePath))
		if len(escapedString) < limit-len(pathPrefix) {
			break
		}
		rs := []rune(fileName)
		fileName = string(rs[0 : len(rs)-1])
		fullFilePath = dir + fileName + ext
	}

	return fullFilePath
}

func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool) (string, string) {
	escapedPath := util.UrlJoin(provider.PathPrefix, fullFilePath)
	objectKey := util.UrlJoin(util.GetUrlPath(provider.Domain), escapedPath)

	host := ""
	if provider.Type != "Local File System" {
		// provider.Domain = "https://cdn.casbin.com/casdoor/"
		host = util.GetUrlHost(provider.Domain)
		if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {
			host = fmt.Sprintf("https://%s", host)
		}
	} else {
		// provider.Domain = "http://localhost:8000" or "https://door.casdoor.com"
		host = util.UrlJoin(provider.Domain, "/files")
	}
	if provider.Type == "Azure Blob" {
		host = util.UrlJoin(host, provider.Bucket)
	}

	fileUrl := util.UrlJoin(host, escapePath(objectKey))

	if hasTimestamp {
		fileUrl = fmt.Sprintf("%s?t=%s", fileUrl, util.GetCurrentUnixTime())
	}

	if provider.Type == "Tencent Cloud COS" {
		objectKey = escapePath(objectKey)
	}

	return fileUrl, objectKey
}

func getStorageProvider(provider *Provider, lang string) (oss.StorageInterface, error) {
	endpoint := getProviderEndpoint(provider)
	storageProvider := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)
	if storageProvider == nil {
		return nil, fmt.Errorf(i18n.Translate(lang, "storage:The provider type: %s is not supported"), provider.Type)
	}

	if provider.Domain == "" {
		provider.Domain = storageProvider.GetEndpoint()
		UpdateProvider(provider.GetId(), provider)
	}

	return storageProvider, nil
}

func uploadFile(provider *Provider, fullFilePath string, fileBuffer *bytes.Buffer, lang string) (string, string, error) {
	storageProvider, err := getStorageProvider(provider, lang)
	if err != nil {
		return "", "", err
	}

	fileUrl, objectKey := GetUploadFileUrl(provider, fullFilePath, true)

	_, err = storageProvider.Put(objectKey, fileBuffer)
	if err != nil {
		return "", "", err
	}

	return fileUrl, objectKey, nil
}

func UploadFileSafe(provider *Provider, fullFilePath string, fileBuffer *bytes.Buffer, lang string) (string, string, error) {
	// check fullFilePath is there security issue
	if strings.Contains(fullFilePath, "..") {
		return "", "", fmt.Errorf("the fullFilePath: %s is not allowed", fullFilePath)
	}

	var fileUrl string
	var objectKey string
	var err error
	times := 0
	for {
		fileUrl, objectKey, err = uploadFile(provider, fullFilePath, fileBuffer, lang)
		if err != nil {
			times += 1
			if times >= 5 {
				return "", "", err
			}
		} else {
			break
		}
	}
	return fileUrl, objectKey, nil
}

func DeleteFile(provider *Provider, objectKey string, lang string) error {
	// check fullFilePath is there security issue
	if strings.Contains(objectKey, "..") {
		return fmt.Errorf(i18n.Translate(lang, "storage:The objectKey: %s is not allowed"), objectKey)
	}

	storageProvider, err := getStorageProvider(provider, lang)
	if err != nil {
		return err
	}

	return storageProvider.Delete(objectKey)
}
Update license headers. 2022-02-13 23:39:27 +08:00			`// Copyright 2021 The Casdoor Authors. All Rights Reserved.`
feat: integrate Storage config into providers (#198) Signed-off-by: Kininaru <shiftregister233@outlook.com> 2021-07-26 11:39:49 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package object`

			`import (`
			`"bytes"`
			`"fmt"`
Add escapePath for getUploadFileUrl(). 2022-07-12 23:24:24 +08:00			`"net/url"`
feat: fix file name length problem (#1534) 2023-02-10 20:27:20 +08:00			`"path/filepath"`
feat: add local file system storage provider (#224) Signed-off-by: sh1luo <690898835@qq.com> 2021-08-08 14:18:44 +08:00			`"strings"`

feat: support overriding configuration with env (#590) 2022-03-20 23:21:09 +08:00			`"github.com/casdoor/casdoor/conf"`
feat: support i18n in backend err messages (#1232) * feat: support i18n in backend err messages * use gofumpt to fmt code * fix review problems * support auto generate err message * delete beego/i18n moudle * fix Github action test problems * fix review problems * use gofumpt to format code * use gofumpt to fmt code 2022-10-23 15:16:24 +08:00			`"github.com/casdoor/casdoor/i18n"`
Update import path. 2022-01-20 14:11:46 +08:00			`"github.com/casdoor/casdoor/storage"`
			`"github.com/casdoor/casdoor/util"`
feat: refactor code to add getStorageProvider() 2023-07-17 15:24:53 +08:00			`"github.com/casdoor/oss"`
feat: integrate Storage config into providers (#198) Signed-off-by: Kininaru <shiftregister233@outlook.com> 2021-07-26 11:39:49 +08:00			`)`

Add IntranetEndpoint to provider. 2021-12-04 16:35:33 +08:00			`var isCloudIntranet bool`

			`func init() {`
feat: return most backend API errors to frontend (#1836) * feat: return most backend API errros to frontend Signed-off-by: yehong <239859435@qq.com> * refactor: reduce int type change Signed-off-by: yehong <239859435@qq.com> * feat: return err backend in token.go Signed-off-by: yehong <239859435@qq.com> --------- Signed-off-by: yehong <239859435@qq.com> 2023-05-30 15:49:39 +08:00			`isCloudIntranet = conf.GetConfigBool("isCloudIntranet")`
Add IntranetEndpoint to provider. 2021-12-04 16:35:33 +08:00			`}`

			`func getProviderEndpoint(provider *Provider) string {`
			`endpoint := provider.Endpoint`
			`if provider.IntranetEndpoint != "" && isCloudIntranet {`
			`endpoint = provider.IntranetEndpoint`
			`}`
			`return endpoint`
			`}`

Add escapePath for getUploadFileUrl(). 2022-07-12 23:24:24 +08:00			`func escapePath(path string) string {`
			`tokens := strings.Split(path, "/")`
			`if len(tokens) > 0 {`
			`tokens[len(tokens)-1] = url.QueryEscape(tokens[len(tokens)-1])`
			`}`

			`res := strings.Join(tokens, "/")`
			`return res`
			`}`

feat: fix file name length problem (#1534) 2023-02-10 20:27:20 +08:00			`func GetTruncatedPath(provider *Provider, fullFilePath string, limit int) string {`
			`pathPrefix := util.UrlJoin(util.GetUrlPath(provider.Domain), provider.PathPrefix)`

			`dir, file := filepath.Split(fullFilePath)`
			`ext := filepath.Ext(file)`
			`fileName := strings.TrimSuffix(file, ext)`
			`for {`
			`escapedString := escapePath(escapePath(fullFilePath))`
			`if len(escapedString) < limit-len(pathPrefix) {`
			`break`
			`}`
			`rs := []rune(fileName)`
			`fileName = string(rs[0 : len(rs)-1])`
			`fullFilePath = dir + fileName + ext`
			`}`

			`return fullFilePath`
			`}`

feat: use another filename when uploading a duplicated file instead of replacing it (#1329) * fix: upload a file with the same name, not replace * Update resource.go Co-authored-by: hsluoyz <hsluoyz@qq.com> 2022-11-27 17:32:15 +08:00			`func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool) (string, string) {`
Remove escapePath() to fix Unicode resource filenames 2023-09-17 21:31:22 +08:00			`escapedPath := util.UrlJoin(provider.PathPrefix, fullFilePath)`
Add escapePath for getUploadFileUrl(). 2022-07-12 23:24:24 +08:00			`objectKey := util.UrlJoin(util.GetUrlPath(provider.Domain), escapedPath)`
Add PermanentAvatar to user. 2021-08-21 23:17:33 +08:00
			`host := ""`
			`if provider.Type != "Local File System" {`
			`// provider.Domain = "https://cdn.casbin.com/casdoor/"`
			`host = util.GetUrlHost(provider.Domain)`
			`if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {`
			`host = fmt.Sprintf("https://%s", host)`
			`}`
			`} else {`
Update demo site URL. 2022-02-13 20:47:34 +08:00			`// provider.Domain = "http://localhost:8000" or "https://door.casdoor.com"`
Add PermanentAvatar to user. 2021-08-21 23:17:33 +08:00			`host = util.UrlJoin(provider.Domain, "/files")`
			`}`
fix: improve swagger Api docunment (#812) 2022-06-21 23:11:29 +08:00			`if provider.Type == "Azure Blob" {`
feat: support prefix path for storage files (#1258) 2022-11-04 21:08:39 +08:00			`host = util.UrlJoin(host, provider.Bucket)`
fix: improve swagger Api docunment (#812) 2022-06-21 23:11:29 +08:00			`}`
feat: fix the upload file name contains space problem (#1527) 2023-02-07 23:26:17 +08:00
			`fileUrl := util.UrlJoin(host, escapePath(objectKey))`
Add PermanentAvatar to user. 2021-08-21 23:17:33 +08:00
			`if hasTimestamp {`
fix: URL bug in getUploadFileUrl function 2022-07-20 17:49:11 +08:00			`fileUrl = fmt.Sprintf("%s?t=%s", fileUrl, util.GetCurrentUnixTime())`
Add PermanentAvatar to user. 2021-08-21 23:17:33 +08:00			`}`

feat: fix the upload file name contains space problem (#1527) 2023-02-07 23:26:17 +08:00			`if provider.Type == "Tencent Cloud COS" {`
			`objectKey = escapePath(objectKey)`
			`}`

Add PermanentAvatar to user. 2021-08-21 23:17:33 +08:00			`return fileUrl, objectKey`
			`}`

feat: refactor code to add getStorageProvider() 2023-07-17 15:24:53 +08:00			`func getStorageProvider(provider *Provider, lang string) (oss.StorageInterface, error) {`
Add IntranetEndpoint to provider. 2021-12-04 16:35:33 +08:00			`endpoint := getProviderEndpoint(provider)`
			`storageProvider := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)`
Refactor the storage provider interface. 2021-08-08 11:37:16 +08:00			`if storageProvider == nil {`
feat: refactor code to add getStorageProvider() 2023-07-17 15:24:53 +08:00			`return nil, fmt.Errorf(i18n.Translate(lang, "storage:The provider type: %s is not supported"), provider.Type)`
feat: integrate Storage config into providers (#198) Signed-off-by: Kininaru <shiftregister233@outlook.com> 2021-07-26 11:39:49 +08:00			`}`

Refactor the storage provider interface. 2021-08-08 11:37:16 +08:00			`if provider.Domain == "" {`
			`provider.Domain = storageProvider.GetEndpoint()`
feat: integrate Storage config into providers (#198) Signed-off-by: Kininaru <shiftregister233@outlook.com> 2021-07-26 11:39:49 +08:00			`UpdateProvider(provider.GetId(), provider)`
			`}`

feat: refactor code to add getStorageProvider() 2023-07-17 15:24:53 +08:00			`return storageProvider, nil`
			`}`

			`func uploadFile(provider Provider, fullFilePath string, fileBuffer bytes.Buffer, lang string) (string, string, error) {`
			`storageProvider, err := getStorageProvider(provider, lang)`
			`if err != nil {`
			`return "", "", err`
			`}`

feat: use another filename when uploading a duplicated file instead of replacing it (#1329) * fix: upload a file with the same name, not replace * Update resource.go Co-authored-by: hsluoyz <hsluoyz@qq.com> 2022-11-27 17:32:15 +08:00			`fileUrl, objectKey := GetUploadFileUrl(provider, fullFilePath, true)`
Add PermanentAvatar to user. 2021-08-21 23:17:33 +08:00
feat: refactor code to add getStorageProvider() 2023-07-17 15:24:53 +08:00			`_, err = storageProvider.Put(objectKey, fileBuffer)`
feat: add local file system storage provider (#224) Signed-off-by: sh1luo <690898835@qq.com> 2021-08-08 14:18:44 +08:00			`if err != nil {`
Add resource list page. 2021-08-15 00:17:53 +08:00			`return "", "", err`
feat: add local file system storage provider (#224) Signed-off-by: sh1luo <690898835@qq.com> 2021-08-08 14:18:44 +08:00			`}`

Add resource list page. 2021-08-15 00:17:53 +08:00			`return fileUrl, objectKey, nil`
feat: integrate Storage config into providers (#198) Signed-off-by: Kininaru <shiftregister233@outlook.com> 2021-07-26 11:39:49 +08:00			`}`
Add DeleteFile(). 2021-08-15 00:41:51 +08:00
Remove Go i18n duplicates 2023-03-19 21:47:49 +08:00			`func UploadFileSafe(provider Provider, fullFilePath string, fileBuffer bytes.Buffer, lang string) (string, string, error) {`
fix: fix upload file security issue (#1063) * fix: fix upload file security issue * fix: fix 2022-08-25 11:34:09 +08:00			`// check fullFilePath is there security issue`
			`if strings.Contains(fullFilePath, "..") {`
			`return "", "", fmt.Errorf("the fullFilePath: %s is not allowed", fullFilePath)`
			`}`

Add UploadFileSafe(). 2021-11-20 16:21:15 +08:00			`var fileUrl string`
			`var objectKey string`
			`var err error`
			`times := 0`
			`for {`
Remove Go i18n duplicates 2023-03-19 21:47:49 +08:00			`fileUrl, objectKey, err = uploadFile(provider, fullFilePath, fileBuffer, lang)`
Add UploadFileSafe(). 2021-11-20 16:21:15 +08:00			`if err != nil {`
			`times += 1`
			`if times >= 5 {`
			`return "", "", err`
			`}`
			`} else {`
			`break`
			`}`
			`}`
			`return fileUrl, objectKey, nil`
			`}`

feat: support i18n in backend err messages (#1232) * feat: support i18n in backend err messages * use gofumpt to fmt code * fix review problems * support auto generate err message * delete beego/i18n moudle * fix Github action test problems * fix review problems * use gofumpt to format code * use gofumpt to fmt code 2022-10-23 15:16:24 +08:00			`func DeleteFile(provider *Provider, objectKey string, lang string) error {`
fix: fix the delete file vulnerability issue (#1174) 2022-10-01 00:33:27 +08:00			`// check fullFilePath is there security issue`
			`if strings.Contains(objectKey, "..") {`
feat: refactor backend i18n (#1373) * fix: handle the dataSourceName when DB changes * reduce duplication of code * feat: refactor translation error message * feat: use json intsead of ini file * remove useless translation * fix translate problems * remove useless addition * fix pr problems * fix pr problems * fix split problem * use gofumpt to fmt code * use crowdin to execute backend translation * fix pr problems * refactor: change translation file structure same as frontend * delete useless output * update go.mod 2022-12-07 13:13:23 +08:00			`return fmt.Errorf(i18n.Translate(lang, "storage:The objectKey: %s is not allowed"), objectKey)`
fix: fix the delete file vulnerability issue (#1174) 2022-10-01 00:33:27 +08:00			`}`

feat: refactor code to add getStorageProvider() 2023-07-17 15:24:53 +08:00			`storageProvider, err := getStorageProvider(provider, lang)`
			`if err != nil {`
			`return err`
Add DeleteFile(). 2021-08-15 00:41:51 +08:00			`}`

			`return storageProvider.Delete(objectKey)`
			`}`