代码拉取完成,页面将自动刷新
package osscrypto
import (
"encoding/base64"
"encoding/json"
"fmt"
"hash"
"hash/crc64"
"io"
"net/http"
"os"
"strconv"
kms "github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
)
// MasterCipherManager is interface for getting master key with MatDesc(material desc)
// If you may use different master keys for encrypting and decrypting objects,each master
// key must have a unique, non-emtpy, unalterable MatDesc(json string format) and you must provide this interface
// If you always use the same master key for encrypting and decrypting objects, MatDesc
// can be empty and you don't need to provide this interface
//
// matDesc map[string]string:is converted by matDesc json string
// return: []string the secret key information,such as {"rsa-public-key","rsa-private-key"} or {"non-rsa-key"}
type MasterCipherManager interface {
GetMasterKey(matDesc map[string]string) ([]string, error)
}
// ExtraCipherBuilder is interface for creating a decrypt ContentCipher with Envelope
// If the objects you need to decrypt are neither encrypted with ContentCipherBuilder
// you provided, nor encrypted with rsa and ali kms master keys, you must provide this interface
//
// ContentCipher the interface used to decrypt objects
type ExtraCipherBuilder interface {
GetDecryptCipher(envelope Envelope, cm MasterCipherManager) (ContentCipher, error)
}
// CryptoBucketOption CryptoBucket option such as SetAliKmsClient, SetMasterCipherManager, SetDecryptCipherManager.
type CryptoBucketOption func(*CryptoBucket)
// SetAliKmsClient set field AliKmsClient of CryptoBucket
// If the objects you need to decrypt are encrypted with ali kms master key,but not with ContentCipherBuilder
// you provided, you must provide this interface
func SetAliKmsClient(client *kms.Client) CryptoBucketOption {
return func(bucket *CryptoBucket) {
bucket.AliKmsClient = client
}
}
// SetMasterCipherManager set field MasterCipherManager of CryptoBucket
func SetMasterCipherManager(manager MasterCipherManager) CryptoBucketOption {
return func(bucket *CryptoBucket) {
bucket.MasterCipherManager = manager
}
}
// SetExtraCipherBuilder set field ExtraCipherBuilder of CryptoBucket
func SetExtraCipherBuilder(extraBuilder ExtraCipherBuilder) CryptoBucketOption {
return func(bucket *CryptoBucket) {
bucket.ExtraCipherBuilder = extraBuilder
}
}
// DefaultExtraCipherBuilder is Default implementation of the ExtraCipherBuilder for rsa and kms master keys
type DefaultExtraCipherBuilder struct {
AliKmsClient *kms.Client
}
// GetDecryptCipher is used to get ContentCipher for decrypt object
func (decb *DefaultExtraCipherBuilder) GetDecryptCipher(envelope Envelope, cm MasterCipherManager) (ContentCipher, error) {
if cm == nil {
return nil, fmt.Errorf("DefaultExtraCipherBuilder GetDecryptCipher error,MasterCipherManager is nil")
}
if envelope.CEKAlg != AesCtrAlgorithm {
return nil, fmt.Errorf("DefaultExtraCipherBuilder GetDecryptCipher error,not supported content algorithm %s", envelope.CEKAlg)
}
if envelope.WrapAlg != RsaCryptoWrap && envelope.WrapAlg != KmsAliCryptoWrap {
return nil, fmt.Errorf("DefaultExtraCipherBuilder GetDecryptCipher error,not supported envelope wrap algorithm %s", envelope.WrapAlg)
}
matDesc := make(map[string]string)
if envelope.MatDesc != "" {
err := json.Unmarshal([]byte(envelope.MatDesc), &matDesc)
if err != nil {
return nil, err
}
}
masterKeys, err := cm.GetMasterKey(matDesc)
if err != nil {
return nil, err
}
var contentCipher ContentCipher
if envelope.WrapAlg == RsaCryptoWrap {
// for rsa master key
if len(masterKeys) != 2 {
return nil, fmt.Errorf("rsa keys count must be 2,now is %d", len(masterKeys))
}
rsaCipher, err := CreateMasterRsa(matDesc, masterKeys[0], masterKeys[1])
if err != nil {
return nil, err
}
aesCtrBuilder := CreateAesCtrCipher(rsaCipher)
contentCipher, err = aesCtrBuilder.ContentCipherEnv(envelope)
} else if envelope.WrapAlg == KmsAliCryptoWrap {
// for kms master key
if len(masterKeys) != 1 {
return nil, fmt.Errorf("non-rsa keys count must be 1,now is %d", len(masterKeys))
}
if decb.AliKmsClient == nil {
return nil, fmt.Errorf("aliyun kms client is nil")
}
kmsCipher, err := CreateMasterAliKms(matDesc, masterKeys[0], decb.AliKmsClient)
if err != nil {
return nil, err
}
aesCtrBuilder := CreateAesCtrCipher(kmsCipher)
contentCipher, err = aesCtrBuilder.ContentCipherEnv(envelope)
} else {
// to do
// for master keys which are neither rsa nor kms
}
return contentCipher, err
}
// CryptoBucket implements the operations for encrypting and decrypting objects
// ContentCipherBuilder is used to encrypt and decrypt objects by default
// when the object's MatDesc which you want to decrypt is emtpy or same to the
// master key's MatDesc you provided in ContentCipherBuilder, sdk try to
// use ContentCipherBuilder to decrypt
type CryptoBucket struct {
oss.Bucket
ContentCipherBuilder ContentCipherBuilder
ExtraCipherBuilder ExtraCipherBuilder
MasterCipherManager MasterCipherManager
AliKmsClient *kms.Client
}
// GetCryptoBucket create a client encyrption bucket
func GetCryptoBucket(client *oss.Client, bucketName string, builder ContentCipherBuilder,
options ...CryptoBucketOption) (*CryptoBucket, error) {
var cryptoBucket CryptoBucket
cryptoBucket.Client = *client
cryptoBucket.BucketName = bucketName
cryptoBucket.ContentCipherBuilder = builder
for _, option := range options {
option(&cryptoBucket)
}
if cryptoBucket.ExtraCipherBuilder == nil {
cryptoBucket.ExtraCipherBuilder = &DefaultExtraCipherBuilder{AliKmsClient: cryptoBucket.AliKmsClient}
}
return &cryptoBucket, nil
}
// PutObject creates a new object and encyrpt it on client side when uploading to oss
func (bucket CryptoBucket) PutObject(objectKey string, reader io.Reader, options ...oss.Option) error {
options = bucket.AddEncryptionUaSuffix(options)
cc, err := bucket.ContentCipherBuilder.ContentCipher()
if err != nil {
return err
}
cryptoReader, err := cc.EncryptContent(reader)
if err != nil {
return err
}
var request *oss.PutObjectRequest
srcLen, err := oss.GetReaderLen(reader)
if err != nil {
request = &oss.PutObjectRequest{
ObjectKey: objectKey,
Reader: cryptoReader,
}
} else {
encryptedLen := cc.GetEncryptedLen(srcLen)
request = &oss.PutObjectRequest{
ObjectKey: objectKey,
Reader: oss.LimitReadCloser(cryptoReader, encryptedLen),
}
}
opts := addCryptoHeaders(options, cc.GetCipherData())
resp, err := bucket.DoPutObject(request, opts)
if err != nil {
return err
}
defer resp.Body.Close()
return err
}
// GetObject downloads the object from oss
// If the object is encrypted, sdk decrypt it automaticly
func (bucket CryptoBucket) GetObject(objectKey string, options ...oss.Option) (io.ReadCloser, error) {
options = bucket.AddEncryptionUaSuffix(options)
result, err := bucket.DoGetObject(&oss.GetObjectRequest{ObjectKey: objectKey}, options)
if err != nil {
return nil, err
}
return result.Response, nil
}
// GetObjectToFile downloads the object from oss to local file
// If the object is encrypted, sdk decrypt it automaticly
func (bucket CryptoBucket) GetObjectToFile(objectKey, filePath string, options ...oss.Option) error {
options = bucket.AddEncryptionUaSuffix(options)
tempFilePath := filePath + oss.TempFileSuffix
// Calls the API to actually download the object. Returns the result instance.
result, err := bucket.DoGetObject(&oss.GetObjectRequest{ObjectKey: objectKey}, options)
if err != nil {
return err
}
defer result.Response.Close()
// If the local file does not exist, create a new one. If it exists, overwrite it.
fd, err := os.OpenFile(tempFilePath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, oss.FilePermMode)
if err != nil {
return err
}
// Copy the data to the local file path.
_, err = io.Copy(fd, result.Response.Body)
fd.Close()
if err != nil {
return err
}
// Compares the CRC value
hasRange, _, _ := oss.IsOptionSet(options, oss.HTTPHeaderRange)
encodeOpt, _ := oss.FindOption(options, oss.HTTPHeaderAcceptEncoding, nil)
acceptEncoding := ""
if encodeOpt != nil {
acceptEncoding = encodeOpt.(string)
}
if bucket.GetConfig().IsEnableCRC && !hasRange && acceptEncoding != "gzip" {
result.Response.ClientCRC = result.ClientCRC.Sum64()
err = oss.CheckCRC(result.Response, "GetObjectToFile")
if err != nil {
os.Remove(tempFilePath)
return err
}
}
return os.Rename(tempFilePath, filePath)
}
// DoGetObject is the actual API that gets the encrypted or not encrypted object.
// It's the internal function called by other public APIs.
func (bucket CryptoBucket) DoGetObject(request *oss.GetObjectRequest, options []oss.Option) (*oss.GetObjectResult, error) {
options = bucket.AddEncryptionUaSuffix(options)
// first,we must head object
metaInfo, err := bucket.GetObjectDetailedMeta(request.ObjectKey)
if err != nil {
return nil, err
}
isEncryptedObj := isEncryptedObject(metaInfo)
if !isEncryptedObj {
return bucket.Bucket.DoGetObject(request, options)
}
envelope, err := getEnvelopeFromHeader(metaInfo)
if err != nil {
return nil, err
}
if !isValidContentAlg(envelope.CEKAlg) {
return nil, fmt.Errorf("not supported content algorithm %s,object:%s", envelope.CEKAlg, request.ObjectKey)
}
if !envelope.IsValid() {
return nil, fmt.Errorf("getEnvelopeFromHeader error,object:%s", request.ObjectKey)
}
// use ContentCipherBuilder to decrpt object by default
encryptMatDesc := bucket.ContentCipherBuilder.GetMatDesc()
var cc ContentCipher
err = nil
if envelope.MatDesc == encryptMatDesc {
cc, err = bucket.ContentCipherBuilder.ContentCipherEnv(envelope)
} else {
cc, err = bucket.ExtraCipherBuilder.GetDecryptCipher(envelope, bucket.MasterCipherManager)
}
if err != nil {
return nil, fmt.Errorf("%s,object:%s", err.Error(), request.ObjectKey)
}
discardFrontAlignLen := int64(0)
uRange, err := oss.GetRangeConfig(options)
if err != nil {
return nil, err
}
if uRange != nil && uRange.HasStart {
// process range to align key size
adjustStart := adjustRangeStart(uRange.Start, cc)
discardFrontAlignLen = uRange.Start - adjustStart
if discardFrontAlignLen > 0 {
uRange.Start = adjustStart
options = oss.DeleteOption(options, oss.HTTPHeaderRange)
options = append(options, oss.NormalizedRange(oss.GetRangeString(*uRange)))
}
// seek iv
cipherData := cc.GetCipherData().Clone()
cipherData.SeekIV(uint64(adjustStart))
cc, _ = cc.Clone(cipherData)
}
params, _ := oss.GetRawParams(options)
resp, err := bucket.Do("GET", request.ObjectKey, params, options, nil, nil)
if err != nil {
return nil, err
}
result := &oss.GetObjectResult{
Response: resp,
}
// CRC
var crcCalc hash.Hash64
hasRange, _, _ := oss.IsOptionSet(options, oss.HTTPHeaderRange)
if bucket.GetConfig().IsEnableCRC && !hasRange {
crcCalc = crc64.New(oss.CrcTable())
result.ServerCRC = resp.ServerCRC
result.ClientCRC = crcCalc
}
// Progress
listener := oss.GetProgressListener(options)
contentLen, _ := strconv.ParseInt(resp.Headers.Get(oss.HTTPHeaderContentLength), 10, 64)
resp.Body = oss.TeeReader(resp.Body, crcCalc, contentLen, listener, nil)
resp.Body, err = cc.DecryptContent(resp.Body)
if err == nil && discardFrontAlignLen > 0 {
resp.Body = &oss.DiscardReadCloser{
RC: resp.Body,
Discard: int(discardFrontAlignLen)}
}
return result, err
}
// PutObjectFromFile creates a new object from the local file
// the object will be encrypted automaticly on client side when uploaded to oss
func (bucket CryptoBucket) PutObjectFromFile(objectKey, filePath string, options ...oss.Option) error {
options = bucket.AddEncryptionUaSuffix(options)
fd, err := os.Open(filePath)
if err != nil {
return err
}
defer fd.Close()
opts := oss.AddContentType(options, filePath, objectKey)
cc, err := bucket.ContentCipherBuilder.ContentCipher()
if err != nil {
return err
}
cryptoReader, err := cc.EncryptContent(fd)
if err != nil {
return err
}
var request *oss.PutObjectRequest
srcLen, err := oss.GetReaderLen(fd)
if err != nil {
request = &oss.PutObjectRequest{
ObjectKey: objectKey,
Reader: cryptoReader,
}
} else {
encryptedLen := cc.GetEncryptedLen(srcLen)
request = &oss.PutObjectRequest{
ObjectKey: objectKey,
Reader: oss.LimitReadCloser(cryptoReader, encryptedLen),
}
}
opts = addCryptoHeaders(opts, cc.GetCipherData())
resp, err := bucket.DoPutObject(request, opts)
if err != nil {
return err
}
defer resp.Body.Close()
return nil
}
// AppendObject please refer to Bucket.AppendObject
func (bucket CryptoBucket) AppendObject(objectKey string, reader io.Reader, appendPosition int64, options ...oss.Option) (int64, error) {
return 0, fmt.Errorf("CryptoBucket doesn't support AppendObject")
}
// DoAppendObject please refer to Bucket.DoAppendObject
func (bucket CryptoBucket) DoAppendObject(request *oss.AppendObjectRequest, options []oss.Option) (*oss.AppendObjectResult, error) {
return nil, fmt.Errorf("CryptoBucket doesn't support DoAppendObject")
}
// PutObjectWithURL please refer to Bucket.PutObjectWithURL
func (bucket CryptoBucket) PutObjectWithURL(signedURL string, reader io.Reader, options ...oss.Option) error {
return fmt.Errorf("CryptoBucket doesn't support PutObjectWithURL")
}
// PutObjectFromFileWithURL please refer to Bucket.PutObjectFromFileWithURL
func (bucket CryptoBucket) PutObjectFromFileWithURL(signedURL, filePath string, options ...oss.Option) error {
return fmt.Errorf("CryptoBucket doesn't support PutObjectFromFileWithURL")
}
// DoPutObjectWithURL please refer to Bucket.DoPutObjectWithURL
func (bucket CryptoBucket) DoPutObjectWithURL(signedURL string, reader io.Reader, options []oss.Option) (*oss.Response, error) {
return nil, fmt.Errorf("CryptoBucket doesn't support DoPutObjectWithURL")
}
// GetObjectWithURL please refer to Bucket.GetObjectWithURL
func (bucket CryptoBucket) GetObjectWithURL(signedURL string, options ...oss.Option) (io.ReadCloser, error) {
return nil, fmt.Errorf("CryptoBucket doesn't support GetObjectWithURL")
}
// GetObjectToFileWithURL please refer to Bucket.GetObjectToFileWithURL
func (bucket CryptoBucket) GetObjectToFileWithURL(signedURL, filePath string, options ...oss.Option) error {
return fmt.Errorf("CryptoBucket doesn't support GetObjectToFileWithURL")
}
// DoGetObjectWithURL please refer to Bucket.DoGetObjectWithURL
func (bucket CryptoBucket) DoGetObjectWithURL(signedURL string, options []oss.Option) (*oss.GetObjectResult, error) {
return nil, fmt.Errorf("CryptoBucket doesn't support DoGetObjectWithURL")
}
// ProcessObject please refer to Bucket.ProcessObject
func (bucket CryptoBucket) ProcessObject(objectKey string, process string, options ...oss.Option) (oss.ProcessObjectResult, error) {
var out oss.ProcessObjectResult
return out, fmt.Errorf("CryptoBucket doesn't support ProcessObject")
}
func (bucket CryptoBucket) AddEncryptionUaSuffix(options []oss.Option) []oss.Option {
var outOption []oss.Option
bSet, _, _ := oss.IsOptionSet(options, oss.HTTPHeaderUserAgent)
if bSet || bucket.Client.Config.UserSetUa {
outOption = options
return outOption
}
outOption = append(options, oss.UserAgentHeader(bucket.Client.Config.UserAgent+"/"+EncryptionUaSuffix))
return outOption
}
// isEncryptedObject judge the object is encrypted or not
func isEncryptedObject(headers http.Header) bool {
encrptedKey := headers.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionKey)
return len(encrptedKey) > 0
}
// addCryptoHeaders save Envelope information in oss meta
func addCryptoHeaders(options []oss.Option, cd *CipherData) []oss.Option {
opts := []oss.Option{}
// convert content-md5
md5Option, _ := oss.FindOption(options, oss.HTTPHeaderContentMD5, nil)
if md5Option != nil {
opts = append(opts, oss.Meta(OssClientSideEncryptionUnencryptedContentMD5, md5Option.(string)))
options = oss.DeleteOption(options, oss.HTTPHeaderContentMD5)
}
// convert content-length
lenOption, _ := oss.FindOption(options, oss.HTTPHeaderContentLength, nil)
if lenOption != nil {
opts = append(opts, oss.Meta(OssClientSideEncryptionUnencryptedContentLength, lenOption.(string)))
options = oss.DeleteOption(options, oss.HTTPHeaderContentLength)
}
opts = append(opts, options...)
// matDesc
if cd.MatDesc != "" {
opts = append(opts, oss.Meta(OssClientSideEncryptionMatDesc, cd.MatDesc))
}
// encrypted key
strEncryptedKey := base64.StdEncoding.EncodeToString(cd.EncryptedKey)
opts = append(opts, oss.Meta(OssClientSideEncryptionKey, strEncryptedKey))
// encrypted iv
strEncryptedIV := base64.StdEncoding.EncodeToString(cd.EncryptedIV)
opts = append(opts, oss.Meta(OssClientSideEncryptionStart, strEncryptedIV))
// wrap alg
opts = append(opts, oss.Meta(OssClientSideEncryptionWrapAlg, cd.WrapAlgorithm))
// cek alg
opts = append(opts, oss.Meta(OssClientSideEncryptionCekAlg, cd.CEKAlgorithm))
return opts
}
func getEnvelopeFromHeader(header http.Header) (Envelope, error) {
var envelope Envelope
envelope.IV = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionStart)
decodedIV, err := base64.StdEncoding.DecodeString(envelope.IV)
if err != nil {
return envelope, err
}
envelope.IV = string(decodedIV)
envelope.CipherKey = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionKey)
decodedKey, err := base64.StdEncoding.DecodeString(envelope.CipherKey)
if err != nil {
return envelope, err
}
envelope.CipherKey = string(decodedKey)
envelope.MatDesc = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionMatDesc)
envelope.WrapAlg = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionWrapAlg)
envelope.CEKAlg = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionCekAlg)
envelope.UnencryptedMD5 = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionUnencryptedContentMD5)
envelope.UnencryptedContentLen = header.Get(oss.HTTPHeaderOssMetaPrefix + OssClientSideEncryptionUnencryptedContentLength)
return envelope, err
}
func isValidContentAlg(algName string) bool {
// now content encyrption only support aec/ctr algorithm
return algName == AesCtrAlgorithm
}
func adjustRangeStart(start int64, cc ContentCipher) int64 {
alignLen := int64(cc.GetAlignLen())
return (start / alignLen) * alignLen
}
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。