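-- Request-time setup: shared token cache, HTTP client, and the AES context
-- used to decrypt the signed query parameters.
local tokenStore = ngx.shared.tokenStore
if not tokenStore then
  -- Without the shared dict every later tokenStore:get/set would fail with an
  -- opaque "attempt to index a nil value".
  error("shared dict 'tokenStore' is not configured", 0)
end

local cjson = require "cjson"
local http = require "resty.http"
local httpc = http.new()

local b64 = require "ngx.base64"
local aes = require "resty.aes"

--- Read an environment variable that this script cannot work without.
-- Raises with the variable NAME only (never its value) so a missing setting
-- shows up in the error log instead of as a nil-concatenation error later.
-- NOTE(review): nginx workers only see variables listed with the `env`
-- directive - confirm all of these are declared there.
local function required_env(name)
  local value = os.getenv(name)
  if value == nil or value == "" then
    error("missing required environment variable: " .. name, 0)
  end
  return value
end

local oauthUrl = required_env("OAUTH_SERVICE_URL")
local s3Url = required_env("S3_SERVICE_URL")
-- Resource-owner and client credentials for the OAuth password grant.
-- Never write these to the log.
local userName = required_env("USER_NAME")
local userSecret = required_env("USER_PASSWORD")
local clientName = required_env("CLIENT_NAME")
local clientSecret = required_env("CLIENT_PASSWORD")
local expiryTime = required_env("EXPIRY_TIME")
local aes_secret = required_env("AES_SECRET_KEY")
local aes_iv = required_env("AES_IV")

-- NOTE(review): the IV is a fixed value from the environment, so every value
-- is encrypted under the same key/IV pair. CBC with a constant IV is
-- deterministic (equal plaintext prefixes give equal ciphertext prefixes) and
-- provides no integrity. The same context is reused further down to compute
-- the request "signature"; a dedicated MAC key would be the safer design.
local aes_128_cbc_with_iv = assert(aes:new(aes_secret, nil, aes.cipher(128, "cbc"), { iv = aes_iv }))
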
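-- Parse the signed query parameters and reject the request unless all of
-- them are present, well-formed, and match the supplied signature.
local query_string = ngx.req.get_uri_args()

--- Decode and decrypt one base64url-encoded, AES-encrypted query parameter.
-- @param name query argument name
-- @return the plaintext string, or nil when the argument is missing,
--         repeated, valueless, not valid base64url, or fails to decrypt
local function decrypt_param(name)
  local raw = query_string[name]
  -- get_uri_args yields a table for a repeated argument and `true` for an
  -- argument without a value; only a single non-empty string is acceptable.
  if type(raw) ~= "string" or raw == "" then
    return nil
  end
  local ciphertext = b64.decode_base64url(raw)
  if not ciphertext then
    return nil
  end
  return aes_128_cbc_with_iv:decrypt(ciphertext)
end

-- Do not log the decrypted values: they identify the protected object.
local key = decrypt_param("key")
local pfolder = decrypt_param("pfolder")
local timeStamp = decrypt_param("timestamp")
local signature = query_string["signature"]

if not key or not pfolder or not timeStamp or type(signature) ~= "string" then
  -- Previously a missing or malformed argument raised a Lua error (HTTP 500)
  -- instead of taking the normal rejection path.
  ngx.log(ngx.WARN, "rejecting request: missing or malformed signed parameters")
  return ngx.redirect("/error.html")
end

-- NOTE(review): timeStamp is covered by the signature but is never compared
-- with the current time anywhere in this file, so an issued link does not
-- expire here. Its format is not visible in this file; once confirmed, reject
-- values older than the allowed window.

-- NOTE(review): this "signature" is the AES-CBC encryption of the joined
-- plaintext under the same key and fixed IV as the parameters themselves.
-- Encryption is not authentication: the value is deterministic and is not a
-- MAC. Joining with "&" is also ambiguous when a value itself contains "&".
-- Prefer an HMAC (for example HMAC-SHA256) with a separate key over an
-- unambiguous encoding of the parameters, verified before any decryption.
-- Changing this requires the link issuer to change as well, so the existing
-- scheme is kept here.
local combinedParams = key .. "&" .. pfolder .. "&" .. timeStamp
local calculatedSignature = aes_128_cbc_with_iv:encrypt(combinedParams)
local encodedCalculatedSignature = calculatedSignature and b64.encode_base64url(calculatedSignature)

if not encodedCalculatedSignature or signature ~= encodedCalculatedSignature then
  return ngx.redirect("/error.html")
end
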
--- Report whether a value is absent or the empty string.
-- @param s any value
-- @return true for nil and for "", false for everything else
function isempty(s)
  if s == nil then
    return true
  end
  return s == ''
end

--- Report whether `str` begins with the literal prefix `start`.
-- The comparison is a plain byte comparison, not a Lua pattern match.
-- @param str string to inspect (must be a string; nil raises)
-- @param start prefix to look for
-- @return true when the first #start bytes of str equal start
function starts_with(str, start)
  local prefix_length = #start
  local head = str:sub(1, prefix_length)
  return head == start
end

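--- Request a fresh access token with the OAuth password grant and cache it.
-- On any failure the request is redirected to /error.html.
-- @return the access token string (also stored in tokenStore under "token")
function getNewToken()
  local oauthRes, oauthErr = httpc:request_uri(oauthUrl .. "/oauth/token", {
    method = "POST",
    -- encode_args URL-encodes every value; plain concatenation corrupted the
    -- form body whenever a credential contained "&", "=", "+" or "%".
    body = ngx.encode_args({
      username = userName,
      password = userSecret,
      grant_type = "password",
      client_id = clientName,
      client_secret = clientSecret,
    }),
    headers = {
      ["Content-Type"] = "application/x-www-form-urlencoded",
    },
    -- NOTE(review): lua-resty-http appears to take keepalive_timeout in
    -- milliseconds - confirm that 60 is the intended value.
    keepalive_timeout = 60,
    keepalive_pool = 10,
  })
  -- NOTE(review): the credentials travel in this request body. If oauthUrl is
  -- https, confirm certificate verification is enabled and that
  -- lua_ssl_trusted_certificate is configured; if it is plain http, the
  -- secrets cross the network unprotected.

  if not oauthRes then
    ngx.log(ngx.ERR, "failed to oauth request: ", oauthErr)
    return ngx.redirect("/error.html")
  end

  -- The body holds the token, so it is deliberately never logged.
  -- cjson.decode raises on malformed JSON; pcall turns that into a rejection.
  local decoded_ok, oauthTable = pcall(cjson.decode, oauthRes.body)
  local token
  if decoded_ok and type(oauthTable) == "table" then
    token = oauthTable.access_token
  end

  -- An error response (or JSON null) must not be cached as if it were a token.
  if type(token) ~= "string" or token == "" then
    ngx.log(ngx.ERR, "oauth response carried no access token, status: ", oauthRes.status)
    return ngx.redirect("/error.html")
  end

  tokenStore:set("token", token)
  return token
end
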
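--- Ask the S3 service for a presigned URL for the requested object.
-- Retries once with a fresh token when the service reports that the cached
-- access token has expired; every other failure redirects to /error.html.
-- @param count number of attempts already made (callers start at 0)
-- @return the presigned URL string
function getUrl(count)
  if count > 1 then
    ngx.log(ngx.ERR, "Max attempt exhausted in generating url" .. count)
    return ngx.redirect("/error.html")
  end

  count = count + 1

  local token = tokenStore:get("token")
  if isempty(token) then
    token = getNewToken()
  end

  -- key and pfolder originate from the request. Escaping keeps a value that
  -- contains "&", "=", "#" or whitespace from adding or overriding query
  -- parameters on the upstream call.
  -- NOTE(review): if the issuer already percent-encodes these values before
  -- encrypting them, this would double-encode - confirm against the issuer.
  local requestUrl = s3Url .. "/v1/object/viewPresignedUrl?key=" .. ngx.escape_uri(key)
    .. "&expirationTime=" .. ngx.escape_uri(expiryTime)
    .. "&bucketNames=" .. ngx.escape_uri(pfolder)

  local s3Res, s3Err = httpc:request_uri(requestUrl, {
    method = "GET",
    headers = {
      ["Content-Type"] = "application/x-www-form-urlencoded",
      ["authorization"] = "Bearer " .. token,
    },
    keepalive_timeout = 60,
    keepalive_pool = 10,
  })

  if not s3Res then
    ngx.log(ngx.ERR, "failed to s3 request: ", s3Err)
    return ngx.redirect("/error.html")
  end

  local s3Json = s3Res.body
  -- cjson.decode raises on malformed JSON; treat that as a failed lookup.
  local decoded_ok, s3ResponseTable = pcall(cjson.decode, s3Json)
  if not decoded_ok or type(s3ResponseTable) ~= "table" then
    ngx.log(ngx.ERR, "unparseable s3 response, status: ", s3Res.status)
    return ngx.redirect("/error.html")
  end

  local s3Status = s3ResponseTable.status

  if s3Status == "SUCCESS" then
    local presignedUrl = s3ResponseTable.presignedUrl
    -- The caller stores this in an nginx variable, so never hand back a
    -- non-string (for example JSON null) on a nominal success.
    if type(presignedUrl) ~= "string" or presignedUrl == "" then
      ngx.log(ngx.ERR, "s3 response reported SUCCESS without a presignedUrl")
      return ngx.redirect("/error.html")
    end
    -- The presigned URL is a bearer credential; do not log it.
    return presignedUrl
  elseif s3Status == "ERROR" then
    local errorInfo = s3ResponseTable.error
    if type(errorInfo) == "table" then
      ngx.log(ngx.ERR, errorInfo.message)
    else
      ngx.log(ngx.ERR, s3Json)
    end
    return ngx.redirect("/error.html")
  elseif type(s3ResponseTable.error_description) == "string"
    and starts_with(s3ResponseTable.error_description, "Access token expired") then
    -- Refresh the cached token; the retry reads it back from tokenStore.
    getNewToken()
    return getUrl(count)
  else
    ngx.log(ngx.ERR, s3Json)
    return ngx.redirect("/error.html")
  end
end
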
-- Resolve the presigned URL, starting the attempt counter at zero, and expose
-- it to the nginx configuration through the `target` variable.
-- NOTE(review): presumably `target` is consumed by a proxy directive; if so,
-- the upstream service's response decides where this request is sent -
-- confirm the S3 service endpoint is trusted and reached over TLS.
local attempts = 0
ngx.var.target = getUrl(attempts)