add gitee auth (#1)

* add gitee auth

* fix

Author: wj00037

.gitignore

@@ -0,0 +1 @@
+.vscode

BigFiles/main.go

@@ -12,11 +12,6 @@ import (
 )
 
 func main() {
-	user := os.Getenv("LFS_USER")
-	pass := os.Getenv("LFS_PASS")
-	if user == "" || pass == "" {
-		log.Fatalln("LFS_USER and LFS_PASS must be set")
-	}
 	bucket := os.Getenv("LFS_BUCKET")
 	if bucket == "" {
 		log.Fatalln("LFS_BUCKET must be set")
@@ -25,7 +20,7 @@ func main() {
 	s, err := server.New(server.Options{
 		S3Accelerate: true,
 		Bucket:       bucket,
-		IsAuthorized: auth.Static(user, pass),
+		IsAuthorized: auth.GiteeAuth(),
 	})
 	if err != nil {
 		log.Fatalln(err)

README.md

@@ -4,3 +4,14 @@ v2.12.0](https://github.com/git-lfs/git-lfs/tree/v2.12.0/docs/api) server.
 - It can be configured to use any S3-API-compatible backend for LFS storage.
 - It does not currently implent the locking API.
 - See [the default entrypoint](BigFiles/main.go).
+
+
+**TODO**:
+
+1. 外部参数校验：username、password进行格式校验。
+2. 添加配置文件，将AKSK等写入配置文件中。可参考merlin-server配置文件的格式与读取方式。
+3. 添加测试用例。
+4. 认证方式支持token。
+5. 认证时校验用户在仓库内权限。
+6. 支持ssh。
+7. 仓库添加github action。

auth/gitee.go

@@ -0,0 +1,98 @@
+package auth
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+)
+
+type giteeUser struct {
+	Login string `json:"login"`
+	// Permission string `json:"permission"`
+}
+
+type AccessToken struct {
+	Token string `json:"access_token"`
+}
+
+func GiteeAuth() func(string, string) error {
+	return func(username, password string) error {
+		token, err := getToken(username, password)
+		if err != nil {
+			return err
+		}
+
+		return verifyUser(username, token)
+	}
+}
+
+// getToken gets access_token by username and password
+func getToken(username, password string) (string, error) {
+	clientId := os.Getenv("CLIENT_ID")
+	clientSecret := os.Getenv("CLIENT_SECRET")
+	form := url.Values{}
+	form.Add("scope", "user_info")
+	form.Add("grant_type", "password")
+	form.Add("username", username)
+	form.Add("password", password)
+	form.Add("client_id", clientId)
+	form.Add("client_secret", clientSecret)
+
+	path := "https://gitee.com/oauth/token"
+	response, err := http.Post(path, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
+	if err != nil {
+		panic(err)
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return "", errors.New("invalid credentials")
+	}
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		panic(err)
+	}
+	var accessToken AccessToken
+	err = json.Unmarshal(body, &accessToken)
+	if err != nil {
+		panic(err)
+	}
+	return accessToken.Token, nil
+}
+
+// verifyUser verifies user info by access_token
+func verifyUser(username, token string) error {
+	path := "https://gitee.com/api/v5/user?access_token=" + token
+	req, err := http.NewRequest("GET", path, nil)
+	if err != nil {
+		panic(err)
+	}
+	req.Header.Set("Content-Type", "application/json;charset=UTF-8")
+
+	response, err := http.DefaultClient.Do(req)
+	if err != nil {
+		panic(err)
+	}
+	defer response.Body.Close()
+	if response.StatusCode != http.StatusOK {
+		return errors.New("invalid credentials")
+	}
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		panic(err)
+	}
+	var giteeUser giteeUser
+	err = json.Unmarshal(body, &giteeUser)
+	if err != nil {
+		panic(err)
+	}
+	if giteeUser.Login == username {
+		return nil
+	} else {
+		return errors.New("username does not match")
+	}
+}

server/server.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"math"
 	"net/http"
-	"net/url"
 	"os"
 	"regexp"
 	"time"
@@ -15,7 +14,6 @@ import (
 	"github.com/metalogical/BigFiles/batch"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	"github.com/minio/minio-go/v7/pkg/s3utils"
 )
 
 var S3PutLimit int = 5*int(math.Pow10(9)) - 1 // 5GB - 1
@@ -46,22 +44,18 @@ func (o Options) imputeFromEnv() (Options, error) {
 		if region == "" {
 			return o, errors.New("endpoint required")
 		}
-		o.Endpoint = fmt.Sprintf("s3.%s.amazonaws.com", region)
+		o.Endpoint = region
 	}
 	if o.AccessKeyID == "" {
-		if s3utils.IsAmazonEndpoint(url.URL{Host: o.Endpoint}) {
-			o.AccessKeyID = os.Getenv("AWS_ACCESS_KEY_ID")
-			if o.AccessKeyID == "" {
-				return o, fmt.Errorf("AWS access key ID required for %s", o.Endpoint)
-			}
-			o.SecretAccessKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
-			if o.SecretAccessKey == "" {
-				return o, fmt.Errorf("AWS secret access key required for %s", o.Endpoint)
-			}
-			o.SessionToken = os.Getenv("AWS_SESSION_TOKEN")
-		} else {
-			return o, fmt.Errorf("access key & id required for %s", o.Endpoint)
+		o.AccessKeyID = os.Getenv("AWS_ACCESS_KEY_ID")
+		if o.AccessKeyID == "" {
+			return o, fmt.Errorf("AWS access key ID required for %s", o.Endpoint)
+		}
+		o.SecretAccessKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
+		if o.SecretAccessKey == "" {
+			return o, fmt.Errorf("AWS secret access key required for %s", o.Endpoint)
 		}
+		o.SessionToken = os.Getenv("AWS_SESSION_TOKEN")
 	}
 	if o.Bucket == "" {
 		return o, fmt.Errorf("bucket required")
@@ -100,7 +94,7 @@ func New(o Options) (http.Handler, error) {
 	}
 
 	r := chi.NewRouter()
-	r.Post("/objects/batch", s.handleBatch)
+	r.Post("/{owner}/{repo}/objects/batch", s.handleBatch)
 
 	return r, nil
 }
@@ -127,7 +121,7 @@ func (s *server) handleBatch(w http.ResponseWriter, r *http.Request) {
 		if username, password, ok := r.BasicAuth(); ok {
 			err = s.isAuthorized(username, password)
 			if err != nil {
-				err = fmt.Errorf("Unauthorized: %w", err)
+				err = fmt.Errorf("unauthorized: %w", err)
 			}
 		} else {
 			err = errors.New("Unauthorized")