From 625acde13ffe5904b1f3920331d62709e9298f58 Mon Sep 17 00:00:00 2001
From: Shiming Zhang
Date: Tue, 26 Nov 2024 10:55:08 +0800
Subject: [PATCH] Add ip check for oss
---
 crproxy.go | 1 +
 go.mod | 7 +++++--
 go.sum | 4 ++--
 storage/driver/oss/oss.go | 16 ++++++++++++----
 4 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/crproxy.go b/crproxy.go
index ca07b5e..f4106b5 100644
--- a/crproxy.go
+++ b/crproxy.go
@@ -721,6 +721,7 @@ func (c *CRProxy) notFoundResponse(rw http.ResponseWriter, r *http.Request) {
 func (c *CRProxy) redirect(rw http.ResponseWriter, r *http.Request, blobPath string, info *PathInfo) error {
 options := map[string]interface{}{
 "method": r.Method,
+ "ip": r.RemoteAddr,
 }
 linkExpires := c.linkExpires
 if linkExpires > 0 {
diff --git a/go.mod b/go.mod
index 7f74a9e..bf38b2a 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/daocloud/crproxy
 go 1.22
 require (
- github.com/denverdino/aliyungo v0.0.0-20230411124812-ab98a9173ace
+ github.com/denverdino/aliyungo v0.0.0
 github.com/distribution/reference v0.6.0
 github.com/docker/distribution v0.0.0
 github.com/gorilla/handlers v1.5.2
@@ -18,7 +18,10 @@ require (
 golang.org/x/crypto v0.28.0
 )
-replace github.com/docker/distribution => github.com/distribution/distribution v2.8.3+incompatible
+replace (
+ github.com/denverdino/aliyungo => github.com/wzshiming/aliyungo v0.0.0-20241126040137-4b8c22b50cd3
+ github.com/docker/distribution => github.com/distribution/distribution v2.8.3+incompatible
+)
 require (
 cloud.google.com/go/compute/metadata v0.3.0 // indirect
diff --git a/go.sum b/go.sum
index 958827d..a9e5f85 100644
--- a/go.sum
+++ b/go.sum
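Review bot: `r.RemoteAddr` in the added `"ip"` option of crproxy.go is the `host:port` form that net/http fills in, not a bare address, so unless middleware outside this hunk has already rewritten it the OSS driver receives the client's ephemeral port as part of the source-IP value. Strip the port before passing it on, for example `if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil { options["ip"] = host }`. When crproxy sits behind a load balancer or reverse proxy, RemoteAddr is the proxy's address, and a URL bound to it would presumably be refused when the real client follows the redirect; that deployment case deserves a comment or a configuration switch. The body of redirect continues past the hunk.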
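Review bot: The new `replace` block in go.mod swaps `github.com/denverdino/aliyungo` for a personal fork pinned to a pseudo-version, and nothing in the file records why or which upstream change it is waiting on. Since this module produces the signed OSS URLs, add a comment above the entry such as `// fork adds x-oss-ac-source-ip signing; drop once merged upstream (<upstream PR link>)` so the pin can be audited and later removed. The fork's `/go.mod` hash in go.sum is identical to the removed upstream entry, which suggests only source files differ, but the fork's diff against the previously pinned upstream commit should be reviewed before this merges.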
@@ -45,8 +45,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/denverdino/aliyungo v0.0.0-20230411124812-ab98a9173ace h1:1SnCTPFh2AADpm7ti864EYaugexyiDFt55BW188+d6k= -github.com/denverdino/aliyungo v0.0.0-20230411124812-ab98a9173ace/go.mod h1:TK05uvk4XXfK2kdvRwfcZ1NaxjDxmm7H3aQLko0mJxA= github.com/distribution/distribution v2.8.3+incompatible h1:RlpEXBLq/WPXYvBYMDAmBX/SnhD67qwtvW/DzKc8pAo= github.com/distribution/distribution v2.8.3+incompatible/go.mod h1:EgLm2NgWtdKgzF9NpMzUKgzmR7AMmb0VQi2B+ZzDRjc= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= @@ -202,6 +200,8 @@ github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaO github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg= github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= +github.com/wzshiming/aliyungo v0.0.0-20241126040137-4b8c22b50cd3 h1:MwH8lliQekyhQXNq6RXiL7hHS66+nqMnnrRJ0Xn6s9Y= +github.com/wzshiming/aliyungo v0.0.0-20241126040137-4b8c22b50cd3/go.mod h1:TK05uvk4XXfK2kdvRwfcZ1NaxjDxmm7H3aQLko0mJxA= github.com/wzshiming/cmux v0.4.2 h1:tI73lL5ztVfiqw7R5m5BkxT1+vQ2PBo/oV6qPbNGPiA= github.com/wzshiming/cmux v0.4.2/go.mod h1:JgE61QfZAjEyNMX0iZo9zIKY6pr9bHVY132yYPwHW5U= github.com/wzshiming/geario v0.0.0-20240308093553-a996e3817533 h1:mq74wxgDCz7Q6CqZYExt0DHf7Ze28lyMW/TNsfcuk8M= diff --git a/storage/driver/oss/oss.go b/storage/driver/oss/oss.go index 87348bf..1e42a4b 100644 --- a/storage/driver/oss/oss.go +++ b/storage/driver/oss/oss.go 
@@ -484,6 +484,8 @@ func (d *driver) Delete(ctx context.Context, path string) error {
 // URLFor returns a URL which may be used to retrieve the content stored at the given path.
 // May return an UnsupportedMethodErr in certain StorageDriver implementations.
+// https://help.aliyun.com/zh/oss/developer-reference/ddd-signatures-to-urls
+// https://help.aliyun.com/zh/oss/developer-reference/include-signatures-in-the-authorization-header
 func (d *driver) URLFor(ctx context.Context, path string, options map[string]interface{}) (string, error) {
 methodString := "GET"
 method, ok := options["method"]
@@ -504,17 +506,23 @@ func (d *driver) URLFor(ctx context.Context, path string, options map[string]int
 }
 }
- var q url.Values
+ q := url.Values{}
 referer, ok := options["referer"]
 if ok {
 refererString, ok := referer.(string)
 if ok {
- q = url.Values{
- "referer": []string{refererString},
- }
+ q["referer"] = []string{refererString}
 }
 }
+ ip, ok := options["ip"]
+ if ok {
+ ipString, ok := ip.(string)
+ if ok {
+ q["x-oss-ac-source-ip"] = []string{ipString}
+ q["x-oss-ac-subnet-mask"] = []string{"32"}
+ }
+ }
 signedURL := d.Bucket.SignedURLWithMethod(methodString, d.ossPath(path), expiresTime, q, nil)
 return signedURL, nil
 }
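Review bot: The new `ip` branch in the second hunk copies `ipString` into `x-oss-ac-source-ip` without parsing it and always signs a subnet mask of `32`, so a value that is not a bare IPv4 address (the caller in crproxy.go passes `r.RemoteAddr`, which net/http fills as `host:port`) goes into the signed parameters as-is, and an IPv6 client would get an IPv4-sized mask. A non-string `ip` option is skipped silently, which yields a link with no source-IP binding at all even though the caller asked for one. Parse the value, pick the mask by address family, and return an error on bad input, as sketched below; the sketch assumes `net` and `fmt` are available in oss.go, and the IPv6 mask should be confirmed against the OSS documentation linked above URLFor. URLFor begins before this hunk.

```go
// … unchanged: method, expiry and referer handling …
if ip, ok := options["ip"]; ok {
	ipString, ok := ip.(string)
	if !ok {
		return "", fmt.Errorf("ip option must be a string, got %T", ip)
	}
	addr := net.ParseIP(ipString)
	if addr == nil {
		return "", fmt.Errorf("invalid ip option %q", ipString)
	}
	mask := "32"
	if addr.To4() == nil {
		mask = "128" // full-length IPv6 mask; confirm OSS accepts it
	}
	q["x-oss-ac-source-ip"] = []string{addr.String()}
	q["x-oss-ac-subnet-mask"] = []string{mask}
}
signedURL := d.Bucket.SignedURLWithMethod(methodString, d.ossPath(path), expiresTime, q, nil)
```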