Merge pull request #68 from flymin/dev

Implement access control with url parameter based on md5sum

README.md

@@ -64,6 +64,16 @@ TLS_MIN_VERS=
 #   To accept missing referrer header, add a blank entry (start comma):
 #   'REFERRERS=,http://localhost,https://another.name'
 REFERRERS=
+
+# Use key / code parameter in the request URL for access control. The code is
+# computed by requested PATH and your key.
+# Example:
+#   ACCESS_KEY=username
+#   To access your file, either access:
+#   http://$HOST:$PORT/my/place/my.file?key=username
+#   or access (md5sum of "/my/place/my.fileusername"):
+#   http://$HOST:$PORT/my/place/my.file?code=44356A355E89D9EE7B2D5687E48024B0
+ACCESS_KEY=
 ```
 
 ### YAML Configuration File
@@ -85,6 +95,7 @@ tls-cert: ""
 tls-key: ""
 tls-min-vers: ""
 url-prefix: ""
+access-key: ""
 ```
 
 Example configuration with possible alternative values:

cli/server/server.go

@@ -67,6 +67,11 @@ func handlerSelector() (handler http.HandlerFunc) {
 		handler = handle.AddCorsWildcardHeaders(handler)
 	}
 
+	// If configured, apply key code access control.
+	if "" != config.Get.AccessKey {
+		handler = handle.AddAccessKey(handler, config.Get.AccessKey)
+	}
+
 	return
 }
 

config/config.go

@@ -28,6 +28,7 @@ var (
 		TLSMinVersStr string   `yaml:"tls-min-vers"`
 		URLPrefix     string   `yaml:"url-prefix"`
 		Referrers     []string `yaml:"referrers"`
+		AccessKey     string   `yaml:"access-key"`
 	}
 )
 
@@ -43,6 +44,7 @@ const (
 	tlsKeyKey      = "TLS_KEY"
 	tlsMinVersKey  = "TLS_MIN_VERS"
 	urlPrefixKey   = "URL_PREFIX"
+	accessKeyKey   = "ACCESS_KEY"
 )
 
 var (
@@ -57,6 +59,7 @@ var (
 	defaultTLSMinVers  = ""
 	defaultURLPrefix   = ""
 	defaultCors        = false
+	defaultAccessKey   = ""
 )
 
 func init() {
@@ -76,6 +79,7 @@ func setDefaults() {
 	Get.TLSMinVersStr = defaultTLSMinVers
 	Get.URLPrefix = defaultURLPrefix
 	Get.Cors = defaultCors
+	Get.AccessKey = defaultAccessKey
 }
 
 // Load the configuration file.
@@ -126,6 +130,7 @@ func overrideWithEnvVars() {
 	Get.TLSMinVersStr = envAsStr(tlsMinVersKey, Get.TLSMinVersStr)
 	Get.URLPrefix = envAsStr(urlPrefixKey, Get.URLPrefix)
 	Get.Referrers = envAsStrSlice(referrersKey, Get.Referrers)
+	Get.AccessKey = envAsStr(accessKeyKey, Get.AccessKey)
 }
 
 // validate the configuration.

handle/handle.go

@@ -2,6 +2,7 @@ package handle
 
 import (
 	"crypto/tls"
+	"crypto/md5"
 	"fmt"
 	"log"
 	"net/http"
@@ -152,6 +153,43 @@ func AddCorsWildcardHeaders(serve http.HandlerFunc) http.HandlerFunc {
 	}
 }
 
+// Access Control through url parameters. The access key is set by ACCESS_KEY.
+// md5sum is computed by queried path + access key
+// (e.g. "/my/file" + ACCESS_KEY)
+func AddAccessKey(serve http.HandlerFunc, accessKey string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Get key or md5sum from this access.
+		keys, keyOk := r.URL.Query()["key"]
+		var code string
+    	if !keyOk || len(keys[0]) < 1 {
+			// In case a code is provided
+			codes, codeOk := r.URL.Query()["code"]
+    		if !codeOk || len(codes[0]) < 1 {
+				http.NotFound(w, r)
+				return
+			}
+			code = strings.ToUpper(codes[0])
+		} else {
+			// In case a key is provided, convert to code.
+			data := []byte(r.URL.Path + keys[0])
+			hash := md5.Sum(data)
+			code = fmt.Sprintf("%X", hash)
+		}
+
+		// Compute the correct md5sum of this access.
+		localData := []byte(r.URL.Path + accessKey)
+		hash := md5.Sum(localData)
+		localCode := fmt.Sprintf("%X", hash)
+		
+		// Compare the two.
+		if code != localCode {
+			http.NotFound(w, r)
+			return
+		}
+		serve(w, r)
+	}
+}
+
 // Listening function for serving the handler function.
 func Listening() ListenerFunc {
 	return func(binding string, handler http.HandlerFunc) error {