-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecurelink-common.lua
91 lines (72 loc) · 3.18 KB
/
securelink-common.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
-- Copyright (C) 2013 Luca Filipozzi <[email protected]>
--
-- Permission is hereby granted, free of charge, to any person obtaining a copy
-- of this software and associated documentation files (the "Software"), to deal
-- in the Software without restriction, including without limitation the rights
-- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-- copies of the Software, and to permit persons to whom the Software is
-- furnished to do so, subject to the following conditions:
--
-- The above copyright notice and this permission notice shall be included in
-- all copies or substantial portions of the Software.
--
-- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-- SOFTWARE.
local securelink = {}
local md5 = require("md5")
local function hmac_md5(_key, _msg)
if type(_key) ~= "string" or type(_msg) ~= "string" then
return nil
end
local _blocksize = 64 -- 512 bits for md5
-- keys longer than blocksize are shortened
if string.len(_key) > _blocksize then
_key = md5.sum(_key)
end
-- keys shorter than blocksize are zero-padded
if string.len(_key) < _blocksize then
_key = _key .. string.rep(string.char(0x00), _blocksize - string.len(_key))
end
local _opad = md5.exor(string.rep(string.char(0x5c), _blocksize), _key)
local _ipad = md5.exor(string.rep(string.char(0x36), _blocksize), _key)
return md5.sumhexa(_opad .. md5.sum(_ipad .. _msg))
end
local function base16_decode(_str)
return (_str:gsub('..', function(_cc)
return string.char(tonumber(_cc, 16))
end))
end
local function rewrite_uri(_key, _src, _tgt, _uri)
if not _key or not _src or not _tgt then
securelink.log_error("web server incorrectly configured")
securelink.return_status(500) -- internal server error
end
local _hmac, _msg = string.match(_uri, "^" .. _src .. "/(%x+)/(.*)$")
if not _hmac or not _msg then
securelink.log_error("hmac and message not found in uri")
securelink.return_status(400) -- bad request
end
if hmac_md5(_key, _msg) ~= string.lower(_hmac) then
securelink.log_error("computed hmac does not match the received hmac")
securelink.return_status(401) -- unauthorized
end
local _hash, _type, _file = string.match(_msg, "^(%x+)/(%x+)/([^/]+)$")
if not _hash or not _type or not _file then
securelink.log_error("message does contain necessary components")
securelink.return_status(403) -- forbidden
end
local _dir1, _dir2 = string.match(_hash, "^(%x%x)(%x%x)%x+$")
-- update URI
local _uri = _tgt .. "/" .. _dir1 .. "/" .. _dir2 .. "/" .. _hash
-- update content-type (EXTension)
local _ext = base16_decode(_type)
return _uri, _ext -- return both the rewritten uri and the content-type
end
securelink.rewrite_uri = rewrite_uri
return securelink
-- vim: set ts=2 sw=2 et ai si fdm=indent: