test for cutting off location of owner check

Author: lovehunter9

pkg/drives/base.go

@@ -109,6 +109,15 @@ func IsThridPartyDrives(dstType string) bool {
 	}
 }
 
+func IsBaseDrives(dstType string) bool {
+	switch dstType {
+	case SrcTypeDrive, SrcTypeCache:
+		return true
+	default:
+		return false
+	}
+}
+
 func IsCloudDrives(dstType string) bool {
 	switch dstType {
 	case SrcTypeCloud, SrcTypeAWSS3, SrcTypeTencent, SrcTypeDropbox:

pkg/http/data.go

@@ -1,6 +1,8 @@
 package http
 
 import (
+	"files/pkg/drives"
+	"files/pkg/rpc"
 	"k8s.io/klog/v2"
 	"net/http"
 	"strconv"
@@ -15,12 +17,14 @@ type handleFunc func(w http.ResponseWriter, r *http.Request, d *common.Data) (in
 
 func handle(fn handleFunc, prefix string, server *settings.Server) http.Handler {
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if prefix == "/api/paste" || (prefix == "/api/resources" && r.Method == http.MethodPatch) {
-			klog.Warningf("Is src and dst yours? We'll check it for %s %s", r.Method, r.URL.Path)
-		} else if prefix == "/api/resources" || prefix == "/api/raw" || prefix == "/api/preview" {
-			klog.Warningf("Is src yours? We'll check it for %s %s", r.Method, r.URL.Path)
+		checked, err := CheckPathOwner(r, prefix)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusForbidden)
 		}
-		
+		if !checked {
+			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		}
+
 		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 
 		status, err := fn(w, r, &common.Data{
@@ -41,3 +45,54 @@ func handle(fn handleFunc, prefix string, server *settings.Server) http.Handler
 
 	return stripPrefix(prefix, handler)
 }
+
+func CheckPathOwner(r *http.Request, prefix string) (bool, error) {
+	if prefix != "/api/resources" && prefix != "/api/raw" && prefix != "/api/preview" && prefix != "/api/paste" {
+		return true, nil
+	}
+
+	var err error = nil
+	method := r.Method
+	src := r.URL.Path
+
+	srcType := r.URL.Query().Get("src_type")
+	if srcType == "" {
+		srcType = r.URL.Query().Get("src")
+		if srcType == "" {
+			srcType = drives.SrcTypeDrive
+		}
+	}
+
+	dst := r.URL.Query().Get("destination")
+	dstType := r.URL.Query().Get("dst_type")
+	if dstType == "" {
+		dstType = drives.SrcTypeDrive
+	}
+
+	klog.Infof("Checking owner for method: %s, prefix: %s, srcType: %s, src: %s, dstType: %s, dst: %s", method, prefix, srcType, src, dstType, dst)
+
+	bflRequest := r.Header.Get("X-Bfl-User")
+	bflParsed := ""
+	if drives.IsBaseDrives(srcType) {
+		bflParsed, err = rpc.PVCs.GetBfl(rpc.ExtractPvcFromURL(src))
+		if err != nil {
+			return false, err
+		}
+		if bflParsed != bflRequest {
+			return false, nil
+		}
+	}
+
+	if prefix == "/api/paste" || (prefix == "/api/resources" && r.Method == http.MethodPatch) {
+		if drives.IsBaseDrives(dstType) {
+			bflParsed, err = rpc.PVCs.GetBfl(rpc.ExtractPvcFromURL(dst))
+			if err != nil {
+				return false, err
+			}
+			if bflParsed != bflRequest {
+				return false, nil
+			}
+		}
+	}
+	return true, nil
+}

pkg/rpc/k8s.go

@@ -77,7 +77,7 @@ func (p *PVCCache) getBflForCachePVCOrCache(cachePvc string) (string, error) {
 	return bflName, nil
 }
 
-func (p *PVCCache) getBfl(pvc string) (string, error) {
+func (p *PVCCache) GetBfl(pvc string) (string, error) {
 	bflName, err := p.getBflForUserPVCOrCache(pvc)
 	if bflName == "" || err != nil {
 		bflName, err = p.getBflForCachePVCOrCache(pvc)

pkg/rpc/watcher.go

@@ -221,7 +221,7 @@ func WatchPath(addPaths []string, deletePaths []string, focusPaths []string) {
 					search3 = false
 				}
 				if search3 && checkString(path) {
-					bflName, err := PVCs.getBfl(ExtractPvcFromURL(path))
+					bflName, err := PVCs.GetBfl(ExtractPvcFromURL(path))
 					if err != nil {
 						klog.Info(err)
 					} else {
@@ -359,7 +359,7 @@ func handleEvent(e jfsnotify.Event) error {
 	var bflName string
 	var err error
 	if checkString(e.Name) {
-		bflName, err = PVCs.getBfl(ExtractPvcFromURL(e.Name))
+		bflName, err = PVCs.GetBfl(ExtractPvcFromURL(e.Name))
 		if err != nil {
 			klog.Info(err)
 		} else {