Use private ACL for private videos in s3

2025-02-25 18:55:32 -06:00 · 2022-10-19 10:43:53 +02:00
parent 3545e72c68
commit 9ab330b90d
46 changed files with 1753 additions and 845 deletions
--- a/server/controllers/download.ts
+++ b/server/controllers/download.ts
@@ -5,6 +5,7 @@ import { VideosTorrentCache } from '@server/lib/files-cache/videos-torrent-cache
 import { Hooks } from '@server/lib/plugins/hooks'
 import { VideoPathManager } from '@server/lib/video-path-manager'
 import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'
+import { addQueryParams } from '@shared/core-utils'
 import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
 import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'
 import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'
@@ -84,7 +85,7 @@ async function downloadVideoFile (req: express.Request, res: express.Response) {
  if (!checkAllowResult(res, allowParameters, allowedResult)) return

  if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {
-    return res.redirect(videoFile.getObjectStorageUrl())
+    return redirectToObjectStorage({ req, res, video, file: videoFile })
  }

  await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(video), path => {
@@ -120,7 +121,7 @@ async function downloadHLSVideoFile (req: express.Request, res: express.Response
  if (!checkAllowResult(res, allowParameters, allowedResult)) return

  if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {
-    return res.redirect(videoFile.getObjectStorageUrl())
+    return redirectToObjectStorage({ req, res, video, file: videoFile })
  }

  await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(streamingPlaylist), path => {
@@ -174,3 +175,20 @@ function checkAllowResult (res: express.Response, allowParameters: any, result?:

  return true
 }
+
+function redirectToObjectStorage (options: {
+  req: express.Request
+  res: express.Response
+  video: MVideo
+  file: MVideoFile
+}) {
+  const { req, res, video, file } = options
+
+  const baseUrl = file.getObjectStorageUrl(video)
+
+  const url = video.hasPrivateStaticPath() && req.query.videoFileToken
+    ? addQueryParams(baseUrl, { videoFileToken: req.query.videoFileToken })
+    : baseUrl
+
+  return res.redirect(url)
+}
--- a/server/controllers/index.ts
+++ b/server/controllers/index.ts
@@ -1,14 +1,15 @@
 export * from './activitypub'
 export * from './api'
+export * from './bots'
 export * from './client'
 export * from './download'
 export * from './feeds'
-export * from './services'
-export * from './static'
 export * from './lazy-static'
 export * from './misc'
-export * from './webfinger'
-export * from './tracker'
-export * from './bots'
+export * from './object-storage-proxy'
 export * from './plugins'
+export * from './services'
+export * from './static'
+export * from './tracker'
+export * from './webfinger'
 export * from './well-known'
--- a/server/controllers/object-storage-proxy.ts
+++ b/server/controllers/object-storage-proxy.ts
@@ -0,0 +1,78 @@
+import cors from 'cors'
+import express from 'express'
+import { OBJECT_STORAGE_PROXY_PATHS } from '@server/initializers/constants'
+import { getHLSFileReadStream, getWebTorrentFileReadStream } from '@server/lib/object-storage'
+import {
+  asyncMiddleware,
+  ensureCanAccessPrivateVideoHLSFiles,
+  ensureCanAccessVideoPrivateWebTorrentFiles,
+  optionalAuthenticate
+} from '@server/middlewares'
+import { HttpStatusCode } from '@shared/models'
+
+const objectStorageProxyRouter = express.Router()
+
+objectStorageProxyRouter.use(cors())
+
+objectStorageProxyRouter.get(OBJECT_STORAGE_PROXY_PATHS.PRIVATE_WEBSEED + ':filename',
+  optionalAuthenticate,
+  asyncMiddleware(ensureCanAccessVideoPrivateWebTorrentFiles),
+  asyncMiddleware(proxifyWebTorrent)
+)
+
+objectStorageProxyRouter.get(OBJECT_STORAGE_PROXY_PATHS.STREAMING_PLAYLISTS.PRIVATE_HLS + ':videoUUID/:filename',
+  optionalAuthenticate,
+  asyncMiddleware(ensureCanAccessPrivateVideoHLSFiles),
+  asyncMiddleware(proxifyHLS)
+)
+
+// ---------------------------------------------------------------------------
+
+export {
+  objectStorageProxyRouter
+}
+
+async function proxifyWebTorrent (req: express.Request, res: express.Response) {
+  const filename = req.params.filename
+
+  try {
+    const stream = await getWebTorrentFileReadStream({
+      filename,
+      rangeHeader: req.header('range')
+    })
+
+    return stream.pipe(res)
+  } catch (err) {
+    return handleObjectStorageFailure(res, err)
+  }
+}
+
+async function proxifyHLS (req: express.Request, res: express.Response) {
+  const playlist = res.locals.videoStreamingPlaylist
+  const video = res.locals.onlyVideo
+  const filename = req.params.filename
+
+  try {
+    const stream = await getHLSFileReadStream({
+      playlist: playlist.withVideo(video),
+      filename,
+      rangeHeader: req.header('range')
+    })
+
+    return stream.pipe(res)
+  } catch (err) {
+    return handleObjectStorageFailure(res, err)
+  }
+}
+
+function handleObjectStorageFailure (res: express.Response, err: Error) {
+  if (err.name === 'NoSuchKey') {
+    return res.sendStatus(HttpStatusCode.NOT_FOUND_404)
+  }
+
+  return res.fail({
+    status: HttpStatusCode.INTERNAL_SERVER_ERROR_500,
+    message: err.message,
+    type: err.name
+  })
+}