1:进入RAM控制台,创建一个RAM用户 访问方式一般选择OPenApi就可以了
登陆名称自己随意填写不重复就可以,确定后添加成功
生成的密钥信息可以保存到本地。
2:为RAM用户添加系统策略
添加AliyunSTSAssumeRoleAccess权限 这个步骤主要创建了一个用于获取临时访问凭证的角色,获得角色ARN
3:创建角色
如图:选择角色-> 创建角色
类型选择阿里云账户
添加角色名创建完成
这里的角色名称和ARN保存一下后续代码中要用到
4:创建策略
这里主要通过自定义策略实现,选择左边权限管理-》权限策略-》创建策略
切换到脚本编辑模式填写脚本内容
主要是设置Rescource配置对资源的访问 权限
Action:允许的操作
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:PutObject" ], "Resource": [ "acs:oss:*:*:oss的bucket名字/目录", "acs:oss:*:*:oss的bucket名字/目录/*" ] } ]}
如果不限制目录可以这样写
"Resource": [ "acs:oss:*:*:oss的bucket名字", "acs:oss:*:*:oss的bucket名字/*" ]
脚本编辑完成后取个名字保存备用
4:为角色添加策略
把上面的脚本权限添加给校色,回到角色列表找到对应的用户选择添加权限
通过名字查找上面添加的策略,然后保存就完成了整个权限的添加。
万事俱备接下来是关于Go语言相关的事情。
6:Go代码上传案例
package main import ( "fmt" "os" "time" "strconv" "net/http" "io" "io/ioutil" "encoding/base64" "encoding/pem" "encoding/json" "crypto" "crypto/md5" "crypto/rsa" "crypto/x509" "crypto/hmac" "crypto/sha1" "errors" "hash" ) // 请填写您的AccessKeyId。 var accessKeyId string = "<yourAccessKeyId>" // 请填写您的AccessKeySecret。 var accessKeySecret string = "<yourAccessKeySecret>" // host的格式为 bucketname.endpoint ,请替换为您的真实信息。 var host string = "http://bucket-name.oss-cn-hangzhou.aliyuncs.com" // callbackUrl为 上传回调服务器的URL,请将下面的IP和Port配置为您自己的真实信息。 var callbackUrl string = "http://88.88.88.88:8888"; // 用户上传文件时指定的前缀。 var upload_dir string = "user-dir-prefix/" var expire_time int64 = 30 const ( base64Table = "123QRSTUabcdVWXYZHijKLAWDCABDstEFGuvwxyzGHIJklmnopqr234560178912" ) var coder = base64.NewEncoding(base64Table) func base64Encode(src []byte) []byte { return []byte(coder.EncodeToString(src)) } func get_gmt_iso8601(expire_end int64) string { var tokenExpire = time.Unix(expire_end, 0).UTC().Format("2006-01-02T15:04:05Z") return tokenExpire } type ConfigStruct struct{ Expiration string `json:"expiration"` Conditions [][]string `json:"conditions"` } type PolicyToken struct{ AccessKeyId string `json:"accessid"` Host string `json:"host"` Expire int64 `json:"expire"` Signature string `json:"signature"` Policy string `json:"policy"` Directory string `json:"dir"` Callback string `json:"callback"` } type CallbackParam struct{ CallbackUrl string `json:"callbackUrl"` CallbackBody string `json:"callbackBody"` CallbackBodyType string `json:"callbackBodyType"` } func get_policy_token() string { now := time.Now().Unix() expire_end := now + expire_time var tokenExpire = get_gmt_iso8601(expire_end) //create post policy json var config ConfigStruct config.Expiration = tokenExpire var condition []string condition = append(condition, "starts-with") condition = append(condition, "$key") condition = append(condition, upload_dir) config.Conditions = append(config.Conditions, condition) //calucate signature result,err:=json.Marshal(config) debyte := base64.StdEncoding.EncodeToString(result) h := hmac.New(func() hash.Hash { return sha1.New() }, []byte(accessKeySecret)) io.WriteString(h, debyte) signedStr := base64.StdEncoding.EncodeToString(h.Sum(nil)) var callbackParam CallbackParam callbackParam.CallbackUrl = callbackUrl callbackParam.CallbackBody = "filename=${object}&size=${size}&mimeType=${mimeType}&height=${imageInfo.height}&width=${imageInfo.width}" callbackParam.CallbackBodyType = "application/x-www-form-urlencoded" callback_str,err:=json.Marshal(callbackParam) if err != nil { fmt.Println("callback json err:", err) } callbackBase64 := base64.StdEncoding.EncodeToString(callback_str) var policyToken PolicyToken policyToken.AccessKeyId = accessKeyId policyToken.Host = host policyToken.Expire = expire_end policyToken.Signature = string(signedStr) policyToken.Directory = upload_dir policyToken.Policy = string(debyte) policyToken.Callback = string(callbackBase64) response,err:=json.Marshal(policyToken) if err != nil { fmt.Println("json err:", err) } return string(response) } func main() { strIPPort := ":8080"; if (len(os.Args)==3) { strIPPort = fmt.Sprintf("%s:%s", os.Args[1], os.Args[2]) } else if (len(os.Args)!=1) { fmt.Println("Usage : go run callbackserver.go ") fmt.Println("Usage : go run callbackserver.go ip port ") fmt.Println("Example : go run callbackserver.go 11.22.33.44 80 ") fmt.Println("Example : go run callbackserver.go 0.0.0.0 8080 ") fmt.Println("") os.Exit(0) } fmt.Printf("\ncallbackserver is running on %s \n", strIPPort); http.HandleFunc("/", handlerRequest) err := http.ListenAndServe(strIPPort, nil) if (err != nil) { strError := fmt.Sprintf("http.ListenAndServe failed : %s \n", err.Error()) panic(strError) } } func handlerRequest(w http.ResponseWriter, r *http.Request) { if (r.Method == "GET") { response := get_policy_token() w.Header().Set("Access-Control-Allow-Methods", "POST") w.Header().Set("Access-Control-Allow-Origin", "*") io.WriteString(w, response) } if (r.Method == "POST") { fmt.Println("\nHandle Post Request ... ") // Get PublicKey bytes bytePublicKey, err := getPublicKey(r) if (err != nil) { responseFailed(w) return } // Get Authorization bytes : decode from Base64String byteAuthorization, err := getAuthorization(r) if (err != nil) { responseFailed(w) return } // Get MD5 bytes from Newly Constructed Authrization String. byteMD5, err := getMD5FromNewAuthString(r) if (err != nil) { responseFailed(w) return } // verifySignature and response to client if (verifySignature(bytePublicKey, byteMD5, byteAuthorization)) { // do something you want accoding to callback_body ... responseSuccess(w) // response OK : 200 } else { responseFailed(w) // response FAILED : 400 } } } // getPublicKey : Get PublicKey bytes from Request.URL func getPublicKey(r *http.Request) ([]byte, error) { var bytePublicKey []byte // get PublicKey URL publicKeyURLBase64 := r.Header.Get("x-oss-pub-key-url") if (publicKeyURLBase64 == "") { fmt.Println("GetPublicKey from Request header failed : No x-oss-pub-key-url field. ") return bytePublicKey, errors.New("no x-oss-pub-key-url field in Request header ") } publicKeyURL, _ := base64.StdEncoding.DecodeString(publicKeyURLBase64) // fmt.Printf("publicKeyURL={%s}\n", publicKeyURL) // get PublicKey Content from URL responsePublicKeyURL, err := http.Get(string(publicKeyURL)) if (err != nil) { fmt.Printf("Get PublicKey Content from URL failed : %s \n", err.Error()) return bytePublicKey, err } bytePublicKey, err = ioutil.ReadAll(responsePublicKeyURL.Body) if (err != nil) { fmt.Printf("Read PublicKey Content from URL failed : %s \n", err.Error()) return bytePublicKey, err } defer responsePublicKeyURL.Body.Close() // fmt.Printf("publicKey={%s}\n", bytePublicKey) return bytePublicKey, nil } // getAuthorization : decode from Base64String func getAuthorization(r *http.Request) ([]byte, error) { var byteAuthorization []byte // Get Authorization bytes : decode from Base64String strAuthorizationBase64 := r.Header.Get("authorization") if (strAuthorizationBase64 == "") { fmt.Println("Failed to get authorization field from request header. ") return byteAuthorization, errors.New("no authorization field in Request header") } byteAuthorization, _ = base64.StdEncoding.DecodeString(strAuthorizationBase64) return byteAuthorization, nil } // getMD5FromNewAuthString : Get MD5 bytes from Newly Constructed Authrization String. func getMD5FromNewAuthString(r *http.Request) ([]byte, error) { var byteMD5 []byte // Construct the New Auth String from URI+Query+Body bodyContent, err := ioutil.ReadAll(r.Body) r.Body.Close() if (err != nil) { fmt.Printf("Read Request Body failed : %s \n", err.Error()) return byteMD5, err } strCallbackBody := string(bodyContent) // fmt.Printf("r.URL.RawPath={%s}, r.URL.Query()={%s}, strCallbackBody={%s}\n", r.URL.RawPath, r.URL.Query(), strCallbackBody) strURLPathDecode, errUnescape := unescapePath(r.URL.Path, encodePathSegment) //url.PathUnescape(r.URL.Path) for Golang v1.8.2+ if (errUnescape != nil) { fmt.Printf("url.PathUnescape failed : URL.Path=%s, error=%s \n", r.URL.Path, err.Error()) return byteMD5, errUnescape } // Generate New Auth String prepare for MD5 strAuth := "" if (r.URL.RawQuery == "") { strAuth = fmt.Sprintf("%s\n%s", strURLPathDecode, strCallbackBody) } else { strAuth = fmt.Sprintf("%s?%s\n%s", strURLPathDecode, r.URL.RawQuery, strCallbackBody) } // fmt.Printf("NewlyConstructedAuthString={%s}\n", strAuth) // Generate MD5 from the New Auth String md5Ctx := md5.New() md5Ctx.Write([]byte(strAuth)) byteMD5 = md5Ctx.Sum(nil) return byteMD5, nil } /* VerifySignature * VerifySignature需要三个重要的数据信息来进行签名验证: 1>获取公钥PublicKey; 2>生成新的MD5鉴权串; 3>解码Request携带的鉴权串; * 1>获取公钥PublicKey : 从RequestHeader的"x-oss-pub-key-url"字段中获取 URL, 读取URL链接的包含的公钥内容, 进行解码解析, 将其作为rsa.VerifyPKCS1v15的入参。 * 2>生成新的MD5鉴权串 : 把Request中的url中的path部分进行urldecode, 加上url的query部分, 再加上body, 组合之后进行MD5编码, 得到MD5鉴权字节串。 * 3>解码Request携带的鉴权串 : 获取RequestHeader的"authorization"字段, 对其进行Base64解码,作为签名验证的鉴权对比串。 * rsa.VerifyPKCS1v15进行签名验证,返回验证结果。 * */ func verifySignature(bytePublicKey []byte, byteMd5 []byte, authorization []byte) bool { pubBlock, _ := pem.Decode(bytePublicKey) if (pubBlock == nil) { fmt.Printf("Failed to parse PEM block containing the public key") return false } pubInterface, err := x509.ParsePKIXPublicKey(pubBlock.Bytes) if (pubInterface == nil) || (err != nil) { fmt.Printf("x509.ParsePKIXPublicKey(publicKey) failed : %s \n", err.Error()) return false } pub := pubInterface.(*rsa.PublicKey) errorVerifyPKCS1v15 := rsa.VerifyPKCS1v15(pub, crypto.MD5, byteMd5, authorization) if (errorVerifyPKCS1v15 != nil) { fmt.Printf("\nSignature Verification is Failed : %s \n", errorVerifyPKCS1v15.Error()) //printByteArray(byteMd5, "AuthMd5(fromNewAuthString)") //printByteArray(bytePublicKey, "PublicKeyBase64") //printByteArray(authorization, "AuthorizationFromRequest") return false } fmt.Printf("\nSignature Verification is Successful. \n") return true } // responseSuccess : Response 200 to client func responseSuccess(w http.ResponseWriter) { strResponseBody := "{\"Status\":\"OK\"}" w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Length", strconv.Itoa(len(strResponseBody))) w.WriteHeader(http.StatusOK) w.Write([]byte(strResponseBody)) fmt.Printf("\nPost Response : 200 OK . \n") } // responseFailed : Response 400 to client func responseFailed(w http.ResponseWriter) { w.WriteHeader(http.StatusBadRequest) fmt.Printf("\nPost Response : 400 BAD . \n") } func printByteArray(byteArrary []byte , arrName string) { fmt.Printf("++++++++ printByteArray : ArrayName=%s, ArrayLength=%d \n", arrName, len(byteArrary)) for i:=0; i<len(byteArrary); i++ { fmt.Printf("%02x", byteArrary[i]); } fmt.Printf("\n-------- printByteArray : End . \n") } type EscapeError string func (e EscapeError) Error() string { return "invalid URL escape " + strconv.Quote(string(e)) } type InvalidHostError string func (e InvalidHostError) Error() string { return "invalid character " + strconv.Quote(string(e)) + " in host name" } type encoding int const ( encodePath encoding = 1 + iota encodePathSegment encodeHost encodeZone encodeUserPassword encodeQueryComponent encodeFragment ) // unescapePath : unescapes a string; the mode specifies, which section of the URL string is being unescaped. func unescapePath(s string, mode encoding) (string, error) { // Count %, check that they're well-formed. mode = encodePathSegment n := 0 hasPlus := false for i := 0; i < len(s); { switch s[i] { case '%': n++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) { s = s[i:] if len(s) > 3 { s = s[:3] } return "", EscapeError(s) } // Per https://tools.ietf.org/html/rfc3986#page-21 // in the host component %-encoding can only be used // for non-ASCII bytes. // But https://tools.ietf.org/html/rfc6874#section-2 // introduces %25 being allowed to escape a percent sign // in IPv6 scoped-address literals. Yay. if mode == encodeHost && unhex(s[i+1]) < 8 && s[i:i+3] != "%25" { return "", EscapeError(s[i : i+3]) } if mode == encodeZone { // RFC 6874 says basically "anything goes" for zone identifiers // and that even non-ASCII can be redundantly escaped, // but it seems prudent to restrict %-escaped bytes here to those // that are valid host name bytes in their unescaped form. // That is, you can use escaping in the zone identifier but not // to introduce bytes you couldn't just write directly. // But Windows puts spaces here! Yay. v := unhex(s[i+1])<<4 | unhex(s[i+2]) if s[i:i+3] != "%25" && v != ' ' && shouldEscape(v, encodeHost) { return "", EscapeError(s[i : i+3]) } } i += 3 case '+': hasPlus = mode == encodeQueryComponent i++ default: if (mode == encodeHost || mode == encodeZone) && s[i] < 0x80 && shouldEscape(s[i], mode) { return "", InvalidHostError(s[i : i+1]) } i++ } } if n == 0 && !hasPlus { return s, nil } t := make([]byte, len(s)-2*n) j := 0 for i := 0; i < len(s); { switch s[i] { case '%': t[j] = unhex(s[i+1])<<4 | unhex(s[i+2]) j++ i += 3 case '+': if mode == encodeQueryComponent { t[j] = ' ' } else { t[j] = '+' } j++ i++ default: t[j] = s[i] j++ i++ } } return string(t), nil } // Please be informed that for now shouldEscape does not check all // reserved characters correctly. See golang.org/issue/5684. func shouldEscape(c byte, mode encoding) bool { // §2.3 Unreserved characters (alphanum) if 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' || '0' <= c && c <= '9' { return false } if mode == encodeHost || mode == encodeZone { // §3.2.2 Host allows // sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" // as part of reg-name. // We add : because we include :port as part of host. // We add [ ] because we include [ipv6]:port as part of host. // We add < > because they're the only characters left that // we could possibly allow, and Parse will reject them if we // escape them (because hosts can't use %-encoding for // ASCII bytes). switch c { case '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=', ':', '[', ']', '<', '>', '"': return false } } switch c { case '-', '_', '.', '~': // §2.3 Unreserved characters (mark) return false case '$', '&', '+', ',', '/', ':', ';', '=', '?', '@': // §2.2 Reserved characters (reserved) // Different sections of the URL allow a few of // the reserved characters to appear unescaped. switch mode { case encodePath: // §3.3 // The RFC allows : @ & = + $ but saves / ; , for assigning // meaning to individual path segments. This package // only manipulates the path as a whole, so we allow those // last three as well. That leaves only ? to escape. return c == '?' case encodePathSegment: // §3.3 // The RFC allows : @ & = + $ but saves / ; , for assigning // meaning to individual path segments. return c == '/' || c == ';' || c == ',' || c == '?' case encodeUserPassword: // §3.2.1 // The RFC allows ';', ':', '&', '=', '+', '$', and ',' in // userinfo, so we must escape only '@', '/', and '?'. // The parsing of userinfo treats ':' as special so we must escape // that too. return c == '@' || c == '/' || c == '?' || c == ':' case encodeQueryComponent: // §3.4 // The RFC reserves (so we must escape) everything. return true case encodeFragment: // §4.1 // The RFC text is silent but the grammar allows // everything, so escape nothing. return false } } // Everything else must be escaped. return true } func ishex(c byte) bool { switch { case '0' <= c && c <= '9': return true case 'a' <= c && c <= 'f': return true case 'A' <= c && c <= 'F': return true } return false } func unhex(c byte) byte { switch { case '0' <= c && c <= '9': return c - '0' case 'a' <= c && c <= 'f': return c - 'a' + 10 case 'A' <= c && c <= 'F': return c - 'A' + 10 } return 0 }