Use private ACL for private videos in s3

author: Chocobozzz <me@florianbigard.com> 2022-10-19 10:43:53 +0200
committer: Chocobozzz <chocobozzz@cpy.re> 2022-10-24 14:48:24 +0200
commit: 9ab330b90decf4edf152ff8e1d2948c065766b2c (patch)
tree: 29d924f50f7307e8e828a57ecb9ea78623487ce0 /server/controllers
parent: 3545e72c686ff1725bbdfd8d16d693e2f4aa75a3 (diff)
download: PeerTube-9ab330b90decf4edf152ff8e1d2948c065766b2c.tar.gz
PeerTube-9ab330b90decf4edf152ff8e1d2948c065766b2c.tar.zst
PeerTube-9ab330b90decf4edf152ff8e1d2948c065766b2c.zip
3 files changed, 104 insertions, 7 deletions
diff --git a/server/controllers/download.ts b/server/controllers/download.ts
index abd1df26f..d9f34109f 100644
--- a/server/controllers/download.ts
+++ b/server/controllers/download.ts
@@ -5,6 +5,7 @@ import { VideosTorrentCache } from '@server/lib/files-cache/videos-torrent-cache
 import { Hooks } from '@server/lib/plugins/hooks'
 import { VideoPathManager } from '@server/lib/video-path-manager'
 import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'
+import { addQueryParams } from '@shared/core-utils'
 import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
 import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'
 import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'
@@ -84,7 +85,7 @@ async function downloadVideoFile (req: express.Request, res: express.Response) {
  if (!checkAllowResult(res, allowParameters, allowedResult)) return
  if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {
-    return res.redirect(videoFile.getObjectStorageUrl())
+    return redirectToObjectStorage({ req, res, video, file: videoFile })
  }
  await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(video), path => {
@@ -120,7 +121,7 @@ async function downloadHLSVideoFile (req: express.Request, res: express.Response
  if (!checkAllowResult(res, allowParameters, allowedResult)) return
  if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {
-    return res.redirect(videoFile.getObjectStorageUrl())
+    return redirectToObjectStorage({ req, res, video, file: videoFile })
  }
  await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(streamingPlaylist), path => {
@@ -174,3 +175,20 @@ function checkAllowResult (res: express.Response, allowParameters: any, result?:
  return true
 }
+function redirectToObjectStorage (options: {
+  req: express.Request
+  res: express.Response
+  video: MVideo
+  file: MVideoFile
+}) {
+  const { req, res, video, file } = options
+  const baseUrl = file.getObjectStorageUrl(video)
+  const url = video.hasPrivateStaticPath() && req.query.videoFileToken
+    ? addQueryParams(baseUrl, { videoFileToken: req.query.videoFileToken })
+    : baseUrl
+  return res.redirect(url)
+}
diff --git a/server/controllers/index.ts b/server/controllers/index.ts
index 8574a9e7b..eaa2dd7c8 100644
--- a/server/controllers/index.ts
+++ b/server/controllers/index.ts
@@ -1,14 +1,15 @@
 export * from './activitypub'
 export * from './api'
+export * from './bots'
 export * from './client'
 export * from './download'
 export * from './feeds'
-export * from './services'
-export * from './static'
 export * from './lazy-static'
 export * from './misc'
-export * from './webfinger'
+export * from './object-storage-proxy'
-export * from './tracker'
-export * from './bots'
 export * from './plugins'
+export * from './services'
+export * from './static'
+export * from './tracker'
+export * from './webfinger'
 export * from './well-known'
diff --git a/server/controllers/object-storage-proxy.ts b/server/controllers/object-storage-proxy.ts
new file mode 100644
index 000000000..6fedcfd8f
--- /dev/null
+++ b/server/controllers/object-storage-proxy.ts
@@ -0,0 +1,78 @@
+import cors from 'cors'
+import express from 'express'
+import { OBJECT_STORAGE_PROXY_PATHS } from '@server/initializers/constants'
+import { getHLSFileReadStream, getWebTorrentFileReadStream } from '@server/lib/object-storage'
+import {
+  asyncMiddleware,
+  ensureCanAccessPrivateVideoHLSFiles,
+  ensureCanAccessVideoPrivateWebTorrentFiles,
+  optionalAuthenticate
+} from '@server/middlewares'
+import { HttpStatusCode } from '@shared/models'
+const objectStorageProxyRouter = express.Router()
+objectStorageProxyRouter.use(cors())
+objectStorageProxyRouter.get(OBJECT_STORAGE_PROXY_PATHS.PRIVATE_WEBSEED + ':filename',
+  optionalAuthenticate,
+  asyncMiddleware(ensureCanAccessVideoPrivateWebTorrentFiles),
+  asyncMiddleware(proxifyWebTorrent)
+)
+objectStorageProxyRouter.get(OBJECT_STORAGE_PROXY_PATHS.STREAMING_PLAYLISTS.PRIVATE_HLS + ':videoUUID/:filename',
+  optionalAuthenticate,
+  asyncMiddleware(ensureCanAccessPrivateVideoHLSFiles),
+  asyncMiddleware(proxifyHLS)
+)
+// ---------------------------------------------------------------------------
+export {
+  objectStorageProxyRouter
+}
+async function proxifyWebTorrent (req: express.Request, res: express.Response) {
+  const filename = req.params.filename
+  try {
+    const stream = await getWebTorrentFileReadStream({
+      filename,
+      rangeHeader: req.header('range')
+    })
+    return stream.pipe(res)
+  } catch (err) {
+    return handleObjectStorageFailure(res, err)
+  }
+}
+async function proxifyHLS (req: express.Request, res: express.Response) {
+  const playlist = res.locals.videoStreamingPlaylist
+  const video = res.locals.onlyVideo
+  const filename = req.params.filename
+  try {
+    const stream = await getHLSFileReadStream({
+      playlist: playlist.withVideo(video),
+      filename,
+      rangeHeader: req.header('range')
+    })
+    return stream.pipe(res)
+  } catch (err) {
+    return handleObjectStorageFailure(res, err)
+  }
+}
+function handleObjectStorageFailure (res: express.Response, err: Error) {
+  if (err.name === 'NoSuchKey') {
+    return res.sendStatus(HttpStatusCode.NOT_FOUND_404)
+  }
+  return res.fail({
+    status: HttpStatusCode.INTERNAL_SERVER_ERROR_500,
+    message: err.message,
+    type: err.name
+  })
+}
author	Chocobozzz <me@florianbigard.com>	2022-10-19 10:43:53 +0200
committer	Chocobozzz <chocobozzz@cpy.re>	2022-10-24 14:48:24 +0200
commit	9ab330b90decf4edf152ff8e1d2948c065766b2c (patch)
tree	29d924f50f7307e8e828a57ecb9ea78623487ce0 /server/controllers
parent	3545e72c686ff1725bbdfd8d16d693e2f4aa75a3 (diff)
download	PeerTube-9ab330b90decf4edf152ff8e1d2948c065766b2c.tar.gz PeerTube-9ab330b90decf4edf152ff8e1d2948c065766b2c.tar.zst PeerTube-9ab330b90decf4edf152ff8e1d2948c065766b2c.zip

diff --git a/server/controllers/download.ts b/server/controllers/download.ts index abd1df26f..d9f34109f 100644 --- a/server/controllers/download.ts +++ b/server/controllers/download.ts
@@ -5,6 +5,7 @@ import { VideosTorrentCache } from '@server/lib/files-cache/videos-torrent-cache
5	import { Hooks } from '@server/lib/plugins/hooks'	5	import { Hooks } from '@server/lib/plugins/hooks'
6	import { VideoPathManager } from '@server/lib/video-path-manager'	6	import { VideoPathManager } from '@server/lib/video-path-manager'
7	import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'	7	import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'
		8	import { addQueryParams } from '@shared/core-utils'
8	import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'	9	import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
9	import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'	10	import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'
10	import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'	11	import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'
@@ -84,7 +85,7 @@ async function downloadVideoFile (req: express.Request, res: express.Response) {
84	if (!checkAllowResult(res, allowParameters, allowedResult)) return	85	if (!checkAllowResult(res, allowParameters, allowedResult)) return
85		86
86	if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {	87	if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {
87	return res.redirect(videoFile.getObjectStorageUrl())	88	return redirectToObjectStorage({ req, res, video, file: videoFile })
88	}	89	}
89		90
90	await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(video), path => {	91	await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(video), path => {
@@ -120,7 +121,7 @@ async function downloadHLSVideoFile (req: express.Request, res: express.Response
120	if (!checkAllowResult(res, allowParameters, allowedResult)) return	121	if (!checkAllowResult(res, allowParameters, allowedResult)) return
121		122
122	if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {	123	if (videoFile.storage === VideoStorage.OBJECT_STORAGE) {
123	return res.redirect(videoFile.getObjectStorageUrl())	124	return redirectToObjectStorage({ req, res, video, file: videoFile })
124	}	125	}
125		126
126	await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(streamingPlaylist), path => {	127	await VideoPathManager.Instance.makeAvailableVideoFile(videoFile.withVideoOrPlaylist(streamingPlaylist), path => {
@@ -174,3 +175,20 @@ function checkAllowResult (res: express.Response, allowParameters: any, result?:
174		175
175	return true	176	return true
176	}	177	}
		178
		179	function redirectToObjectStorage (options: {
		180	req: express.Request
		181	res: express.Response
		182	video: MVideo
		183	file: MVideoFile
		184	}) {
		185	const { req, res, video, file } = options
		186
		187	const baseUrl = file.getObjectStorageUrl(video)
		188
		189	const url = video.hasPrivateStaticPath() && req.query.videoFileToken
		190	? addQueryParams(baseUrl, { videoFileToken: req.query.videoFileToken })
		191	: baseUrl
		192
		193	return res.redirect(url)
		194	}


diff --git a/server/controllers/index.ts b/server/controllers/index.ts index 8574a9e7b..eaa2dd7c8 100644 --- a/server/controllers/index.ts +++ b/server/controllers/index.ts
@@ -1,14 +1,15 @@
1	export * from './activitypub'	1	export * from './activitypub'
2	export * from './api'	2	export * from './api'
		3	export * from './bots'
3	export * from './client'	4	export * from './client'
4	export * from './download'	5	export * from './download'
5	export * from './feeds'	6	export * from './feeds'
6	export * from './services'
7	export * from './static'
8	export * from './lazy-static'	7	export * from './lazy-static'
9	export * from './misc'	8	export * from './misc'
10	export * from './webfinger'	9	export * from './object-storage-proxy'
11	export * from './tracker'
12	export * from './bots'
13	export * from './plugins'	10	export * from './plugins'
		11	export * from './services'
		12	export * from './static'
		13	export * from './tracker'
		14	export * from './webfinger'
14	export * from './well-known'	15	export * from './well-known'


diff --git a/server/controllers/object-storage-proxy.ts b/server/controllers/object-storage-proxy.ts new file mode 100644 index 000000000..6fedcfd8f --- /dev/null +++ b/server/controllers/object-storage-proxy.ts
@@ -0,0 +1,78 @@
		1	import cors from 'cors'
		2	import express from 'express'
		3	import { OBJECT_STORAGE_PROXY_PATHS } from '@server/initializers/constants'
		4	import { getHLSFileReadStream, getWebTorrentFileReadStream } from '@server/lib/object-storage'
		5	import {
		6	asyncMiddleware,
		7	ensureCanAccessPrivateVideoHLSFiles,
		8	ensureCanAccessVideoPrivateWebTorrentFiles,
		9	optionalAuthenticate
		10	} from '@server/middlewares'
		11	import { HttpStatusCode } from '@shared/models'
		12
		13	const objectStorageProxyRouter = express.Router()
		14
		15	objectStorageProxyRouter.use(cors())
		16
		17	objectStorageProxyRouter.get(OBJECT_STORAGE_PROXY_PATHS.PRIVATE_WEBSEED + ':filename',
		18	optionalAuthenticate,
		19	asyncMiddleware(ensureCanAccessVideoPrivateWebTorrentFiles),
		20	asyncMiddleware(proxifyWebTorrent)
		21	)
		22
		23	objectStorageProxyRouter.get(OBJECT_STORAGE_PROXY_PATHS.STREAMING_PLAYLISTS.PRIVATE_HLS + ':videoUUID/:filename',
		24	optionalAuthenticate,
		25	asyncMiddleware(ensureCanAccessPrivateVideoHLSFiles),
		26	asyncMiddleware(proxifyHLS)
		27	)
		28
		29	// ---------------------------------------------------------------------------
		30
		31	export {
		32	objectStorageProxyRouter
		33	}
		34
		35	async function proxifyWebTorrent (req: express.Request, res: express.Response) {
		36	const filename = req.params.filename
		37
		38	try {
		39	const stream = await getWebTorrentFileReadStream({
		40	filename,
		41	rangeHeader: req.header('range')
		42	})
		43
		44	return stream.pipe(res)
		45	} catch (err) {
		46	return handleObjectStorageFailure(res, err)
		47	}
		48	}
		49
		50	async function proxifyHLS (req: express.Request, res: express.Response) {
		51	const playlist = res.locals.videoStreamingPlaylist
		52	const video = res.locals.onlyVideo
		53	const filename = req.params.filename
		54
		55	try {
		56	const stream = await getHLSFileReadStream({
		57	playlist: playlist.withVideo(video),
		58	filename,
		59	rangeHeader: req.header('range')
		60	})
		61
		62	return stream.pipe(res)
		63	} catch (err) {
		64	return handleObjectStorageFailure(res, err)
		65	}
		66	}
		67
		68	function handleObjectStorageFailure (res: express.Response, err: Error) {
		69	if (err.name === 'NoSuchKey') {
		70	return res.sendStatus(HttpStatusCode.NOT_FOUND_404)
		71	}
		72
		73	return res.fail({
		74	status: HttpStatusCode.INTERNAL_SERVER_ERROR_500,
		75	message: err.message,
		76	type: err.name
		77	})
		78	}