This commit is contained in:
@@ -34,8 +34,8 @@
|
||||
1. 当前产品口径为服务器上传 AI 生成资源、Web 端只负责读取。
|
||||
2. 因此 `STS` 不作为默认上传主链,`api-server` 只暴露禁用式 contract,避免浏览器拿到 OSS 写权限。
|
||||
3. 服务端生成资源应优先复用 `OssClient::put_object`,上传成功后再走对象确认链路写入 `asset_object`。
|
||||
4. 读签名和 `HEAD Object` 的入参可以兼容 `bucket/object_key` 形式;例如 `xushi-dev/generated-square-hole-assets/.../image.png` 会先剥离当前配置 bucket,再参与 OSS V4 canonical request。若 bucket 与当前配置不一致,仍按普通 object_key 校验并拒绝不在 `generated-*` 前缀下的路径。
|
||||
5. OSS V4 `x-oss-date` 必须固定为 `yyyyMMdd'T'HHmmss'Z'`,不能依赖 `time::Time::to_string()`;后者在小时小于 10 时可能输出非补零时间,导致签名格式错误。
|
||||
4. 读签名和 `HEAD Object` 的入参必须直接传 object_key,不要把 bucket 名拼进路径;例如 `generated-square-hole-assets/.../image.png` 才是正确入参,`xushi-dev/...` 这类前缀不属于 object_key。
|
||||
5. OSS V4 `x-oss-date` 必须固定为 `yyyyMMdd'T'HHmmss'Z'`,不能依赖 `time::Time::to_string()`;后者在小时小于 10 时可能输出非补零时间,导致签名格式错误。
|
||||
|
||||
## 3. 边界约束
|
||||
|
||||
|
||||
@@ -468,7 +468,7 @@ impl OssClient {
|
||||
));
|
||||
}
|
||||
|
||||
let object_key = normalize_object_key_for_bucket(&self.config.bucket, &request.object_key)?;
|
||||
let object_key = normalize_object_key(&request.object_key)?;
|
||||
let expires_at = OffsetDateTime::now_utc()
|
||||
.checked_add(Duration::seconds(i64::try_from(expire_seconds).map_err(
|
||||
|_| OssError::InvalidRequest("expireSeconds 超出可支持范围".to_string()),
|
||||
@@ -541,7 +541,7 @@ impl OssClient {
|
||||
client: &reqwest::Client,
|
||||
request: OssHeadObjectRequest,
|
||||
) -> Result<OssHeadObjectResponse, OssError> {
|
||||
let object_key = normalize_object_key_for_bucket(&self.config.bucket, &request.object_key)?;
|
||||
let object_key = normalize_object_key(&request.object_key)?;
|
||||
let target_url = build_object_url(&self.config.bucket, &self.config.endpoint, &object_key)
|
||||
.map_err(|error| OssError::Request(format!("构造 OSS 对象 URL 失败:{error}")))?;
|
||||
let response = send_signed_request(
|
||||
@@ -764,17 +764,6 @@ fn build_object_key(
|
||||
parts.join("/")
|
||||
}
|
||||
|
||||
fn normalize_object_key_for_bucket(bucket: &str, raw: &str) -> Result<String, OssError> {
|
||||
let normalized = raw.trim().trim_start_matches('/').trim().to_string();
|
||||
let bucket_prefix = format!("{}/", bucket.trim().trim_matches('/'));
|
||||
let object_key = normalized
|
||||
.strip_prefix(&bucket_prefix)
|
||||
.unwrap_or(normalized.as_str())
|
||||
.to_string();
|
||||
|
||||
normalize_object_key(&object_key)
|
||||
}
|
||||
|
||||
fn normalize_object_key(raw: &str) -> Result<String, OssError> {
|
||||
let normalized = raw.trim().trim_start_matches('/').trim().to_string();
|
||||
if normalized.is_empty() {
|
||||
@@ -1470,7 +1459,7 @@ mod tests {
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn sign_get_object_url_accepts_bucket_prefixed_square_hole_key() {
|
||||
fn sign_get_object_url_uses_square_hole_object_key_without_bucket_prefix() {
|
||||
let client = OssClient::new(
|
||||
OssConfig::new(
|
||||
"xushi-dev".to_string(),
|
||||
@@ -1487,10 +1476,10 @@ mod tests {
|
||||
|
||||
let response = client
|
||||
.sign_get_object_url(OssSignedGetObjectUrlRequest {
|
||||
object_key: "xushi-dev/generated-square-hole-assets/square-hole-session-546d881972684be2980a2a882cd0cc71/square-hole-profile-134411276ce1469cbe398f946a25d7f8/square-hole-shape-image/rabbit-option/asset-1777979289912039/image.png".to_string(),
|
||||
object_key: "generated-square-hole-assets/square-hole-session-546d881972684be2980a2a882cd0cc71/square-hole-profile-134411276ce1469cbe398f946a25d7f8/square-hole-shape-image/rabbit-option/asset-1777979289912039/image.png".to_string(),
|
||||
expire_seconds: Some(300),
|
||||
})
|
||||
.expect("bucket-prefixed square hole key should build signed url");
|
||||
.expect("square hole object key should build signed url");
|
||||
|
||||
assert_eq!(response.bucket, "xushi-dev".to_string());
|
||||
assert_eq!(
|
||||
|
||||
Reference in New Issue
Block a user