feat: Crypt driver, improve http/webdav handling (#4884)

this PR has several enhancements, fixes, and features: - [x] Crypt: a transparent encryption driver. Anyone can easily, and safely store encrypted data on the remote storage provider. Consider your data is safely stored in the safe, and the storage provider can only see the safe, but not your data. - [x] Optional: compatible with [Rclone Crypt](https://rclone.org/crypt/). More ways to manipulate the encrypted data. - [x] directory and filename encryption - [x] server-side encryption mode (server encrypts & decrypts all data, all data flows thru the server) - [x] obfuscate sensitive information internally - [x] introduced a server memory-cached multi-thread downloader. - [x] Driver: **Quark** enabled this feature, faster load in any single thread scenario. e.g. media player directly playing from the link, now it's faster. - [x] general improvement on HTTP/WebDAV stream processing & header handling & response handling - [x] Driver: **Mega** driver support ranged http header - [x] Driver: **Quark** fix bug of not closing HTTP request to Quark server while user end has closed connection to alist ## Crypt, a transparent Encrypt/Decrypt Driver. (Rclone Crypt compatible) e.g. Crypt mount path -> /vault Crypt remote path -> /ali/encrypted Aliyun mount paht -> /ali when the user uploads a.jpg to /vault, the data will be encrypted and saved to /ali/encrypted/xxxxx. And when the user wants to access a.jpg, it's automatically decrypted, and the user can do anything with it. Since it's Rclone Crypt compatible, users can download /ali/encrypted/xxxxx and decrypt it with rclone crypt tool. Or the user can mount this folder using rclone, then mount the decrypted folder in Linux... NB. Some breaking changes is made to make it follow global standard, e.g. processing the HTTP header properly. close #4679 close #4827 Co-authored-by: Sean He <866155+seanhe26@users.noreply.github.com> Co-authored-by: Andy Hsu <i@nn.ci>
2023-08-02 14:40:36 +08:00
parent 1dc1dd1f07
commit 3c21a9a520
38 changed files with 2861 additions and 335 deletions
--- a/drivers/all.go
+++ b/drivers/all.go
@ -16,6 +16,7 @@ import (
 	_ "github.com/alist-org/alist/v3/drivers/baidu_photo"
 	_ "github.com/alist-org/alist/v3/drivers/baidu_share"
 	_ "github.com/alist-org/alist/v3/drivers/cloudreve"
+	_ "github.com/alist-org/alist/v3/drivers/crypt"
 	_ "github.com/alist-org/alist/v3/drivers/dropbox"
 	_ "github.com/alist-org/alist/v3/drivers/ftp"
 	_ "github.com/alist-org/alist/v3/drivers/google_drive"
--- a/drivers/baidu_photo/utils.go
+++ b/drivers/baidu_photo/utils.go
@ -3,7 +3,6 @@ package baiduphoto
 import (
 	"context"
 	"fmt"
-	"io"
 	"net/http"

 	"github.com/alist-org/alist/v3/drivers/base"
@ -400,7 +399,7 @@ func (d *BaiduPhoto) linkFile(ctx context.Context, file *File, args model.LinkAr
 	return link, nil
 }

-func (d *BaiduPhoto) linkStreamAlbum(ctx context.Context, file *AlbumFile) (*model.Link, error) {
+/*func (d *BaiduPhoto) linkStreamAlbum(ctx context.Context, file *AlbumFile) (*model.Link, error) {
 	return &model.Link{
 		Header: http.Header{},
 		Writer: func(w io.Writer) error {
@ -421,9 +420,9 @@ func (d *BaiduPhoto) linkStreamAlbum(ctx context.Context, file *AlbumFile) (*mod
 			return err
 		},
 	}, nil
-}
+}*/

-func (d *BaiduPhoto) linkStream(ctx context.Context, file *File) (*model.Link, error) {
+/*func (d *BaiduPhoto) linkStream(ctx context.Context, file *File) (*model.Link, error) {
 	return &model.Link{
 		Header: http.Header{},
 		Writer: func(w io.Writer) error {
@ -441,7 +440,7 @@ func (d *BaiduPhoto) linkStream(ctx context.Context, file *File) (*model.Link, e
 			return err
 		},
 	}, nil
-}
+}*/

 // 获取uk
 func (d *BaiduPhoto) uInfo() (*UInfo, error) {
--- a/drivers/base/util.go
+++ b/drivers/base/util.go
@ -1,30 +1,19 @@
 package base

-import (
-	"io"
-	"net/http"
-	"strconv"
+import "io"

-	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/pkg/http_range"
-	"github.com/alist-org/alist/v3/pkg/utils"
-)
+type Closers struct {
+	closers []io.Closer
+}

-func HandleRange(link *model.Link, file io.ReadSeekCloser, header http.Header, size int64) {
-	if header.Get("Range") != "" {
-		r, err := http_range.ParseRange(header.Get("Range"), size)
-		if err == nil && len(r) > 0 {
-			_, err := file.Seek(r[0].Start, io.SeekStart)
-			if err == nil {
-				link.Data = utils.NewLimitReadCloser(file, func() error {
-					return file.Close()
-				}, r[0].Length)
-				link.Status = http.StatusPartialContent
-				link.Header = http.Header{
-					"Content-Range":  []string{r[0].ContentRange(size)},
-					"Content-Length": []string{strconv.FormatInt(r[0].Length, 10)},
-				}
-			}
+func (c *Closers) Close() (err error) {
+	for _, closer := range c.closers {
+		if closer != nil {
+			_ = closer.Close()
 		}
 	}
+	return nil
+}
+func (c *Closers) Add(closer io.Closer) {
+	c.closers = append(c.closers, closer)
 }
--- a/drivers/crypt/driver.go
+++ b/drivers/crypt/driver.go
@ -0,0 +1,409 @@
+package crypt
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	stdpath "path"
+	"regexp"
+	"strings"
+
+	"github.com/alist-org/alist/v3/internal/driver"
+	"github.com/alist-org/alist/v3/internal/errs"
+	"github.com/alist-org/alist/v3/internal/fs"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/net"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/pkg/http_range"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	rcCrypt "github.com/rclone/rclone/backend/crypt"
+	"github.com/rclone/rclone/fs/config/configmap"
+	"github.com/rclone/rclone/fs/config/obscure"
+	log "github.com/sirupsen/logrus"
+)
+
+type Crypt struct {
+	model.Storage
+	Addition
+	cipher        *rcCrypt.Cipher
+	remoteStorage driver.Driver
+}
+
+const obfuscatedPrefix = "___Obfuscated___"
+
+func (d *Crypt) Config() driver.Config {
+	return config
+}
+
+func (d *Crypt) GetAddition() driver.Additional {
+	return &d.Addition
+}
+
+func (d *Crypt) Init(ctx context.Context) error {
+	//obfuscate credentials if it's updated or just created
+	err := d.updateObfusParm(&d.Password)
+	if err != nil {
+		return fmt.Errorf("failed to obfuscate password: %w", err)
+	}
+	err = d.updateObfusParm(&d.Salt)
+	if err != nil {
+		return fmt.Errorf("failed to obfuscate salt: %w", err)
+	}
+
+	isCryptExt := regexp.MustCompile(`^[.][A-Za-z0-9-_]{2,}$`).MatchString
+	if !isCryptExt(d.EncryptedSuffix) {
+		return fmt.Errorf("EncryptedSuffix is Illegal")
+	}
+
+	op.MustSaveDriverStorage(d)
+
+	//need remote storage exist
+	storage, err := fs.GetStorage(d.RemotePath, &fs.GetStoragesArgs{})
+	if err != nil {
+		return fmt.Errorf("can't find remote storage: %w", err)
+	}
+	d.remoteStorage = storage
+
+	p, _ := strings.CutPrefix(d.Password, obfuscatedPrefix)
+	p2, _ := strings.CutPrefix(d.Salt, obfuscatedPrefix)
+	config := configmap.Simple{
+		"password":                  p,
+		"password2":                 p2,
+		"filename_encryption":       d.FileNameEnc,
+		"directory_name_encryption": d.DirNameEnc,
+		"filename_encoding":         "base64",
+		"suffix":                    d.EncryptedSuffix,
+		"pass_bad_blocks":           "",
+	}
+	c, err := rcCrypt.NewCipher(config)
+	if err != nil {
+		return fmt.Errorf("failed to create Cipher: %w", err)
+	}
+	d.cipher = c
+
+	//c, err := rcCrypt.newCipher(rcCrypt.NameEncryptionStandard, "", "", true, nil)
+	return nil
+}
+
+func (d *Crypt) updateObfusParm(str *string) error {
+	temp := *str
+	if !strings.HasPrefix(temp, obfuscatedPrefix) {
+		temp, err := obscure.Obscure(temp)
+		if err != nil {
+			return err
+		}
+		temp = obfuscatedPrefix + temp
+		*str = temp
+	}
+	return nil
+}
+
+func (d *Crypt) Drop(ctx context.Context) error {
+	return nil
+}
+
+func (d *Crypt) List(ctx context.Context, dir model.Obj, args model.ListArgs) ([]model.Obj, error) {
+	path := dir.GetPath()
+	//return d.list(ctx, d.RemotePath, path)
+	//remoteFull
+
+	objs, err := fs.List(ctx, d.getPathForRemote(path, true), &fs.ListArgs{NoLog: true})
+	// the obj must implement the model.SetPath interface
+	// return objs, err
+	if err != nil {
+		return nil, err
+	}
+
+	var result []model.Obj
+	for _, obj := range objs {
+		if obj.IsDir() {
+			name, err := d.cipher.DecryptDirName(obj.GetName())
+			if err != nil {
+				//filter illegal files
+				continue
+			}
+			objRes := model.Object{
+				Name:     name,
+				Size:     0,
+				Modified: obj.ModTime(),
+				IsFolder: obj.IsDir(),
+			}
+			result = append(result, &objRes)
+		} else {
+			thumb, ok := model.GetThumb(obj)
+			size, err := d.cipher.DecryptedSize(obj.GetSize())
+			if err != nil {
+				//filter illegal files
+				continue
+			}
+			name, err := d.cipher.DecryptFileName(obj.GetName())
+			if err != nil {
+				//filter illegal files
+				continue
+			}
+			objRes := model.Object{
+				Name:     name,
+				Size:     size,
+				Modified: obj.ModTime(),
+				IsFolder: obj.IsDir(),
+			}
+			if !ok {
+				result = append(result, &objRes)
+			} else {
+				objWithThumb := model.ObjThumb{
+					Object: objRes,
+					Thumbnail: model.Thumbnail{
+						Thumbnail: thumb,
+					},
+				}
+				result = append(result, &objWithThumb)
+			}
+		}
+	}
+
+	return result, nil
+}
+
+func (d *Crypt) Get(ctx context.Context, path string) (model.Obj, error) {
+	if utils.PathEqual(path, "/") {
+		return &model.Object{
+			Name:     "Root",
+			IsFolder: true,
+			Path:     "/",
+		}, nil
+	}
+	remoteFullPath := ""
+	var remoteObj model.Obj
+	var err, err2 error
+	firstTryIsFolder, secondTry := guessPath(path)
+	remoteFullPath = d.getPathForRemote(path, firstTryIsFolder)
+	remoteObj, err = fs.Get(ctx, remoteFullPath, &fs.GetArgs{NoLog: true})
+	if err != nil {
+		if errs.IsObjectNotFound(err) && secondTry {
+			//try the opposite
+			remoteFullPath = d.getPathForRemote(path, !firstTryIsFolder)
+			remoteObj, err2 = fs.Get(ctx, remoteFullPath, &fs.GetArgs{NoLog: true})
+			if err2 != nil {
+				return nil, err2
+			}
+		} else {
+			return nil, err
+		}
+	}
+	var size int64 = 0
+	name := ""
+	if !remoteObj.IsDir() {
+		size, err = d.cipher.DecryptedSize(remoteObj.GetSize())
+		if err != nil {
+			log.Warnf("DecryptedSize failed for %s ,will use original size, err:%s", path, err)
+			size = remoteObj.GetSize()
+		}
+		name, err = d.cipher.DecryptFileName(remoteObj.GetName())
+		if err != nil {
+			log.Warnf("DecryptFileName failed for %s ,will use original name, err:%s", path, err)
+			name = remoteObj.GetName()
+		}
+	} else {
+		name, err = d.cipher.DecryptDirName(remoteObj.GetName())
+		if err != nil {
+			log.Warnf("DecryptDirName failed for %s ,will use original name, err:%s", path, err)
+			name = remoteObj.GetName()
+		}
+	}
+	obj := &model.Object{
+		Path:     path,
+		Name:     name,
+		Size:     size,
+		Modified: remoteObj.ModTime(),
+		IsFolder: remoteObj.IsDir(),
+	}
+	return obj, nil
+	//return nil, errs.ObjectNotFound
+}
+
+func (d *Crypt) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*model.Link, error) {
+	dstDirActualPath, err := d.getActualPathForRemote(file.GetPath(), false)
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	remoteLink, remoteFile, err := op.Link(ctx, d.remoteStorage, dstDirActualPath, args)
+	if err != nil {
+		return nil, err
+	}
+
+	if remoteLink.RangeReadCloser.RangeReader == nil && remoteLink.ReadSeekCloser == nil && len(remoteLink.URL) == 0 {
+		return nil, fmt.Errorf("the remote storage driver need to be enhanced to support encrytion")
+	}
+	remoteFileSize := remoteFile.GetSize()
+	var remoteCloser io.Closer
+	rangeReaderFunc := func(ctx context.Context, underlyingOffset, underlyingLength int64) (io.ReadCloser, error) {
+		length := underlyingLength
+		if underlyingLength >= 0 && underlyingOffset+underlyingLength >= remoteFileSize {
+			length = -1
+		}
+		if remoteLink.RangeReadCloser.RangeReader != nil {
+			//remoteRangeReader, err :=
+			remoteReader, err := remoteLink.RangeReadCloser.RangeReader(http_range.Range{Start: underlyingOffset, Length: length})
+			if err != nil {
+				return nil, err
+			}
+			return remoteReader, nil
+		}
+		if remoteLink.ReadSeekCloser != nil {
+			_, err := remoteLink.ReadSeekCloser.Seek(underlyingOffset, io.SeekStart)
+			if err != nil {
+				return nil, err
+			}
+			//keep reuse same ReadSeekCloser and close at last.
+			remoteCloser = remoteLink.ReadSeekCloser
+			return io.NopCloser(remoteLink.ReadSeekCloser), nil
+		}
+		if len(remoteLink.URL) > 0 {
+			rangedRemoteLink := &model.Link{
+				URL:    remoteLink.URL,
+				Header: remoteLink.Header,
+			}
+			response, err := RequestRangedHttp(args.HttpReq, rangedRemoteLink, underlyingOffset, length)
+			if err != nil {
+				return nil, fmt.Errorf("remote storage http request failure,status: %d err:%s", response.StatusCode, err)
+			}
+			if underlyingOffset == 0 && length == -1 || response.StatusCode == http.StatusPartialContent {
+				return response.Body, nil
+			} else if response.StatusCode == http.StatusOK {
+				log.Warnf("remote http server not supporting range request, expect low perfromace!")
+				readCloser, err := net.GetRangedHttpReader(response.Body, underlyingOffset, length)
+				if err != nil {
+					return nil, err
+				}
+				return readCloser, nil
+			}
+
+			return response.Body, nil
+		}
+		//if remoteLink.Data != nil {
+		//	log.Warnf("remote storage not supporting range request, expect low perfromace!")
+		//	readCloser, err := net.GetRangedHttpReader(remoteLink.Data, underlyingOffset, length)
+		//	remoteCloser = remoteLink.Data
+		//	if err != nil {
+		//		return nil, err
+		//	}
+		//	return readCloser, nil
+		//}
+		return nil, errs.NotSupport
+
+	}
+	resultRangeReader := func(httpRange http_range.Range) (io.ReadCloser, error) {
+		readSeeker, err := d.cipher.DecryptDataSeek(ctx, rangeReaderFunc, httpRange.Start, httpRange.Length)
+		if err != nil {
+			return nil, err
+		}
+		return readSeeker, nil
+	}
+
+	resultRangeReadCloser := &model.RangeReadCloser{RangeReader: resultRangeReader, Closer: remoteCloser}
+	resultLink := &model.Link{
+		Header:          remoteLink.Header,
+		RangeReadCloser: *resultRangeReadCloser,
+		Expiration:      remoteLink.Expiration,
+	}
+
+	return resultLink, nil
+
+}
+
+func (d *Crypt) MakeDir(ctx context.Context, parentDir model.Obj, dirName string) error {
+	dstDirActualPath, err := d.getActualPathForRemote(parentDir.GetPath(), true)
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	dir := d.cipher.EncryptDirName(dirName)
+	return op.MakeDir(ctx, d.remoteStorage, stdpath.Join(dstDirActualPath, dir))
+}
+
+func (d *Crypt) Move(ctx context.Context, srcObj, dstDir model.Obj) error {
+	srcRemoteActualPath, err := d.getActualPathForRemote(srcObj.GetPath(), srcObj.IsDir())
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	dstRemoteActualPath, err := d.getActualPathForRemote(dstDir.GetPath(), dstDir.IsDir())
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	return op.Move(ctx, d.remoteStorage, srcRemoteActualPath, dstRemoteActualPath)
+}
+
+func (d *Crypt) Rename(ctx context.Context, srcObj model.Obj, newName string) error {
+	remoteActualPath, err := d.getActualPathForRemote(srcObj.GetPath(), srcObj.IsDir())
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	var newEncryptedName string
+	if srcObj.IsDir() {
+		newEncryptedName = d.cipher.EncryptDirName(newName)
+	} else {
+		newEncryptedName = d.cipher.EncryptFileName(newName)
+	}
+	return op.Rename(ctx, d.remoteStorage, remoteActualPath, newEncryptedName)
+}
+
+func (d *Crypt) Copy(ctx context.Context, srcObj, dstDir model.Obj) error {
+	srcRemoteActualPath, err := d.getActualPathForRemote(srcObj.GetPath(), srcObj.IsDir())
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	dstRemoteActualPath, err := d.getActualPathForRemote(dstDir.GetPath(), dstDir.IsDir())
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	return op.Copy(ctx, d.remoteStorage, srcRemoteActualPath, dstRemoteActualPath)
+
+}
+
+func (d *Crypt) Remove(ctx context.Context, obj model.Obj) error {
+	remoteActualPath, err := d.getActualPathForRemote(obj.GetPath(), obj.IsDir())
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+	return op.Remove(ctx, d.remoteStorage, remoteActualPath)
+}
+
+func (d *Crypt) Put(ctx context.Context, dstDir model.Obj, stream model.FileStreamer, up driver.UpdateProgress) error {
+	dstDirActualPath, err := d.getActualPathForRemote(dstDir.GetPath(), true)
+	if err != nil {
+		return fmt.Errorf("failed to convert path to remote path: %w", err)
+	}
+
+	in := stream.GetReadCloser()
+	// Encrypt the data into wrappedIn
+	wrappedIn, err := d.cipher.EncryptData(in)
+	if err != nil {
+		return fmt.Errorf("failed to EncryptData: %w", err)
+	}
+
+	streamOut := &model.FileStream{
+		Obj: &model.Object{
+			ID:       stream.GetID(),
+			Path:     stream.GetPath(),
+			Name:     d.cipher.EncryptFileName(stream.GetName()),
+			Size:     d.cipher.EncryptedSize(stream.GetSize()),
+			Modified: stream.ModTime(),
+			IsFolder: stream.IsDir(),
+		},
+		ReadCloser:   io.NopCloser(wrappedIn),
+		Mimetype:     "application/octet-stream",
+		WebPutAsTask: stream.NeedStore(),
+		Old:          stream.GetOld(),
+	}
+	err = op.Put(ctx, d.remoteStorage, dstDirActualPath, streamOut, up, false)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+//func (d *Safe) Other(ctx context.Context, args model.OtherArgs) (interface{}, error) {
+//	return nil, errs.NotSupport
+//}
+
+var _ driver.Driver = (*Crypt)(nil)
--- a/drivers/crypt/meta.go
+++ b/drivers/crypt/meta.go
@ -0,0 +1,47 @@
+package crypt
+
+import (
+	"github.com/alist-org/alist/v3/internal/driver"
+	"github.com/alist-org/alist/v3/internal/op"
+)
+
+type Addition struct {
+	// Usually one of two
+	//driver.RootPath
+	//driver.RootID
+	// define other
+
+	FileNameEnc string `json:"filename_encryption" type:"select" required:"true" options:"off,standard,obfuscate" default:"off"`
+	DirNameEnc  string `json:"directory_name_encryption" type:"select" required:"true" options:"false,true" default:"false"`
+	RemotePath  string `json:"remote_path" required:"true" help:"This is where the encrypted data stores"`
+
+	Password        string `json:"password" required:"true" confidential:"true" help:"the main password"`
+	Salt            string `json:"salt" confidential:"true"  help:"If you don't know what is salt, treat it as a second password'. Optional but recommended"`
+	EncryptedSuffix string `json:"encrypted_suffix" required:"true" default:".bin" help:"encrypted files will have this suffix"`
+}
+
+/*// inMemory contains decrypted confidential info and other temp data. will not persist these info anywhere
+type inMemory struct {
+	password string
+	salt     string
+}*/
+
+var config = driver.Config{
+	Name:              "Crypt",
+	LocalSort:         true,
+	OnlyLocal:         false,
+	OnlyProxy:         true,
+	NoCache:           true,
+	NoUpload:          false,
+	NeedMs:            false,
+	DefaultRoot:       "/",
+	CheckStatus:       false,
+	Alert:             "",
+	NoOverwriteUpload: false,
+}
+
+func init() {
+	op.RegisterDriver(func() driver.Driver {
+		return &Crypt{}
+	})
+}
--- a/drivers/crypt/types.go
+++ b/drivers/crypt/types.go
@ -0,0 +1 @@
+package crypt
--- a/drivers/crypt/util.go
+++ b/drivers/crypt/util.go
@ -0,0 +1,55 @@
+package crypt
+
+import (
+	"net/http"
+	stdpath "path"
+	"path/filepath"
+	"strings"
+
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/net"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/pkg/http_range"
+)
+
+func RequestRangedHttp(r *http.Request, link *model.Link, offset, length int64) (*http.Response, error) {
+	header := net.ProcessHeader(&http.Header{}, &link.Header)
+	header = http_range.ApplyRangeToHttpHeader(http_range.Range{Start: offset, Length: length}, header)
+
+	return net.RequestHttp("GET", header, link.URL)
+}
+
+// will give the best guessing based on the path
+func guessPath(path string) (isFolder, secondTry bool) {
+	if strings.HasSuffix(path, "/") {
+		//confirmed a folder
+		return true, false
+	}
+	lastSlash := strings.LastIndex(path, "/")
+	if strings.Index(path[lastSlash:], ".") < 0 {
+		//no dot, try folder then try file
+		return true, true
+	}
+	return false, true
+}
+
+func (d *Crypt) getPathForRemote(path string, isFolder bool) (remoteFullPath string) {
+	if isFolder && !strings.HasSuffix(path, "/") {
+		path = path + "/"
+	}
+	dir, fileName := filepath.Split(path)
+
+	remoteDir := d.cipher.EncryptDirName(dir)
+	remoteFileName := ""
+	if len(strings.TrimSpace(fileName)) > 0 {
+		remoteFileName = d.cipher.EncryptFileName(fileName)
+	}
+	return stdpath.Join(d.RemotePath, remoteDir, remoteFileName)
+
+}
+
+// actual path is used for internal only. any link for user should come from remoteFullPath
+func (d *Crypt) getActualPathForRemote(path string, isFolder bool) (string, error) {
+	_, remoteActualPath, err := op.GetStorageAndActualPath(d.getPathForRemote(path, isFolder))
+	return remoteActualPath, err
+}
--- a/drivers/ftp/driver.go
+++ b/drivers/ftp/driver.go
@ -4,7 +4,6 @@ import (
 	"context"
 	stdpath "path"

-	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
@ -67,9 +66,8 @@ func (d *FTP) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*m

 	r := NewFTPFileReader(d.conn, file.GetPath())
 	link := &model.Link{
-		Data: r,
+		ReadSeekCloser: r,
 	}
-	base.HandleRange(link, r, args.Header, file.GetSize())
 	return link, nil
 }

--- a/drivers/local/driver.go
+++ b/drivers/local/driver.go
@ -1,10 +1,11 @@
 package local

 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
-	"io"
+	"io/fs"
 	"net/http"
 	"os"
 	stdpath "path"
@ -80,36 +81,54 @@ func (d *Local) List(ctx context.Context, dir model.Obj, args model.ListArgs) ([
 		if !d.ShowHidden && strings.HasPrefix(f.Name(), ".") {
 			continue
 		}
-		thumb := ""
-		if d.Thumbnail {
-			typeName := utils.GetFileType(f.Name())
-			if typeName == conf.IMAGE || typeName == conf.VIDEO {
-				thumb = common.GetApiUrl(nil) + stdpath.Join("/d", args.ReqPath, f.Name())
-				thumb = utils.EncodePath(thumb, true)
-				thumb += "?type=thumb&sign=" + sign.Sign(stdpath.Join(args.ReqPath, f.Name()))
-			}
-		}
-		isFolder := f.IsDir() || isSymlinkDir(f, fullPath)
-		var size int64
-		if !isFolder {
-			size = f.Size()
-		}
-		file := model.ObjThumb{
-			Object: model.Object{
-				Path:     filepath.Join(dir.GetPath(), f.Name()),
-				Name:     f.Name(),
-				Modified: f.ModTime(),
-				Size:     size,
-				IsFolder: isFolder,
-			},
-			Thumbnail: model.Thumbnail{
-				Thumbnail: thumb,
-			},
-		}
-		files = append(files, &file)
+		file := d.FileInfoToObj(f, args.ReqPath, fullPath)
+		files = append(files, file)
 	}
 	return files, nil
 }
+func (d *Local) FileInfoToObj(f fs.FileInfo, reqPath string, fullPath string) model.Obj {
+	thumb := ""
+	if d.Thumbnail {
+		typeName := utils.GetFileType(f.Name())
+		if typeName == conf.IMAGE || typeName == conf.VIDEO {
+			thumb = common.GetApiUrl(nil) + stdpath.Join("/d", reqPath, f.Name())
+			thumb = utils.EncodePath(thumb, true)
+			thumb += "?type=thumb&sign=" + sign.Sign(stdpath.Join(reqPath, f.Name()))
+		}
+	}
+	isFolder := f.IsDir() || isSymlinkDir(f, fullPath)
+	var size int64
+	if !isFolder {
+		size = f.Size()
+	}
+	file := model.ObjThumb{
+		Object: model.Object{
+			Path:     filepath.Join(fullPath, f.Name()),
+			Name:     f.Name(),
+			Modified: f.ModTime(),
+			Size:     size,
+			IsFolder: isFolder,
+		},
+		Thumbnail: model.Thumbnail{
+			Thumbnail: thumb,
+		},
+	}
+	return &file
+
+}
+func (d *Local) GetMeta(ctx context.Context, path string) (model.Obj, error) {
+	f, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
+	file := d.FileInfoToObj(f, path, path)
+	//h := "123123"
+	//if s, ok := f.(model.SetHash); ok && file.GetHash() == ("","")  {
+	//	s.SetHash(h,"SHA1")
+	//}
+	return file, nil
+
+}

 func (d *Local) Get(ctx context.Context, path string) (model.Obj, error) {
 	path = filepath.Join(d.GetRootPath(), path)
@ -147,13 +166,21 @@ func (d *Local) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (
 			"Content-Type": []string{"image/png"},
 		}
 		if thumbPath != nil {
-			link.FilePath = thumbPath
+			open, err := os.Open(*thumbPath)
+			if err != nil {
+				return nil, err
+			}
+			link.ReadSeekCloser = open
 		} else {
-			link.Data = io.NopCloser(buf)
-			link.Header.Set("Content-Length", strconv.Itoa(buf.Len()))
+			link.ReadSeekCloser = utils.ReadSeekerNopCloser(bytes.NewReader(buf.Bytes()))
+			//link.Header.Set("Content-Length", strconv.Itoa(buf.Len()))
 		}
 	} else {
-		link.FilePath = &fullPath
+		open, err := os.Open(fullPath)
+		if err != nil {
+			return nil, err
+		}
+		link.ReadSeekCloser = open
 	}
 	return &link, nil
 }
--- a/drivers/mega/driver.go
+++ b/drivers/mega/driver.go
@ -4,7 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/alist-org/alist/v3/drivers/base"
+	"github.com/alist-org/alist/v3/pkg/http_range"
+	"github.com/rclone/rclone/lib/readers"
 	"io"
+	"time"

 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/errs"
@ -64,51 +68,41 @@ func (d *Mega) GetRoot(ctx context.Context) (model.Obj, error) {

 func (d *Mega) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*model.Link, error) {
 	if node, ok := file.(*MegaNode); ok {
-		//link, err := d.c.Link(node.Node, true)
+
+		//down, err := d.c.NewDownload(node.Node)
 		//if err != nil {
-		//	return nil, err
+		//	return nil, fmt.Errorf("open download file failed: %w", err)
 		//}
-		//return &model.Link{URL: link}, nil
-		down, err := d.c.NewDownload(node.Node)
-		if err != nil {
-			return nil, err
-		}
-		//u := down.GetResourceUrl()
-		//u = strings.Replace(u, "http", "https", 1)
-		//return &model.Link{URL: u}, nil
-		r, w := io.Pipe()
-		go func() {
-			defer func() {
-				_ = recover()
-			}()
-			log.Debugf("chunk size: %d", down.Chunks())
-			var (
-				chunk []byte
-				err   error
-			)
-			for id := 0; id < down.Chunks(); id++ {
-				chunk, err = down.DownloadChunk(id)
-				if err != nil {
-					log.Errorf("mega down: %+v", err)
-					break
-				}
-				log.Debugf("id: %d,len: %d", id, len(chunk))
-				//_, _, err = down.ChunkLocation(id)
-				//if err != nil {
-				//	log.Errorf("mega down: %+v", err)
-				//	return
-				//}
-				//_, err = c.Write(chunk)
-				if _, err = w.Write(chunk); err != nil {
-					break
-				}
+
+		size := file.GetSize()
+		var finalClosers base.Closers
+		resultRangeReader := func(httpRange http_range.Range) (io.ReadCloser, error) {
+			length := httpRange.Length
+			if httpRange.Length >= 0 && httpRange.Start+httpRange.Length >= size {
+				length = -1
 			}
-			err = w.CloseWithError(err)
+			var down *mega.Download
+			err := utils.Retry(3, time.Second, func() (err error) {
+				down, err = d.c.NewDownload(node.Node)
+				return err
+			})
 			if err != nil {
-				log.Errorf("mega down: %+v", err)
+				return nil, fmt.Errorf("open download file failed: %w", err)
 			}
-		}()
-		return &model.Link{Data: r}, nil
+			oo := &openObject{
+				ctx:  ctx,
+				d:    down,
+				skip: httpRange.Start,
+			}
+			finalClosers.Add(oo)
+
+			return readers.NewLimitedReadCloser(oo, length), nil
+		}
+		resultRangeReadCloser := &model.RangeReadCloser{RangeReader: resultRangeReader, Closer: &finalClosers}
+		resultLink := &model.Link{
+			RangeReadCloser: *resultRangeReadCloser,
+		}
+		return resultLink, nil
 	}
 	return nil, fmt.Errorf("unable to convert dir to mega node")
 }
--- a/drivers/mega/util.go
+++ b/drivers/mega/util.go
@ -1,3 +1,92 @@
 package mega

+import (
+	"context"
+	"fmt"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/t3rm1n4l/go-mega"
+	"io"
+	"sync"
+	"time"
+)
+
 // do others that not defined in Driver interface
+// openObject represents a download in progress
+type openObject struct {
+	ctx    context.Context
+	mu     sync.Mutex
+	d      *mega.Download
+	id     int
+	skip   int64
+	chunk  []byte
+	closed bool
+}
+
+// get the next chunk
+func (oo *openObject) getChunk(ctx context.Context) (err error) {
+	if oo.id >= oo.d.Chunks() {
+		return io.EOF
+	}
+	var chunk []byte
+	err = utils.Retry(3, time.Second, func() (err error) {
+		chunk, err = oo.d.DownloadChunk(oo.id)
+		return err
+	})
+	if err != nil {
+		return err
+	}
+	oo.id++
+	oo.chunk = chunk
+	return nil
+}
+
+// Read reads up to len(p) bytes into p.
+func (oo *openObject) Read(p []byte) (n int, err error) {
+	oo.mu.Lock()
+	defer oo.mu.Unlock()
+	if oo.closed {
+		return 0, fmt.Errorf("read on closed file")
+	}
+	// Skip data at the start if requested
+	for oo.skip > 0 {
+		_, size, err := oo.d.ChunkLocation(oo.id)
+		if err != nil {
+			return 0, err
+		}
+		if oo.skip < int64(size) {
+			break
+		}
+		oo.id++
+		oo.skip -= int64(size)
+	}
+	if len(oo.chunk) == 0 {
+		err = oo.getChunk(oo.ctx)
+		if err != nil {
+			return 0, err
+		}
+		if oo.skip > 0 {
+			oo.chunk = oo.chunk[oo.skip:]
+			oo.skip = 0
+		}
+	}
+	n = copy(p, oo.chunk)
+	oo.chunk = oo.chunk[n:]
+	return n, nil
+}
+
+// Close closed the file - MAC errors are reported here
+func (oo *openObject) Close() (err error) {
+	oo.mu.Lock()
+	defer oo.mu.Unlock()
+	if oo.closed {
+		return nil
+	}
+	err = utils.Retry(3, 500*time.Millisecond, func() (err error) {
+		return oo.d.Finish()
+	})
+	if err != nil {
+		return fmt.Errorf("failed to finish download: %w", err)
+	}
+	oo.closed = true
+	return nil
+}
--- a/drivers/quark_uc/driver.go
+++ b/drivers/quark_uc/driver.go
@ -5,18 +5,15 @@ import (
 	"crypto/md5"
 	"crypto/sha1"
 	"encoding/hex"
-	"fmt"
 	"io"
 	"net/http"
 	"os"
-	"strconv"
 	"time"

 	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
-	"github.com/alist-org/alist/v3/pkg/http_range"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/go-resty/resty/v2"
 	log "github.com/sirupsen/logrus"
@ -69,62 +66,17 @@ func (d *QuarkOrUC) Link(ctx context.Context, file model.Obj, args model.LinkArg
 	if err != nil {
 		return nil, err
 	}
-	u := resp.Data[0].DownloadUrl
-	start, end := int64(0), file.GetSize()
-	link := model.Link{
-		Header: http.Header{},
-	}
-	if rg := args.Header.Get("Range"); rg != "" {
-		parseRange, err := http_range.ParseRange(rg, file.GetSize())
-		if err != nil {
-			return nil, err
-		}
-		start, end = parseRange[0].Start, parseRange[0].Start+parseRange[0].Length
-		link.Header.Set("Content-Range", parseRange[0].ContentRange(file.GetSize()))
-		link.Header.Set("Content-Length", strconv.FormatInt(parseRange[0].Length, 10))
-		link.Status = http.StatusPartialContent
-	} else {
-		link.Header.Set("Content-Length", strconv.FormatInt(file.GetSize(), 10))
-		link.Status = http.StatusOK
-	}
-	link.Writer = func(w io.Writer) error {
-		// request 10 MB at a time
-		chunkSize := int64(10 * 1024 * 1024)
-		for start < end {
-			_end := start + chunkSize
-			if _end > end {
-				_end = end
-			}
-			_range := "bytes=" + strconv.FormatInt(start, 10) + "-" + strconv.FormatInt(_end-1, 10)
-			start = _end
-			err = func() error {
-				req, err := http.NewRequest(http.MethodGet, u, nil)
-				if err != nil {
-					return err
-				}
-				req.Header.Set("Range", _range)
-				req.Header.Set("User-Agent", ua)
-				req.Header.Set("Cookie", d.Cookie)
-				req.Header.Set("Referer", d.conf.referer)
-				resp, err := base.HttpClient.Do(req)
-				if err != nil {
-					return err
-				}
-				defer resp.Body.Close()
-				if resp.StatusCode != http.StatusPartialContent {
-					return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
-				}
-				_, err = io.Copy(w, resp.Body)
-				return err
-			}()
-			if err != nil {
-				return err
-			}

-		}
-		return nil
-	}
-	return &link, nil
+	return &model.Link{
+		URL: resp.Data[0].DownloadUrl,
+		Header: http.Header{
+			"Cookie":     []string{d.Cookie},
+			"Referer":    []string{d.conf.referer},
+			"User-Agent": []string{ua},
+		},
+		Concurrency: 2,
+		PartSize:    10 * 1024 * 1024,
+	}, nil
 }

 func (d *QuarkOrUC) MakeDir(ctx context.Context, parentDir model.Obj, dirName string) error {
--- a/drivers/sftp/driver.go
+++ b/drivers/sftp/driver.go
@ -5,7 +5,6 @@ import (
 	"os"
 	"path"

-	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
@ -57,9 +56,8 @@ func (d *SFTP) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*
 		return nil, err
 	}
 	link := &model.Link{
-		Data: remoteFile,
+		ReadSeekCloser: remoteFile,
 	}
-	base.HandleRange(link, remoteFile, args.Header, file.GetSize())
 	return link, nil
 }

--- a/drivers/smb/driver.go
+++ b/drivers/smb/driver.go
@ -6,7 +6,6 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/utils"
@ -80,9 +79,8 @@ func (d *SMB) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*m
 		return nil, err
 	}
 	link := &model.Link{
-		Data: remoteFile,
+		ReadSeekCloser: remoteFile,
 	}
-	base.HandleRange(link, remoteFile, args.Header, file.GetSize())
 	d.updateLastConnTime()
 	return link, nil
 }
--- a/drivers/virtual/driver.go
+++ b/drivers/virtual/driver.go
@ -52,9 +52,18 @@ func (d *Virtual) List(ctx context.Context, dir model.Obj, args model.ListArgs)
 	return res, nil
 }

+type nopReadSeekCloser struct {
+	io.Reader
+}
+
+func (nopReadSeekCloser) Seek(offset int64, whence int) (int64, error) {
+	return offset, nil
+}
+func (nopReadSeekCloser) Close() error { return nil }
+
 func (d *Virtual) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*model.Link, error) {
 	return &model.Link{
-		Data: io.NopCloser(io.LimitReader(random.Rand, file.GetSize())),
+		ReadSeekCloser: nopReadSeekCloser{io.LimitReader(random.Rand, file.GetSize())},
 	}, nil
 }