aspera-cli 4.7.0 → 4.9.0

data/lib/aspera/oauth.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'aspera/open_application'
 require 'aspera/web_auth'
 require 'aspera/id_generator'
@@ -14,46 +15,38 @@ module Aspera
   # if a token is expired (api returns 4xx), call again get_authorization({refresh: true})
   # https://tools.ietf.org/html/rfc6749
   class Oauth
-    DEFAULT_CREATE_PARAMS={
-      token_field:    'access_token', # field with token in result
-      path_token:     'token', # default endpoint for /token to generate token
-      web:            {path_authorize: 'authorize'} # default endpoint for /authorize, used for code exchange
+    DEFAULT_CREATE_PARAMS = {
+      path_token:  'token', # default endpoint for /token to generate token
+      token_field: 'access_token', # field with token in result of call to path_token
+      web:         {path_authorize: 'authorize'} # default endpoint for /authorize, used for code exchange
     }.freeze
 
     # OAuth methods supported by default
-    STD_AUTH_TYPES=[:web, :jwt].freeze
+    STD_AUTH_TYPES = %i[web jwt].freeze
 
     # remove 5 minutes to account for time offset (TODO: configurable?)
-    JWT_NOTBEFORE_OFFSET_SEC=300
+    JWT_NOTBEFORE_OFFSET_SEC = 300
     # one hour validity (TODO: configurable?)
-    JWT_EXPIRY_OFFSET_SEC=3600
+    JWT_EXPIRY_OFFSET_SEC = 3600
     # tokens older than 30 minutes will be discarded from cache
-    TOKEN_CACHE_EXPIRY_SEC=1800
-    # a prefix for persistency of tokens (garbage collect)
-    PERSIST_CATEGORY_TOKEN='token'
-    TOKEN_EXPIRATION_GUARD_SEC=120
+    TOKEN_CACHE_EXPIRY_SEC = 1800
+    # tokens valid for less than this duration will be regenerated
+    TOKEN_EXPIRATION_GUARD_SEC = 120
+    # a prefix for persistency of tokens (simplify garbage collect)
+    PERSIST_CATEGORY_TOKEN = 'token'
 
     private_constant :JWT_NOTBEFORE_OFFSET_SEC,:JWT_EXPIRY_OFFSET_SEC,:TOKEN_CACHE_EXPIRY_SEC,:PERSIST_CATEGORY_TOKEN,:TOKEN_EXPIRATION_GUARD_SEC
 
     # persistency manager
-    @persist=nil
+    @persist = nil
     # token creation methods
-    @handlers={}
+    @create_handlers = {}
     # token unique identifiers from oauth parameters
-    @id_elements=[
-      [:crtype],
-      [:generic,:grant_type],
-      [:jwt,:payload,:sub],
-      [:auth,:username],
-      [:aoc_pub_link,:json,:url_token],
-      [:generic,:apikey],
-      [:scope],
-      [:generic,:response_type]
-    ]
+    @id_handlers = {}
 
     class << self
       def persist_mgr=(manager)
-        @persist=manager
+        @persist = manager
         # cleanup expired tokens
         @persist.garbage_collect(PERSIST_CATEGORY_TOKEN,TOKEN_CACHE_EXPIRY_SEC)
       end
@@ -62,7 +55,7 @@ module Aspera
         if @persist.nil?
           Log.log.debug('Not using persistency') # (use Aspera::Oauth.persist_mgr=Aspera::PersistencyFolder.new)
           # create NULL persistency class
-          @persist=Class.new do
+          @persist = Class.new do
             def get(_x);nil;end;def delete(_x);nil;end;def put(_x,_y);nil;end;def garbage_collect(_x,_y);nil;end # rubocop:disable Layout/EmptyLineBetweenDefs
           end.new
         end
@@ -76,60 +69,77 @@ module Aspera
 
       # register a bearer token decoder, mainly to inspect expiry date
       def register_decoder(method)
-        @decoders||=[]
+        @decoders ||= []
         @decoders.push(method)
       end
 
       # decode token using all registered decoders
       def decode_token(token)
         @decoders.each do |decoder|
-          result=decoder.call(token) rescue nil
+          result = decoder.call(token) rescue nil
           return result unless result.nil?
         end
         return nil
       end
 
-      # register a token creation method, specify using field :crtype in constructor
-      def register_token_creator(id, method)
-        raise 'error' unless id.is_a?(Symbol) && method.is_a?(Proc)
-        @handlers[id]=method
+      # register a token creation method
+      # @param id creation type from field :crtype in constructor
+      # @param lambda_create called to create token
+      # @param id_create called to generate unique id for token, for cache
+      def register_token_creator(id, lambda_create, id_create)
+        raise 'ERROR: requites Symbol and 2 lambdas' unless id.is_a?(Symbol) && lambda_create.is_a?(Proc) && id_create.is_a?(Proc)
+        @create_handlers[id] = lambda_create
+        @id_handlers[id] = id_create
       end
 
       # @return one of the registered creators for the given create type
       def token_creator(id)
-        raise "token create type unknown: #{id}/#{id.class}" unless @handlers.has_key?(id)
-        @handlers[id]
+        raise "token creator type unknown: #{id}/#{id.class}" unless @create_handlers.has_key?(id)
+        @create_handlers[id]
       end
 
       # list of identifiers foundn in creation parameters that can be used to uniquely identify the token
-      def id_elements
-        return @id_elements
+      def id_creator(id)
+        raise "id creator type unknown: #{id}/#{id.class}" unless @id_handlers.has_key?(id)
+        @id_handlers[id]
       end
     end # self
 
     # JSON Web Signature (JWS) compact serialization: https://datatracker.ietf.org/doc/html/rfc7515
-    register_decoder lambda { |token| parts=token.split('.'); raise 'not aoc token' unless parts.length.eql?(3); JSON.parse(Base64.decode64(parts[1]))}
+    register_decoder lambda { |token| parts = token.split('.'); raise 'not aoc token' unless parts.length.eql?(3); JSON.parse(Base64.decode64(parts[1]))}
 
     # generic token creation, parameters are provided in :generic
     register_token_creator :generic,lambda { |oauth|
-      return oauth.create_token(oauth.params[:generic])
+      return oauth.create_token(oauth.sparams)
+    },lambda { |oauth|
+      return [
+        oauth.sparams[:grant_type]&.split(':')&.last,
+        oauth.sparams[:apikey],
+        oauth.sparams[:response_type]
+      ]
     }
 
     # Authentication using Web browser
     register_token_creator :web,lambda { |oauth|
-      callback_verif=SecureRandom.uuid # used to check later
-      login_page_url=Rest.build_uri("#{oauth.params[:base_url]}/#{oauth.params[:web][:path_authorize]}",optional_scope_client_id({response_type: 'code', redirect_uri: oauth.params[:web][:redirect_uri], state: callback_verif}))
+      random_state = SecureRandom.uuid # used to check later
+      login_page_url = Rest.build_uri("#{oauth.api[:base_url]}/#{oauth.sparams[:path_authorize]}",
+        oauth.optional_scope_client_id.merge(response_type: 'code', redirect_uri: oauth.sparams[:redirect_uri], state: random_state))
       # here, we need a human to authorize on a web page
       Log.log.info("login_page_url=#{login_page_url}".bg_red.gray)
       # start a web server to receive request code
-      webserver=WebAuth.new(oauth.params[:web][:redirect_uri])
+      webserver = WebAuth.new(oauth.sparams[:redirect_uri])
       # start browser on login page
       OpenApplication.instance.uri(login_page_url)
       # wait for code in request
-      received_params=webserver.received_request
-      raise 'state does not match' if !callback_verif.eql?(received_params['state'])
+      received_params = webserver.received_request
+      raise 'wrong received state' unless random_state.eql?(received_params['state'])
       # exchange code for token
-      return oauth.create_token(oauth.optional_scope_client_id({grant_type: 'authorization_code', code: received_params['code'], redirect_uri: oauth.params[:web][:redirect_uri]},add_secret: true))
+      return oauth.create_token(oauth.optional_scope_client_id(add_secret: true).merge(
+        grant_type:   'authorization_code',
+        code:         received_params['code'],
+        redirect_uri: oauth.sparams[:redirect_uri]))
+    },lambda { |_oauth|
+      return []
     }
 
     # Authentication using private key
@@ -137,24 +147,26 @@ module Aspera
       # https://tools.ietf.org/html/rfc7523
       # https://tools.ietf.org/html/rfc7519
       require 'jwt'
-      seconds_since_epoch=Time.new.to_i
+      seconds_since_epoch = Time.new.to_i
       Log.log.info("seconds=#{seconds_since_epoch}")
-      raise 'missing JWT payload' unless oauth.params[:jwt][:payload].is_a?(Hash)
+      raise 'missing JWT payload' unless oauth.sparams[:payload].is_a?(Hash)
       jwt_payload = {
-        exp: seconds_since_epoch+JWT_EXPIRY_OFFSET_SEC, # expiration time
-        nbf: seconds_since_epoch-JWT_NOTBEFORE_OFFSET_SEC, # not before
+        exp: seconds_since_epoch + JWT_EXPIRY_OFFSET_SEC, # expiration time
+        nbf: seconds_since_epoch - JWT_NOTBEFORE_OFFSET_SEC, # not before
         iat: seconds_since_epoch, # issued at
         jti: SecureRandom.uuid # JWT id
-      }.merge(oauth.params[:jwt][:payload])
+      }.merge(oauth.sparams[:payload])
       Log.log.debug("JWT jwt_payload=[#{jwt_payload}]")
-      rsa_private=oauth.params[:jwt][:private_key_obj] # type: OpenSSL::PKey::RSA
+      rsa_private = oauth.sparams[:private_key_obj] # type: OpenSSL::PKey::RSA
       Log.log.debug("private=[#{rsa_private}]")
-      assertion = JWT.encode(jwt_payload, rsa_private, 'RS256', oauth.params[:jwt][:headers]||{})
+      assertion = JWT.encode(jwt_payload, rsa_private, 'RS256', oauth.sparams[:headers] || {})
       Log.log.debug("assertion=[#{assertion}]")
-      return oauth.create_token(oauth.optional_scope_client_id({grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: assertion}))
+      return oauth.create_token(oauth.optional_scope_client_id.merge(grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: assertion))
+    },lambda { |oauth|
+      return [oauth.sparams.dig(:payload,:sub)]
     }
 
-    attr_reader :params, :token_auth_api
+    attr_reader :gparams, :sparams, :api
 
     private
 
@@ -176,72 +188,80 @@ module Aspera
     def initialize(a_params)
       Log.log.debug("auth=#{a_params}")
       # replace default values
-      @params=DEFAULT_CREATE_PARAMS.clone.deep_merge(a_params)
-      if @params.has_key?(:redirect_uri)
-        uri=URI.parse(@params[:web][:redirect_uri])
-        raise 'redirect_uri scheme must be http or https' unless ['http','https'].include?(uri.scheme)
+      @gparams = DEFAULT_CREATE_PARAMS.deep_merge(a_params)
+      # check that type is known
+      self.class.token_creator(@gparams[:crtype])
+      # specific parameters for the creation type
+      @sparams=@gparams[@gparams[:crtype]]
+      if @gparams[:crtype].eql?(:web) && @sparams.has_key?(:redirect_uri)
+        uri = URI.parse(@sparams[:redirect_uri])
+        raise 'redirect_uri scheme must be http or https' unless %w[http https].include?(uri.scheme)
         raise 'redirect_uri must have a port' if uri.port.nil?
         # TODO: we could check that host is localhost or local address
       end
-      rest_params={base_url: @params[:base_url]}
-      rest_params[:auth]=a_params[:auth] if a_params.has_key?(:auth)
-      @token_auth_api=Rest.new(rest_params)
-    end
-
-    # @return unique identifier of token
-    # TODO: external handlers shall provide unique identifiers
-    def token_cache_id
-      parts=[PERSIST_CATEGORY_TOKEN,@params[:base_url]]
-      # add some of the parameters that uniquely identify the token
-      self.class.id_elements.each do |p|
-        identifier=@params.dig(*p)
-        identifier=identifier.split(':').last if identifier.is_a?(String) && p.last.eql?(:grant_type)
-        parts.push(identifier) unless identifier.nil?
-      end
-      return IdGenerator.from_list(parts)
+      rest_params = {
+        base_url:     @gparams[:base_url],
+        redirect_max: 2
+      }
+      rest_params[:auth] = a_params[:auth] if a_params.has_key?(:auth)
+      @api = Rest.new(rest_params)
+      # if needed use from api
+      @gparams.delete(:base_url)
+      @gparams.delete(:auth)
+      @gparams.delete(@gparams[:crtype])
+      Log.dump(:gparams,@gparams)
+      Log.dump(:sparams,@sparams)
     end
 
     public
 
     # helper method to create token as per RFC
     def create_token(www_params)
-      return @token_auth_api.call({
+      return @api.call({
         operation:       'POST',
-        subpath:         @params[:path_token],
-        headers:         {'Accept'=>'application/json'},
+        subpath:         @gparams[:path_token],
+        headers:         {'Accept' => 'application/json'},
         www_body_params: www_params})
     end
 
-    # helper method
-    def optional_scope_client_id(call_params, add_secret: false)
-      call_params[:scope] = @params[:scope] unless @params[:scope].nil?
-      call_params[:client_id] = @params[:client_id] unless @params[:client_id].nil?
-      call_params[:client_secret] = @params[:client_secret] if add_secret && !@params[:client_id].nil?
+    # @return Hash with optional general parameters
+    def optional_scope_client_id(add_secret: false)
+      call_params={}
+      call_params[:scope] = @gparams[:scope] unless @gparams[:scope].nil?
+      call_params[:client_id] = @gparams[:client_id] unless @gparams[:client_id].nil?
+      call_params[:client_secret] = @gparams[:client_secret] if add_secret && !@gparams[:client_id].nil?
       return call_params
     end
 
     # Oauth v2 token generation
     # @param use_refresh_token set to true to force refresh or re-generation (if previous failed)
-    def get_authorization(use_refresh_token: false)
+    def get_authorization(use_refresh_token: false, use_cache: true)
       # generate token unique identifier for persistency (memory/disk cache)
-      token_id=token_cache_id
+      token_id = IdGenerator.from_list([
+        PERSIST_CATEGORY_TOKEN,
+        @api.params[:base_url],
+        @gparams[:crtype],
+        self.class.id_creator(@gparams[:crtype]).call(self), # array, so we flatten later
+        @gparams[:scope],
+        @api.params.dig(%i[auth username])
+      ].flatten)
 
       # get token_data from cache (or nil), token_data is what is returned by /token
-      token_data=self.class.persist_mgr.get(token_id)
-      token_data=JSON.parse(token_data) unless token_data.nil?
+      token_data = self.class.persist_mgr.get(token_id) if use_cache
+      token_data = JSON.parse(token_data) unless token_data.nil?
       # Optional optimization: check if node token is expired  basd on decoded content then force refresh if close enough
       # might help in case the transfer agent cannot refresh himself
       # `direct` agent is equipped with refresh code
       if !use_refresh_token && !token_data.nil?
-        decoded_token = self.class.decode_token(token_data[@params[:token_field]])
+        decoded_token = self.class.decode_token(token_data[@gparams[:token_field]])
         Log.dump('decoded_token',decoded_token) unless decoded_token.nil?
         if decoded_token.is_a?(Hash)
-          expires_at_sec=
-          if    decoded_token['expires_at'].is_a?(String) then DateTime.parse(decoded_token['expires_at']).to_time
-          elsif decoded_token['exp'].is_a?(Integer)       then Time.at(decoded_token['exp'])
-          end
+          expires_at_sec =
+            if    decoded_token['expires_at'].is_a?(String) then DateTime.parse(decoded_token['expires_at']).to_time
+            elsif decoded_token['exp'].is_a?(Integer)       then Time.at(decoded_token['exp'])
+            end
           # force refresh if we see a token too close from expiration
-          use_refresh_token=true if expires_at_sec.is_a?(Time) && (expires_at_sec-Time.now) < TOKEN_EXPIRATION_GUARD_SEC
+          use_refresh_token = true if expires_at_sec.is_a?(Time) && (expires_at_sec - Time.now) < TOKEN_EXPIRATION_GUARD_SEC
           Log.log.debug("Expiration: #{expires_at_sec} / #{use_refresh_token}")
         end
       end
@@ -250,21 +270,21 @@ module Aspera
       if use_refresh_token
         if token_data.is_a?(Hash) && token_data.has_key?('refresh_token')
           # save possible refresh token, before deleting the cache
-          refresh_token=token_data['refresh_token']
+          refresh_token = token_data['refresh_token']
         end
         # delete cache
         self.class.persist_mgr.delete(token_id)
-        token_data=nil
+        token_data = nil
         # lets try the existing refresh token
         if !refresh_token.nil?
           Log.log.info("refresh=[#{refresh_token}]".bg_green)
           # try to refresh
           # note: AoC admin token has no refresh, and lives by default 1800secs
-          resp=create_token(optional_scope_client_id({grant_type: 'refresh_token',refresh_token: refresh_token}))
+          resp = create_token(optional_scope_client_id.merge(grant_type: 'refresh_token',refresh_token: refresh_token))
           if resp[:http].code.start_with?('2')
             # save only if success
-            json_data=resp[:http].body
-            token_data=JSON.parse(json_data)
+            json_data = resp[:http].body
+            token_data = JSON.parse(json_data)
             self.class.persist_mgr.put(token_id,json_data)
           else
             Log.log.debug("refresh failed: #{resp[:http].body}".bg_red)
@@ -274,14 +294,14 @@ module Aspera
 
       # no cache, nor refresh: generate a token
       if token_data.nil?
-        resp=self.class.token_creator(@params[:crtype]).call(self)
-        json_data=resp[:http].body
-        token_data=JSON.parse(json_data)
+        resp = self.class.token_creator(@gparams[:crtype]).call(self)
+        json_data = resp[:http].body
+        token_data = JSON.parse(json_data)
         self.class.persist_mgr.put(token_id,json_data)
       end # if ! in_cache
-      raise "API error: No such field in answer: #{@params[:token_field]}" unless token_data.has_key?(@params[:token_field])
+      raise "API error: No such field in answer: #{@gparams[:token_field]}" unless token_data.has_key?(@gparams[:token_field])
       # ok we shall have a token here
-      return 'Bearer '+token_data[@params[:token_field]]
+      return 'Bearer ' + token_data[@gparams[:token_field]]
     end
   end # OAuth
 end # Aspera

data/lib/aspera/open_application.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'aspera/log'
 require 'aspera/environment'
 require 'rbconfig'
@@ -10,34 +11,36 @@ module Aspera
   # if method is "graphical", then the URL will be opened with the default browser.
   class OpenApplication
     include Singleton
-    # User Interfaces
-    def self.user_interfaces; [:text, :graphical]; end
+    class << self
+      # User Interfaces
+      def user_interfaces; %i[text graphical]; end
 
-    def self.default_gui_mode
-      return :graphical if [Aspera::Environment::OS_WINDOWS,Aspera::Environment::OS_X].include?(Aspera::Environment.os)
-      # unix family
-      return :graphical if ENV.has_key?('DISPLAY') && !ENV['DISPLAY'].empty?
-      return :text
-    end
+      def default_gui_mode
+        return :graphical if [Aspera::Environment::OS_WINDOWS,Aspera::Environment::OS_X].include?(Aspera::Environment.os)
+        # unix family
+        return :graphical if ENV.has_key?('DISPLAY') && !ENV['DISPLAY'].empty?
+        return :text
+      end
 
-    # command must be non blocking
-    def self.uri_graphical(uri)
-      case Aspera::Environment.os
-      when Aspera::Environment::OS_X
-        return system('open',uri.to_s)
-      when Aspera::Environment::OS_WINDOWS
-        return system('start explorer "'+uri.to_s+'"')
-      when Aspera::Environment::OS_LINUX
-        return system("xdg-open '#{uri}'")
-      else
-        raise "no graphical open method for #{Aspera::Environment.os}"
+      # command must be non blocking
+      def uri_graphical(uri)
+        case Aspera::Environment.os
+        when Aspera::Environment::OS_X
+          return system('open',uri.to_s)
+        when Aspera::Environment::OS_WINDOWS
+          return system('start explorer "' + uri.to_s + '"')
+        when Aspera::Environment::OS_LINUX
+          return system("xdg-open '#{uri}'")
+        else
+          raise "no graphical open method for #{Aspera::Environment.os}"
+        end
       end
     end
 
     attr_accessor :url_method
 
     def initialize
-      @url_method=self.class.default_gui_mode
+      @url_method = self.class.default_gui_mode
     end
 
     # this is non blocking
@@ -48,9 +51,9 @@ module Aspera
       when :text
         case the_url.to_s
         when /^http/
-          puts "USER ACTION: please enter this url in a browser:\n"+the_url.to_s.red()+"\n"
+          puts "USER ACTION: please enter this url in a browser:\n" + the_url.to_s.red + "\n"
         else
-          puts "USER ACTION: open this:\n"+the_url.to_s.red()+"\n"
+          puts "USER ACTION: open this:\n" + the_url.to_s.red + "\n"
         end
       else
         raise StandardError,"unsupported url open method: #{@url_method}"

data/lib/aspera/persistency_action_once.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'json'
 require 'aspera/log'
 
@@ -19,15 +20,15 @@ module Aspera
       raise 'mandatory :data' if options[:data].nil?
       raise 'mandatory :id (String)' unless options[:id].is_a?(String)
       raise 'mandatory 1 element in :id' unless options[:id].length >= 1
-      @manager=options[:manager]
-      @persisted_object=options[:data]
-      @object_id=options[:id]
+      @manager = options[:manager]
+      @persisted_object = options[:data]
+      @object_id = options[:id]
       # by default , at save time, file is deleted if data is nil
-      @delete_condition=options[:delete] || lambda{|d|d.empty?}
-      @persist_format=options[:format] || lambda {|h| JSON.generate(h)}
-      persist_parse=options[:parse] || lambda {|t| JSON.parse(t)}
-      persist_merge=options[:merge] || lambda {|current,file| current.concat(file).uniq rescue current}
-      value=@manager.get(@object_id)
+      @delete_condition = options[:delete] || lambda{|d|d.empty?}
+      @persist_format = options[:format] || lambda {|h| JSON.generate(h)}
+      persist_parse = options[:parse] || lambda {|t| JSON.parse(t)}
+      persist_merge = options[:merge] || lambda {|current,file| current.concat(file).uniq rescue current}
+      value = @manager.get(@object_id)
       persist_merge.call(@persisted_object,persist_parse.call(value)) unless value.nil?
     end
 

data/lib/aspera/persistency_folder.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'fileutils'
 require 'aspera/log'
 
@@ -7,11 +8,11 @@ require 'aspera/log'
 module Aspera
   # Persist data on file system
   class PersistencyFolder
-    FILE_SUFFIX='.txt'
+    FILE_SUFFIX = '.txt'
     private_constant :FILE_SUFFIX
     def initialize(folder)
-      @cache={}
-      @folder=folder
+      @cache = {}
+      @folder = folder
       Log.log.debug("persistency folder: #{@folder}")
     end
 
@@ -21,11 +22,11 @@ module Aspera
       if @cache.has_key?(object_id)
         Log.log.debug('got from memory cache')
       else
-        persist_filepath=id_to_filepath(object_id)
+        persist_filepath = id_to_filepath(object_id)
         Log.log.debug("persistency = #{persist_filepath}")
         if File.exist?(persist_filepath)
           Log.log.debug('got from file cache')
-          @cache[object_id]=File.read(persist_filepath)
+          @cache[object_id] = File.read(persist_filepath)
         end
       end
       return @cache[object_id]
@@ -33,21 +34,23 @@ module Aspera
 
     def put(object_id,value)
       raise 'value: only String supported' unless value.is_a?(String)
-      persist_filepath=id_to_filepath(object_id)
+      persist_filepath = id_to_filepath(object_id)
       Log.log.debug("persistency saving: #{persist_filepath}")
+      File.delete(persist_filepath) if File.exist?(persist_filepath)
       File.write(persist_filepath,value)
-      @cache[object_id]=value
+      File.chmod(0400,persist_filepath)
+      @cache[object_id] = value
     end
 
     def delete(object_id)
-      persist_filepath=id_to_filepath(object_id)
+      persist_filepath = id_to_filepath(object_id)
       Log.log.debug("persistency deleting: #{persist_filepath}")
       File.delete(persist_filepath) if File.exist?(persist_filepath)
       @cache.delete(object_id)
     end
 
     def garbage_collect(persist_category,max_age_seconds=nil)
-      garbage_files=Dir[File.join(@folder,persist_category+'*'+FILE_SUFFIX)]
+      garbage_files = Dir[File.join(@folder,persist_category + '*' + FILE_SUFFIX)]
       if !max_age_seconds.nil?
         current_time = Time.now
         garbage_files.select! { |filepath| (current_time - File.stat(filepath).mtime).to_i > max_age_seconds}
@@ -65,6 +68,7 @@ module Aspera
     def id_to_filepath(object_id)
       raise 'object_id: only String supported' unless object_id.is_a?(String)
       FileUtils.mkdir_p(@folder)
+      File.chmod(0700,@folder)
       return File.join(@folder,"#{object_id}#{FILE_SUFFIX}")
       #.gsub(/[^a-z]+/,FILE_FIELD_SEPARATOR)
     end