gcs-signer 0.1.0 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d9da9710c3ec0d2781bb3d0002fc104a9f898ad9
-  data.tar.gz: 8027a48a1276f076f9d0a46a5bd9aa0841da712e
+SHA256:
+  metadata.gz: 736ffe7843310671d2c07459e94ef47ad8b9ebfa24cf46530a5b1138cd954b42
+  data.tar.gz: 77ee7afb236a5416f13e1f40aec1e0d37339319476d2167e56febf10c19b2349
 SHA512:
-  metadata.gz: 3b1303e21df8a93d2cd23a8ef1636a30d79ff3238643524adfc52efa7b082df53fdcb2d5fbdaa85e6a89b2ef06323d31d481a906106a895ca42bc6b7fb4687d5
-  data.tar.gz: 8e37da7d200265cdeb64ae82a0395a6c66a26ae92b1f9bb7d1e25698b30a349be783d372114cacb2605a3238e9afcb99fa8909fd8f4586421dbe7edb77edda6f
+  metadata.gz: 97985b7cbcd77a932e92a861efc6df31199a56066c255333e41cd4f156364a726de676e6eb85c9e083400cd5321917fc62c39964a4199e8efa9977c2c9316127
+  data.tar.gz: 6007e855ec3c35a80444ca98e7f1056cc876236f0e07090acb57e61662b5cfd558e2aea208239b1ba4c285747c958ce1aae12c6533be58318b08956cd446ddc1

data/README.md

@@ -4,9 +4,8 @@ Simple signed URL generator for Google Cloud Storage.
 
 ## Features
 
-* No additional gems required.
 * No network connection required to generate signed URL.
-* Can read JSON service_account credentials from environment variables. So it can be used with [google-cloud-ruby](https://github.com/GoogleCloudPlatform/google-cloud-ruby) without additional configurations.
+* Can read JSON service-account credentials from environment variables. So it can be used with [google-cloud-ruby](https://github.com/GoogleCloudPlatform/google-cloud-ruby) without additional configurations.
 
 ## Installation
 
@@ -16,21 +15,33 @@ gem install gcs-signer
 
 ## Usage
 
-If you already configured `GOOGLE_CLOUD_KEYFILE` or `GOOGLE_CLOUD_KEYFILE_JSON` for google-cloud-ruby gem, just
+### Authentication
+
+If you already configured `GOOGLE_APPLICATION_CREDENTIALS` for google-cloud-ruby gem, just
+
+```ruby
+signer = GcsSigner.new
+```
+
+You can also set `GOOGLE_CLOUD_KEYFILE_JSON` environment varialble to the content of service-account.json.
 
 ```ruby
+puts ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+# => { "type": "service_account", ...
 signer = GcsSigner.new
 ```
 
-or you can give path of the service_account json file, or contents of it.
+or you can give path of the service account file, or contents of it without using environment variables.
 
 ```ruby
 signer = GcsSigner.new path: "/home/leo/path/to/service_account.json"
 
-signer = GcsSigner.new json_string: '{ "type": "service_account", ...'
+signer = GcsSigner.new keyfile_json: '{ "type": "service_account", ...'
 ```
 
-then `#sign_url` to generate signed URL.
+### Signing URL
+
+`#sign_url` to generate signed URL.
 
 ```ruby
 # The signed URL is valid for 5 minutes by default.
@@ -42,14 +53,16 @@ signer.sign_url "bucket-name", "object-name",
 
 signer.sign_url "bucket-name", "object_name", valid_for: 600
 
-# If you use AcriveSupport in your project, you can also do some magic like:
-signer.sign_url "buekct", "object", valid_for: 45.minutes
+# If you use AcriveSupport in your project, you can use some sugar like:
+signer.sign_url "bucket", "object", valid_for: 45.minutes
+signer.sign_url "bucket", "object", expires_at: 5.minutes.from_now
+
+# You can set response_content_disposition and response_content_type to change response headers.
+signer.sign_url "bucket", "object", response_content_type: "video/mp4"
+signer.sign_url "bucket", "object", response_content_disposition: "attachment; filename=video.mp4"
 
-# See https://cloud.google.com/storage/docs/access-control/signed-urls
-# for other avaliable options.
-signer.sign_url "buekct", "object", google_access_id: "sangwon@sha.kr",
-                method: "PUT", content_type: "text/plain",
-                md5: "beefbeef..."
+# You can use V4 signing if you prefer longer URL
+signer.sign_url "bucket", "object", version: :v4
 ```
 
 ## License

data/lib/gcs_signer.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
-require "uri"
-require "openssl"
-require "base64"
+
 require "json"
+require "base64"
+require "openssl"
+require "addressable"
 
 # Creates signed_url for a file on Google Cloud Storage.
 #
@@ -10,31 +11,39 @@ require "json"
 #  signer.sign "your-bucket", "object/name"
 #  # => "https://storage.googleapis.com/your-bucket/object/name?..."
 class GcsSigner
-  VERSION = "0.1.0"
+  DEFAULT_GCS_URL = Addressable::URI.new(
+    scheme: "https", host: "storage.googleapis.com"
+  ).freeze
 
   # gcs-signer requires credential that can access to GCS.
   # [path] the path of the service_account json file.
-  # [json_string] ...or the content of the service_account json file.
+  # [keyfile_string] ...or the content of the service_account json file.
+  # [gcs_url] Custom GCS url when signing a url.
   #
   # or if you also use \+google-cloud+ gem. you can authenticate
   # using environment variable that uses.
-  def initialize(path: nil, json_string: nil)
-    json_string ||= File.read(path) unless path.nil?
-    json_string = look_for_environment_variables if json_string.nil?
+  def initialize(path: nil, keyfile_json: nil, gcs_url: DEFAULT_GCS_URL)
+    keyfile_json ||= path.nil? ? look_for_environment_variables : File.read(path)
+    fail AuthError, "No credentials given." if keyfile_json.nil?
 
-    fail AuthError, "No credentials given." if json_string.nil?
-    @credentials = JSON.parse(json_string)
+    @credentials = JSON.parse(keyfile_json)
     @key = OpenSSL::PKey::RSA.new(@credentials["private_key"])
+    @gcs_url = Addressable::URI.parse(gcs_url)
   end
 
   # @return [String] Signed url
   # Generates signed url.
   # [bucket] the name of the Cloud Storage bucket that contains the object.
-  # [object_name] the name of the object for signed url..
+  # [key] the name of the object for signed url.
   # Variable options are available:
+  # [version] signature version; \+:v2+ or \+:v4+
   # [expires] Time(stamp in UTC) when the signed url expires.
   # [valid_for] ...or how much seconds is the signed url available.
-  # If you don't set those values, it will set to 300 seconds by default.
+  # [response_content_disposition] Content-Disposition of the signed URL.
+  # [response_content_type] Content-Type of the signed URL.
+  #
+  # If you set neither \+expires+ nor \+valid_for+,
+  # it will set to 300 seconds by default.
   #
   #  # default is 5 minutes
   #  signer.sign_url("bucket-name", "path/to/file")
@@ -49,19 +58,55 @@ class GcsSigner
   #  # If you use ActiveSupport, you can also do some magic.
   #  signer.sign_url("bucket", "path/to/file", valid_for: 40.minutes)
   #
-  # For details information of another options,
-  # like \+method+, \+md5+, and \+content_type+. See:
-  # https://cloud.google.com/storage/docs/access-control/signed-urls
-  #
-  # Just in case if you want to change \+GoogleAccessId+ in the signed url,
-  # You can set \+google_access_id+ as an option.
-  def sign_url(bucket, object_name, options = {})
-    options = apply_default_options(options)
-
-    url = URI.join "https://storage.googleapis.com",
-                   URI.escape("/#{bucket}/"), URI.escape(object_name)
-    signature = sign string_that_will_be_signed(url, options)
-    url.query = query_for_signed_url(signature, options)
+  def sign_url(bucket, key, version: :v2, **options)
+    case version
+    when :v2
+      sign_url_v2(bucket, key, **options)
+    when :v4
+      sign_url_v4(bucket, key, **options)
+    else
+      fail ArgumentError, "Version not supported: #{version.inspect}"
+    end
+  end
+
+  def sign_url_v2(bucket, key, method: "GET", valid_for: 300, **options)
+    url = @gcs_url + "./#{request_path(bucket, key)}"
+    expires_at = options[:expires] || Time.now.utc.to_i + valid_for.to_i
+    sign_payload = [method, "", "", expires_at.to_i, url.path].join("\n")
+
+    url.query_values = (options[:params] || {}).merge(
+      "GoogleAccessId" => @credentials["client_email"],
+      "Expires" => expires_at.to_i,
+      "Signature" => sign_v2(sign_payload),
+      "response-content-disposition" => options[:response_content_disposition],
+      "response-content-type" => options[:response_content_type]
+    ).compact
+
+    url.to_s
+  end
+
+  def sign_url_v4(bucket, key, method: "GET", headers: {}, **options)
+    url = @gcs_url + "./#{request_path(bucket, key)}"
+    time = Time.now.utc
+
+    request_headers = headers.merge(host: @gcs_url.host).transform_keys(&:downcase)
+    signed_headers = request_headers.keys.sort.join(";")
+    scopes = [time.strftime("%Y%m%d"), "auto", "storage", "goog4_request"].join("/")
+
+    url.query_values = build_query_params(time, scopes, signed_headers, **options)
+
+    canonical_request = [
+      method, url.path.to_s, url.query,
+      *request_headers.sort.map { |header| header.join(":") },
+      "", signed_headers, "UNSIGNED-PAYLOAD"
+    ].join("\n")
+
+    sign_payload = [
+      "GOOG4-RSA-SHA256", time.strftime("%Y%m%dT%H%M%SZ"), scopes,
+      Digest::SHA256.hexdigest(canonical_request)
+    ].join("\n")
+
+    url.query += "&X-Goog-Signature=#{sign_v4(sign_payload)}"
     url.to_s
   end
 
@@ -76,47 +121,51 @@ class GcsSigner
 
   private
 
-  # Look for environment variable which stores service_account.
   def look_for_environment_variables
-    unless ENV["GOOGLE_CLOUD_KEYFILE"].nil?
-      return File.read(ENV["GOOGLE_CLOUD_KEYFILE"])
-    end
+    env_keyfile_path = ENV["GOOGLE_CLOUD_KEYFILE"] || ENV["GOOGLE_APPLICATION_CREDENTIALS"]
+    env_keyfile_path.nil? ? ENV["GOOGLE_CLOUD_KEYFILE_JSON"] : File.read(env_keyfile_path)
+  end
 
-    ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+  def request_path(bucket, object)
+    [
+      bucket, *object.split("/")
+    ].map do |str|
+      Addressable::URI.encode_component(str, Addressable::URI::CharacterClasses::UNRESERVED)
+    end.join("/")
   end
 
-  # Signs the string with the given private key.
-  def sign(string)
-    @key.sign OpenSSL::Digest::SHA256.new, string
+  def sign_v2(string)
+    Base64.strict_encode64(sign(string))
   end
 
-  def apply_default_options(options)
-    {
-      method: "GET", content_md5: nil,
-      content_type: nil,
-      expires: Time.now.utc.to_i + (options[:valid_for] || 300).to_i,
-      google_access_id: @credentials["client_email"]
-    }.merge(options)
+  def sign_v4(string)
+    sign(string).unpack1("H*")
   end
 
-  def string_that_will_be_signed(url, options)
-    [
-      options[:method],
-      options[:content_md5],
-      options[:content_type],
-      options[:expires].to_i,
-      url.path
-    ].join "\n"
+  # Signs the string with the given private key.
+  def sign(string)
+    @key.sign(OpenSSL::Digest.new("SHA256"), string)
   end
 
-  # Escapes and generates query string for actual result.
-  def query_for_signed_url(signature, options)
-    URI.encode_www_form GoogleAccessId: options[:google_access_id],
-                        Expires: options[:expires].to_i,
-                        Signature: Base64.strict_encode64(signature)
+  # only used in v4
+  def build_query_params(time, scopes, signed_headers, valid_for: 300, **options)
+    goog_expires = if options[:expires]
+                     options[:expires].to_i - time.to_i
+                   else
+                     valid_for.to_i
+                   end.clamp(0, 604_800)
+
+    (options[:params] || {}).merge(
+      "X-Goog-Algorithm" => "GOOG4-RSA-SHA256",
+      "X-Goog-Credential" => [@credentials["client_email"], scopes].join("/"),
+      "X-Goog-Date" => time.strftime("%Y%m%dT%H%M%SZ"),
+      "X-Goog-Expires" => goog_expires,
+      "X-Goog-SignedHeaders" => signed_headers,
+      "response-content-disposition" => options[:response_content_disposition],
+      "response-content-type" => options[:response_content_type]
+    ).compact.sort
   end
 
   # raised When GcsSigner could not find service_account JSON file.
-  class AuthError < StandardError
-  end
+  class AuthError < StandardError; end
 end

data/lib/gcs_signer/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class GcsSigner
+  VERSION = "0.4.1"
+end

metadata

@@ -1,90 +1,108 @@
 --- !ruby/object:Gem::Specification
 name: gcs-signer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Sangwon Yi
-autorequire: 
+- Minku Lee
+- Larry Kim
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-27 00:00:00.000000000 Z
+date: 2021-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
-  type: :development
+        version: '2.7'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: '1.0'
 description: |2
     Simple signed URL generator for Google Cloud Storage.
-    No additional gems and API requests required to generate signed URL.
+    No API requests required to generate signed URL.
 email:
 - sangwon@sha.kr
+- minku@sha.kr
+- larry@sha.kr
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - README.md
 - lib/gcs_signer.rb
+- lib/gcs_signer/version.rb
 homepage: https://github.com/shakrmedia/gcs-signer
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - "~>"
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2
-signing_key: 
+rubygems_version: 3.2.7
+signing_key:
 specification_version: 4
-summary: Simple signed URL generator for Google Cloud Storage.
+summary: Simple URL signer for Google Cloud Storage.
 test_files: []