RubyGems - gcs-signer - Versions diffs - 0.1.0 → 0.4.1 - Mend

gcs-signer 0.1.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d9da9710c3ec0d2781bb3d0002fc104a9f898ad9
-  data.tar.gz: 8027a48a1276f076f9d0a46a5bd9aa0841da712e
+SHA256:
+  metadata.gz: 736ffe7843310671d2c07459e94ef47ad8b9ebfa24cf46530a5b1138cd954b42
+  data.tar.gz: 77ee7afb236a5416f13e1f40aec1e0d37339319476d2167e56febf10c19b2349
 SHA512:
-  metadata.gz: 3b1303e21df8a93d2cd23a8ef1636a30d79ff3238643524adfc52efa7b082df53fdcb2d5fbdaa85e6a89b2ef06323d31d481a906106a895ca42bc6b7fb4687d5
-  data.tar.gz: 8e37da7d200265cdeb64ae82a0395a6c66a26ae92b1f9bb7d1e25698b30a349be783d372114cacb2605a3238e9afcb99fa8909fd8f4586421dbe7edb77edda6f
+  metadata.gz: 97985b7cbcd77a932e92a861efc6df31199a56066c255333e41cd4f156364a726de676e6eb85c9e083400cd5321917fc62c39964a4199e8efa9977c2c9316127
+  data.tar.gz: 6007e855ec3c35a80444ca98e7f1056cc876236f0e07090acb57e61662b5cfd558e2aea208239b1ba4c285747c958ce1aae12c6533be58318b08956cd446ddc1

data/README.md CHANGED Viewed

@@ -4,9 +4,8 @@ Simple signed URL generator for Google Cloud Storage.
 ## Features
-* No additional gems required.
 * No network connection required to generate signed URL.
-* Can read JSON service_account credentials from environment variables. So it can be used with [google-cloud-ruby](https://github.com/GoogleCloudPlatform/google-cloud-ruby) without additional configurations.
+* Can read JSON service-account credentials from environment variables. So it can be used with [google-cloud-ruby](https://github.com/GoogleCloudPlatform/google-cloud-ruby) without additional configurations.
 ## Installation
@@ -16,21 +15,33 @@ gem install gcs-signer
 ## Usage
-If you already configured `GOOGLE_CLOUD_KEYFILE` or `GOOGLE_CLOUD_KEYFILE_JSON` for google-cloud-ruby gem, just
+### Authentication
+If you already configured `GOOGLE_APPLICATION_CREDENTIALS` for google-cloud-ruby gem, just
+```ruby
+signer = GcsSigner.new
+```
+You can also set `GOOGLE_CLOUD_KEYFILE_JSON` environment varialble to the content of service-account.json.
 ```ruby
+puts ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+# => { "type": "service_account", ...
 signer = GcsSigner.new
 ```
-or you can give path of the service_account json file, or contents of it.
+or you can give path of the service account file, or contents of it without using environment variables.
 ```ruby
 signer = GcsSigner.new path: "/home/leo/path/to/service_account.json"
-signer = GcsSigner.new json_string: '{ "type": "service_account", ...'
+signer = GcsSigner.new keyfile_json: '{ "type": "service_account", ...'
 ```
-then `#sign_url` to generate signed URL.
+### Signing URL
+`#sign_url` to generate signed URL.
 ```ruby
 # The signed URL is valid for 5 minutes by default.
@@ -42,14 +53,16 @@ signer.sign_url "bucket-name", "object-name",
 signer.sign_url "bucket-name", "object_name", valid_for: 600
-# If you use AcriveSupport in your project, you can also do some magic like:
-signer.sign_url "buekct", "object", valid_for: 45.minutes
+# If you use AcriveSupport in your project, you can use some sugar like:
+signer.sign_url "bucket", "object", valid_for: 45.minutes
+signer.sign_url "bucket", "object", expires_at: 5.minutes.from_now
+# You can set response_content_disposition and response_content_type to change response headers.
+signer.sign_url "bucket", "object", response_content_type: "video/mp4"
+signer.sign_url "bucket", "object", response_content_disposition: "attachment; filename=video.mp4"
-# See https://cloud.google.com/storage/docs/access-control/signed-urls
-# for other avaliable options.
-signer.sign_url "buekct", "object", google_access_id: "sangwon@sha.kr",
-                method: "PUT", content_type: "text/plain",
-                md5: "beefbeef..."
+# You can use V4 signing if you prefer longer URL
+signer.sign_url "bucket", "object", version: :v4
 ```
 ## License

data/lib/gcs_signer.rb CHANGED Viewed

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
-require "uri"
-require "openssl"
-require "base64"
 require "json"
+require "base64"
+require "openssl"
+require "addressable"
 # Creates signed_url for a file on Google Cloud Storage.
 #
@@ -10,31 +11,39 @@ require "json"
 #  signer.sign "your-bucket", "object/name"
 #  # => "https://storage.googleapis.com/your-bucket/object/name?..."
 class GcsSigner
-  VERSION = "0.1.0"
+  DEFAULT_GCS_URL = Addressable::URI.new(
+    scheme: "https", host: "storage.googleapis.com"
+  ).freeze
   # gcs-signer requires credential that can access to GCS.
   # [path] the path of the service_account json file.
-  # [json_string] ...or the content of the service_account json file.
+  # [keyfile_string] ...or the content of the service_account json file.
+  # [gcs_url] Custom GCS url when signing a url.
   #
   # or if you also use \+google-cloud+ gem. you can authenticate
   # using environment variable that uses.
-  def initialize(path: nil, json_string: nil)
-    json_string ||= File.read(path) unless path.nil?
-    json_string = look_for_environment_variables if json_string.nil?
+  def initialize(path: nil, keyfile_json: nil, gcs_url: DEFAULT_GCS_URL)
+    keyfile_json ||= path.nil? ? look_for_environment_variables : File.read(path)
+    fail AuthError, "No credentials given." if keyfile_json.nil?
-    fail AuthError, "No credentials given." if json_string.nil?
-    @credentials = JSON.parse(json_string)
+    @credentials = JSON.parse(keyfile_json)
     @key = OpenSSL::PKey::RSA.new(@credentials["private_key"])
+    @gcs_url = Addressable::URI.parse(gcs_url)
   end
   # @return [String] Signed url
   # Generates signed url.
   # [bucket] the name of the Cloud Storage bucket that contains the object.
-  # [object_name] the name of the object for signed url..
+  # [key] the name of the object for signed url.
   # Variable options are available:
+  # [version] signature version; \+:v2+ or \+:v4+
   # [expires] Time(stamp in UTC) when the signed url expires.
   # [valid_for] ...or how much seconds is the signed url available.
-  # If you don't set those values, it will set to 300 seconds by default.
+  # [response_content_disposition] Content-Disposition of the signed URL.
+  # [response_content_type] Content-Type of the signed URL.
+  #
+  # If you set neither \+expires+ nor \+valid_for+,
+  # it will set to 300 seconds by default.
   #
   #  # default is 5 minutes
   #  signer.sign_url("bucket-name", "path/to/file")
@@ -49,19 +58,55 @@ class GcsSigner
   #  # If you use ActiveSupport, you can also do some magic.
   #  signer.sign_url("bucket", "path/to/file", valid_for: 40.minutes)
   #
-  # For details information of another options,
-  # like \+method+, \+md5+, and \+content_type+. See:
-  # https://cloud.google.com/storage/docs/access-control/signed-urls
-  #
-  # Just in case if you want to change \+GoogleAccessId+ in the signed url,
-  # You can set \+google_access_id+ as an option.
-  def sign_url(bucket, object_name, options = {})
-    options = apply_default_options(options)
-    url = URI.join "https://storage.googleapis.com",
-                   URI.escape("/#{bucket}/"), URI.escape(object_name)
-    signature = sign string_that_will_be_signed(url, options)
-    url.query = query_for_signed_url(signature, options)
+  def sign_url(bucket, key, version: :v2, **options)
+    case version
+    when :v2
+      sign_url_v2(bucket, key, **options)
+    when :v4
+      sign_url_v4(bucket, key, **options)
+    else
+      fail ArgumentError, "Version not supported: #{version.inspect}"
+    end
+  end
+  def sign_url_v2(bucket, key, method: "GET", valid_for: 300, **options)
+    url = @gcs_url + "./#{request_path(bucket, key)}"
+    expires_at = options[:expires] || Time.now.utc.to_i + valid_for.to_i
+    sign_payload = [method, "", "", expires_at.to_i, url.path].join("\n")
+    url.query_values = (options[:params] || {}).merge(
+      "GoogleAccessId" => @credentials["client_email"],
+      "Expires" => expires_at.to_i,
+      "Signature" => sign_v2(sign_payload),
+      "response-content-disposition" => options[:response_content_disposition],
+      "response-content-type" => options[:response_content_type]
+    ).compact
+    url.to_s
+  end
+  def sign_url_v4(bucket, key, method: "GET", headers: {}, **options)
+    url = @gcs_url + "./#{request_path(bucket, key)}"
+    time = Time.now.utc
+    request_headers = headers.merge(host: @gcs_url.host).transform_keys(&:downcase)
+    signed_headers = request_headers.keys.sort.join(";")
+    scopes = [time.strftime("%Y%m%d"), "auto", "storage", "goog4_request"].join("/")
+    url.query_values = build_query_params(time, scopes, signed_headers, **options)
+    canonical_request = [
+      method, url.path.to_s, url.query,
+      *request_headers.sort.map { |header| header.join(":") },
+      "", signed_headers, "UNSIGNED-PAYLOAD"
+    ].join("\n")
+    sign_payload = [
+      "GOOG4-RSA-SHA256", time.strftime("%Y%m%dT%H%M%SZ"), scopes,
+      Digest::SHA256.hexdigest(canonical_request)
+    ].join("\n")
+    url.query += "&X-Goog-Signature=#{sign_v4(sign_payload)}"
     url.to_s
   end
@@ -76,47 +121,51 @@ class GcsSigner
   private
-  # Look for environment variable which stores service_account.
   def look_for_environment_variables
-    unless ENV["GOOGLE_CLOUD_KEYFILE"].nil?
-      return File.read(ENV["GOOGLE_CLOUD_KEYFILE"])
-    end
+    env_keyfile_path = ENV["GOOGLE_CLOUD_KEYFILE"] || ENV["GOOGLE_APPLICATION_CREDENTIALS"]
+    env_keyfile_path.nil? ? ENV["GOOGLE_CLOUD_KEYFILE_JSON"] : File.read(env_keyfile_path)
+  end
-    ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+  def request_path(bucket, object)
+    [
+      bucket, *object.split("/")
+    ].map do |str|
+      Addressable::URI.encode_component(str, Addressable::URI::CharacterClasses::UNRESERVED)
+    end.join("/")
   end
-  # Signs the string with the given private key.
-  def sign(string)
-    @key.sign OpenSSL::Digest::SHA256.new, string
+  def sign_v2(string)
+    Base64.strict_encode64(sign(string))
   end
-  def apply_default_options(options)
-    {
-      method: "GET", content_md5: nil,
-      content_type: nil,
-      expires: Time.now.utc.to_i + (options[:valid_for] || 300).to_i,
-      google_access_id: @credentials["client_email"]
-    }.merge(options)
+  def sign_v4(string)
+    sign(string).unpack1("H*")
   end
-  def string_that_will_be_signed(url, options)
-    [
-      options[:method],
-      options[:content_md5],
-      options[:content_type],
-      options[:expires].to_i,
-      url.path
-    ].join "\n"
+  # Signs the string with the given private key.
+  def sign(string)
+    @key.sign(OpenSSL::Digest.new("SHA256"), string)
   end
-  # Escapes and generates query string for actual result.
-  def query_for_signed_url(signature, options)
-    URI.encode_www_form GoogleAccessId: options[:google_access_id],
-                        Expires: options[:expires].to_i,
-                        Signature: Base64.strict_encode64(signature)
+  # only used in v4
+  def build_query_params(time, scopes, signed_headers, valid_for: 300, **options)
+    goog_expires = if options[:expires]
+                     options[:expires].to_i - time.to_i
+                   else
+                     valid_for.to_i
+                   end.clamp(0, 604_800)
+    (options[:params] || {}).merge(
+      "X-Goog-Algorithm" => "GOOG4-RSA-SHA256",
+      "X-Goog-Credential" => [@credentials["client_email"], scopes].join("/"),
+      "X-Goog-Date" => time.strftime("%Y%m%dT%H%M%SZ"),
+      "X-Goog-Expires" => goog_expires,
+      "X-Goog-SignedHeaders" => signed_headers,
+      "response-content-disposition" => options[:response_content_disposition],
+      "response-content-type" => options[:response_content_type]
+    ).compact.sort
   end
   # raised When GcsSigner could not find service_account JSON file.
-  class AuthError < StandardError
-  end
+  class AuthError < StandardError; end
 end

data/lib/gcs_signer/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+class GcsSigner
+  VERSION = "0.4.1"
+end

metadata CHANGED Viewed

@@ -1,90 +1,108 @@
 --- !ruby/object:Gem::Specification
 name: gcs-signer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Sangwon Yi
-autorequire:
+- Minku Lee
+- Larry Kim
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-27 00:00:00.000000000 Z
+date: 2021-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
-  type: :development
+        version: '2.7'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: '1.0'
 description: |2
     Simple signed URL generator for Google Cloud Storage.
-    No additional gems and API requests required to generate signed URL.
+    No API requests required to generate signed URL.
 email:
 - sangwon@sha.kr
+- minku@sha.kr
+- larry@sha.kr
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - README.md
 - lib/gcs_signer.rb
+- lib/gcs_signer/version.rb
 homepage: https://github.com/shakrmedia/gcs-signer
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - "~>"
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.2
-signing_key:
+rubygems_version: 3.2.7
+signing_key:
 specification_version: 4
-summary: Simple signed URL generator for Google Cloud Storage.
+summary: Simple URL signer for Google Cloud Storage.
 test_files: []