gcs-signer 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 987f3aadc106b9ecf39f92c61722587746a2793b
-  data.tar.gz: 00ce402d313a94af0090c0a0f32fb17ab83d2ec1
+SHA256:
+  metadata.gz: 6b07c6432f999db39f6eaba9ac988a75c6b2617d5c9acbb4c739ae302d2e8e6d
+  data.tar.gz: dbb4cea0d3745b73cd6fc5b3714a853e069d3b59c6665dd53cdb970ca90b2814
 SHA512:
-  metadata.gz: 185e0bfed9f2fe6b25cf205e54e50893d44fe24cd2be6d6ac31d7e5022fd207d10fd1af8f66c748f62e6608bc3c19ab47eb3276e96d1dce6cc5a34c36ad8d89b
-  data.tar.gz: 29cb30b52c1d738ba9cf6c0ffc3b5cb75733372190ebdba454b5fefc61089a89636d0670633a454f911bd7c4d66124e7599caeda632f0dbdd9f4fc674c93935c
+  metadata.gz: ee1368958bb27c1ac8c595a6c5718b39e87d655da471432959929a3ee46641a5ef7e865c6d1a7a976ab55b1e570e282454d6ff5095ab2797cba6935ef4fe7fa2
+  data.tar.gz: 5394700acd1e1b2a36420bed4e9786750fbef5d8b23c64079ed041e9a09699ff63a34b944b594dae3a530d9b39570050e60df47d7a63bfd426661246891ee823

data/README.md

@@ -4,9 +4,8 @@ Simple signed URL generator for Google Cloud Storage.
 
 ## Features
 
-* No additional gems required.
 * No network connection required to generate signed URL.
-* Can read JSON service_account credentials from environment variables. So it can be used with [google-cloud-ruby](https://github.com/GoogleCloudPlatform/google-cloud-ruby) without additional configurations.
+* Can read JSON service-account credentials from environment variables. So it can be used with [google-cloud-ruby](https://github.com/GoogleCloudPlatform/google-cloud-ruby) without additional configurations.
 
 ## Installation
 
@@ -16,21 +15,33 @@ gem install gcs-signer
 
 ## Usage
 
-If you already configured `GOOGLE_CLOUD_KEYFILE` or `GOOGLE_CLOUD_KEYFILE_JSON` for google-cloud-ruby gem, just
+### Authentication
+
+If you already configured `GOOGLE_APPLICATION_CREDENTIALS` for google-cloud-ruby gem, just
+
+```ruby
+signer = GcsSigner.new
+```
+
+You can also set `GOOGLE_CLOUD_KEYFILE_JSON` environment varialble to the content of service-account.json.
 
 ```ruby
+puts ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+# => { "type": "service_account", ...
 signer = GcsSigner.new
 ```
 
-or you can give path of the service_account json file, or contents of it.
+or you can give path of the service account file, or contents of it without using environment variables.
 
 ```ruby
 signer = GcsSigner.new path: "/home/leo/path/to/service_account.json"
 
-signer = GcsSigner.new json_string: '{ "type": "service_account", ...'
+signer = GcsSigner.new keyfile_json: '{ "type": "service_account", ...'
 ```
 
-then `#sign_url` to generate signed URL.
+### Signing URL
+
+`#sign_url` to generate signed URL.
 
 ```ruby
 # The signed URL is valid for 5 minutes by default.
@@ -42,14 +53,16 @@ signer.sign_url "bucket-name", "object-name",
 
 signer.sign_url "bucket-name", "object_name", valid_for: 600
 
-# If you use AcriveSupport in your project, you can also do some magic like:
-signer.sign_url "buekct", "object", valid_for: 45.minutes
+# If you use AcriveSupport in your project, you can use some sugar like:
+signer.sign_url "bucket", "object", valid_for: 45.minutes
+signer.sign_url "bucket", "object", expires_at: 5.minutes.from_now
+
+# You can set response_content_disposition and response_content_type to change response headers.
+signer.sign_url "bucket", "object", response_content_type: "video/mp4"
+signer.sign_url "bucket", "object", response_content_disposition: "attachment; filename=video.mp4"
 
-# See https://cloud.google.com/storage/docs/access-control/signed-urls
-# for other avaliable options.
-signer.sign_url "buekct", "object", google_access_id: "sangwon@sha.kr",
-                method: "PUT", content_type: "text/plain",
-                md5: "beefbeef..."
+# You can use V4 signing if you prefer longer URL
+signer.sign_url "bucket", "object", version: :v4
 ```
 
 ## License

data/lib/gcs_signer.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
-require "uri"
-require "openssl"
-require "base64"
+
 require "json"
+require "base64"
+require "openssl"
+require "addressable"
 
 # Creates signed_url for a file on Google Cloud Storage.
 #
@@ -10,34 +11,36 @@ require "json"
 #  signer.sign "your-bucket", "object/name"
 #  # => "https://storage.googleapis.com/your-bucket/object/name?..."
 class GcsSigner
-  VERSION = "0.3.0"
+  ENV_KEYFILE_PATH = ENV["GOOGLE_CLOUD_KEYFILE"] || ENV["GOOGLE_APPLICATION_CREDENTIALS"]
+  ENV_KEYFILE_JSON = ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+  DEFAULT_GCS_URL = Addressable::URI.new(
+    scheme: "https", host: "storage.googleapis.com"
+  ).freeze
 
   # gcs-signer requires credential that can access to GCS.
   # [path] the path of the service_account json file.
-  # [json_string] ...or the content of the service_account json file.
+  # [keyfile_string] ...or the content of the service_account json file.
   # [gcs_url] Custom GCS url when signing a url.
   #
   # or if you also use \+google-cloud+ gem. you can authenticate
   # using environment variable that uses.
-  def initialize(path: nil, json_string: nil, gcs_url: nil)
-    json_string ||= File.read(path) unless path.nil?
-    json_string = look_for_environment_variables if json_string.nil?
+  def initialize(path: nil, keyfile_json: nil, gcs_url: DEFAULT_GCS_URL)
+    keyfile_json ||= path.nil? ? look_for_environment_variables : File.read(path)
+    fail AuthError, "No credentials given." if keyfile_json.nil?
 
-    fail AuthError, "No credentials given." if json_string.nil?
-    @credentials = JSON.parse(json_string)
+    @credentials = JSON.parse(keyfile_json)
     @key = OpenSSL::PKey::RSA.new(@credentials["private_key"])
-
-    @gcs_url = gcs_url || "https://storage.googleapis.com"
+    @gcs_url = Addressable::URI.parse(gcs_url)
   end
 
   # @return [String] Signed url
   # Generates signed url.
   # [bucket] the name of the Cloud Storage bucket that contains the object.
-  # [object_name] the name of the object for signed url..
+  # [key] the name of the object for signed url.
   # Variable options are available:
+  # [version] signature version; \+:v2+ or \+:v4+
   # [expires] Time(stamp in UTC) when the signed url expires.
   # [valid_for] ...or how much seconds is the signed url available.
-  # [google_access_id] Just in case if you want to change \+GoogleAccessId+
   # [response_content_disposition] Content-Disposition of the signed URL.
   # [response_content_type] Content-Type of the signed URL.
   #
@@ -57,26 +60,58 @@ class GcsSigner
   #  # If you use ActiveSupport, you can also do some magic.
   #  signer.sign_url("bucket", "path/to/file", valid_for: 40.minutes)
   #
-  # For details information of another options,
-  # like \+method+, \+md5+, and \+content_type+. See:
-  # https://cloud.google.com/storage/docs/access-control/signed-urls
-  #
-  def sign_url(bucket, object_name, options = {})
-    options = apply_default_options(options)
+  def sign_url(bucket, key, version: :v2, **options)
+    case version
+    when :v2
+      sign_url_v2(bucket, key, **options)
+    when :v4
+      sign_url_v4(bucket, key, **options)
+    else
+      fail ArgumentError, "Version not supported: #{version.inspect}"
+    end
+  end
 
-    url = URI.join(
-      @gcs_url,
-      URI.escape("/#{bucket}/"), URI.escape(object_name)
-    )
+  def sign_url_v2(bucket, key, method: "GET", valid_for: 300, **options)
+    url = @gcs_url + "./#{request_path(bucket, key)}"
+    expires_at = options[:expires] || Time.now.utc.to_i + valid_for.to_i
+    sign_payload = [method, "", "", expires_at.to_i, url.path].join("\n")
 
-    url.query = query_for_signed_url(
-      sign(string_that_will_be_signed(url, options)),
-      options
-    )
+    url.query_values = (options[:params] || {}).merge(
+      "GoogleAccessId" => @credentials["client_email"],
+      "Expires" => expires_at.to_i,
+      "Signature" => sign_v2(sign_payload),
+      "response-content-disposition" => options[:response_content_disposition],
+      "response-content-type" => options[:response_content_type]
+    ).compact
 
     url.to_s
   end
 
+  def sign_url_v4(bucket, key, method: "GET", headers: {}, **options)
+    url = @gcs_url + "./#{request_path(bucket, key)}"
+    time = Time.now.utc
+
+    request_headers = headers.merge(host: @gcs_url.host).transform_keys(&:downcase)
+    signed_headers = request_headers.keys.sort.join(";")
+    scopes = [time.strftime("%Y%m%d"), "auto", "storage", "goog4_request"].join("/")
+
+    url.query_values = build_query_params(time, scopes, signed_headers, **options)
+
+    canonical_request = [
+      method, url.path.to_s, url.query,
+      *request_headers.sort.map { |header| header.join(":") },
+      "", signed_headers, "UNSIGNED-PAYLOAD"
+    ].join("\n")
+
+    sign_payload = [
+      "GOOG4-RSA-SHA256", time.strftime("%Y%m%dT%H%M%SZ"), scopes,
+      Digest::SHA256.hexdigest(canonical_request)
+    ].join("\n")
+
+    url.query += "&X-Goog-Signature=#{sign_v4(sign_payload)}"
+    url.to_s
+  end
+
   # @return [String] contains \+project_id+ and \+client_email+
   # Prevents confidential information (like private key) from exposing
   # when used with interactive shell such as \+pry+ and \+irb+.
@@ -88,53 +123,51 @@ class GcsSigner
 
   private
 
-  # Look for environment variable which stores service_account.
   def look_for_environment_variables
-    unless ENV["GOOGLE_CLOUD_KEYFILE"].nil?
-      return File.read(ENV["GOOGLE_CLOUD_KEYFILE"])
-    end
+    ENV_KEYFILE_PATH.nil? ? ENV_KEYFILE_JSON : File.read(ENV_KEYFILE_PATH)
+  end
 
-    ENV["GOOGLE_CLOUD_KEYFILE_JSON"]
+  def request_path(bucket, object)
+    [
+      bucket,
+      Addressable::URI.encode_component(
+        object, Addressable::URI::CharacterClasses::UNRESERVED
+      )
+    ].join("/")
   end
 
-  # Signs the string with the given private key.
-  def sign(string)
-    @key.sign OpenSSL::Digest::SHA256.new, string
+  def sign_v2(string)
+    Base64.strict_encode64(sign(string))
   end
 
-  def apply_default_options(options)
-    {
-      method: "GET", content_md5: nil,
-      content_type: nil,
-      expires: Time.now.utc.to_i + (options[:valid_for] || 300).to_i,
-      google_access_id: @credentials["client_email"]
-    }.merge(options)
+  def sign_v4(string)
+    sign(string).unpack1("H*")
   end
 
-  def string_that_will_be_signed(url, options)
-    [
-      options[:method],
-      options[:content_md5],
-      options[:content_type],
-      options[:expires].to_i,
-      url.path
-    ].join "\n"
+  # Signs the string with the given private key.
+  def sign(string)
+    @key.sign(OpenSSL::Digest.new("SHA256"), string)
   end
 
-  # Escapes and generates query string for actual result.
-  def query_for_signed_url(signature, options)
-    query = {
-      "GoogleAccessId" => options[:google_access_id],
-      "Expires" => options[:expires].to_i,
-      "Signature" => Base64.strict_encode64(signature),
+  # only used in v4
+  def build_query_params(time, scopes, signed_headers, valid_for: 300, **options)
+    goog_expires = if options[:expires]
+                     options[:expires].to_i - time.to_i
+                   else
+                     valid_for.to_i
+                   end.clamp(0, 604_800)
+
+    (options[:params] || {}).merge(
+      "X-Goog-Algorithm" => "GOOG4-RSA-SHA256",
+      "X-Goog-Credential" => [@credentials["client_email"], scopes].join("/"),
+      "X-Goog-Date" => time.strftime("%Y%m%dT%H%M%SZ"),
+      "X-Goog-Expires" => goog_expires,
+      "X-Goog-SignedHeaders" => signed_headers,
       "response-content-disposition" => options[:response_content_disposition],
       "response-content-type" => options[:response_content_type]
-    }.reject { |_, v| v.nil? }
-
-    URI.encode_www_form(query)
+    ).compact.sort
   end
 
   # raised When GcsSigner could not find service_account JSON file.
-  class AuthError < StandardError
-  end
+  class AuthError < StandardError; end
 end

data/lib/gcs_signer/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class GcsSigner
+  VERSION = "0.4.0"
+end

metadata

@@ -1,92 +1,108 @@
 --- !ruby/object:Gem::Specification
 name: gcs-signer
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Sangwon Yi
 - Minku Lee
-autorequire: 
+- Larry Kim
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-06 00:00:00.000000000 Z
+date: 2021-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
-  type: :development
+        version: '2.7'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: '1.0'
 description: |2
     Simple signed URL generator for Google Cloud Storage.
-    No additional gems and API requests required to generate signed URL.
+    No API requests required to generate signed URL.
 email:
 - sangwon@sha.kr
 - minku@sha.kr
+- larry@sha.kr
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - README.md
 - lib/gcs_signer.rb
+- lib/gcs_signer/version.rb
 homepage: https://github.com/shakrmedia/gcs-signer
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - "~>"
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
-summary: Simple signed URL generator for Google Cloud Storage.
+summary: Simple URL signer for Google Cloud Storage.
 test_files: []