google-cloud-storage 1.17.0 → 1.18.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99549b865b9a4222f87a79ca84f7bfb6f9291e48284fd27a8be32cd91a7fe6d5
-  data.tar.gz: b4aee052f8aa4f56caa8c37ddd1d8cac51ad562f85f8bb1b14f9166bc7d65bd2
+  metadata.gz: 625405fb7ef792e7cd585f572f0e5102dfc6a03b4fb84daabce5fbe08b30fede
+  data.tar.gz: 93902f2000495402041a5a564956973b67e381326a68fe282bfdf6576b05d242
 SHA512:
-  metadata.gz: 02ff1dab5acafa5b56ee161c1cae21fabd901f6e6edecd802d511c17732d8f837ac4e723babed90feaf2c54054880a36e908302b5ea64dc308e86107858fcc39
-  data.tar.gz: d154a90c24ae673416bb3759d040bb9299cd3a6c53b53b3406a4fe663b525cda298b5fc69da041e828cb7503faf3f7f4380e878bfb3a01dc4b962f71e7ec2b1f
+  metadata.gz: 5e6eb7b4c4ec6c710d97c9611804c851b61a6878f5a10ef138c43f1aa0c8eff862232edfd6ae46e8f614ca4315c682b7486eff51fb3ace86f417cb1d49e92aa4
+  data.tar.gz: 10a8d0a3c177e4b0c9265e81929fa7090463da4eb3c577ee88b3456a66712bf85fef5b6cb34e212cdbf7d5080432ed5679de1829f69d548999b24b436c9e7a3d

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Release History
 
+### 1.18.0 / 2019-04-09
+
+* Add support for V4 signed URLs.
+  * Add version param to #signed_url.
+* Fix file path encoding for V2 signed URLs.
+  * Change CGI encoding to URI (percent) encoding to fix URLs containing spaces in file path.
+* Fix documentation typo.
+
 ### 1.17.0 / 2019-02-07
 
 * Add support for Bucket Policy Only with `Bucket#policy_only?`,
@@ -14,7 +22,7 @@
     This value was added in googleauth 0.7.0.
   * Loosen googleauth dependency
     Allow for new releases up to 0.10.
-    The googleauth devs have committed to maintanining the current API
+    The googleauth devs have committed to maintaining the current API
     and will not make backwards compatible changes before 0.10.
 
 ### 1.15.0 / 2018-10-03

data/lib/google/cloud/storage/bucket.rb

@@ -361,7 +361,7 @@ module Google
         # @param [Symbol, String] new_storage_class Storage class of the bucket.
         #
         def storage_class= new_storage_class
-          @gapi.storage_class = storage_class_for(new_storage_class)
+          @gapi.storage_class = storage_class_for new_storage_class
           patch_gapi! :storage_class
         end
 
@@ -1353,14 +1353,12 @@ module Google
         alias combine compose
 
         ##
-        # Access without authentication can be granted to a File for a specified
-        # period of time. This URL uses a cryptographic signature of your
-        # credentials to access the file identified by `path`. A URL can be
-        # created for paths that do not yet exist. For instance, a URL can be
-        # created to `PUT` file contents to.
+        # Generates a signed URL. See [Signed
+        # URLs](https://cloud.google.com/storage/docs/access-control/signed-urls)
+        # for more information.
         #
-        # Generating a URL requires service account credentials, either by
-        # connecting with a service account when calling
+        # Generating a signed URL requires service account credentials, either
+        # by connecting with a service account when calling
         # {Google::Cloud.storage}, or by passing in the service account `issuer`
         # and `signing_key` values. Although the private key can be passed as a
         # string for convenience, creating and storing an instance of
@@ -1372,20 +1370,26 @@ module Google
         # steps in [Service Account Authentication](
         # https://cloud.google.com/storage/docs/authentication#service_accounts).
         #
-        # @see https://cloud.google.com/storage/docs/access-control#Signed-URLs
-        #   Access Control Signed URLs guide
+        # @see https://cloud.google.com/storage/docs/access-control/signed-urls
+        #   Signed URLs guide
+        # @see https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable
+        #   Using signed URLs with resumable uploads
         #
-        # @param [String] path Path to the file in Google Cloud Storage.
+        # @param [String, nil] path Path to the file in Google Cloud Storage, or
+        #   `nil` to generate a URL for listing all files in the bucket.
         # @param [String] method The HTTP verb to be used with the signed URL.
         #   Signed URLs can be used
         #   with `GET`, `HEAD`, `PUT`, and `DELETE` requests. Default is `GET`.
         # @param [Integer] expires The number of seconds until the URL expires.
-        #   Default is 300/5 minutes.
+        #   If the `version` is `:v2`, the default is 300 (5 minutes). If the
+        #   `version` is `:v4`, the default is 604800 (7 days).
         # @param [String] content_type When provided, the client (browser) must
-        #   send this value in the HTTP header. e.g. `text/plain`
+        #   send this value in the HTTP header. e.g. `text/plain`. This param is
+        #   not used if the `version` is `:v4`.
         # @param [String] content_md5 The MD5 digest value in base64. If you
         #   provide this in the string, the client (usually a browser) must
-        #   provide this HTTP header with this same value in its request.
+        #   provide this HTTP header with this same value in its request. This
+        #   param is not used if the `version` is `:v4`.
         # @param [Hash] headers Google extension headers (custom HTTP headers
         #   that begin with `x-goog-`) that must be included in requests that
         #   use the signed URL.
@@ -1403,6 +1407,9 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {File#content_disposition=} and {File#content_type=}.)
+        # @param [Symbol, String] version The version of the signed credential
+        #   to create. Must be one of ':v2' or ':v4'. The default value is
+        #   ':v2'.
         #
         # @return [String]
         #
@@ -1414,21 +1421,20 @@ module Google
         #   bucket = storage.bucket "my-todo-app"
         #   shared_url = bucket.signed_url "avatars/heidi/400x400.png"
         #
-        # @example Any of the option parameters may be specified:
+        # @example Using the `expires` and `version` options:
         #   require "google/cloud/storage"
         #
         #   storage = Google::Cloud::Storage.new
         #
         #   bucket = storage.bucket "my-todo-app"
         #   shared_url = bucket.signed_url "avatars/heidi/400x400.png",
-        #                                  method: "PUT",
-        #                                  content_type: "image/png",
-        #                                  expires: 300 # 5 minutes from now
+        #                                  expires: 300, # 5 minutes from now
+        #                                  version: :v4
         #
-        # @example Using the issuer and signing_key options:
+        # @example Using the `issuer` and `signing_key` options:
         #   require "google/cloud/storage"
         #
-        #   storage = Google::Cloud.storage
+        #   storage = Google::Cloud::Storage.new
         #
         #   bucket = storage.bucket "my-todo-app"
         #   key = OpenSSL::PKey::RSA.new "-----BEGIN PRIVATE KEY-----\n..."
@@ -1436,10 +1442,10 @@ module Google
         #                                  issuer: "service-account@gcloud.com",
         #                                  signing_key: key
         #
-        # @example Using the headers option:
+        # @example Using the `headers` option:
         #   require "google/cloud/storage"
         #
-        #   storage = Google::Cloud.storage
+        #   storage = Google::Cloud::Storage.new
         #
         #   bucket = storage.bucket "my-todo-app"
         #   shared_url = bucket.signed_url "avatars/heidi/400x400.png",
@@ -1448,18 +1454,54 @@ module Google
         #                                    "x-goog-meta-foo" => "bar,baz"
         #                                  }
         #
-        def signed_url path, method: nil, expires: nil, content_type: nil,
+        # @example Generating a signed URL for resumable upload:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   url = bucket.signed_url "avatars/heidi/400x400.png",
+        #                           method: "POST",
+        #                           content_type: "image/png",
+        #                           headers: {
+        #                             "x-goog-resumable" => "start"
+        #                           }
+        #   # Send the `x-goog-resumable:start` header and the content type
+        #   # with the resumable upload POST request.
+        #
+        # @example Omitting `path` for a URL to list all files in the bucket.
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   list_files_url = bucket.signed_url version: :v4
+        #
+        def signed_url path = nil, method: nil, expires: nil, content_type: nil,
                        content_md5: nil, headers: nil, issuer: nil,
                        client_email: nil, signing_key: nil, private_key: nil,
-                       query: nil
+                       query: nil, version: nil
           ensure_service!
-          signer = File::Signer.from_bucket self, path
-          signer.signed_url method: method, expires: expires, headers: headers,
-                            content_type: content_type,
-                            content_md5: content_md5, issuer: issuer,
-                            client_email: client_email,
-                            signing_key: signing_key, private_key: private_key,
-                            query: query
+          version ||= :v2
+          case version.to_sym
+          when :v2
+            signer = File::SignerV2.from_bucket self, path
+            signer.signed_url method: method, expires: expires,
+                              headers: headers, content_type: content_type,
+                              content_md5: content_md5, issuer: issuer,
+                              client_email: client_email,
+                              signing_key: signing_key,
+                              private_key: private_key, query: query
+          when :v4
+            signer = File::SignerV4.from_bucket self, path
+            signer.signed_url method: method, expires: expires,
+                              headers: headers, issuer: issuer,
+                              client_email: client_email,
+                              signing_key: signing_key,
+                              private_key: private_key, query: query
+          else
+            raise ArgumentError, "version '#{version}' not supported"
+          end
         end
 
         ##
@@ -1563,7 +1605,7 @@ module Google
                         private_key: nil
           ensure_service!
 
-          signer = File::Signer.from_bucket self, path
+          signer = File::SignerV2.from_bucket self, path
           signer.post_object issuer: issuer, client_email: client_email,
                              signing_key: signing_key, private_key: private_key,
                              policy: policy

data/lib/google/cloud/storage/bucket/list.rb

@@ -128,7 +128,7 @@ module Google
           def all request_limit: nil
             request_limit = request_limit.to_i if request_limit
             unless block_given?
-              return enum_for(:all, request_limit: request_limit)
+              return enum_for :all, request_limit: request_limit
             end
             results = self
             loop do

data/lib/google/cloud/storage/file.rb

@@ -17,7 +17,8 @@ require "google/cloud/storage/convert"
 require "google/cloud/storage/file/acl"
 require "google/cloud/storage/file/list"
 require "google/cloud/storage/file/verifier"
-require "google/cloud/storage/file/signer"
+require "google/cloud/storage/file/signer_v2"
+require "google/cloud/storage/file/signer_v4"
 require "zlib"
 
 module Google
@@ -443,7 +444,7 @@ module Google
         # @param [Symbol, String] storage_class Storage class of the file.
         #
         def storage_class= storage_class
-          @gapi.storage_class = storage_class_for(storage_class)
+          @gapi.storage_class = storage_class_for storage_class
           update_gapi! :storage_class
         end
 
@@ -940,7 +941,7 @@ module Google
                                   key: encryption_key, range: range,
                                   user_project: user_project
           # FIX: downloading with encryption key will return nil
-          file ||= ::File.new(path)
+          file ||= ::File.new path
           verify = :none if range
           verify_file! file, verify
           if !skip_decompress &&
@@ -1384,12 +1385,12 @@ module Google
         alias url public_url
 
         ##
-        # Access without authentication can be granted to a File for a specified
-        # period of time. This URL uses a cryptographic signature of your
-        # credentials to access the file.
+        # Generates a signed URL for the file. See [Signed
+        # URLs](https://cloud.google.com/storage/docs/access-control/signed-urls)
+        # for more information.
         #
-        # Generating a URL requires service account credentials, either by
-        # connecting with a service account when calling
+        # Generating a signed URL requires service account credentials, either
+        # by connecting with a service account when calling
         # {Google::Cloud.storage}, or by passing in the service account `issuer`
         # and `signing_key` values. Although the private key can be passed as a
         # string for convenience, creating and storing an instance of
@@ -1401,19 +1402,24 @@ module Google
         # steps in [Service Account Authentication](
         # https://cloud.google.com/storage/docs/authentication#service_accounts).
         #
-        # @see https://cloud.google.com/storage/docs/access-control#Signed-URLs
-        #   Access Control Signed URLs guide
+        # @see https://cloud.google.com/storage/docs/access-control/signed-urls
+        #   Signed URLs guide
+        # @see https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable
+        #   Using signed URLs with resumable uploads
         #
         # @param [String] method The HTTP verb to be used with the signed URL.
         #   Signed URLs can be used
         #   with `GET`, `HEAD`, `PUT`, and `DELETE` requests. Default is `GET`.
         # @param [Integer] expires The number of seconds until the URL expires.
-        #   Default is 300/5 minutes.
+        #   If the `version` is `:v2`, the default is 300 (5 minutes). If the
+        #   `version` is `:v4`, the default is 604800 (7 days).
         # @param [String] content_type When provided, the client (browser) must
-        #   send this value in the HTTP header. e.g. `text/plain`
+        #   send this value in the HTTP header. e.g. `text/plain`. This param is
+        #   not used if the `version` is `:v4`.
         # @param [String] content_md5 The MD5 digest value in base64. If you
         #   provide this in the string, the client (usually a browser) must
-        #   provide this HTTP header with this same value in its request.
+        #   provide this HTTP header with this same value in its request. This
+        #   param is not used if the `version` is `:v4`.
         # @param [Hash] headers Google extension headers (custom HTTP headers
         #   that begin with `x-goog-`) that must be included in requests that
         #   use the signed URL.
@@ -1431,6 +1437,9 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {#content_disposition=} and {#content_type=}.)
+        # @param [Symbol, String] version The version of the signed credential
+        #   to create. Must be one of ':v2' or ':v4'. The default value is
+        #   ':v2'.
         #
         # @return [String]
         #
@@ -1443,21 +1452,20 @@ module Google
         #   file = bucket.file "avatars/heidi/400x400.png"
         #   shared_url = file.signed_url
         #
-        # @example Any of the option parameters may be specified:
+        # @example Using the `expires` and `version` options:
         #   require "google/cloud/storage"
         #
         #   storage = Google::Cloud::Storage.new
         #
         #   bucket = storage.bucket "my-todo-app"
         #   file = bucket.file "avatars/heidi/400x400.png"
-        #   shared_url = file.signed_url method: "PUT",
-        #                                content_type: "image/png",
-        #                                expires: 300 # 5 minutes from now
-        #
+        #   shared_url = file.signed_url expires: 300, # 5 minutes from now
+        #                                version: :v4
+
         # @example Using the `issuer` and `signing_key` options:
         #   require "google/cloud/storage"
         #
-        #   storage = Google::Cloud.storage
+        #   storage = Google::Cloud::Storage.new
         #
         #   bucket = storage.bucket "my-todo-app"
         #   file = bucket.file "avatars/heidi/400x400.png"
@@ -1478,18 +1486,46 @@ module Google
         #                                  "x-goog-meta-foo" => "bar,baz"
         #                                }
         #
+        # @example Generating a signed URL for resumable upload:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   file = bucket.file "avatars/heidi/400x400.png", skip_lookup: true
+        #   url = file.signed_url method: "POST",
+        #                         content_type: "image/png",
+        #                         headers: {
+        #                           "x-goog-resumable" => "start"
+        #                         }
+        #   # Send the `x-goog-resumable:start` header and the content type
+        #   # with the resumable upload POST request.
+        #
         def signed_url method: nil, expires: nil, content_type: nil,
                        content_md5: nil, headers: nil, issuer: nil,
                        client_email: nil, signing_key: nil, private_key: nil,
-                       query: nil
+                       query: nil, version: nil
           ensure_service!
-          signer = File::Signer.from_file self
-          signer.signed_url method: method, expires: expires, headers: headers,
-                            content_type: content_type,
-                            content_md5: content_md5,
-                            issuer: issuer, client_email: client_email,
-                            signing_key: signing_key, private_key: private_key,
-                            query: query
+          version ||= :v2
+          case version.to_sym
+          when :v2
+            signer = File::SignerV2.from_file self
+            signer.signed_url method: method, expires: expires,
+                              headers: headers, content_type: content_type,
+                              content_md5: content_md5, issuer: issuer,
+                              client_email: client_email,
+                              signing_key: signing_key,
+                              private_key: private_key, query: query
+          when :v4
+            signer = File::SignerV4.from_file self
+            signer.signed_url method: method, expires: expires,
+                              headers: headers, issuer: issuer,
+                              client_email: client_email,
+                              signing_key: signing_key,
+                              private_key: private_key, query: query
+          else
+            raise ArgumentError, "version '#{version}' not supported"
+          end
         end
 
         ##
@@ -1737,11 +1773,11 @@ module Google
         #   system or a StringIO instance.
         def gzip_decompress local_file
           if local_file.respond_to? :path
-            gz = ::File.open(Pathname(local_file).to_path, "rb") do |f|
-              Zlib::GzipReader.new(StringIO.new(f.read))
+            gz = ::File.open Pathname(local_file).to_path, "rb" do |f|
+              Zlib::GzipReader.new StringIO.new(f.read)
             end
             uncompressed_string = gz.read
-            ::File.open(Pathname(local_file).to_path, "w") do |f|
+            ::File.open Pathname(local_file).to_path, "w" do |f|
               f.write uncompressed_string
               f
             end

data/lib/google/cloud/storage/file/list.rb

@@ -142,7 +142,7 @@ module Google
           def all request_limit: nil
             request_limit = request_limit.to_i if request_limit
             unless block_given?
-              return enum_for(:all, request_limit: request_limit)
+              return enum_for :all, request_limit: request_limit
             end
             results = self
             loop do

data/lib/google/cloud/storage/file/{signer.rb → signer_v2.rb}

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 
+require "addressable/uri"
 require "base64"
 require "cgi"
 require "openssl"
@@ -24,7 +25,7 @@ module Google
       class File
         ##
         # @private Create a signed_url for a file.
-        class Signer
+        class SignerV2
           def initialize bucket, path, service
             @bucket = bucket
             @path = path
@@ -42,10 +43,7 @@ module Google
           ##
           # The external path to the file.
           def ext_path
-            escaped_path = String(@path).split("/").map do |node|
-              CGI.escape node
-            end.join("/")
-            "/#{CGI.escape @bucket}/#{escaped_path}"
+            Addressable::URI.escape "/#{@bucket}/#{@path}"
           end
 
           ##
@@ -93,7 +91,7 @@ module Google
             raise SignedUrlUnavailable unless i && s
 
             policy_str = p.to_json
-            policy = Base64.strict_encode64(policy_str).delete("\n")
+            policy = Base64.strict_encode64(policy_str).delete "\n"
 
             signature = generate_signature s, policy
 
@@ -121,7 +119,7 @@ module Google
               signing_key = OpenSSL::PKey::RSA.new signing_key
             end
             signature = signing_key.sign OpenSSL::Digest::SHA256.new, secret
-            Base64.strict_encode64(signature).delete("\n")
+            Base64.strict_encode64(signature).delete "\n"
           end
 
           def generate_signed_url issuer, signed_string, expires, query

data/lib/google/cloud/storage/file/signer_v4.rb

@@ -0,0 +1,182 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+require "addressable/uri"
+require "cgi"
+require "openssl"
+require "google/cloud/storage/errors"
+
+module Google
+  module Cloud
+    module Storage
+      class File
+        ##
+        # @private Create a signed_url for a file.
+        class SignerV4
+          def initialize bucket_name, file_name, service
+            @bucket_name = bucket_name
+            @file_name = file_name
+            @service = service
+          end
+
+          def self.from_file file
+            new file.bucket, file.name, file.service
+          end
+
+          def self.from_bucket bucket, file_name
+            new bucket.name, file_name, bucket.service
+          end
+
+          def signed_url method: "GET", expires: nil, headers: nil,
+                         issuer: nil, client_email: nil, signing_key: nil,
+                         private_key: nil, query: nil
+            issuer, signer = issuer_and_signer issuer, client_email,
+                                               signing_key, private_key
+            datetime_now = Time.now.utc
+            goog_date = datetime_now.strftime "%Y%m%dT%H%M%SZ"
+            datestamp = datetime_now.strftime "%Y%m%d"
+            # goog4_request is not checked.
+            scope = "#{datestamp}/auto/storage/goog4_request"
+
+            canonical_headers_str, signed_headers_str = \
+              canonical_and_signed_headers headers
+
+            algorithm = "GOOG4-RSA-SHA256"
+            expires = determine_expires expires
+            credential = CGI.escape issuer + "/" + scope
+            canonical_query_str = canonical_query query, algorithm,
+                                                  credential, goog_date,
+                                                  expires, signed_headers_str
+
+            # From AWS: You don't include a payload hash in the Canonical
+            # Request, because when you create a presigned URL, you don't know
+            # the payload content because the URL is used to upload an arbitrary
+            # payload. Instead, you use a constant string UNSIGNED-PAYLOAD.
+            canonical_request = [method,
+                                 ext_path,
+                                 canonical_query_str,
+                                 canonical_headers_str,
+                                 signed_headers_str,
+                                 "UNSIGNED-PAYLOAD"].join("\n")
+            # Construct string to sign
+            req_sha = Digest::SHA256.hexdigest canonical_request
+            string_to_sign = [algorithm, goog_date, scope, req_sha].join "\n"
+
+            # Sign string
+            signature = signer.call string_to_sign
+
+            # Construct signed URL
+            "#{ext_url}?#{canonical_query_str}&X-Goog-Signature=#{signature}"
+          end
+
+          protected
+
+          def determine_issuer issuer, client_email
+            # Parse the Service Account and get client id and private key
+            issuer = issuer || client_email || @service.credentials.issuer
+            unless issuer
+              raise SignedUrlUnavailable, "issuer (client_email) missing"
+            end
+            issuer
+          end
+
+          def determine_signing_key signing_key, private_key
+            signing_key = signing_key || private_key ||
+                          @service.credentials.signing_key
+            unless signing_key
+              raise SignedUrlUnavailable, "signing_key (private_key) missing"
+            end
+            signing_key
+          end
+
+          def service_account_signer signer
+            unless signer.respond_to? :sign
+              signer = OpenSSL::PKey::RSA.new signer
+            end
+            # Sign string to sign
+            lambda do |string_to_sign|
+              sig = signer.sign OpenSSL::Digest::SHA256.new, string_to_sign
+              sig.unpack("H*").first
+            end
+          end
+
+          def issuer_and_signer issuer, client_email, signing_key, private_key
+            issuer = determine_issuer issuer, client_email
+            signing_key = determine_signing_key signing_key, private_key
+            signer = service_account_signer signing_key
+            [issuer, signer]
+          end
+
+          def canonical_and_signed_headers headers
+            # Headers needs to be in alpha order.
+            canonical_headers = headers || {}
+            canonical_headers = Hash[canonical_headers.map do |k, v|
+                                       [k.downcase, v.strip.gsub(/\s+/, " ")]
+                                     end]
+            canonical_headers["host"] = "storage.googleapis.com"
+
+            canonical_headers = canonical_headers.sort_by do |k, _|
+              k.downcase
+            end.to_h
+            canonical_headers_str = ""
+            canonical_headers.each do |k, v|
+              canonical_headers_str += "#{k}:#{v}\n"
+            end
+            signed_headers_str = ""
+            canonical_headers.each_key { |k| signed_headers_str += "#{k};" }
+            signed_headers_str = signed_headers_str.chomp ";"
+            [canonical_headers_str, signed_headers_str]
+          end
+
+          def determine_expires expires
+            expires ||= 604_800 # Default is 7 days.
+            if expires > 604_800
+              raise ArgumentError, "Expiration time can't be longer than a week"
+            end
+            expires
+          end
+
+          def canonical_query query, algorithm, credential, goog_date, expires,
+                              signed_headers_str
+            query ||= {}
+            query["X-Goog-Algorithm"] = algorithm
+            query["X-Goog-Credential"] = credential
+            query["X-Goog-Date"] = goog_date
+            query["X-Goog-Expires"] = expires
+            query["X-Goog-SignedHeaders"] = CGI.escape signed_headers_str
+            query = query.sort_by { |k, _| k.to_s.downcase }.to_h
+            canonical_query_str = ""
+            query.each { |k, v| canonical_query_str += "#{k}=#{v}&" }
+            canonical_query_str.chomp "&"
+          end
+
+          ##
+          # The URI-encoded (percent encoded) external path to the file.
+          def ext_path
+            path = "/#{@bucket_name}"
+            path += "/#{String(@file_name)}" if @file_name && !@file_name.empty?
+            Addressable::URI.escape path
+          end
+
+          ##
+          # The external url to the file.
+          def ext_url
+            "#{GOOGLEAPIS_URL}#{ext_path}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/google/cloud/storage/file/verifier.rb

@@ -51,7 +51,7 @@ module Google
 
           def self.md5_for local_file
             if local_file.respond_to? :path
-              ::File.open(Pathname(local_file).to_path, "rb") do |f|
+              ::File.open Pathname(local_file).to_path, "rb" do |f|
                 ::Digest::MD5.file(f).base64digest
               end
             else # StringIO
@@ -64,7 +64,7 @@ module Google
 
           def self.crc32c_for local_file
             if local_file.respond_to? :path
-              ::File.open(Pathname(local_file).to_path, "rb") do |f|
+              ::File.open Pathname(local_file).to_path, "rb" do |f|
                 ::Digest::CRC32c.file(f).base64digest
               end
             else # StringIO

data/lib/google/cloud/storage/project.rb

@@ -358,7 +358,7 @@ module Google
             name: bucket_name,
             location: location
           }.delete_if { |_, v| v.nil? })
-          storage_class = storage_class_for(storage_class)
+          storage_class = storage_class_for storage_class
           updater = Bucket::Updater.new(new_bucket).tap do |b|
             b.logging_bucket = logging_bucket unless logging_bucket.nil?
             b.logging_prefix = logging_prefix unless logging_prefix.nil?
@@ -379,11 +379,9 @@ module Google
         end
 
         ##
-        # Access without authentication can be granted to a File for a specified
-        # period of time. This URL uses a cryptographic signature of your
-        # credentials to access the file identified by `path`. A URL can be
-        # created for paths that do not yet exist. For instance, a URL can be
-        # created to `PUT` file contents to.
+        # Generates a signed URL. See [Signed
+        # URLs](https://cloud.google.com/storage/docs/access-control/signed-urls)
+        # for more information.
         #
         # Generating a URL requires service account credentials, either by
         # connecting with a service account when calling
@@ -398,21 +396,27 @@ module Google
         # steps in [Service Account Authentication](
         # https://cloud.google.com/storage/docs/authentication#service_accounts).
         #
-        # @see https://cloud.google.com/storage/docs/access-control#Signed-URLs
-        #   Access Control Signed URLs guide
+        # @see https://cloud.google.com/storage/docs/access-control/signed-urls
+        #   Signed URLs guide
+        # @see https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable
+        #   Using signed URLs with resumable uploads
         #
-        # @param [String] bucket Name of the bucket.
+        # @param [String, nil] bucket Name of the bucket, or nil if URL for all
+        #   buckets is desired.
         # @param [String] path Path to the file in Google Cloud Storage.
         # @param [String] method The HTTP verb to be used with the signed URL.
         #   Signed URLs can be used
         #   with `GET`, `HEAD`, `PUT`, and `DELETE` requests. Default is `GET`.
         # @param [Integer] expires The number of seconds until the URL expires.
-        #   Default is 300/5 minutes.
+        #   If the `version` is `:v2`, the default is 300 (5 minutes). If the
+        #   `version` is `:v4`, the default is 604800 (7 days).
         # @param [String] content_type When provided, the client (browser) must
-        #   send this value in the HTTP header. e.g. `text/plain`
+        #   send this value in the HTTP header. e.g. `text/plain`. This param is
+        #   not used if the `version` is `:v4`.
         # @param [String] content_md5 The MD5 digest value in base64. If you
         #   provide this in the string, the client (usually a browser) must
-        #   provide this HTTP header with this same value in its request.
+        #   provide this HTTP header with this same value in its request. This
+        #   param is not used if the `version` is `:v4`.
         # @param [Hash] headers Google extension headers (custom HTTP headers
         #   that begin with `x-goog-`) that must be included in requests that
         #   use the signed URL.
@@ -430,6 +434,9 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {File#content_disposition=} and {File#content_type=}.)
+        # @param [Symbol, String] version The version of the signed credential
+        #   to create. Must be one of ':v2' or ':v4'. The default value is
+        #   ':v2'.
         #
         # @return [String]
         #
@@ -442,7 +449,7 @@ module Google
         #   file_path = "avatars/heidi/400x400.png"
         #   shared_url = storage.signed_url bucket_name, file_path
         #
-        # @example Any of the option parameters may be specified:
+        # @example Using the `expires` and `version` options:
         #   require "google/cloud/storage"
         #
         #   storage = Google::Cloud::Storage.new
@@ -450,14 +457,13 @@ module Google
         #   bucket_name = "my-todo-app"
         #   file_path = "avatars/heidi/400x400.png"
         #   shared_url = storage.signed_url bucket_name, file_path,
-        #                                   method: "PUT",
-        #                                   content_type: "image/png",
-        #                                   expires: 300 # 5 minutes from now
+        #                                   expires: 300, # 5 minutes from now
+        #                                   version: :v4
         #
-        # @example Using the issuer and signing_key options:
+        # @example Using the `issuer` and `signing_key` options:
         #   require "google/cloud/storage"
         #
-        #   storage = Google::Cloud.storage
+        #   storage = Google::Cloud::Storage.new
         #
         #   bucket_name = "my-todo-app"
         #   file_path = "avatars/heidi/400x400.png"
@@ -467,10 +473,10 @@ module Google
         #                                   issuer: issuer_email,
         #                                   signing_key: key
         #
-        # @example Using the headers option:
+        # @example Using the `headers` option:
         #   require "google/cloud/storage"
         #
-        #   storage = Google::Cloud.storage
+        #   storage = Google::Cloud::Storage.new
         #
         #   bucket_name = "my-todo-app"
         #   file_path = "avatars/heidi/400x400.png"
@@ -480,17 +486,48 @@ module Google
         #                                     "x-goog-meta-foo" => "bar,baz"
         #                                   }
         #
+        # @example Generating a signed URL for resumable upload:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket_name = "my-todo-app"
+        #   file_path = "avatars/heidi/400x400.png"
+        #
+        #   url = storage.signed_url bucket_name, file_path,
+        #                            method: "POST",
+        #                            content_type: "image/png",
+        #                            headers: {
+        #                              "x-goog-resumable" => "start"
+        #                            }
+        #   # Send the `x-goog-resumable:start` header and the content type
+        #   # with the resumable upload POST request.
+        #
         def signed_url bucket, path, method: nil, expires: nil,
                        content_type: nil, content_md5: nil, headers: nil,
                        issuer: nil, client_email: nil, signing_key: nil,
-                       private_key: nil, query: nil
-          signer = File::Signer.new bucket, path, service
-          signer.signed_url method: method, expires: expires, headers: headers,
-                            content_type: content_type,
-                            content_md5: content_md5,
-                            issuer: issuer, client_email: client_email,
-                            signing_key: signing_key, private_key: private_key,
-                            query: query
+                       private_key: nil, query: nil, version: nil
+          version ||= :v2
+          case version.to_sym
+          when :v2
+            signer = File::SignerV2.new bucket, path, service
+
+            signer.signed_url method: method, expires: expires,
+                              headers: headers, content_type: content_type,
+                              content_md5: content_md5, issuer: issuer,
+                              client_email: client_email,
+                              signing_key: signing_key,
+                              private_key: private_key, query: query
+          when :v4
+            signer = File::SignerV4.new bucket, path, service
+            signer.signed_url method: method, expires: expires,
+                              headers: headers, issuer: issuer,
+                              client_email: client_email,
+                              signing_key: signing_key,
+                              private_key: private_key, query: query
+          else
+            raise ArgumentError, "version '#{version}' not supported"
+          end
         end
 
         protected

data/lib/google/cloud/storage/version.rb

@@ -16,7 +16,7 @@
 module Google
   module Cloud
     module Storage
-      VERSION = "1.17.0".freeze
+      VERSION = "1.18.0".freeze
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-storage
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.0
 platform: ruby
 authors:
 - Mike Moore
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-07 00:00:00.000000000 Z
+date: 2019-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-cloud-core
@@ -73,6 +73,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.6.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -163,14 +177,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.61.0
+        version: 0.64.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.61.0
+        version: 0.64.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -243,7 +257,8 @@ files:
 - lib/google/cloud/storage/file.rb
 - lib/google/cloud/storage/file/acl.rb
 - lib/google/cloud/storage/file/list.rb
-- lib/google/cloud/storage/file/signer.rb
+- lib/google/cloud/storage/file/signer_v2.rb
+- lib/google/cloud/storage/file/signer_v4.rb
 - lib/google/cloud/storage/file/verifier.rb
 - lib/google/cloud/storage/notification.rb
 - lib/google/cloud/storage/policy.rb
@@ -270,8 +285,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: API Client library for Google Cloud Storage