google-cloud-storage 1.26.0 → 1.29.0

data/lib/google/cloud/storage/file/signer_v2.rb

@@ -77,13 +77,21 @@ module Google
           end
 
           def determine_signing_key options = {}
-            options[:signing_key] || options[:private_key] ||
-              @service.credentials.signing_key
+            signing_key = options[:signing_key] || options[:private_key] ||
+                          options[:signer] || @service.credentials.signing_key
+            raise SignedUrlUnavailable, error_msg("signing_key (private_key, signer)") unless signing_key
+            signing_key
           end
 
           def determine_issuer options = {}
-            options[:issuer] || options[:client_email] ||
-              @service.credentials.issuer
+            issuer = options[:issuer] || options[:client_email] || @service.credentials.issuer
+            raise SignedUrlUnavailable, error_msg("issuer (client_email)") unless issuer
+            issuer
+          end
+
+          def error_msg attr_name
+            "Service account credentials '#{attr_name}' is missing. To generate service account credentials " \
+            "see https://cloud.google.com/iam/docs/service-accounts"
           end
 
           def post_object options
@@ -99,8 +107,6 @@ module Google
             i = determine_issuer options
             s = determine_signing_key options
 
-            raise SignedUrlUnavailable unless i && s
-
             policy_str = p.to_json
             policy = Base64.strict_encode64(policy_str).delete "\n"
 
@@ -119,18 +125,21 @@ module Google
             i = determine_issuer options
             s = determine_signing_key options
 
-            raise SignedUrlUnavailable unless i && s
-
             sig = generate_signature s, signature_str(options)
             generate_signed_url i, sig, options[:expires], options[:query]
           end
 
           def generate_signature signing_key, secret
-            unless signing_key.respond_to? :sign
-              signing_key = OpenSSL::PKey::RSA.new signing_key
+            unencoded_signature = ""
+            if signing_key.is_a? Proc
+              unencoded_signature = signing_key.call secret
+            else
+              unless signing_key.respond_to? :sign
+                signing_key = OpenSSL::PKey::RSA.new signing_key
+              end
+              unencoded_signature = signing_key.sign OpenSSL::Digest::SHA256.new, secret
             end
-            signature = signing_key.sign OpenSSL::Digest::SHA256.new, secret
-            Base64.strict_encode64(signature).delete "\n"
+            Base64.strict_encode64(unencoded_signature).delete "\n"
           end
 
           def generate_signed_url issuer, signed_string, expires, query

data/lib/google/cloud/storage/file/signer_v4.rb

@@ -43,6 +43,7 @@ module Google
                           client_email: nil,
                           signing_key: nil,
                           private_key: nil,
+                          signer: nil,
                           expires: nil,
                           fields: nil,
                           conditions: nil,
@@ -50,8 +51,7 @@ module Google
                           virtual_hosted_style: nil,
                           bucket_bound_hostname: nil
             i = determine_issuer issuer, client_email
-            s = determine_signing_key signing_key, private_key
-            raise SignedUrlUnavailable unless i && s
+            s = determine_signing_key signing_key, private_key, signer
 
             now = Time.now.utc
             base_fields = required_fields i, now
@@ -63,7 +63,6 @@ module Google
             expires ||= 60*60*24
             p["expiration"] = (now + expires).strftime "%Y-%m-%dT%H:%M:%SZ"
 
-
             policy_str = escape_characters p.to_json
 
             policy = Base64.strict_encode64(policy_str).force_encoding "utf-8"
@@ -83,12 +82,13 @@ module Google
                          client_email: nil,
                          signing_key: nil,
                          private_key: nil,
+                         signer: nil,
                          query: nil,
                          scheme: "https",
                          virtual_hosted_style: nil,
                          bucket_bound_hostname: nil
             raise ArgumentError, "method is required" unless method
-            issuer, signer = issuer_and_signer issuer, client_email, signing_key, private_key
+            issuer, signer = issuer_and_signer issuer, client_email, signing_key, private_key, signer
             datetime_now = Time.now.utc
             goog_date = datetime_now.strftime "%Y%m%dT%H%M%SZ"
             datestamp = datetime_now.strftime "%Y%m%d"
@@ -174,6 +174,8 @@ module Google
           def policy_conditions base_fields, user_conditions, user_fields
             # Convert each pair in base_fields hash to a single-entry hash in an array.
             conditions = base_fields.to_a.map { |f| Hash[*f] }
+            # Add the bucket to the head of the base_fields. This is not returned in the PostObject fields.
+            conditions.unshift "bucket" => @bucket_name
             # Add user-provided conditions to the head of the conditions array.
             conditions.unshift user_conditions if user_conditions && !user_conditions.empty?
             if user_fields
@@ -191,28 +193,40 @@ module Google
           def determine_issuer issuer, client_email
             # Parse the Service Account and get client id and private key
             issuer = issuer || client_email || @service.credentials.issuer
-            raise SignedUrlUnavailable, "issuer (client_email) missing" unless issuer
+            raise SignedUrlUnavailable, error_msg("issuer (client_email)") unless issuer
             issuer
           end
 
-          def determine_signing_key signing_key, private_key
-            signing_key = signing_key || private_key || @service.credentials.signing_key
-            raise SignedUrlUnavailable, "signing_key (private_key) missing" unless signing_key
+          def determine_signing_key signing_key, private_key, signer
+            signing_key = signing_key || private_key || signer || @service.credentials.signing_key
+            raise SignedUrlUnavailable, error_msg("signing_key (private_key, signer)") unless signing_key
             signing_key
           end
 
+          def error_msg attr_name
+            "Service account credentials '#{attr_name}' is missing. To generate service account credentials " \
+            "see https://cloud.google.com/iam/docs/service-accounts"
+          end
+
           def service_account_signer signer
-            signer = OpenSSL::PKey::RSA.new signer unless signer.respond_to? :sign
-            # Sign string to sign
-            lambda do |string_to_sign|
-              sig = signer.sign OpenSSL::Digest::SHA256.new, string_to_sign
-              sig.unpack("H*").first
+            if signer.is_a? Proc
+              lambda do |string_to_sign|
+                sig = signer.call string_to_sign
+                sig.unpack("H*").first
+              end
+            else
+              signer = OpenSSL::PKey::RSA.new signer unless signer.respond_to? :sign
+              # Sign string to sign
+              lambda do |string_to_sign|
+                sig = signer.sign OpenSSL::Digest::SHA256.new, string_to_sign
+                sig.unpack("H*").first
+              end
             end
           end
 
-          def issuer_and_signer issuer, client_email, signing_key, private_key
+          def issuer_and_signer issuer, client_email, signing_key, private_key, signer
             issuer = determine_issuer issuer, client_email
-            signing_key = determine_signing_key signing_key, private_key
+            signing_key = determine_signing_key signing_key, private_key, signer
             signer = service_account_signer signing_key
             [issuer, signer]
           end
@@ -259,7 +273,7 @@ module Google
           # Only the characters in the regex set [A-Za-z0-9.~_-] must be left un-escaped; all others must be
           # percent-encoded using %XX UTF-8 style.
           def escape_query_param str
-            CGI.escape(str.to_s).gsub("%7E", "~")
+            CGI.escape(str.to_s).gsub("%7E", "~").gsub("+", "%20")
           end
 
           def host_name virtual_hosted_style, bucket_bound_hostname
@@ -336,11 +350,16 @@ module Google
           end
 
           def generate_signature signing_key, data
-            unless signing_key.respond_to? :sign
-              signing_key = OpenSSL::PKey::RSA.new signing_key
+            packed_signature = nil
+            if signing_key.is_a? Proc
+              packed_signature = signing_key.call data
+            else
+              unless signing_key.respond_to? :sign
+                signing_key = OpenSSL::PKey::RSA.new signing_key
+              end
+              packed_signature = signing_key.sign OpenSSL::Digest::SHA256.new, data
             end
-            signature = signing_key.sign OpenSSL::Digest::SHA256.new, data
-            signature.unpack("H*").first.force_encoding "utf-8"
+            packed_signature.unpack("H*").first.force_encoding "utf-8"
           end
         end
       end

data/lib/google/cloud/storage/project.rb

@@ -483,7 +483,7 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/access-control/signed-urls
         #   Signed URLs guide
@@ -511,10 +511,22 @@ module Google
         #   use the signed URL.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
         # @param [Hash] query Query string parameters to include in the signed
         #   URL. The given parameters are not verified by the signature.
         #
@@ -540,7 +552,12 @@ module Google
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
         #
-        # @return [String]
+        # @return [String] The signed URL.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -575,6 +592,41 @@ module Google
         #                                   issuer: issuer_email,
         #                                   signing_key: key
         #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket_name = "my-todo-app"
+        #   file_path = "avatars/heidi/400x400.png"
+        #   url = storage.signed_url bucket_name, file_path,
+        #                            method: "GET", issuer: issuer,
+        #                            signer: signer
+        #
         # @example Using the `headers` option:
         #   require "google/cloud/storage"
         #
@@ -616,6 +668,7 @@ module Google
                        client_email: nil,
                        signing_key: nil,
                        private_key: nil,
+                       signer: nil,
                        query: nil,
                        scheme: "HTTPS",
                        virtual_hosted_style: nil,
@@ -624,31 +677,32 @@ module Google
           version ||= :v2
           case version.to_sym
           when :v2
-            signer = File::SignerV2.new bucket, path, service
-
-            signer.signed_url method: method,
-                              expires: expires,
-                              headers: headers,
-                              content_type: content_type,
-                              content_md5: content_md5,
-                              issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key,
-                              query: query
+            sign = File::SignerV2.new bucket, path, service
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            content_type: content_type,
+                            content_md5: content_md5,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query
           when :v4
-            signer = File::SignerV4.new bucket, path, service
-            signer.signed_url method: method,
-                              expires: expires,
-                              headers: headers,
-                              issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key,
-                              query: query,
-                              scheme: scheme,
-                              virtual_hosted_style: virtual_hosted_style,
-                              bucket_bound_hostname: bucket_bound_hostname
+            sign = File::SignerV4.new bucket, path, service
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query,
+                            scheme: scheme,
+                            virtual_hosted_style: virtual_hosted_style,
+                            bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end

data/lib/google/cloud/storage/service.rb

@@ -39,7 +39,7 @@ module Google
         ##
         # Creates a new Service instance.
         def initialize project, credentials,
-                       retries: nil, timeout: nil, host: nil
+                       retries: nil, timeout: nil, host: nil, quota_project: nil
           @project = project
           @credentials = credentials
           @service = API::StorageService.new
@@ -55,6 +55,7 @@ module Google
           @service.request_options.header["x-goog-api-client"] = \
             "gl-ruby/#{RUBY_VERSION} gccl/#{Google::Cloud::Storage::VERSION}"
           @service.request_options.header["Accept-Encoding"] = "gzip"
+          @service.request_options.quota_project = quota_project if quota_project
           @service.authorization = @credentials.client if @credentials
           @service.root_url = host if host
         end
@@ -292,12 +293,12 @@ module Google
         def insert_file bucket_name, source, path = nil, acl: nil,
                         cache_control: nil, content_disposition: nil,
                         content_encoding: nil, content_language: nil,
-                        content_type: nil, crc32c: nil, md5: nil, metadata: nil,
+                        content_type: nil, custom_time: nil, crc32c: nil, md5: nil, metadata: nil,
                         storage_class: nil, key: nil, kms_key: nil,
                         temporary_hold: nil, event_based_hold: nil,
                         user_project: nil
           params =
-            { cache_control: cache_control, content_type: content_type,
+            { cache_control: cache_control, content_type: content_type, custom_time: custom_time,
               content_disposition: content_disposition, md5_hash: md5,
               content_encoding: content_encoding, crc32c: crc32c,
               content_language: content_language, metadata: metadata,

data/lib/google/cloud/storage/version.rb

@@ -16,7 +16,7 @@
 module Google
   module Cloud
     module Storage
-      VERSION = "1.26.0".freeze
+      VERSION = "1.29.0".freeze
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-storage
 version: !ruby/object:Gem::Version
-  version: 1.26.0
+  version: 1.29.0
 platform: ruby
 authors:
 - Mike Moore
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-06 00:00:00.000000000 Z
+date: 2020-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-cloud-core
@@ -298,7 +298,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: API Client library for Google Cloud Storage