google-cloud-storage 1.25.1 → 1.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab43474a1a6a25a439d96a67b8664caff72861d3d121c927d5c11623ae570cab
-  data.tar.gz: f2e6378f9708fc079f2ce3539947e5587eb57263b2d96c8877c93d1b07b30abd
+  metadata.gz: 6a69b7d03384d604c8b96548b952b6894af09ee7cef01845fe92b998ea77bcc8
+  data.tar.gz: 9fd54043ddab11b2284c73b17e780877b795a59593943deef43b9d14fbb4da1e
 SHA512:
-  metadata.gz: d40dfe073d42be6d3098a5c5e8779c4c52a7407b77f159e435e8c76ffe1cc59fc037591bcbc1b00ebaea9763d6085c7a9e639549eaacd89ea1444c1cd81a75e3
-  data.tar.gz: 16c8f515149d0794c40a474fb43d6c1859ff427b1ab5c75c6f4610959c49e3ed1a2c8d3a0060be58ded02f34867437fcaf81c1e2a8e00a8320af2fff470e5b34
+  metadata.gz: 36d6b3d59ab2655020f97e7d15a33a35b48a541632e03a6a8aa01f20289c821b9582cf21fdea2799cad8111c8208bd866154246a8ec69fb33102fd78853bc49f
+  data.tar.gz: 8d59996b1108a4c44e074e9762e48ad4a1f93c8dfd07efa11b77472a3b2285be52ce1486afa76b5301de683cf918c23d41d1d0dd877cd4bbaf0ab3d1cc91e405

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Release History
 
+### 1.26.0 / 2020-04-06
+
+#### Features
+
+* Update V4 Signature support in Project#signed_url, Bucket#signed_url and File#signed_url
+  * Add scheme, virtual_hosted_style and bucket_bound_hostname to #signed_url methods
+  * Add support for V4 query param encoding and ordering
+  * Convert tabs in V4 to single whitespace character
+  * Set payload in V4 to X-Goog-Content-SHA256 if present
+  * Fix method param default value GET for #signed_url
+* Add support for V4 Signature POST Policies
+  * Add Bucket#generate_signed_post_policy_v4
+
+#### Bug Fixes
+
+* Address keyword argument warnings in Ruby 2.7 and later
+
 ### 1.25.1 / 2020-01-06
 
 #### Documentation

data/lib/google/cloud/storage/bucket.rb

@@ -1254,22 +1254,27 @@ module Google
                         storage_class: nil, encryption_key: nil, kms_key: nil,
                         temporary_hold: nil, event_based_hold: nil
           ensure_service!
-          options = { acl: File::Acl.predefined_rule_for(acl), md5: md5,
-                      cache_control: cache_control, content_type: content_type,
-                      content_disposition: content_disposition, crc32c: crc32c,
-                      content_encoding: content_encoding, metadata: metadata,
-                      content_language: content_language, key: encryption_key,
-                      kms_key: kms_key,
-                      storage_class: storage_class_for(storage_class),
-                      temporary_hold: temporary_hold,
-                      event_based_hold: event_based_hold,
-                      user_project: user_project }
           ensure_io_or_file_exists! file
           path ||= file.path if file.respond_to? :path
           path ||= file if file.is_a? String
           raise ArgumentError, "must provide path" if path.nil?
 
-          gapi = service.insert_file name, file, path, options
+
+          gapi = service.insert_file name, file, path, acl: File::Acl.predefined_rule_for(acl),
+                                                       md5: md5,
+                                                       cache_control: cache_control,
+                                                       content_type: content_type,
+                                                       content_disposition: content_disposition,
+                                                       crc32c: crc32c,
+                                                       content_encoding: content_encoding,
+                                                       metadata: metadata,
+                                                       content_language: content_language,
+                                                       key: encryption_key,
+                                                       kms_key: kms_key,
+                                                       storage_class: storage_class_for(storage_class),
+                                                       temporary_hold: temporary_hold,
+                                                       event_based_hold: event_based_hold,
+                                                       user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
         end
         alias upload_file create_file
@@ -1368,9 +1373,6 @@ module Google
             raise ArgumentError, "must provide at least two source files"
           end
 
-          options = { acl: File::Acl.predefined_rule_for(acl),
-                      key: encryption_key,
-                      user_project: user_project }
           destination_gapi = nil
           if block_given?
             destination_gapi = API::Object.new
@@ -1378,8 +1380,11 @@ module Google
             yield updater
             updater.check_for_changed_metadata!
           end
-          gapi = service.compose_file name, sources, destination,
-                                      destination_gapi, options
+
+          acl_rule = File::Acl.predefined_rule_for acl
+          gapi = service.compose_file name, sources, destination, destination_gapi, acl: acl_rule,
+                                                                                    key: encryption_key,
+                                                                                    user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
         end
         alias compose_file compose
@@ -1440,6 +1445,19 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {File#content_disposition=} and {File#content_type=}.)
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   For V4 signing, this also sets the `host` header in the canonicalized
+        #   extension headers to the virtual hosted-style host, unless that header is
+        #   supplied via the `headers` param. The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
         # @param [Symbol, String] version The version of the signed credential
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
@@ -1510,28 +1528,49 @@ module Google
         #   bucket = storage.bucket "my-todo-app"
         #   list_files_url = bucket.signed_url version: :v4
         #
-        def signed_url path = nil, method: nil, expires: nil, content_type: nil,
-                       content_md5: nil, headers: nil, issuer: nil,
-                       client_email: nil, signing_key: nil, private_key: nil,
-                       query: nil, version: nil
+        def signed_url path = nil,
+                       method: "GET",
+                       expires: nil,
+                       content_type: nil,
+                       content_md5: nil,
+                       headers: nil,
+                       issuer: nil,
+                       client_email: nil,
+                       signing_key: nil,
+                       private_key: nil,
+                       query: nil,
+                       scheme: "HTTPS",
+                       virtual_hosted_style: nil,
+                       bucket_bound_hostname: nil,
+                       version: nil
           ensure_service!
           version ||= :v2
           case version.to_sym
           when :v2
             signer = File::SignerV2.from_bucket self, path
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, content_type: content_type,
-                              content_md5: content_md5, issuer: issuer,
+            signer.signed_url method: method,
+                              expires: expires,
+                              headers: headers,
+                              content_type: content_type,
+                              content_md5: content_md5,
+                              issuer: issuer,
                               client_email: client_email,
                               signing_key: signing_key,
-                              private_key: private_key, query: query
+                              private_key: private_key,
+                              query: query
           when :v4
             signer = File::SignerV4.from_bucket self, path
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, issuer: issuer,
+            signer.signed_url method: method,
+                              expires: expires,
+                              headers: headers,
+                              issuer: issuer,
                               client_email: client_email,
                               signing_key: signing_key,
-                              private_key: private_key, query: query
+                              private_key: private_key,
+                              query: query,
+                              scheme: scheme,
+                              virtual_hosted_style: virtual_hosted_style,
+                              bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end
@@ -1558,12 +1597,13 @@ module Google
         #
         # @param [String] path Path to the file in Google Cloud Storage.
         # @param [Hash] policy The security policy that describes what
-        #   can and cannot be uploaded in the form. When provided,
-        #   the PostObject fields will include a Signature based on the JSON
-        #   representation of this Hash and the same policy in Base64 format.
+        #   can and cannot be uploaded in the form. When provided, the PostObject
+        #   fields will include a signature based on the JSON representation of
+        #   this hash and the same policy in Base64 format.
+        #
         #   If you do not provide a security policy, requests are considered
         #   to be anonymous and will only work with buckets that have granted
-        #   WRITE or FULL_CONTROL permission to anonymous users.
+        #   `WRITE` or `FULL_CONTROL` permission to anonymous users.
         #   See [Policy Document](https://cloud.google.com/storage/docs/xml-api/post-object#policydocument)
         #   for more information.
         # @param [String] issuer Service Account's Client Email.
@@ -1633,17 +1673,110 @@ module Google
         #   post.fields[:signature] #=> "ABC...XYZ="
         #   post.fields[:policy] #=> "ABC...XYZ="
         #
-        def post_object path, policy: nil, issuer: nil,
-                        client_email: nil, signing_key: nil,
+        def post_object path,
+                        policy: nil,
+                        issuer: nil,
+                        client_email: nil,
+                        signing_key: nil,
                         private_key: nil
           ensure_service!
-
           signer = File::SignerV2.from_bucket self, path
-          signer.post_object issuer: issuer, client_email: client_email,
-                             signing_key: signing_key, private_key: private_key,
+          signer.post_object issuer: issuer,
+                             client_email: client_email,
+                             signing_key: signing_key,
+                             private_key: private_key,
                              policy: policy
         end
 
+        ##
+        # Generate a PostObject that includes the fields and url to
+        # upload objects via html forms.
+        #
+        # Generating a PostObject requires service account credentials,
+        # either by connecting with a service account when calling
+        # {Google::Cloud.storage}, or by passing in the service account
+        # `issuer` and `signing_key` values. Although the private key can
+        # be passed as a string for convenience, creating and storing
+        # an instance of `OpenSSL::PKey::RSA` is more efficient
+        # when making multiple calls to `generate_signed_post_policy_v4`.
+        #
+        # A {SignedUrlUnavailable} is raised if the service account credentials
+        # are missing. Service account credentials are acquired by following the
+        # steps in [Service Account Authentication](
+        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        #
+        # @see https://cloud.google.com/storage/docs/xml-api/post-object
+        #
+        # @param [String] path Path to the file in Google Cloud Storage.
+        # @param [String] issuer Service Account's Client Email.
+        # @param [String] client_email Service Account's Client Email.
+        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
+        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
+        #   Private Key.
+        # @param [Integer] expires The number of seconds until the URL expires.
+        #   The default is 604800 (7 days).
+        # @param [Hash] fields User-supplied form fields such as `acl`,
+        #   `cache-control`, `success_action_status`, and `success_action_redirect`.
+        # @param [Array<Hash|Array>] conditions User-supplied policy conditions.
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
+        #
+        # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #
+        #   conditions = [["starts-with", "$acl","public"]]
+        #   post = bucket.generate_signed_post_policy_v4 "avatars/heidi/400x400.png", expires: 10,
+        #                                                                             conditions: conditions
+        #
+        #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+        #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields["policy"] #=> "ABC...XYZ"
+        #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+        #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+        #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+        #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+        #
+        def generate_signed_post_policy_v4 path,
+                                           issuer: nil,
+                                           client_email: nil,
+                                           signing_key: nil,
+                                           private_key: nil,
+                                           expires: nil,
+                                           fields: nil,
+                                           conditions: nil,
+                                           scheme: "https",
+                                           virtual_hosted_style: nil,
+                                           bucket_bound_hostname: nil
+          ensure_service!
+          signer = File::SignerV4.from_bucket self, path
+          signer.post_object issuer: issuer,
+                             client_email: client_email,
+                             signing_key: signing_key,
+                             private_key: private_key,
+                             expires: expires,
+                             fields: fields,
+                             conditions: conditions,
+                             scheme: scheme,
+                             virtual_hosted_style: virtual_hosted_style,
+                             bucket_bound_hostname: bucket_bound_hostname
+        end
+
         ##
         # The {Bucket::Acl} instance used to control access to the bucket.
         #
@@ -2125,11 +2258,12 @@ module Google
         def create_notification topic, custom_attrs: nil, event_types: nil,
                                 prefix: nil, payload: nil
           ensure_service!
-          options = { custom_attrs: custom_attrs, event_types: event_types,
-                      prefix: prefix, payload: payload,
-                      user_project: user_project }
 
-          gapi = service.insert_notification name, topic, options
+          gapi = service.insert_notification name, topic, custom_attrs: custom_attrs,
+                                                          event_types: event_types,
+                                                          prefix: prefix,
+                                                          payload: payload,
+                                                          user_project: user_project
           Notification.from_gapi name, gapi, service, user_project: user_project
         end
         alias new_notification create_notification
@@ -2215,7 +2349,7 @@ module Google
           patch_args = Hash[attributes.map do |attr|
             [attr, @gapi.send(attr)]
           end]
-          patch_gapi = API::Bucket.new patch_args
+          patch_gapi = API::Bucket.new(**patch_args)
           @gapi = service.patch_bucket name, patch_gapi,
                                        user_project: user_project
           @lazy = nil

data/lib/google/cloud/storage/file.rb

@@ -1479,6 +1479,19 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {#content_disposition=} and {#content_type=}.)
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   For V4 signing, this also sets the `host` header in the canonicalized
+        #   extension headers to the virtual hosted-style host, unless that header is
+        #   supplied via the `headers` param. The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
         # @param [Symbol, String] version The version of the signed credential
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
@@ -1503,7 +1516,7 @@ module Google
         #   file = bucket.file "avatars/heidi/400x400.png"
         #   shared_url = file.signed_url expires: 300, # 5 minutes from now
         #                                version: :v4
-
+        #
         # @example Using the `issuer` and `signing_key` options:
         #   require "google/cloud/storage"
         #
@@ -1543,28 +1556,48 @@ module Google
         #   # Send the `x-goog-resumable:start` header and the content type
         #   # with the resumable upload POST request.
         #
-        def signed_url method: nil, expires: nil, content_type: nil,
-                       content_md5: nil, headers: nil, issuer: nil,
-                       client_email: nil, signing_key: nil, private_key: nil,
-                       query: nil, version: nil
+        def signed_url method: "GET",
+                       expires: nil,
+                       content_type: nil,
+                       content_md5: nil,
+                       headers: nil,
+                       issuer: nil,
+                       client_email: nil,
+                       signing_key: nil,
+                       private_key: nil,
+                       query: nil,
+                       scheme: "HTTPS",
+                       virtual_hosted_style: nil,
+                       bucket_bound_hostname: nil,
+                       version: nil
           ensure_service!
           version ||= :v2
           case version.to_sym
           when :v2
             signer = File::SignerV2.from_file self
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, content_type: content_type,
-                              content_md5: content_md5, issuer: issuer,
+            signer.signed_url method: method,
+                              expires: expires,
+                              headers: headers,
+                              content_type: content_type,
+                              content_md5: content_md5,
+                              issuer: issuer,
                               client_email: client_email,
                               signing_key: signing_key,
-                              private_key: private_key, query: query
+                              private_key: private_key,
+                              query: query
           when :v4
             signer = File::SignerV4.from_file self
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, issuer: issuer,
+            signer.signed_url method: method,
+                              expires: expires,
+                              headers: headers,
+                              issuer: issuer,
                               client_email: client_email,
                               signing_key: signing_key,
-                              private_key: private_key, query: query
+                              private_key: private_key,
+                              query: query,
+                              scheme: scheme,
+                              virtual_hosted_style: virtual_hosted_style,
+                              bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end
@@ -1733,7 +1766,7 @@ module Google
           # Sending nil metadata results in an Apiary runtime error:
           # NoMethodError: undefined method `each' for nil:NilClass
           attr_params.reject! { |k, v| k == :metadata && v.nil? }
-          Google::Apis::StorageV1::Object.new attr_params
+          Google::Apis::StorageV1::Object.new(**attr_params)
         end
 
         protected
@@ -1784,12 +1817,12 @@ module Google
                       user_project: user_project }.delete_if { |_k, v| v.nil? }
 
           resp = service.rewrite_file \
-            bucket, name, new_bucket, new_name, updated_gapi, options
+            bucket, name, new_bucket, new_name, updated_gapi, **options
           until resp.done
             sleep 1
             retry_options = options.merge token: resp.rewrite_token
             resp = service.rewrite_file \
-              bucket, name, new_bucket, new_name, updated_gapi, retry_options
+              bucket, name, new_bucket, new_name, updated_gapi, **retry_options
           end
           resp.resource
         end

data/lib/google/cloud/storage/file/list.rb

@@ -77,11 +77,13 @@ module Google
           def next
             return nil unless next?
             ensure_service!
-            options = {
-              prefix: @prefix, delimiter: @delimiter, token: @token, max: @max,
-              versions: @versions, user_project: @user_project
-            }
-            gapi = @service.list_files @bucket, options
+
+            gapi = @service.list_files @bucket, prefix: @prefix,
+                                                delimiter: @delimiter,
+                                                token: @token,
+                                                max: @max,
+                                                versions: @versions,
+                                                user_project: @user_project
             File::List.from_gapi gapi, @service, @bucket, @prefix,
                                  @delimiter, @max, @versions,
                                  user_project: @user_project

data/lib/google/cloud/storage/file/signer_v4.rb

@@ -39,37 +39,83 @@ module Google
             new bucket.name, file_name, bucket.service
           end
 
-          def signed_url method: "GET", expires: nil, headers: nil,
-                         issuer: nil, client_email: nil, signing_key: nil,
-                         private_key: nil, query: nil
-            issuer, signer = issuer_and_signer issuer, client_email,
-                                               signing_key, private_key
+          def post_object issuer: nil,
+                          client_email: nil,
+                          signing_key: nil,
+                          private_key: nil,
+                          expires: nil,
+                          fields: nil,
+                          conditions: nil,
+                          scheme: "https",
+                          virtual_hosted_style: nil,
+                          bucket_bound_hostname: nil
+            i = determine_issuer issuer, client_email
+            s = determine_signing_key signing_key, private_key
+            raise SignedUrlUnavailable unless i && s
+
+            now = Time.now.utc
+            base_fields = required_fields i, now
+            post_fields = fields.dup || {}
+            post_fields.merge! base_fields
+
+            p = {}
+            p["conditions"] = policy_conditions base_fields, conditions, fields
+            expires ||= 60*60*24
+            p["expiration"] = (now + expires).strftime "%Y-%m-%dT%H:%M:%SZ"
+
+
+            policy_str = escape_characters p.to_json
+
+            policy = Base64.strict_encode64(policy_str).force_encoding "utf-8"
+            signature = generate_signature s, policy
+
+            post_fields["x-goog-signature"] = signature
+            post_fields["policy"] = policy
+            url = post_object_ext_url scheme, virtual_hosted_style, bucket_bound_hostname
+            hostname = "#{url}#{bucket_path path_style?(virtual_hosted_style, bucket_bound_hostname)}"
+            Google::Cloud::Storage::PostObject.new hostname, post_fields
+          end
+
+          def signed_url method: "GET",
+                         expires: nil,
+                         headers: nil,
+                         issuer: nil,
+                         client_email: nil,
+                         signing_key: nil,
+                         private_key: nil,
+                         query: nil,
+                         scheme: "https",
+                         virtual_hosted_style: nil,
+                         bucket_bound_hostname: nil
+            raise ArgumentError, "method is required" unless method
+            issuer, signer = issuer_and_signer issuer, client_email, signing_key, private_key
             datetime_now = Time.now.utc
             goog_date = datetime_now.strftime "%Y%m%dT%H%M%SZ"
             datestamp = datetime_now.strftime "%Y%m%d"
             # goog4_request is not checked.
             scope = "#{datestamp}/auto/storage/goog4_request"
 
-            canonical_headers_str, signed_headers_str = \
-              canonical_and_signed_headers headers
+            canonical_headers_str, signed_headers_str = canonical_and_signed_headers \
+              headers, virtual_hosted_style, bucket_bound_hostname
 
             algorithm = "GOOG4-RSA-SHA256"
             expires = determine_expires expires
-            credential = CGI.escape issuer + "/" + scope
-            canonical_query_str = canonical_query query, algorithm,
-                                                  credential, goog_date,
-                                                  expires, signed_headers_str
+            credential = issuer + "/" + scope
+            canonical_query_str = canonical_query query, algorithm, credential, goog_date, expires, signed_headers_str
 
             # From AWS: You don't include a payload hash in the Canonical
             # Request, because when you create a presigned URL, you don't know
             # the payload content because the URL is used to upload an arbitrary
             # payload. Instead, you use a constant string UNSIGNED-PAYLOAD.
+            payload = headers&.key?("X-Goog-Content-SHA256") ? headers["X-Goog-Content-SHA256"] : "UNSIGNED-PAYLOAD"
+
             canonical_request = [method,
-                                 ext_path,
+                                 file_path(!(virtual_hosted_style || bucket_bound_hostname)),
                                  canonical_query_str,
                                  canonical_headers_str,
                                  signed_headers_str,
-                                 "UNSIGNED-PAYLOAD"].join("\n")
+                                 payload].join("\n")
+
             # Construct string to sign
             req_sha = Digest::SHA256.hexdigest canonical_request
             string_to_sign = [algorithm, goog_date, scope, req_sha].join "\n"
@@ -78,33 +124,85 @@ module Google
             signature = signer.call string_to_sign
 
             # Construct signed URL
-            "#{ext_url}?#{canonical_query_str}&X-Goog-Signature=#{signature}"
+            hostname = signed_url_hostname scheme, virtual_hosted_style, bucket_bound_hostname
+            "#{hostname}?#{canonical_query_str}&X-Goog-Signature=#{signature}"
+          end
+
+          # methods below are public visibility only for unit testing
+          def escape_characters str
+            str.split("").map do |s|
+              if !s.ascii_only?
+                escape_special_unicode s
+              else
+                case s
+                when "\\"
+                  '\\'
+                when "\b"
+                  '\b'
+                when "\f"
+                  '\f'
+                when "\n"
+                  '\n'
+                when "\r"
+                  '\r'
+                when "\t"
+                  '\t'
+                when "\v"
+                  '\v'
+                else
+                  s
+                end
+              end
+            end.join
+          end
+
+          def escape_special_unicode str
+            str.unpack("U*").map { |i| '\u' + i.to_s(16).rjust(4, "0") }.join
           end
 
           protected
 
+          def required_fields issuer, time
+            {
+              "key" => @file_name,
+              "x-goog-date" => time.strftime("%Y%m%dT%H%M%SZ"),
+              "x-goog-credential" => "#{issuer}/#{time.strftime '%Y%m%d'}/auto/storage/goog4_request",
+              "x-goog-algorithm" => "GOOG4-RSA-SHA256"
+            }.freeze
+          end
+
+          def policy_conditions base_fields, user_conditions, user_fields
+            # Convert each pair in base_fields hash to a single-entry hash in an array.
+            conditions = base_fields.to_a.map { |f| Hash[*f] }
+            # Add user-provided conditions to the head of the conditions array.
+            conditions.unshift user_conditions if user_conditions && !user_conditions.empty?
+            if user_fields
+              # Convert each pair in fields hash to a single-entry hash and add it to the head of the conditions array.
+              user_fields.to_a.reverse.each { |f| conditions.unshift Hash[*f] }
+            end
+            conditions.freeze
+          end
+
+          def signed_url_hostname scheme, virtual_hosted_style, bucket_bound_hostname
+            url = ext_url scheme, virtual_hosted_style, bucket_bound_hostname
+            "#{url}#{file_path path_style?(virtual_hosted_style, bucket_bound_hostname)}"
+          end
+
           def determine_issuer issuer, client_email
             # Parse the Service Account and get client id and private key
             issuer = issuer || client_email || @service.credentials.issuer
-            unless issuer
-              raise SignedUrlUnavailable, "issuer (client_email) missing"
-            end
+            raise SignedUrlUnavailable, "issuer (client_email) missing" unless issuer
             issuer
           end
 
           def determine_signing_key signing_key, private_key
-            signing_key = signing_key || private_key ||
-                          @service.credentials.signing_key
-            unless signing_key
-              raise SignedUrlUnavailable, "signing_key (private_key) missing"
-            end
+            signing_key = signing_key || private_key || @service.credentials.signing_key
+            raise SignedUrlUnavailable, "signing_key (private_key) missing" unless signing_key
             signing_key
           end
 
           def service_account_signer signer
-            unless signer.respond_to? :sign
-              signer = OpenSSL::PKey::RSA.new signer
-            end
+            signer = OpenSSL::PKey::RSA.new signer unless signer.respond_to? :sign
             # Sign string to sign
             lambda do |string_to_sign|
               sig = signer.sign OpenSSL::Digest::SHA256.new, string_to_sign
@@ -119,25 +217,22 @@ module Google
             [issuer, signer]
           end
 
-          def canonical_and_signed_headers headers
-            # Headers needs to be in alpha order.
+          def canonical_and_signed_headers headers, virtual_hosted_style, bucket_bound_hostname
+            if virtual_hosted_style && bucket_bound_hostname
+              raise "virtual_hosted_style: #{virtual_hosted_style} and bucket_bound_hostname: " \
+                    "#{bucket_bound_hostname} params cannot both be passed together"
+            end
+
             canonical_headers = headers || {}
             headers_arr = canonical_headers.map do |k, v|
-              [k.downcase, v.strip.gsub(/[^\S\t]+/, " ").gsub(/\t+/, "\t")]
+              [k.downcase, v.strip.gsub(/[^\S\t]+/, " ").gsub(/\t+/, " ")]
             end
             canonical_headers = Hash[headers_arr]
-            canonical_headers["host"] = "storage.googleapis.com"
-
-            canonical_headers = canonical_headers.sort_by do |k, _|
-              k.downcase
-            end.to_h
-            canonical_headers_str = ""
-            canonical_headers.each do |k, v|
-              canonical_headers_str += "#{k}:#{v}\n"
-            end
-            signed_headers_str = ""
-            canonical_headers.each_key { |k| signed_headers_str += "#{k};" }
-            signed_headers_str = signed_headers_str.chomp ";"
+            canonical_headers["host"] = host_name virtual_hosted_style, bucket_bound_hostname
+
+            canonical_headers = canonical_headers.sort_by(&:first).to_h
+            canonical_headers_str = canonical_headers.map { |k, v| "#{k}:#{v}\n" }.join
+            signed_headers_str = canonical_headers.keys.join ";"
             [canonical_headers_str, signed_headers_str]
           end
 
@@ -149,32 +244,103 @@ module Google
             expires
           end
 
-          def canonical_query query, algorithm, credential, goog_date, expires,
-                              signed_headers_str
+          def canonical_query query, algorithm, credential, goog_date, expires, signed_headers_str
             query ||= {}
             query["X-Goog-Algorithm"] = algorithm
             query["X-Goog-Credential"] = credential
             query["X-Goog-Date"] = goog_date
             query["X-Goog-Expires"] = expires
-            query["X-Goog-SignedHeaders"] = CGI.escape signed_headers_str
-            query = query.sort_by { |k, _| k.to_s.downcase }.to_h
-            canonical_query_str = ""
-            query.each { |k, v| canonical_query_str += "#{k}=#{v}&" }
-            canonical_query_str.chomp "&"
+            query["X-Goog-SignedHeaders"] = signed_headers_str
+            query = query.map { |k, v| [escape_query_param(k), escape_query_param(v)] }.sort_by(&:first).to_h
+            query.map { |k, v| "#{k}=#{v}" }.join "&"
+          end
+
+          ##
+          # Only the characters in the regex set [A-Za-z0-9.~_-] must be left un-escaped; all others must be
+          # percent-encoded using %XX UTF-8 style.
+          def escape_query_param str
+            CGI.escape(str.to_s).gsub("%7E", "~")
+          end
+
+          def host_name virtual_hosted_style, bucket_bound_hostname
+            return bucket_bound_hostname if bucket_bound_hostname
+            virtual_hosted_style ? "#{@bucket_name}.storage.googleapis.com" : "storage.googleapis.com"
           end
 
           ##
           # The URI-encoded (percent encoded) external path to the file.
-          def ext_path
-            path = "/#{@bucket_name}"
-            path += "/#{String(@file_name)}" if @file_name && !@file_name.empty?
-            Addressable::URI.escape path
+          def file_path path_style
+            path = []
+            path << "/#{@bucket_name}" if path_style
+            path << "/#{String(@file_name)}" if @file_name && !@file_name.empty?
+            CGI.escape(path.join).gsub "%2F", "/"
+          end
+
+          ##
+          # The external path to the bucket, with trailing slash.
+          def bucket_path path_style
+            return "/#{@bucket_name}/" if path_style
           end
 
           ##
           # The external url to the file.
-          def ext_url
-            "#{GOOGLEAPIS_URL}#{ext_path}"
+          def ext_url scheme, virtual_hosted_style, bucket_bound_hostname
+            url = GOOGLEAPIS_URL.dup
+            if virtual_hosted_style
+              parts = url.split "//"
+              parts[1] = "#{@bucket_name}.#{parts[1]}"
+              parts.join "//"
+            elsif bucket_bound_hostname
+              raise ArgumentError, "scheme is required" unless scheme
+              URI "#{scheme.to_s.downcase}://#{bucket_bound_hostname}"
+            else
+              url
+            end
+          end
+
+          def path_style? virtual_hosted_style, bucket_bound_hostname
+            !(virtual_hosted_style || bucket_bound_hostname)
+          end
+
+          ##
+          # The external path to the file, URI-encoded.
+          # Will not URI encode the special `${filename}` variable.
+          # "You can also use the ${filename} variable..."
+          # https://cloud.google.com/storage/docs/xml-api/post-object
+          #
+          def post_object_ext_path
+            path = "/#{@bucket_name}/#{@file_name}"
+            escaped = Addressable::URI.escape path
+            special_var = "${filename}"
+            # Restore the unencoded `${filename}` variable, if present.
+            if path.include? special_var
+              return escaped.gsub "$%7Bfilename%7D", special_var
+            end
+            escaped
+          end
+
+          ##
+          # The external url to the file.
+          def post_object_ext_url scheme, virtual_hosted_style, bucket_bound_hostname
+            url = GOOGLEAPIS_URL.dup
+            if virtual_hosted_style
+              parts = url.split "//"
+              parts[1] = "#{@bucket_name}.#{parts[1]}/"
+              parts.join "//"
+            elsif bucket_bound_hostname
+              raise ArgumentError, "scheme is required" unless scheme
+              URI "#{scheme.to_s.downcase}://#{bucket_bound_hostname}/"
+            else
+              url
+            end
+          end
+
+          def generate_signature signing_key, data
+            unless signing_key.respond_to? :sign
+              signing_key = OpenSSL::PKey::RSA.new signing_key
+            end
+            signature = signing_key.sign OpenSSL::Digest::SHA256.new, data
+            signature.unpack("H*").first.force_encoding "utf-8"
           end
         end
       end

data/lib/google/cloud/storage/policy/binding.rb

@@ -230,11 +230,12 @@ module Google
           ##
           # @private
           def to_gapi
-            Google::Apis::StorageV1::Policy::Binding.new({
+            params = {
               role: @role,
               members: @members,
               condition: @condition&.to_gapi
-            }.delete_if { |_, v| v.nil? })
+            }.delete_if { |_, v| v.nil? }
+            Google::Apis::StorageV1::Policy::Binding.new(**params)
           end
         end
       end

data/lib/google/cloud/storage/post_object.rb

@@ -27,7 +27,7 @@ module Google
       #   form. Each key/value pair should be set as an input tag's name and
       #   value.
       #
-      # @example
+      # @example Using Bucket#post_object (V2):
       #   require "google/cloud/storage"
       #
       #   storage = Google::Cloud::Storage.new
@@ -41,6 +41,23 @@ module Google
       #   post.fields[:signature] #=> "ABC...XYZ="
       #   post.fields[:policy] #=> "ABC...XYZ="
       #
+      # @example Using Bucket#generate_signed_post_policy_v4 (V4):
+      #   require "google/cloud/storage"
+      #
+      #   storage = Google::Cloud::Storage.new
+      #
+      #   bucket = storage.bucket "my-todo-app"
+      #   conditions = [["starts-with","$acl","public"]]
+      #   post = bucket.generate_signed_post_policy_v4 "avatars/heidi/400x400.png", expires: 10, conditions: conditions
+      #
+      #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+      #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+      #   post.fields["policy"] #=> "ABC...XYZ"
+      #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+      #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+      #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+      #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+      #
       class PostObject
         attr_reader :url, :fields
 

data/lib/google/cloud/storage/project.rb

@@ -357,10 +357,11 @@ module Google
                           logging_bucket: nil, logging_prefix: nil,
                           website_main: nil, website_404: nil, versioning: nil,
                           requester_pays: nil, user_project: nil
-          new_bucket = Google::Apis::StorageV1::Bucket.new({
+          params = {
             name: bucket_name,
             location: location
-          }.delete_if { |_, v| v.nil? })
+          }.delete_if { |_, v| v.nil? }
+          new_bucket = Google::Apis::StorageV1::Bucket.new(**params)
           storage_class = storage_class_for storage_class
           updater = Bucket::Updater.new(new_bucket).tap do |b|
             b.logging_bucket = logging_bucket unless logging_bucket.nil?
@@ -522,6 +523,19 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {File#content_disposition=} and {File#content_type=}.)
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   For V4 signing, this also sets the `host` header in the canonicalized
+        #   extension headers to the virtual hosted-style host, unless that header is
+        #   supplied via the `headers` param. The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
         # @param [Symbol, String] version The version of the signed credential
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
@@ -591,28 +605,50 @@ module Google
         #   # Send the `x-goog-resumable:start` header and the content type
         #   # with the resumable upload POST request.
         #
-        def signed_url bucket, path, method: nil, expires: nil,
-                       content_type: nil, content_md5: nil, headers: nil,
-                       issuer: nil, client_email: nil, signing_key: nil,
-                       private_key: nil, query: nil, version: nil
+        def signed_url bucket,
+                       path,
+                       method: "GET",
+                       expires: nil,
+                       content_type: nil,
+                       content_md5: nil,
+                       headers: nil,
+                       issuer: nil,
+                       client_email: nil,
+                       signing_key: nil,
+                       private_key: nil,
+                       query: nil,
+                       scheme: "HTTPS",
+                       virtual_hosted_style: nil,
+                       bucket_bound_hostname: nil,
+                       version: nil
           version ||= :v2
           case version.to_sym
           when :v2
             signer = File::SignerV2.new bucket, path, service
 
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, content_type: content_type,
-                              content_md5: content_md5, issuer: issuer,
+            signer.signed_url method: method,
+                              expires: expires,
+                              headers: headers,
+                              content_type: content_type,
+                              content_md5: content_md5,
+                              issuer: issuer,
                               client_email: client_email,
                               signing_key: signing_key,
-                              private_key: private_key, query: query
+                              private_key: private_key,
+                              query: query
           when :v4
             signer = File::SignerV4.new bucket, path, service
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, issuer: issuer,
+            signer.signed_url method: method,
+                              expires: expires,
+                              headers: headers,
+                              issuer: issuer,
                               client_email: client_email,
                               signing_key: signing_key,
-                              private_key: private_key, query: query
+                              private_key: private_key,
+                              query: query,
+                              scheme: scheme,
+                              virtual_hosted_style: virtual_hosted_style,
+                              bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end

data/lib/google/cloud/storage/service.rb

@@ -152,9 +152,8 @@ module Google
         ##
         # Creates a new bucket ACL.
         def insert_bucket_acl bucket_name, entity, role, user_project: nil
-          new_acl = Google::Apis::StorageV1::BucketAccessControl.new(
-            { entity: entity, role: role }.delete_if { |_k, v| v.nil? }
-          )
+          params = { entity: entity, role: role }.delete_if { |_k, v| v.nil? }
+          new_acl = Google::Apis::StorageV1::BucketAccessControl.new(**params)
           execute do
             service.insert_bucket_access_control \
               bucket_name, new_acl, user_project: user_project(user_project)
@@ -182,9 +181,8 @@ module Google
         ##
         # Creates a new default ACL.
         def insert_default_acl bucket_name, entity, role, user_project: nil
-          new_acl = Google::Apis::StorageV1::ObjectAccessControl.new(
-            { entity: entity, role: role }.delete_if { |_k, v| v.nil? }
-          )
+          param = { entity: entity, role: role }.delete_if { |_k, v| v.nil? }
+          new_acl = Google::Apis::StorageV1::ObjectAccessControl.new(**param)
           execute do
             service.insert_default_object_access_control \
               bucket_name, new_acl, user_project: user_project(user_project)
@@ -243,13 +241,13 @@ module Google
         def insert_notification bucket_name, topic_name, custom_attrs: nil,
                                 event_types: nil, prefix: nil, payload: nil,
                                 user_project: nil
-          new_notification = Google::Apis::StorageV1::Notification.new(
+          params =
             { custom_attributes: custom_attrs,
               event_types: event_types(event_types),
               object_name_prefix: prefix,
               payload_format: payload_format(payload),
               topic: topic_path(topic_name) }.delete_if { |_k, v| v.nil? }
-          )
+          new_notification = Google::Apis::StorageV1::Notification.new(**params)
 
           execute do
             service.insert_notification \
@@ -298,14 +296,14 @@ module Google
                         storage_class: nil, key: nil, kms_key: nil,
                         temporary_hold: nil, event_based_hold: nil,
                         user_project: nil
-          file_obj = Google::Apis::StorageV1::Object.new(
+          params =
             { cache_control: cache_control, content_type: content_type,
               content_disposition: content_disposition, md5_hash: md5,
               content_encoding: content_encoding, crc32c: crc32c,
               content_language: content_language, metadata: metadata,
               storage_class: storage_class, temporary_hold: temporary_hold,
               event_based_hold: event_based_hold }.delete_if { |_k, v| v.nil? }
-          )
+          file_obj = Google::Apis::StorageV1::Object.new(**params)
           content_type ||= mime_type_for(path || Pathname(source).to_path)
 
           execute do
@@ -432,9 +430,8 @@ module Google
         # Creates a new file ACL.
         def insert_file_acl bucket_name, file_name, entity, role,
                             generation: nil, user_project: nil
-          new_acl = Google::Apis::StorageV1::ObjectAccessControl.new(
-            { entity: entity, role: role }.delete_if { |_k, v| v.nil? }
-          )
+          params = { entity: entity, role: role }.delete_if { |_k, v| v.nil? }
+          new_acl = Google::Apis::StorageV1::ObjectAccessControl.new(**params)
           execute do
             service.insert_object_access_control \
               bucket_name, file_name, new_acl,

data/lib/google/cloud/storage/version.rb

@@ -16,7 +16,7 @@
 module Google
   module Cloud
     module Storage
-      VERSION = "1.25.1".freeze
+      VERSION = "1.26.0".freeze
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-storage
 version: !ruby/object:Gem::Version
-  version: 1.25.1
+  version: 1.26.0
 platform: ruby
 authors:
 - Mike Moore
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-06 00:00:00.000000000 Z
+date: 2020-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-cloud-core