google-cloud-storage 1.26.2 → 1.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +8 -2
- data/CHANGELOG.md +17 -0
- data/lib/google/cloud/storage/bucket.rb +233 -58
- data/lib/google/cloud/storage/errors.rb +7 -2
- data/lib/google/cloud/storage/file.rb +83 -29
- data/lib/google/cloud/storage/file/signer_v2.rb +21 -12
- data/lib/google/cloud/storage/file/signer_v4.rb +36 -18
- data/lib/google/cloud/storage/project.rb +84 -30
- data/lib/google/cloud/storage/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c1c5fde2ed35606723e05c787ff96fd6ec31d7e06015e09bcac8dc0bc4b9ae05
|
|
4
|
+
data.tar.gz: bf1391389ff711934df5302f65cdf6136bad14b0a00865728da8fe3b549b3cbe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1e7d9a97562357737322928a56f093ed42bc8f8015a06723c5e403c402367a89f56604eeefb2bbbf289a7dce5b84ee055f76f3d6ef6df6d987f7f05ed5eed5fe
|
|
7
|
+
data.tar.gz: 67046c8397a7e7fabf7b0a4d4e6501417ba815b55267e641a0ab51cdb233641e699348629a021763724aaca623e25a901395d77453b78fbc90ae67d4efca17b1
|
data/AUTHENTICATION.md
CHANGED
|
@@ -102,8 +102,14 @@ To configure your system for this, simply:
|
|
|
102
102
|
2. Authenticate using OAuth 2.0 `$ gcloud auth login`
|
|
103
103
|
3. Write code as if already authenticated.
|
|
104
104
|
|
|
105
|
-
**NOTE:**
|
|
106
|
-
*should* only be used during development.
|
|
105
|
+
**NOTE:** The use of Cloud SDK credentials is _not_ recommended for running in
|
|
106
|
+
production. The Cloud SDK *should* only be used during development.
|
|
107
|
+
|
|
108
|
+
**NOTE:** The use of Cloud SDK credentials may not support certain methods such as
|
|
109
|
+
those that produce
|
|
110
|
+
[signed URLs](https://cloud.google.com/storage/docs/access-control/signed-urls) and
|
|
111
|
+
post objects. For these methods, authentication using a service account JSON key file
|
|
112
|
+
is required.
|
|
107
113
|
|
|
108
114
|
[gce-how-to]: https://cloud.google.com/compute/docs/authentication#using
|
|
109
115
|
[dev-console]: https://console.cloud.google.com/project
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,22 @@
|
|
|
1
1
|
# Release History
|
|
2
2
|
|
|
3
|
+
### 1.27.0 / 2020-07-29
|
|
4
|
+
|
|
5
|
+
#### Features
|
|
6
|
+
|
|
7
|
+
* Add support for signing URLs with IAMCredentials SignBlob API
|
|
8
|
+
* Add signer parameter accepting Procs to the following methods:
|
|
9
|
+
* Project#signed_url
|
|
10
|
+
* Bucket#generate_signed_post_policy_v4
|
|
11
|
+
* Bucket#post_object
|
|
12
|
+
* Bucket#signed_url
|
|
13
|
+
* File#signed_url
|
|
14
|
+
* Update signer aliases signing_key and private_key to similarly support Procs
|
|
15
|
+
|
|
16
|
+
#### Documentation
|
|
17
|
+
|
|
18
|
+
* Update documentation of SignedUrlUnavailable
|
|
19
|
+
|
|
3
20
|
### 1.26.2 / 2020-05-28
|
|
4
21
|
|
|
5
22
|
#### Documentation
|
|
@@ -1406,7 +1406,7 @@ module Google
|
|
|
1406
1406
|
# A {SignedUrlUnavailable} is raised if the service account credentials
|
|
1407
1407
|
# are missing. Service account credentials are acquired by following the
|
|
1408
1408
|
# steps in [Service Account Authentication](
|
|
1409
|
-
# https://cloud.google.com/
|
|
1409
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1410
1410
|
#
|
|
1411
1411
|
# @see https://cloud.google.com/storage/docs/access-control/signed-urls
|
|
1412
1412
|
# Signed URLs guide
|
|
@@ -1433,10 +1433,22 @@ module Google
|
|
|
1433
1433
|
# use the signed URL.
|
|
1434
1434
|
# @param [String] issuer Service Account's Client Email.
|
|
1435
1435
|
# @param [String] client_email Service Account's Client Email.
|
|
1436
|
-
# @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
|
|
1437
|
-
# Private Key
|
|
1438
|
-
#
|
|
1439
|
-
#
|
|
1436
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
|
|
1437
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1438
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1439
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
|
|
1440
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1441
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1442
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
|
|
1443
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1444
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1445
|
+
#
|
|
1446
|
+
# When using this method in environments such as GAE Flexible Environment,
|
|
1447
|
+
# GKE, or Cloud Functions where the private key is unavailable, it may be
|
|
1448
|
+
# necessary to provide a Proc (or lambda) via the signer parameter. This
|
|
1449
|
+
# Proc should return a signature created using a RPC call to the
|
|
1450
|
+
# [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
|
|
1451
|
+
# method as shown in the example below.
|
|
1440
1452
|
# @param [Hash] query Query string parameters to include in the signed
|
|
1441
1453
|
# URL. The given parameters are not verified by the signature.
|
|
1442
1454
|
#
|
|
@@ -1462,7 +1474,12 @@ module Google
|
|
|
1462
1474
|
# to create. Must be one of `:v2` or `:v4`. The default value is
|
|
1463
1475
|
# `:v2`.
|
|
1464
1476
|
#
|
|
1465
|
-
# @return [String]
|
|
1477
|
+
# @return [String] The signed URL.
|
|
1478
|
+
#
|
|
1479
|
+
# @raise [SignedUrlUnavailable] If the service account credentials
|
|
1480
|
+
# are missing. Service account credentials are acquired by following the
|
|
1481
|
+
# steps in [Service Account Authentication](
|
|
1482
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1466
1483
|
#
|
|
1467
1484
|
# @example
|
|
1468
1485
|
# require "google/cloud/storage"
|
|
@@ -1493,6 +1510,40 @@ module Google
|
|
|
1493
1510
|
# issuer: "service-account@gcloud.com",
|
|
1494
1511
|
# signing_key: key
|
|
1495
1512
|
#
|
|
1513
|
+
# @example Using Cloud IAMCredentials signBlob to create the signature:
|
|
1514
|
+
# require "google/cloud/storage"
|
|
1515
|
+
# require "google/apis/iamcredentials_v1"
|
|
1516
|
+
# require "googleauth"
|
|
1517
|
+
#
|
|
1518
|
+
# # Issuer is the service account email that the Signed URL will be signed with
|
|
1519
|
+
# # and any permission granted in the Signed URL must be granted to the
|
|
1520
|
+
# # Google Service Account.
|
|
1521
|
+
# issuer = "service-account@project-id.iam.gserviceaccount.com"
|
|
1522
|
+
#
|
|
1523
|
+
# # Create a lambda that accepts the string_to_sign
|
|
1524
|
+
# signer = lambda do |string_to_sign|
|
|
1525
|
+
# IAMCredentials = Google::Apis::IamcredentialsV1
|
|
1526
|
+
# iam_client = IAMCredentials::IAMCredentialsService.new
|
|
1527
|
+
#
|
|
1528
|
+
# # Get the environment configured authorization
|
|
1529
|
+
# scopes = ["https://www.googleapis.com/auth/iam"]
|
|
1530
|
+
# iam_client.authorization = Google::Auth.get_application_default scopes
|
|
1531
|
+
#
|
|
1532
|
+
# request = {
|
|
1533
|
+
# "payload": string_to_sign,
|
|
1534
|
+
# }
|
|
1535
|
+
# resource = "projects/-/serviceAccounts/#{issuer}"
|
|
1536
|
+
# response = iam_client.sign_service_account_blob resource, request, {}
|
|
1537
|
+
# response.signed_blob
|
|
1538
|
+
# end
|
|
1539
|
+
#
|
|
1540
|
+
# storage = Google::Cloud::Storage.new
|
|
1541
|
+
#
|
|
1542
|
+
# bucket_name = "my-todo-app"
|
|
1543
|
+
# file_path = "avatars/heidi/400x400.png"
|
|
1544
|
+
# url = storage.signed_url bucket_name, file_path,
|
|
1545
|
+
# method: "GET", issuer: issuer,
|
|
1546
|
+
# signer: signer
|
|
1496
1547
|
# @example Using the `headers` option:
|
|
1497
1548
|
# require "google/cloud/storage"
|
|
1498
1549
|
#
|
|
@@ -1538,6 +1589,7 @@ module Google
|
|
|
1538
1589
|
client_email: nil,
|
|
1539
1590
|
signing_key: nil,
|
|
1540
1591
|
private_key: nil,
|
|
1592
|
+
signer: nil,
|
|
1541
1593
|
query: nil,
|
|
1542
1594
|
scheme: "HTTPS",
|
|
1543
1595
|
virtual_hosted_style: nil,
|
|
@@ -1547,30 +1599,32 @@ module Google
|
|
|
1547
1599
|
version ||= :v2
|
|
1548
1600
|
case version.to_sym
|
|
1549
1601
|
when :v2
|
|
1550
|
-
|
|
1551
|
-
|
|
1552
|
-
|
|
1553
|
-
|
|
1554
|
-
|
|
1555
|
-
|
|
1556
|
-
|
|
1557
|
-
|
|
1558
|
-
|
|
1559
|
-
|
|
1560
|
-
|
|
1602
|
+
sign = File::SignerV2.from_bucket self, path
|
|
1603
|
+
sign.signed_url method: method,
|
|
1604
|
+
expires: expires,
|
|
1605
|
+
headers: headers,
|
|
1606
|
+
content_type: content_type,
|
|
1607
|
+
content_md5: content_md5,
|
|
1608
|
+
issuer: issuer,
|
|
1609
|
+
client_email: client_email,
|
|
1610
|
+
signing_key: signing_key,
|
|
1611
|
+
private_key: private_key,
|
|
1612
|
+
signer: signer,
|
|
1613
|
+
query: query
|
|
1561
1614
|
when :v4
|
|
1562
|
-
|
|
1563
|
-
|
|
1564
|
-
|
|
1565
|
-
|
|
1566
|
-
|
|
1567
|
-
|
|
1568
|
-
|
|
1569
|
-
|
|
1570
|
-
|
|
1571
|
-
|
|
1572
|
-
|
|
1573
|
-
|
|
1615
|
+
sign = File::SignerV4.from_bucket self, path
|
|
1616
|
+
sign.signed_url method: method,
|
|
1617
|
+
expires: expires,
|
|
1618
|
+
headers: headers,
|
|
1619
|
+
issuer: issuer,
|
|
1620
|
+
client_email: client_email,
|
|
1621
|
+
signing_key: signing_key,
|
|
1622
|
+
private_key: private_key,
|
|
1623
|
+
signer: signer,
|
|
1624
|
+
query: query,
|
|
1625
|
+
scheme: scheme,
|
|
1626
|
+
virtual_hosted_style: virtual_hosted_style,
|
|
1627
|
+
bucket_bound_hostname: bucket_bound_hostname
|
|
1574
1628
|
else
|
|
1575
1629
|
raise ArgumentError, "version '#{version}' not supported"
|
|
1576
1630
|
end
|
|
@@ -1591,7 +1645,7 @@ module Google
|
|
|
1591
1645
|
# A {SignedUrlUnavailable} is raised if the service account credentials
|
|
1592
1646
|
# are missing. Service account credentials are acquired by following the
|
|
1593
1647
|
# steps in [Service Account Authentication](
|
|
1594
|
-
# https://cloud.google.com/
|
|
1648
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1595
1649
|
#
|
|
1596
1650
|
# @see https://cloud.google.com/storage/docs/xml-api/post-object
|
|
1597
1651
|
#
|
|
@@ -1608,12 +1662,28 @@ module Google
|
|
|
1608
1662
|
# for more information.
|
|
1609
1663
|
# @param [String] issuer Service Account's Client Email.
|
|
1610
1664
|
# @param [String] client_email Service Account's Client Email.
|
|
1611
|
-
# @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
|
|
1612
|
-
# Private Key
|
|
1613
|
-
#
|
|
1614
|
-
#
|
|
1665
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
|
|
1666
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1667
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1668
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
|
|
1669
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1670
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1671
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
|
|
1672
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1673
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1674
|
+
#
|
|
1675
|
+
# When using this method in environments such as GAE Flexible Environment,
|
|
1676
|
+
# GKE, or Cloud Functions where the private key is unavailable, it may be
|
|
1677
|
+
# necessary to provide a Proc (or lambda) via the signer parameter. This
|
|
1678
|
+
# Proc should return a signature created using a RPC call to the
|
|
1679
|
+
# [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
|
|
1680
|
+
# method as shown in the example below.
|
|
1681
|
+
# @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
|
|
1615
1682
|
#
|
|
1616
|
-
# @
|
|
1683
|
+
# @raise [SignedUrlUnavailable] If the service account credentials
|
|
1684
|
+
# are missing. Service account credentials are acquired by following the
|
|
1685
|
+
# steps in [Service Account Authentication](
|
|
1686
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1617
1687
|
#
|
|
1618
1688
|
# @example
|
|
1619
1689
|
# require "google/cloud/storage"
|
|
@@ -1673,19 +1743,61 @@ module Google
|
|
|
1673
1743
|
# post.fields[:signature] #=> "ABC...XYZ="
|
|
1674
1744
|
# post.fields[:policy] #=> "ABC...XYZ="
|
|
1675
1745
|
#
|
|
1746
|
+
# @example Using Cloud IAMCredentials signBlob to create the signature:
|
|
1747
|
+
# require "google/cloud/storage"
|
|
1748
|
+
# require "google/apis/iamcredentials_v1"
|
|
1749
|
+
# require "googleauth"
|
|
1750
|
+
#
|
|
1751
|
+
# # Issuer is the service account email that the Signed URL will be signed with
|
|
1752
|
+
# # and any permission granted in the Signed URL must be granted to the
|
|
1753
|
+
# # Google Service Account.
|
|
1754
|
+
# issuer = "service-account@project-id.iam.gserviceaccount.com"
|
|
1755
|
+
#
|
|
1756
|
+
# # Create a lambda that accepts the string_to_sign
|
|
1757
|
+
# signer = lambda do |string_to_sign|
|
|
1758
|
+
# IAMCredentials = Google::Apis::IamcredentialsV1
|
|
1759
|
+
# iam_client = IAMCredentials::IAMCredentialsService.new
|
|
1760
|
+
#
|
|
1761
|
+
# # Get the environment configured authorization
|
|
1762
|
+
# scopes = ["https://www.googleapis.com/auth/iam"]
|
|
1763
|
+
# iam_client.authorization = Google::Auth.get_application_default scopes
|
|
1764
|
+
#
|
|
1765
|
+
# request = {
|
|
1766
|
+
# "payload": string_to_sign,
|
|
1767
|
+
# }
|
|
1768
|
+
# resource = "projects/-/serviceAccounts/#{issuer}"
|
|
1769
|
+
# response = iam_client.sign_service_account_blob resource, request, {}
|
|
1770
|
+
# response.signed_blob
|
|
1771
|
+
# end
|
|
1772
|
+
#
|
|
1773
|
+
# storage = Google::Cloud::Storage.new
|
|
1774
|
+
#
|
|
1775
|
+
# bucket = storage.bucket "my-todo-app"
|
|
1776
|
+
# post = bucket.post_object "avatars/heidi/400x400.png",
|
|
1777
|
+
# issuer: issuer,
|
|
1778
|
+
# signer: signer
|
|
1779
|
+
#
|
|
1780
|
+
# post.url #=> "https://storage.googleapis.com"
|
|
1781
|
+
# post.fields[:key] #=> "my-todo-app/avatars/heidi/400x400.png"
|
|
1782
|
+
# post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"
|
|
1783
|
+
# post.fields[:signature] #=> "ABC...XYZ="
|
|
1784
|
+
# post.fields[:policy] #=> "ABC...XYZ="
|
|
1785
|
+
#
|
|
1676
1786
|
def post_object path,
|
|
1677
1787
|
policy: nil,
|
|
1678
1788
|
issuer: nil,
|
|
1679
1789
|
client_email: nil,
|
|
1680
1790
|
signing_key: nil,
|
|
1681
|
-
private_key: nil
|
|
1791
|
+
private_key: nil,
|
|
1792
|
+
signer: nil
|
|
1682
1793
|
ensure_service!
|
|
1683
|
-
|
|
1684
|
-
|
|
1685
|
-
|
|
1686
|
-
|
|
1687
|
-
|
|
1688
|
-
|
|
1794
|
+
sign = File::SignerV2.from_bucket self, path
|
|
1795
|
+
sign.post_object issuer: issuer,
|
|
1796
|
+
client_email: client_email,
|
|
1797
|
+
signing_key: signing_key,
|
|
1798
|
+
private_key: private_key,
|
|
1799
|
+
signer: signer,
|
|
1800
|
+
policy: policy
|
|
1689
1801
|
end
|
|
1690
1802
|
|
|
1691
1803
|
##
|
|
@@ -1703,17 +1815,29 @@ module Google
|
|
|
1703
1815
|
# A {SignedUrlUnavailable} is raised if the service account credentials
|
|
1704
1816
|
# are missing. Service account credentials are acquired by following the
|
|
1705
1817
|
# steps in [Service Account Authentication](
|
|
1706
|
-
# https://cloud.google.com/
|
|
1818
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1707
1819
|
#
|
|
1708
1820
|
# @see https://cloud.google.com/storage/docs/xml-api/post-object
|
|
1709
1821
|
#
|
|
1710
1822
|
# @param [String] path Path to the file in Google Cloud Storage.
|
|
1711
1823
|
# @param [String] issuer Service Account's Client Email.
|
|
1712
1824
|
# @param [String] client_email Service Account's Client Email.
|
|
1713
|
-
# @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
|
|
1714
|
-
# Private Key
|
|
1715
|
-
#
|
|
1716
|
-
#
|
|
1825
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
|
|
1826
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1827
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1828
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
|
|
1829
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1830
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1831
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
|
|
1832
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1833
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1834
|
+
#
|
|
1835
|
+
# When using this method in environments such as GAE Flexible Environment,
|
|
1836
|
+
# GKE, or Cloud Functions where the private key is unavailable, it may be
|
|
1837
|
+
# necessary to provide a Proc (or lambda) via the signer parameter. This
|
|
1838
|
+
# Proc should return a signature created using a RPC call to the
|
|
1839
|
+
# [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
|
|
1840
|
+
# method as shown in the example below.
|
|
1717
1841
|
# @param [Integer] expires The number of seconds until the URL expires.
|
|
1718
1842
|
# The default is 604800 (7 days).
|
|
1719
1843
|
# @param [Hash] fields User-supplied form fields such as `acl`,
|
|
@@ -1733,6 +1857,11 @@ module Google
|
|
|
1733
1857
|
#
|
|
1734
1858
|
# @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
|
|
1735
1859
|
#
|
|
1860
|
+
# @raise [SignedUrlUnavailable] If the service account credentials
|
|
1861
|
+
# are missing. Service account credentials are acquired by following the
|
|
1862
|
+
# steps in [Service Account Authentication](
|
|
1863
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1864
|
+
#
|
|
1736
1865
|
# @example
|
|
1737
1866
|
# require "google/cloud/storage"
|
|
1738
1867
|
#
|
|
@@ -1752,11 +1881,56 @@ module Google
|
|
|
1752
1881
|
# post.fields["x-goog-date"] #=> "20200128T000000Z"
|
|
1753
1882
|
# post.fields["x-goog-signature"] #=> "4893a0e...cd82"
|
|
1754
1883
|
#
|
|
1884
|
+
# @example Using Cloud IAMCredentials signBlob to create the signature:
|
|
1885
|
+
# require "google/cloud/storage"
|
|
1886
|
+
# require "google/apis/iamcredentials_v1"
|
|
1887
|
+
# require "googleauth"
|
|
1888
|
+
#
|
|
1889
|
+
# # Issuer is the service account email that the Signed URL will be signed with
|
|
1890
|
+
# # and any permission granted in the Signed URL must be granted to the
|
|
1891
|
+
# # Google Service Account.
|
|
1892
|
+
# issuer = "service-account@project-id.iam.gserviceaccount.com"
|
|
1893
|
+
#
|
|
1894
|
+
# # Create a lambda that accepts the string_to_sign
|
|
1895
|
+
# signer = lambda do |string_to_sign|
|
|
1896
|
+
# IAMCredentials = Google::Apis::IamcredentialsV1
|
|
1897
|
+
# iam_client = IAMCredentials::IAMCredentialsService.new
|
|
1898
|
+
#
|
|
1899
|
+
# # Get the environment configured authorization
|
|
1900
|
+
# scopes = ["https://www.googleapis.com/auth/iam"]
|
|
1901
|
+
# iam_client.authorization = Google::Auth.get_application_default scopes
|
|
1902
|
+
#
|
|
1903
|
+
# request = {
|
|
1904
|
+
# "payload": string_to_sign,
|
|
1905
|
+
# }
|
|
1906
|
+
# resource = "projects/-/serviceAccounts/#{issuer}"
|
|
1907
|
+
# response = iam_client.sign_service_account_blob resource, request, {}
|
|
1908
|
+
# response.signed_blob
|
|
1909
|
+
# end
|
|
1910
|
+
#
|
|
1911
|
+
# storage = Google::Cloud::Storage.new
|
|
1912
|
+
#
|
|
1913
|
+
# bucket = storage.bucket "my-todo-app"
|
|
1914
|
+
# conditions = [["starts-with", "$acl","public"]]
|
|
1915
|
+
# post = bucket.generate_signed_post_policy_v4(
|
|
1916
|
+
# "avatars/heidi/400x400.png", expires: 10,
|
|
1917
|
+
# conditions: conditions, issuer: issuer, signer: signer
|
|
1918
|
+
# )
|
|
1919
|
+
#
|
|
1920
|
+
# post.url #=> "https://storage.googleapis.com/my-todo-app/"
|
|
1921
|
+
# post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
|
|
1922
|
+
# post.fields["policy"] #=> "ABC...XYZ"
|
|
1923
|
+
# post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
|
|
1924
|
+
# post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
|
|
1925
|
+
# post.fields["x-goog-date"] #=> "20200128T000000Z"
|
|
1926
|
+
# post.fields["x-goog-signature"] #=> "4893a0e...cd82"
|
|
1927
|
+
#
|
|
1755
1928
|
def generate_signed_post_policy_v4 path,
|
|
1756
1929
|
issuer: nil,
|
|
1757
1930
|
client_email: nil,
|
|
1758
1931
|
signing_key: nil,
|
|
1759
1932
|
private_key: nil,
|
|
1933
|
+
signer: nil,
|
|
1760
1934
|
expires: nil,
|
|
1761
1935
|
fields: nil,
|
|
1762
1936
|
conditions: nil,
|
|
@@ -1764,17 +1938,18 @@ module Google
|
|
|
1764
1938
|
virtual_hosted_style: nil,
|
|
1765
1939
|
bucket_bound_hostname: nil
|
|
1766
1940
|
ensure_service!
|
|
1767
|
-
|
|
1768
|
-
|
|
1769
|
-
|
|
1770
|
-
|
|
1771
|
-
|
|
1772
|
-
|
|
1773
|
-
|
|
1774
|
-
|
|
1775
|
-
|
|
1776
|
-
|
|
1777
|
-
|
|
1941
|
+
sign = File::SignerV4.from_bucket self, path
|
|
1942
|
+
sign.post_object issuer: issuer,
|
|
1943
|
+
client_email: client_email,
|
|
1944
|
+
signing_key: signing_key,
|
|
1945
|
+
private_key: private_key,
|
|
1946
|
+
signer: signer,
|
|
1947
|
+
expires: expires,
|
|
1948
|
+
fields: fields,
|
|
1949
|
+
conditions: conditions,
|
|
1950
|
+
scheme: scheme,
|
|
1951
|
+
virtual_hosted_style: virtual_hosted_style,
|
|
1952
|
+
bucket_bound_hostname: bucket_bound_hostname
|
|
1778
1953
|
end
|
|
1779
1954
|
|
|
1780
1955
|
##
|
|
@@ -58,8 +58,13 @@ module Google
|
|
|
58
58
|
##
|
|
59
59
|
# # SignedUrlUnavailable Error
|
|
60
60
|
#
|
|
61
|
-
#
|
|
62
|
-
# missing credentials
|
|
61
|
+
# Raised by signed URL methods if the service account credentials
|
|
62
|
+
# are missing. Service account credentials are acquired by following the
|
|
63
|
+
# steps in [Service Account Authentication](
|
|
64
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
65
|
+
#
|
|
66
|
+
# @see https://cloud.google.com/storage/docs/access-control/signed-urls Signed URLs
|
|
67
|
+
#
|
|
63
68
|
class SignedUrlUnavailable < Google::Cloud::Error
|
|
64
69
|
end
|
|
65
70
|
end
|
|
@@ -1442,7 +1442,7 @@ module Google
|
|
|
1442
1442
|
# A {SignedUrlUnavailable} is raised if the service account credentials
|
|
1443
1443
|
# are missing. Service account credentials are acquired by following the
|
|
1444
1444
|
# steps in [Service Account Authentication](
|
|
1445
|
-
# https://cloud.google.com/
|
|
1445
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1446
1446
|
#
|
|
1447
1447
|
# @see https://cloud.google.com/storage/docs/access-control/signed-urls
|
|
1448
1448
|
# Signed URLs guide
|
|
@@ -1467,10 +1467,22 @@ module Google
|
|
|
1467
1467
|
# use the signed URL.
|
|
1468
1468
|
# @param [String] issuer Service Account's Client Email.
|
|
1469
1469
|
# @param [String] client_email Service Account's Client Email.
|
|
1470
|
-
# @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
|
|
1471
|
-
# Private Key
|
|
1472
|
-
#
|
|
1473
|
-
#
|
|
1470
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
|
|
1471
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1472
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1473
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
|
|
1474
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1475
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1476
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
|
|
1477
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
1478
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
1479
|
+
#
|
|
1480
|
+
# When using this method in environments such as GAE Flexible Environment,
|
|
1481
|
+
# GKE, or Cloud Functions where the private key is unavailable, it may be
|
|
1482
|
+
# necessary to provide a Proc (or lambda) via the signer parameter. This
|
|
1483
|
+
# Proc should return a signature created using a RPC call to the
|
|
1484
|
+
# [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
|
|
1485
|
+
# method as shown in the example below.
|
|
1474
1486
|
# @param [Hash] query Query string parameters to include in the signed
|
|
1475
1487
|
# URL. The given parameters are not verified by the signature.
|
|
1476
1488
|
#
|
|
@@ -1496,7 +1508,12 @@ module Google
|
|
|
1496
1508
|
# to create. Must be one of `:v2` or `:v4`. The default value is
|
|
1497
1509
|
# `:v2`.
|
|
1498
1510
|
#
|
|
1499
|
-
# @return [String]
|
|
1511
|
+
# @return [String] The signed URL.
|
|
1512
|
+
#
|
|
1513
|
+
# @raise [SignedUrlUnavailable] If the service account credentials
|
|
1514
|
+
# are missing. Service account credentials are acquired by following the
|
|
1515
|
+
# steps in [Service Account Authentication](
|
|
1516
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
1500
1517
|
#
|
|
1501
1518
|
# @example
|
|
1502
1519
|
# require "google/cloud/storage"
|
|
@@ -1556,6 +1573,40 @@ module Google
|
|
|
1556
1573
|
# # Send the `x-goog-resumable:start` header and the content type
|
|
1557
1574
|
# # with the resumable upload POST request.
|
|
1558
1575
|
#
|
|
1576
|
+
# @example Using Cloud IAMCredentials signBlob to create the signature:
|
|
1577
|
+
# require "google/cloud/storage"
|
|
1578
|
+
# require "google/apis/iamcredentials_v1"
|
|
1579
|
+
# require "googleauth"
|
|
1580
|
+
#
|
|
1581
|
+
# # Issuer is the service account email that the Signed URL will be signed with
|
|
1582
|
+
# # and any permission granted in the Signed URL must be granted to the
|
|
1583
|
+
# # Google Service Account.
|
|
1584
|
+
# issuer = "service-account@project-id.iam.gserviceaccount.com"
|
|
1585
|
+
#
|
|
1586
|
+
# # Create a lambda that accepts the string_to_sign
|
|
1587
|
+
# signer = lambda do |string_to_sign|
|
|
1588
|
+
# IAMCredentials = Google::Apis::IamcredentialsV1
|
|
1589
|
+
# iam_client = IAMCredentials::IAMCredentialsService.new
|
|
1590
|
+
#
|
|
1591
|
+
# # Get the environment configured authorization
|
|
1592
|
+
# scopes = ["https://www.googleapis.com/auth/iam"]
|
|
1593
|
+
# iam_client.authorization = Google::Auth.get_application_default scopes
|
|
1594
|
+
#
|
|
1595
|
+
# request = {
|
|
1596
|
+
# "payload": string_to_sign,
|
|
1597
|
+
# }
|
|
1598
|
+
# resource = "projects/-/serviceAccounts/#{issuer}"
|
|
1599
|
+
# response = iam_client.sign_service_account_blob resource, request, {}
|
|
1600
|
+
# response.signed_blob
|
|
1601
|
+
# end
|
|
1602
|
+
#
|
|
1603
|
+
# storage = Google::Cloud::Storage.new
|
|
1604
|
+
#
|
|
1605
|
+
# bucket = storage.bucket "my-todo-app"
|
|
1606
|
+
# file = bucket.file "avatars/heidi/400x400.png", skip_lookup: true
|
|
1607
|
+
# url = file.signed_url method: "GET", issuer: issuer,
|
|
1608
|
+
# signer: signer
|
|
1609
|
+
#
|
|
1559
1610
|
def signed_url method: "GET",
|
|
1560
1611
|
expires: nil,
|
|
1561
1612
|
content_type: nil,
|
|
@@ -1565,6 +1616,7 @@ module Google
|
|
|
1565
1616
|
client_email: nil,
|
|
1566
1617
|
signing_key: nil,
|
|
1567
1618
|
private_key: nil,
|
|
1619
|
+
signer: nil,
|
|
1568
1620
|
query: nil,
|
|
1569
1621
|
scheme: "HTTPS",
|
|
1570
1622
|
virtual_hosted_style: nil,
|
|
@@ -1574,30 +1626,32 @@ module Google
|
|
|
1574
1626
|
version ||= :v2
|
|
1575
1627
|
case version.to_sym
|
|
1576
1628
|
when :v2
|
|
1577
|
-
|
|
1578
|
-
|
|
1579
|
-
|
|
1580
|
-
|
|
1581
|
-
|
|
1582
|
-
|
|
1583
|
-
|
|
1584
|
-
|
|
1585
|
-
|
|
1586
|
-
|
|
1587
|
-
|
|
1629
|
+
sign = File::SignerV2.from_file self
|
|
1630
|
+
sign.signed_url method: method,
|
|
1631
|
+
expires: expires,
|
|
1632
|
+
headers: headers,
|
|
1633
|
+
content_type: content_type,
|
|
1634
|
+
content_md5: content_md5,
|
|
1635
|
+
issuer: issuer,
|
|
1636
|
+
client_email: client_email,
|
|
1637
|
+
signing_key: signing_key,
|
|
1638
|
+
private_key: private_key,
|
|
1639
|
+
signer: signer,
|
|
1640
|
+
query: query
|
|
1588
1641
|
when :v4
|
|
1589
|
-
|
|
1590
|
-
|
|
1591
|
-
|
|
1592
|
-
|
|
1593
|
-
|
|
1594
|
-
|
|
1595
|
-
|
|
1596
|
-
|
|
1597
|
-
|
|
1598
|
-
|
|
1599
|
-
|
|
1600
|
-
|
|
1642
|
+
sign = File::SignerV4.from_file self
|
|
1643
|
+
sign.signed_url method: method,
|
|
1644
|
+
expires: expires,
|
|
1645
|
+
headers: headers,
|
|
1646
|
+
issuer: issuer,
|
|
1647
|
+
client_email: client_email,
|
|
1648
|
+
signing_key: signing_key,
|
|
1649
|
+
private_key: private_key,
|
|
1650
|
+
signer: signer,
|
|
1651
|
+
query: query,
|
|
1652
|
+
scheme: scheme,
|
|
1653
|
+
virtual_hosted_style: virtual_hosted_style,
|
|
1654
|
+
bucket_bound_hostname: bucket_bound_hostname
|
|
1601
1655
|
else
|
|
1602
1656
|
raise ArgumentError, "version '#{version}' not supported"
|
|
1603
1657
|
end
|
|
@@ -77,13 +77,21 @@ module Google
|
|
|
77
77
|
end
|
|
78
78
|
|
|
79
79
|
def determine_signing_key options = {}
|
|
80
|
-
options[:signing_key] || options[:private_key] ||
|
|
81
|
-
|
|
80
|
+
signing_key = options[:signing_key] || options[:private_key] ||
|
|
81
|
+
options[:signer] || @service.credentials.signing_key
|
|
82
|
+
raise SignedUrlUnavailable, error_msg("signing_key (private_key, signer)") unless signing_key
|
|
83
|
+
signing_key
|
|
82
84
|
end
|
|
83
85
|
|
|
84
86
|
def determine_issuer options = {}
|
|
85
|
-
options[:issuer] || options[:client_email] ||
|
|
86
|
-
|
|
87
|
+
issuer = options[:issuer] || options[:client_email] || @service.credentials.issuer
|
|
88
|
+
raise SignedUrlUnavailable, error_msg("issuer (client_email)") unless issuer
|
|
89
|
+
issuer
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
def error_msg attr_name
|
|
93
|
+
"Service account credentials '#{attr_name}' is missing. To generate service account credentials " \
|
|
94
|
+
"see https://cloud.google.com/iam/docs/service-accounts"
|
|
87
95
|
end
|
|
88
96
|
|
|
89
97
|
def post_object options
|
|
@@ -99,8 +107,6 @@ module Google
|
|
|
99
107
|
i = determine_issuer options
|
|
100
108
|
s = determine_signing_key options
|
|
101
109
|
|
|
102
|
-
raise SignedUrlUnavailable unless i && s
|
|
103
|
-
|
|
104
110
|
policy_str = p.to_json
|
|
105
111
|
policy = Base64.strict_encode64(policy_str).delete "\n"
|
|
106
112
|
|
|
@@ -119,18 +125,21 @@ module Google
|
|
|
119
125
|
i = determine_issuer options
|
|
120
126
|
s = determine_signing_key options
|
|
121
127
|
|
|
122
|
-
raise SignedUrlUnavailable unless i && s
|
|
123
|
-
|
|
124
128
|
sig = generate_signature s, signature_str(options)
|
|
125
129
|
generate_signed_url i, sig, options[:expires], options[:query]
|
|
126
130
|
end
|
|
127
131
|
|
|
128
132
|
def generate_signature signing_key, secret
|
|
129
|
-
|
|
130
|
-
|
|
133
|
+
unencoded_signature = ""
|
|
134
|
+
if signing_key.is_a? Proc
|
|
135
|
+
unencoded_signature = signing_key.call secret
|
|
136
|
+
else
|
|
137
|
+
unless signing_key.respond_to? :sign
|
|
138
|
+
signing_key = OpenSSL::PKey::RSA.new signing_key
|
|
139
|
+
end
|
|
140
|
+
unencoded_signature = signing_key.sign OpenSSL::Digest::SHA256.new, secret
|
|
131
141
|
end
|
|
132
|
-
|
|
133
|
-
Base64.strict_encode64(signature).delete "\n"
|
|
142
|
+
Base64.strict_encode64(unencoded_signature).delete "\n"
|
|
134
143
|
end
|
|
135
144
|
|
|
136
145
|
def generate_signed_url issuer, signed_string, expires, query
|
|
@@ -43,6 +43,7 @@ module Google
|
|
|
43
43
|
client_email: nil,
|
|
44
44
|
signing_key: nil,
|
|
45
45
|
private_key: nil,
|
|
46
|
+
signer: nil,
|
|
46
47
|
expires: nil,
|
|
47
48
|
fields: nil,
|
|
48
49
|
conditions: nil,
|
|
@@ -50,8 +51,7 @@ module Google
|
|
|
50
51
|
virtual_hosted_style: nil,
|
|
51
52
|
bucket_bound_hostname: nil
|
|
52
53
|
i = determine_issuer issuer, client_email
|
|
53
|
-
s = determine_signing_key signing_key, private_key
|
|
54
|
-
raise SignedUrlUnavailable unless i && s
|
|
54
|
+
s = determine_signing_key signing_key, private_key, signer
|
|
55
55
|
|
|
56
56
|
now = Time.now.utc
|
|
57
57
|
base_fields = required_fields i, now
|
|
@@ -82,12 +82,13 @@ module Google
|
|
|
82
82
|
client_email: nil,
|
|
83
83
|
signing_key: nil,
|
|
84
84
|
private_key: nil,
|
|
85
|
+
signer: nil,
|
|
85
86
|
query: nil,
|
|
86
87
|
scheme: "https",
|
|
87
88
|
virtual_hosted_style: nil,
|
|
88
89
|
bucket_bound_hostname: nil
|
|
89
90
|
raise ArgumentError, "method is required" unless method
|
|
90
|
-
issuer, signer = issuer_and_signer issuer, client_email, signing_key, private_key
|
|
91
|
+
issuer, signer = issuer_and_signer issuer, client_email, signing_key, private_key, signer
|
|
91
92
|
datetime_now = Time.now.utc
|
|
92
93
|
goog_date = datetime_now.strftime "%Y%m%dT%H%M%SZ"
|
|
93
94
|
datestamp = datetime_now.strftime "%Y%m%d"
|
|
@@ -192,28 +193,40 @@ module Google
|
|
|
192
193
|
def determine_issuer issuer, client_email
|
|
193
194
|
# Parse the Service Account and get client id and private key
|
|
194
195
|
issuer = issuer || client_email || @service.credentials.issuer
|
|
195
|
-
raise SignedUrlUnavailable, "issuer (client_email)
|
|
196
|
+
raise SignedUrlUnavailable, error_msg("issuer (client_email)") unless issuer
|
|
196
197
|
issuer
|
|
197
198
|
end
|
|
198
199
|
|
|
199
|
-
def determine_signing_key signing_key, private_key
|
|
200
|
-
signing_key = signing_key || private_key || @service.credentials.signing_key
|
|
201
|
-
raise SignedUrlUnavailable, "signing_key (private_key)
|
|
200
|
+
def determine_signing_key signing_key, private_key, signer
|
|
201
|
+
signing_key = signing_key || private_key || signer || @service.credentials.signing_key
|
|
202
|
+
raise SignedUrlUnavailable, error_msg("signing_key (private_key, signer)") unless signing_key
|
|
202
203
|
signing_key
|
|
203
204
|
end
|
|
204
205
|
|
|
206
|
+
def error_msg attr_name
|
|
207
|
+
"Service account credentials '#{attr_name}' is missing. To generate service account credentials " \
|
|
208
|
+
"see https://cloud.google.com/iam/docs/service-accounts"
|
|
209
|
+
end
|
|
210
|
+
|
|
205
211
|
def service_account_signer signer
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
212
|
+
if signer.is_a? Proc
|
|
213
|
+
lambda do |string_to_sign|
|
|
214
|
+
sig = signer.call string_to_sign
|
|
215
|
+
sig.unpack("H*").first
|
|
216
|
+
end
|
|
217
|
+
else
|
|
218
|
+
signer = OpenSSL::PKey::RSA.new signer unless signer.respond_to? :sign
|
|
219
|
+
# Sign string to sign
|
|
220
|
+
lambda do |string_to_sign|
|
|
221
|
+
sig = signer.sign OpenSSL::Digest::SHA256.new, string_to_sign
|
|
222
|
+
sig.unpack("H*").first
|
|
223
|
+
end
|
|
211
224
|
end
|
|
212
225
|
end
|
|
213
226
|
|
|
214
|
-
def issuer_and_signer issuer, client_email, signing_key, private_key
|
|
227
|
+
def issuer_and_signer issuer, client_email, signing_key, private_key, signer
|
|
215
228
|
issuer = determine_issuer issuer, client_email
|
|
216
|
-
signing_key = determine_signing_key signing_key, private_key
|
|
229
|
+
signing_key = determine_signing_key signing_key, private_key, signer
|
|
217
230
|
signer = service_account_signer signing_key
|
|
218
231
|
[issuer, signer]
|
|
219
232
|
end
|
|
@@ -337,11 +350,16 @@ module Google
|
|
|
337
350
|
end
|
|
338
351
|
|
|
339
352
|
def generate_signature signing_key, data
|
|
340
|
-
|
|
341
|
-
|
|
353
|
+
packed_signature = nil
|
|
354
|
+
if signing_key.is_a? Proc
|
|
355
|
+
packed_signature = signing_key.call data
|
|
356
|
+
else
|
|
357
|
+
unless signing_key.respond_to? :sign
|
|
358
|
+
signing_key = OpenSSL::PKey::RSA.new signing_key
|
|
359
|
+
end
|
|
360
|
+
packed_signature = signing_key.sign OpenSSL::Digest::SHA256.new, data
|
|
342
361
|
end
|
|
343
|
-
|
|
344
|
-
signature.unpack("H*").first.force_encoding "utf-8"
|
|
362
|
+
packed_signature.unpack("H*").first.force_encoding "utf-8"
|
|
345
363
|
end
|
|
346
364
|
end
|
|
347
365
|
end
|
|
@@ -483,7 +483,7 @@ module Google
|
|
|
483
483
|
# A {SignedUrlUnavailable} is raised if the service account credentials
|
|
484
484
|
# are missing. Service account credentials are acquired by following the
|
|
485
485
|
# steps in [Service Account Authentication](
|
|
486
|
-
# https://cloud.google.com/
|
|
486
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
487
487
|
#
|
|
488
488
|
# @see https://cloud.google.com/storage/docs/access-control/signed-urls
|
|
489
489
|
# Signed URLs guide
|
|
@@ -511,10 +511,22 @@ module Google
|
|
|
511
511
|
# use the signed URL.
|
|
512
512
|
# @param [String] issuer Service Account's Client Email.
|
|
513
513
|
# @param [String] client_email Service Account's Client Email.
|
|
514
|
-
# @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
|
|
515
|
-
# Private Key
|
|
516
|
-
#
|
|
517
|
-
#
|
|
514
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
|
|
515
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
516
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
517
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
|
|
518
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
519
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
520
|
+
# @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
|
|
521
|
+
# Private Key or a Proc that accepts a single String parameter and returns a
|
|
522
|
+
# RSA SHA256 signature using a valid Google Service Account Private Key.
|
|
523
|
+
#
|
|
524
|
+
# When using this method in environments such as GAE Flexible Environment,
|
|
525
|
+
# GKE, or Cloud Functions where the private key is unavailable, it may be
|
|
526
|
+
# necessary to provide a Proc (or lambda) via the signer parameter. This
|
|
527
|
+
# Proc should return a signature created using a RPC call to the
|
|
528
|
+
# [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
|
|
529
|
+
# method as shown in the example below.
|
|
518
530
|
# @param [Hash] query Query string parameters to include in the signed
|
|
519
531
|
# URL. The given parameters are not verified by the signature.
|
|
520
532
|
#
|
|
@@ -540,7 +552,12 @@ module Google
|
|
|
540
552
|
# to create. Must be one of `:v2` or `:v4`. The default value is
|
|
541
553
|
# `:v2`.
|
|
542
554
|
#
|
|
543
|
-
# @return [String]
|
|
555
|
+
# @return [String] The signed URL.
|
|
556
|
+
#
|
|
557
|
+
# @raise [SignedUrlUnavailable] If the service account credentials
|
|
558
|
+
# are missing. Service account credentials are acquired by following the
|
|
559
|
+
# steps in [Service Account Authentication](
|
|
560
|
+
# https://cloud.google.com/iam/docs/service-accounts).
|
|
544
561
|
#
|
|
545
562
|
# @example
|
|
546
563
|
# require "google/cloud/storage"
|
|
@@ -575,6 +592,41 @@ module Google
|
|
|
575
592
|
# issuer: issuer_email,
|
|
576
593
|
# signing_key: key
|
|
577
594
|
#
|
|
595
|
+
# @example Using Cloud IAMCredentials signBlob to create the signature:
|
|
596
|
+
# require "google/cloud/storage"
|
|
597
|
+
# require "google/apis/iamcredentials_v1"
|
|
598
|
+
# require "googleauth"
|
|
599
|
+
#
|
|
600
|
+
# # Issuer is the service account email that the Signed URL will be signed with
|
|
601
|
+
# # and any permission granted in the Signed URL must be granted to the
|
|
602
|
+
# # Google Service Account.
|
|
603
|
+
# issuer = "service-account@project-id.iam.gserviceaccount.com"
|
|
604
|
+
#
|
|
605
|
+
# # Create a lambda that accepts the string_to_sign
|
|
606
|
+
# signer = lambda do |string_to_sign|
|
|
607
|
+
# IAMCredentials = Google::Apis::IamcredentialsV1
|
|
608
|
+
# iam_client = IAMCredentials::IAMCredentialsService.new
|
|
609
|
+
#
|
|
610
|
+
# # Get the environment configured authorization
|
|
611
|
+
# scopes = ["https://www.googleapis.com/auth/iam"]
|
|
612
|
+
# iam_client.authorization = Google::Auth.get_application_default scopes
|
|
613
|
+
#
|
|
614
|
+
# request = {
|
|
615
|
+
# "payload": string_to_sign,
|
|
616
|
+
# }
|
|
617
|
+
# resource = "projects/-/serviceAccounts/#{issuer}"
|
|
618
|
+
# response = iam_client.sign_service_account_blob resource, request, {}
|
|
619
|
+
# response.signed_blob
|
|
620
|
+
# end
|
|
621
|
+
#
|
|
622
|
+
# storage = Google::Cloud::Storage.new
|
|
623
|
+
#
|
|
624
|
+
# bucket_name = "my-todo-app"
|
|
625
|
+
# file_path = "avatars/heidi/400x400.png"
|
|
626
|
+
# url = storage.signed_url bucket_name, file_path,
|
|
627
|
+
# method: "GET", issuer: issuer,
|
|
628
|
+
# signer: signer
|
|
629
|
+
#
|
|
578
630
|
# @example Using the `headers` option:
|
|
579
631
|
# require "google/cloud/storage"
|
|
580
632
|
#
|
|
@@ -616,6 +668,7 @@ module Google
|
|
|
616
668
|
client_email: nil,
|
|
617
669
|
signing_key: nil,
|
|
618
670
|
private_key: nil,
|
|
671
|
+
signer: nil,
|
|
619
672
|
query: nil,
|
|
620
673
|
scheme: "HTTPS",
|
|
621
674
|
virtual_hosted_style: nil,
|
|
@@ -624,31 +677,32 @@ module Google
|
|
|
624
677
|
version ||= :v2
|
|
625
678
|
case version.to_sym
|
|
626
679
|
when :v2
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
|
|
634
|
-
|
|
635
|
-
|
|
636
|
-
|
|
637
|
-
|
|
638
|
-
|
|
680
|
+
sign = File::SignerV2.new bucket, path, service
|
|
681
|
+
sign.signed_url method: method,
|
|
682
|
+
expires: expires,
|
|
683
|
+
headers: headers,
|
|
684
|
+
content_type: content_type,
|
|
685
|
+
content_md5: content_md5,
|
|
686
|
+
issuer: issuer,
|
|
687
|
+
client_email: client_email,
|
|
688
|
+
signing_key: signing_key,
|
|
689
|
+
private_key: private_key,
|
|
690
|
+
signer: signer,
|
|
691
|
+
query: query
|
|
639
692
|
when :v4
|
|
640
|
-
|
|
641
|
-
|
|
642
|
-
|
|
643
|
-
|
|
644
|
-
|
|
645
|
-
|
|
646
|
-
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
|
|
650
|
-
|
|
651
|
-
|
|
693
|
+
sign = File::SignerV4.new bucket, path, service
|
|
694
|
+
sign.signed_url method: method,
|
|
695
|
+
expires: expires,
|
|
696
|
+
headers: headers,
|
|
697
|
+
issuer: issuer,
|
|
698
|
+
client_email: client_email,
|
|
699
|
+
signing_key: signing_key,
|
|
700
|
+
private_key: private_key,
|
|
701
|
+
signer: signer,
|
|
702
|
+
query: query,
|
|
703
|
+
scheme: scheme,
|
|
704
|
+
virtual_hosted_style: virtual_hosted_style,
|
|
705
|
+
bucket_bound_hostname: bucket_bound_hostname
|
|
652
706
|
else
|
|
653
707
|
raise ArgumentError, "version '#{version}' not supported"
|
|
654
708
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: google-cloud-storage
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.27.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike Moore
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2020-
|
|
12
|
+
date: 2020-07-29 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: google-cloud-core
|
|
@@ -298,7 +298,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
298
298
|
- !ruby/object:Gem::Version
|
|
299
299
|
version: '0'
|
|
300
300
|
requirements: []
|
|
301
|
-
rubygems_version: 3.
|
|
301
|
+
rubygems_version: 3.1.3
|
|
302
302
|
signing_key:
|
|
303
303
|
specification_version: 4
|
|
304
304
|
summary: API Client library for Google Cloud Storage
|