shrine 2.14.0 → 2.15.0

data/lib/shrine/plugins/backup.rb

@@ -2,28 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `backup` plugin allows you to automatically back up stored files to
-    # an additional storage.
-    #
-    #     storages[:backup_store] = Shrine::Storage::S3.new(options)
-    #     plugin :backup, storage: :backup_store
-    #
-    # After a file is stored, it will be reuploaded from store to the provided
-    # backup storage.
-    #
-    #     user.update(avatar: file) # uploaded both to :store and :backup_store
-    #
-    # By default whenever stored files are deleted backed up files are deleted
-    # as well, but you can keep files on the "backup" storage by passing
-    # `delete: false`:
-    #
-    #     plugin :backup, storage: :backup_store, delete: false
-    #
-    # Note that when adding this plugin with already existing stored files,
-    # Shrine won't know whether a stored file is backed up or not, so
-    # attempting to delete the backup could result in an error. To avoid that
-    # you can set `delete: false` until you manually back up the existing
-    # stored files.
     module Backup
       def self.configure(uploader, opts = {})
         uploader.opts[:backup_storage] = opts.fetch(:storage, uploader.opts[:backup_storage])

data/lib/shrine/plugins/cached_attachment_data.rb

@@ -2,21 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `cached_attachment_data` plugin adds the ability to retain the cached
-    # file across form redisplays, which means the file doesn't have to be
-    # reuploaded in case of validation errors.
-    #
-    #     plugin :cached_attachment_data
-    #
-    # The plugin adds `#cached_<attachment>_data` to the model, which returns
-    # the cached file as JSON, and should be used to set the value of the
-    # hidden form field.
-    #
-    #     @user.cached_avatar_data #=> '{"id":"38k25.jpg","storage":"cache","metadata":{...}}'
-    #
-    # This method delegates to `Attacher#read_cached`:
-    #
-    #     attacher.read_cached #=> '{"id":"38k25.jpg","storage":"cache","metadata":{...}}'
     module CachedAttachmentData
       module AttachmentMethods
         def initialize(*)

data/lib/shrine/plugins/copy.rb

@@ -2,20 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `copy` plugin allows copying attachment from one record to another.
-    #
-    #     plugin :copy
-    #
-    # It adds a `Attacher#copy` method, which accepts another attacher, and
-    # copies the attachment from it:
-    #
-    #     photo.image_attacher.copy(other_photo.image_attacher)
-    #
-    # This method will automatically be called when the record is duplicated:
-    #
-    #     duplicated_photo = photo.dup
-    #     duplicated_photo.image #=> #<Shrine::UploadedFile>
-    #     duplicated_photo.image != photo.image
     module Copy
       module AttachmentMethods
         def initialize(*)

data/lib/shrine/plugins/data_uri.rb

@@ -8,79 +8,6 @@ require "forwardable"
 
 class Shrine
   module Plugins
-    # The `data_uri` plugin enables you to upload files as [data URIs].
-    # This plugin is useful for example when using [HTML5 Canvas].
-    #
-    #     plugin :data_uri
-    #
-    # If your attachment is called "avatar", this plugin will add
-    # `#avatar_data_uri` and `#avatar_data_uri=` methods to your model.
-    #
-    #     user.avatar #=> nil
-    #     user.avatar_data_uri = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA"
-    #     user.avatar #=> #<Shrine::UploadedFile>
-    #
-    #     user.avatar.mime_type         #=> "image/png"
-    #     user.avatar.size              #=> 43423
-    #
-    # You can also use `#data_uri=` and `#data_uri` methods directly on the
-    # `Shrine::Attacher` (which the model methods just delegate to):
-    #
-    #     attacher.data_uri = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA"
-    #
-    # If the data URI wasn't correctly parsed, an error message will be added to
-    # the attachment column. You can change the default error message:
-    #
-    #     plugin :data_uri, error_message: "data URI was invalid"
-    #     plugin :data_uri, error_message: ->(uri) { I18n.t("errors.data_uri_invalid") }
-    #
-    # ## File extension
-    #
-    # A data URI doesn't convey any information about the file extension, so
-    # when attaching from a data URI, the uploaded file location will be
-    # missing an extension. If you want the upload location to always have an
-    # extension, you can load the `infer_extension` plugin to infer it from the
-    # MIME type.
-    #
-    #     plugin :infer_extension
-    #
-    # ## `Shrine.data_uri`
-    #
-    # If you just want to parse the data URI and create an IO object from it,
-    # you can do that with `Shrine.data_uri`. If the data URI cannot be parsed,
-    # a `Shrine::Plugins::DataUri::ParseError` will be raised.
-    #
-    #     # or YourUploader.data_uri("...")
-    #     io = Shrine.data_uri("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA")
-    #     io.content_type #=> "image/png"
-    #     io.size         #=> 21
-    #     io.read         # decoded content
-    #
-    # When the content type is ommited, `text/plain` is assumed. The parser
-    # also supports raw data URIs which aren't base64-encoded.
-    #
-    #     # or YourUploader.data_uri("...")
-    #     io = Shrine.data_uri("data:,raw%20content")
-    #     io.content_type #=> "text/plain"
-    #     io.size         #=> 11
-    #     io.read         #=> "raw content"
-    #
-    # You can also assign a filename:
-    #
-    #     io = Shrine.data_uri("data:,content", filename: "foo.txt")
-    #     io.original_filename #=> "foo.txt"
-    #
-    # ## `UploadedFile#data_uri` and `UploadedFile#base64`
-    #
-    # This plugin also adds UploadedFile#data_uri method, which returns a
-    # base64-encoded data URI of the file content, and UploadedFile#base64,
-    # which simply returns the file content base64-encoded.
-    #
-    #     uploaded_file.data_uri #=> "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA"
-    #     uploaded_file.base64   #=> "iVBORw0KGgoAAAANSUhEUgAAAAUA"
-    #
-    # [data URIs]: https://tools.ietf.org/html/rfc2397
-    # [HTML5 Canvas]: https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API
     module DataUri
       class ParseError < Error; end
 

data/lib/shrine/plugins/default_storage.rb

@@ -2,17 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `default_storage` plugin enables you to change which storages are going
-    # to be used for this uploader's attacher (the default is `:cache` and
-    # `:store`).
-    #
-    #     plugin :default_storage, cache: :special_cache, store: :special_store
-    #
-    # You can also pass a block and choose the values depending on the record
-    # values and the name of the attachment. This is useful if you're using the
-    # `dynamic_storage` plugin. Example:
-    #
-    #     plugin :default_storage, store: ->(record, name) { :"store_#{record.username}" }
     module DefaultStorage
       def self.configure(uploader, opts = {})
         uploader.opts[:default_storage_cache] = opts.fetch(:cache, uploader.opts[:default_storage_cache])

data/lib/shrine/plugins/default_url.rb

@@ -2,31 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `default_url` plugin allows setting the URL which will be returned when
-    # the attachment is missing.
-    #
-    #     plugin :default_url
-    #
-    #     Attacher.default_url do |options|
-    #       "/#{name}/missing.jpg"
-    #     end
-    #
-    # `Attacher#url` returns the default URL when attachment is missing. Any
-    # passed in URL options will be present in the `options` hash.
-    #
-    #     attacher.url #=> "/avatar/missing.jpg"
-    #     # or
-    #     user.avatar_url #=> "/avatar/missing.jpg"
-    #
-    # The default URL block is evaluated in the context of an instance of
-    # `Shrine::Attacher`.
-    #
-    #     Attacher.default_url do |options|
-    #       self #=> #<Shrine::Attacher>
-    #
-    #       name   #=> :avatar
-    #       record #=> #<User>
-    #     end
     module DefaultUrl
       def self.configure(uploader, &block)
         if block

data/lib/shrine/plugins/default_url_options.rb

@@ -2,22 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `default_url_options` plugin allows you to specify URL options that
-    # will be applied by default for uploaded files of specified storages.
-    #
-    #     plugin :default_url_options, store: { download: true }
-    #
-    # You can also generate the default URL options dynamically by using a
-    # block, which will receive the UploadedFile object along with any options
-    # that were passed to `UploadedFile#url`.
-    #
-    #     plugin :default_url_options, store: -> (io, **options) do
-    #       { response_content_disposition: ContentDisposition.attachment(io.original_filename) }
-    #     end
-    #
-    # In both cases the default options are merged with options passed to
-    # `UploadedFile#url`, and the latter will always have precedence over
-    # default options.
     module DefaultUrlOptions
       def self.configure(uploader, options = {})
         uploader.opts[:default_url_options] ||= {}

data/lib/shrine/plugins/delete_promoted.rb

@@ -2,12 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `delete_promoted` plugin deletes files that have been promoted, after
-    # the record is saved. This means that cached files handled by the attacher
-    # will automatically get deleted once they're uploaded to store. This also
-    # applies to any other uploaded file passed to `Attacher#promote`.
-    #
-    #     plugin :delete_promoted
     module DeletePromoted
       module AttacherMethods
         def promote(uploaded_file = get, **options)

data/lib/shrine/plugins/delete_raw.rb

@@ -2,16 +2,6 @@
 
 class Shrine
   module Plugins
-    # The `delete_raw` plugin will automatically delete raw files that have been
-    # uploaded. This is especially useful when doing processing, to ensure that
-    # temporary files have been deleted after upload.
-    #
-    #     plugin :delete_raw
-    #
-    # By default any raw file that was uploaded will be deleted, but you can
-    # limit this only to files uploaded to certain storages:
-    #
-    #     plugin :delete_raw, storages: [:store]
     module DeleteRaw
       def self.configure(uploader, opts = {})
         uploader.opts[:delete_raw_storages] = opts.fetch(:storages, uploader.opts[:delete_raw_storages])

data/lib/shrine/plugins/derivation_endpoint.rb

@@ -0,0 +1,652 @@
+# frozen_string_literal: true
+
+require "rack"
+require "content_disposition"
+
+require "openssl"
+require "tempfile"
+
+class Shrine
+  module Plugins
+    module DerivationEndpoint
+      def self.load_dependencies(uploader, opts = {})
+        uploader.plugin :rack_response
+        uploader.plugin :_urlsafe_serialization
+      end
+
+      def self.configure(uploader, opts = {})
+        uploader.opts[:derivation_endpoint_options] ||= {}
+        uploader.opts[:derivation_endpoint_options].merge!(opts)
+
+        uploader.opts[:derivation_endpoint_derivations] ||= {}
+
+        unless uploader.opts[:derivation_endpoint_options][:secret_key]
+          fail Error, "must provide :secret_key option to derivation_endpoint plugin"
+        end
+      end
+
+      module ClassMethods
+        def derivation_endpoint(**options)
+          Shrine::DerivationEndpoint.new(shrine_class: self, options: options)
+        end
+
+        def derivation_response(env, **options)
+          script_name = env["SCRIPT_NAME"]
+          path_info   = env["PATH_INFO"]
+
+          prefix = derivation_options[:prefix]
+          match  = path_info.match(/^\/#{prefix}/)
+
+          fail Error, "request path must start with \"/#{prefix}\", but is \"#{path_info}\"" unless match
+
+          begin
+            env["SCRIPT_NAME"] += match.to_s
+            env["PATH_INFO"]    = match.post_match
+
+            derivation_endpoint(**options).call(env)
+          ensure
+            env["SCRIPT_NAME"] = script_name
+            env["PATH_INFO"]   = path_info
+          end
+        end
+
+        def derivation(name, &block)
+          derivations[name] = block
+        end
+
+        def derivations
+          opts[:derivation_endpoint_derivations]
+        end
+
+        def derivation_options
+          opts[:derivation_endpoint_options]
+        end
+      end
+
+      module FileMethods
+        def derivation_url(name, *args, **options)
+          derivation(name, *args).url(**options)
+        end
+
+        def derivation_response(name, *args, env:, **options)
+          derivation(name, *args, **options).response(env)
+        end
+
+        def derivation(name, *args, **options)
+          Shrine::Derivation.new(
+            name:    name,
+            args:    args,
+            source:  self,
+            options: options,
+          )
+        end
+      end
+    end
+
+    register_plugin(:derivation_endpoint, DerivationEndpoint)
+  end
+
+  class Derivation
+    class NotFound       < Error; end
+    class SourceNotFound < Error; end
+
+    attr_reader :name, :args, :source, :options
+
+    def initialize(name:, args:, source:, options:)
+      @name    = name
+      @args    = args
+      @source  = source
+      @options = options
+    end
+
+    def url(**options)
+      Derivation::Url.new(self).call(
+        host:       option(:host),
+        prefix:     option(:prefix),
+        expires_in: option(:expires_in),
+        version:    option(:version),
+        metadata:   option(:metadata),
+        **options,
+      )
+    end
+
+    def response(env)
+      Derivation::Response.new(self).call(env)
+    end
+
+    def processed
+      Derivation::Processed.new(self).call
+    end
+
+    def generate(file = nil)
+      Derivation::Generate.new(self).call(file)
+    end
+
+    def upload(file = nil)
+      Derivation::Upload.new(self).call(file)
+    end
+
+    def retrieve
+      Derivation::Retrieve.new(self).call
+    end
+
+    def delete
+      Derivation::Delete.new(self).call
+    end
+
+    def self.options
+      @options ||= {}
+    end
+
+    def self.option(name, default: nil, result: nil)
+      options[name] = { default: default, result: result }
+    end
+
+    option :cache_control,               default: -> { default_cache_control }
+    option :disposition,                 default: -> { "inline" }
+    option :download,                    default: -> { true }
+    option :download_errors,             default: -> { [] }
+    option :download_options,            default: -> { {} }
+    option :expires_in
+    option :filename,                    default: -> { default_filename }
+    option :host
+    option :include_uploaded_file,       default: -> { false }
+    option :metadata,                    default: -> { [] }
+    option :prefix
+    option :secret_key
+    option :type
+    option :upload,                      default: -> { false }
+    option :upload_location,             default: -> { default_upload_location }, result: -> (o) { upload_location(o) }
+    option :upload_options,              default: -> { {} }
+    option :upload_redirect,             default: -> { false }
+    option :upload_redirect_url_options, default: -> { {} }
+    option :upload_storage,              default: -> { source.storage_key.to_sym }
+    option :version
+
+    def option(name)
+      option_definition = self.class.options.fetch(name)
+
+      value = options.fetch(name) { shrine_class.derivation_options[name] }
+      value = instance_exec(&value) if value.is_a?(Proc)
+
+      if value.nil?
+        default = option_definition[:default]
+        value   = instance_exec(&default) if default
+      end
+
+      result = option_definition[:result]
+      value  = instance_exec(value, &result) if result
+
+      value
+    end
+
+    def shrine_class
+      source.shrine_class
+    end
+
+    private
+
+    # append version and extension to upload location if specified
+    def upload_location(location)
+      location = location.sub(/(?=(\.\w+)?$)/, "-#{option(:version)}") if option(:version)
+      location
+    end
+
+    def default_filename
+      [name, *args, File.basename(source.id, ".*")].join("-")
+    end
+
+    def default_upload_location
+      directory = source.id.sub(/\.[^\/]+/, "")
+      filename  = [name, *args].join("-")
+
+      [directory, filename].join("/")
+    end
+
+    def default_cache_control
+      if option(:expires_in)
+        "public, max-age=#{option(:expires_in)}"
+      else
+        "public, max-age=#{365*24*60*60}"
+      end
+    end
+
+    class Command
+      attr_reader :derivation
+
+      def initialize(derivation)
+        @derivation = derivation
+      end
+
+      def self.delegate(*names)
+        names.each do |name|
+          protected define_method(name) {
+            if [:name, :args, :source].include?(name)
+              derivation.public_send(name)
+            else
+              derivation.option(name)
+            end
+          }
+        end
+      end
+
+      private
+
+      def shrine_class
+        derivation.shrine_class
+      end
+    end
+  end
+
+  class Derivation::Url < Derivation::Command
+    delegate :name, :args, :source, :secret_key
+
+    def call(host: nil, prefix: nil, **options)
+      [host, *prefix, identifier(**options)].join("/")
+    end
+
+    private
+
+    def identifier(expires_in: nil,
+                   version: nil,
+                   type: nil,
+                   filename: nil,
+                   disposition: nil,
+                   metadata: [])
+
+      params = {}
+      params[:expires_at]  = (Time.now.utc + expires_in).to_i if expires_in
+      params[:version]     = version if version
+      params[:type]        = type if type
+      params[:filename]    = filename if filename
+      params[:disposition] = disposition if disposition
+
+      source_component = source.urlsafe_dump(metadata: metadata)
+
+      signed_url(name, *args, source_component, params)
+    end
+
+    def signed_url(*components)
+      signer = UrlSigner.new(secret_key)
+      signer.signed_url(*components)
+    end
+  end
+
+  class DerivationEndpoint
+    attr_reader :shrine_class, :options
+
+    def initialize(shrine_class:, options: {})
+      @shrine_class = shrine_class
+      @options      = options
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      status, headers, body = catch(:halt) do
+        error!(405, "Method not allowed") unless request.get? || request.head?
+
+        handle_request(request)
+      end
+
+      headers["Content-Length"] ||= body.map(&:bytesize).inject(0, :+).to_s
+
+      [status, headers, body]
+    end
+
+    def handle_request(request)
+      verify_signature!(request)
+      check_expiry!(request)
+
+      name, *args, serialized_file = request.path_info.split("/")[1..-1]
+
+      name          = name.to_sym
+      uploaded_file = shrine_class::UploadedFile.urlsafe_load(serialized_file)
+
+      # request params override statically configured options
+      options = self.options.dup
+
+      options[:type]        = request.params["type"]        if request.params["type"]
+      options[:disposition] = request.params["disposition"] if request.params["disposition"]
+      options[:filename]    = request.params["filename"]    if request.params["filename"]
+
+      options[:expires_in]  = expires_in(request) if request.params["expires_at"]
+
+      derivation = uploaded_file.derivation(name, *args, **options)
+
+      begin
+        status, headers, body = derivation.response(request.env)
+      rescue Derivation::NotFound
+        error!(404, "Unknown derivation \"#{name}\"")
+      rescue Derivation::SourceNotFound
+        error!(404, "Source file not found")
+      end
+
+      if status == 200 || status == 206
+        headers["Cache-Control"] = derivation.option(:cache_control)
+      end
+
+      [status, headers, body]
+    end
+
+    private
+
+    def verify_signature!(request)
+      signer = UrlSigner.new(secret_key)
+      signer.verify_url("#{request.path_info[1..-1]}?#{request.query_string}")
+    rescue UrlSigner::InvalidSignature => error
+      error!(403, error.message.capitalize)
+    end
+
+    def check_expiry!(request)
+      if request.params["expires_at"]
+        error!(403, "Request has expired") if expires_in(request) <= 0
+      end
+    end
+
+    def expires_in(request)
+      expires_at = Integer(request.params["expires_at"])
+
+      (Time.at(expires_at) - Time.now).to_i
+    end
+
+    # Halts the request with the error message.
+    def error!(status, message)
+      throw :halt, [status, { "Content-Type" => "text/plain" }, [message]]
+    end
+
+    def secret_key
+      derivation_options[:secret_key]
+    end
+
+    def derivation_options
+      shrine_class.derivation_options.merge(self.options)
+    end
+  end
+
+  class Derivation::Response < Derivation::Command
+    delegate :type, :disposition, :filename,
+             :upload, :upload_redirect, :upload_redirect_url_options
+
+    def call(env)
+      if upload
+        upload_response(env)
+      else
+        local_response(env)
+      end
+    end
+
+    private
+
+    def local_response(env)
+      derivative = derivation.generate
+
+      file_response(derivative, env)
+    end
+
+    def file_response(file, env)
+      file.close
+      response = rack_file_response(file.path, env)
+
+      status = response[0]
+
+      filename  = self.filename
+      filename += File.extname(file.path) if File.extname(filename).empty?
+
+      headers = {}
+      headers["Content-Type"]        = type || response[1]["Content-Type"]
+      headers["Content-Disposition"] = content_disposition(filename)
+      headers["Content-Length"]      = response[1]["Content-Length"]
+      headers["Content-Range"]       = response[1]["Content-Range"] if response[1]["Content-Range"]
+      headers["Accept-Ranges"]       = "bytes"
+
+      body = Rack::BodyProxy.new(response[2]) { File.delete(file.path) }
+
+      [status, headers, body]
+    end
+
+    def upload_response(env)
+      uploaded_file = derivation.retrieve
+
+      unless uploaded_file
+        derivative    = derivation.generate
+        uploaded_file = derivation.upload(derivative)
+      end
+
+      if upload_redirect
+        File.delete(derivative.path) if derivative
+
+        redirect_url = uploaded_file.url(upload_redirect_url_options)
+
+        [302, { "Location" => redirect_url }, []]
+      else
+        if derivative
+          file_response(derivative, env)
+        else
+          uploaded_file.to_rack_response(
+            type:        type,
+            disposition: disposition,
+            filename:    filename,
+            range:       env["HTTP_RANGE"],
+          )
+        end
+      end
+    end
+
+    def rack_file_response(path, env)
+      server = Rack::File.new("", {}, "application/octet-stream")
+
+      if Rack.release > "2"
+        server.serving(Rack::Request.new(env), path)
+      else
+        server = server.dup
+        server.path = path
+        server.serving(env)
+      end
+    end
+
+    def content_disposition(filename)
+      ContentDisposition.format(disposition: disposition, filename: filename)
+    end
+  end
+
+  class Derivation::Processed < Derivation::Command
+    delegate :upload
+
+    def call
+      if upload
+        upload_result
+      else
+        local_result
+      end
+    end
+
+    private
+
+    def local_result
+      derivation.generate
+    end
+
+    def upload_result
+      uploaded_file = derivation.retrieve
+
+      unless uploaded_file
+        derivative    = derivation.generate
+        uploaded_file = derivation.upload(derivative)
+
+        derivative.unlink
+      end
+
+      uploaded_file
+    end
+  end
+
+  class Derivation::Generate < Derivation::Command
+    delegate :name, :args, :source,
+             :download, :download_errors, :download_options,
+             :include_uploaded_file
+
+    def call(file = nil)
+      derivative = generate(file)
+      derivative = normalize(derivative)
+      derivative
+    end
+
+    private
+
+    def generate(file)
+      if download
+        with_downloaded(file) do |file|
+          if include_uploaded_file
+            uploader.instance_exec(file, source, *args, &derivation_block)
+          else
+            uploader.instance_exec(file, *args, &derivation_block)
+          end
+        end
+      else
+        uploader.instance_exec(source, *args, &derivation_block)
+      end
+    end
+
+    def normalize(derivative)
+      if derivative.is_a?(Tempfile)
+        derivative.open
+      elsif derivative.is_a?(File)
+        derivative.close
+        derivative = File.open(derivative.path)
+      elsif derivative.is_a?(String)
+        derivative = File.open(derivative)
+      elsif defined?(Pathname) && derivative.is_a?(Pathname)
+        derivative = derivative.open
+      else
+        fail Error, "unexpected derivation result: #{derivation.inspect} (expected File, Tempfile, String, or Pathname object)"
+      end
+
+      derivative.binmode
+      derivative
+    end
+
+    def with_downloaded(file, &block)
+      if file
+        yield file
+      else
+        download_source(&block)
+      end
+    end
+
+    def download_source
+      download_args = download_options.any? ? [download_options] : []
+      downloaded    = false
+
+      source.download(*download_args) do |file|
+        downloaded = true
+        yield file
+      end
+    rescue *download_errors
+      raise if downloaded # re-raise if the error didn't happen on download
+      raise Derivation::SourceNotFound, "source file \"#{source.id}\" was not found on storage :#{source.storage_key}"
+    end
+
+    def derivation_block
+      shrine_class.derivations[name] or fail Derivation::NotFound, "derivation #{name.inspect} is not defined"
+    end
+
+    def uploader
+      source.uploader
+    end
+  end
+
+  class Derivation::Upload < Derivation::Command
+    delegate :upload_location, :upload_storage, :upload_options
+
+    def call(derivative = nil)
+      derivative ||= derivation.generate
+
+      uploader.upload derivative,
+        location:       upload_location,
+        upload_options: upload_options
+    end
+
+    private
+
+    def uploader
+      shrine_class.new(upload_storage)
+    end
+  end
+
+  class Derivation::Retrieve < Derivation::Command
+    delegate :upload_location, :upload_storage
+
+    def call
+      if storage.exists?(upload_location)
+        shrine_class::UploadedFile.new(
+          "storage" => upload_storage.to_s,
+          "id"      => upload_location,
+        )
+      end
+    end
+
+    private
+
+    def storage
+      shrine_class.find_storage(upload_storage)
+    end
+  end
+
+  class Derivation::Delete < Derivation::Command
+    delegate :upload_location, :upload_storage
+
+    def call
+      storage.delete(upload_location)
+    end
+
+    private
+
+    def storage
+      shrine_class.find_storage(upload_storage)
+    end
+  end
+
+  class UrlSigner
+    class InvalidSignature < Error; end
+
+    attr_reader :secret_key
+
+    def initialize(secret_key)
+      @secret_key = secret_key
+    end
+
+    def signed_url(*components, params)
+      path  = Rack::Utils.escape_path(components.join("/"))
+      query = Rack::Utils.build_query(params)
+
+      signature = generate_signature("#{path}?#{query}")
+
+      query = Rack::Utils.build_query(params.merge(signature: signature))
+
+      "#{path}?#{query}"
+    end
+
+    def verify_url(path_with_query)
+      path, query = path_with_query.split("?")
+
+      params    = Rack::Utils.parse_query(query.to_s)
+      signature = params.delete("signature")
+      query     = Rack::Utils.build_query(params)
+
+      verify_signature("#{path}?#{query}", signature)
+    end
+
+    def verify_signature(string, signature)
+      if signature.nil?
+        fail InvalidSignature, "missing \"signature\" param"
+      elsif signature != generate_signature(string)
+        fail InvalidSignature, "provided signature does not match the calculated signature"
+      end
+    end
+
+    def generate_signature(string)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret_key, string)
+    end
+  end
+end