
Revert "Generate signed URLs for use with encryption"
Committed to master instead of develop

This reverts commit 5006a8a.
h4xnoodle committed Nov 6, 2019
1 parent 5006a8a commit d3ce74a
Showing 6 changed files with 14 additions and 81 deletions.
5 changes: 2 additions & 3 deletions README.md
Expand Up @@ -34,17 +34,16 @@ bosh-gcscli -c config.json delete <remote-blob>
```
### Check if an object exists
```bash
bosh-gcscli -c config.json exists <remote-blob>
bosh-gcscli -c config.json exists <remote-blob>```
```

### Generate a signed url for an object
```bash
bosh-gcscli -c config.json sign <remote-blob> <http action> <expiry> [encrypt]
bosh-gcscli -c config.json sign <remote-blob> <http action> <expiry>```
```
Where:
- `<http action>` is GET, PUT, or DELETE
- `<expiry>` is a duration string less than 7 days (e.g. "6h")
- `[encrypt]` is optional. If 'encrypt' is supplied, requests with signed URLs will require `x-goog-encryption-key` and `x-goog-encryption-key-hash` headers

## Configuration
The command line tool expects a JSON configuration file. Run `bosh-gcscli --help` for details.
11 changes: 1 addition & 10 deletions client/client.go
Expand Up @@ -203,7 +203,7 @@ func (client *GCSBlobstore) readOnly() bool {
return client.authenticatedGCS == nil
}

func (client *GCSBlobstore) Sign(id string, action string, expiry time.Duration, willEncrypt bool) (string, error) {
func (client *GCSBlobstore) Sign(id string, action string, expiry time.Duration) (string, error) {
token, err := google.JWTConfigFromJSON([]byte(client.config.ServiceAccountFile), storage.ScopeFullControl)
if err != nil {
return "", err
Expand All @@ -215,14 +215,5 @@ func (client *GCSBlobstore) Sign(id string, action string, expiry time.Duration,
GoogleAccessID: token.Email,
Scheme: storage.SigningSchemeV4,
}

// GET/PUT to the resultant signed url will include
// 'x-goog-encryption-key' and 'x-goog-encryption-key-hash' headers
if willEncrypt {
options.Headers = []string{
"x-goog-encryption-algorithm:AES256",
}
}

return storage.SignedURL(client.config.BucketName, id, &options)
}
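Review bot: Sign on the new side is an exported method with no doc comment, and at the first error check it returns the google.JWTConfigFromJSON error bare, so a caller cannot tell that the failure concerns the service-account credentials rather than the bucket or blob. I would add `// Sign returns a V4 signed URL for blob id that authorizes the given HTTP action until expiry elapses, signed with the configured service account.` above the signature, and give the error context, e.g. `return "", fmt.Errorf("parsing service account for signing: %v", err)` (the module declares go 1.12, so I have avoided %w; this needs fmt in scope). readOnly() at the top of the hunk suggests a client can exist without credentials; if ServiceAccountFile can be empty in that configuration, this path would surface a JSON parse error instead of a clear read-only message — worth confirming. The SignedURLOptions fields between the two hunks and the rest of Sign's body lie outside the visible lines.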
5 changes: 2 additions & 3 deletions go.mod
Expand Up @@ -4,9 +4,8 @@ go 1.12

require (
cloud.google.com/go v0.44.3
github.com/onsi/ginkgo v1.10.3
github.com/onsi/gomega v1.7.1
golang.org/x/lint v0.0.0-20190930215403-16217165b5de // indirect
github.com/onsi/ginkgo v1.9.0
github.com/onsi/gomega v1.6.0
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 // indirect
8 changes: 0 additions & 8 deletions go.sum
Expand Up @@ -40,12 +40,8 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.9.0 h1:SZjF721BByVj8QH636/8S2DnX4n0Re3SteMmw3N+tzc=
github.com/onsi/ginkgo v1.9.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.3 h1:OoxbjfXVZyod1fmWYhI7SEyaD8B00ynP3T+D5GiyHOY=
github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v1.6.0 h1:8XTW0fcJZEq9q+Upcyws4JSGua2MFysCL5xkaSgHc+M=
github.com/onsi/gomega v1.6.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1 h1:K0jcRCwNQM3vFGh1ppMtDh/+7ApJrjldlX8fA0jDTLQ=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
Expand All @@ -60,8 +56,6 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190409202823-959b441ac422 h1:QzoH/1pFpZguR8NrRHLcO6jKqfv2zpuSqZLgdm7ZmjI=
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -143,8 +137,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
38 changes: 0 additions & 38 deletions integration/gcs_static_test.go
Expand Up @@ -67,43 +67,5 @@ var _ = Describe("Integration", func() {
Expect(resp.StatusCode).To(Equal(200))
defer resp.Body.Close()
})

It("can generate a signed url for encrypting later", func() {
session, err := RunGCSCLI(gcsCLIPath, ctx.ConfigPath, "sign", ctx.GCSFileName, "PUT", "1h", "encrypt")
Expect(err).ToNot(HaveOccurred())
signedPutUrl := string(session.Out.Contents())

session, err = RunGCSCLI(gcsCLIPath, ctx.ConfigPath, "sign", ctx.GCSFileName, "GET", "1h", "encrypt")
Expect(err).ToNot(HaveOccurred())
signedGetUrl := string(session.Out.Contents())

stuff := strings.NewReader(`stuff`)
putReq, _ := http.NewRequest("PUT", signedPutUrl, stuff)
getReq, _ := http.NewRequest("GET", signedGetUrl, nil)

// openssl rand 32 | base64
key := "PG+tLm6vjBZXpU6S5Oiv/rpkA4KLioQRTXU3AfVzyHc="
// echo -n key | base64 -D | shasum -a 256 | cut -f1 -d' ' | tr -d '\n' | xxd -r -p | base64
hash := "bQOB9Mp048LRjpIoKm2njgQgiC3FRO2gn/+x6Vlfa4E="

headers := map[string][]string{
"x-goog-encryption-algorithm": []string{"AES256"},
"x-goog-encryption-key": []string{key},
"x-goog-encryption-key-sha256": []string{hash},
}

putReq.Header = headers
getReq.Header = headers

resp, err := http.DefaultClient.Do(putReq)
Expect(err).ToNot(HaveOccurred())
Expect(resp.StatusCode).To(Equal(200))
resp.Body.Close()

resp, err = http.DefaultClient.Do(getReq)
Expect(err).ToNot(HaveOccurred())
Expect(resp.StatusCode).To(Equal(200))
resp.Body.Close()
})
})
})
28 changes: 9 additions & 19 deletions main.go
Expand Up @@ -51,15 +51,10 @@ bosh-gcscli -c config.json delete <remote-blob>
bosh-gcscli -c config.json exists <remote-blob>
# Generate a signed url for an object
# Where:
# - <http action> is GET, PUT, or DELETE
# - <expiry> is a duration string less than 7 days (e.g. "6h")
# - <encrypt> is optional the word 'encrypt'. Users of the signed url are required to provide the correct headers
eg. -H "x-goog-encryption-key: <customer-supplied encryption key>" -H "x-goog-encryption-sha256: <hash>" -H "x-goog-encryption-algorithm: AES256"
# eg bosh-gcscli -c config.json sign blobid PUT 24h encrypt
# eg bosh-gcscli -c config.json sign blobid PUT 24h
bosh-gcscli -c config.json sign <remote-blob> <http action> <expiry> [encrypt]
`
bosh-gcscli -c config.json sign <remote-blob> <http action> <expiry>
Where:
- <http action> is GET, PUT, or DELETE
- <expiry> is a duration string less than 7 days (e.g. "6h")`

var (
showVer = flag.Bool("v", false, "Print CLI version")
Expand Down Expand Up @@ -134,7 +129,7 @@ func main() {
switch cmd {
case "put":
if len(nonFlagArgs) != 3 {
log.Fatalf("put method expected 2 arguments got %d\n", len(nonFlagArgs))
log.Fatalf("put method expected 3 arguments got %d\n", len(nonFlagArgs))
}
src, dst := nonFlagArgs[1], nonFlagArgs[2]

Expand All @@ -149,7 +144,7 @@ func main() {
fmt.Println(err)
case "get":
if len(nonFlagArgs) != 3 {
log.Fatalf("get method expected 2 arguments got %d\n", len(nonFlagArgs))
log.Fatalf("get method expected 3 arguments got %d\n", len(nonFlagArgs))
}
src, dst := nonFlagArgs[1], nonFlagArgs[2]

Expand Down Expand Up @@ -181,8 +176,8 @@ func main() {
os.Exit(3)
}
case "sign":
if len(nonFlagArgs) < 4 {
log.Fatalf("sign method expected at least 3 arguments got %d\n", len(nonFlagArgs))
if len(nonFlagArgs) != 4 {
log.Fatalf("sign method expected 3 arguments got %d\n", len(nonFlagArgs))
}

id, action, expiry := nonFlagArgs[1], nonFlagArgs[2], nonFlagArgs[3]
Expand All @@ -193,18 +188,13 @@ func main() {
log.Fatal(err)
}

willEncrypt := false
if len(nonFlagArgs) > 4 {
willEncrypt = nonFlagArgs[4] == "encrypt"
}

var expiryDuration time.Duration
expiryDuration, err = time.ParseDuration(expiry)
if err != nil {
log.Fatalf("Invalid expiry duration: %v", err)
}
url := ""
url, err = blobstoreClient.Sign(id, action, expiryDuration, willEncrypt)
url, err = blobstoreClient.Sign(id, action, expiryDuration)
if err == nil {
os.Stdout.WriteString(url)
}
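Review bot: The argument-count messages in the put and get hunks do not count the same way as the one in the sign hunk, whichever of the two printed variants is the new side: sign checks `len(nonFlagArgs) != 4` and reports "expected 3 arguments" (the command name excluded), while put and get check `!= 3` and report either 2 or 3, and all three print `len(nonFlagArgs)` as "got", which includes the command name. I would make the three consistent by excluding the command everywhere, e.g. `log.Fatalf("put method expected 2 arguments got %d\n", len(nonFlagArgs)-1)`, the same for get, and `log.Fatalf("sign method expected 3 arguments got %d\n", len(nonFlagArgs)-1)`. Separately, in the sign case the URL is only written when `err == nil` and the hunk ends before any error branch; the other cases print the error or call os.Exit(3), so if nothing beyond the hunk reports a signing failure the command would exit silently with status 0 — worth confirming. main() continues outside the hunk.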
