storage: PostPolicyV4Options.SignBytes is not compatible with Credentials API #4752

Closed
apstndb opened this issue Sep 14, 2021 · 2 comments · Fixed by #5079
Labels
api: storage Issues related to the Cloud Storage API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments


apstndb commented Sep 14, 2021

Client

Cloud Storage

Environment

Reproduced in both local and remote environments.

Go Environment

```
$ go version
go version go1.16.5 darwin/amd64
```

Code

The definitions of PostPolicyV4Options.SignBytes and SignedURLOptions.SignBytes differ.

The input of PostPolicyV4Options.SignBytes is hashedBytes.

```go
// Excerpt from GenerateSignedPostPolicyV4: the callback receives a digest.
var signingFn func(hashedBytes []byte) ([]byte, error)
switch {
case opts.SignBytes != nil:
	signingFn = opts.SignBytes
case len(opts.PrivateKey) != 0:
	parsedRSAPrivKey, err := parseKey(opts.PrivateKey)
	if err != nil {
		return nil, err
	}
	signingFn = func(hashedBytes []byte) ([]byte, error) {
		// The library's own path signs an already-computed SHA-256 digest.
		return rsa.SignPKCS1v15(rand.Reader, parsedRSAPrivKey, crypto.SHA256, hashedBytes)
	}
	// remaining cases of the switch omitted from this excerpt
}

// The policy is hashed here, so a user-supplied SignBytes gets the digest, not the policy.
shaSum := sha256.Sum256([]byte(b64Policy))
signature, err := signingFn(shaSum[:])
```

The input of SignedURLOptions.SignBytes is raw bytes.

```go
// Excerpt from SignedURL: the callback receives the raw bytes to sign.
signBytes := opts.SignBytes
if opts.PrivateKey != nil {
	key, err := parseKey(opts.PrivateKey)
	if err != nil {
		return "", err
	}
	signBytes = func(b []byte) ([]byte, error) {
		// Hashing happens inside the callback, so SignBytes implementations
		// (including signBlob) are expected to hash the input themselves.
		sum := sha256.Sum256(b)
		return rsa.SignPKCS1v15(
			rand.Reader,
			key,
			crypto.SHA256,
			sum[:],
		)
	}
}
b, err := signBytes(signBuf.Bytes())
```

This difference seems to make PostPolicyV4Options.SignBytes incompatible with projects.serviceAccounts.signBlob of Service Account Credentials API.

Code

```go
// ctx, bucket and object are defined elsewhere in the caller.
email := os.Getenv("IMPERSONATE_SERVICE_ACCOUNT")
var signBytesFn func(b []byte) ([]byte, error)
var privateKey []byte

if email != "" {
	// Impersonation path: sign with the IAM Credentials API (signBlob).
	credCli, err := credentials.NewIamCredentialsClient(ctx)
	if err != nil {
		panic(err)
	}
	defer credCli.Close()

	signBytesFn = func(b []byte) ([]byte, error) {
		// signBlob hashes the payload server-side; it expects raw bytes.
		req := &credentialspb.SignBlobRequest{
			Payload: b,
			Name:    email,
		}
		resp, err := credCli.SignBlob(ctx, req)
		if err != nil {
			panic(err)
		}
		return resp.SignedBlob, err
	}
} else {
	// Local key path: let the library sign with the service account's private key.
	cred, _ := google.FindDefaultCredentials(ctx)
	jwtConfig, _ := google.JWTConfigFromJSON(cred.JSON)
	email = jwtConfig.Email
	privateKey = jwtConfig.PrivateKey
}

opts := &storage.PostPolicyV4Options{
	GoogleAccessID: email,
	SignBytes:      signBytesFn,
	PrivateKey:     privateKey,
	Expires:        time.Now().Add(10 * time.Minute),
	Fields: &storage.PolicyV4Fields{
		Metadata: map[string]string{},
	},
}

policy, err := storage.GenerateSignedPostPolicyV4(bucket, object, opts)
```

Expected behavior

Signed policy documents are valid in both cases, IMPERSONATE_SERVICE_ACCOUNT or GOOGLE_APPLICATION_CREDENTIALS.

Actual behavior

The signed policy document is only valid in the GOOGLE_APPLICATION_CREDENTIALS case.

Additional context

Possible patch
storage/v1.16.1...apstndb:fix-policy-document

@apstndb apstndb added the triage me I really want to be triaged. label Sep 14, 2021
@product-auto-label product-auto-label bot added the api: storage Issues related to the Cloud Storage API. label Sep 14, 2021
@WildSunLove WildSunLove added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Sep 14, 2021
@BrennaEpp BrennaEpp added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Sep 14, 2021
@BrennaEpp BrennaEpp added priority: p2 Moderately-important priority. Fix may not be included in next release. and removed triage me I really want to be triaged. labels Sep 28, 2021
@BrennaEpp BrennaEpp added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. and removed type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Nov 1, 2021
@BrennaEpp (Contributor) commented:

Hi @apstndb, thanks for filing this issue! We looked into this and are coming up with a solution for this. I'll update you later this week on the progress.

@BrennaEpp (Contributor) commented:

Update: I have a PR to implement a fix for this. To avoid breaking people depending on the current behaviour, we added an extra field to PostPolicyV4Options called SignRawBytes that is compatible with the Credentials API and does not expect hashed bytes as input.
Once that is merged and released, this code should work with the replacement of SignBytes -> SignRawBytes.
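The following is an added example, not code from the issue or from the storage library, that reproduces the mismatch the issue describes and the contract the SignRawBytes reply proposes. It replaces the IAM Credentials API with a local signBlob-style signer (hashes the raw payload itself, then signs) and uses a constructed base64 policy string; the function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// rawSigner stands in for projects.serviceAccounts.signBlob (a local model, not the
// real IAM Credentials client): it hashes the raw payload itself, then signs the digest.
func rawSigner(key *rsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(payload []byte) ([]byte, error) {
		sum := sha256.Sum256(payload)
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	}
}

// signPolicyHashed mirrors the PostPolicyV4Options.SignBytes contract: the library
// hashes the policy first and hands the digest, not the policy, to the callback.
func signPolicyHashed(policy []byte, signBytes func([]byte) ([]byte, error)) ([]byte, error) {
	sum := sha256.Sum256(policy)
	return signBytes(sum[:])
}

// verifyPolicy is the upload-time check: a PKCS#1 v1.5 signature over SHA-256(policy).
func verifyPolicy(pub *rsa.PublicKey, policy, sig []byte) bool {
	sum := sha256.Sum256(policy)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil
}

// compareContracts signs one policy through both contracts with a signBlob-style signer.
func compareContracts(key *rsa.PrivateKey, policy []byte) (hashedOK, rawOK bool, err error) {
	signer := rawSigner(key)
	sigHashed, err := signPolicyHashed(policy, signer) // signs SHA-256(SHA-256(policy))
	if err != nil {
		return false, false, err
	}
	sigRaw, err := signer(policy) // SignedURL / SignRawBytes contract: raw bytes in
	if err != nil {
		return false, false, err
	}
	return verifyPolicy(&key.PublicKey, policy, sigHashed), verifyPolicy(&key.PublicKey, policy, sigRaw), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(compareContracts(key, []byte("eyJjb25kaXRpb25zIjpbXX0="))) // false true <nil>
}
```

The first result is the reported bug: feeding a pre-hashed digest to a signer that hashes again yields a signature the service rejects, while the raw-bytes contract verifies.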
