docs(storage): Update documentation of SignedUrlUnavailable #6924

Merged 1 commit, Jun 29, 2020

10 changes: 8 additions & 2 deletions google-cloud-storage/AUTHENTICATION.md
Expand Up @@ -102,8 +102,14 @@ To configure your system for this, simply:
2. Authenticate using OAuth 2.0 `$ gcloud auth login`
3. Write code as if already authenticated.

**NOTE:** This is _not_ recommended for running in production. The Cloud SDK
*should* only be used during development.
**NOTE:** The use of Cloud SDK credentials is _not_ recommended for running in
production. The Cloud SDK *should* only be used during development.

**NOTE:** The use of Cloud SDK credentials may not support certain methods such as
those that produce
[signed URLs](https://cloud.google.com/storage/docs/access-control/signed-urls) and
post objects. For these methods, authentication using a service account JSON key file
is required.

[gce-how-to]: https://cloud.google.com/compute/docs/authentication#using
[dev-console]: https://console.cloud.google.com/project
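
Review bot: The second NOTE closes with "authentication using a service account JSON key file is required", which is stronger than what the signers in this PR enforce. `determine_issuer` and `determine_signing_key` take `issuer`/`client_email` and `signing_key`/`private_key` from the method options first and only then fall back to `@service.credentials`. Suggest saying that a service account issuer and signing key must be available, either from a service account JSON key file or passed to the method, and dropping the "may not" hedge, since the same sentence goes on to say "required".
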
25 changes: 20 additions & 5 deletions google-cloud-storage/lib/google/cloud/storage/bucket.rb
Expand Up @@ -1406,7 +1406,7 @@ def compose sources, destination, acl: nil, encryption_key: nil
# A {SignedUrlUnavailable} is raised if the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/storage/docs/authentication#service_accounts).
# https://cloud.google.com/iam/docs/service-accounts).
#
# @see https://cloud.google.com/storage/docs/access-control/signed-urls
# Signed URLs guide
Expand Down Expand Up @@ -1462,7 +1462,12 @@ def compose sources, destination, acl: nil, encryption_key: nil
# to create. Must be one of `:v2` or `:v4`. The default value is
# `:v2`.
#
# @return [String]
# @return [String] The signed URL.
#
# @raise [SignedUrlUnavailable] If the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/iam/docs/service-accounts).

Member

Some markdown parsers don't like the whitespace inside the URL parens. If you really need to line break, do something like:

[Service Account
Authentication](https://cloud.google.com/iam/docs/service_accounts)

Same for additional instances below.

Member Author

Of course! Thanks for catching.

#
# @example
# require "google/cloud/storage"
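
Review bot: The new `@raise [SignedUrlUnavailable]` text repeats, word for word and link included, the "A {SignedUrlUnavailable} is raised if ..." paragraph shown in the hunk at line 1406 of this file. Suggest keeping the tag to the condition alone, for example `@raise [SignedUrlUnavailable] If the service account credentials are missing.`, and leaving the link in the prose paragraph or on the error class so a future URL change touches one place. If the link stays in the tag, it needs the line-break fix raised in the thread above.
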
Expand Down Expand Up @@ -1591,7 +1596,7 @@ def signed_url path = nil,
# A {SignedUrlUnavailable} is raised if the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/storage/docs/authentication#service_accounts).
# https://cloud.google.com/iam/docs/service-accounts).
#
# @see https://cloud.google.com/storage/docs/xml-api/post-object
#
Expand All @@ -1613,7 +1618,12 @@ def signed_url path = nil,
# @param [OpenSSL::PKey::RSA, String] private_key Service Account's
# Private Key.
#
# @return [PostObject]
# @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
#
# @raise [SignedUrlUnavailable] If the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/iam/docs/service-accounts).
#
# @example
# require "google/cloud/storage"
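
Review bot: The changed `@return [PostObject]` line is one long unwrapped line, while every other comment line in this hunk is wrapped. Suggest wrapping it to match the lines around it and writing "HTML forms" rather than "html forms".
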
Expand Down Expand Up @@ -1703,7 +1713,7 @@ def post_object path,
# A {SignedUrlUnavailable} is raised if the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/storage/docs/authentication#service_accounts).
# https://cloud.google.com/iam/docs/service-accounts).
#
# @see https://cloud.google.com/storage/docs/xml-api/post-object
#
Expand Down Expand Up @@ -1733,6 +1743,11 @@ def post_object path,
#
# @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
#
# @raise [SignedUrlUnavailable] If the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/iam/docs/service-accounts).
#
# @example
# require "google/cloud/storage"
#
9 changes: 7 additions & 2 deletions google-cloud-storage/lib/google/cloud/storage/errors.rb
Expand Up @@ -58,8 +58,13 @@ def self.for_crc32c gcloud_digest, local_digest
##
# # SignedUrlUnavailable Error
#
# This is raised when File#signed_url is unable to generate a URL due to
# missing credentials needed to create the URL.
# Raised by signed URL methods if the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/iam/docs/service-accounts).
#
# @see https://cloud.google.com/storage/docs/access-control/signed-urls Signed URLs
#
class SignedUrlUnavailable < Google::Cloud::Error
end
end
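
Review bot: "Raised by signed URL methods" in the new class comment leaves out the POST object paths. `post_object` in both `signer_v2.rb` and `signer_v4.rb` goes through the same `determine_issuer`/`determine_signing_key` calls, and this PR adds `@raise [SignedUrlUnavailable]` to the `post_object` docs in `bucket.rb`. Suggest "Raised by signed URL and POST object methods ..." plus a second `@see` for https://cloud.google.com/storage/docs/xml-api/post-object, which the method docs already reference.
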
9 changes: 7 additions & 2 deletions google-cloud-storage/lib/google/cloud/storage/file.rb
Expand Up @@ -1442,7 +1442,7 @@ def public_url protocol: :https
# A {SignedUrlUnavailable} is raised if the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/storage/docs/authentication#service_accounts).
# https://cloud.google.com/iam/docs/service-accounts).
#
# @see https://cloud.google.com/storage/docs/access-control/signed-urls
# Signed URLs guide
Expand Down Expand Up @@ -1496,7 +1496,12 @@ def public_url protocol: :https
# to create. Must be one of `:v2` or `:v4`. The default value is
# `:v2`.
#
# @return [String]
# @return [String] The signed URL.
#
# @raise [SignedUrlUnavailable] If the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/iam/docs/service-accounts).
#
# @example
# require "google/cloud/storage"
19 changes: 11 additions & 8 deletions google-cloud-storage/lib/google/cloud/storage/file/signer_v2.rb
Expand Up @@ -77,13 +77,20 @@ def signature_str options
end

def determine_signing_key options = {}
options[:signing_key] || options[:private_key] ||
@service.credentials.signing_key
signing_key = options[:signing_key] || options[:private_key] || @service.credentials.signing_key
raise SignedUrlUnavailable, error_msg("signing_key (private_key)") unless signing_key
signing_key
end

def determine_issuer options = {}
options[:issuer] || options[:client_email] ||
@service.credentials.issuer
issuer = options[:issuer] || options[:client_email] || @service.credentials.issuer
raise SignedUrlUnavailable, error_msg("issuer (client_email)") unless issuer
issuer
end

def error_msg attr_name
"Service account credentials '#{attr_name}' is missing. To generate service account credentials " \
"see https://cloud.google.com/iam/docs/service-accounts"
end

def post_object options
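
Review bot: In `determine_signing_key` and `determine_issuer`, the new guard only fires when the `||` chain evaluates to nil. `@service.credentials.signing_key` and `@service.credentials.issuer` are still called unguarded, so a credentials object that does not define those methods would raise before `SignedUrlUnavailable` can. Since the AUTHENTICATION.md note in this PR is about Cloud SDK credentials, a spec that runs both methods with that credential type and asserts the error class and message would confirm the documented behaviour. Separately, the `error_msg` string reads "credentials '...' is missing"; "Service account credential '...' is missing" would agree in number.
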
Expand All @@ -99,8 +106,6 @@ def post_object options
i = determine_issuer options
s = determine_signing_key options

raise SignedUrlUnavailable unless i && s

policy_str = p.to_json
policy = Base64.strict_encode64(policy_str).delete "\n"

Expand All @@ -119,8 +124,6 @@ def signed_url options
i = determine_issuer options
s = determine_signing_key options

raise SignedUrlUnavailable unless i && s

sig = generate_signature s, signature_str(options)
generate_signed_url i, sig, options[:expires], options[:query]
end
10 changes: 7 additions & 3 deletions google-cloud-storage/lib/google/cloud/storage/file/signer_v4.rb
Expand Up @@ -51,7 +51,6 @@ def post_object issuer: nil,
bucket_bound_hostname: nil
i = determine_issuer issuer, client_email
s = determine_signing_key signing_key, private_key
raise SignedUrlUnavailable unless i && s

now = Time.now.utc
base_fields = required_fields i, now
Expand Down Expand Up @@ -192,16 +191,21 @@ def signed_url_hostname scheme, virtual_hosted_style, bucket_bound_hostname
def determine_issuer issuer, client_email
# Parse the Service Account and get client id and private key
issuer = issuer || client_email || @service.credentials.issuer
raise SignedUrlUnavailable, "issuer (client_email) missing" unless issuer
raise SignedUrlUnavailable, error_msg("issuer (client_email)") unless issuer
issuer
end

def determine_signing_key signing_key, private_key
signing_key = signing_key || private_key || @service.credentials.signing_key
raise SignedUrlUnavailable, "signing_key (private_key) missing" unless signing_key
raise SignedUrlUnavailable, error_msg("signing_key (private_key)") unless signing_key
signing_key
end

def error_msg attr_name
"Service account credentials '#{attr_name}' is missing. To generate service account credentials " \
"see https://cloud.google.com/iam/docs/service-accounts"
end

def service_account_signer signer
signer = OpenSSL::PKey::RSA.new signer unless signer.respond_to? :sign
# Sign string to sign
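
Review bot: `error_msg` here is a character-for-character copy of the method added to `signer_v2.rb` in this PR. Suggest defining the message once, for example on `SignedUrlUnavailable` itself or in a small module both signers include, so the two copies cannot drift when the URL or wording changes. A more specific name such as `missing_credential_msg` would also say what the helper is for.
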
9 changes: 7 additions & 2 deletions google-cloud-storage/lib/google/cloud/storage/project.rb
Expand Up @@ -483,7 +483,7 @@ def hmac_keys service_account_email: nil, project_id: nil,
# A {SignedUrlUnavailable} is raised if the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/storage/docs/authentication#service_accounts).
# https://cloud.google.com/iam/docs/service-accounts).
#
# @see https://cloud.google.com/storage/docs/access-control/signed-urls
# Signed URLs guide
Expand Down Expand Up @@ -540,7 +540,12 @@ def hmac_keys service_account_email: nil, project_id: nil,
# to create. Must be one of `:v2` or `:v4`. The default value is
# `:v2`.
#
# @return [String]
# @return [String] The signed URL.
#
# @raise [SignedUrlUnavailable] If the service account credentials
# are missing. Service account credentials are acquired by following the
# steps in [Service Account Authentication](
# https://cloud.google.com/iam/docs/service-accounts).
#
# @example
# require "google/cloud/storage"