Support TempURL for content in private containers #32

Closed
robert-bor opened this issue May 14, 2013 · 1 comment
@robert-bor robert-bor commented May 14, 2013

Requirement

Content in private containers must currently be served through the application. It is desirable that the application server can serve a 3xx HTTP response with a valid temporary URL (TempURL) to the object.

The implementation must be hidden by the API. Possibly by making this part of the getXXXURL() family.

My notes

Before TempURLs can be created, the account must first be passed the key for the hashes. This is done in the following way:

    curl -v -X POST -H "X-Auth-Token: [AUTH_TOKEN]" -H "X-Account-Meta-Temp-Url-Key: [YOUR_PASSWORD]" [SWIFT_URL]

The digest must be created out of:

  • the method
  • expires
  • object path

Note that the object path contains the path after the host!

Let's take an example

  • method: GET
  • expires: 2737152115
  • object path: /v1/AUTH_a32c0e5f920a4dbc967e50dd2a4e3957/secret/hum3.png

    String plainText = "GET\n2737152115\n/v1/AUTH_a32c0e5f920a4dbc967e50dd2a4e3957/secret/hum3.png";

This body must be SHA1 hashed in base-16 notation. For the example the result will be:

e9dab41e3ec1ae2d6c9dfb794bc9cb401757992c

The Fetch URL is the same as usual, except that you add an extra parameter (containing two sub-parameters, semi-colon delimited) to it:

  • temp_url_sig=e9dab41e3ec1ae2d6c9dfb794bc9cb401757992c
  • temp_url_expires=2737152115

The full URL now becomes:

https://a32c0e5f920a4dbc967e50dd2a4e3957.objectstore.eu/secret/hum3.png?temp_url_sig=e9dab41e3ec1ae2d6c9dfb794bc9cb401757992c;temp_url_expires=2737152115

The ObjectStore does the same composition with method, expires and object path and also creates a hash out of it, using the password (X-Account-Meta-Temp-Url-Key) set in the Account. It then compares this hash with the temp_url_sig. If the hashes match, the first test is passed. It then checks whether the time has expired. If it has not, it can now return the content.

Hash code

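This code behaves in a similar way to Python's hmac.new():

    import java.nio.charset.StandardCharsets;
    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    import org.apache.commons.codec.binary.Hex;

    // Returns the hex-encoded HMAC-SHA1 of input, keyed with privateKey.
    public static String getHmacSHA1(String privateKey, String input) throws Exception {
        // Explicit charset so the digest does not depend on the platform default.
        SecretKeySpec keySpec = new SecretKeySpec(privateKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(keySpec);
        byte[] hashBytes = mac.doFinal(input.getBytes(StandardCharsets.UTF_8));
        return Hex.encodeHexString(hashBytes);
    }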

Caveats

CloudVPS currently works with a host that hides the /v1/AUTH_Account. Account is also replaced with a base-16 identifier. This value must still be passed as the full object path for the hash. Koert has said he will look into the possibility of just adding the regular object path, which would make a really nice solution.

Links

http://docs.rackspace.com/files/api/v1/cf-devguide/content/Create_TempURL-d1a444.html
http://docs.openstack.org/developer/swift/misc.html#module-swift.common.middleware.tempurl
https://www.hpcloud.com/learn/controlled-access-object-store (alternative approach)
http://www.rackspace.com/blog/rackspace-cloud-files-how-to-create-temporary-urls/
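The signing and server-side check described in this issue, as an added example that is not part of the original post or the project's code. It is written in Python because the issue compares the Java helper to `hmac.new()`, and it joins the query parameters with `&` as the later commit on this issue does. The key and the function names `sign`, `temp_url` and `verify` are constructed for illustration; account, host, path and expiry are the values from the issue.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample key; account, host and expiry are the issue's example values.
KEY = "constructed-temp-url-key"
ACCOUNT = "a32c0e5f920a4dbc967e50dd2a4e3957"
HOST = ACCOUNT + ".objectstore.eu"
EXPIRES = 2737152115


def sign(key, method, expires, object_path):
    """Hex HMAC-SHA1 over "METHOD\\nexpires\\nobject_path"."""
    plain = f"{method}\n{expires}\n{object_path}"
    return hmac.new(key.encode(), plain.encode(), hashlib.sha1).hexdigest()


def temp_url(key, method, expires, host, account, short_path):
    # Caveat from the issue: the public host hides /v1/AUTH_<account>,
    # but the signature must still cover the full object path.
    sig = sign(key, method, expires, f"/v1/AUTH_{account}{short_path}")
    return (f"https://{host}{short_path}"
            f"?temp_url_sig={sig}&temp_url_expires={expires}")


def verify(key, method, url, account, now=None):
    """Recompute the signature as the object store does, then check expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    expected = sign(key, method, expires, f"/v1/AUTH_{account}{parts.path}")
    # Constant-time comparison, so timing does not reveal matching prefixes.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    current = time.time() if now is None else now
    return current < expires
```

Because the method, expiry and path are all inside the signed text, changing any of them in the URL invalidates the signature; only the account key holder can mint a URL for a different object or a later expiry.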

@ghost ghost assigned robert-bor May 14, 2013
robert-bor added a commit that referenced this issue May 26, 2013
…useful because it is both used to set the password on the Account and to create a hash (as part of the TempURL). Both passwords must match, so this method helps to do that
robert-bor added a commit that referenced this issue May 26, 2013
…object. Needs wiring into StoredObject as well as the complete hashing algorithm to be functional
robert-bor added a commit that referenced this issue May 26, 2013
…m for the hash password is better integrated for saving/retrieving/using.
@robert-bor robert-bor closed this May 27, 2013

@robert-bor robert-bor commented May 29, 2013

CloudVPS is implementing the promised solution: https://github.com/CloudVPS/swift-tempurl/

robert-bor added a commit that referenced this issue May 29, 2013
Issue #32 - use an & instead of a ; to separate arguments, contrary to the specifications