New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support TempURL for content in private containers #32

Closed
robert-bor opened this Issue May 14, 2013 · 1 comment

Comments

Projects
None yet
1 participant
@robert-bor
Member

robert-bor commented May 14, 2013

Requirement

Content in private container must currently be served through the application. It is desirable that the application server can serve a 3xx HTTP response with a valid temporary URL (TempURL) to the object.

The implementation must be hidden by the API. Possibly by making this part of the getXXXURL() family.

My notes

Before TempURLs can be created, the account must first be passed the key for the hashes. This is done in the following way:

curl -v -X POST -H "X-Auth-Token: [AUTH_TOKEN]" -H "X-Account-Meta-Temp-Url-Key: [YOUR_PASSWORD]" [SWIFT_URL]

The digest must be created out of:

  • the method
  • expires
  • object path

Note that the object path contains the path after the host!

Let's take an example

  • method: GET
  • expires: 2737152115
  • object path: /v1/AUTH_a32c0e5f920a4dbc967e50dd2a4e3957/secret/hum3.png
String plainText = "GET\n2737152115\n/v1/AUTH_a32c0e5f920a4dbc967e50dd2a4e3957/secret/hum3.png";

This body must be SHA1 hashed in base-16 notation. For the example the result will be:

e9dab41e3ec1ae2d6c9dfb794bc9cb401757992c

The Fetch URL is the same as usual, except that you add an extra parameter (containing two sub-parameters, semi-colon delimited) to it:

  • temp_url_sig=e9dab41e3ec1ae2d6c9dfb794bc9cb401757992c
  • temp_url_expires=2737152115

The full URL now becomes:

https://a32c0e5f920a4dbc967e50dd2a4e3957.objectstore.eu/secret/hum3.png?temp_url_sig=e9dab41e3ec1ae2d6c9dfb794bc9cb401757992c;temp_url_expires=2737152115

The ObjectStore does the same composition with method, expires and object path and also creates a hash out of it, using the password (X-Account-Meta-Temp-Url-Key) set in the Account. It then compares this hash with the temp_url_sig. If the hashes match, the first test is passed. It then checks whether the time has expired. If it has not, it can now return the content.

Hash code

This codes behaves in a similar way to Python's hmac.new():

    public static String getHmacMD5(String privateKey, String input) throws Exception{
        SecretKeySpec keySpec = new SecretKeySpec(privateKey.getBytes(), "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(keySpec);
        byte[] hashBytes = mac.doFinal(input.getBytes());
        return Hex.encodeHexString(hashBytes);
    }

Caveats

CloudVPS currently works with a host that hides the /v1/AUTH_Account. Account is also replaced with a base-16 identifier. This value must still be passed as the full object path for the hash. Koert has said he will look into the possibility of just adding the regular object path, which would make a really nice solution.

Links

http://docs.rackspace.com/files/api/v1/cf-devguide/content/Create_TempURL-d1a444.html
http://docs.openstack.org/developer/swift/misc.html#module-swift.common.middleware.tempurl
https://www.hpcloud.com/learn/controlled-access-object-store (alternative approach)
http://www.rackspace.com/blog/rackspace-cloud-files-how-to-create-temporary-urls/

@ghost ghost assigned robert-bor May 14, 2013

robert-bor added a commit that referenced this issue May 26, 2013

Issue #32 - the hash password is now part of AccountConfig, which is …
…useful because it is both used to set the password on the Account and to create a hash (as part of the TempURL). Both password must match, so this method helps to do that

robert-bor added a commit that referenced this issue May 26, 2013

Issue #32 - the TempURL prefix can now be determined from the Access …
…object. Needs wiring into StoredObject as well as the complete hashing algorithm to be functional

robert-bor added a commit that referenced this issue May 26, 2013

Issue #32 - both GET and PUT temporary URLs are created. The mechanis…
…m for the hash password is better integrated for saving/retrieving/using.

@robert-bor robert-bor closed this May 27, 2013

@robert-bor

This comment has been minimized.

Show comment
Hide comment
@robert-bor

robert-bor May 29, 2013

Member

CloudVPS is implementing the promised solution: https://github.com/CloudVPS/swift-tempurl/

Member

robert-bor commented May 29, 2013

CloudVPS is implementing the promised solution: https://github.com/CloudVPS/swift-tempurl/

robert-bor added a commit that referenced this issue May 29, 2013

Display a warning on tenant discovery
Issue #32 - use an & instead of a ; to separate arguments, contrary to the specifications

katta pushed a commit to twxkit/joss that referenced this issue Oct 6, 2014

katta pushed a commit to twxkit/joss that referenced this issue Oct 6, 2014

Issue #32 - the hash password is now part of AccountConfig, which is …
…useful because it is both used to set the password on the Account and to create a hash (as part of the TempURL). Both password must match, so this method helps to do that

katta pushed a commit to twxkit/joss that referenced this issue Oct 6, 2014

Issue #32 - the TempURL prefix can now be determined from the Access …
…object. Needs wiring into StoredObject as well as the complete hashing algorithm to be functional

katta pushed a commit to twxkit/joss that referenced this issue Oct 6, 2014

Issue #32 - both GET and PUT temporary URLs are created. The mechanis…
…m for the hash password is better integrated for saving/retrieving/using.

katta pushed a commit to twxkit/joss that referenced this issue Oct 6, 2014

Display a warning on tenant discovery
Issue #32 - use an & instead of a ; to separate arguments, contrary to the specifications
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment