Secure everything

saarons · Sep 5, 2013 · ed86b60 · ed86b60
1 parent 141a527
commit ed86b60
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 5 deletions.
diff --git a/app/helpers/print_helper.rb b/app/helpers/print_helper.rb
@@ -15,4 +15,4 @@ def default_printers
     building = choose_building || buildings.first
     $printers[building]
   end
-end
+end
diff --git a/app/models/document.rb b/app/models/document.rb
@@ -3,7 +3,9 @@ class Document < ActiveRecord::Base
   attr_accessor :tempfile
 
   def fetch
-    response = Excon.get(self.url)
+    policy = $filepicker.policy('read')
+    signature = $filepicker.signature(policy)
+    response = Excon.get(self.url, query: {policy: policy, signature: signature})
 
     self.filename = response.headers["X-File-Name"]
 
@@ -21,7 +23,11 @@ def needs_conversion?
   end
 
   def convert
-    response = Excon.get("https://docs.google.com/viewer", :query => {:url => self.url})
+    policy = $filepicker.policy('read')
+    signature = $filepicker.signature(policy)
+    actual_url = "#{self.url}?policy=#{policy}&signature=#{signature}"
+
+    response = Excon.get("https://docs.google.com/viewer", :query => {:url => actual_url})
     gp_url = response.body[/gpUrl:('[^']*')/,1]
 
     if status = gp_url.present?
@@ -72,6 +78,9 @@ def announce
 
   def cleanup
     self.tempfile.unlink
-    Excon.delete(self.url)
+
+    policy = $filepicker.policy('remove')
+    signature = $filepicker.signature(policy)
+    Excon.delete(self.url, query: {policy: policy, signature: signature})
   end
 end
diff --git a/app/views/prints/new.html.erb b/app/views/prints/new.html.erb
@@ -22,7 +22,9 @@
   </div>
   <div class="col-sm-1 col-lg-1"><br><span class="hidden-xs divider">&raquo;</span></div>
   <div class="col-sm-4 col-lg-4">
-    <input id="filepicker" name="urls" data-fp-apikey="Ac88GjthXQdqNsr9JvJJHz" type="filepicker-dragdrop" data-fp-multiple="true" data-fp-drag-class="col-xs-12 printatcu-dragdrop" data-fp-extensions="<%= ALL_EXTENSIONS.join(",") %>" data-fp-button-class="btn btn-primary btn-block btn-lg"/>
+    <% policy = $filepicker.policy('pick') %>
+    <% signature = $filepicker.sign(policy) %>
+    <input id="filepicker" name="urls" data-fp-policy="<%= policy %>" data-fp-signature="<%= signature %>" data-fp-apikey="<%= $filepicker.api_key %>" type="filepicker-dragdrop" data-fp-multiple="true" data-fp-drag-class="col-xs-12 printatcu-dragdrop" data-fp-extensions="<%= ALL_EXTENSIONS.join(",") %>" data-fp-button-class="btn btn-primary btn-block btn-lg"/>
   </div>
   <div class="col-sm-1 col-lg-1"><br><span class="hidden-xs divider">&raquo;<br><br></span></div>
   <div class="col-sm-3 col-lg-3">

diff --git a/config/initializers/filepicker.rb b/config/initializers/filepicker.rb
@@ -0,0 +1,20 @@
+class Filepicker
+  attr_reader :api_key
+
+  def initialize(api_key, secret)
+    @api_key = api_key
+    @secret = secret
+  end
+
+  def policy(call, options = {})
+    policy = {expiry: Time.now.to_i + (60*60*24), call: call}
+    policy.merge!(options)
+    Base64.urlsafe_encode64(JSON.dumps(policy))
+  end
+
+  def sign(policy)
+    OpenSSL::HMAC.hexdigest("SHA256", @secret, policy)
+  end
+end
+
+$filepicker = Filepicker.new("Ac88GjthXQdqNsr9JvJJHz", ENV["FILEPICKER_SECRET"])