-
Notifications
You must be signed in to change notification settings - Fork 332
/
signurl.py
739 lines (632 loc) · 28.8 KB
/
signurl.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
# -*- coding: utf-8 -*-
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Implementation of URL Signing workflow.
see: https://cloud.google.com/storage/docs/access-control#Signed-URLs)
"""
from __future__ import absolute_import
from __future__ import print_function
from __future__ import division
from __future__ import unicode_literals
import calendar
import copy
from datetime import datetime
from datetime import timedelta
import getpass
import json
import re
import sys
import six
from six.moves import urllib
from apitools.base.py.exceptions import HttpError
from apitools.base.py.http_wrapper import MakeRequest
from apitools.base.py.http_wrapper import Request
from boto import config
from gslib.command import Command
from gslib.command_argument import CommandArgument
from gslib.cs_api_map import ApiSelector
from gslib.exception import CommandException
from gslib.storage_url import ContainsWildcard
from gslib.storage_url import StorageUrlFromString
from gslib.utils import constants
from gslib.utils.boto_util import GetNewHttp
from gslib.utils.shim_util import GcloudStorageMap, GcloudStorageFlag
from gslib.utils.signurl_helper import CreatePayload, GetFinalUrl, to_bytes
try:
# Check for openssl.
# pylint: disable=C6204
from OpenSSL.crypto import FILETYPE_PEM
from OpenSSL.crypto import load_privatekey
from OpenSSL.crypto import sign
from OpenSSL.crypto import PKey
HAVE_OPENSSL = True
except ImportError:
load_privatekey = None
sign = None
HAVE_OPENSSL = False
FILETYPE_PEM = None
try:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat._oid import NameOID
HAVE_CRYPTO = True
except ImportError:
HAVE_CRYPTO = False
_CRYPTO_IMPORT_ERROR = "pyca/cryptography is not available. Either install it, or please consider using the .json keyfile"
_AUTO_DETECT_REGION = 'auto'
_MAX_EXPIRATION_TIME = timedelta(days=7)
_MAX_EXPIRATION_TIME_WITH_MINUS_U = timedelta(hours=12)
_SYNOPSIS = """
gsutil signurl [-c <content_type>] [-d <duration>] [-m <http_method>] \\
[-p <password>] [-r <region>] [-b <project>] (-u | <private-key-file>) \\
(gs://<bucket_name> | gs://<bucket_name>/<object_name>)...
"""
_DETAILED_HELP_TEXT = ("""
<B>SYNOPSIS</B>
""" + _SYNOPSIS + """
<B>DESCRIPTION</B>
The signurl command will generate a signed URL that embeds authentication data
so the URL can be used by someone who does not have a Google account. Please
see the `Signed URLs documentation
<https://cloud.google.com/storage/docs/access-control/signed-urls>`_ for
background about signed URLs.
Multiple gs:// URLs may be provided and may contain wildcards. A signed URL
will be produced for each provided URL, authorized
for the specified HTTP method and valid for the given duration.
NOTE: Unlike the gsutil ls command, the signurl command does not support
operations on sub-directories. For example, unless you have an object named
``some-directory/`` stored inside the bucket ``some-bucket``, the following
command returns an error: ``gsutil signurl <private-key-file> gs://some-bucket/some-directory/``
The signurl command uses the private key for a service account (the
'<private-key-file>' argument) to generate the cryptographic
signature for the generated URL. The private key file must be in PKCS12
or JSON format. If the private key is encrypted the signed URL command will
prompt for the passphrase used to protect the private key file
(default 'notasecret'). For more information regarding generating a private
key for use with the signurl command please see the `Authentication
documentation.
<https://cloud.google.com/storage/docs/authentication#generating-a-private-key>`_
If you used `service account credentials
<https://cloud.google.com/storage/docs/gsutil/addlhelp/CredentialTypesSupportingVariousUseCases#supported-credential-types_1>`_
for authentication, you can replace the <private-key-file> argument with
the -u or --use-service-account option to use the system-managed private key
directly. This avoids the need to store a private key file locally, but
prior to using this flag you must `configure
<https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account>`_
``gcloud`` to use your service account credentials.
<B>OPTIONS</B>
-b <project> Allows you to specify a user project that will be billed for
requests that use the signed URL. This is useful for generating
presigned links for buckets that use requester pays.
Note that it's not valid to specify both the ``-b`` and
``--use-service-account`` options together.
-c Specifies the content type for which the signed URL is
valid for.
-d Specifies the duration that the signed URL should be valid
for, default duration is 1 hour.
Times may be specified with no suffix (default hours), or
with s = seconds, m = minutes, h = hours, d = days.
This option may be specified multiple times, in which case
the duration the link remains valid is the sum of all the
duration options.
The max duration allowed is 7 days when ``private-key-file``
is used.
The max duration allowed is 12 hours when -u option is used.
This limitation exists because the system-managed key used to
sign the URL may not remain valid after 12 hours.
-m Specifies the HTTP method to be authorized for use
with the signed URL, default is GET. You may also specify
RESUMABLE to create a signed resumable upload start URL. When
using a signed URL to start a resumable upload session, you will
need to specify the 'x-goog-resumable:start' header in the
request or else signature validation will fail.
-p Specify the private key password instead of prompting.
-r <region> Specifies the `region
<https://cloud.google.com/storage/docs/locations>`_ in
which the resources for which you are creating signed URLs are
stored.
Default value is 'auto' which will cause gsutil to fetch the
region for the resource. When auto-detecting the region, the
current gsutil user's credentials, not the credentials from the
private-key-file, are used to fetch the bucket's metadata.
This option must be specified and not 'auto' when generating a
signed URL to create a bucket.
-u Use service account credentials instead of a private key file
to sign the URL.
You can also use the ``--use-service-account`` option,
which is equivalent to ``-u``.
Note that both options have a maximum allowed duration of
12 hours for a valid link.
<B>USAGE</B>
Create a signed URL for downloading an object valid for 10 minutes:
gsutil signurl -d 10m <private-key-file> gs://<bucket>/<object>
Create a signed URL, valid for one hour, for uploading a plain text
file via HTTP PUT:
gsutil signurl -m PUT -d 1h -c text/plain <private-key-file> \\
gs://<bucket>/<obj>
To construct a signed URL that allows anyone in possession of
the URL to PUT to the specified bucket for one day, creating
an object of Content-Type image/jpg, run:
gsutil signurl -m PUT -d 1d -c image/jpg <private-key-file> \\
gs://<bucket>/<obj>
To construct a signed URL that allows anyone in possession of
the URL to POST a resumable upload to the specified bucket for one day,
creating an object of Content-Type image/jpg, run:
gsutil signurl -m RESUMABLE -d 1d -c image/jpg <private-key-file> \\
gs://bucket/<obj>
""")
def _NowUTC():
"""Returns the current utc time as a datetime object."""
return datetime.utcnow()
def _DurationToTimeDelta(duration):
r"""Parses the given duration and returns an equivalent timedelta."""
match = re.match(r'^(\d+)([dDhHmMsS])?$', duration)
if not match:
raise CommandException('Unable to parse duration string')
duration, modifier = match.groups('h')
duration = int(duration)
modifier = modifier.lower()
if modifier == 'd':
ret = timedelta(days=duration)
elif modifier == 'h':
ret = timedelta(hours=duration)
elif modifier == 'm':
ret = timedelta(minutes=duration)
elif modifier == 's':
ret = timedelta(seconds=duration)
return ret
def _GenSignedUrl(key,
api,
use_service_account,
provider,
client_id,
method,
duration,
gcs_path,
logger,
region,
content_type=None,
billing_project=None,
string_to_sign_debug=False,
generation=None):
"""Construct a string to sign with the provided key.
Args:
key: The private key to use for signing the URL.
api: The CloudApiDelegator instance
use_service_account: If True, use the service account credentials
instead of using the key file to sign the URL
provider: Cloud storage provider to connect to. If not present,
class-wide default is used.
client_id: Client ID signing this URL.
method: The HTTP method to be used with the signed URL.
duration: timedelta for which the constructed signed URL should be valid.
gcs_path: String path to the bucket of object for signing, in the form
'bucket' or 'bucket/object'.
logger: logging.Logger for warning and debug output.
region: Geographic region in which the requested resource resides.
content_type: Optional Content-Type for the signed URL. HTTP requests using
the URL must match this Content-Type.
billing_project: Specify a user project to be billed for the request.
string_to_sign_debug: If true AND logger is enabled for debug level,
print string to sign to debug. Used to differentiate user's
signed URL from the probing permissions-check signed URL.
generation: If not None, specifies a version of an object for signing.
Returns:
The complete URL (string).
"""
gs_host = config.get('Credentials', 'gs_host', 'storage.googleapis.com')
signed_headers = {'host': gs_host}
if method == 'RESUMABLE':
method = 'POST'
signed_headers['x-goog-resumable'] = 'start'
if not content_type:
logger.warn('Warning: no Content-Type header was specified with the -c '
'flag, so uploads to the resulting Signed URL must not '
'specify a Content-Type.')
if content_type:
signed_headers['content-type'] = content_type
if use_service_account:
final_url = api.SignUrl(provider=provider,
method=method,
duration=duration,
path=gcs_path,
generation=generation,
logger=logger,
region=region,
signed_headers=signed_headers,
string_to_sign_debug=string_to_sign_debug)
else:
if six.PY2:
digest = b'RSA-SHA256'
else:
# Your IDE may complain about this due to a bad docstring in pyOpenSsl:
# https://github.com/pyca/pyopenssl/issues/741
digest = 'RSA-SHA256'
string_to_sign, canonical_query_string = CreatePayload(
client_id=client_id,
method=method,
duration=duration,
path=gcs_path,
generation=generation,
logger=logger,
region=region,
signed_headers=signed_headers,
billing_project=billing_project,
string_to_sign_debug=string_to_sign_debug)
if isinstance(key, PKey):
raw_signature = sign(key, string_to_sign, digest)
else:
if not HAVE_CRYPTO:
raise CommandException(_CRYPTO_IMPORT_ERROR)
raw_signature = key.sign(to_bytes(string_to_sign), padding.PKCS1v15(), hashes.SHA256())
final_url = GetFinalUrl(raw_signature, gs_host, gcs_path,
canonical_query_string)
return final_url
def _ReadKeystore(key_string, passwd):
key_string = to_bytes(key_string)
passwd = to_bytes(passwd)
# Cryptography package is not bundled with gsutil, Keeping it at top would throw error.
if not HAVE_CRYPTO:
raise CommandException(_CRYPTO_IMPORT_ERROR)
try:
key, cert, add = pkcs12.load_key_and_certificates(key_string, passwd)
client_email = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
return key, client_email
except:
raise CommandException('Unable to load the keyfile, Invalid password or PKCS12 data.')
def _ReadJSONKeystore(ks_contents, passwd=None):
"""Read the client email and private key from a JSON keystore.
Assumes this keystore was downloaded from the Cloud Platform Console.
By default, JSON keystore private keys from the Cloud Platform Console
aren't encrypted so the passwd is optional as load_privatekey will
prompt for the PEM passphrase if the key is encrypted.
Arguments:
ks_contents: JSON formatted string representing the keystore contents. Must
be a valid JSON string and contain the fields 'private_key'
and 'client_email'.
passwd: Passphrase for encrypted private keys.
Returns:
key: Parsed private key from the keystore.
client_email: The email address for the service account.
Raises:
ValueError: If unable to parse ks_contents or keystore is missing
required fields.
"""
# ensuring that json.loads receives unicode in Python 3 and bytes in Python 2
# Previous to Python 3.6, there was no automatic conversion and str was req.
ks = json.loads(six.ensure_str(ks_contents))
if 'client_email' not in ks or 'private_key' not in ks:
raise ValueError('JSON keystore doesn\'t contain required fields')
client_email = ks['client_email']
if passwd:
key = load_privatekey(FILETYPE_PEM, ks['private_key'], passwd)
else:
key = load_privatekey(FILETYPE_PEM, ks['private_key'])
return key, client_email
class UrlSignCommand(Command):
"""Implementation of gsutil url_sign command."""
# Command specification. See base class for documentation.
command_spec = Command.CreateCommandSpec(
'signurl',
command_name_aliases=['signedurl', 'queryauth'],
usage_synopsis=_SYNOPSIS,
min_args=1,
max_args=constants.NO_MAX,
supported_sub_args='m:d:b:c:p:r:u',
supported_private_args=['use-service-account'],
file_url_ok=False,
provider_url_ok=False,
urls_start_arg=1,
gs_api_support=[ApiSelector.XML, ApiSelector.JSON],
gs_default_api=ApiSelector.JSON,
argparse_arguments=[
CommandArgument.MakeZeroOrMoreFileURLsArgument(),
CommandArgument.MakeZeroOrMoreCloudURLsArgument(),
],
)
# Help specification. See help_provider.py for documentation.
help_spec = Command.HelpSpec(
help_name='signurl',
help_name_aliases=[
'signedurl',
'queryauth',
],
help_type='command_help',
help_one_line_summary='Create a signed URL',
help_text=_DETAILED_HELP_TEXT,
subcommand_help_text={},
)
def get_gcloud_storage_args(self):
# TODO (b/287273841): Replace `copy` with a better pattern for
# translating flag values.
original_args = copy.deepcopy(self.args)
original_sub_opts = copy.deepcopy(self.sub_opts)
gcloud_command = [
'storage', 'sign-url',
'--format=csv[separator="\\t"](resource:label="URL",'
' http_verb:label="HTTP Method",'
' expiration:label="Expiration",'
' signed_url:label="Signed URL")', '--private-key-file=' + self.args[0]
]
self.args = self.args[1:]
duration_arg_idx = None
http_verb_arg_idx = None
content_type_arg_idx = None
billing_project_arg_idx = None
for i, (flag, _) in enumerate(self.sub_opts):
if flag == '-d':
duration_arg_idx = i
elif flag == '-m':
http_verb_arg_idx = i
elif flag == '-c':
content_type_arg_idx = i
elif flag == '-b':
billing_project_arg_idx = i
if duration_arg_idx is not None:
# Convert duration to seconds, which gcloud can handle.
seconds = str(
int(
_DurationToTimeDelta(
self.sub_opts[duration_arg_idx][1]).total_seconds())) + 's'
self.sub_opts[duration_arg_idx] = ('-d', seconds)
if http_verb_arg_idx is not None:
if self.sub_opts[http_verb_arg_idx][1] == 'RESUMABLE':
self.sub_opts[http_verb_arg_idx] = ('-m', 'POST')
gcloud_command += ['--headers=x-goog-resumable=start']
if content_type_arg_idx is not None:
content_type_value = self.sub_opts[content_type_arg_idx][1]
self.sub_opts[content_type_arg_idx] = ('-c', 'content-type=' +
content_type_value)
if billing_project_arg_idx is not None:
project_value = self.sub_opts[billing_project_arg_idx][1]
self.sub_opts[billing_project_arg_idx] = ('-b',
'userProject=' + project_value)
fully_translated_command = super().get_gcloud_storage_args(
GcloudStorageMap(gcloud_command=gcloud_command,
flag_map={
'-m': GcloudStorageFlag('--http-verb'),
'-d': GcloudStorageFlag('--duration'),
'-b': GcloudStorageFlag('--query-params'),
'-c': GcloudStorageFlag('--headers'),
'-r': GcloudStorageFlag('--region'),
'-p': GcloudStorageFlag('--private-key-password'),
}))
# Ensures dry run mode works correctly, as flag translation requires
# mutating command state.
# TODO(b/287273841): Refactor so that there's a better pattern for
# translating flag values.
self.args = original_args
self.sub_opts = original_sub_opts
return fully_translated_command
def _ParseAndCheckSubOpts(self):
# Default argument values
delta = None
method = 'GET'
content_type = ''
passwd = None
region = _AUTO_DETECT_REGION
use_service_account = False
billing_project = None
for o, v in self.sub_opts:
# TODO(PY3-ONLY): Delete this if block.
if six.PY2:
v = v.decode(sys.stdin.encoding or constants.UTF8)
if o == '-d':
if delta is not None:
delta += _DurationToTimeDelta(v)
else:
delta = _DurationToTimeDelta(v)
elif o == '-m':
method = v
elif o == '-c':
content_type = v
elif o == '-p':
passwd = v
elif o == '-r':
region = v
elif o == '-u' or o == '--use-service-account':
use_service_account = True
elif o == '-b':
billing_project = v
else:
self.RaiseInvalidArgumentException()
if delta is None:
delta = timedelta(hours=1)
else:
if use_service_account and delta > _MAX_EXPIRATION_TIME_WITH_MINUS_U:
# This restriction comes from the IAM SignBlob API. The SignBlob
# API uses a system-managed key which can guarantee validation only
# up to 12 hours. b/156160482#comment4
raise CommandException(
'Max valid duration allowed is %s when -u flag is used. For longer'
' duration, consider using the private-key-file instead of the -u'
' option.' % _MAX_EXPIRATION_TIME_WITH_MINUS_U)
elif delta > _MAX_EXPIRATION_TIME:
raise CommandException('Max valid duration allowed is '
'%s' % _MAX_EXPIRATION_TIME)
if method not in ['GET', 'PUT', 'DELETE', 'HEAD', 'RESUMABLE']:
raise CommandException('HTTP method must be one of'
'[GET|HEAD|PUT|DELETE|RESUMABLE]')
if not use_service_account and len(self.args) < 2:
raise CommandException(
'The command requires a key file argument and one or more '
'URL arguments if the --use-service-account flag is missing. '
'Run `gsutil help signurl` for more info')
if use_service_account and billing_project:
raise CommandException(
'Specifying both the -b and --use-service-account options together is'
'invalid.')
return method, delta, content_type, passwd, region, use_service_account, billing_project
def _ProbeObjectAccessWithClient(self, key, use_service_account, provider,
client_email, gcs_path, generation, logger,
region, billing_project):
"""Performs a head request against a signed URL to check for read access."""
# Choose a reasonable time in the future; if the user's system clock is
# 60 or more seconds behind the server's this will generate an error.
signed_url = _GenSignedUrl(key=key,
api=self.gsutil_api,
use_service_account=use_service_account,
provider=provider,
client_id=client_email,
method='HEAD',
duration=timedelta(seconds=60),
gcs_path=gcs_path,
generation=generation,
logger=logger,
region=region,
billing_project=billing_project,
string_to_sign_debug=True)
try:
h = GetNewHttp()
req = Request(signed_url, 'HEAD')
response = MakeRequest(h, req)
if response.status_code not in [200, 403, 404]:
raise HttpError.FromResponse(response)
return response.status_code
except HttpError as http_error:
if http_error.has_attr('response'):
error_response = http_error.response
error_string = ('Unexpected HTTP response code %s while querying '
'object readability. Is your system clock accurate?' %
error_response.status_code)
if error_response.content:
error_string += ' Content: %s' % error_response.content
else:
error_string = ('Expected an HTTP response code of '
'200 while querying object readability, but received '
'an error: %s' % http_error)
raise CommandException(error_string)
def _EnumerateStorageUrls(self, in_urls):
ret = []
for url_str in in_urls:
if ContainsWildcard(url_str):
ret.extend([blr.storage_url for blr in self.WildcardIterator(url_str)])
else:
ret.append(StorageUrlFromString(url_str))
return ret
def RunCommand(self):
"""Command entry point for signurl command."""
if not HAVE_OPENSSL:
raise CommandException(
'The signurl command requires the pyopenssl library (try pip '
'install pyopenssl or easy_install pyopenssl)')
method, delta, content_type, passwd, region, use_service_account, billing_project = (
self._ParseAndCheckSubOpts())
arg_start_index = 0 if use_service_account else 1
storage_urls = self._EnumerateStorageUrls(self.args[arg_start_index:])
region_cache = {}
key = None
if not use_service_account:
try:
key, client_email = _ReadJSONKeystore(
open(self.args[0], 'rb').read(), passwd)
except ValueError:
# Ignore and try parsing as a pkcs12.
if not passwd:
passwd = getpass.getpass('Keystore password:')
try:
key, client_email = _ReadKeystore(
open(self.args[0], 'rb').read(), passwd)
except ValueError:
raise CommandException('Unable to parse private key from {0}'.format(
self.args[0]))
else:
client_email = self.gsutil_api.GetServiceAccountId(provider='gs')
print('URL\tHTTP Method\tExpiration\tSigned URL')
for url in storage_urls:
if url.scheme != 'gs':
raise CommandException('Can only create signed urls from gs:// urls')
if url.IsBucket():
if region == _AUTO_DETECT_REGION:
raise CommandException('Generating signed URLs for creating buckets'
' requires a region be specified via the -r '
'option. Run `gsutil help signurl` for more '
'information about the \'-r\' option.')
gcs_path = url.bucket_name
if method == 'RESUMABLE':
raise CommandException('Resumable signed URLs require an object '
'name.')
else:
# Need to URL encode the object name as Google Cloud Storage does when
# computing the string to sign when checking the signature.
gcs_path = '{0}/{1}'.format(
url.bucket_name,
urllib.parse.quote(url.object_name.encode(constants.UTF8),
safe=b'/~'))
if region == _AUTO_DETECT_REGION:
if url.bucket_name in region_cache:
bucket_region = region_cache[url.bucket_name]
else:
try:
_, bucket = self.GetSingleBucketUrlFromArg(
'gs://{}'.format(url.bucket_name), bucket_fields=['location'])
except Exception as e:
raise CommandException(
'{}: Failed to auto-detect location for bucket \'{}\'. Please '
'ensure you have storage.buckets.get permission on the bucket '
'or specify the bucket\'s location using the \'-r\' option.'.
format(e.__class__.__name__, url.bucket_name))
bucket_region = bucket.location.lower()
region_cache[url.bucket_name] = bucket_region
else:
bucket_region = region
final_url = _GenSignedUrl(key=key,
api=self.gsutil_api,
use_service_account=use_service_account,
provider=url.scheme,
client_id=client_email,
method=method,
duration=delta,
gcs_path=gcs_path,
generation=url.generation,
logger=self.logger,
region=bucket_region,
content_type=content_type,
billing_project=billing_project,
string_to_sign_debug=True)
expiration = calendar.timegm((datetime.utcnow() + delta).utctimetuple())
expiration_dt = datetime.fromtimestamp(expiration)
time_str = expiration_dt.strftime('%Y-%m-%d %H:%M:%S')
# TODO(PY3-ONLY): Delete this if block.
if six.PY2:
time_str = time_str.decode(constants.UTF8)
url_info_str = '{0}\t{1}\t{2}\t{3}'.format(url.url_string, method,
time_str, final_url)
# TODO(PY3-ONLY): Delete this if block.
if six.PY2:
url_info_str = url_info_str.encode(constants.UTF8)
print(url_info_str)
response_code = self._ProbeObjectAccessWithClient(
key, use_service_account, url.scheme, client_email, gcs_path,
url.generation, self.logger, bucket_region, billing_project)
if response_code == 404:
if url.IsBucket() and method != 'PUT':
raise CommandException(
'Bucket {0} does not exist. Please create a bucket with '
'that name before a creating signed URL to access it.'.format(
url))
else:
if method != 'PUT' and method != 'RESUMABLE':
raise CommandException(
'Object {0} does not exist. Please create/upload an object '
'with that name before a creating signed URL to access it.'.
format(url))
elif response_code == 403:
self.logger.warn(
'%s does not have permissions on %s, using this link will likely '
'result in a 403 error until at least READ permissions are granted',
client_email or 'The account', url)
return 0