# -*- coding: utf-8 -*- # Copyright 2014 Google Inc. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Implementation of Url Signing workflow. see: https://developers.google.com/storage/docs/accesscontrol#Signed-URLs) """ from __future__ import absolute_import import base64 import calendar from datetime import datetime from datetime import timedelta import getpass import re import time import urllib from apitools.base.py.exceptions import HttpError from apitools.base.py.http_wrapper import MakeRequest from apitools.base.py.http_wrapper import Request from gslib.command import Command from gslib.command_argument import CommandArgument from gslib.cs_api_map import ApiSelector from gslib.exception import CommandException from gslib.storage_url import ContainsWildcard from gslib.storage_url import StorageUrlFromString from gslib.util import GetNewHttp from gslib.util import NO_MAX from gslib.util import UTF8 try: # Check for openssl. # pylint: disable=C6204 from OpenSSL.crypto import load_pkcs12 from OpenSSL.crypto import sign HAVE_OPENSSL = True except ImportError: load_pkcs12 = None sign = None HAVE_OPENSSL = False _SYNOPSIS = """ gsutil signurl [-c] [-d] [-m] [-p] pkcs12-file url... """ _DETAILED_HELP_TEXT = (""" SYNOPSIS """ + _SYNOPSIS + """ DESCRIPTION The signurl command will generate signed urls that can be used to access the specified objects without authentication for a specific period of time. Please see the `Signed URLs documentation `_ for background about signed URLs. Multiple gs:// urls may be provided and may contain wildcards. A signed url will be produced for each provided url, authorized for the specified HTTP method and valid for the given duration. Note: Unlike the gsutil ls command, the signurl command does not support operations on sub-directories. For example, if you run the command: gsutil signurl gs://some-bucket/some-object/ The signurl command uses the private key for a service account (the '' argument) to generate the cryptographic signature for the generated URL. The private key file must be in PKCS12 format. The signurl command will prompt for the passphrase used to protect the private key file (default 'notasecret'). For more information regarding generating a private key for use with the signurl command please see the `Authentication documentation. `_ gsutil will look up information about the object "some-object/" (with a trailing slash) inside bucket "some-bucket", as opposed to operating on objects nested under gs://some-bucket/some-object. Unless you actually have an object with that name, the operation will fail. OPTIONS -m Specifies the HTTP method to be authorized for use with the signed url, default is GET. -d Specifies the duration that the signed url should be valid for, default duration is 1 hour. Times may be specified with no suffix (default hours), or with s = seconds, m = minutes, h = hours, d = days. This option may be specified multiple times, in which case the duration the link remains valid is the sum of all the duration options. -c Specifies the content type for which the signed url is valid for. -p Specify the keystore password instead of prompting. USAGE Create a signed url for downloading an object valid for 10 minutes: gsutil signurl -d 10m gs:/// Create a signed url for uploading a plain text file via HTTP PUT: gsutil signurl -m PUT -d 1h -c text/plain \\ gs:/// To construct a signed URL that allows anyone in possession of the URL to PUT to the specified bucket for one day, creating any object of Content-Type image/jpg, run: gsutil signurl -m PUT -d 1d -c image/jpg \\ gs:/// """) def _DurationToTimeDelta(duration): r"""Parses the given duration and returns an equivalent timedelta.""" match = re.match(r'^(\d+)([dDhHmMsS])?$', duration) if not match: raise CommandException('Unable to parse duration string') duration, modifier = match.groups('h') duration = int(duration) modifier = modifier.lower() if modifier == 'd': ret = timedelta(days=duration) elif modifier == 'h': ret = timedelta(hours=duration) elif modifier == 'm': ret = timedelta(minutes=duration) elif modifier == 's': ret = timedelta(seconds=duration) return ret def _GenSignedUrl(key, client_id, method, md5, content_type, expiration, gcs_path): """Construct a string to sign with the provided key and returns \ the complete url.""" tosign = ('{0}\n{1}\n{2}\n{3}\n/{4}' .format(method, md5, content_type, expiration, gcs_path)) signature = base64.b64encode(sign(key, tosign, 'RSA-SHA256')) final_url = ('https://storage.googleapis.com/{0}?' 'GoogleAccessId={1}&Expires={2}&Signature={3}' .format(gcs_path, client_id, expiration, urllib.quote_plus(str(signature)))) return final_url def _ReadKeystore(ks_contents, passwd): ks = load_pkcs12(ks_contents, passwd) client_id = (ks.get_certificate() .get_subject() .CN.replace('.apps.googleusercontent.com', '@developer.gserviceaccount.com')) return ks, client_id class UrlSignCommand(Command): """Implementation of gsutil url_sign command.""" # Command specification. See base class for documentation. command_spec = Command.CreateCommandSpec( 'signurl', command_name_aliases=['signedurl', 'queryauth'], usage_synopsis=_SYNOPSIS, min_args=2, max_args=NO_MAX, supported_sub_args='m:d:c:p:', file_url_ok=False, provider_url_ok=False, urls_start_arg=1, gs_api_support=[ApiSelector.XML, ApiSelector.JSON], gs_default_api=ApiSelector.JSON, argparse_arguments=[ CommandArgument.MakeNFileURLsArgument(1), CommandArgument.MakeZeroOrMoreCloudURLsArgument() ] ) # Help specification. See help_provider.py for documentation. help_spec = Command.HelpSpec( help_name='signurl', help_name_aliases=['signedurl', 'queryauth'], help_type='command_help', help_one_line_summary='Create a signed url', help_text=_DETAILED_HELP_TEXT, subcommand_help_text={}, ) def _ParseAndCheckSubOpts(self): # Default argument values delta = None method = 'GET' content_type = '' passwd = None for o, v in self.sub_opts: if o == '-d': if delta is not None: delta += _DurationToTimeDelta(v) else: delta = _DurationToTimeDelta(v) elif o == '-m': method = v elif o == '-c': content_type = v elif o == '-p': passwd = v else: self.RaiseInvalidArgumentException() if delta is None: delta = timedelta(hours=1) expiration = calendar.timegm((datetime.utcnow() + delta).utctimetuple()) if method not in ['GET', 'PUT', 'DELETE', 'HEAD']: raise CommandException('HTTP method must be one of [GET|HEAD|PUT|DELETE]') return method, expiration, content_type, passwd def _ProbeObjectAccessWithClient(self, key, client_id, gcs_path): """Performs a head request against a signed url to check for read access.""" signed_url = _GenSignedUrl(key, client_id, 'HEAD', '', '', int(time.time()) + 10, gcs_path) try: h = GetNewHttp() req = Request(signed_url, 'HEAD') response = MakeRequest(h, req) if response.status_code not in [200, 403, 404]: raise HttpError(response) return response.status_code except HttpError as e: raise CommandException('Unexpected response code while querying' 'object readability ({0})'.format(e.message)) def _EnumerateStorageUrls(self, in_urls): ret = [] for url_str in in_urls: if ContainsWildcard(url_str): ret.extend([blr.storage_url for blr in self.WildcardIterator(url_str)]) else: ret.append(StorageUrlFromString(url_str)) return ret def RunCommand(self): """Command entry point for signurl command.""" if not HAVE_OPENSSL: raise CommandException( 'The signurl command requires the pyopenssl library (try pip ' 'install pyopenssl or easy_install pyopenssl)') method, expiration, content_type, passwd = self._ParseAndCheckSubOpts() storage_urls = self._EnumerateStorageUrls(self.args[1:]) if not passwd: passwd = getpass.getpass('Keystore password:') ks, client_id = _ReadKeystore(open(self.args[0], 'rb').read(), passwd) print 'URL\tHTTP Method\tExpiration\tSigned URL' for url in storage_urls: if url.scheme != 'gs': raise CommandException('Can only create signed urls from gs:// urls') if url.IsBucket(): gcs_path = url.bucket_name else: # Need to url encode the object name as Google Cloud Storage does when # computing the string to sign when checking the signature. gcs_path = '{0}/{1}'.format(url.bucket_name, urllib.quote(url.object_name.encode(UTF8))) final_url = _GenSignedUrl(ks.get_privatekey(), client_id, method, '', content_type, expiration, gcs_path) expiration_dt = datetime.fromtimestamp(expiration) print '{0}\t{1}\t{2}\t{3}'.format(url.url_string.encode(UTF8), method, (expiration_dt .strftime('%Y-%m-%d %H:%M:%S')), final_url.encode(UTF8)) response_code = self._ProbeObjectAccessWithClient(ks.get_privatekey(), client_id, gcs_path) if response_code == 404 and method != 'PUT': if url.IsBucket(): msg = ('Bucket {0} does not exist. Please create a bucket with ' 'that name before a creating signed URL to access it.' .format(url)) else: msg = ('Object {0} does not exist. Please create/upload an object ' 'with that name before a creating signed URL to access it.' .format(url)) raise CommandException(msg) elif response_code == 403: self.logger.warn( '%s does not have permissions on %s, using this link will likely ' 'result in a 403 error until at least READ permissions are granted', client_id, url) return 0