9 !!@locator.match(/^d41d8cd98f00b204e9800998ecf8427e(\+.*)?$/)
12 # In order to get a Blob from Keep, you have to prove either
13 # [a] you have recently written it to Keep yourself, or
14 # [b] apiserver has recently decided that you should be able to read it
16 # To ensure that the requestor of a blob is authorized to read it,
17 # Keep requires clients to timestamp the blob locator with an expiry
18 # time, and to sign the timestamped locator with their API token.
20 # A signed blob locator has the form:
21 # locator_hash +A blob_signature @ timestamp
22 # where the timestamp is a Unix time expressed as a hexadecimal value,
23 # and the blob_signature is the signed locator_hash + API token + timestamp.
25 class InvalidSignatureError < StandardError
28 # Blob.sign_locator: return a signed and timestamped blob locator.
30 # The 'opts' argument should include:
31 # [required] :api_token - API token (signatures only work for this token)
32 # [optional] :key - the Arvados server-side blobstore key
33 # [optional] :ttl - number of seconds before signature should expire
34 # [optional] :expire - unix timestamp when signature should expire
36 def self.sign_locator blob_locator, opts
37 # We only use the hash portion for signatures.
38 blob_hash = blob_locator.split('+').first
40 # Generate an expiry timestamp (seconds after epoch, base 16)
43 raise "Cannot specify both :ttl and :expire options"
45 timestamp = opts[:expire]
47 timestamp = db_current_time.to_i +
48 (opts[:ttl] || Rails.configuration.blob_signature_ttl)
50 timestamp_hex = timestamp.to_s(16)
52 blob_signature_ttl = Rails.configuration.blob_signature_ttl.to_s(16)
54 # Generate a signature.
56 generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
57 blob_hash, opts[:api_token], timestamp_hex, blob_signature_ttl)
59 blob_locator + '+A' + signature + '@' + timestamp_hex
62 # Blob.verify_signature
63 # Safely verify the signature on a blob locator.
64 # Return value: true if the locator has a valid signature, false otherwise
65 # Arguments: signed_blob_locator, opts
67 def self.verify_signature *args
69 self.verify_signature! *args
71 rescue Blob::InvalidSignatureError
76 # Blob.verify_signature!
77 # Verify the signature on a blob locator.
78 # Return value: true if the locator has a valid signature
79 # Arguments: signed_blob_locator, opts
81 # Blob::InvalidSignatureError if the blob locator does not include a
84 def self.verify_signature! signed_blob_locator, opts
85 blob_hash = signed_blob_locator.split('+').first
86 given_signature, timestamp = signed_blob_locator.
92 raise Blob::InvalidSignatureError.new 'No signature provided.'
94 unless timestamp =~ /^[\da-f]+$/
95 raise Blob::InvalidSignatureError.new 'Timestamp is not a base16 number.'
97 if timestamp.to_i(16) < (opts[:now] or db_current_time.to_i)
98 raise Blob::InvalidSignatureError.new 'Signature expiry time has passed.'
100 blob_signature_ttl = Rails.configuration.blob_signature_ttl.to_s(16)
103 generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
104 blob_hash, opts[:api_token], timestamp, blob_signature_ttl)
106 if my_signature != given_signature
107 raise Blob::InvalidSignatureError.new 'Signature is invalid.'
113 def self.generate_signature key, blob_hash, api_token, timestamp, blob_signature_ttl
114 OpenSSL::HMAC.hexdigest('sha1', key,
118 blob_signature_ttl].join('@'))