1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
13 !!@locator.match(/^d41d8cd98f00b204e9800998ecf8427e(\+.*)?$/)
16 # In order to get a Blob from Keep, you have to prove either
17 # [a] you have recently written it to Keep yourself, or
18 # [b] apiserver has recently decided that you should be able to read it
20 # To ensure that the requestor of a blob is authorized to read it,
21 # Keep requires clients to timestamp the blob locator with an expiry
22 # time, and to sign the timestamped locator with their API token.
24 # A signed blob locator has the form:
25 # locator_hash +A blob_signature @ timestamp
26 # where the timestamp is a Unix time expressed as a hexadecimal value,
27 # and the blob_signature is the signed locator_hash + API token + timestamp.
29 class InvalidSignatureError < StandardError
32 # Blob.sign_locator: return a signed and timestamped blob locator.
34 # The 'opts' argument should include:
35 # [required] :api_token - API token (signatures only work for this token)
36 # [optional] :key - the Arvados server-side blobstore key
37 # [optional] :ttl - number of seconds before signature should expire
38 # [optional] :expire - unix timestamp when signature should expire
40 def self.sign_locator blob_locator, opts
41 # We only use the hash portion for signatures.
42 blob_hash = blob_locator.split('+').first
44 # Generate an expiry timestamp (seconds after epoch, base 16)
47 raise "Cannot specify both :ttl and :expire options"
49 timestamp = opts[:expire]
51 timestamp = db_current_time.to_i +
52 (opts[:ttl] || Rails.configuration.blob_signature_ttl)
54 timestamp_hex = timestamp.to_s(16)
56 blob_signature_ttl = Rails.configuration.blob_signature_ttl.to_s(16)
58 # Generate a signature.
60 generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
61 blob_hash, opts[:api_token], timestamp_hex, blob_signature_ttl)
63 blob_locator + '+A' + signature + '@' + timestamp_hex
66 # Blob.verify_signature
67 # Safely verify the signature on a blob locator.
68 # Return value: true if the locator has a valid signature, false otherwise
69 # Arguments: signed_blob_locator, opts
71 def self.verify_signature(*args)
73 self.verify_signature!(*args)
75 rescue Blob::InvalidSignatureError
80 # Blob.verify_signature!
81 # Verify the signature on a blob locator.
82 # Return value: true if the locator has a valid signature
83 # Arguments: signed_blob_locator, opts
85 # Blob::InvalidSignatureError if the blob locator does not include a
88 def self.verify_signature! signed_blob_locator, opts
89 blob_hash = signed_blob_locator.split('+').first
90 given_signature, timestamp = signed_blob_locator.
96 raise Blob::InvalidSignatureError.new 'No signature provided.'
98 unless timestamp =~ /^[\da-f]+$/
99 raise Blob::InvalidSignatureError.new 'Timestamp is not a base16 number.'
101 if timestamp.to_i(16) < (opts[:now] or db_current_time.to_i)
102 raise Blob::InvalidSignatureError.new 'Signature expiry time has passed.'
104 blob_signature_ttl = Rails.configuration.blob_signature_ttl.to_s(16)
107 generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
108 blob_hash, opts[:api_token], timestamp, blob_signature_ttl)
110 if my_signature != given_signature
111 raise Blob::InvalidSignatureError.new 'Signature is invalid.'
117 def self.generate_signature key, blob_hash, api_token, timestamp, blob_signature_ttl
118 OpenSSL::HMAC.hexdigest('sha1', key,
122 blob_signature_ttl].join('@'))
projects / arvados.git / blob