projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
2809: Merge branch 'master' into 2809-workbench-rails4 refs #2809
[arvados.git] / services / keep / src / keep / perms.go
diff --git a/services/keep/src/keep/perms.go b/services/keep/src/keep/perms.go
index f3ff001c4ce3377cd152b8242a63da426353df60..0d1b091365085bbb079cc9cb1dd86eb1d6973b54 100644 (file)
--- a/services/keep/src/keep/perms.go
+++ b/services/keep/src/keep/perms.go
@@ -17,8 +17,8 @@ expressed as a hexadecimal number.  e.g.:
 The signature represents a guarantee that this locator was generated
 by either Keep or the API server for use with the supplied API token.
 If a request to Keep includes a locator with a valid signature and is
-accompanied by the proper API token, the user has permission to
-perform any action on that object (GET, PUT or DELETE).
+accompanied by the proper API token, the user has permission to GET
+that object.
 
 The signature may be generated either by Keep (after the user writes a
 block) or by the API server (if the user has can_read permission on
@@ -50,28 +50,33 @@ import (
 // key.
 var PermissionSecret []byte
 
-// makePermSignature returns a string representing the signed permission
-// hint for the blob identified by blob_hash, api_token and timestamp.
-func makePermSignature(blob_hash string, api_token string, timestamp string) string {
+// MakePermSignature returns a string representing the signed permission
+// hint for the blob identified by blob_hash, api_token and expiration timestamp.
+func MakePermSignature(blob_hash string, api_token string, expiry string) string {
        hmac := hmac.New(sha1.New, PermissionSecret)
        hmac.Write([]byte(blob_hash))
        hmac.Write([]byte("@"))
        hmac.Write([]byte(api_token))
        hmac.Write([]byte("@"))
-       hmac.Write([]byte(timestamp))
+       hmac.Write([]byte(expiry))
        digest := hmac.Sum(nil)
        return fmt.Sprintf("%x", digest)
 }
 
-// SignLocator takes a blob_locator, an api_token and a timestamp, and
+// SignLocator takes a blob_locator, an api_token and an expiry time, and
 // returns a signed locator string.
-func SignLocator(blob_locator string, api_token string, timestamp time.Time) string {
+func SignLocator(blob_locator string, api_token string, expiry time.Time) string {
+       // If no permission secret or API token is available,
+       // return an unsigned locator.
+       if PermissionSecret == nil || api_token == "" {
+               return blob_locator
+       }
        // Extract the hash from the blob locator, omitting any size hint that may be present.
        blob_hash := strings.Split(blob_locator, "+")[0]
        // Return the signed locator string.
-       timestamp_hex := fmt.Sprintf("%08x", timestamp.Unix())
+       timestamp_hex := fmt.Sprintf("%08x", expiry.Unix())
        return blob_locator +
-               "+A" + makePermSignature(blob_hash, api_token, timestamp_hex) +
+               "+A" + MakePermSignature(blob_hash, api_token, timestamp_hex) +
                "@" + timestamp_hex
 }