X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1cd7fd3867acabeb29196da4cf505a0eb703b287..ef35a5388d60e892835309df2b46b221f8df221d:/services/api/app/models/blob.rb

diff --git a/services/api/app/models/blob.rb b/services/api/app/models/blob.rb
index 34600d7a25..9f9a20fe33 100644
--- a/services/api/app/models/blob.rb
+++ b/services/api/app/models/blob.rb
@@ -1,3 +1,9 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+require 'request_error'
+
 class Blob
   extend DbCurrentTime
 
@@ -21,8 +27,8 @@ class Blob
   #     locator_hash +A blob_signature @ timestamp
   # where the timestamp is a Unix time expressed as a hexadecimal value,
   # and the blob_signature is the signed locator_hash + API token + timestamp.
-  # 
-  class InvalidSignatureError < StandardError
+  #
+  class InvalidSignatureError < RequestError
   end
 
   # Blob.sign_locator: return a signed and timestamped blob locator.
@@ -45,15 +51,16 @@ class Blob
       timestamp = opts[:expire]
     else
       timestamp = db_current_time.to_i +
-        (opts[:ttl] || Rails.configuration.blob_signature_ttl)
+        (opts[:ttl] || Rails.configuration.Collections.BlobSigningTTL.to_i)
     end
     timestamp_hex = timestamp.to_s(16)
     # => "53163cb4"
+    blob_signature_ttl = Rails.configuration.Collections.BlobSigningTTL.to_i.to_s(16)
 
     # Generate a signature.
     signature =
-      generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
-                         blob_hash, opts[:api_token], timestamp_hex)
+      generate_signature((opts[:key] or Rails.configuration.Collections.BlobSigningKey),
+                         blob_hash, opts[:api_token], timestamp_hex, blob_signature_ttl)
 
     blob_locator + '+A' + signature + '@' + timestamp_hex
   end
@@ -63,9 +70,9 @@ class Blob
   #   Return value: true if the locator has a valid signature, false otherwise
   #   Arguments: signed_blob_locator, opts
   #
-  def self.verify_signature *args
+  def self.verify_signature(*args)
     begin
-      self.verify_signature! *args
+      self.verify_signature!(*args)
       true
     rescue Blob::InvalidSignatureError
       false
@@ -96,10 +103,11 @@ class Blob
     if timestamp.to_i(16) < (opts[:now] or db_current_time.to_i)
       raise Blob::InvalidSignatureError.new 'Signature expiry time has passed.'
     end
+    blob_signature_ttl = Rails.configuration.Collections.BlobSigningTTL.to_i.to_s(16)
 
     my_signature =
-      generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
-                         blob_hash, opts[:api_token], timestamp)
+      generate_signature((opts[:key] or Rails.configuration.Collections.BlobSigningKey),
+                         blob_hash, opts[:api_token], timestamp, blob_signature_ttl)
 
     if my_signature != given_signature
       raise Blob::InvalidSignatureError.new 'Signature is invalid.'
@@ -108,10 +116,11 @@ class Blob
     true
   end
 
-  def self.generate_signature key, blob_hash, api_token, timestamp
+  def self.generate_signature key, blob_hash, api_token, timestamp, blob_signature_ttl
     OpenSSL::HMAC.hexdigest('sha1', key,
                             [blob_hash,
                              api_token,
-                             timestamp].join('@'))
+                             timestamp,
+                             blob_signature_ttl].join('@'))
   end
 end