X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3c88abd3cb33cbe80bb81a7cca779fe668036c9e..e2ed71e15de22c629b5b5e174aa351cce03ee381:/sdk/go/keepclient/perms.go?ds=sidebyside diff --git a/sdk/go/keepclient/perms.go b/sdk/go/keepclient/perms.go index d650f0d7ad..a77983322d 100644 --- a/sdk/go/keepclient/perms.go +++ b/sdk/go/keepclient/perms.go @@ -1,3 +1,7 @@ +// Copyright (C) The Arvados Authors. All rights reserved. +// +// SPDX-License-Identifier: Apache-2.0 + // Generate and verify permission signatures for Keep locators. // // See https://dev.arvados.org/projects/arvados/wiki/Keep_locator_format @@ -61,7 +65,9 @@ func SignLocator(blobLocator, apiToken string, expiry time.Time, blobSignatureTT "@" + timestampHex } -var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{40})@([[:xdigit:]]{8})`) +var SignedLocatorRe = regexp.MustCompile( + //1 2 34 5 6 7 89 + `^([[:xdigit:]]{32})(\+[0-9]+)?((\+[B-Z][A-Za-z0-9@_-]*)*)(\+A([[:xdigit:]]{40})@([[:xdigit:]]{8}))((\+[B-Z][A-Za-z0-9@_-]*)*)$`) // VerifySignature returns nil if the signature on the signedLocator // can be verified using the given apiToken. Otherwise it returns @@ -74,13 +80,13 @@ var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{ // This function is intended to be used by system components and admin // utilities: userland programs do not know the permissionSecret. func VerifySignature(signedLocator, apiToken string, blobSignatureTTL time.Duration, permissionSecret []byte) error { - matches := signedLocatorRe.FindStringSubmatch(signedLocator) + matches := SignedLocatorRe.FindStringSubmatch(signedLocator) if matches == nil { return ErrSignatureMissing } blobHash := matches[1] - signatureHex := matches[2] - expiryHex := matches[3] + signatureHex := matches[6] + expiryHex := matches[7] if expiryTime, err := parseHexTimestamp(expiryHex); err != nil { return ErrSignatureInvalid } else if expiryTime.Before(time.Now()) {