X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a50278e3d0e26bb5d513d0af5da2fb559b112388..ffd4738242c61fa5acd423f927339f836dfb0ffb:/services/keepstore/perms.go
diff --git a/services/keepstore/perms.go b/services/keepstore/perms.go
index 6168a321c2..38445d982b 100644
--- a/services/keepstore/perms.go
+++ b/services/keepstore/perms.go
@@ -5,15 +5,10 @@ import (
 "time"
 )
 
-// The PermissionSecret is the secret key used to generate SHA1
-// digests for permission hints. apiserver and Keep must use the same
-// key.
-var PermissionSecret []byte
-
 // SignLocator takes a blobLocator, an apiToken and an expiry time, and
 // returns a signed locator string.
 func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
- return keepclient.SignLocator(blobLocator, apiToken, expiry, PermissionSecret)
+ return keepclient.SignLocator(blobLocator, apiToken, expiry, theConfig.BlobSignatureTTL.Duration(), theConfig.blobSigningKey)
 }
 
 // VerifySignature returns nil if the signature on the signedLocator
@@ -22,7 +17,7 @@ func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
 // something the client could have figured out independently) or
 // PermissionError.
 func VerifySignature(signedLocator, apiToken string) error {
- err := keepclient.VerifySignature(signedLocator, apiToken, PermissionSecret)
+ err := keepclient.VerifySignature(signedLocator, apiToken, theConfig.BlobSignatureTTL.Duration(), theConfig.blobSigningKey)
 if err == keepclient.ErrSignatureExpired {
 return ExpiredError
 } else if err != nil {
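Review bot: The doc comment on SignLocator no longer tells a reader where the signing key comes from or that it has to match the API server's; the removed PermissionSecret comment was the only place in this file that said so. I would extend it with `// The signature uses theConfig.blobSigningKey and theConfig.BlobSignatureTTL; apiserver and Keep must use the same key.` The TTL is now passed into the signing call as well, so it presumably has to agree between services too, which is worth confirming against keepclient and stating in the comment. The same gap applies to the VerifySignature comment in the second hunk.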
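Review bot: VerifySignature hands theConfig.blobSigningKey to keepclient.VerifySignature without checking that a key was actually configured. Whether config loading already rejects an empty key is not visible in this diff; if it does not, an unset key would mean signatures are verified against a value anyone can reproduce, so the function should fail closed, e.g. `if len(theConfig.blobSigningKey) == 0 { return PermissionError }` before the call. PermissionError is the error the existing doc comment already names, and the function body continues past the end of the hunk.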