X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cea92754dfacf2b409d1f5b45dd0775fc44c842d..ef6f7202858cba65e06cc1a32d52ee2305687bc8:/services/api/app/models/blob.rb

diff --git a/services/api/app/models/blob.rb b/services/api/app/models/blob.rb
index c4e1881b29..41d5b27093 100644
--- a/services/api/app/models/blob.rb
+++ b/services/api/app/models/blob.rb
@@ -1,4 +1,13 @@
 class Blob
+  extend DbCurrentTime
+
+  def initialize locator
+    @locator = locator
+  end
+
+  def empty?
+    !!@locator.match(/^d41d8cd98f00b204e9800998ecf8427e(\+.*)?$/)
+  end
 
   # In order to get a Blob from Keep, you have to prove either
   # [a] you have recently written it to Keep yourself, or
@@ -16,20 +25,11 @@ class Blob
   class InvalidSignatureError < StandardError
   end
 
-  # Clock is a wrapper for Time.
-  # It can be replaced with a stub for unit testing (the poor man's mock).
-  # It must support a Clock.now method that returns a Time object.
-  @@Clock = Time
-
-  def self.set_clock c
-    @@Clock = c
-  end
-
   # Blob.sign_locator: return a signed and timestamped blob locator.
   #
   # The 'opts' argument should include:
-  #   [required] :key       - the Arvados server-side blobstore key
-  #   [required] :api_token - user's API token
+  #   [required] :api_token - API token (signatures only work for this token)
+  #   [optional] :key       - the Arvados server-side blobstore key
   #   [optional] :ttl       - number of seconds before signature should expire
   #   [optional] :expire    - unix timestamp when signature should expire
   #
@@ -44,14 +44,17 @@ class Blob
       end
       timestamp = opts[:expire]
     else
-      timestamp = @@Clock.now.to_i + (opts[:ttl] || 600)
+      timestamp = db_current_time.to_i +
+        (opts[:ttl] || Rails.configuration.blob_signature_ttl)
     end
     timestamp_hex = timestamp.to_s(16)
     # => "53163cb4"
+    blob_signature_ttl = Rails.configuration.blob_signature_ttl.to_s(16)
 
     # Generate a signature.
     signature =
-      generate_signature opts[:key], blob_hash, opts[:api_token], timestamp_hex
+      generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
+                         blob_hash, opts[:api_token], timestamp_hex, blob_signature_ttl)
 
     blob_locator + '+A' + signature + '@' + timestamp_hex
   end
@@ -88,15 +91,17 @@ class Blob
     if !timestamp
       raise Blob::InvalidSignatureError.new 'No signature provided.'
     end
-    if !timestamp.match /^[\da-f]+$/
+    unless timestamp =~ /^[\da-f]+$/
       raise Blob::InvalidSignatureError.new 'Timestamp is not a base16 number.'
     end
-    if timestamp.to_i(16) < @@Clock.now.to_i
+    if timestamp.to_i(16) < (opts[:now] or db_current_time.to_i)
       raise Blob::InvalidSignatureError.new 'Signature expiry time has passed.'
     end
+    blob_signature_ttl = Rails.configuration.blob_signature_ttl.to_s(16)
 
     my_signature =
-      generate_signature opts[:key], blob_hash, opts[:api_token], timestamp
+      generate_signature((opts[:key] or Rails.configuration.blob_signing_key),
+                         blob_hash, opts[:api_token], timestamp, blob_signature_ttl)
 
     if my_signature != given_signature
       raise Blob::InvalidSignatureError.new 'Signature is invalid.'
@@ -105,10 +110,11 @@ class Blob
     true
   end
 
-  def self.generate_signature key, blob_hash, api_token, timestamp
+  def self.generate_signature key, blob_hash, api_token, timestamp, blob_signature_ttl
     OpenSSL::HMAC.hexdigest('sha1', key,
                             [blob_hash,
                              api_token,
-                             timestamp].join('@'))
+                             timestamp,
+                             blob_signature_ttl].join('@'))
   end
 end