X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e55f6e9fcb652a2b1505364b34d9d48e79adaeaf..5239de634d8c3277024be6e1c1bf1dc049d2bdf0:/services/keepstore/perms.go
diff --git a/services/keepstore/perms.go b/services/keepstore/perms.go
index 6168a321c2..7205a4594d 100644
--- a/services/keepstore/perms.go
+++ b/services/keepstore/perms.go
@@ -1,19 +1,20 @@
-package main
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
+package keepstore
 
 import (
- "git.curoverse.com/arvados.git/sdk/go/keepclient"
  "time"
-)
 
-// The PermissionSecret is the secret key used to generate SHA1
-// digests for permission hints. apiserver and Keep must use the same
-// key.
-var PermissionSecret []byte
+ "git.arvados.org/arvados.git/sdk/go/arvados"
+ "git.arvados.org/arvados.git/sdk/go/keepclient"
+)
 
 // SignLocator takes a blobLocator, an apiToken and an expiry time, and
 // returns a signed locator string.
-func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
- return keepclient.SignLocator(blobLocator, apiToken, expiry, PermissionSecret)
+func SignLocator(cluster *arvados.Cluster, blobLocator, apiToken string, expiry time.Time) string {
+ return keepclient.SignLocator(blobLocator, apiToken, expiry, cluster.Collections.BlobSigningTTL.Duration(), []byte(cluster.Collections.BlobSigningKey))
 }
 
 // VerifySignature returns nil if the signature on the signedLocator
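Review bot: Nothing in the new SignLocator rejects an empty `cluster.Collections.BlobSigningKey` before it is converted with `[]byte(...)` and used as the signing key, so a config that omits the key would yield signatures that protect nothing. VerifySignature in the second hunk reads the same field in the same way. The config loader may already enforce a non-empty key, but that is not visible in this diff. Because SignLocator returns only a string, the check belongs at startup, with the precondition stated on the function, e.g. `// cluster must be non-nil and cluster.Collections.BlobSigningKey non-empty; an empty key gives signatures no integrity.` The comment above SignLocator also still lists only blobLocator, apiToken and expiry as inputs.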
@@ -21,8 +22,8 @@ func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
 // either ExpiredError (if the timestamp has expired, which is
 // something the client could have figured out independently) or
 // PermissionError.
-func VerifySignature(signedLocator, apiToken string) error {
- err := keepclient.VerifySignature(signedLocator, apiToken, PermissionSecret)
+func VerifySignature(cluster *arvados.Cluster, signedLocator, apiToken string) error {
+ err := keepclient.VerifySignature(signedLocator, apiToken, cluster.Collections.BlobSigningTTL.Duration(), []byte(cluster.Collections.BlobSigningKey))
  if err == keepclient.ErrSignatureExpired {
   return ExpiredError
  } else if err != nil {
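Review bot: The doc comment kept as context above VerifySignature does not mention that the result now also depends on `cluster.Collections.BlobSigningTTL`, which the new call passes to keepclient.VerifySignature. Presumably a verifier whose TTL differs from the signer's rejects otherwise valid locators, and from the visible branches that would fall into the `err != nil` path rather than being reported as a configuration mismatch. I would extend the comment with `// The signature is checked with cluster.Collections.BlobSigningKey and BlobSigningTTL, which must match the values the signer used.` The function body continues past the end of this hunk, so how the non-expired error is mapped is not visible here.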