X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e55f6e9fcb652a2b1505364b34d9d48e79adaeaf..fa7cf8fa43d32ef0d438976ed9e87fc7b91bc89d:/sdk/go/keepclient/perms.go diff --git a/sdk/go/keepclient/perms.go b/sdk/go/keepclient/perms.go index 12105c6cfc..a77983322d 100644 --- a/sdk/go/keepclient/perms.go +++ b/sdk/go/keepclient/perms.go @@ -1,3 +1,7 @@ +// Copyright (C) The Arvados Authors. All rights reserved. +// +// SPDX-License-Identifier: Apache-2.0 + // Generate and verify permission signatures for Keep locators. // // See https://dev.arvados.org/projects/arvados/wiki/Keep_locator_format @@ -29,13 +33,15 @@ var ( // makePermSignature generates a SHA-1 HMAC digest for the given blob, // token, expiry, and site secret. -func makePermSignature(blobHash, apiToken, expiry string, permissionSecret []byte) string { +func makePermSignature(blobHash, apiToken, expiry, blobSignatureTTL string, permissionSecret []byte) string { hmac := hmac.New(sha1.New, permissionSecret) hmac.Write([]byte(blobHash)) hmac.Write([]byte("@")) hmac.Write([]byte(apiToken)) hmac.Write([]byte("@")) hmac.Write([]byte(expiry)) + hmac.Write([]byte("@")) + hmac.Write([]byte(blobSignatureTTL)) digest := hmac.Sum(nil) return fmt.Sprintf("%x", digest) } @@ -46,19 +52,22 @@ func makePermSignature(blobHash, apiToken, expiry string, permissionSecret []byt // // This function is intended to be used by system components and admin // utilities: userland programs do not know the permissionSecret. -func SignLocator(blobLocator, apiToken string, expiry time.Time, permissionSecret []byte) string { +func SignLocator(blobLocator, apiToken string, expiry time.Time, blobSignatureTTL time.Duration, permissionSecret []byte) string { if len(permissionSecret) == 0 || apiToken == "" { return blobLocator } // Strip off all hints: only the hash is used to sign. blobHash := strings.Split(blobLocator, "+")[0] timestampHex := fmt.Sprintf("%08x", expiry.Unix()) + blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16) return blobLocator + - "+A" + makePermSignature(blobHash, apiToken, timestampHex, permissionSecret) + + "+A" + makePermSignature(blobHash, apiToken, timestampHex, blobSignatureTTLHex, permissionSecret) + "@" + timestampHex } -var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{40})@([[:xdigit:]]{8})`) +var SignedLocatorRe = regexp.MustCompile( + //1 2 34 5 6 7 89 + `^([[:xdigit:]]{32})(\+[0-9]+)?((\+[B-Z][A-Za-z0-9@_-]*)*)(\+A([[:xdigit:]]{40})@([[:xdigit:]]{8}))((\+[B-Z][A-Za-z0-9@_-]*)*)$`) // VerifySignature returns nil if the signature on the signedLocator // can be verified using the given apiToken. Otherwise it returns @@ -70,20 +79,21 @@ var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{ // // This function is intended to be used by system components and admin // utilities: userland programs do not know the permissionSecret. -func VerifySignature(signedLocator, apiToken string, permissionSecret []byte) error { - matches := signedLocatorRe.FindStringSubmatch(signedLocator) +func VerifySignature(signedLocator, apiToken string, blobSignatureTTL time.Duration, permissionSecret []byte) error { + matches := SignedLocatorRe.FindStringSubmatch(signedLocator) if matches == nil { return ErrSignatureMissing } blobHash := matches[1] - signatureHex := matches[2] - expiryHex := matches[3] + signatureHex := matches[6] + expiryHex := matches[7] if expiryTime, err := parseHexTimestamp(expiryHex); err != nil { return ErrSignatureInvalid } else if expiryTime.Before(time.Now()) { return ErrSignatureExpired } - if signatureHex != makePermSignature(blobHash, apiToken, expiryHex, permissionSecret) { + blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16) + if signatureHex != makePermSignature(blobHash, apiToken, expiryHex, blobSignatureTTLHex, permissionSecret) { return ErrSignatureInvalid } return nil