Merge pull request #14643 from hashicorp/pr-8180
provider/google: New Datasource: Google Storage Object Signed URL (supersedes #8180)
This commit is contained in:
commit
c675b9e3f8
|
@ -0,0 +1,368 @@
|
|||
package google
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"net/url"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"sort"
|
||||
|
||||
"github.com/hashicorp/errwrap"
|
||||
"github.com/hashicorp/terraform/helper/pathorcontents"
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
"golang.org/x/oauth2/google"
|
||||
"golang.org/x/oauth2/jwt"
|
||||
)
|
||||
|
||||
const gcsBaseUrl = "https://storage.googleapis.com"
|
||||
const googleCredentialsEnvVar = "GOOGLE_APPLICATION_CREDENTIALS"
|
||||
|
||||
func dataSourceGoogleSignedUrl() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
Read: dataSourceGoogleSignedUrlRead,
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"bucket": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
"content_md5": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
Default: "",
|
||||
},
|
||||
"content_type": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
Default: "",
|
||||
},
|
||||
"credentials": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
},
|
||||
"duration": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
Default: "1h",
|
||||
},
|
||||
"extension_headers": &schema.Schema{
|
||||
Type: schema.TypeMap,
|
||||
Optional: true,
|
||||
Elem: schema.TypeString,
|
||||
ValidateFunc: validateExtensionHeaders,
|
||||
},
|
||||
"http_method": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
Default: "GET",
|
||||
ValidateFunc: validateHttpMethod,
|
||||
},
|
||||
"path": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
"signed_url": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Computed: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func validateExtensionHeaders(v interface{}, k string) (ws []string, errors []error) {
|
||||
hdrMap := v.(map[string]interface{})
|
||||
for k, _ := range hdrMap {
|
||||
if !strings.HasPrefix(strings.ToLower(k), "x-goog-") {
|
||||
errors = append(errors, fmt.Errorf(
|
||||
"extension_header (%s) not valid, header name must begin with 'x-goog-'", k))
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func validateHttpMethod(v interface{}, k string) (ws []string, errs []error) {
|
||||
value := v.(string)
|
||||
value = strings.ToUpper(value)
|
||||
if value != "GET" && value != "HEAD" && value != "PUT" && value != "DELETE" {
|
||||
errs = append(errs, errors.New("http_method must be one of [GET|HEAD|PUT|DELETE]"))
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) error {
|
||||
config := meta.(*Config)
|
||||
|
||||
// Build UrlData object from data source attributes
|
||||
urlData := &UrlData{}
|
||||
|
||||
// HTTP Method
|
||||
if method, ok := d.GetOk("http_method"); ok {
|
||||
urlData.HttpMethod = method.(string)
|
||||
}
|
||||
|
||||
// convert duration to an expiration datetime (unix time in seconds)
|
||||
durationString := "1h"
|
||||
if v, ok := d.GetOk("duration"); ok {
|
||||
durationString = v.(string)
|
||||
}
|
||||
duration, err := time.ParseDuration(durationString)
|
||||
if err != nil {
|
||||
return errwrap.Wrapf("could not parse duration: {{err}}", err)
|
||||
}
|
||||
expires := time.Now().Unix() + int64(duration.Seconds())
|
||||
urlData.Expires = int(expires)
|
||||
|
||||
// content_md5 is optional
|
||||
if v, ok := d.GetOk("content_md5"); ok {
|
||||
urlData.ContentMd5 = v.(string)
|
||||
}
|
||||
|
||||
// content_type is optional
|
||||
if v, ok := d.GetOk("content_type"); ok {
|
||||
urlData.ContentType = v.(string)
|
||||
}
|
||||
|
||||
// extension_headers (x-goog-* HTTP headers) are optional
|
||||
if v, ok := d.GetOk("extension_headers"); ok {
|
||||
hdrMap := v.(map[string]interface{})
|
||||
|
||||
if len(hdrMap) > 0 {
|
||||
urlData.HttpHeaders = make(map[string]string, len(hdrMap))
|
||||
for k, v := range hdrMap {
|
||||
urlData.HttpHeaders[k] = v.(string)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
urlData.Path = fmt.Sprintf("/%s/%s", d.Get("bucket").(string), d.Get("path").(string))
|
||||
|
||||
// Load JWT Config from Google Credentials
|
||||
jwtConfig, err := loadJwtConfig(d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
urlData.JwtConfig = jwtConfig
|
||||
|
||||
// Construct URL
|
||||
signedUrl, err := urlData.SignedUrl()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Success
|
||||
d.Set("signed_url", signedUrl)
|
||||
|
||||
encodedSig, err := urlData.EncodedSignature()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
d.SetId(encodedSig)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// loadJwtConfig looks for credentials json in the following places,
|
||||
// in order of preference:
|
||||
// 1. `credentials` attribute of the datasource
|
||||
// 2. `credentials` attribute in the provider definition.
|
||||
// 3. A JSON file whose path is specified by the
|
||||
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
||||
func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error) {
|
||||
config := meta.(*Config)
|
||||
|
||||
credentials := ""
|
||||
if v, ok := d.GetOk("credentials"); ok {
|
||||
log.Println("[DEBUG] using data source credentials to sign URL")
|
||||
credentials = v.(string)
|
||||
|
||||
} else if config.Credentials != "" {
|
||||
log.Println("[DEBUG] using provider credentials to sign URL")
|
||||
credentials = config.Credentials
|
||||
|
||||
} else if filename := os.Getenv(googleCredentialsEnvVar); filename != "" {
|
||||
log.Println("[DEBUG] using env GOOGLE_APPLICATION_CREDENTIALS credentials to sign URL")
|
||||
credentials = filename
|
||||
|
||||
}
|
||||
|
||||
if strings.TrimSpace(credentials) != "" {
|
||||
contents, _, err := pathorcontents.Read(credentials)
|
||||
if err != nil {
|
||||
return nil, errwrap.Wrapf("Error loading credentials: {{err}}", err)
|
||||
}
|
||||
|
||||
cfg, err := google.JWTConfigFromJSON([]byte(contents), "")
|
||||
if err != nil {
|
||||
return nil, errwrap.Wrapf("Error parsing credentials: {{err}}", err)
|
||||
}
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
return nil, errors.New("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.")
|
||||
}
|
||||
|
||||
// parsePrivateKey converts the binary contents of a private key file
|
||||
// to an *rsa.PrivateKey. It detects whether the private key is in a
|
||||
// PEM container or not. If so, it extracts the the private key
|
||||
// from PEM container before conversion. It only supports PEM
|
||||
// containers with no passphrase.
|
||||
// copied from golang.org/x/oauth2/internal
|
||||
func parsePrivateKey(key []byte) (*rsa.PrivateKey, error) {
|
||||
block, _ := pem.Decode(key)
|
||||
if block != nil {
|
||||
key = block.Bytes
|
||||
}
|
||||
parsedKey, err := x509.ParsePKCS8PrivateKey(key)
|
||||
if err != nil {
|
||||
parsedKey, err = x509.ParsePKCS1PrivateKey(key)
|
||||
if err != nil {
|
||||
return nil, errwrap.Wrapf("private key should be a PEM or plain PKSC1 or PKCS8; parse error: {{err}}", err)
|
||||
}
|
||||
}
|
||||
parsed, ok := parsedKey.(*rsa.PrivateKey)
|
||||
if !ok {
|
||||
return nil, errors.New("private key is invalid")
|
||||
}
|
||||
return parsed, nil
|
||||
}
|
||||
|
||||
// UrlData stores the values required to create a Signed Url
|
||||
type UrlData struct {
|
||||
JwtConfig *jwt.Config
|
||||
ContentMd5 string
|
||||
ContentType string
|
||||
HttpMethod string
|
||||
Expires int
|
||||
HttpHeaders map[string]string
|
||||
Path string
|
||||
}
|
||||
|
||||
// SigningString creates a string representation of the UrlData in a form ready for signing:
|
||||
// see https://cloud.google.com/storage/docs/access-control/create-signed-urls-program
|
||||
// Example output:
|
||||
// -------------------
|
||||
// GET
|
||||
//
|
||||
//
|
||||
// 1388534400
|
||||
// bucket/objectname
|
||||
// -------------------
|
||||
func (u *UrlData) SigningString() []byte {
|
||||
var buf bytes.Buffer
|
||||
|
||||
// HTTP Verb
|
||||
buf.WriteString(u.HttpMethod)
|
||||
buf.WriteString("\n")
|
||||
|
||||
// Content MD5 (optional, always add new line)
|
||||
buf.WriteString(u.ContentMd5)
|
||||
buf.WriteString("\n")
|
||||
|
||||
// Content Type (optional, always add new line)
|
||||
buf.WriteString(u.ContentType)
|
||||
buf.WriteString("\n")
|
||||
|
||||
// Expiration
|
||||
buf.WriteString(strconv.Itoa(u.Expires))
|
||||
buf.WriteString("\n")
|
||||
|
||||
// Extra HTTP headers (optional)
|
||||
// Must be sorted in lexigraphical order
|
||||
var keys []string
|
||||
for k := range u.HttpHeaders {
|
||||
keys = append(keys, strings.ToLower(k))
|
||||
}
|
||||
sort.Strings(keys)
|
||||
// Write sorted headers to signing string buffer
|
||||
for _, k := range keys {
|
||||
buf.WriteString(fmt.Sprintf("%s:%s\n", k, u.HttpHeaders[k]))
|
||||
}
|
||||
|
||||
// Storate Object path (includes bucketname)
|
||||
buf.WriteString(u.Path)
|
||||
|
||||
return buf.Bytes()
|
||||
}
|
||||
|
||||
func (u *UrlData) Signature() ([]byte, error) {
|
||||
// Sign url data
|
||||
signature, err := SignString(u.SigningString(), u.JwtConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
||||
}
|
||||
|
||||
return signature, nil
|
||||
}
|
||||
|
||||
// EncodedSignature returns the Signature() after base64 encoding and url escaping
|
||||
func (u *UrlData) EncodedSignature() (string, error) {
|
||||
signature, err := u.Signature()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
// base64 encode signature
|
||||
encoded := base64.StdEncoding.EncodeToString(signature)
|
||||
// encoded signature may include /, = characters that need escaping
|
||||
encoded = url.QueryEscape(encoded)
|
||||
|
||||
return encoded, nil
|
||||
}
|
||||
|
||||
// SignedUrl constructs the final signed URL a client can use to retrieve storage object
|
||||
func (u *UrlData) SignedUrl() (string, error) {
|
||||
|
||||
encodedSig, err := u.EncodedSignature()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
// build url
|
||||
// https://cloud.google.com/storage/docs/access-control/create-signed-urls-program
|
||||
var urlBuffer bytes.Buffer
|
||||
urlBuffer.WriteString(gcsBaseUrl)
|
||||
urlBuffer.WriteString(u.Path)
|
||||
urlBuffer.WriteString("?GoogleAccessId=")
|
||||
urlBuffer.WriteString(u.JwtConfig.Email)
|
||||
urlBuffer.WriteString("&Expires=")
|
||||
urlBuffer.WriteString(strconv.Itoa(u.Expires))
|
||||
urlBuffer.WriteString("&Signature=")
|
||||
urlBuffer.WriteString(encodedSig)
|
||||
|
||||
return urlBuffer.String(), nil
|
||||
}
|
||||
|
||||
// SignString calculates the SHA256 signature of the input string
|
||||
func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) {
|
||||
// Parse private key
|
||||
pk, err := parsePrivateKey(cfg.PrivateKey)
|
||||
if err != nil {
|
||||
return nil, errwrap.Wrapf("failed to sign string, could not parse key: {{err}}", err)
|
||||
}
|
||||
|
||||
// Hash string
|
||||
hasher := sha256.New()
|
||||
hasher.Write(toSign)
|
||||
|
||||
// Sign string
|
||||
signed, err := rsa.SignPKCS1v15(rand.Reader, pk, crypto.SHA256, hasher.Sum(nil))
|
||||
if err != nil {
|
||||
return nil, errwrap.Wrapf("failed to sign string, an error occurred: {{err}}", err)
|
||||
}
|
||||
|
||||
return signed, nil
|
||||
}
|
|
@ -0,0 +1,263 @@
|
|||
package google
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"bytes"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/hashicorp/go-cleanhttp"
|
||||
"github.com/hashicorp/terraform/helper/acctest"
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
"golang.org/x/oauth2/google"
|
||||
)
|
||||
|
||||
const fakeCredentials = `{
|
||||
"type": "service_account",
|
||||
"project_id": "gcp-project",
|
||||
"private_key_id": "29a54056cee3d6886d9e8515a959af538ab5add9",
|
||||
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAsGHDAdHZfi81LgVeeMHXYLgNDpcFYhoBykYtTDdNyA5AixID\n8JdKlCmZ6qLNnZrbs4JlBJfmzw6rjUC5bVBFg5NwYVBu3+3Msa4rgLsTGsjPH9rt\nC+QFnFhcmzg3zz8eeXBqJdhw7wmn1Xa9SsC3h6YWveBk98ecyE7yGe8J8xGphjk7\nEQ/KBmRK/EJD0ZwuYW1W4Bv5f5fca7qvi9rCprEmL8//uy0qCwoJj2jU3zc5p72M\npkSZb1XlYxxTEo/h9WCEvWS9pGhy6fJ0sA2RsBHqU4Y5O7MJEei9yu5fVSZUi05f\n/ggfUID+cFEq0Z/A98whKPEBBJ/STdEaqEEkBwIDAQABAoIBAED6EsvF0dihbXbh\ntXbI+h4AT5cTXYFRUV2B0sgkC3xqe65/2YG1Sl0gojoE9bhcxxjvLWWuy/F1Vw93\nS5gQnTsmgpzm86F8yg6euhn3UMdqOJtknDToMITzLFJmOHEZsJFOL1x3ysrUhMan\nsn4qVrIbJn+WfbumBoToSFnzbHflacOh06ZRbYa2bpSPMfGGFtwqQjRadn5+pync\nlCjaupcg209sM0qEk/BDSzHvWL1VgLMdiKBx574TSwS0o569+7vPNt92Ydi7kARo\nreOzkkF4L3xNhKZnmls2eGH6A8cp1KZXoMLFuO+IwvBMA0O29LsUlKJU4PjBrf+7\nwaslnMECgYEA5bJv0L6DKZQD3RCBLue4/mDg0GHZqAhJBS6IcaXeaWeH6PgGZggV\nMGkWnULltJIYFwtaueTfjWqciAeocKx+rqoRjuDMOGgcrEf6Y+b5AqF+IjQM66Ll\nIYPUt3FCIc69z5LNEtyP4DSWsFPJ5UhAoG4QRlDTqT5q0gKHFjeLdeECgYEAxJRk\nkrsWmdmUs5NH9pyhTdEDIc59EuJ8iOqOLzU8xUw6/s2GSClopEFJeeEoIWhLuPY3\nX3bFt4ppl/ksLh05thRs4wXRxqhnokjD3IcGu3l6Gb5QZTYwb0VfN+q2tWVEE8Qc\nPQURheUsM2aP/gpJVQvNsWVmkT0Ijc3J8bR2hucCgYEAjOF4e0ueHu5NwFTTJvWx\nHTRGLwkU+l66ipcT0MCvPW7miRk2s3XZqSuLV0Ekqi/A3sF0D/g0tQPipfwsb48c\n0/wzcLKoDyCsFW7AQG315IswVcIe+peaeYfl++1XZmzrNlkPtrXY+ObIVbXOavZ5\nzOw0xyvj5jYGRnCOci33N4ECgYA91EKx2ABq0YGw3aEj0u31MMlgZ7b1KqFq2wNv\nm7oKgEiJ/hC/P673AsXefNAHeetfOKn/77aOXQ2LTEb2FiEhwNjiquDpL+ywoVxh\nT2LxsmqSEEbvHpUrWlFxn/Rpp3k7ElKjaqWxTHyTii2+BHQ+OKEwq6kQA3deSpy6\n1jz1fwKBgQDLqbdq5FA63PWqApfNVykXukg9MASIcg/0fjADFaHTPDvJjhFutxRP\nppI5Q95P12CQ/eRBZKJnRlkhkL8tfPaWPzzOpCTjID7avRhx2oLmstmYuXx0HluE\ncqXLbAV9WDpIJ3Bpa/S8tWujWhLDmixn2JeAdurWS+naH9U9e4I6Rw==\n-----END RSA PRIVATE KEY-----\n",
|
||||
"client_email": "user@gcp-project.iam.gserviceaccount.com",
|
||||
"client_id": "103198861025845558729",
|
||||
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
|
||||
"token_uri": "https://accounts.google.com/o/oauth2/token",
|
||||
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
|
||||
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/user%40gcp-project.iam.gserviceaccount.com"
|
||||
}`
|
||||
|
||||
// The following values are derived from the output of the `gsutil signurl` command.
|
||||
// i.e.
|
||||
// gsutil signurl fake_creds.json gs://tf-test-bucket-6159205297736845881/path/to/file
|
||||
// URL HTTP Method Expiration Signed URL
|
||||
// gs://tf-test-bucket-6159205297736845881/path/to/file GET 2016-08-12 14:03:30 https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D
|
||||
|
||||
const testUrlPath = "/tf-test-bucket-6159205297736845881/path/to/file"
|
||||
const testUrlExpires = 1470967410
|
||||
const testUrlExpectedSignatureBase64Encoded = "JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D"
|
||||
const testUrlExpectedUrl = "https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D"
|
||||
|
||||
func TestUrlData_Signing(t *testing.T) {
|
||||
urlData := &UrlData{
|
||||
HttpMethod: "GET",
|
||||
Expires: testUrlExpires,
|
||||
Path: testUrlPath,
|
||||
}
|
||||
// unescape and decode the expected signature
|
||||
expectedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
expected, err := base64.StdEncoding.DecodeString(expectedSig)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
// load fake service account credentials
|
||||
cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "")
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
// create url data signature
|
||||
toSign := urlData.SigningString()
|
||||
result, err := SignString(toSign, cfg)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
// compare to expected value
|
||||
if !bytes.Equal(result, expected) {
|
||||
t.Errorf("Signatures do not match:\n%x\n%x\n", expected, result)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func TestUrlData_SignedUrl(t *testing.T) {
|
||||
// load fake service account credentials
|
||||
cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "")
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
urlData := &UrlData{
|
||||
HttpMethod: "GET",
|
||||
Expires: testUrlExpires,
|
||||
Path: testUrlPath,
|
||||
JwtConfig: cfg,
|
||||
}
|
||||
result, err := urlData.SignedUrl()
|
||||
if err != nil {
|
||||
t.Errorf("Could not generated signed url: %+v", err)
|
||||
}
|
||||
if result != testUrlExpectedUrl {
|
||||
t.Errorf("URL does not match expected value:\n%s\n%s", testUrlExpectedUrl, result)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAccStorageSignedUrl_basic(t *testing.T) {
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
Steps: []resource.TestStep{
|
||||
resource.TestStep{
|
||||
Config: testGoogleSignedUrlConfig,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccGoogleSignedUrlExists("data.google_storage_object_signed_url.blerg"),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccStorageSignedUrl_accTest(t *testing.T) {
|
||||
bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
|
||||
|
||||
headers := map[string]string{
|
||||
"x-goog-test": "foo",
|
||||
"x-goog-if-generation-match": "1",
|
||||
}
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
Steps: []resource.TestStep{
|
||||
resource.TestStep{
|
||||
Config: testAccTestGoogleStorageObjectSignedURL(bucketName),
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url", nil),
|
||||
testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_headers", headers),
|
||||
testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_content_type", nil),
|
||||
testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_md5", nil),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccGoogleSignedUrlExists(n string) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
|
||||
r := s.RootModule().Resources[n]
|
||||
a := r.Primary.Attributes
|
||||
|
||||
if a["signed_url"] == "" {
|
||||
return fmt.Errorf("signed_url is empty: %v", a)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func testAccGoogleSignedUrlRetrieval(n string, headers map[string]string) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
r := s.RootModule().Resources[n]
|
||||
if r == nil {
|
||||
return fmt.Errorf("Datasource not found")
|
||||
}
|
||||
a := r.Primary.Attributes
|
||||
|
||||
if a["signed_url"] == "" {
|
||||
return fmt.Errorf("signed_url is empty: %v", a)
|
||||
}
|
||||
|
||||
// create HTTP request
|
||||
url := a["signed_url"]
|
||||
method := a["http_method"]
|
||||
req, err := http.NewRequest(method, url, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Add extension headers to request, if provided
|
||||
for k, v := range headers {
|
||||
req.Header.Set(k, v)
|
||||
}
|
||||
|
||||
// content_type is optional, add to test query if provided in datasource config
|
||||
contentType := a["content_type"]
|
||||
if contentType != "" {
|
||||
req.Header.Add("Content-Type", contentType)
|
||||
}
|
||||
|
||||
// content_md5 is optional, add to test query if provided in datasource config
|
||||
contentMd5 := a["content_md5"]
|
||||
if contentMd5 != "" {
|
||||
req.Header.Add("Content-MD5", contentMd5)
|
||||
}
|
||||
|
||||
// send request using signed url
|
||||
client := cleanhttp.DefaultClient()
|
||||
response, err := client.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer response.Body.Close()
|
||||
|
||||
// check content in response, should be our test string or XML with error
|
||||
body, err := ioutil.ReadAll(response.Body)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if string(body) != "once upon a time..." {
|
||||
return fmt.Errorf("Got unexpected object contents: %s\n\tURL: %s", string(body), url)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
const testGoogleSignedUrlConfig = `
|
||||
data "google_storage_object_signed_url" "blerg" {
|
||||
bucket = "friedchicken"
|
||||
path = "path/to/file"
|
||||
|
||||
}
|
||||
`
|
||||
|
||||
func testAccTestGoogleStorageObjectSignedURL(bucketName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_storage_bucket" "bucket" {
|
||||
name = "%s"
|
||||
}
|
||||
|
||||
resource "google_storage_bucket_object" "story" {
|
||||
name = "path/to/file"
|
||||
bucket = "${google_storage_bucket.bucket.name}"
|
||||
|
||||
content = "once upon a time..."
|
||||
}
|
||||
|
||||
data "google_storage_object_signed_url" "story_url" {
|
||||
bucket = "${google_storage_bucket.bucket.name}"
|
||||
path = "${google_storage_bucket_object.story.name}"
|
||||
|
||||
}
|
||||
|
||||
data "google_storage_object_signed_url" "story_url_w_headers" {
|
||||
bucket = "${google_storage_bucket.bucket.name}"
|
||||
path = "${google_storage_bucket_object.story.name}"
|
||||
extension_headers {
|
||||
x-goog-test = "foo"
|
||||
x-goog-if-generation-match = 1
|
||||
}
|
||||
}
|
||||
|
||||
data "google_storage_object_signed_url" "story_url_w_content_type" {
|
||||
bucket = "${google_storage_bucket.bucket.name}"
|
||||
path = "${google_storage_bucket_object.story.name}"
|
||||
|
||||
content_type = "text/plain"
|
||||
}
|
||||
|
||||
data "google_storage_object_signed_url" "story_url_w_md5" {
|
||||
bucket = "${google_storage_bucket.bucket.name}"
|
||||
path = "${google_storage_bucket_object.story.name}"
|
||||
|
||||
content_md5 = "${google_storage_bucket_object.story.md5hash}"
|
||||
}`, bucketName)
|
||||
}
|
|
@ -54,6 +54,7 @@ func Provider() terraform.ResourceProvider {
|
|||
"google_compute_zones": dataSourceGoogleComputeZones(),
|
||||
"google_container_engine_versions": dataSourceGoogleContainerEngineVersions(),
|
||||
"google_iam_policy": dataSourceGoogleIamPolicy(),
|
||||
"google_storage_object_signed_url": dataSourceGoogleSignedUrl(),
|
||||
},
|
||||
|
||||
ResourcesMap: map[string]*schema.Resource{
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
---
|
||||
layout: "google"
|
||||
page_title: "Google: google_storage_object_signed_url"
|
||||
sidebar_current: "docs-google-datasource-signed_url"
|
||||
description: |-
|
||||
Provides signed URL to Google Cloud Storage object.
|
||||
---
|
||||
|
||||
# google\_storage\_object\_signed_url
|
||||
|
||||
The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.
|
||||
|
||||
For more info about signed URL's is available [here](https://cloud.google.com/storage/docs/access-control/signed-urls).
|
||||
|
||||
## Example Usage
|
||||
|
||||
```hcl
|
||||
data "google_storage_object_signed_url" "artifact" {
|
||||
bucket = "install_binaries"
|
||||
path = "path/to/install_file.bin"
|
||||
|
||||
}
|
||||
|
||||
resource "google_compute_instance" "vm" {
|
||||
name = "vm"
|
||||
...
|
||||
|
||||
provisioner "remote-exec" {
|
||||
inline = [
|
||||
"wget '${data.google_storage_object_signed_url.artifact.signed_url}' -O install_file.bin",
|
||||
"chmod +x install_file.bin",
|
||||
"./install_file.bin"
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Full Example
|
||||
|
||||
```hcl
|
||||
data "google_storage_object_signed_url" "get_url" {
|
||||
bucket = "fried_chicken"
|
||||
path = "path/to/file"
|
||||
content_md5 = "pRviqwS4c4OTJRTe03FD1w=="
|
||||
content_type = "text/plain"
|
||||
duration = "2d"
|
||||
credentials = "${file("path/to/credentials.json")}"
|
||||
|
||||
extension_headers {
|
||||
x-goog-if-generation-match = 1
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
The following arguments are supported:
|
||||
|
||||
* `bucket` - (Required) The name of the bucket to read the object from
|
||||
* `path` - (Required) The full path to the object inside the bucket
|
||||
* `http_method` - (Optional) What HTTP Method will the signed URL allow (defaults to `GET`)
|
||||
* `duration` - (Optional) For how long shall the signed URL be valid (defaults to 1 hour - i.e. `1h`).
|
||||
See [here](https://golang.org/pkg/time/#ParseDuration) for info on valid duration formats.
|
||||
* `credentials` - (Optional) What Google service account credentials json should be used to sign the URL.
|
||||
This data source checks the following locations for credentials, in order of preference: data source `credentials` attribute, provider `credentials` attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
||||
|
||||
> **NOTE** the default google credentials configured by `gcloud` sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid `json` service account credentials key file must be used, as generated via Google cloud console.
|
||||
|
||||
* `content_type` - (Optional) If you specify this in the datasource, the client must provide the `Content-Type` HTTP header with the same value in its request.
|
||||
* `content_md5` - (Optional) The [MD5 digest](https://cloud.google.com/storage/docs/hashes-etags#_MD5) value in Base64.
|
||||
Typically retrieved from `google_storage_bucket_object.object.md5hash` attribute.
|
||||
If you provide this in the datasource, the client (e.g. browser, curl) must provide the `Content-MD5` HTTP header with this same value in its request.
|
||||
* `extension_headers` - (Optional) As needed. The server checks to make sure that the client provides matching values in requests using the signed URL.
|
||||
Any header starting with `x-goog-` is accepted but see the [Google Docs](https://cloud.google.com/storage/docs/xml-api/reference-headers) for list of headers that are supported by Google.
|
||||
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
The following attributes are exported:
|
||||
|
||||
* `signed_url` - The signed URL that can be used to access the storage object without authentication.
|
|
@ -39,6 +39,9 @@
|
|||
<li<%= sidebar_current("docs-google-datasource-iam-policy") %>>
|
||||
<a href="/docs/providers/google/d/google_iam_policy.html">google_iam_policy</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-google-datasource-signed_url") %>>
|
||||
<a href="/docs/providers/google/d/signed_url.html">google_storage_object_signed_url</a>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
|
|
Loading…
Reference in New Issue