Source: post_policy_v4.go in package cloud.google.com/go/storage

Copyright 2020 Google LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


package storage

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

PostPolicyV4Options are used to construct a signed post policy. Please see https://cloud.google.com/storage/docs/xml-api/post-object for reference about the fields.

GoogleAccessID represents the authorizer of the signed URL generation. It is typically the Google service account client email address from the Google Developers Console in the form of "xxx@developer.gserviceaccount.com". Required.

	GoogleAccessID string

PrivateKey is the Google service account private key. It is obtainable from the Google Developers Console. At https://console.developers.google.com/project/<your-project-id>/apiui/credential, create a service account client ID or reuse one of your existing service account credentials. Click on the "Generate new P12 key" to generate and download a new private key. Once you download the P12 file, use the following command to convert it into a PEM file. $ openssl pkcs12 -in key.p12 -passin pass:notasecret -out key.pem -nodes Provide the contents of the PEM file as a byte slice. Exactly one of PrivateKey or SignBytes must be non-nil.

	PrivateKey []byte

SignBytes is a function for implementing custom signing. For example, if your application is running on Google App Engine, you can use appengine's internal signing function: ctx := appengine.NewContext(request) acc, _ := appengine.ServiceAccount(ctx) url, err := SignedURL("bucket", "object", &SignedURLOptions{ GoogleAccessID: acc, SignBytes: func(b []byte) ([]byte, error) { _, signedBytes, err := appengine.SignBytes(ctx, b) return signedBytes, err }, // etc. }) Exactly one of PrivateKey or SignBytes must be non-nil.

	SignBytes func(hashBytes []byte) (signature []byte, err error)

Expires is the expiration time on the signed URL. It must be a time in the future. Required.

	Expires time.Time

Style provides options for the type of URL to use. Options are PathStyle (default), BucketBoundHostname, and VirtualHostedStyle. See https://cloud.google.com/storage/docs/request-endpoints for details. Optional.

	Style URLStyle

Insecure when set indicates that the generated URL's scheme will use "http" instead of "https" (default). Optional.

	Insecure bool

Fields specifies the attributes of a PostPolicyV4 request. When Fields is non-nil, its attributes must match those that will passed into field Conditions. Optional.

	Fields *PolicyV4Fields

The conditions that the uploaded file will be expected to conform to. When used, the failure of an upload to satisfy a condition will result in a 4XX status code, back with the message describing the problem. Optional.

	Conditions []PostPolicyV4Condition
}

PolicyV4Fields describes the attributes for a PostPolicyV4 request.

ACL specifies the access control permissions for the object. Optional.

CacheControl specifies the caching directives for the object. Optional.

ContentType specifies the media type of the object. Optional.

ContentDisposition specifies how the file will be served back to requesters. Optional.

ContentEncoding specifies the decompressive transcoding that the object. This field is complementary to ContentType in that the file could be compressed but ContentType specifies the file's original media type. Optional.

Metadata specifies custom metadata for the object. If any key doesn't begin with "x-goog-meta-", an error will be returned. Optional.

StatusCodeOnSuccess when set, specifies the status code that Cloud Storage will serve back on successful upload of the object. Optional.

RedirectToURLOnSuccess when set, specifies the URL that Cloud Storage will serve back on successful upload of the object. Optional.

	RedirectToURLOnSuccess string
}

PostPolicyV4 describes the URL and respective form fields for a generated PostPolicyV4 request.

URL is the generated URL that the file upload will be made to.

Fields specifies the generated key-values that the file uploader must include in their multipart upload form.

	Fields map[string]string
}

PostPolicyV4Condition describes the constraints that the subsequent object upload's multipart form fields will be expected to conform to.

type PostPolicyV4Condition interface {
	isEmpty() bool
	json.Marshaler
}

type startsWith struct {
	key, value string
}

func (sw *startsWith) MarshalJSON() ([]byte, error) {
	return json.Marshal([]string{"starts-with", sw.key, sw.value})
}
func (sw *startsWith) isEmpty() bool {
	return sw.value == ""
}

ConditionStartsWith checks that an attributes starts with value. An empty value will cause this condition to be ignored.

func ConditionStartsWith(key, value string) PostPolicyV4Condition {
	return &startsWith{key, value}
}

type contentLengthRangeCondition struct {
	start, end uint64
}

func (clr *contentLengthRangeCondition) MarshalJSON() ([]byte, error) {
	return json.Marshal([]interface{}{"content-length-range", clr.start, clr.end})
}
func (clr *contentLengthRangeCondition) isEmpty() bool {
	return clr.start == 0 && clr.end == 0
}

type singleValueCondition struct {
	name, value string
}

func (svc *singleValueCondition) MarshalJSON() ([]byte, error) {
	return json.Marshal(map[string]string{svc.name: svc.value})
}
func (svc *singleValueCondition) isEmpty() bool {
	return svc.value == ""
}

ConditionContentLengthRange constraints the limits that the multipart upload's range header will be expected to be within.

func ConditionContentLengthRange(start, end uint64) PostPolicyV4Condition {
	return &contentLengthRangeCondition{start, end}
}

func conditionRedirectToURLOnSuccess(redirectURL string) PostPolicyV4Condition {
	return &singleValueCondition{"success_action_redirect", redirectURL}
}

func conditionStatusCodeOnSuccess(statusCode int) PostPolicyV4Condition {
	svc := &singleValueCondition{name: "success_action_status"}
	if statusCode > 0 {
		svc.value = fmt.Sprintf("%d", statusCode)
	}
	return svc
}

GenerateSignedPostPolicyV4 generates a PostPolicyV4 value from bucket, object and opts. The generated URL and fields will then allow an unauthenticated client to perform multipart uploads.

func GenerateSignedPostPolicyV4(bucket, object string, opts *PostPolicyV4Options) (*PostPolicyV4, error) {
	if bucket == "" {
		return nil, errors.New("storage: bucket must be non-empty")
	}
	if object == "" {
		return nil, errors.New("storage: object must be non-empty")
	}
	now := utcNow()
	if err := validatePostPolicyV4Options(opts, now); err != nil {
		return nil, err
	}

	var signingFn func(hashedBytes []byte) ([]byte, error)
	switch {
	case opts.SignBytes != nil:
		signingFn = opts.SignBytes

	case len(opts.PrivateKey) != 0:
		parsedRSAPrivKey, err := parseKey(opts.PrivateKey)
		if err != nil {
			return nil, err
		}
		signingFn = func(hashedBytes []byte) ([]byte, error) {
			return rsa.SignPKCS1v15(rand.Reader, parsedRSAPrivKey, crypto.SHA256, hashedBytes)
		}

	default:
		return nil, errors.New("storage: exactly one of PrivateKey or SignedBytes must be set")
	}

	var descFields PolicyV4Fields
	if opts.Fields != nil {
		descFields = *opts.Fields
	}

	if err := validateMetadata(descFields.Metadata); err != nil {
		return nil, err
	}

Build the policy.

	conds := make([]PostPolicyV4Condition, len(opts.Conditions))
	copy(conds, opts.Conditions)
	conds = append(conds,
		conditionRedirectToURLOnSuccess(descFields.RedirectToURLOnSuccess),
		conditionStatusCodeOnSuccess(descFields.StatusCodeOnSuccess),
		&singleValueCondition{"acl", descFields.ACL},
		&singleValueCondition{"cache-control", descFields.CacheControl},
	)

	YYYYMMDD := now.Format(yearMonthDay)
	policyFields := map[string]string{
		"key":                     object,
		"x-goog-date":             now.Format(iso8601),
		"x-goog-credential":       opts.GoogleAccessID + "/" + YYYYMMDD + "/auto/storage/goog4_request",
		"x-goog-algorithm":        "GOOG4-RSA-SHA256",
		"success_action_redirect": descFields.RedirectToURLOnSuccess,
		"acl":                     descFields.ACL,
	}
	for key, value := range descFields.Metadata {
		conds = append(conds, &singleValueCondition{key, value})
		policyFields[key] = value
	}

Following from the order expected by the conformance test cases, hence manually inserting these fields in a specific order.

	conds = append(conds,
		&singleValueCondition{"bucket", bucket},
		&singleValueCondition{"key", object},
		&singleValueCondition{"x-goog-date", now.Format(iso8601)},
		&singleValueCondition{
			name:  "x-goog-credential",
			value: opts.GoogleAccessID + "/" + YYYYMMDD + "/auto/storage/goog4_request",
		},
		&singleValueCondition{"x-goog-algorithm", "GOOG4-RSA-SHA256"},
	)

	nonEmptyConds := make([]PostPolicyV4Condition, 0, len(opts.Conditions))
	for _, cond := range conds {
		if cond == nil || !cond.isEmpty() {
			nonEmptyConds = append(nonEmptyConds, cond)
		}
	}
	condsAsJSON, err := json.Marshal(map[string]interface{}{
		"conditions": nonEmptyConds,
		"expiration": opts.Expires.Format(time.RFC3339),
	})
	if err != nil {
		return nil, fmt.Errorf("storage: PostPolicyV4 JSON serialization failed: %v", err)
	}

	b64Policy := base64.StdEncoding.EncodeToString(condsAsJSON)
	shaSum := sha256.Sum256([]byte(b64Policy))
	signature, err := signingFn(shaSum[:])
	if err != nil {
		return nil, err
	}

	policyFields["policy"] = b64Policy
	policyFields["x-goog-signature"] = fmt.Sprintf("%x", signature)

Construct the URL.

	scheme := "https"
	if opts.Insecure {
		scheme = "http"
	}
	path := opts.Style.path(bucket, "") + "/"
	u := &url.URL{
		Path:    path,
		RawPath: pathEncodeV4(path),
		Host:    opts.Style.host(bucket),
		Scheme:  scheme,
	}

	if descFields.StatusCodeOnSuccess > 0 {
		policyFields["success_action_status"] = fmt.Sprintf("%d", descFields.StatusCodeOnSuccess)
	}

Clear out fields with blanks values.

	for key, value := range policyFields {
		if value == "" {
			delete(policyFields, key)
		}
	}
	pp4 := &PostPolicyV4{
		Fields: policyFields,
		URL:    u.String(),
	}
	return pp4, nil
}

validatePostPolicyV4Options checks that: * GoogleAccessID is set * either but not both PrivateKey and SignBytes are set or nil, but not both * Expires, the deadline is not in the past * if Style is not set, it'll use PathStyle

func validatePostPolicyV4Options(opts *PostPolicyV4Options, now time.Time) error {
	if opts == nil || opts.GoogleAccessID == "" {
		return errors.New("storage: missing required GoogleAccessID")
	}
	if privBlank, signBlank := len(opts.PrivateKey) == 0, opts.SignBytes == nil; privBlank == signBlank {
		return errors.New("storage: exactly one of PrivateKey or SignedBytes must be set")
	}
	if opts.Expires.Before(now) {
		return errors.New("storage: expecting Expires to be in the future")
	}
	if opts.Style == nil {
		opts.Style = PathStyle()
	}
	return nil
}

validateMetadata ensures that all keys passed in have a prefix of "x-goog-meta-", otherwise it will return an error.

func validateMetadata(hdrs map[string]string) (err error) {
	if len(hdrs) == 0 {
		return nil
	}

	badKeys := make([]string, 0, len(hdrs))
	for key := range hdrs {
		if !strings.HasPrefix(key, "x-goog-meta-") {
			badKeys = append(badKeys, key)
		}
	}
	if len(badKeys) != 0 {
		err = errors.New("storage: expected metadata to begin with x-goog-meta-, got " + strings.Join(badKeys, ", "))
	}
	return