From 8f61bf27fdef978d15538015889045062004efc8 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Fri, 12 Aug 2016 14:52:44 +1200 Subject: [PATCH 1/7] Add google_storage_signed_url data source. --- data_source_storage_object_signed_url.go | 299 ++++++++++++++++++ data_source_storage_object_signed_url_test.go | 212 +++++++++++++ provider.go | 3 +- 3 files changed, 513 insertions(+), 1 deletion(-) create mode 100644 data_source_storage_object_signed_url.go create mode 100644 data_source_storage_object_signed_url_test.go diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go new file mode 100644 index 00000000..f39dcdf3 --- /dev/null +++ b/data_source_storage_object_signed_url.go @@ -0,0 +1,299 @@ +package google + +import ( + "bytes" + "crypto" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/pem" + "fmt" + "github.com/hashicorp/terraform/helper/pathorcontents" + "github.com/hashicorp/terraform/helper/schema" + "golang.org/x/oauth2/google" + "golang.org/x/oauth2/jwt" + "log" + "net/url" + "os" + "os/user" + "strconv" + "strings" + "time" +) + +const gcsBaseUrl = "https://storage.googleapis.com" +const envVar = "GOOGLE_APPLICATION_CREDENTIALS" + +func dataSourceGoogleSignedUrl() *schema.Resource { + return &schema.Resource{ + Read: dataSourceGoogleSignedUrlRead, + + Schema: map[string]*schema.Schema{ + "bucket": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + //TODO: implement support + //"content_type": &schema.Schema{ + // Type: schema.TypeString, + // Optional: true, + // Default: "", + //}, + "credentials": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "duration": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "1h", + }, + "http_method": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "GET", + }, + //TODO: implement support + //"http_headers": &schema.Schema{ + // Type: schema.TypeList, + // Optional: true, + //}, + //TODO: implement support + //"md5_digest": &schema.Schema{ + // Type: schema.TypeString, + // Optional: true, + // Default: "", + //}, + "path": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + "signed_url": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + }, + } +} + +func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + + // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + // Build UrlData object from data source attributes + urlData := &UrlData{} + + // HTTP Method + if method, ok := d.GetOk("http_method"); ok && len(method.(string)) >= 3 { + urlData.HttpMethod = method.(string) + } else { + return fmt.Errorf("not a valid http method") + } + + // convert duration to an expiration datetime (unix time in seconds) + durationString := "1h" + if v, ok := d.GetOk("duration"); ok { + durationString = v.(string) + } + duration, err := time.ParseDuration(durationString) + if err != nil { + return fmt.Errorf("could not parse duration") + } + expires := time.Now().Unix() + int64(duration.Seconds()) + urlData.Expires = int(expires) + + // object path + path := []string{ + "", + d.Get("bucket").(string), + d.Get("path").(string), + } + objectPath := strings.Join(path, "/") + urlData.Path = objectPath + + // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + // Load JWT Config from Google Credentials + jwtConfig, err := loadJwtConfig(d, config) + if err != nil { + return err + } + urlData.JwtConfig = jwtConfig + + // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + // Sign url object data + signature, err := SignString(urlData.CreateSigningString(), jwtConfig) + if err != nil { + return fmt.Errorf("could not sign data: %v", err) + } + urlData.Signature = signature + + // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + // Construct URL + finalUrl := urlData.BuildUrl() + d.SetId(finalUrl) + d.Set("signed_url", finalUrl) + + return nil +} + +// This looks for credentials json in the following places, +// preferring the first location found: +// +// 1. Credentials provided in data source `credentials` attribute. +// 2. Credentials provided in the provider definition. +// 3. A JSON file whose path is specified by the +// GOOGLE_APPLICATION_CREDENTIALS environment variable. +func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error) { + config := meta.(*Config) + + credentials := "" + if v, ok := d.GetOk("credentials"); ok { + log.Println("[DEBUG] using data source credentials") + credentials = v.(string) + + } else if config.Credentials != "" { + log.Println("[DEBUG] using provider credentials") + credentials = config.Credentials + + } else if filename := os.Getenv(envVar); filename != "" { + log.Println("[DEBUG] using env GOOGLE_APPLICATION_CREDENTIALS credentials") + credentials = filename + + } + + if strings.TrimSpace(credentials) != "" { + contents, _, err := pathorcontents.Read(credentials) + if err != nil { + return nil, fmt.Errorf("Error loading credentials: %s", err) + } + + cfg, err := google.JWTConfigFromJSON([]byte(contents), "") + if err != nil { + return nil, fmt.Errorf("Error parsing credentials: \n %s \n Error: %s", contents, err) + } + return cfg, nil + } + + return nil, fmt.Errorf("Credentials not provided in resource or provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") +} + +func guessUnixHomeDir() string { + usr, err := user.Current() + if err == nil { + return usr.HomeDir + } + return os.Getenv("HOME") +} + +// parsePrivateKey converts the binary contents of a private key file +// to an *rsa.PrivateKey. It detects whether the private key is in a +// PEM container or not. If so, it extracts the the private key +// from PEM container before conversion. It only supports PEM +// containers with no passphrase. +// copied from golang.org/x/oauth2/internal +func parsePrivateKey(key []byte) (*rsa.PrivateKey, error) { + block, _ := pem.Decode(key) + if block != nil { + key = block.Bytes + } + parsedKey, err := x509.ParsePKCS8PrivateKey(key) + if err != nil { + parsedKey, err = x509.ParsePKCS1PrivateKey(key) + if err != nil { + return nil, fmt.Errorf("private key should be a PEM or plain PKSC1 or PKCS8; parse error: %v", err) + } + } + parsed, ok := parsedKey.(*rsa.PrivateKey) + if !ok { + return nil, fmt.Errorf("private key is invalid") + } + return parsed, nil +} + +type UrlData struct { + JwtConfig *jwt.Config + HttpMethod string + Expires int + Path string + Signature []byte +} + +// Creates a string in the form ready for signing: +// https://cloud.google.com/storage/docs/access-control/create-signed-urls-program +// Example output: +// ------------------- +// GET +// +// +// 1388534400 +// bucket/objectname +// ------------------- +func (u *UrlData) CreateSigningString() []byte { + var buf bytes.Buffer + + // HTTP VERB + buf.WriteString(u.HttpMethod) + buf.WriteString("\n") + + // MD5 digest (optional) + // TODO + buf.WriteString("\n") + + // request content-type (optional) + // TODO + buf.WriteString("\n") + + // signed url expiration + buf.WriteString(strconv.Itoa(u.Expires)) + buf.WriteString("\n") + + // additional request headers (optional) + // TODO + + // object path + buf.WriteString(u.Path) + + return buf.Bytes() +} + +// Builds the final signed URL a client can use to retrieve storage object +func (u *UrlData) BuildUrl() string { + // base64 encode signature + encoded := base64.StdEncoding.EncodeToString(u.Signature) + // encoded signature may include /, = characters that need escaping + encoded = url.QueryEscape(encoded) + + // set url + // https://cloud.google.com/storage/docs/access-control/create-signed-urls-program + var urlBuffer bytes.Buffer + urlBuffer.WriteString(gcsBaseUrl) + urlBuffer.WriteString(u.Path) + urlBuffer.WriteString("?GoogleAccessId=") + urlBuffer.WriteString(u.JwtConfig.Email) + urlBuffer.WriteString("&Expires=") + urlBuffer.WriteString(strconv.Itoa(u.Expires)) + urlBuffer.WriteString("&Signature=") + urlBuffer.WriteString(encoded) + + return urlBuffer.String() +} + +func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) { + pk, err := parsePrivateKey(cfg.PrivateKey) + if err != nil { + return nil, fmt.Errorf("could not parse key: %v\nKey:%s", err, string(cfg.PrivateKey)) + } + + // Hash string + hasher := sha256.New() + hasher.Write(toSign) + + signed, err := rsa.SignPKCS1v15(rand.Reader, pk, crypto.SHA256, hasher.Sum(nil)) + if err != nil { + return nil, fmt.Errorf("Error from signing: %s\n", err) + } + + return signed, nil +} diff --git a/data_source_storage_object_signed_url_test.go b/data_source_storage_object_signed_url_test.go new file mode 100644 index 00000000..576633de --- /dev/null +++ b/data_source_storage_object_signed_url_test.go @@ -0,0 +1,212 @@ +package google + +import ( + "testing" + + "bytes" + "encoding/base64" + "fmt" + "github.com/hashicorp/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" + "golang.org/x/oauth2/google" + "io/ioutil" + "net/http" + "net/url" +) + +const fakeCredentials = `{ + "type": "service_account", + "project_id": "gcp-project", + "private_key_id": "29a54056cee3d6886d9e8515a959af538ab5add9", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAsGHDAdHZfi81LgVeeMHXYLgNDpcFYhoBykYtTDdNyA5AixID\n8JdKlCmZ6qLNnZrbs4JlBJfmzw6rjUC5bVBFg5NwYVBu3+3Msa4rgLsTGsjPH9rt\nC+QFnFhcmzg3zz8eeXBqJdhw7wmn1Xa9SsC3h6YWveBk98ecyE7yGe8J8xGphjk7\nEQ/KBmRK/EJD0ZwuYW1W4Bv5f5fca7qvi9rCprEmL8//uy0qCwoJj2jU3zc5p72M\npkSZb1XlYxxTEo/h9WCEvWS9pGhy6fJ0sA2RsBHqU4Y5O7MJEei9yu5fVSZUi05f\n/ggfUID+cFEq0Z/A98whKPEBBJ/STdEaqEEkBwIDAQABAoIBAED6EsvF0dihbXbh\ntXbI+h4AT5cTXYFRUV2B0sgkC3xqe65/2YG1Sl0gojoE9bhcxxjvLWWuy/F1Vw93\nS5gQnTsmgpzm86F8yg6euhn3UMdqOJtknDToMITzLFJmOHEZsJFOL1x3ysrUhMan\nsn4qVrIbJn+WfbumBoToSFnzbHflacOh06ZRbYa2bpSPMfGGFtwqQjRadn5+pync\nlCjaupcg209sM0qEk/BDSzHvWL1VgLMdiKBx574TSwS0o569+7vPNt92Ydi7kARo\nreOzkkF4L3xNhKZnmls2eGH6A8cp1KZXoMLFuO+IwvBMA0O29LsUlKJU4PjBrf+7\nwaslnMECgYEA5bJv0L6DKZQD3RCBLue4/mDg0GHZqAhJBS6IcaXeaWeH6PgGZggV\nMGkWnULltJIYFwtaueTfjWqciAeocKx+rqoRjuDMOGgcrEf6Y+b5AqF+IjQM66Ll\nIYPUt3FCIc69z5LNEtyP4DSWsFPJ5UhAoG4QRlDTqT5q0gKHFjeLdeECgYEAxJRk\nkrsWmdmUs5NH9pyhTdEDIc59EuJ8iOqOLzU8xUw6/s2GSClopEFJeeEoIWhLuPY3\nX3bFt4ppl/ksLh05thRs4wXRxqhnokjD3IcGu3l6Gb5QZTYwb0VfN+q2tWVEE8Qc\nPQURheUsM2aP/gpJVQvNsWVmkT0Ijc3J8bR2hucCgYEAjOF4e0ueHu5NwFTTJvWx\nHTRGLwkU+l66ipcT0MCvPW7miRk2s3XZqSuLV0Ekqi/A3sF0D/g0tQPipfwsb48c\n0/wzcLKoDyCsFW7AQG315IswVcIe+peaeYfl++1XZmzrNlkPtrXY+ObIVbXOavZ5\nzOw0xyvj5jYGRnCOci33N4ECgYA91EKx2ABq0YGw3aEj0u31MMlgZ7b1KqFq2wNv\nm7oKgEiJ/hC/P673AsXefNAHeetfOKn/77aOXQ2LTEb2FiEhwNjiquDpL+ywoVxh\nT2LxsmqSEEbvHpUrWlFxn/Rpp3k7ElKjaqWxTHyTii2+BHQ+OKEwq6kQA3deSpy6\n1jz1fwKBgQDLqbdq5FA63PWqApfNVykXukg9MASIcg/0fjADFaHTPDvJjhFutxRP\nppI5Q95P12CQ/eRBZKJnRlkhkL8tfPaWPzzOpCTjID7avRhx2oLmstmYuXx0HluE\ncqXLbAV9WDpIJ3Bpa/S8tWujWhLDmixn2JeAdurWS+naH9U9e4I6Rw==\n-----END RSA PRIVATE KEY-----\n", + "client_email": "user@gcp-project.iam.gserviceaccount.com", + "client_id": "103198861025845558729", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/user%40gcp-project.iam.gserviceaccount.com" +}` + +// The following values are derived from the output of the `gsutil signurl` command. +// i.e. +// gsutil signurl fake_creds.json gs://tf-test-bucket-6159205297736845881/path/to/file +// URL HTTP Method Expiration Signed URL +// gs://tf-test-bucket-6159205297736845881/path/to/file GET 2016-08-12 14:03:30 https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D + +const testUrlPath = "/tf-test-bucket-6159205297736845881/path/to/file" +const testUrlExpires = 1470967410 +const testUrlExpectedSignatureBase64Encoded = "JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D" +const testUrlExpectedUrl = "https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D" + +func TestUrlData_Signing(t *testing.T) { + urlData := &UrlData{ + HttpMethod: "GET", + Expires: testUrlExpires, + Path: testUrlPath, + } + // unescape and decode the expected signature + expectedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded) + if err != nil { + t.Error(err) + } + expected, err := base64.StdEncoding.DecodeString(expectedSig) + if err != nil { + t.Error(err) + } + + // load fake service account credentials + cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "") + if err != nil { + t.Error(err) + } + + // create url data signature + toSign := urlData.CreateSigningString() + result, err := SignString(toSign, cfg) + if err != nil { + t.Error(err) + } + + // compare to expected value + if !bytes.Equal(result, expected) { + t.Errorf("Signatures do not match:\n%x\n%x\n", expected, result) + } + +} + +func TestUrlData_CreateUrl(t *testing.T) { + // unescape and decode the expected signature + encodedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded) + if err != nil { + t.Error(err) + } + sig, err := base64.StdEncoding.DecodeString(encodedSig) + if err != nil { + t.Error(err) + } + + // load fake service account credentials + cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "") + if err != nil { + t.Error(err) + } + + urlData := &UrlData{ + HttpMethod: "GET", + Expires: testUrlExpires, + Path: testUrlPath, + Signature: sig, + JwtConfig: cfg, + } + result := urlData.BuildUrl() + if result != testUrlExpectedUrl { + t.Errorf("URL does not match expected value:\n%s\n%s", testUrlExpectedUrl, result) + } +} + +func TestDatasourceSignedUrl_basic(t *testing.T) { + resource.Test(t, resource.TestCase{ + //PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testGoogleSignedUrlConfig, + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlExists("data.google_storage_object_signed_url.blerg"), + ), + }, + }, + }) +} + +func TestDatasourceSignedUrl_accTest(t *testing.T) { + bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt()) + + resource.Test(t, resource.TestCase{ + //PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccTestGoogleStorageObjectSingedUrl(bucketName), + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url"), + ), + }, + }, + }) +} + +func testAccGoogleSignedUrlExists(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + r := s.RootModule().Resources[n] + a := r.Primary.Attributes + + if a["signed_url"] == "" { + return fmt.Errorf("signed_url is empty: %v", a) + } + + return nil + } +} + +func testAccGoogleSignedUrlRetrieval(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + r := s.RootModule().Resources[n] + a := r.Primary.Attributes + + if a["signed_url"] == "" { + return fmt.Errorf("signed_url is empty: %v", a) + } + + url := a["signed_url"] + + // send request to GET object using signed url + client := http.DefaultClient + response, err := client.Get(url) + if err != nil { + return err + } + + defer response.Body.Close() + body, err := ioutil.ReadAll(response.Body) + if err != nil { + return err + } + if string(body) != "once upon a time..." { + return fmt.Errorf("Got unexpected object contents: %s\n\tURL: %s", string(body), url) + } + + return nil + } +} + +const testGoogleSignedUrlConfig = ` +data "google_storage_object_signed_url" "blerg" { + bucket = "friedchicken" + path = "path/to/file" + +} +` + +func testAccTestGoogleStorageObjectSingedUrl(bucketName string) string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "%s" +} + +resource "google_storage_bucket_object" "story" { + name = "path/to/file" + bucket = "${google_storage_bucket.bucket.name}" + + content = "once upon a time..." +} + +data "google_storage_object_signed_url" "story_url" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + +} +`, bucketName) +} diff --git a/provider.go b/provider.go index b439f5a2..bc4f93e8 100644 --- a/provider.go +++ b/provider.go @@ -57,7 +57,8 @@ func Provider() terraform.ResourceProvider { }, DataSourcesMap: map[string]*schema.Resource{ - "google_iam_policy": dataSourceGoogleIamPolicy(), + "google_iam_policy": dataSourceGoogleIamPolicy(), + "google_storage_object_signed_url": dataSourceGoogleSignedUrl(), }, ResourcesMap: map[string]*schema.Resource{ From ca682dcc284e3477b9196ca2fbb3b9421536447b Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Mon, 15 Aug 2016 11:15:25 +1200 Subject: [PATCH 2/7] Add google_storage_object_signed_url documentation. --- data_source_storage_object_signed_url.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go index f39dcdf3..fa323359 100644 --- a/data_source_storage_object_signed_url.go +++ b/data_source_storage_object_signed_url.go @@ -176,7 +176,7 @@ func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error return cfg, nil } - return nil, fmt.Errorf("Credentials not provided in resource or provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") + return nil, fmt.Errorf("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") } func guessUnixHomeDir() string { @@ -281,6 +281,7 @@ func (u *UrlData) BuildUrl() string { } func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) { + // Parse private key pk, err := parsePrivateKey(cfg.PrivateKey) if err != nil { return nil, fmt.Errorf("could not parse key: %v\nKey:%s", err, string(cfg.PrivateKey)) @@ -290,9 +291,10 @@ func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) { hasher := sha256.New() hasher.Write(toSign) + // Sign string signed, err := rsa.SignPKCS1v15(rand.Reader, pk, crypto.SHA256, hasher.Sum(nil)) if err != nil { - return nil, fmt.Errorf("Error from signing: %s\n", err) + return nil, fmt.Errorf("error signing string: %s\n", err) } return signed, nil From 070433d8b2ab6396f699d870adee2ee024b00c31 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Mon, 15 Aug 2016 17:34:56 +1200 Subject: [PATCH 3/7] =?UTF-8?q?Tidy=20up;=20-=20re-add=20=E2=80=98testAccP?= =?UTF-8?q?reCheck()=E2=80=99=20to=20acceptance=20tests,=20to=20ensure=20n?= =?UTF-8?q?ecessary=20GOOGLE=5F*=20env=20vars=20are=20set=20for=20Acceptan?= =?UTF-8?q?ce=20tests.=20-=20remove=20unused=20code=20from=20datasource=20?= =?UTF-8?q?-=20use=20URL=20signature=20(base64=20encoded)=20as=20data=20so?= =?UTF-8?q?urce=20ID=20instead=20of=20full=20URL?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- data_source_storage_object_signed_url.go | 34 ++++++++----------- data_source_storage_object_signed_url_test.go | 15 ++++---- 2 files changed, 22 insertions(+), 27 deletions(-) diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go index fa323359..828e9ec0 100644 --- a/data_source_storage_object_signed_url.go +++ b/data_source_storage_object_signed_url.go @@ -17,14 +17,13 @@ import ( "log" "net/url" "os" - "os/user" "strconv" "strings" "time" ) const gcsBaseUrl = "https://storage.googleapis.com" -const envVar = "GOOGLE_APPLICATION_CREDENTIALS" +const googleCredentialsEnvVar = "GOOGLE_APPLICATION_CREDENTIALS" func dataSourceGoogleSignedUrl() *schema.Resource { return &schema.Resource{ @@ -132,14 +131,14 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Construct URL finalUrl := urlData.BuildUrl() - d.SetId(finalUrl) + d.SetId(urlData.EncodedSignature()) d.Set("signed_url", finalUrl) return nil } // This looks for credentials json in the following places, -// preferring the first location found: +// in order of preference: // // 1. Credentials provided in data source `credentials` attribute. // 2. Credentials provided in the provider definition. @@ -150,15 +149,15 @@ func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error credentials := "" if v, ok := d.GetOk("credentials"); ok { - log.Println("[DEBUG] using data source credentials") + log.Println("[DEBUG] using data source credentials to sign URL") credentials = v.(string) } else if config.Credentials != "" { - log.Println("[DEBUG] using provider credentials") + log.Println("[DEBUG] using provider credentials to sign URL") credentials = config.Credentials - } else if filename := os.Getenv(envVar); filename != "" { - log.Println("[DEBUG] using env GOOGLE_APPLICATION_CREDENTIALS credentials") + } else if filename := os.Getenv(googleCredentialsEnvVar); filename != "" { + log.Println("[DEBUG] using env GOOGLE_APPLICATION_CREDENTIALS credentials to sign URL") credentials = filename } @@ -179,14 +178,6 @@ func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error return nil, fmt.Errorf("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") } -func guessUnixHomeDir() string { - usr, err := user.Current() - if err == nil { - return usr.HomeDir - } - return os.Getenv("HOME") -} - // parsePrivateKey converts the binary contents of a private key file // to an *rsa.PrivateKey. It detects whether the private key is in a // PEM container or not. If so, it extracts the the private key @@ -258,13 +249,18 @@ func (u *UrlData) CreateSigningString() []byte { return buf.Bytes() } -// Builds the final signed URL a client can use to retrieve storage object -func (u *UrlData) BuildUrl() string { +func (u *UrlData) EncodedSignature() string { // base64 encode signature encoded := base64.StdEncoding.EncodeToString(u.Signature) // encoded signature may include /, = characters that need escaping encoded = url.QueryEscape(encoded) + return encoded +} + +// Builds the final signed URL a client can use to retrieve storage object +func (u *UrlData) BuildUrl() string { + // set url // https://cloud.google.com/storage/docs/access-control/create-signed-urls-program var urlBuffer bytes.Buffer @@ -275,7 +271,7 @@ func (u *UrlData) BuildUrl() string { urlBuffer.WriteString("&Expires=") urlBuffer.WriteString(strconv.Itoa(u.Expires)) urlBuffer.WriteString("&Signature=") - urlBuffer.WriteString(encoded) + urlBuffer.WriteString(u.EncodedSignature()) return urlBuffer.String() } diff --git a/data_source_storage_object_signed_url_test.go b/data_source_storage_object_signed_url_test.go index 576633de..d97a67e3 100644 --- a/data_source_storage_object_signed_url_test.go +++ b/data_source_storage_object_signed_url_test.go @@ -6,12 +6,12 @@ import ( "bytes" "encoding/base64" "fmt" + "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" "golang.org/x/oauth2/google" "io/ioutil" - "net/http" "net/url" ) @@ -31,8 +31,8 @@ const fakeCredentials = `{ // The following values are derived from the output of the `gsutil signurl` command. // i.e. // gsutil signurl fake_creds.json gs://tf-test-bucket-6159205297736845881/path/to/file -// URL HTTP Method Expiration Signed URL -// gs://tf-test-bucket-6159205297736845881/path/to/file GET 2016-08-12 14:03:30 https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D +// URL HTTP Method Expiration Signed URL +// gs://tf-test-bucket-6159205297736845881/path/to/file GET 2016-08-12 14:03:30 https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D const testUrlPath = "/tf-test-bucket-6159205297736845881/path/to/file" const testUrlExpires = 1470967410 @@ -75,7 +75,7 @@ func TestUrlData_Signing(t *testing.T) { } -func TestUrlData_CreateUrl(t *testing.T) { +func TestUrlData_BuildUrl(t *testing.T) { // unescape and decode the expected signature encodedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded) if err != nil { @@ -107,7 +107,7 @@ func TestUrlData_CreateUrl(t *testing.T) { func TestDatasourceSignedUrl_basic(t *testing.T) { resource.Test(t, resource.TestCase{ - //PreCheck: func() { testAccPreCheck(t) }, + PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ resource.TestStep{ @@ -124,7 +124,7 @@ func TestDatasourceSignedUrl_accTest(t *testing.T) { bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt()) resource.Test(t, resource.TestCase{ - //PreCheck: func() { testAccPreCheck(t) }, + PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ resource.TestStep{ @@ -163,12 +163,11 @@ func testAccGoogleSignedUrlRetrieval(n string) resource.TestCheckFunc { url := a["signed_url"] // send request to GET object using signed url - client := http.DefaultClient + client := cleanhttp.DefaultClient() response, err := client.Get(url) if err != nil { return err } - defer response.Body.Close() body, err := ioutil.ReadAll(response.Body) if err != nil { From b039b542f540992bfb4325b6f9fdb55835ad495f Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Mon, 5 Sep 2016 07:58:12 +1200 Subject: [PATCH 4/7] Add support for content_type, headers + md5_digest --- data_source_storage_object_signed_url.go | 96 +++++---- data_source_storage_object_signed_url_test.go | 183 +++++++++++++++++- 2 files changed, 242 insertions(+), 37 deletions(-) diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go index 828e9ec0..9149d45f 100644 --- a/data_source_storage_object_signed_url.go +++ b/data_source_storage_object_signed_url.go @@ -10,16 +10,18 @@ import ( "encoding/base64" "encoding/pem" "fmt" - "github.com/hashicorp/terraform/helper/pathorcontents" - "github.com/hashicorp/terraform/helper/schema" - "golang.org/x/oauth2/google" - "golang.org/x/oauth2/jwt" "log" "net/url" "os" "strconv" "strings" "time" + + "github.com/hashicorp/terraform/helper/pathorcontents" + "github.com/hashicorp/terraform/helper/schema" + "golang.org/x/oauth2/google" + "golang.org/x/oauth2/jwt" + "sort" ) const gcsBaseUrl = "https://storage.googleapis.com" @@ -34,12 +36,11 @@ func dataSourceGoogleSignedUrl() *schema.Resource { Type: schema.TypeString, Required: true, }, - //TODO: implement support - //"content_type": &schema.Schema{ - // Type: schema.TypeString, - // Optional: true, - // Default: "", - //}, + "content_type": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "", + }, "credentials": &schema.Schema{ Type: schema.TypeString, Optional: true, @@ -54,17 +55,16 @@ func dataSourceGoogleSignedUrl() *schema.Resource { Optional: true, Default: "GET", }, - //TODO: implement support - //"http_headers": &schema.Schema{ - // Type: schema.TypeList, - // Optional: true, - //}, - //TODO: implement support - //"md5_digest": &schema.Schema{ - // Type: schema.TypeString, - // Optional: true, - // Default: "", - //}, + "http_headers": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Elem: schema.TypeString, + }, + "md5_digest": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "", + }, "path": &schema.Schema{ Type: schema.TypeString, Required: true, @@ -80,7 +80,6 @@ func dataSourceGoogleSignedUrl() *schema.Resource { func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) - // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Build UrlData object from data source attributes urlData := &UrlData{} @@ -103,6 +102,25 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err expires := time.Now().Unix() + int64(duration.Seconds()) urlData.Expires = int(expires) + if v, ok := d.GetOk("content_type"); ok { + urlData.ContentType = v.(string) + } + + if v, ok := d.GetOk("http_headers"); ok { + hdrMap := v.(map[string]interface{}) + + if len(hdrMap) > 0 { + urlData.HttpHeaders = make(map[string]string, len(hdrMap)) + for k, v := range hdrMap { + urlData.HttpHeaders[k] = v.(string) + } + } + } + + if v, ok := d.GetOk("md5_digest"); ok { + urlData.Md5Digest = v.(string) + } + // object path path := []string{ "", @@ -112,7 +130,6 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err objectPath := strings.Join(path, "/") urlData.Path = objectPath - // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Load JWT Config from Google Credentials jwtConfig, err := loadJwtConfig(d, config) if err != nil { @@ -120,7 +137,6 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err } urlData.JwtConfig = jwtConfig - // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Sign url object data signature, err := SignString(urlData.CreateSigningString(), jwtConfig) if err != nil { @@ -128,7 +144,6 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err } urlData.Signature = signature - // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Construct URL finalUrl := urlData.BuildUrl() d.SetId(urlData.EncodedSignature()) @@ -204,11 +219,14 @@ func parsePrivateKey(key []byte) (*rsa.PrivateKey, error) { } type UrlData struct { - JwtConfig *jwt.Config - HttpMethod string - Expires int - Path string - Signature []byte + JwtConfig *jwt.Config + ContentType string + HttpMethod string + Expires int + Md5Digest string + HttpHeaders map[string]string + Path string + Signature []byte } // Creates a string in the form ready for signing: @@ -229,11 +247,11 @@ func (u *UrlData) CreateSigningString() []byte { buf.WriteString("\n") // MD5 digest (optional) - // TODO + buf.WriteString(u.Md5Digest) buf.WriteString("\n") // request content-type (optional) - // TODO + buf.WriteString(u.ContentType) buf.WriteString("\n") // signed url expiration @@ -241,11 +259,23 @@ func (u *UrlData) CreateSigningString() []byte { buf.WriteString("\n") // additional request headers (optional) - // TODO + // Must be sorted in lexigraphical order + var keys []string + for k := range u.HttpHeaders { + keys = append(keys, strings.ToLower(k)) + } + sort.Strings(keys) + + // To perform the opertion you want + for _, k := range keys { + buf.WriteString(fmt.Sprintf("%s:%s\n", k, u.HttpHeaders[k])) + } // object path buf.WriteString(u.Path) + fmt.Printf("SIGNING STRING: \n%s\n", buf.String()) + return buf.Bytes() } diff --git a/data_source_storage_object_signed_url_test.go b/data_source_storage_object_signed_url_test.go index d97a67e3..e4a78c03 100644 --- a/data_source_storage_object_signed_url_test.go +++ b/data_source_storage_object_signed_url_test.go @@ -12,7 +12,9 @@ import ( "github.com/hashicorp/terraform/terraform" "golang.org/x/oauth2/google" "io/ioutil" + "net/http" "net/url" + "strings" ) const fakeCredentials = `{ @@ -130,13 +132,92 @@ func TestDatasourceSignedUrl_accTest(t *testing.T) { resource.TestStep{ Config: testAccTestGoogleStorageObjectSingedUrl(bucketName), Check: resource.ComposeTestCheckFunc( - testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url"), + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url", nil), ), }, }, }) } +func TestDatasourceSignedUrl_wHeaders(t *testing.T) { + + headers := map[string]string{ + "x-goog-test": "foo", + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccTestGoogleStorageObjectSingedUrl_wHeader(), + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_headers", headers), + ), + }, + }, + }) +} + +func TestDatasourceSignedUrl_wContentType(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccTestGoogleStorageObjectSingedUrl_wContentType(), + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_content_type", nil), + ), + }, + }, + }) +} + +func TestDatasourceSignedUrl_wMD5(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccTestGoogleStorageObjectSingedUrl_wMD5(), + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_md5", nil), + ), + }, + }, + }) +} + +// formatRequest generates ascii representation of a request +func formatRequest(r *http.Request) string { + // Create return string + var request []string + request = append(request, "--------") + // Add the request string + url := fmt.Sprintf("%v %v %v", r.Method, r.URL, r.Proto) + request = append(request, url) + // Add the host + request = append(request, fmt.Sprintf("Host: %v", r.Host)) + // Loop through headers + for name, headers := range r.Header { + //name = strings.ToLower(name) + for _, h := range headers { + request = append(request, fmt.Sprintf("%v: %v", name, h)) + } + } + + // If this is a POST, add post data + if r.Method == "POST" { + r.ParseForm() + request = append(request, "\n") + request = append(request, r.Form.Encode()) + } + request = append(request, "--------") + // Return the request as a string + return strings.Join(request, "\n") +} + func testAccGoogleSignedUrlExists(n string) resource.TestCheckFunc { return func(s *terraform.State) error { @@ -151,9 +232,12 @@ func testAccGoogleSignedUrlExists(n string) resource.TestCheckFunc { } } -func testAccGoogleSignedUrlRetrieval(n string) resource.TestCheckFunc { +func testAccGoogleSignedUrlRetrieval(n string, headers map[string]string) resource.TestCheckFunc { return func(s *terraform.State) error { r := s.RootModule().Resources[n] + if r == nil { + return fmt.Errorf("Datasource not found") + } a := r.Primary.Attributes if a["signed_url"] == "" { @@ -161,10 +245,38 @@ func testAccGoogleSignedUrlRetrieval(n string) resource.TestCheckFunc { } url := a["signed_url"] + fmt.Printf("URL: %s\n", url) + method := a["http_method"] + + req, _ := http.NewRequest(method, url, nil) + + // Apply custom headers to request + for k, v := range headers { + fmt.Printf("Adding Header (%s: %s)\n", k, v) + req.Header.Set(k, v) + } + + contentType := a["content_type"] + if contentType != "" { + fmt.Printf("Adding Content-Type: %s\n", contentType) + req.Header.Add("Content-Type", contentType) + } + + md5Digest := a["md5_digest"] + if md5Digest != "" { + fmt.Printf("Adding Content-MD5: %s\n", md5Digest) + req.Header.Add("Content-MD5", md5Digest) + } // send request to GET object using signed url client := cleanhttp.DefaultClient() - response, err := client.Get(url) + + // Print request + //dump, _ := httputil.DumpRequest(req, true) + //fmt.Printf("%+q\n", strings.Replace(string(dump), "\\n", "\n", 99)) + fmt.Printf("%s\n", formatRequest(req)) + + response, err := client.Do(req) if err != nil { return err } @@ -206,6 +318,69 @@ data "google_storage_object_signed_url" "story_url" { bucket = "${google_storage_bucket.bucket.name}" path = "${google_storage_bucket_object.story.name}" +}`, bucketName) } -`, bucketName) + +func testAccTestGoogleStorageObjectSingedUrl_wHeader() string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "tf-signurltest-%s" +} + +resource "google_storage_bucket_object" "story" { + name = "path/to/file" + bucket = "${google_storage_bucket.bucket.name}" + + content = "once upon a time..." +} + +data "google_storage_object_signed_url" "story_url_w_headers" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + http_headers { + x-goog-test = "foo" + } +}`, acctest.RandString(6)) +} + +func testAccTestGoogleStorageObjectSingedUrl_wContentType() string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "tf-signurltest-%s" +} + +resource "google_storage_bucket_object" "story" { + name = "path/to/file" + bucket = "${google_storage_bucket.bucket.name}" + + content = "once upon a time..." +} + +data "google_storage_object_signed_url" "story_url_w_content_type" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + + content_type = "text/plain" +}`, acctest.RandString(6)) +} + +func testAccTestGoogleStorageObjectSingedUrl_wMD5() string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "tf-signurltest-%s" +} + +resource "google_storage_bucket_object" "story" { + name = "path/to/file" + bucket = "${google_storage_bucket.bucket.name}" + + content = "once upon a time..." +} + +data "google_storage_object_signed_url" "story_url_w_md5" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + + md5_digest = "${google_storage_bucket_object.story.md5hash}" +}`, acctest.RandString(6)) } From 0f123f6d232cdd8a9e08e9b6756c9f13833f71ef Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Mon, 5 Sep 2016 13:48:59 +1200 Subject: [PATCH 5/7] =?UTF-8?q?Incorporate=20@jen20=20code=20comments=20(e?= =?UTF-8?q?rrors,=20errwrap,=20TODO=E2=80=99s)=20Implement=20content=5Fmd5?= =?UTF-8?q?,=20content=5Ftype,=20extension=5Fheaders=20support.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- data_source_storage_object_signed_url.go | 184 +++++++++++------- data_source_storage_object_signed_url_test.go | 184 +++--------------- 2 files changed, 147 insertions(+), 221 deletions(-) diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go index 9149d45f..6813bf95 100644 --- a/data_source_storage_object_signed_url.go +++ b/data_source_storage_object_signed_url.go @@ -9,6 +9,7 @@ import ( "crypto/x509" "encoding/base64" "encoding/pem" + "errors" "fmt" "log" "net/url" @@ -17,11 +18,15 @@ import ( "strings" "time" + "sort" + + "regexp" + + "github.com/hashicorp/errwrap" "github.com/hashicorp/terraform/helper/pathorcontents" "github.com/hashicorp/terraform/helper/schema" "golang.org/x/oauth2/google" "golang.org/x/oauth2/jwt" - "sort" ) const gcsBaseUrl = "https://storage.googleapis.com" @@ -36,6 +41,11 @@ func dataSourceGoogleSignedUrl() *schema.Resource { Type: schema.TypeString, Required: true, }, + "content_md5": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "", + }, "content_type": &schema.Schema{ Type: schema.TypeString, Optional: true, @@ -50,20 +60,17 @@ func dataSourceGoogleSignedUrl() *schema.Resource { Optional: true, Default: "1h", }, + "extension_headers": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Elem: schema.TypeString, + ValidateFunc: validateExtensionHeaders, + }, "http_method": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Default: "GET", - }, - "http_headers": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - Elem: schema.TypeString, - }, - "md5_digest": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Default: "", + Type: schema.TypeString, + Optional: true, + Default: "GET", + ValidateFunc: validateHttpMethod, }, "path": &schema.Schema{ Type: schema.TypeString, @@ -77,6 +84,26 @@ func dataSourceGoogleSignedUrl() *schema.Resource { } } +func validateExtensionHeaders(v interface{}, k string) (ws []string, errors []error) { + hdrMap := v.(map[string]interface{}) + for k, _ := range hdrMap { + if !strings.HasPrefix(strings.ToLower(k), "x-goog") { + errors = append(errors, fmt.Errorf( + "extension_header (%s) not valid, header name must begin with 'x-goog-'", k)) + } + } + return +} + +func validateHttpMethod(v interface{}, k string) (ws []string, errs []error) { + value := v.(string) + value = strings.ToUpper(value) + if !regexp.MustCompile(`^(GET|HEAD|PUT|DELETE)$`).MatchString(value) { + errs = append(errs, errors.New("HTTP method must be one of [GET|HEAD|PUT|DELETE]")) + } + return +} + func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) @@ -87,7 +114,7 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err if method, ok := d.GetOk("http_method"); ok && len(method.(string)) >= 3 { urlData.HttpMethod = method.(string) } else { - return fmt.Errorf("not a valid http method") + return errors.New("not a valid http method") } // convert duration to an expiration datetime (unix time in seconds) @@ -97,16 +124,23 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err } duration, err := time.ParseDuration(durationString) if err != nil { - return fmt.Errorf("could not parse duration") + return errwrap.Wrapf("could not parse duration: {{err}}", err) } expires := time.Now().Unix() + int64(duration.Seconds()) urlData.Expires = int(expires) + // content_md5 is optional + if v, ok := d.GetOk("content_md5"); ok { + urlData.ContentMd5 = v.(string) + } + + // content_type is optional if v, ok := d.GetOk("content_type"); ok { urlData.ContentType = v.(string) } - if v, ok := d.GetOk("http_headers"); ok { + // extension_headers (x-goog-* HTTP headers) are optional + if v, ok := d.GetOk("extension_headers"); ok { hdrMap := v.(map[string]interface{}) if len(hdrMap) > 0 { @@ -117,10 +151,6 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err } } - if v, ok := d.GetOk("md5_digest"); ok { - urlData.Md5Digest = v.(string) - } - // object path path := []string{ "", @@ -137,26 +167,28 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err } urlData.JwtConfig = jwtConfig - // Sign url object data - signature, err := SignString(urlData.CreateSigningString(), jwtConfig) - if err != nil { - return fmt.Errorf("could not sign data: %v", err) - } - urlData.Signature = signature - // Construct URL - finalUrl := urlData.BuildUrl() - d.SetId(urlData.EncodedSignature()) - d.Set("signed_url", finalUrl) + signedUrl, err := urlData.SignedUrl() + if err != nil { + return err + } + + // Success + d.Set("signed_url", signedUrl) + + encodedSig, err := urlData.EncodedSignature() + if err != nil { + return err + } + d.SetId(encodedSig) return nil } -// This looks for credentials json in the following places, +// loadJwtConfig looks for credentials json in the following places, // in order of preference: -// -// 1. Credentials provided in data source `credentials` attribute. -// 2. Credentials provided in the provider definition. +// 1. `credentials` attribute of the datasource +// 2. `credentials` attribute in the provider definition. // 3. A JSON file whose path is specified by the // GOOGLE_APPLICATION_CREDENTIALS environment variable. func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error) { @@ -180,17 +212,17 @@ func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error if strings.TrimSpace(credentials) != "" { contents, _, err := pathorcontents.Read(credentials) if err != nil { - return nil, fmt.Errorf("Error loading credentials: %s", err) + return nil, errwrap.Wrapf("Error loading credentials: {{err}}", err) } cfg, err := google.JWTConfigFromJSON([]byte(contents), "") if err != nil { - return nil, fmt.Errorf("Error parsing credentials: \n %s \n Error: %s", contents, err) + return nil, errwrap.Wrapf("Error parsing credentials: {{err}}", err) } return cfg, nil } - return nil, fmt.Errorf("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") + return nil, errors.New("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") } // parsePrivateKey converts the binary contents of a private key file @@ -208,29 +240,29 @@ func parsePrivateKey(key []byte) (*rsa.PrivateKey, error) { if err != nil { parsedKey, err = x509.ParsePKCS1PrivateKey(key) if err != nil { - return nil, fmt.Errorf("private key should be a PEM or plain PKSC1 or PKCS8; parse error: %v", err) + return nil, errwrap.Wrapf("private key should be a PEM or plain PKSC1 or PKCS8; parse error: {{err}}", err) } } parsed, ok := parsedKey.(*rsa.PrivateKey) if !ok { - return nil, fmt.Errorf("private key is invalid") + return nil, errors.New("private key is invalid") } return parsed, nil } +// UrlData stores the values required to create a Signed Url type UrlData struct { JwtConfig *jwt.Config + ContentMd5 string ContentType string HttpMethod string Expires int - Md5Digest string HttpHeaders map[string]string Path string - Signature []byte } -// Creates a string in the form ready for signing: -// https://cloud.google.com/storage/docs/access-control/create-signed-urls-program +// SigningString creates a string representation of the UrlData in a form ready for signing: +// see https://cloud.google.com/storage/docs/access-control/create-signed-urls-program // Example output: // ------------------- // GET @@ -239,59 +271,78 @@ type UrlData struct { // 1388534400 // bucket/objectname // ------------------- -func (u *UrlData) CreateSigningString() []byte { +func (u *UrlData) SigningString() []byte { var buf bytes.Buffer - // HTTP VERB + // HTTP Verb buf.WriteString(u.HttpMethod) buf.WriteString("\n") - // MD5 digest (optional) - buf.WriteString(u.Md5Digest) + // Content MD5 (optional, always add new line) + buf.WriteString(u.ContentMd5) buf.WriteString("\n") - // request content-type (optional) + // Content Type (optional, always add new line) buf.WriteString(u.ContentType) buf.WriteString("\n") - // signed url expiration + // Expiration buf.WriteString(strconv.Itoa(u.Expires)) buf.WriteString("\n") - // additional request headers (optional) + // Extra HTTP headers (optional) // Must be sorted in lexigraphical order var keys []string for k := range u.HttpHeaders { keys = append(keys, strings.ToLower(k)) } sort.Strings(keys) - - // To perform the opertion you want + // Write sorted headers to signing string buffer for _, k := range keys { buf.WriteString(fmt.Sprintf("%s:%s\n", k, u.HttpHeaders[k])) } - // object path + // Storate Object path (includes bucketname) buf.WriteString(u.Path) - fmt.Printf("SIGNING STRING: \n%s\n", buf.String()) - return buf.Bytes() } -func (u *UrlData) EncodedSignature() string { +func (u *UrlData) Signature() ([]byte, error) { + // Sign url data + signature, err := SignString(u.SigningString(), u.JwtConfig) + if err != nil { + return nil, err + + } + + return signature, nil +} + +// EncodedSignature returns the Signature() after base64 encoding and url escaping +func (u *UrlData) EncodedSignature() (string, error) { + signature, err := u.Signature() + if err != nil { + return "", err + } + // base64 encode signature - encoded := base64.StdEncoding.EncodeToString(u.Signature) + encoded := base64.StdEncoding.EncodeToString(signature) // encoded signature may include /, = characters that need escaping encoded = url.QueryEscape(encoded) - return encoded + return encoded, nil } -// Builds the final signed URL a client can use to retrieve storage object -func (u *UrlData) BuildUrl() string { +// SignedUrl constructs the final signed URL a client can use to retrieve storage object +func (u *UrlData) SignedUrl() (string, error) { - // set url + encodedSig, err := u.EncodedSignature() + if err != nil { + return "", err + } + + // build url // https://cloud.google.com/storage/docs/access-control/create-signed-urls-program var urlBuffer bytes.Buffer urlBuffer.WriteString(gcsBaseUrl) @@ -301,16 +352,17 @@ func (u *UrlData) BuildUrl() string { urlBuffer.WriteString("&Expires=") urlBuffer.WriteString(strconv.Itoa(u.Expires)) urlBuffer.WriteString("&Signature=") - urlBuffer.WriteString(u.EncodedSignature()) + urlBuffer.WriteString(encodedSig) - return urlBuffer.String() + return urlBuffer.String(), nil } +// SignString calculates the SHA256 signature of the input string func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) { // Parse private key pk, err := parsePrivateKey(cfg.PrivateKey) if err != nil { - return nil, fmt.Errorf("could not parse key: %v\nKey:%s", err, string(cfg.PrivateKey)) + return nil, errwrap.Wrapf("failed to sign string, could not parse key: {{err}}", err) } // Hash string @@ -320,7 +372,7 @@ func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) { // Sign string signed, err := rsa.SignPKCS1v15(rand.Reader, pk, crypto.SHA256, hasher.Sum(nil)) if err != nil { - return nil, fmt.Errorf("error signing string: %s\n", err) + return nil, errwrap.Wrapf("failed to sign string, an error occurred: {{err}}", err) } return signed, nil diff --git a/data_source_storage_object_signed_url_test.go b/data_source_storage_object_signed_url_test.go index e4a78c03..b59b5a7a 100644 --- a/data_source_storage_object_signed_url_test.go +++ b/data_source_storage_object_signed_url_test.go @@ -6,15 +6,15 @@ import ( "bytes" "encoding/base64" "fmt" + "io/ioutil" + "net/http" + "net/url" + "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" "golang.org/x/oauth2/google" - "io/ioutil" - "net/http" - "net/url" - "strings" ) const fakeCredentials = `{ @@ -64,7 +64,7 @@ func TestUrlData_Signing(t *testing.T) { } // create url data signature - toSign := urlData.CreateSigningString() + toSign := urlData.SigningString() result, err := SignString(toSign, cfg) if err != nil { t.Error(err) @@ -77,17 +77,7 @@ func TestUrlData_Signing(t *testing.T) { } -func TestUrlData_BuildUrl(t *testing.T) { - // unescape and decode the expected signature - encodedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded) - if err != nil { - t.Error(err) - } - sig, err := base64.StdEncoding.DecodeString(encodedSig) - if err != nil { - t.Error(err) - } - +func TestUrlData_SignedUrl(t *testing.T) { // load fake service account credentials cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "") if err != nil { @@ -98,10 +88,12 @@ func TestUrlData_BuildUrl(t *testing.T) { HttpMethod: "GET", Expires: testUrlExpires, Path: testUrlPath, - Signature: sig, JwtConfig: cfg, } - result := urlData.BuildUrl() + result, err := urlData.SignedUrl() + if err != nil { + t.Errorf("Could not generated signed url: %+v", err) + } if result != testUrlExpectedUrl { t.Errorf("URL does not match expected value:\n%s\n%s", testUrlExpectedUrl, result) } @@ -125,6 +117,11 @@ func TestDatasourceSignedUrl_basic(t *testing.T) { func TestDatasourceSignedUrl_accTest(t *testing.T) { bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt()) + headers := map[string]string{ + "x-goog-test": "foo", + "x-goog-if-generation-match": "1", + } + resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -133,55 +130,8 @@ func TestDatasourceSignedUrl_accTest(t *testing.T) { Config: testAccTestGoogleStorageObjectSingedUrl(bucketName), Check: resource.ComposeTestCheckFunc( testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url", nil), - ), - }, - }, - }) -} - -func TestDatasourceSignedUrl_wHeaders(t *testing.T) { - - headers := map[string]string{ - "x-goog-test": "foo", - } - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: testAccTestGoogleStorageObjectSingedUrl_wHeader(), - Check: resource.ComposeTestCheckFunc( testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_headers", headers), - ), - }, - }, - }) -} - -func TestDatasourceSignedUrl_wContentType(t *testing.T) { - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: testAccTestGoogleStorageObjectSingedUrl_wContentType(), - Check: resource.ComposeTestCheckFunc( testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_content_type", nil), - ), - }, - }, - }) -} - -func TestDatasourceSignedUrl_wMD5(t *testing.T) { - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: testAccTestGoogleStorageObjectSingedUrl_wMD5(), - Check: resource.ComposeTestCheckFunc( testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_md5", nil), ), }, @@ -189,35 +139,6 @@ func TestDatasourceSignedUrl_wMD5(t *testing.T) { }) } -// formatRequest generates ascii representation of a request -func formatRequest(r *http.Request) string { - // Create return string - var request []string - request = append(request, "--------") - // Add the request string - url := fmt.Sprintf("%v %v %v", r.Method, r.URL, r.Proto) - request = append(request, url) - // Add the host - request = append(request, fmt.Sprintf("Host: %v", r.Host)) - // Loop through headers - for name, headers := range r.Header { - //name = strings.ToLower(name) - for _, h := range headers { - request = append(request, fmt.Sprintf("%v: %v", name, h)) - } - } - - // If this is a POST, add post data - if r.Method == "POST" { - r.ParseForm() - request = append(request, "\n") - request = append(request, r.Form.Encode()) - } - request = append(request, "--------") - // Return the request as a string - return strings.Join(request, "\n") -} - func testAccGoogleSignedUrlExists(n string) resource.TestCheckFunc { return func(s *terraform.State) error { @@ -244,43 +165,37 @@ func testAccGoogleSignedUrlRetrieval(n string, headers map[string]string) resour return fmt.Errorf("signed_url is empty: %v", a) } + // create HTTP request url := a["signed_url"] - fmt.Printf("URL: %s\n", url) method := a["http_method"] - req, _ := http.NewRequest(method, url, nil) - // Apply custom headers to request + // Add extension headers to request, if provided for k, v := range headers { - fmt.Printf("Adding Header (%s: %s)\n", k, v) req.Header.Set(k, v) } + // content_type is optional, add to test query if provided in datasource config contentType := a["content_type"] if contentType != "" { - fmt.Printf("Adding Content-Type: %s\n", contentType) req.Header.Add("Content-Type", contentType) } - md5Digest := a["md5_digest"] - if md5Digest != "" { - fmt.Printf("Adding Content-MD5: %s\n", md5Digest) - req.Header.Add("Content-MD5", md5Digest) + // content_md5 is optional, add to test query if provided in datasource config + contentMd5 := a["content_md5"] + if contentMd5 != "" { + req.Header.Add("Content-MD5", contentMd5) } - // send request to GET object using signed url + // send request using signed url client := cleanhttp.DefaultClient() - - // Print request - //dump, _ := httputil.DumpRequest(req, true) - //fmt.Printf("%+q\n", strings.Replace(string(dump), "\\n", "\n", 99)) - fmt.Printf("%s\n", formatRequest(req)) - response, err := client.Do(req) if err != nil { return err } defer response.Body.Close() + + // check content in response, should be our test string or XML with error body, err := ioutil.ReadAll(response.Body) if err != nil { return err @@ -318,42 +233,15 @@ data "google_storage_object_signed_url" "story_url" { bucket = "${google_storage_bucket.bucket.name}" path = "${google_storage_bucket_object.story.name}" -}`, bucketName) -} - -func testAccTestGoogleStorageObjectSingedUrl_wHeader() string { - return fmt.Sprintf(` -resource "google_storage_bucket" "bucket" { - name = "tf-signurltest-%s" -} - -resource "google_storage_bucket_object" "story" { - name = "path/to/file" - bucket = "${google_storage_bucket.bucket.name}" - - content = "once upon a time..." } data "google_storage_object_signed_url" "story_url_w_headers" { bucket = "${google_storage_bucket.bucket.name}" path = "${google_storage_bucket_object.story.name}" - http_headers { + extension_headers { x-goog-test = "foo" + x-goog-if-generation-match = 1 } -}`, acctest.RandString(6)) -} - -func testAccTestGoogleStorageObjectSingedUrl_wContentType() string { - return fmt.Sprintf(` -resource "google_storage_bucket" "bucket" { - name = "tf-signurltest-%s" -} - -resource "google_storage_bucket_object" "story" { - name = "path/to/file" - bucket = "${google_storage_bucket.bucket.name}" - - content = "once upon a time..." } data "google_storage_object_signed_url" "story_url_w_content_type" { @@ -361,26 +249,12 @@ data "google_storage_object_signed_url" "story_url_w_content_type" { path = "${google_storage_bucket_object.story.name}" content_type = "text/plain" -}`, acctest.RandString(6)) -} - -func testAccTestGoogleStorageObjectSingedUrl_wMD5() string { - return fmt.Sprintf(` -resource "google_storage_bucket" "bucket" { - name = "tf-signurltest-%s" -} - -resource "google_storage_bucket_object" "story" { - name = "path/to/file" - bucket = "${google_storage_bucket.bucket.name}" - - content = "once upon a time..." } data "google_storage_object_signed_url" "story_url_w_md5" { bucket = "${google_storage_bucket.bucket.name}" path = "${google_storage_bucket_object.story.name}" - md5_digest = "${google_storage_bucket_object.story.md5hash}" -}`, acctest.RandString(6)) + content_md5 = "${google_storage_bucket_object.story.md5hash}" +}`, bucketName) } From 00e5eb2aabf2c95704fb5913362b14e41a7e89b7 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Mon, 5 Sep 2016 14:25:44 +1200 Subject: [PATCH 6/7] =?UTF-8?q?Minor=20fixes:=20-=20extension=5Fheaders=20?= =?UTF-8?q?validation=20-=20header=20prefix=20must=20be=20=E2=80=98x-goog-?= =?UTF-8?q?=E2=80=98=20(with=20a=20trailing=20hyphen)=20-=20http=5Fmethod?= =?UTF-8?q?=20validate,=20explicitly=20name=20the=20datasource=20attribute?= =?UTF-8?q?=20that=20is=20failing=20validation=20-=20remove=20redundant=20?= =?UTF-8?q?http=5Fmethod=20validation=20that=20is=20no=20longer=20needed?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- data_source_storage_object_signed_url.go | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go index 6813bf95..10a03ff0 100644 --- a/data_source_storage_object_signed_url.go +++ b/data_source_storage_object_signed_url.go @@ -87,7 +87,7 @@ func dataSourceGoogleSignedUrl() *schema.Resource { func validateExtensionHeaders(v interface{}, k string) (ws []string, errors []error) { hdrMap := v.(map[string]interface{}) for k, _ := range hdrMap { - if !strings.HasPrefix(strings.ToLower(k), "x-goog") { + if !strings.HasPrefix(strings.ToLower(k), "x-goog-") { errors = append(errors, fmt.Errorf( "extension_header (%s) not valid, header name must begin with 'x-goog-'", k)) } @@ -99,7 +99,7 @@ func validateHttpMethod(v interface{}, k string) (ws []string, errs []error) { value := v.(string) value = strings.ToUpper(value) if !regexp.MustCompile(`^(GET|HEAD|PUT|DELETE)$`).MatchString(value) { - errs = append(errs, errors.New("HTTP method must be one of [GET|HEAD|PUT|DELETE]")) + errs = append(errs, errors.New("http_method must be one of [GET|HEAD|PUT|DELETE]")) } return } @@ -111,10 +111,8 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err urlData := &UrlData{} // HTTP Method - if method, ok := d.GetOk("http_method"); ok && len(method.(string)) >= 3 { + if method, ok := d.GetOk("http_method"); ok { urlData.HttpMethod = method.(string) - } else { - return errors.New("not a valid http method") } // convert duration to an expiration datetime (unix time in seconds) From 490d86d291b8abe916380e95c4ca4c940af7fb61 Mon Sep 17 00:00:00 2001 From: Paddy Date: Wed, 24 May 2017 15:55:01 -0700 Subject: [PATCH 7/7] Fix some style things, handle errors. Fix a typo, follow our acceptance test naming guidelines, simplify some logic, and handle an unhandled error. --- data_source_storage_object_signed_url.go | 13 ++----------- data_source_storage_object_signed_url_test.go | 13 ++++++++----- 2 files changed, 10 insertions(+), 16 deletions(-) diff --git a/data_source_storage_object_signed_url.go b/data_source_storage_object_signed_url.go index 10a03ff0..fced990c 100644 --- a/data_source_storage_object_signed_url.go +++ b/data_source_storage_object_signed_url.go @@ -20,8 +20,6 @@ import ( "sort" - "regexp" - "github.com/hashicorp/errwrap" "github.com/hashicorp/terraform/helper/pathorcontents" "github.com/hashicorp/terraform/helper/schema" @@ -98,7 +96,7 @@ func validateExtensionHeaders(v interface{}, k string) (ws []string, errors []er func validateHttpMethod(v interface{}, k string) (ws []string, errs []error) { value := v.(string) value = strings.ToUpper(value) - if !regexp.MustCompile(`^(GET|HEAD|PUT|DELETE)$`).MatchString(value) { + if value != "GET" && value != "HEAD" && value != "PUT" && value != "DELETE" { errs = append(errs, errors.New("http_method must be one of [GET|HEAD|PUT|DELETE]")) } return @@ -149,14 +147,7 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err } } - // object path - path := []string{ - "", - d.Get("bucket").(string), - d.Get("path").(string), - } - objectPath := strings.Join(path, "/") - urlData.Path = objectPath + urlData.Path = fmt.Sprintf("/%s/%s", d.Get("bucket").(string), d.Get("path").(string)) // Load JWT Config from Google Credentials jwtConfig, err := loadJwtConfig(d, config) diff --git a/data_source_storage_object_signed_url_test.go b/data_source_storage_object_signed_url_test.go index b59b5a7a..03912216 100644 --- a/data_source_storage_object_signed_url_test.go +++ b/data_source_storage_object_signed_url_test.go @@ -99,7 +99,7 @@ func TestUrlData_SignedUrl(t *testing.T) { } } -func TestDatasourceSignedUrl_basic(t *testing.T) { +func TestAccStorageSignedUrl_basic(t *testing.T) { resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -114,7 +114,7 @@ func TestDatasourceSignedUrl_basic(t *testing.T) { }) } -func TestDatasourceSignedUrl_accTest(t *testing.T) { +func TestAccStorageSignedUrl_accTest(t *testing.T) { bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt()) headers := map[string]string{ @@ -127,7 +127,7 @@ func TestDatasourceSignedUrl_accTest(t *testing.T) { Providers: testAccProviders, Steps: []resource.TestStep{ resource.TestStep{ - Config: testAccTestGoogleStorageObjectSingedUrl(bucketName), + Config: testAccTestGoogleStorageObjectSignedURL(bucketName), Check: resource.ComposeTestCheckFunc( testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url", nil), testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_headers", headers), @@ -168,7 +168,10 @@ func testAccGoogleSignedUrlRetrieval(n string, headers map[string]string) resour // create HTTP request url := a["signed_url"] method := a["http_method"] - req, _ := http.NewRequest(method, url, nil) + req, err := http.NewRequest(method, url, nil) + if err != nil { + return err + } // Add extension headers to request, if provided for k, v := range headers { @@ -216,7 +219,7 @@ data "google_storage_object_signed_url" "blerg" { } ` -func testAccTestGoogleStorageObjectSingedUrl(bucketName string) string { +func testAccTestGoogleStorageObjectSignedURL(bucketName string) string { return fmt.Sprintf(` resource "google_storage_bucket" "bucket" { name = "%s"