# -*- coding: utf-8 -*-
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Implementation of Url Signing workflow.
see: https://cloud.google.com/storage/docs/access-control#Signed-URLs)
"""
from __future__ import absolute_import
import base64
import calendar
from datetime import datetime
from datetime import timedelta
import getpass
import json
import re
import time
import urllib
from apitools.base.py.exceptions import HttpError
from apitools.base.py.http_wrapper import MakeRequest
from apitools.base.py.http_wrapper import Request
from gslib.command import Command
from gslib.command_argument import CommandArgument
from gslib.cs_api_map import ApiSelector
from gslib.exception import CommandException
from gslib.storage_url import ContainsWildcard
from gslib.storage_url import StorageUrlFromString
from gslib.util import GetNewHttp
from gslib.util import NO_MAX
from gslib.util import UTF8
try:
# Check for openssl.
# pylint: disable=C6204
from OpenSSL.crypto import FILETYPE_PEM
from OpenSSL.crypto import load_pkcs12
from OpenSSL.crypto import load_privatekey
from OpenSSL.crypto import sign
HAVE_OPENSSL = True
except ImportError:
load_privatekey = None
load_pkcs12 = None
sign = None
HAVE_OPENSSL = False
FILETYPE_PEM = None
_SYNOPSIS = """
gsutil signurl [-c] [-d] [-m] [-p] keystore-file url...
"""
_DETAILED_HELP_TEXT = ("""
SYNOPSIS
""" + _SYNOPSIS + """
DESCRIPTION
The signurl command will generate signed urls that can be used to access
the specified objects without authentication for a specific period of time.
Please see the `Signed URLs documentation
`_ for
background about signed URLs.
Multiple gs:// urls may be provided and may contain wildcards. A signed url
will be produced for each provided url, authorized
for the specified HTTP method and valid for the given duration.
Note: Unlike the gsutil ls command, the signurl command does not support
operations on sub-directories. For example, if you run the command:
gsutil signurl gs://some-bucket/some-object/
The signurl command uses the private key for a service account (the
'' argument) to generate the cryptographic
signature for the generated URL. The private key file must be in PKCS12
or JSON format. If the private key is encrypted the signed url command will
prompt for the passphrase used to protect the private key file
(default 'notasecret'). For more information regarding generating a private
key for use with the signurl command please see the `Authentication
documentation.
`_
gsutil will look up information about the object "some-object/" (with a
trailing slash) inside bucket "some-bucket", as opposed to operating on
objects nested under gs://some-bucket/some-object. Unless you actually
have an object with that name, the operation will fail.
OPTIONS
-m Specifies the HTTP method to be authorized for use
with the signed url, default is GET. You may also specify
RESUMABLE to create a signed resumable upload start URL. When
using a signed URL to start a resumable upload session, you will
need to specify the 'x-goog-resumable:start' header in the
request or else signature validation will fail.
-d Specifies the duration that the signed url should be valid
for, default duration is 1 hour.
Times may be specified with no suffix (default hours), or
with s = seconds, m = minutes, h = hours, d = days.
This option may be specified multiple times, in which case
the duration the link remains valid is the sum of all the
duration options.
-c Specifies the content type for which the signed url is
valid for.
-p Specify the keystore password instead of prompting.
USAGE
Create a signed url for downloading an object valid for 10 minutes:
gsutil signurl -d 10m gs:///