Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(storage): enable CSEK w/ V4 signed URLs #9450

Merged
merged 2 commits into from
Oct 10, 2019
Merged

fix(storage): enable CSEK w/ V4 signed URLs #9450

merged 2 commits into from
Oct 10, 2019

Conversation

tseaver
Copy link
Contributor

@tseaver tseaver commented Oct 10, 2019

Closes #7626

@tseaver tseaver added the api: storage Issues related to the Cloud Storage API. label Oct 10, 2019
@tseaver tseaver requested a review from frankyn October 10, 2019 21:31
@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Oct 10, 2019
frankyn
frankyn reviewed Oct 10, 2019
View reviewed changes
storage/google/cloud/storage/blob.py
@@ -468,6 +468,11 @@ def generate_signed_url(
else:
helper = generate_signed_url_v4

if self._encryption_key is not None:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should only be done if v4.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per chat, we still need to add the X-Goog-Encryption-Algorithm header for V2 (but not the key or hash, oddly enough). See: https://cloud.google.com/storage/docs/access-control/signed-urls-v2#about-canonical-extension-headers

@tseaver
fix: apply weird/b0rken rules for V2 signing with CSEK.
767da8b 
Only the 'X-Goog-Encryption-Algorithm' gets added to the signed headers.

Ugh.
@tseaver tseaver added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 10, 2019
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 10, 2019
@tseaver tseaver merged commit 42ce2ef into googleapis:master Oct 10, 2019
@tseaver tseaver deleted the 7626-storage-v4-signed-url-w-csek branch October 10, 2019 22:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frankyn frankyn frankyn approved these changes

@crwilcox crwilcox Awaiting requested review from crwilcox

Assignees
No one assigned
Labels
api: storage Issues related to the Cloud Storage API. cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Storage: add systests for V4 signed URLs with CSEK headers
4 participants
@tseaver @frankyn @googlebot @yoshi-kokoro