From 772c08314cbe28de20126addeb88f67cf43850ff Mon Sep 17 00:00:00 2001 From: JinnyYi Date: Mon, 16 Aug 2021 13:14:28 +0800 Subject: [PATCH 1/5] GSP: Support Signed URL --- docs/rfcs/support-signed-url.md | 68 +++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 docs/rfcs/support-signed-url.md diff --git a/docs/rfcs/support-signed-url.md b/docs/rfcs/support-signed-url.md new file mode 100644 index 000000000..6c9e5760b --- /dev/null +++ b/docs/rfcs/support-signed-url.md @@ -0,0 +1,68 @@ +- Author: JinnyYi +- Start Date: 2021-08-16 +- RFC PR: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) +- Tracking Issue: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) + +# GSP: Support Signed URL + +Previous discussion: + +- [Allow generate signed url for upload objects](https://github.com/beyondstorage/go-storage/issues/646) + +## Background + +Authentication is the process of proving user's identity to the system. In addition to adding signatures to the `Authorization` header of requests, users can also add signatures to the URL of the resource. + +A signed URL is a URL that provides limited permission and time to make a request. Signed URLs contain authentication information in their query string. Using query parameters to authenticate requests is useful when users want to express a request entirely in a URL. A use case scenario for signed URL is that users can grant access to the resource. + +## Proposal + +I propose to add the following interface containing operations that support the generation of signed URL for RESTful services: + +```toml +type HttpSigner interface { + QuerySignHttp(op, path string, ps ...types.Pair) (signedReq *http.Request, err error) +} +``` + +`HttpSigner` is the interface for `Signer` related operations which support calculate request signature. + +`QuerySignHttp` returns a "http.Request" with query string parameters containing signature in `URL` to represent the client's request for the specified operation. + +**Parameters** + +- op: is a const string representing operation name defined in `types` package. + - `op` SHOULD be the supported operation by service. +- path: is the path of object. + - `path` COULD be relative or absolute path. +- ps: is the arguments for this operation. + - `expire` is required. It provides the time period, with type `time.Duration`, for which the generated `signedReq.URL` is valid. + +**Returns** + +- signedReq: represents an HTTP request to be sent by service. + - `URL` SHOULD NOT be nil and SHOULD be the request's signed URL. +- err: returning error if errors are encountered. It's nil if no error. + +From service side: + +- Services SHOULD maintain the supported authorized access operation list and check the validity of `op`. +- Services SHOULD generate the request's singed URL in `signedReq.URL` with the `expire` duration. + +From user side: + +- A clock calibration is required for validation of expiration. + +## Rationale + +N/A + +## Compatibility + +This proposal will deprecate `Reacher` interface. + +## Implementation + +- Add new interface and operations in definitions. +- Implement integration test. +- Implement `HttpSigner` for services. From 96af9b6ff8fcf60b4ca15268fe8dec5967af0e07 Mon Sep 17 00:00:00 2001 From: JinnyYi Date: Mon, 16 Aug 2021 13:18:58 +0800 Subject: [PATCH 2/5] assign num --- docs/rfcs/{support-signed-url.md => 706-support-signed-url.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/rfcs/{support-signed-url.md => 706-support-signed-url.md} (96%) diff --git a/docs/rfcs/support-signed-url.md b/docs/rfcs/706-support-signed-url.md similarity index 96% rename from docs/rfcs/support-signed-url.md rename to docs/rfcs/706-support-signed-url.md index 6c9e5760b..636817e73 100644 --- a/docs/rfcs/support-signed-url.md +++ b/docs/rfcs/706-support-signed-url.md @@ -3,7 +3,7 @@ - RFC PR: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) - Tracking Issue: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) -# GSP: Support Signed URL +# GSP-706: Support Signed URL Previous discussion: From 9073568cd2d02715ae88776a375d1eef6e03012b Mon Sep 17 00:00:00 2001 From: JinnyYi <82445294+JinnyYi@users.noreply.github.com> Date: Mon, 16 Aug 2021 15:18:19 +0800 Subject: [PATCH 3/5] Update language Co-authored-by: Xuanwo --- docs/rfcs/706-support-signed-url.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/rfcs/706-support-signed-url.md b/docs/rfcs/706-support-signed-url.md index 636817e73..51d5206ff 100644 --- a/docs/rfcs/706-support-signed-url.md +++ b/docs/rfcs/706-support-signed-url.md @@ -19,7 +19,7 @@ A signed URL is a URL that provides limited permission and time to make a reques I propose to add the following interface containing operations that support the generation of signed URL for RESTful services: -```toml +```go type HttpSigner interface { QuerySignHttp(op, path string, ps ...types.Pair) (signedReq *http.Request, err error) } From 2d8a286f6b4432adc3bbb711d9433e0d500fec42 Mon Sep 17 00:00:00 2001 From: JinnyYi Date: Mon, 16 Aug 2021 17:02:05 +0800 Subject: [PATCH 4/5] Rename and update expire --- ...6-support-signed-url.md => 706-support-http-signer.md} | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) rename docs/rfcs/{706-support-signed-url.md => 706-support-http-signer.md} (85%) diff --git a/docs/rfcs/706-support-signed-url.md b/docs/rfcs/706-support-http-signer.md similarity index 85% rename from docs/rfcs/706-support-signed-url.md rename to docs/rfcs/706-support-http-signer.md index 51d5206ff..2b40dc81b 100644 --- a/docs/rfcs/706-support-signed-url.md +++ b/docs/rfcs/706-support-http-signer.md @@ -1,9 +1,9 @@ - Author: JinnyYi - Start Date: 2021-08-16 -- RFC PR: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) +- RFC PR: [beyondstorage/go-storage#706](https://github.com/beyondstorage/go-storage/issues/706) - Tracking Issue: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) -# GSP-706: Support Signed URL +# GSP-706: Support HTTP Signer Previous discussion: @@ -36,7 +36,8 @@ type HttpSigner interface { - path: is the path of object. - `path` COULD be relative or absolute path. - ps: is the arguments for this operation. - - `expire` is required. It provides the time period, with type `time.Duration`, for which the generated `signedReq.URL` is valid. + - `expire` provides the time period, with type `time.Duration`, for which the generated `signedReq.URL` is valid. + - `expire` COULD be set by `types.WithExpire(xxx)`, is 3,600 seconds by default. **Returns** @@ -64,5 +65,6 @@ This proposal will deprecate `Reacher` interface. ## Implementation - Add new interface and operations in definitions. +- Update docs in site. - Implement integration test. - Implement `HttpSigner` for services. From a38f002879245ddd4ba05112f5e6a4bc438f400b Mon Sep 17 00:00:00 2001 From: JinnyYi Date: Tue, 17 Aug 2021 12:00:43 +0800 Subject: [PATCH 5/5] Add parameter for operation and add tracking issue --- docs/rfcs/706-support-http-signer.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/rfcs/706-support-http-signer.md b/docs/rfcs/706-support-http-signer.md index 2b40dc81b..d169a2bb9 100644 --- a/docs/rfcs/706-support-http-signer.md +++ b/docs/rfcs/706-support-http-signer.md @@ -1,7 +1,7 @@ - Author: JinnyYi - Start Date: 2021-08-16 - RFC PR: [beyondstorage/go-storage#706](https://github.com/beyondstorage/go-storage/issues/706) -- Tracking Issue: [beyondstorage/go-storage#0](https://github.com/beyondstorage/go-storage/issues/0) +- Tracking Issue: [beyondstorage/go-storage#707](https://github.com/beyondstorage/go-storage/issues/707) # GSP-706: Support HTTP Signer @@ -11,7 +11,7 @@ Previous discussion: ## Background -Authentication is the process of proving user's identity to the system. In addition to adding signatures to the `Authorization` header of requests, users can also add signatures to the URL of the resource. +Authentication is the process of proving user's identity to the system. In addition to add signatures to the `Authorization` header of requests, users can also add signatures to the URL of the resource. A signed URL is a URL that provides limited permission and time to make a request. Signed URLs contain authentication information in their query string. Using query parameters to authenticate requests is useful when users want to express a request entirely in a URL. A use case scenario for signed URL is that users can grant access to the resource. @@ -21,11 +21,11 @@ I propose to add the following interface containing operations that support the ```go type HttpSigner interface { - QuerySignHttp(op, path string, ps ...types.Pair) (signedReq *http.Request, err error) + QuerySignHttp(op, path string, expire time.Duration, ps ...types.Pair) (signedReq *http.Request, err error) } ``` -`HttpSigner` is the interface for `Signer` related operations which support calculate request signature. +`HttpSigner` is the interface for `Signer` related operations which support calculating request signature. `QuerySignHttp` returns a "http.Request" with query string parameters containing signature in `URL` to represent the client's request for the specified operation. @@ -35,9 +35,9 @@ type HttpSigner interface { - `op` SHOULD be the supported operation by service. - path: is the path of object. - `path` COULD be relative or absolute path. +- expire: provides the time period, with type `time.Duration`, for which the generated `signedReq.URL` is valid. + - Different services have different valid value ranges for `expire`. - ps: is the arguments for this operation. - - `expire` provides the time period, with type `time.Duration`, for which the generated `signedReq.URL` is valid. - - `expire` COULD be set by `types.WithExpire(xxx)`, is 3,600 seconds by default. **Returns** @@ -48,7 +48,7 @@ type HttpSigner interface { From service side: - Services SHOULD maintain the supported authorized access operation list and check the validity of `op`. -- Services SHOULD generate the request's singed URL in `signedReq.URL` with the `expire` duration. +- Services SHOULD return `http.Request` pointer with signature in the query string of `URL`, which is constructed by specific storage service. From user side: