77 lines
2.1 KiB
Ruby
77 lines
2.1 KiB
Ruby
# rubocop:disable Naming/FileName
|
|
# frozen_string_literal: true
|
|
|
|
module ObjectStorage
|
|
module CDN
|
|
class GoogleCDN
|
|
include Gitlab::Utils::StrongMemoize
|
|
|
|
attr_reader :options
|
|
|
|
def initialize(options)
|
|
@options = HashWithIndifferentAccess.new(options.to_h)
|
|
|
|
GoogleIpCache.async_refresh unless GoogleIpCache.ready?
|
|
end
|
|
|
|
def use_cdn?(request_ip)
|
|
return false unless config_valid?
|
|
|
|
ip = IPAddr.new(request_ip)
|
|
|
|
return false if ip.private? || ip.link_local? || ip.loopback?
|
|
|
|
!GoogleIpCache.google_ip?(request_ip)
|
|
end
|
|
|
|
def signed_url(path, expiry: 10.minutes, params: {})
|
|
expiration = (Time.current + expiry).utc.to_i
|
|
|
|
uri = Addressable::URI.parse(cdn_url)
|
|
uri.path = path
|
|
# Use an Array to preserve order: Google CDN needs to have
|
|
# Expires, KeyName, and Signature in that order or it will return a 403 error:
|
|
# https://cloud.google.com/cdn/docs/troubleshooting-steps#signing
|
|
query_params = params.to_a
|
|
query_params << ['Expires', expiration]
|
|
query_params << ['KeyName', key_name]
|
|
uri.query_values = query_params
|
|
|
|
unsigned_url = uri.to_s
|
|
signature = OpenSSL::HMAC.digest('SHA1', decoded_key, unsigned_url)
|
|
encoded_signature = Base64.urlsafe_encode64(signature)
|
|
|
|
"#{unsigned_url}&Signature=#{encoded_signature}"
|
|
end
|
|
|
|
private
|
|
|
|
def config_valid?
|
|
[key_name, decoded_key, cdn_url].all?(&:present?) && cdn_url.start_with?('https://')
|
|
end
|
|
|
|
def key_name
|
|
strong_memoize(:key_name) do
|
|
options['key_name']
|
|
end
|
|
end
|
|
|
|
def decoded_key
|
|
strong_memoize(:decoded_key) do
|
|
Base64.urlsafe_decode64(options['key']) if options['key']
|
|
rescue ArgumentError
|
|
Gitlab::ErrorTracking.log_exception(ArgumentError.new("Google CDN key is not base64-encoded"))
|
|
nil
|
|
end
|
|
end
|
|
|
|
def cdn_url
|
|
strong_memoize(:cdn_url) do
|
|
options['url']
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
# rubocop:enable Naming/FileName
|