feat: (storage) update signed_url to virtual style (#15832)

Author: gurusai-voleti

mmv1/third_party/terraform/services/storage/data_source_storage_object_signed_url.go

@@ -141,7 +141,12 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err
 		}
 	}
 
-	urlData.Path = fmt.Sprintf("/%s/%s", d.Get("bucket").(string), d.Get("path").(string))
+	bucketName := d.Get("bucket").(string)
+	objectPath := d.Get("path").(string)
+	baseUrl := getGcsHostUrl(urlData, bucketName, objectPath)
+
+	// sign path should be same in both cases as we are using v2 signature
+	urlData.SignPath = fmt.Sprintf("/%s/%s", bucketName, objectPath)
 
 	// Load JWT Config from Google Credentials
 	jwtConfig, err := loadJwtConfig(d, config)
@@ -151,7 +156,7 @@ func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) err
 	urlData.JwtConfig = jwtConfig
 
 	// Construct URL
-	signedUrl, err := urlData.SignedUrl()
+	signedUrl, err := urlData.SignedUrl(baseUrl)
 	if err != nil {
 		return err
 	}
@@ -208,6 +213,25 @@ func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error
 	return nil, errors.New("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.")
 }
 
+func getGcsHostUrl(urlData *UrlData, bucketName, objectPath string) string {
+	var baseUrl string
+	if strings.Contains(bucketName, ".") {
+		// Use path-style URL as "." in the bucket name create invalid virtual hostnames
+		// Signed URL format https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/object
+		// Path format is bucket_name/object_path
+		urlData.Path = fmt.Sprintf("/%s/%s", bucketName, objectPath)
+		baseUrl = gcsBaseUrl
+	} else {
+		// default to always virtual style URL
+		// URL format https://tf-test-bucket-6159205297736845881.storage.googleapis.com//path/to/object
+		// Path format is object_path
+		urlData.Path = fmt.Sprintf("/%s", objectPath)
+		gcsUrl := strings.Split(gcsBaseUrl, "://")
+		baseUrl = fmt.Sprintf("%s://%s.%s", gcsUrl[0], bucketName, gcsUrl[1])
+	}
+	return baseUrl
+}
+
 // parsePrivateKey converts the binary contents of a private key file
 // to an *rsa.PrivateKey. It detects whether the private key is in a
 // PEM container or not. If so, it extracts the the private key
@@ -241,7 +265,9 @@ type UrlData struct {
 	HttpMethod  string
 	Expires     int
 	HttpHeaders map[string]string
-	Path        string
+	SignPath    string
+	// Internally used field derived for virtual-host or path-style.
+	Path string
 }
 
 // SigningString creates a string representation of the UrlData in a form ready for signing:
@@ -285,7 +311,7 @@ func (u *UrlData) SigningString() []byte {
 	}
 
 	// Storage Object path (includes bucketname)
-	buf.WriteString(u.Path)
+	buf.WriteString(u.SignPath)
 
 	return buf.Bytes()
 }
@@ -317,7 +343,7 @@ func (u *UrlData) EncodedSignature() (string, error) {
 }
 
 // SignedUrl constructs the final signed URL a client can use to retrieve storage object
-func (u *UrlData) SignedUrl() (string, error) {
+func (u *UrlData) SignedUrl(baseUrl string) (string, error) {
 
 	encodedSig, err := u.EncodedSignature()
 	if err != nil {
@@ -327,7 +353,7 @@ func (u *UrlData) SignedUrl() (string, error) {
 	// build url
 	// https://cloud.google.com/storage/docs/access-control/create-signed-urls-program
 	var urlBuffer bytes.Buffer
-	urlBuffer.WriteString(gcsBaseUrl)
+	urlBuffer.WriteString(baseUrl)
 	urlBuffer.WriteString(u.Path)
 	urlBuffer.WriteString("?GoogleAccessId=")
 	urlBuffer.WriteString(u.JwtConfig.Email)

mmv1/third_party/terraform/services/storage/data_source_storage_object_signed_url_internal_test.go

@@ -30,16 +30,19 @@ const fakeCredentials = `{
 // URL	                                                HTTP Method     Expiration           Signed URL
 // gs://tf-test-bucket-6159205297736845881/path/to/file	GET             2016-08-12 14:03:30  https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/[email protected]&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D
 
-const testUrlPath = "/tf-test-bucket-6159205297736845881/path/to/file"
+const testUrlPath = "path/to/file"
+const testSignUrlPath = "/tf-test-bucket-6159205297736845881/path/to/file"
 const testUrlExpires = 1470967410
+const testBucketName = "tf-test-bucket-6159205297736845881"
 const testUrlExpectedSignatureBase64Encoded = "JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D"
-const testUrlExpectedUrl = "https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/[email protected]&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D"
+const testUrlExpectedUrl = "https://tf-test-bucket-6159205297736845881.storage.googleapis.com/path/to/[email protected]&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D"
 
 func TestUrlData_Signing(t *testing.T) {
 	urlData := &UrlData{
 		HttpMethod: "GET",
 		Expires:    testUrlExpires,
 		Path:       testUrlPath,
+		SignPath:   testSignUrlPath,
 	}
 	// unescape and decode the expected signature
 	expectedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded)
@@ -83,8 +86,10 @@ func TestUrlData_SignedUrl(t *testing.T) {
 		Expires:    testUrlExpires,
 		Path:       testUrlPath,
 		JwtConfig:  cfg,
+		SignPath:   testSignUrlPath,
 	}
-	result, err := urlData.SignedUrl()
+	baseUrl := getGcsHostUrl(urlData, testBucketName, testUrlPath)
+	result, err := urlData.SignedUrl(baseUrl)
 	if err != nil {
 		t.Errorf("Could not generated signed url: %+v", err)
 	}

mmv1/third_party/terraform/services/storage/data_source_storage_object_signed_url_test.go

@@ -6,24 +6,49 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"strings"
 
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
 )
 
-func TestAccStorageSignedUrl_basic(t *testing.T) {
+const objectPath = "object/objname"
+const stoargeApiHost = "storage.googleapis.com"
+
+func TestAccStorageSignedUrl_basicVirtualStyle(t *testing.T) {
 	t.Parallel()
 
+	bucketName := acctest.TestBucketName(t)
+
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testGoogleSignedUrlConfig,
+				Config: testGoogleSignedUrlConfig(bucketName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccSignedUrlExists(t, "data.google_storage_object_signed_url.blerg"),
+					testAccSignedUrlVirtualStyleExists(t, "data.google_storage_object_signed_url.blerg", bucketName),
+				),
+			},
+		},
+	})
+}
+
+func TestAccStorageSignedUrl_basicPathStyle(t *testing.T) {
+	t.Parallel()
+
+	bucketName := acctest.TestBucketName(t) + ".com"
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleSignedUrlConfig(bucketName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccSignedUrlPathStyleExists(t, "data.google_storage_object_signed_url.blerg", bucketName),
 				),
 			},
 		},
@@ -59,7 +84,7 @@ func TestAccStorageSignedUrl_accTest(t *testing.T) {
 	})
 }
 
-func testAccSignedUrlExists(t *testing.T, n string) resource.TestCheckFunc {
+func testAccSignedUrlVirtualStyleExists(t *testing.T, n, bucketName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 
 		r := s.RootModule().Resources[n]
@@ -69,6 +94,30 @@ func testAccSignedUrlExists(t *testing.T, n string) resource.TestCheckFunc {
 			return fmt.Errorf("signed_url is empty: %v", a)
 		}
 
+		splitUrl := strings.Split(a["signed_url"], "/")
+		if splitUrl[2] != fmt.Sprintf("%s.%s", bucketName, stoargeApiHost) {
+			return fmt.Errorf("invalid virtual style URL")
+		}
+
+		return nil
+	}
+}
+
+func testAccSignedUrlPathStyleExists(t *testing.T, n, bucketName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+
+		r := s.RootModule().Resources[n]
+		a := r.Primary.Attributes
+
+		if a["signed_url"] == "" {
+			return fmt.Errorf("signed_url is empty: %v", a)
+		}
+
+		urlPrefix := fmt.Sprintf("%s://%s/%s/%s", "https", stoargeApiHost, bucketName, objectPath)
+		if !strings.HasPrefix(a["signed_url"], urlPrefix) {
+			return fmt.Errorf("invalid path style URL")
+		}
+
 		return nil
 	}
 }
@@ -131,13 +180,14 @@ func testAccSignedUrlRetrieval(n string, headers map[string]string) resource.Tes
 	}
 }
 
-const testGoogleSignedUrlConfig = `
+func testGoogleSignedUrlConfig(bucket string) string {
+	return fmt.Sprintf(`
 data "google_storage_object_signed_url" "blerg" {
-  bucket = "friedchicken"
-  path   = "path/to/file"
-
+  bucket      = "%s"
+  path        = "%s"
+}
+`, bucket, objectPath)
 }
-`
 
 func testAccTestGoogleStorageObjectSignedURL(bucketName string) string {
 	return fmt.Sprintf(`