vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #3131 from quay/joseph.schorr/QUAY-954/cloudfront

Browse source 
Return S3 URLs for security scanner
This commit is contained in:
Joseph Schorr 2018-07-05 17:23:05 +03:00 committed by GitHub
commit 0eaff446e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
storage/cloud.py
View file

@ -615,22 +615,22 @@ class CloudFrontedS3Storage(S3Storage):
def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False,
head=False): head=False):
# If CloudFront could not be loaded, fall back to normal S3. # If CloudFront could not be loaded, fall back to normal S3.
if self.cloudfront_privatekey is None: if self.cloudfront_privatekey is None or request_ip is None:
return super(CloudFrontedS3Storage, self).get_direct_download_url(path, request_ip, return super(CloudFrontedS3Storage, self).get_direct_download_url(path, request_ip,
expires_in, requires_cors, expires_in, requires_cors,
head) head)
resolved_ip_info = None resolved_ip_info = None
logger.debug('Got direct download request for path "%s" with IP "%s"', path, request_ip) logger.debug('Got direct download request for path "%s" with IP "%s"', path, request_ip)
if request_ip is not None:
# Lookup the IP address in our resolution table and determine whether it is under AWS. # Lookup the IP address in our resolution table and determine whether it is under AWS.
# If it is, then return an S3 signed URL, since we are in-network. # If it is, then return an S3 signed URL, since we are in-network.
resolved_ip_info = self._context.ip_resolver.resolve_ip(request_ip) resolved_ip_info = self._context.ip_resolver.resolve_ip(request_ip)
logger.debug('Resolved IP information for IP %s: %s', request_ip, resolved_ip_info) logger.debug('Resolved IP information for IP %s: %s', request_ip, resolved_ip_info)
if resolved_ip_info and resolved_ip_info.provider == 'aws': if resolved_ip_info and resolved_ip_info.provider == 'aws':
return super(CloudFrontedS3Storage, self).get_direct_download_url(path, request_ip, return super(CloudFrontedS3Storage, self).get_direct_download_url(path, request_ip,
expires_in, requires_cors, expires_in, requires_cors,
head) head)
url = 'https://%s/%s' % (self.cloudfront_distribution_domain, path) url = 'https://%s/%s' % (self.cloudfront_distribution_domain, path)
expire_date = datetime.now() + timedelta(seconds=expires_in) expire_date = datetime.now() + timedelta(seconds=expires_in)

3
storage/test/test_cloudfront.py
View file

@ -64,5 +64,4 @@ def test_direct_download_no_ip(test_aws_ip, aws_ip_range_data, ipranges_populate
_TEST_BUCKET, _TEST_USER, _TEST_PASSWORD) _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)
engine.put_content(_TEST_PATH, _TEST_CONTENT) engine.put_content(_TEST_PATH, _TEST_CONTENT)
assert engine.exists(_TEST_PATH) assert engine.exists(_TEST_PATH)
assert 's3.amazonaws.com' in engine.get_direct_download_url(_TEST_PATH)
assert 'cloudfrontdomain' in engine.get_direct_download_url(_TEST_PATH)