生成Google Cloud Storage對象的公共鏈接

Question

如何為用戶通過BlobStore API提交的Google Cloud Storage對象生成公共鏈接？

Answer 1

有幾種服務公共GCS對象的方法。 一種是簽名URL。 另一個是getServingUrl() App Engine方法。

但是，如果該對象對所有人都可見，則可以做一些簡單的事情。 設置對象的權限以授予對“ AllUsers”的讀取權限，該權限允許無需任何身份驗證即可讀取對象，然后只需將用戶引至以下路徑即可：

https://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME

而已！

您可以通過API或以下gsutil命令將對象設置為可從雲控制台公開讀取： gsutil acl ch -g AllUsers:R gs://BUCKET_NAME/OBJECT_NAME

Answer 2

如何為Google Cloud Storage對象生成公共鏈接？

1. 通過控制台手動創建服務帳戶，並生成.p12密鑰文件。
2. 用戶將文件上傳到使用以下命令生成的URL后：

blobstoreService.createUploadUrl("/fileUploadingHandler", 
        UploadOptions.Builder.withMaxUploadSizeBytes(1024*1024*10) // 10 MB max
                             .googleStorageBucketName(BUCKET_NAME));

servlet（處理/fileUploadingHandler ）可以檢索GCS對象的文件名，並生成臨時簽名的公共鏈接，如下所示：

Map<String, List<FileInfo>> fileInfoMap = blobstoreService.getFileInfos(request);
List<FileInfo> fileInfos = fileInfoMap.get("fileName");
FileInfo fileInfo = fileInfos.get(0);
String[] parts = fileInfo.getGsObjectName().split("/"); // get rid of /gs/buck_name/
String fileName = parts[parts.length - 1];
String signedUrl = GcsUrlSigner.generateSignedUrl(fileName);
// send the temporary public link (signedUrl) back to the user

import com.google.api.client.util.Base64;

import java.io.InputStream;
import java.net.URLEncoder;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

/**
 * Created by Fouad on 22-Dec-15.
 */
public class GcsUrlSigner
{
    private static final String DEFAULT_BUCKET_NAME = "XXXXXXXX.appspot.com";
    private static final String PUBLIC_URL_SERVICE_ACCOUNT_EMAIL = "XXXXXXXX@XXXXXX.iam.gserviceaccount.com";
    private static final String PUBLIC_URL_SERVICE_ACCOUNT_PKCS12_FILE_PATH = "XXXXXX.p12"; // located in the same folder as GcsUrlSigner.java
    private static final String PUBLIC_URL_SERVICE_ACCOUNT_PKCS12_FILE_PASSWORD = "notasecret";
    private static final long PUBLIC_URL_EXPIRATION_SECONDS = System.currentTimeMillis() / 1000 + 60; // 60 seconds

    public static String generateSignedUrl(String objectName) throws Exception
    {
        return generateSignedUrl(DEFAULT_BUCKET_NAME, objectName);
    }

    public static String generateSignedUrl(String bucketName, String objectName) throws Exception
    {
        PrivateKey key = loadKeyFromPkcs12(PUBLIC_URL_SERVICE_ACCOUNT_PKCS12_FILE_PATH, PUBLIC_URL_SERVICE_ACCOUNT_PKCS12_FILE_PASSWORD.toCharArray());
        return getSigningURL(key, "GET", PUBLIC_URL_EXPIRATION_SECONDS, bucketName, objectName);
    }

    private static String getSigningURL(PrivateKey key, String verb, long expirationSeconds, String bucketName, String objectName) throws Exception
    {
        String url_signature = signString(key, verb + "\n\n\n" + expirationSeconds + "\n" + "/" + bucketName + "/" + objectName);
        String signed_url = "https://storage.googleapis.com/" + bucketName + "/" + objectName +
                "?GoogleAccessId=" + PUBLIC_URL_SERVICE_ACCOUNT_EMAIL +
                "&Expires=" + expirationMillis +
                "&Signature=" + URLEncoder.encode(url_signature, "UTF-8");
        return signed_url;
    }

    private static PrivateKey loadKeyFromPkcs12(String filename, char[] password) throws Exception
    {
        InputStream is = GcsUrlSigner.class.getResourceAsStream(PUBLIC_URL_SERVICE_ACCOUNT_PKCS12_FILE_PATH);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(is, password);
        return (PrivateKey) ks.getKey("privatekey", password);
    }

    private static String signString(PrivateKey key, String stringToSign) throws Exception
    {
        if(key == null) throw new Exception("Private Key not initalized");

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(stringToSign.getBytes("UTF-8"));

        byte[] rawSignature = signer.sign();

        return new String(Base64.encodeBase64(rawSignature), "UTF-8");
    }
}