Skip to content

feat(storage): add secured=false option for public artifact access #1436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dan-kirberger wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(storage): add secured=false option for public artifact access #1436

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion api/storage/storage.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,11 @@ func ListBuildObjectNames(c *gin.Context) {
// The URL is valid for a limited time and can be used to securely upload files directly
// to the storage service without exposing credentials.
//
// When the optional `secured` query parameter is set to `false`, the object is stored under
// a `public/` prefix in the bucket, making it downloadable via a direct URL without authentication.
// This requires the storage bucket to have a public-read policy configured for the `public/*` prefix.
// Defaults to `true` (authenticated presigned GET URLs) when omitted.
//
// ---
// produces:
// - application/json
Expand All @@ -135,6 +140,11 @@ func ListBuildObjectNames(c *gin.Context) {
// description: Object name for the PUT URL
// required: true
// type: string
// - name: secured
// in: query
// description: "When false, stores the object under the public/ prefix for unauthenticated downloads. Defaults to true."
// required: false
// type: boolean
// security:
// - ApiKeyAuth: []
// responses:
Expand Down Expand Up @@ -185,7 +195,18 @@ func GetPresignedPutURL(c *gin.Context) {
return
}

path := fmt.Sprintf("%s/%s/%d/%s", org, repoName, buildNum, objName)
// when secured=false the object is stored under the public/ prefix, making
// it accessible without authentication via a direct (non-presigned) URL.
// defaults to true (authenticated presigned GET) when the param is absent.
secured := c.Query("secured") != "false"

var path string
if secured {
path = fmt.Sprintf("%s/%s/%d/%s", org, repoName, buildNum, objName)
} else {
path = fmt.Sprintf("public/%s/%s/%d/%s", org, repoName, buildNum, objName)
}

timeout := time.Duration(r.GetTimeout()) * time.Minute

putURL, err := storage.FromGinContext(c).PresignedPutObject(c, path, timeout)
Expand Down
15 changes: 8 additions & 7 deletions cmd/vela-server/storage.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,14 @@ func setupStorage(_ context.Context, c *cli.Command) (storage.Storage, error) {
}
// storage configuration
_setup := &storage.Setup{
Enable: c.Bool("storage.enable"),
Driver: c.String("storage.driver"),
Endpoint: c.String("storage.addr"),
AccessKey: c.String("storage.access.key"),
SecretKey: c.String("storage.secret.key"),
Bucket: c.String("storage.bucket.name"),
Secure: c.Bool("storage.use.ssl"),
Enable: c.Bool("storage.enable"),
Driver: c.String("storage.driver"),
Endpoint: c.String("storage.addr"),
AccessKey: c.String("storage.access.key"),
SecretKey: c.String("storage.secret.key"),
Bucket: c.String("storage.bucket.name"),
Secure: c.Bool("storage.use.ssl"),
PublicPolicy: c.Bool("storage.public.policy"),
}
// setup the storage
//
Expand Down
Loading