Use AWS signature v4 for presigned POST URLs #109
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jonathansick
force-pushed
the
u/jsickcodes/s3-presigned-post-v4
branch
4 times, most recently
from
45a8894
to
52448a1
Compare
This allows orgs to set whether objects should be public-readable from their bucket. Right now this change is hard-coded via a property on the Organization model, but will ultimately become a database column.
The v4 signature algorithm is required for new AWS regions, and v2 is being deprecated actively from older regions.
Also refactor code for getting the AWS session to embed the region into the authentication, while also configuring the S3 client to use v4 signature verification.
An error with PATCH /v1/orgs/:org/projects/:project/builds was being handled to roll-back the database, but this resulted in a success (202) being returned to the client rather than an error message.
This was a holdover from Keeper v1 to maintain consistency in logging, but overall its not safe to do this because the v1 APIs may not be enabled for a given deployment.
These appeared with mypy 0.942.
This will eventually be fixed by moving to a src-based package layout.
These columns for Organization replace the stand-in properties used for development. They are initially set as nullable to support migrations, with getter methods to support the migration for type checking.
This ensures that DB stamping only happens when a. the DB is initially created b. when a migration is run
jonathansick
force-pushed
the
u/jsickcodes/s3-presigned-post-v4
branch
from
3b070fa
to
05426ab
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The v4 signature algorithm is required for new AWS regions, and v2 is being deprecated actively from older regions.
Additional changes:
New Organization columns:
aws_regionandbucket_public_read. The former is needed for enabling the v4 algorithm and the latter provider control over whether objects in the S3 bucket should be public (LTD Proxy users should set this to False).Prevent databases being stamped with new database version until the migration actually happens
Fix compatibility with setuptools 61 package discovery
Fix compatibility with mypy 0.942