Sign CloudFront urls only in case querystring_auth is enabled (jschne…

…ier#885) * Sign CloudFront urls only in case querystring_auth is enabled * Fix test
qedsoftware · Mar 9, 2022 · 99c8c06 · 99c8c06
1 parent c66a8e2
commit 99c8c06
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/storages/backends/s3boto3.py b/storages/backends/s3boto3.py
@@ -740,7 +740,7 @@ def url(self, name, parameters=None, expire=None, http_method=None):
             url = "{}//{}/{}".format(
                 self.url_protocol, self.custom_domain, filepath_to_uri(name))
 
-            if self.cloudfront_signer:
+            if self.querystring_auth and self.cloudfront_signer:
                 expiration = datetime.utcnow() + timedelta(seconds=expire)
 
                 return self.cloudfront_signer.generate_presigned_url(url, date_less_than=expiration)

diff --git a/tests/test_s3boto3.py b/tests/test_s3boto3.py
@@ -604,18 +604,22 @@ def test_storage_url_custom_domain_signed_urls(self):
             -----END RSA PRIVATE KEY-----'''
         ).encode('ascii')
 
-        url = 'https://mock.cloudfront.net/file.txt?Expires=3600&Signature=DbqVgh3FHtttQxof214tSAVE8Nqn3Q4Ii7eR3iykbOqAPbV89HC3EB~0CWxarpLNtbfosS5LxiP5EutriM7E8uR4Gm~UVY-PFUjPcwqdnmAiKJF0EVs7koJcMR8MKDStuWfFKVUPJ8H7ORYTOrixyHBV2NOrpI6SN5UX6ctNM50_&Key-Pair-Id=test-key'  # noqa
+        url = 'https://mock.cloudfront.net/file.txt'
+        signed_url = url + '?Expires=3600&Signature=DbqVgh3FHtttQxof214tSAVE8Nqn3Q4Ii7eR3iykbOqAPbV89HC3EB~0CWxarpLNtbfosS5LxiP5EutriM7E8uR4Gm~UVY-PFUjPcwqdnmAiKJF0EVs7koJcMR8MKDStuWfFKVUPJ8H7ORYTOrixyHBV2NOrpI6SN5UX6ctNM50_&Key-Pair-Id=test-key'  # noqa
 
         self.storage.custom_domain = "mock.cloudfront.net"
 
         for pem_to_signer in (
                 s3boto3._use_cryptography_signer(),
                 s3boto3._use_rsa_signer()):
             self.storage.cloudfront_signer = pem_to_signer(key_id, pem)
+            self.storage.querystring_auth = False
+            self.assertEqual(self.storage.url(filename), url)
 
+            self.storage.querystring_auth = True
             with mock.patch('storages.backends.s3boto3.datetime') as mock_datetime:
                 mock_datetime.utcnow.return_value = datetime.utcfromtimestamp(0)
-                self.assertEqual(self.storage.url(filename), url)
+                self.assertEqual(self.storage.url(filename), signed_url)
 
     def test_generated_url_is_encoded(self):
         self.storage.custom_domain = "mock.cloudfront.net"