Add SHA256 HMAC signed URL support to blobstore #650
Open
kathap wants to merge 3 commits into
Adds /signed/ location blocks to nginx blobstore configuration to support SHA256 HMAC signed URLs alongside existing MD5 signed URLs (/read/ and /write/). This enables future migration to storage-cli for WebDAV blobstore clients, providing consistency with BOSH's existing SHA256 HMAC signing implementation.

Changes:
- Added /signed/ location with secure_link_hmac (SHA256) verification
- Applied to all three server blocks (internal, public, public TLS)
- Supports GET, HEAD, and PUT methods
- Uses existing blobstore.secure_link.secret property

Benefits:
- Stronger cryptographic security (SHA256 HMAC vs MD5)
- Unified signing method across BOSH and CAPI platforms
- Enables removal of blobstore_url_signer service in future
- Zero impact on existing deployments (additive change only)

This is a preparatory change. Legacy /read/ and /write/ endpoints remain unchanged and fully functional. No configuration changes required.
This is a preparatory change for the storage-cli DAV signing integration. Legacy /read/ and /write/ endpoints remain unchanged and fully functional. No configuration changes required.
Links to any other associated PRs
Enhance storage-cli webdav config #634
Add WebDAV support to storage-cli client and improve test quality cloud_controller_ng#4974
Add Dav Signing Functionality storage-cli#105
I have viewed, signed, and submitted the Contributor License Agreement
I have made this pull request to the develop branch
I have run CF Acceptance Tests on bosh lite
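
The kind of signed URL this PR describes, shown end to end as an added example that is not code from the PR or from capi-release: a Go signer and verifier for an HMAC-SHA256 link bound to method, path and lifetime. The `st`/`ts`/`e` parameter names, the `METHOD|path|ts|ttl` message layout, the sample path and the secret are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// mac returns base64url(HMAC-SHA256(secret, "METHOD|path|ts|ttl")).
// This message layout is assumed for the example; it is not taken from the PR.
func mac(secret []byte, method, path string, ts, ttl int64) string {
	h := hmac.New(sha256.New, secret)
	fmt.Fprintf(h, "%s|%s|%d|%d", method, path, ts, ttl)
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// SignURL appends st (signature), ts (issue time) and e (lifetime in seconds).
func SignURL(secret []byte, method, path string, now time.Time, ttl int64) string {
	q := url.Values{"ts": {strconv.FormatInt(now.Unix(), 10)}, "e": {strconv.FormatInt(ttl, 10)}}
	q.Set("st", mac(secret, method, path, now.Unix(), ttl))
	return path + "?" + q.Encode()
}

// Verify recomputes the MAC from the request itself and checks the lifetime.
func Verify(secret []byte, method, rawURL string, now time.Time) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	q := u.Query()
	ts, err1 := strconv.ParseInt(q.Get("ts"), 10, 64)
	ttl, err2 := strconv.ParseInt(q.Get("e"), 10, 64)
	if err1 != nil || err2 != nil || ttl <= 0 || now.Unix() > ts+ttl {
		return false
	}
	// hmac.Equal compares in constant time, so timing does not leak the MAC.
	return hmac.Equal([]byte(mac(secret, method, u.Path, ts, ttl)), []byte(q.Get("st")))
}

func main() {
	secret, now := []byte("constructed-example-secret"), time.Unix(1700000000, 0)
	link := SignURL(secret, "GET", "/signed/constructed/blob-guid", now, 900)
	fmt.Println(link, Verify(secret, "GET", link, now.Add(time.Minute)))
}
```

Because the method, path, issue time and lifetime are all inside the MAC, a GET link cannot be replayed as a PUT and the lifetime cannot be extended by editing `e`.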