OpenStack Swift Object Storage File Access? - ibm-cloud

I'm setting up OpenStack Swift object storage via IBM Bluemix for a few needs in our application. First of all I need a place to securly upload customer files via our API, which this is a perfect solution for.
The portion I'm struggling with is the public piece. Our SAAS product has certian images that are uploaded during account provisioning. These files need to be public accessable via a URL.
I'm able to get the swift SDK to retrieve files with both a token and username/password methods. However I'm not able to find a way to generate a public URL, or to set public access on objects or containers. The documentation seems to be lacking on this too.
Is this possible even? Should I be using a different method for storing public assets?

It is. You can either create temporary URLs for the resources you want to access, or change the settings for your Object Store container to allow read access.
To modify the container ACL, follow Public URLs For Objects In Bluemix Object Storage Service
Hints for creating URLs just for some files are at How to create temporary URL for Swift object storage using REST API?

Related

Cloud Storage - Disabled Public Access Prevention, but Failed

Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I gained the downloadURL which can be accessible on web if people know the URL. I had enabled Public Access Prevention in Google Cloud Storage Console based on this doc and chose Access Control Uniform for this on doc.
I also had added Security Rule in Firebase Cloud Storage, so only Users with certain custom token can use it. But, it seems useless as everyone can get its downloaded URL. My question is why is that I still able to access the file if I am using the same URL which was I stored in Firestore? You can test it on this url.
Can hacker get the download URL I downloaded from Firestore?
Is there a secure way to download song from Firebase Cloud Storage so hacker won't get its URL?
Thank you for helping me out.
Updated v2:
I just found out that current audio file has its own AuthenticatedUrl as shown on this picture below. How can I get access to this url?
Updated v1:
I think I haven't activated Firebase App Check. Does this feature have ability to prevent it from being accessed publicly or maybe there is other things that I have to do to be able to prevent it being accessed publicly, beside all ways I described above???
Security rules only check if a user can get the download URL and do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL and downloads the files directly and is controlled by security rules. So a user must be authenticated to fetch them.
As mentioned in the Answer :
If you're using the FlutterFire Storage library in your app, you can
call getData on a reference to the file to get its data. So with
that you just need to know the path to the data, and you won't need
the download URL in your application. Once you have the data locally,
you can create an image out of it with: Converting a byte array to
image in Flutter?
Unlike download URLs, the call to getData() is
checked by security rules, so you'll have to ensure that the user is
permitted to access the file.
You can also refer to this Answer :
For web apps: in the JavaScript/Web SDK using a download URL is the
only way to get at the data, while for the native mobile SDKs we also
have getData() and getFile() methods, which are enforced through
security rules.
Until that time, if signed URLs fit your needs
better, you can use those. Both signed URLs and download URLs are just
URLs that provide read-only access to the data. Signed URLs just
expire, while download URLs don't.
For more information, you can refer to this Github issue where a similar issue has been discussed.

Firebase storage authentication

I want to restrict access to Firebase Storage objects with storage rules and custom claims on authenticated users. Both cool features, good for scaling.
My problem however is:
The Firebase Storage download link allows public access, no matter the rules.
My download link given by getDownloadURL() is:
https://firebasestorage.googleapis.com/v0/b/***myappname***.appspot.com/o/logos%2F1618740110634.png?alt=media&token=bdf6a5c5-54a2-4211-aa40-85177a38210a
My rules are:
match /{allPaths=**} {
allow read, write: if false;
}
What link then should I use to restrict access to authenticated users only and for checking custom claims with for my admin (excel reports) files? I am very confused.
Have tried direct links, without the token at the end, the given storage location link.
With the public link, anyone has access I don't want them to have.
Using Flutter mobile and web.
The getDownloadURL() always returns a public URL. Everyone who has it can access the file.
There are short lived signed token URLs but they are not supported on native device SDKs.
The downloadURL is very secure. If someon does not have it no one will get to your file. So the magic here is to not share it anywere and to get what you would like work only with references. Only if someone has access to your reference (according to the storage rules) he can generate the downloadURL.
I would recommend to work in your app only with those references and only get the downloadURL when you realy want to access the file in App or open it.
In the firebase storage rules you can then use auth and the customClaims to define who can access the file references.
Once a downloadURL is generated the firebase storage rules don't matter. The file will be accessible over that link.

How do you set object access from shared publicly to only being able to access the file momentarily?

I've been playing around in google cloud storage. I've been able to upload files without any signature mismatch errors by doing the following.
set cors using gsutils from a json file.
get signed urls with an additional 'x-goog-acl': 'project-private' key value (or at least I think I have)
and PUT my object to storage with an additional body object 'x-goog-acl': 'project-private'
It doesn't seem to do anything. When I look in the console my image file is still shared publicly.
What I'm trying to do is that the user that is authenticated in my web app is the only person that can access that file. How can I do that I thought it was ACL permissions but I'm not sure anymore.

Google storage external authorization

I need to store my service data in Google Storage and let my users download files depending on their (users) access rights.
I've already made service that connects to Google Storage using server-centric mechanism, and transfers them to client-side, but I need client-side to go to Storage and download file without server-side.
I've tried to use temporary links for files, but I can't check, if user downloaded file or not to properly delete temporary link.
I've tried to look for oauth2 support, but it seems Google doesn't support oauth in such way (When my service decides to allow access or no).
The best solution is to generate tokens for users and if Google Storage would call my service before every file download.
How can I achieve that?

How do you get or generate a URL to the object in a bucket?

I'm storing objects in buckets on google cloud storage. I would like to provide a http url to the object for download. Is there a standard convention or way to expose files stored in cloud storage as http urls?
Yes. Assuming that the objects are publicly accessible:
http://BUCKET_NAME.storage.googleapis.com/OBJECT_NAME
You can also use:
http://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME
Both HTTP and HTTPS work fine. Note that the object must be readable by anonymous users, or else the download will fail. More documentation is available at https://developers.google.com/storage/docs/reference-uris
If it is the case that the objects are NOT publicly accessible and you only want the one user to be able to access them, you can generate a signed URL that will allow only the holder of the URL to download the object, and even then only for a limited period of time. I recommend using one of the GCS client libraries for this, as it's easy to get the signing code slightly wrong: https://developers.google.com/storage/docs/accesscontrol#Signed-URLs
One way is to use https://storage.cloud.google.com// see more documentation at
https://developers.google.com/storage/docs/collaboration#browser
If the file is not public, you can use this link to the file and it will authenticate with your signed in Google account:
https://storage.cloud.google.com/{bucket-name}/{folder/filename}
Otherwise generate a signed URL:
gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg