php AWS S3预签名请求缓存

nkkqxpd9  于 2023-10-15  发布在  PHP
关注(0)|答案(6)|浏览(94)

我想将用户个人资料图片存储在S3存储桶中,但要保持这些图片的私密性。为了做到这一点,我创建了一个预签名的网址,每当图像是必需的。然而,这每次都会创建一个唯一的URL,这意味着浏览器永远不会缓存图像,我最终会在GET请求中付出更多。
下面是我的代码生成的URL的例子,我使用Laravel:

$s3 = \Storage::disk('s3');
$client = $s3->getDriver()->getAdapter()->getClient();
$expiry = new \DateTime('2017-07-25');

$command = $client->getCommand('GetObject', [
    'Bucket' => \Config::get('filesystems.disks.s3.bucket'),
    'Key'    => $key
]);

$request = $client->createPresignedRequest($command, $expiry);

return (string) $request->getUri();

我认为通过指定日期时间而不是时间单位,它会创建相同的URL,但实际上它会将剩余的秒数添加到URL,这里有一个例子:
xxxx.s3.eu-west-2.amazonaws.com/profile-pics/92323.png?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AXXXXXXXXXXX%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20170720T112123Z&X-Amz-SignedHeaders=host&X-Amz-Expires=391117&X-Amz-Signature=XXXXXXXXX

是否可以生成可重复的预签名请求URL,以便用户浏览器可以缓存图像?

hmtdttj4

hmtdttj41#

这是我在看完这篇文章后想到的一个python解决方案。它使用freezegun库来操纵时间,使签名在给定的时间段内保持不变。

import time
import datetime

import boto3
from freezegun import freezetime

S3_CLIENT = boto3.client("s3")

SEVEN_DAYS_IN_SECONDS = 604800
MAX_EXPIRES_SECONDS = SEVEN_DAYS_IN_SECONDS


def get_presigned_get_url(bucket: str, key: str, expires_in_seconds: int = MAX_EXPIRES_SECONDS) -> str:
        current_timestamp = int(time.time())
        truncated_timestamp = current_timestamp - (current_timestamp % expires_in_seconds)
        with freeze_time(datetime.datetime.fromtimestamp(truncated_timestamp)):
            presigned_url = S3_CLIENT.generate_presigned_url(
                ClientMethod="get_object",
                Params={
                    "Bucket": bucket,
                    "Key": key,
                    "ResponseCacheControl": f"private, max-age={expires_in_seconds}, immutable",
                },
                ExpiresIn=expires_in_seconds,
                HttpMethod="GET",
            )
        return presigned_url
hc8w905p

hc8w905p2#

也许是一个迟来的回复,但我会添加我的方法,以利于人们阅读这在未来。
为了强制浏览器缓存生效,每次都生成相同的URL是很重要的,直到你特别希望浏览器从服务器重新加载内容。不幸的是,sdk中提供的预签名者依赖于当前的时间戳,每次都会导致一个新的url。
这个例子是用Java编写的,但是它可以很容易地扩展到其他语言。
GetObjectRequest构建器(用于创建预签名的URL)允许覆盖配置。我们可以提供一个自定义签名器来修改它的行为

AwsRequestOverrideConfiguration.builder()
    .signer(new CustomAwsS3V4Signer())
    .credentialsProvider(<You may need to provide a custom credential provider 
here>)))
.build())

GetObjectRequest getObjectRequest =
    GetObjectRequest.builder()
            .bucket(getUserBucket())
            .key(key)
            .responseCacheControl("max-age="+(TimeUnit.DAYS.toSeconds(7)+ defaultIfNull(version,0L)))
            .overrideConfiguration(overrideConfig)
            .build();

public class CustomAwsS3V4Signer implements Presigner, Signer
{
    private final AwsS3V4Signer awsSigner;

    public CustomAwsS3V4Signer()
    {
        awsSigner = AwsS3V4Signer.create();
    }

@Override
public SdkHttpFullRequest presign(SdkHttpFullRequest request, ExecutionAttributes executionAttributes)
{
    Instant baselineInstant = Instant.now().truncatedTo(ChronoUnit.DAYS);

    executionAttributes.putAttribute(AwsSignerExecutionAttribute.PRESIGNER_EXPIRATION,
            baselineInstant.plus(3, ChronoUnit.DAYS));

在这里,我们覆盖签名时钟来模拟一个固定的时间,这最终会导致url中的过期和签名一致,直到未来的某个日期:

Aws4PresignerParams.Builder builder = Aws4PresignerParams.builder()
            .signingClockOverride(Clock.fixed(baselineInstant, ZoneId.of("UTC")));

    Aws4PresignerParams signingParams =
            extractPresignerParams(builder, executionAttributes).build();

    return awsSigner.presign(request, signingParams);
    }
}

更多详情请点击此处:
https://murf.ai/resources/creating-cache-friendly-presigned-s3-urls-using-v4signer-q1bbqgk

vcirk6k6

vcirk6k63#

与其使用预签名的URL机制,不如向应用程序添加一个经过身份验证的端点,并在该端点内检索图像?在你的img标签中使用这个URL。这个端点可以缓存图像,并为浏览器提供适当的响应头来缓存图像。

t5fffqht

t5fffqht4#

类似于@Aragorn的概念,但这是更完整的代码。这又是Java。此外,由于我的应用程序是多区域的,我不得不把在区域属性。

import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.core.signer.Signer;
import software.amazon.awssdk.services.s3.S3AsyncClient;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;

import javax.annotation.PostConstruct;
import javax.validation.constraints.NotNull;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.time.Duration;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;

@Component
@Slf4j
public class S3Operations {

    @Autowired
    private Signer awsSigner;

    private final Map<Region, S3Presigner> presignerMap = new ConcurrentHashMap<>();

    private S3Presigner buildPresignerForRegion(
      AwsCredentialsProvider credentialsProvider,
      Region region) {

        return S3Presigner.builder()
            .credentialsProvider(credentialsProvider)
            .region(region)
            .build();

    }

    /**
     * Convert an S3 URI to a normal HTTPS URI that expires.
     *
     * @param s3Uri S3 URI (e.g. s3://bucketname/ArchieTest/フェニックス.jpg)
     * @return https URI
     */
    @SneakyThrows
    public URI getExpiringUri(final URI s3Uri) {

        final GetObjectRequest getObjectRequest =
            GetObjectRequest.builder()
                .bucket(s3Uri.getHost())
                .key(s3Uri.getPath().substring(1))
                .overrideConfiguration(builder -> builder.signer(awsSigner))
                .build();

        final Region bucketRegion = bucketRegionMap.computeIfAbsent(s3Uri.getHost(),
            bucketName -> {
                final GetBucketLocationRequest getBucketLocationRequest = GetBucketLocationRequest.builder()
                    .bucket(bucketName)
                    .build();

                return Region.of(s3Client.getBucketLocation(getBucketLocationRequest).locationConstraint().toString());
            });

        final GetObjectPresignRequest getObjectPresignRequest = GetObjectPresignRequest.builder()
            .signatureDuration(Duration.ofSeconds(0)) // required, but ignored
            .getObjectRequest(getObjectRequest)
            .build();

        return presignerMap.computeIfAbsent(bucketRegion, this::buildPresignerForRegion).presignGetObject(getObjectPresignRequest).url().toURI();

    }

对于上面注入的CustomAwsSigner。关键的区别是我抛出了一个不支持的操作异常。

import org.jetbrains.annotations.TestOnly;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import software.amazon.awssdk.auth.signer.AwsS3V4Signer;
import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.core.signer.Presigner;
import software.amazon.awssdk.core.signer.Signer;
import software.amazon.awssdk.http.SdkHttpFullRequest;

import java.time.Clock;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoField;
import java.time.temporal.ChronoUnit;

/**
 * This is a custom signer where the expiration is preset to a 5 minute block within an hour.
 * This must only be used for presigning.
 */
@Component
public class CustomAwsSigner implements Signer, Presigner {
    private final AwsS3V4Signer theSigner = AwsS3V4Signer.create();

    /**
     * This is the clip time for the expiration.  This should be divisible into 60.
     */
    @Value("${aws.s3.clipTimeInMinutes:5}")
    private long clipTimeInMinutes;

    @Value("${aws.s3.expirationInSeconds:3600}")
    private long expirationInSeconds;

    /**
     * Computes the base time as the processing time to the floor of nearest clip block.
     *
     * @param processingDateTime processing date time
     * @return base time
     */
    @TestOnly
    public ZonedDateTime computeBaseTime(final ZonedDateTime processingDateTime) {

        return processingDateTime
            .truncatedTo(ChronoUnit.MINUTES)
            .with(temporal -> temporal.with(ChronoField.MINUTE_OF_HOUR, temporal.get(ChronoField.MINUTE_OF_HOUR) / clipTimeInMinutes * clipTimeInMinutes));

    }

    @Override
    public SdkHttpFullRequest presign(final SdkHttpFullRequest request, final ExecutionAttributes executionAttributes) {

        final Instant baselineInstant = computeBaseTime(ZonedDateTime.now()).toInstant();

        final Aws4PresignerParams signingParams = Aws4PresignerParams.builder()
            .awsCredentials(executionAttributes.getAttribute(AwsSignerExecutionAttribute.AWS_CREDENTIALS))
            .signingName(executionAttributes.getAttribute(AwsSignerExecutionAttribute.SERVICE_SIGNING_NAME))
            .signingRegion(executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNING_REGION))
            .signingClockOverride(Clock.fixed(baselineInstant, ZoneId.of("UTC")))
            .expirationTime(baselineInstant.plus(expirationInSeconds, ChronoUnit.SECONDS))
            .build();
        return theSigner.presign(request, signingParams);

    }

    @Override
    public SdkHttpFullRequest sign(final SdkHttpFullRequest request, final ExecutionAttributes executionAttributes) {

        throw new UnsupportedOperationException("this class is only used for presigning");

    }
}
bvjveswy

bvjveswy5#

如果有人在使用golang预签名具有缓存可能性的URL时遇到困难,您可以创建一个自定义的签名处理程序,并将命名的处理程序与您自己的交换,以更改签名时间并使时间桶的URL相同:

import (
    "time"

    "github.com/aws/aws-sdk-go/aws/request"
    v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
)

// Will create same url if in the same 15 minutes time bucket
const presignPeriod = 15 * time.Minute

// TimeInterface implements an interface that
// has the a time variable (Now) and a function
// to retrieve the time variable
type TimeInterface struct {
    Now time.Time
}

func (t *TimeInterface) NowFunc() time.Time {
    return t.Now
}

// getSignTime function returns the signing time
// (initial time) for the time bucket
func getSignTime() time.Time {
    now := time.Now().UTC()
    signTime := now.Round(presignPeriod)
    if signTime.After(now) {
        signTime.Add(-presignPeriod)
    }

    return signTime
}

// CustomSignSDKRequest Implements a custom aws signing
// handler that sets signing time on buckets of 
// <presignPeriod> minutes.
// It is used so browsers can cache the result of the
// url for get requests, instead of downloading the resource everytime.
func CustomSignSDKRequest(req *request.Request) {
    t := TimeInterface{
        Now: getSignTime(),
    }
    v4.SignSDKRequestWithCurrentTime(req, t.NowFunc)
}
nnsrf1az

nnsrf1az6#

将解决方案从弗朗西斯科的解决方案扩展到golang v2,沿着这条线的东西可能会起作用:

import (
    "context"
    "log"
    "net/http"
    "time"

    "github.com/aws/aws-sdk-go-v2/aws"
    v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
    "github.com/aws/aws-sdk-go-v2/service/s3"
)

// Lifted from https://stackoverflow.com/a/70249671

// Will create same url if in the same 15 minutes time bucket
const presignPeriod = 15 * time.Minute

// getSignTime function returns the signing time
// (initial time) for the time bucket
func getSignTime() time.Time {
    now := time.Now().UTC()
    signTime := now.Round(presignPeriod)
    if signTime.After(now) {
        signTime = signTime.Add(-presignPeriod)
    }
    return signTime
}

// HTTPPresignerV4 is a wrapper around the v4.Signer that implements the
// PresignHTTP method.
type HTTPPresignerV4 struct {
    signer v4.Signer
}

func (client *HTTPPresignerV4) PresignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request,
    payloadHash string, service string, region string, signingTime time.Time,
    optFns ...func(*v4.SignerOptions),
) (url string, signedHeader http.Header, err error) {
    // Get the signing time
    signTime := getSignTime()

    // Sign the request
    signedUrl, signedHeaders, err := client.signer.PresignHTTP(context.Background(), credentials, r, payloadHash, service, region, signTime)

    if err != nil {
        log.Printf("Failed to sign URL: %v", err)
        return "", nil, err
    }

    // Return the URL
    return signedUrl, signedHeaders, nil
}

type S3PresignClient struct {
    PresignClient *s3.PresignClient
    Bucket        string
}

func (client *S3PresignClient) GetPresignedUrl(key string) (string, error) {
    // Create the request
    signedRequest, err := client.PresignClient.PresignGetObject(context.TODO(), &s3.GetObjectInput{
        Bucket: aws.String(client.Bucket),
        Key:    aws.String(key),
    })

    if err != nil {
        log.Printf("Failed to create presigned URL request: %v", err)
        return "", err
    }

    if err != nil {
        log.Printf("Failed to sign URL: %v", err)
        return "", err
    }

    // Return the URL
    return signedRequest.URL, nil
}

// Create a new PresignClient
func NewPresignClient(config aws.Config, bucket string) *S3PresignClient {
    // Here we create a presigning client that has the signingTime set to the
    // beginning of the time bucket. This is so that we can reuse the same
    // presigned URL for the same time bucket. This is useful to being able to
    // generate the same url for the same time bucket and allow some caching of
    // the presigned URL.

    s3Client := s3.NewFromConfig(config)
    presignClient := s3.NewPresignClient(s3Client, func(o *s3.PresignOptions) {
        o.Presigner = &HTTPPresignerV4{
            signer: *v4.NewSigner(),
        }
    })

    return &S3PresignClient{
        PresignClient: presignClient,
        Bucket:        bucket,
    }
}

相关问题