fix(sign): use timedelta to pass proper expiration time (#613)

environment_gcsfs.yaml

@@ -12,6 +12,7 @@ dependencies:
   - google-auth
   - google-auth-oauthlib
   - google-cloud-core
+  - google-cloud-storage
   - libfuse<3
   - pytest
   - pytest-timeout

gcsfs/core.py

@@ -10,7 +10,7 @@
 import re
 import warnings
 import weakref
-from datetime import datetime
+from datetime import datetime, timedelta
 from urllib.parse import parse_qs
 from urllib.parse import quote as quote_urllib
 from urllib.parse import urlsplit
@@ -1603,14 +1603,20 @@ def sign(self, path, expiration=100, **kwargs):
         """
         from google.cloud import storage
 
-        bucket, key, generation = self.split_path(path)
         client = storage.Client(
-            credentials=self.credentials.credentials, project=self.project
+            credentials=self.credentials.credentials,
+            project=self.project,
         )
+
+        bucket, key, generation = self.split_path(path)
         bucket = client.bucket(bucket)
         blob = bucket.blob(key)
+
         return blob.generate_signed_url(
-            expiration=expiration, generation=generation, **kwargs
+            expiration=timedelta(seconds=expiration),
+            generation=generation,
+            api_access_endpoint=self._endpoint,
+            **kwargs,
         )
 
 

gcsfs/tests/conftest.py

@@ -63,7 +63,7 @@ def docker_gcs():
     container = "gcsfs_test"
     cmd = (
         "docker run -d -p 4443:4443 --name gcsfs_test fsouza/fake-gcs-server:latest -scheme "
-        "http -public-host http://localhost:4443 -external-url http://localhost:4443 "
+        "http -public-host 0.0.0.0:4443 -external-url http://localhost:4443 "
         "-backend memory"
     )
     stop_docker(container)

gcsfs/tests/fake-service-account-credentials.json

@@ -0,0 +1,9 @@
+{
+  "type": "service_account",
+  "project_id": "gcsfs",
+  "private_key_id": "84e3fd6d7101ec632e7348e8940b2aca71133e71",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDAJWz1KlBu2jRE\nlUahHKuJes34hj4pr8ADhgejpAguBBrubXVvSro7aSSbvyDC/GIcyDQ8Q33YK/kT\nufQvCez7iIACbtP53o6WjcrIAP+l8z9RUL9so+sBCaVRZzh74+cEMfWIbc3ACBB5\nU2BPBWQFtr3Qtbe8TUJ+liNcLb8I2JznfydHvl9cn0/50HeOB99Xho5JAY75aE0Y\nT+/aMTFlr/kUbekLRRi4pyE+uOA/ei5RmfwzqO366YLMtEC2DaHwTqSuxBWnbtTW\nu/OvYpmPHazd6own2zJLQ0Elnm5WC/d9YmxhHi/8pJFkkbVf/2CYWEBbmBI3ZOx3\n/nHQwcIPAgMBAAECggEAUztC/dYE/me10WmKLTrykTxpYTihT8RqG/ygbYGd63Tq\nx5IRlxJbJmYOrgp2IhBaXZZZjis8JXoyzBk2TXPyvChuLt+cIfYGdO/ZwZYxJ0z9\nhfdA3EoK/6mSe3cHcB8SEG6lqaHKyN6VaEC2DLTMlW8JvREiFEaxQY0+puzH/ge4\n2EypCP4pvlveH78EIIipPgWcJYGpv0bv8KErECuVHRjJv6vZqUjQdcIi73mCz/5u\nnQqLY8j9lOuCr9vBis7DZIyY2tn4vfqcqxfH9wuIFXnzIQW6Wyg0+bBQydHg1kJ2\nFOszfkBVxZ6LpcHGB4CV4c5z7Me2cMReXQz6VsyoLQKBgQD9v92rHZYDBy4/vGxx\nbpfUkAlcCGW8GXu+qsdmyhZdjSdjDLY6lav+6UoHIJgmnA7LsKPFgnEDrdn78KBb\n3wno3VHfozL5kF887q9hC/+UurwScCKIw5QkmWtsStVgjr6wPmAu6rspMz5xNjaa\nSU4YzlNcbBUUXUawhXytWPR+OwKBgQDB2bDCD00R2yfYFdjAKapqenOtMvrnihUi\nW9Se7Yizme7s25fDxF5CBPpOdKPU2EZUlqBC/5182oMUP/xYUOHJkuUhbYcvU0qr\n+BQewLwr6rs+O1QPTh/6e70SUFR+YJLaAHkDc6fvcdjtl+Zx/p02Zj+UiW3/D4Jj\nc0EqVr4qPQKBgQCbJx3a6xQ2dcWJoySLlxuvFQMkCt5pzQsk4jdaWmaifRSAM92Y\npLut+ecRxJRDx1gko7T/p2qC3WJT8iWbBx2ADRNqstcQUX5qO2dw5202+5bTj00O\nYsfKOSS96mPdzmo6SWl2RoB6CKM9hfCNFhVyhXXjJRMeiIoYlQZO1/1m0QKBgCzz\nat6FJ8z1MdcUsc9VmhPY00wdXzsjtOTjwHkeAa4MCvBXt2iI94Z9mwFoYLkxcZWZ\n3A3NMlrKXMzsTXq5PrI8Yu+Oc2OQ/+bCvv+ml7vjUYoLveFSr22pFd3STNWFVWhB\n5c3cGtwWXUQzDhfu/8umiCXMfHpBwW2IQ1srBCvNAoGATcC3oCFBC/HdGxdeJC5C\n59EoFvKdZsAdc2I5GS/DtZ1Wo9sXqubCaiUDz+4yty+ssHIZ1ikFr8rWfL6KFEs2\niTe+kgM/9FLFtftf1WDpbfIOumbz/6CiGLqsGNlO3ZaU0kYJ041SZ8RleTOYa0zO\noSTLwBo3vje+aflytEwS8SI=\n-----END PRIVATE KEY-----",
+  "client_email": "fake@gscfs.iam.gserviceaccount.com",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token"
+}

gcsfs/tests/test_core.py

@@ -1,7 +1,7 @@
-import datetime
 import io
 import os
 from builtins import FileNotFoundError
+from datetime import datetime, timezone
 from itertools import chain
 from unittest import mock
 from urllib.parse import parse_qs, unquote, urlparse
@@ -140,7 +140,7 @@ def test_info(gcs):
     gcs.touch(a)
     assert gcs.info(a) == gcs.ls(a, detail=True)[0]
 
-    today = datetime.datetime.utcnow().date().isoformat()
+    today = datetime.utcnow().date().isoformat()
     assert gcs.created(a).isoformat().startswith(today)
     assert gcs.modified(a).isoformat().startswith(today)
     # Check conformance with expected info attribute names.
@@ -1493,3 +1493,28 @@ def test_find_maxdepth(gcs):
 
     with pytest.raises(ValueError, match="maxdepth must be at least 1"):
         gcs.find(f"{TEST_BUCKET}/nested", maxdepth=0)
+
+
+def test_sign(gcs, monkeypatch):
+    file = TEST_BUCKET + "/test.jpg"
+    with gcs.open(file, "wb") as f:
+        f.write(b"This is a test string")
+    assert gcs.cat(file) == b"This is a test string"
+
+    # `sign` is creating a google Client on its own, it needs a realistically
+    # looking credentials file.
+    if not gcs.on_google:
+        monkeypatch.setenv(
+            "GOOGLE_APPLICATION_CREDENTIALS",
+            os.path.dirname(__file__) + "/fake-service-account-credentials.json",
+        )
+
+    current_ts_utc = int(datetime.now(tz=timezone.utc).timestamp())
+    result = gcs.sign(file)
+
+    # Check it here since emulator doesn't really validate those values
+    params = parse_qs(urlparse(result).query)
+    assert int(params["Expires"][0]) >= current_ts_utc + 100
+
+    response = requests.get(result)
+    assert response.text == "This is a test string"