Google-cloud-php: Support for generating and signing policy documents.

Created on 29 Oct 2019  路  5Comments  路  Source: googleapis/google-cloud-php

Hi there!

I'm struggling to implement a file-upload to Google Storage using a POST-request with policy document (as described here https://cloud.google.com/storage/docs/xml-api/post-object#policydocument).

googleapis/google-cloud-python has a bucket.generate_upload_policy function available, that generates the policy and signature. Unfortunately i couldn't find anything like that in googleapis/google-cloud-php.

Here is how i'm trying to get this to work:

$bucket = "my-bucket-name";
$acl = "public-read";
$contentType = "application/pdf";
$policyDocument = json_encode((object)[
    "expiration" => now()->addDay(),
    "conditions" => [
        ["starts-with", '$key', ""],
        (object)["acl" => $acl],
        (object)["bucket" => $bucket],
        ["eq", '$Content-Type', $contentType]
    ]
]);
$key = "-----BEGIN PRIVATE KEY-----\n my private key from the JSON generated via gcloud iam service-accounts keys create \n-----END PRIVATE KEY-----\n";
openssl_sign($policyDocument, $policySignature, $key, OPENSSL_ALGO_SHA256);

$formData = json_encode((object) [
    'key' => "test.pdf",
    'bucket' => $bucket,
    'Content-Type' => $contentType,
    'GoogleAccessId' => "my-service-account-email",
    'acl' => $acl,
    'policy' => base64_encode($policyDocument),
    'signature' => base64_encode($policySignature),
]);

The frontend then adds the file to the formdata under the file field and submits a POST request to http://my-bucket-name.storage.googleapis.com. Unfortunately i'm always getting a 403 status code back without any further errors or hints.

Are there any plans to add support for policy documents to this package? Or can someone spot an error in my implermentation? Help would be greatly appreciated!

storage feature request

Most helpful comment

@jdpedrie FWIW, I'm linking the Python implementation of Bucket.generate_upload_policy, and a snippet showing how it is used.

All 5 comments

@jdpedrie FWIW, I'm linking the Python implementation of Bucket.generate_upload_policy, and a snippet showing how it is used.

@codeflorist I'm going to look into this further as soon as I can and get back to you.

@jdpedrie Many thanks! I've already found the flaw in my code though. It's the base64-encoding of the policy, that must be signed, not the raw json. I've updated the above code, so that it works.

Still it would be useful, if googleapis/google-cloud-php would provide function for this. Especially in a App Engine environment, where (i guess) no private key would be needed. So i'm leaving this feature request open.

Duplicate of #2630, @jdpedrie can you close this?

Yep! @codeflorist support for this will be added in the next release.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

lorenzosfarra picture lorenzosfarra  路  7Comments

joseph1125 picture joseph1125  路  8Comments

joseflorido picture joseflorido  路  3Comments

fschirl picture fschirl  路  4Comments

LoekvanKooten picture LoekvanKooten  路  6Comments