From 5d1475f0efcae169a4b1b276f38d52573d2db534 Mon Sep 17 00:00:00 2001
From: Sergey Motornyuk
Date: Fri, 16 Sep 2022 13:38:46 +0300
Subject: [PATCH] Configurable lifetime of secure urls
---
 README.md | 6 ++++++
 ckanext/cloudstorage/storage.py | 14 ++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a0ad3db..4299f18 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,12 @@ will be aborted. You can configure this lifetime, example:
 ckanext.cloudstorage.max_multipart_lifetime = 7
+One-time URLs generated by CKAN are expired in an hour. This behaviour can be
+changed by setting expected lifetime(in seconds) as `ckanext.cloudstorage.secure_ttl` option:
+
+ # make one-time links valid only for 1 minute
+ ckanext.cloudstorage.secure_ttl = 60
+
 # Migrating From FileStorage
 If you already have resources that have been uploaded and saved using CKAN's
diff --git a/ckanext/cloudstorage/storage.py b/ckanext/cloudstorage/storage.py
index f5881f7..29ef482 100644
--- a/ckanext/cloudstorage/storage.py
+++ b/ckanext/cloudstorage/storage.py
@@ -28,6 +28,16 @@ AWS_UPLOAD_PART_SIZE = 5 * 1024 * 1024
+CONFIG_SECURE_TTL = "ckanext.cloudstorage.secure_ttl"
+DEFAULT_SECURE_TTL = 3600
+
+
+def config_secure_ttl():
+ return p.toolkit.asint(p.toolkit.config.get(
+ CONFIG_SECURE_TTL, DEFAULT_SECURE_TTL
+ ))
+
+
 def _get_underlying_file(wrapper):
 if isinstance(wrapper, FlaskFileStorage):
 return wrapper.stream
@@ -409,7 +419,7 @@ def get_url_by_path(self, path, content_type=None):
 sas_token=blob_service.generate_blob_shared_access_signature(
 container_name=self.container_name,
 blob_name=path,
- expiry=datetime.utcnow() + timedelta(hours=1),
+ expiry=datetime.utcnow() + timedelta(seconds=config_secure_ttl()),
 permission=azure_blob.BlobPermissions.READ,
 ),
 )
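Review bot: `config_secure_ttl()` in the `@@ -28,6 +28,16 @@` hunk returns the configured integer without any bounds check, and that value is used directly as the Azure SAS `expiry` (`-409` hunk) and as the presigned GET `expires_in` (`-429` hunk). A signed URL works as a bearer credential for anyone who obtains it until it expires, so an unbounded setting lets a typo or an over-generous value keep links valid long after the authorization check that issued them, while zero or a negative number produces links that are already expired. I would reject non-positive values with an error that names `ckanext.cloudstorage.secure_ttl` and clamp the result to a documented ceiling, as sketched below; the ceiling shown is a constructed example, not a value from this repository. The helper also has no docstring; it should state the unit (seconds), the default of 3600 and that the links are time-limited and reusable until expiry rather than single-use.

```python
MAX_SECURE_TTL = 7 * 24 * 3600  # constructed example ceiling; set per policy


def config_secure_ttl():
    """Return the lifetime, in seconds, of signed download URLs.

    Signed URLs are reusable by any holder until they expire, so the
    configured value is validated and capped.
    """
    ttl = p.toolkit.asint(p.toolkit.config.get(
        CONFIG_SECURE_TTL, DEFAULT_SECURE_TTL
    ))
    if ttl <= 0:
        raise ValueError(
            "{} must be a positive number of seconds, got {}".format(
                CONFIG_SECURE_TTL, ttl
            )
        )
    return min(ttl, MAX_SECURE_TTL)
```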
@@ -429,7 +439,7 @@ def get_url_by_path(self, path, content_type=None):
 ]
 generate_url_params = {
- "expires_in": 60 * 60,
+ "expires_in": config_secure_ttl(),
 "method": "GET",
 "bucket": self.container_name,
 "key": path,
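Review bot: The `"expires_in": config_secure_ttl()` line hands the operator's value to the URL signer with no comment on what the backend will accept. If this connection signs with AWS Signature Version 4, S3 limits presigned URLs to 604800 seconds (seven days), and a URL signed with temporary credentials stops working when those credentials expire, so a larger `secure_ttl` would not give the lifetime the README describes; I cannot tell from the hunk which signature version is in use. A short comment above the dict would help, for example `# lifetime in seconds; effective lifetime is also bounded by the signer and the credentials used`. `get_url_by_path` begins and ends outside this hunk.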