Remove obsolete script

It's used in the code for escaping only parts of URLs

.drone.yml

@@ -0,0 +1,16 @@
+kind: pipeline
+name: default
+
+steps:
+- name: specs
+  image: ruby
+  environment:
+    REDIS_HOST: redis
+  commands:
+  - cp config.yml.erb.example config.yml.erb
+  - bundle install --jobs=3 --retry=3
+  - bundle exec rake test
+
+services:
+  - name: redis
+    image: redis

.github/workflows/ruby.yml

@@ -1,33 +0,0 @@
-name: Tests
-
-on:
-  push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby-version: ['2.7', '3.0', '3.1']
-        redis-version: [6, 7]
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby-version }}
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - name: Start Redis
-      uses: supercharge/redis-github-action@1.4.0
-      with:
-        redis-version: ${{ matrix.redis-version }}
-    - name: Configure
-      run: cp config.yml.erb.example config.yml.erb
-    - name: Run tests
-      run: bundle exec rake test

Dockerfile

@@ -1,8 +1,7 @@
-# FROM ruby:3.1.4
-FROM ruby:2.7.8
+FROM ruby:3.1.4
 
 WORKDIR /liquorcabinet
-ENV RACK_ENV=staging
+ENV RACK_ENV=production
 
 COPY Gemfile Gemfile.lock /liquorcabinet/
 RUN bundle install

Gemfile

@@ -3,11 +3,11 @@ source "https://rubygems.org"
 gem "sinatra", "~> 2.2.0"
 gem "sinatra-contrib", "~> 2.2.0"
 gem "activesupport", "~> 6.1.0"
-gem "rest-client", "~> 2.1.0"
 gem "redis", "~> 4.6.0"
-# Remove require when we can update to 3.0, which sets the new storage
-# format to columnar by default. Increases performance
+gem "rest-client", "~> 2.1.0"
+gem "aws-sigv4", "~> 1.0.0"
 gem "mime-types"
+gem "rainbows"
 
 group :test do
   gem 'rake'
@@ -19,6 +19,5 @@ group :test do
 end
 
 group :staging, :production do
-  gem "rainbows"
   gem "sentry-raven", require: false
 end

Gemfile.lock

@@ -9,6 +9,7 @@ GEM
       zeitwerk (~> 2.3)
     addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
+    aws-sigv4 (1.0.3)
     base64 (0.1.1)
     concurrent-ruby (1.2.2)
     crack (0.4.5)
@@ -93,6 +94,7 @@ PLATFORMS
 
 DEPENDENCIES
   activesupport (~> 6.1.0)
+  aws-sigv4 (~> 1.0.0)
   m
   mime-types
   minitest

README.md

@@ -1,21 +1,55 @@
-[![Build Status](https://github.com/5apps/liquor-cabinet/actions/workflows/ruby.yml/badge.svg)](https://github.com/5apps/liquor-cabinet/actions/workflows/ruby.yml)
+[![Build Status](https://drone.kosmos.org/api/badges/5apps/liquor-cabinet/status.svg)](https://drone.kosmos.org/5apps/liquor-cabinet)
 
 # Liquor Cabinet
 
 Liquor Cabinet is where Frank stores all his stuff. It's a
 [remoteStorage](https://remotestorage.io) HTTP API, based on Sinatra. The
-metadata and OAuth tokens are stored in Redis, and documents can be stored in
-anything that supports the storage API of either Openstack Swift or Amazon S3.
+metadata and OAuth tokens are stored in Redis, and
+documents/files can be stored in anything that supports
+the S3 object storage API.
 
 Liquor Cabinet only implements the storage API part of the remoteStorage
 protocol, but does not include the Webfinger and OAuth parts. It is meant to be
 added to existing systems and user accounts, so you will have to add your own
 OAuth dialog for remoteStorage authorizations and persist the tokens in Redis.
 
+There is an [open-source accounts management
+app](https://gitea.kosmos.org/kosmos/akkounts/) by the Kosmos project, which
+comes with a built-in remoteStorage dashboard and is compatible with Liquor
+Cabinet.
+
 If you have any questions about this program, please [post to the RS
 forums](https://community.remotestorage.io/c/server-development), and we'll
 gladly answer them.
 
+## System requirements
+
+* [Ruby](https://www.ruby-lang.org/en/) and [Bundler](https://bundler.io/)
+* [Redis](https://redis.io/)
+* S3-compatible object storage (e.g. [Garage](https://garagehq.deuxfleurs.fr/)
+  or [MinIO](https://min.io/) for self-hosting)
+
+## Setup
+
+1. Check the `config.yml.erb.example` file. Either copy it to `config.yml.erb`
+   and use the enviroment variables it contains, or create/deploy your own
+   config YAML file with custom values.
+2. Install dependencies: `bundle install`
+
+## Development
+
+Running the test suite:
+
+    bundle exec rake test
+
+Running the app:
+
+    bundle exec rainbows
+
+## Deployment
+
+_TODO document options_
+
 ## Contributing
 
 We love pull requests. If you want to submit a patch:

config.yml.erb.example

@@ -2,11 +2,11 @@ development: &defaults
   maintenance: false
   redis:
     host: <%= ENV["REDIS_HOST"] || "localhost" %>
-    port: <%= ENV["REDIS_PORT"] || "6379" %>
-    db: <%= ENV["REDIS_DB"] || 0 %>
+    port: <%= ENV["REDIS_PORT"] || 6379 %>
+    db: <%= ENV["REDIS_DB"] || 1 %>
   s3: &s3_defaults
     endpoint: <%= ENV["S3_ENDPOINT"] || "http://127.0.0.1:9000" %>
-    region: <%= ENV["S3_REGION"] %>
+    region: <%= ENV["S3_REGION"] || "us-east-1" %>
     access_key_id: <%= ENV["S3_ACCESS_KEY"] || "minioadmin" %>
     secret_key_id: <%= ENV["S3_SECRET_KEY"] || "minioadmin" %>
     bucket: <%= ENV["S3_BUCKET"] || "rs-development" %>

lib/remote_storage/rest_provider.rb

@@ -431,9 +431,9 @@ module RemoteStorage
       end
     end
 
-    def escape(url)
+    def escape(str)
       # We want spaces to turn into %20 and slashes to stay slashes
-      CGI::escape(url).gsub('+', '%20').gsub('%2F', '/')
+      CGI::escape(str).gsub('+', '%20').gsub('%2F', '/')
     end
 
     def redis

lib/remote_storage/s3.rb

@@ -10,18 +10,29 @@ module RemoteStorage
 
     private
 
-    # S3 already wraps the ETag around quotes
+    def s3_signer
+      signer ||= Aws::Sigv4::Signer.new(
+        service: 's3',
+        region: settings.s3["region"],
+        access_key_id: settings.s3["access_key_id"].to_s,
+        secret_access_key: settings.s3["secret_key_id"].to_s,
+        uri_escape_path: false
+      )
+    end
+
+    # S3 already wraps the ETag with quotes
     def format_etag(etag)
       etag
     end
 
     def do_put_request(url, data, content_type)
       deal_with_unauthorized_requests do
-        md5 = Digest::MD5.base64digest(data)
-        authorization_headers = authorization_headers_for(
-          "PUT", url, md5, content_type
-        ).merge({ "Content-Type" => content_type, "Content-Md5" => md5 })
-        res = RestClient.put(url, data, authorization_headers)
+        headers = { "Content-Type" => content_type }
+        auth_headers = auth_headers_for("PUT", url, headers, data)
+
+        # TODO check if put was successful, e.g. it's returning a 413 directly
+        # if the back-end does, too (missing CORS headers in that case)
+        res = RestClient.put(url, data, headers.merge(auth_headers))
 
         return [
           res.headers[:etag].delete('"'),
@@ -32,24 +43,24 @@ module RemoteStorage
 
     def do_get_request(url, &block)
       deal_with_unauthorized_requests do
-        headers = { }
+        headers = {}
         headers["Range"] = server.env["HTTP_RANGE"] if server.env["HTTP_RANGE"]
-        authorization_headers = authorization_headers_for("GET", url)
-        RestClient.get(url, authorization_headers.merge(headers), &block)
+        auth_headers = auth_headers_for("GET", url, headers)
+        RestClient.get(url, headers.merge(auth_headers), &block)
       end
     end
 
     def do_head_request(url, &block)
       deal_with_unauthorized_requests do
-        authorization_headers = authorization_headers_for("HEAD", url)
-        RestClient.head(url, authorization_headers, &block)
+        auth_headers = auth_headers_for("HEAD", url)
+        RestClient.head(url, auth_headers, &block)
       end
     end
 
     def do_delete_request(url)
       deal_with_unauthorized_requests do
-        authorization_headers = authorization_headers_for("DELETE", url)
-        RestClient.delete(url, authorization_headers)
+        auth_headers = auth_headers_for("DELETE", url)
+        RestClient.delete(url, auth_headers)
       end
     end
 
@@ -67,38 +78,11 @@ module RemoteStorage
       return found
     end
 
-    # This is using the S3 authorizations, not the newer AW V4 Signatures
-    # (https://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html)
-    def authorization_headers_for(http_verb, url, md5 = nil, content_type = nil)
-      url = File.join("/", url.gsub(base_url, ""))
-      date = Time.now.httpdate
-      signed_data = generate_s3_signature(http_verb, md5, content_type, date, url)
-      {
-        "Authorization" => "AWS #{credentials[:access_key_id]}:#{signed_data}",
-        "Date" => date
-      }
-    end
-
-    def credentials
-      @credentials ||= { access_key_id: settings.s3["access_key_id"], secret_key_id: settings.s3["secret_key_id"] }
-    end
-
-    def digest(secret, string_to_sign)
-      Base64.encode64(hmac(secret, string_to_sign)).strip
-    end
-
-    def hmac(key, value)
-      OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, value)
-    end
-
-    def uri_escape(s)
-      CGI.escape(s).gsub('%5B', '[').gsub('%5D', ']')
-    end
-
-    def generate_s3_signature(http_verb, md5, content_type, date, url)
-      string_to_sign = [http_verb, md5, content_type, date, url].join "\n"
-      signature = digest(credentials[:secret_key_id], string_to_sign)
-      uri_escape(signature)
+    def auth_headers_for(http_method, url, headers = {}, data = nil)
+      signature = s3_signer.sign_request(
+        http_method: http_method, url: url, headers: headers, body: data
+      )
+      signature.headers
     end
 
     def base_url
@@ -109,5 +93,4 @@ module RemoteStorage
       "#{base_url}/#{settings.s3["bucket"]}/#{user}"
     end
   end
-
 end

liquor-cabinet.rb

@@ -64,7 +64,7 @@ class LiquorCabinet < Sinatra::Base
       headers 'Access-Control-Allow-Origin' => '*',
               'Access-Control-Allow-Methods' => 'GET, PUT, DELETE',
               'Access-Control-Allow-Headers' => 'Authorization, Content-Type, Origin, If-Match, If-None-Match, Range',
-              'Access-Control-Expose-Headers' => 'ETag, Content-Length, Content-Range',
+              'Access-Control-Expose-Headers' => 'ETag, Content-Length, Content-Range, Content-Type',
               'Accept-Ranges' => 'bytes'
       headers['Access-Control-Allow-Origin'] = env["HTTP_ORIGIN"] if env["HTTP_ORIGIN"]
       headers['Cache-Control'] = 'no-cache'