Expiration time for exported objects should be configurable #2053

Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
LinuxForHealth · Mar 30, 2021 · 847687f · 847687f
1 parent 4ce072f
commit 847687f
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 3 deletions.
diff --git a/docs/src/pages/guides/FHIRServerUsersGuide.md b/docs/src/pages/guides/FHIRServerUsersGuide.md
@@ -2032,6 +2032,7 @@ This section contains reference information about each of the configuration prop
 |`fhirServer/bulkdata/core/cos/requestTimeout`|number|The request timeout in second for the COS client|
 |`fhirServer/bulkdata/core/cos/socketTimeout`|number|The socket timeout in second for the COS client|
 |`fhirServer/bulkdata/core/cos/useServerTruststore`|boolean|If the COS Client should use the IBM FHIR Server's TrustStore to access S3/IBMCOS service |
+|`fhirServer/bulkdata/core/cos/presignedExpiry`|number|The time in seconds of the presigned download URL; must be using HMAC auth|
 |`fhirServer/bulkdata/core/file/writeTriggerSizeMB`|number|The size, in megabytes, at which to write the buffer to file.|
 |`fhirServer/bulkdata/core/file/sizeThresholdMB`|number|The size, in megabytes, at which to finish writing a given file. Use `0` to indicate that all resources of a given type should be written to a single file.|
 |`fhirServer/bulkdata/core/file/resourceCountThreshold`|number|The number of resources at which to finish writing a given file. The actual number of resources written to a single file may be slightly above this number, dependent on the configured page size. Use `0` to indicate that there is no limit to the number of resources to be written to a single file.|
@@ -2152,6 +2153,7 @@ This section contains reference information about each of the configuration prop
 |`fhirServer/bulkdata/core/cos/requestTimeout`|120|
 |`fhirServer/bulkdata/core/cos/socketTimeout`|120|
 |`fhirServer/bulkdata/core/cos/useServerTruststore`|false|
+|`fhirServer/bulkdata/core/cos/presignedExpiry`|86400|
 |`fhirServer/bulkdata/core/pageSize`|1000|
 |`fhirServer/bulkdata/core/maxPartitions`|5|
 |`fhirServer/bulkdata/core/maxInputs`|5|
@@ -2264,6 +2266,7 @@ must restart the server for that change to take effect.
 |`fhirServer/bulkdata/core/cos/requestTimeout`|N|N|
 |`fhirServer/bulkdata/core/cos/socketTimeout`|N|N|
 |`fhirServer/bulkdata/core/cos/useServerTruststore`|Y|Y|
+|`fhirServer/bulkdata/core/cos/presignedExpiry`|Y|Y|
 |`fhirServer/bulkdata/core/batchIdEncryptionKey`|Y|N|
 |`fhirServer/bulkdata/core/pageSize`|Y|Y|
 |`fhirServer/bulkdata/core/maxPartitions`|Y|Y|

diff --git a/fhir-server/liberty-config/config/default/fhir-server-config.json b/fhir-server/liberty-config/config/default/fhir-server-config.json
@@ -148,7 +148,8 @@
                     "partUploadTriggerSizeMB": 10,
                     "objectSizeThresholdMB": 200,
                     "objectResourceCountThreshold": 200000,
-                    "useServerTruststore": true
+                    "useServerTruststore": true,
+                    "presignedExpiry": 86400
                 },
                 "file" : { 
                     "writeTriggerSizeMB": 1,

diff --git a/...n-bulkdata/src/main/java/com/ibm/fhir/operation/bulkdata/config/ConfigurationAdapter.java b/...n-bulkdata/src/main/java/com/ibm/fhir/operation/bulkdata/config/ConfigurationAdapter.java
@@ -466,4 +466,10 @@ public interface ConfigurationAdapter {
      * @return
      */
     int getImportInflyRateNumberOfFhirResources(String provider);
+
+    /**
+     * the expiry time of the generated presigned urls.
+     * @return
+     */
+    int getPresignedUrlExpiry();
 }
diff --git a/...ain/java/com/ibm/fhir/operation/bulkdata/config/impl/AbstractSystemConfigurationImpl.java b/...ain/java/com/ibm/fhir/operation/bulkdata/config/impl/AbstractSystemConfigurationImpl.java
@@ -317,4 +317,10 @@ public int getImportNumberOfFhirResourcesPerRead(String provider) {
     public int getImportInflyRateNumberOfFhirResources(String provider) {
         return IMPORT_INFLY_RATE_NUMOFFHIRRESOURCES;
     }
+
+    @Override
+    public int getPresignedUrlExpiry() {
+        int pageSize = FHIRConfigHelper.getIntProperty("fhirServer/bulkdata/core/cos/presignedExpiry", 86400);
+        return Math.max(1, pageSize);
+    }
 }
diff --git a/...eration-bulkdata/src/main/java/com/ibm/fhir/operation/bulkdata/model/url/DownloadUrl.java b/...eration-bulkdata/src/main/java/com/ibm/fhir/operation/bulkdata/model/url/DownloadUrl.java
@@ -19,6 +19,8 @@
 import javax.crypto.spec.SecretKeySpec;
 import javax.ws.rs.HttpMethod;
 
+import com.ibm.fhir.operation.bulkdata.config.ConfigurationFactory;
+
 /**
  * Based on the IBM Cloud Documentation
  *
@@ -29,7 +31,6 @@ public class DownloadUrl {
     private static final Logger logger = Logger.getLogger(DownloadUrl.class.getName());
 
     private static final String HTTP_METHOD = HttpMethod.GET;
-    private static final String EXPIRY_SECONDS = String.valueOf(86400);
 
     private static final MessageDigest digest = createSigningDigest();
 
@@ -110,10 +111,12 @@ public String getSignedUrl() throws Exception {
         String datestamp = time.format(DateTimeFormatter.ofPattern("yyyyMMdd"));
         String timestamp = datestamp + "T" + time.format(DateTimeFormatter.ofPattern("HHmmss")) + "Z";
 
+        String expirySeconds = String.valueOf(ConfigurationFactory.getInstance().getPresignedUrlExpiry());
+
         String standardizedQuerystring = "X-Amz-Algorithm=AWS4-HMAC-SHA256" +
                 "&X-Amz-Credential=" + URLEncoder.encode(accessKey + "/" + datestamp + "/" + region + "/s3/aws4_request", StandardCharsets.UTF_8.toString()) +
                 "&X-Amz-Date=" + timestamp +
-                "&X-Amz-Expires=" + EXPIRY_SECONDS +
+                "&X-Amz-Expires=" + expirySeconds +
                 "&X-Amz-SignedHeaders=host";
 
         String standardizedResource = "/" + bucketName + "/" + cosBucketPathPrefix + "/"+ objectKey;