feat(sdk): add signed url

docs/docs/02-concepts/04-tests.md

@@ -69,7 +69,7 @@ test "bucket starts empty" {
 
 In the first test (`bucket list should include created file`), a file is created in the bucket. The second test (`bucket starts empty`) verifies that the bucket is initialized without any file.
 
-### Running tests in a the cloud
+### Running tests in the cloud
 
 Consider the following example:
 

examples/tests/sdk_tests/bucket/signedUrl.w

@@ -0,0 +1,14 @@
+bring cloud;
+bring http;
+bring util;
+
+let testBucket = new cloud.Bucket(public: true) as "testBucket";
+
+test "signedUrl" {
+  let var error = "";
+  testBucket.put("file1.txt", "Foo");
+
+  let signedUrl = testBucket.signedUrl("file1.txt");
+  assert(signedUrl != "");
+
+}

libs/wingsdk/.projenrc.ts

@@ -104,6 +104,7 @@ const project = new cdk.JsiiProject({
     // shared client dependencies
     "ioredis",
     "jsonschema",
+    "@aws-sdk/s3-request-presigner",
   ],
   devDeps: [
     `@cdktf/provider-aws@^15.0.0`, // only for testing Wing plugins

libs/wingsdk/src/cloud/bucket.ts

@@ -6,6 +6,7 @@ import { fqnForType } from "../constants";
 import { App } from "../core";
 import { convertBetweenHandlers } from "../shared/convert";
 import { Json, IResource, Node, Resource } from "../std";
+import { Duration } from "../std";
 
 /**
  * Global identifier for `Bucket`.
@@ -345,6 +346,13 @@ export interface IBucketClient {
    * @inflight
    */
   publicUrl(key: string): Promise<string>;
+
+  /**
+   * Returns a signed url to the given file.
+   * @Throws if object does not exist.
+   * @inflight
+   */
+  signedUrl(key: string, duration?: Duration): Promise<string>;
 }
 
 /**
@@ -447,4 +455,6 @@ export enum BucketInflightMethods {
   TRY_GET_JSON = "tryGetJson",
   /** `Bucket.tryDelete` */
   TRY_DELETE = "tryDelete",
+
+  SIGNED_URL = "signedUrl"
 }

libs/wingsdk/src/shared-aws/bucket.inflight.ts

@@ -16,11 +16,11 @@ import {
 } from "@aws-sdk/client-s3";
 import { BucketDeleteOptions, IBucketClient } from "../cloud";
 import { Duration, Json } from "../std";
-
+import { getSignedUrl ,S3RequestPresigner} from "@aws-sdk/s3-request-presigner";
 export class BucketClient implements IBucketClient {
   constructor(
     private readonly bucketName: string,
-    private readonly s3Client = new S3Client({})
+    private readonly s3Client :any = new S3Client({}),
   ) {}
 
   /**
@@ -263,17 +263,29 @@ export class BucketClient implements IBucketClient {
     );
   }
 
-  /**
-   * Returns a signed url to the given file. This URL can be used by anyone to
-   * access the file until the link expires (defaults to 24 hours).
+
+ /**
+   * Returns a signed url to the given file.
+   * @Throws if object does not exist.
+   * @inflight
    * @param key The key to reach
-   * @param duration Time until expires
+*    @param duration Time until expires
    */
-  public async signed_url(key: string, duration?: Duration): Promise<string> {
-    // for signed_url take a look here: https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/s3-example-creating-buckets.html#s3-create-presigendurl-get
-    throw new Error(
-      `signed_url is not implemented yet (key=${key}, duration=${duration})`
-    );
+
+
+  public async signedUrl(key: string, duration?: Duration): Promise<string> {
+    if (!(await this.exists(key))) {
+      throw new Error(
+        `Cannot provide signed url for a non-existent key (key=${key})`
+      );
+    }
+    const expiryTimeInSeconds:number= duration?.seconds|| 86400;
+    const command: any = new GetObjectCommand({
+    Bucket: this.bucketName,
+    Key: key
+   });
+   return await getSignedUrl(this.s3Client,command,{expiresIn:expiryTimeInSeconds});
+
   }
 
   private async getLocation(): Promise<string> {

libs/wingsdk/src/shared-aws/permissions.ts

@@ -91,6 +91,7 @@ export function calculateBucketPermissions(
   // contains a check if an object exists/list
   if (
     ops.includes(cloud.BucketInflightMethods.PUBLIC_URL) ||
+    ops.includes(cloud.BucketInflightMethods.SIGNED_URL) ||
     ops.includes(cloud.BucketInflightMethods.LIST) ||
     ops.includes(cloud.BucketInflightMethods.EXISTS) ||
     ops.includes(cloud.BucketInflightMethods.TRY_GET) ||
@@ -120,13 +121,14 @@ export function calculateBucketPermissions(
     ops.includes(cloud.BucketInflightMethods.TRY_GET_JSON) ||
     ops.includes(cloud.BucketInflightMethods.TRY_DELETE) ||
     ops.includes(cloud.BucketInflightMethods.PUBLIC_URL) ||
+    ops.includes(cloud.BucketInflightMethods.SIGNED_URL) ||
     ops.includes(cloud.BucketInflightMethods.EXISTS)
   ) {
     actions.push("s3:GetObject*", "s3:GetBucket*");
   }
 
   // accessing the publicAccessBlock
-  if (ops.includes(cloud.BucketInflightMethods.PUBLIC_URL)) {
+  if (ops.includes(cloud.BucketInflightMethods.PUBLIC_URL || ops.includes(cloud.BucketInflightMethods.SIGNED_URL))) {
     actions.push("s3:GetBucketPublicAccessBlock");
   }
 

libs/wingsdk/src/target-sim/bucket.inflight.ts

@@ -10,7 +10,7 @@ import {
   IBucketClient,
   ITopicClient,
 } from "../cloud";
-import { Json } from "../std";
+import { Json , Duration } from "../std";
 import {
   ISimulatorContext,
   ISimulatorResourceInstance,
@@ -208,6 +208,28 @@ export class Bucket implements IBucketClient, ISimulatorResourceInstance {
     });
   }
 
+public async signedUrl(key: string, duration?: Duration){
+  const expiryTimeInSeconds:string= String((duration?.seconds|| 86400));
+  return this.context.withTrace({
+    message: `Signed URL (key=${key})`,
+    activity: async () =>{
+    const filePath = join(this._fileDir, key);
+    if(!this.objectKeys.has(key)){
+        throw new Error(
+          `Cannot provide signed url for an non-existent key (key=${key})`
+        ); 
+    }
+    /**
+     * Generating a mock signed url response
+     */
+
+    return url.pathToFileURL(filePath).searchParams.append("Expires",expiryTimeInSeconds);
+
+    }
+  });
+}
+
+
   private async addFile(key: string, value: string): Promise<void> {
     const actionType: BucketEventType = this.objectKeys.has(key)
       ? BucketEventType.UPDATE

libs/wingsdk/test/shared-aws/bucket.inflight.test.ts

@@ -535,3 +535,75 @@ test("tryDelete a non-existent object from the bucket", async () => {
   // THEN
   expect(objectTryDelete).toEqual(false);
 });
+
+test("Given a bucket when reaching to a non existent key, signed url it should throw an error", async () => {
+  // GIVEN
+  let error;
+  const BUCKET_NAME = "BUCKET_NAME";
+  const KEY = "KEY";
+
+  s3Mock.on(GetPublicAccessBlockCommand, { Bucket: BUCKET_NAME }).resolves({
+    PublicAccessBlockConfiguration: {
+      BlockPublicAcls: false,
+      BlockPublicPolicy: false,
+      RestrictPublicBuckets: false,
+      IgnorePublicAcls: false,
+    },
+  });
+  s3Mock
+    .on(GetBucketLocationCommand, { Bucket: BUCKET_NAME })
+    .resolves({ LocationConstraint: "us-east-2" });
+  s3Mock
+    .on(HeadObjectCommand, { Bucket: BUCKET_NAME, Key: KEY })
+    .rejects({ name: "NotFound" });
+
+  //WHEN
+  const client = new BucketClient(BUCKET_NAME);
+  try {
+    await client.signedUrl(KEY);
+  } catch (err) {
+    error = err;
+  }
+  // THEN
+  expect(error?.message).toBe(
+    "Cannot provide signed url for a non-existent key (key=KEY)"
+  );
+});
+
+test("Given a bucket, when giving one of its keys, we should get its signed url", async () => {
+  // GIVEN
+  const BUCKET_NAME = "BUCKET_NAME";
+  const KEY = "KEY";
+  const REGION = "us-east-2";
+
+  s3Mock.on(GetPublicAccessBlockCommand, { Bucket: BUCKET_NAME }).resolves({
+    PublicAccessBlockConfiguration: {
+      BlockPublicAcls: false,
+      BlockPublicPolicy: false,
+      RestrictPublicBuckets: false,
+      IgnorePublicAcls: false,
+    },
+  });
+  s3Mock
+    .on(GetBucketLocationCommand, { Bucket: BUCKET_NAME })
+    .resolves({ LocationConstraint: REGION });
+  s3Mock.on(HeadObjectCommand, { Bucket: BUCKET_NAME, Key: KEY }).resolves({
+    AcceptRanges: "bytes",
+    ContentLength: 3191,
+    ContentType: "image/jpeg",
+    ETag: "6805f2cfc46c0f04559748bb039d69ae",
+    LastModified: new Date("Thu, 15 Dec 2016 01:19:41 GMT"),
+    Metadata: {},
+    VersionId: "null",
+  });
+
+  // WHEN
+  const client = new BucketClient(BUCKET_NAME);
+  const response = await client.signedUrl(KEY);
+
+  // THEN
+  expect(response).contains(
+    'https://s3.amazonaws.com'
+  );
+
+});

libs/wingsdk/test/target-sim/bucket.test.ts

@@ -705,3 +705,50 @@ test("tryDelete objects from bucket", async () => {
   expect(existingObject2TryDelete).toEqual(true);
   expect(nonExistentObjectTryDelete).toEqual(false);
 });
+
+test("Given a bucket when reaching to a non existent key, signed url it should throw an error", async () => {
+  //GIVEN
+  let error;
+  const app = new SimApp();
+  cloud.Bucket._newBucket(app, "my_bucket", { public: true });
+
+  const s = await app.startSimulator();
+  const client = s.getResource("/my_bucket") as cloud.IBucketClient;
+
+  const KEY = "KEY";
+
+  // WHEN
+  try {
+    await client.signedUrl(KEY);
+  } catch (err) {
+    error = err;
+  }
+
+  expect(error?.message).toBe(
+    "Cannot provide signed url for an non-existent key (key=KEY)"
+  );
+  // THEN
+  await s.stop();
+});
+
+
+test("Given a bucket, when giving one of its keys, we should get it's signed url", async () => {
+  // GIVEN
+  const app = new SimApp();
+  cloud.Bucket._newBucket(app, "my_bucket", { public: true });
+
+  const s = await app.startSimulator();
+  const client = s.getResource("/my_bucket") as cloud.IBucketClient;
+
+  const KEY = "KEY";
+  const VALUE = "VALUE";
+
+  // WHEN
+  await client.put(KEY, VALUE);
+  const response = await client.signedUrl(KEY);
+
+  // THEN
+  await s.stop();
+  const filePath = `${client.fileDir}/${KEY}`;
+  expect(response).toEqual(url.pathToFileURL(filePath).searchParams.append("Expires","86400"));
+});

package.json

@@ -31,5 +31,8 @@
       "@aws-sdk/util-utf8-node@3.259.0": "patches/@aws-sdk__util-utf8-node@3.259.0.patch",
       "@aws-sdk/util-utf8-browser@3.259.0": "patches/@aws-sdk__util-utf8-browser@3.259.0.patch"
     }
+  },
+  "dependencies": {
+    "@aws-sdk/s3-request-presigner": "^3.395.0"
   }
 }