cloud: Make URL cache bucket private

kernelci · Feb 12, 2024 · cdeffba · cdeffba
1 parent edce5b6
commit cdeffba
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/kcidb/cloud/storage.sh b/kcidb/cloud/storage.sh
@@ -16,7 +16,8 @@ function storage_deploy() {
         TMPDIR="$TMPDIR_ORIG" gsutil -q mb -p "$project" -c STANDARD \
             -l "us-central1" -b on "gs://$bucket"
     fi
-    TMPDIR="$TMPDIR_ORIG" gsutil -q iam ch allUsers:objectViewer "gs://$bucket/"
+    # Revoke public read access from the bucket
+    TMPDIR="$TMPDIR_ORIG" gsutil -q iam ch -d allUsers:objectViewer "gs://$bucket/"
 }
 
 # Remove a Google Cloud Storage Bucket and its contents

diff --git a/main.py b/main.py
@@ -538,6 +538,11 @@ def kcidb_cache_urls(event, context):
         cache.store(url)
 
 
+# The expiration time (a timedelta) of the URLs returned by the cache
+# redirect, or None to return permanent URLs pointing to the public bucket.
+CACHE_REDIRECT_TTL = datetime.timedelta(seconds=10)
+
+
 @functions_framework.http
 def kcidb_cache_redirect(request):
     """
@@ -567,7 +572,7 @@ def kcidb_cache_redirect(request):
 
         # Check if the URL is in the cache
         cache_client = get_cache_client()
-        cache = cache_client.map(url_to_fetch)
+        cache = cache_client.map(url_to_fetch, ttl=CACHE_REDIRECT_TTL)
         if cache:
             LOGGER.debug("Redirecting to the cache at %s", cache)
             # Redirect to the cached URL if it exists