b2: Support Application Keys - fixes #2428

This supports B2 application keys that are limited to a single bucket by
making sure we only list the bucket whose ID the key is limited to.
Nick Craig-Wood 2018-08-01 14:33:01 +01:00
parent ffd11662ba
commit a119ca9f10
3 changed files with 42 additions and 12 deletions


@ -31,11 +31,6 @@ func (e *Error) Fatal() bool {
var _ fserrors.Fataler = (*Error)(nil) var _ fserrors.Fataler = (*Error)(nil)
// Account describes a B2 account
type Account struct {
ID string `json:"accountId"` // The identifier for the account.
}
// Bucket describes a B2 bucket // Bucket describes a B2 bucket
type Bucket struct { type Bucket struct {
ID string `json:"bucketId"` ID string `json:"bucketId"`
@ -137,10 +132,26 @@ type File struct {
// AuthorizeAccountResponse is as returned from the b2_authorize_account call // AuthorizeAccountResponse is as returned from the b2_authorize_account call
type AuthorizeAccountResponse struct { type AuthorizeAccountResponse struct {
AbsoluteMinimumPartSize int `json:"absoluteMinimumPartSize"` // The smallest possible size of a part of a large file.
AccountID string `json:"accountId"` // The identifier for the account. AccountID string `json:"accountId"` // The identifier for the account.
AuthorizationToken string `json:"authorizationToken"` // An authorization token to use with all calls, other than b2_authorize_account, that need an Authorization header. Allowed struct { // An object (see below) containing the capabilities of this auth token, and any restrictions on using it.
BucketID string `json:"bucketId"` // When present, access is restricted to one bucket.
Capabilities []string `json:"capabilities"` // A list of strings, each one naming a capability the key has.
NamePrefix interface{} `json:"namePrefix"` // When present, access is restricted to files whose names start with the prefix
} `json:"allowed"`
APIURL string `json:"apiUrl"` // The base URL to use for all API calls except for uploading and downloading files. APIURL string `json:"apiUrl"` // The base URL to use for all API calls except for uploading and downloading files.
AuthorizationToken string `json:"authorizationToken"` // An authorization token to use with all calls, other than b2_authorize_account, that need an Authorization header.
DownloadURL string `json:"downloadUrl"` // The base URL to use for downloading files. DownloadURL string `json:"downloadUrl"` // The base URL to use for downloading files.
MinimumPartSize int `json:"minimumPartSize"` // DEPRECATED: This field will always have the same value as recommendedPartSize. Use recommendedPartSize instead.
RecommendedPartSize int `json:"recommendedPartSize"` // The recommended size for each part of a large file. We recommend using this part size for optimal upload performance.
}
// ListBucketsRequest is parameters for b2_list_buckets call
type ListBucketsRequest struct {
AccountID string `json:"accountId"` // The identifier for the account.
BucketID string `json:"bucketId,omitempty"` // When specified, the result will be a list containing just this bucket.
BucketName string `json:"bucketName,omitempty"` // When specified, the result will be a list containing just this bucket.
BucketTypes []string `json:"bucketTypes,omitempty"` // If present, B2 will use it as a filter for bucket types returned in the list buckets response.
} }
// ListBucketsResponse is as returned from the b2_list_buckets call // ListBucketsResponse is as returned from the b2_list_buckets call
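Review bot: `NamePrefix` in the new `Allowed` struct is declared as `interface{}`, so any code that later wants to honour the prefix restriction has to type-assert the value before it can use it. If B2 only ever sends a string or null for this field (the field comment suggests so, but this should be confirmed against the API documentation), declaring it as `NamePrefix string` with the same `json:"namePrefix"` tag would decode both cases and leave the zero value for a key with no prefix limit. A short comment above `Allowed` stating that an empty `BucketID` means the key is not restricted to a bucket would also help, since the list-buckets request in this commit depends on that.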


@ -66,7 +66,7 @@ func init() {
NewFs: NewFs, NewFs: NewFs,
Options: []fs.Option{{ Options: []fs.Option{{
Name: "account", Name: "account",
Help: "Account ID", Help: "Account ID or Application Key ID",
Required: true, Required: true,
}, { }, {
Name: "key", Name: "key",
@ -691,7 +691,11 @@ type listBucketFn func(*api.Bucket) error
// listBucketsToFn lists the buckets to the function supplied // listBucketsToFn lists the buckets to the function supplied
func (f *Fs) listBucketsToFn(fn listBucketFn) error { func (f *Fs) listBucketsToFn(fn listBucketFn) error {
var account = api.Account{ID: f.info.AccountID} var account = api.ListBucketsRequest{
AccountID: f.info.AccountID,
BucketID: f.info.Allowed.BucketID,
}
var response api.ListBucketsResponse var response api.ListBucketsResponse
opts := rest.Opts{ opts := rest.Opts{
Method: "POST", Method: "POST",
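Review bot: In `listBucketsToFn` only `Allowed.BucketID` is taken from the authorization response; `Allowed.Capabilities` and `Allowed.NamePrefix` are decoded but nothing in this hunk consults them, so a key that lacks the needed capability or is limited to a name prefix will presumably still fail later with an opaque API error. A comment on the request would make the intent clear, for example `// BucketID is empty (and omitted) for unrestricted keys; for a bucket-limited key it narrows the listing to that bucket`. The local variable is still named `account` although it now holds an `api.ListBucketsRequest`; `request` would read better. The function body continues past the end of the hunk, so how a configured bucket that differs from the allowed one is reported cannot be seen here.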


@ -55,7 +55,7 @@ Choose a number from below, or type in your own value
13 / Yandex Disk 13 / Yandex Disk
\ "yandex" \ "yandex"
Storage> 3 Storage> 3
Account ID Account ID or Application Key ID
account> 123456789abc account> 123456789abc
Application Key Application Key
key> 0123456789abcdef0123456789abcdef0123456789 key> 0123456789abcdef0123456789abcdef0123456789
@ -93,6 +93,21 @@ excess files in the bucket.
rclone sync /home/local/directory remote:bucket rclone sync /home/local/directory remote:bucket
### Application Keys ###
B2 supports multiple [Application Keys for different access permission
to B2 Buckets](https://www.backblaze.com/b2/docs/application_keys.html).
You can use these with rclone too.
Follow Backblaze's docs to create an Application Key with the required
permission and add the `Application Key ID` as the `account` and the
`Application Key` itself as the `key`.
Note that you must put the Application Key ID as the `account` - you
can't use the master Account ID. If you try then B2 will return 401
errors.
### --fast-list ### ### --fast-list ###
This remote supports `--fast-list` which allows you to use fewer This remote supports `--fast-list` which allows you to use fewer