cloud: Make URL cache bucket private

kcidb/cloud/functions.sh

@@ -151,6 +151,14 @@ function functions_deploy() {
                           env_yaml \
                           -- "$@")"
     eval "$params"
+
+    # Allow the App Engine service account to create its own tokens
+    # so it can sign Google Cloud Storage URLs
+    mute gcloud iam service-accounts add-iam-policy-binding \
+        "$project@appspot.gserviceaccount.com" \
+        --role=roles/iam.serviceAccountTokenCreator \
+        --member="serviceAccount:$project@appspot.gserviceaccount.com"
+
     # Create empty environment YAML
     declare env_yaml_file
     env_yaml_file=`mktemp --tmpdir kcidb_cloud_env.XXXXXXXX`

kcidb/cloud/storage.sh

@@ -16,7 +16,8 @@ function storage_deploy() {
         TMPDIR="$TMPDIR_ORIG" gsutil -q mb -p "$project" -c STANDARD \
             -l "us-central1" -b on "gs://$bucket"
     fi
-    TMPDIR="$TMPDIR_ORIG" gsutil -q iam ch allUsers:objectViewer "gs://$bucket/"
+    # Revoke public read access from the bucket
+    TMPDIR="$TMPDIR_ORIG" gsutil -q iam ch -d allUsers:objectViewer "gs://$bucket/"
 }
 
 # Remove a Google Cloud Storage Bucket and its contents

main.py

@@ -538,6 +538,11 @@ def kcidb_cache_urls(event, context):
         cache.store(url)
 
 
+# The expiration time (a timedelta) of the URLs returned by the cache
+# redirect, or None to return permanent URLs pointing to the public bucket.
+CACHE_REDIRECT_TTL = datetime.timedelta(seconds=10)
+
+
 @functions_framework.http
 def kcidb_cache_redirect(request):
     """
@@ -567,7 +572,7 @@ def kcidb_cache_redirect(request):
 
         # Check if the URL is in the cache
         cache_client = get_cache_client()
-        cache = cache_client.map(url_to_fetch)
+        cache = cache_client.map(url_to_fetch, ttl=CACHE_REDIRECT_TTL)
         if cache:
             LOGGER.info("Redirecting to the cache at %r", cache)
             # Redirect to the cached URL if it exists