Add option to disable presigned URL generation for public S3 buckets #660

Open
timbaev wants to merge 3 commits into jenkinsci:master from timbaev:feature/optional-presigned-urls

timbaev commented Aug 12, 2025

This PR adds a new configuration option generatePresignedUrls to the S3 artifact storage that allows users to disable the generation of presigned URLs and instead use direct S3 URLs for artifact access. This is useful when S3 buckets are configured with public read access and don't require authentication parameters in the URLs.

Key changes:

  • Added generatePresignedUrls boolean configuration field (defaults to true for backward compatibility)
  • Modified S3BlobStore.toExternalURL() and S3BlobStore.artifactUrls() to return direct URLs when presigned URL generation is disabled
  • Added UI checkbox in the Jenkins configuration page with help documentation
  • When disabled, URLs will be in the format https://bucket.s3.region.amazonaws.com/path/to/artifact without authentication parameters

Testing done

Automated tests:

  • Added testDirectUrlGeneration() test in JCloudsArtifactManagerTest that verifies:
    • When generatePresignedUrls is set to false, the generated URLs do not contain presigned authentication parameters (X-Amz-Algorithm, X-Amz-Credential, X-Amz-Signature)
    • The test creates a workflow job, archives an artifact, and validates the URL format
  • Added checkGeneratePresignedUrlsDefaultAndSetterGetter() test in S3BlobStoreConfigTest that verifies:
    • The default value is true (maintaining backward compatibility)
    • The setter and getter methods work correctly
  • Updated existing config validation test to include the new parameter

Manual testing:

  • Tested the configuration UI to ensure the checkbox appears and saves correctly
  • Verified that existing configurations continue to work with presigned URLs (default behavior)
  • Tested with a public S3 bucket to confirm direct URLs work without authentication

UI Screenshots:

Configuration page before changes: Screenshot 2025-08-12 at 17 20 10
Configuration page after changes: Screenshot 2025-08-12 at 17 19 13

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

- Add generatePresignedUrls configuration option (default: true)
- Implement direct URL generation when presigned URLs are disabled
- Update S3BlobStore to support both URL generation modes
- Add UI checkbox for generatePresignedUrls setting
- Include comprehensive test coverage for new functionality
- Update validation method to include new parameter

This change allows users to choose between presigned URLs (secure, time-limited)
and direct URLs (permanent, bucket-policy dependent) for S3 artifact access.

timbaev requested a review from a team as a code owner August 12, 2025 14:31
jglick added the enhancement (New feature or request) label Aug 12, 2025

jglick (Member) commented Aug 12, 2025

Presumably your automated & manual tests involved a bucket with public read access but I am unclear on what your automated & manual tests consisted of beyond that.

(The existence of https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html implies that public write access is technically possible, but that is certainly not something we would want to encourage.)

…loads

- Always use presigned URLs for PUT operations regardless of generatePresignedUrls setting
- Respect generatePresignedUrls setting only for download operations (GET, etc.)
- Remove direct URL generation for artifact uploads in artifactUrls method
- Simplify testDirectUrlGeneration test and improve assertions with Hamcrest matchers

timbaev (Author) commented Aug 14, 2025

@jglick Thanks for the review! Updated the logic to use the new parameter only for downloading artifacts. Also checked the test - it passes now.
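
The rule from the follow-up commit message above (PUT always presigned, the setting applied only to downloads), together with the URL check described for the PR's test, can be written as a small policy check. This is an added example, not code from the PR or the plugin; the class and method names, bucket, region and key are hypothetical, and the signed URL is a constructed sample with placeholder values.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class ArtifactUrlPolicy {
    // Query parameters the PR's test treats as markers of a presigned URL.
    static final List<String> PRESIGN_PARAMS =
            List.of("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Signature");

    // Uploads (PUT) are always presigned; other methods follow the setting.
    static boolean mustPresign(String method, boolean generatePresignedUrls) {
        return "PUT".equalsIgnoreCase(method) || generatePresignedUrls;
    }

    // Direct URL in the format from the PR description; URI percent-encodes the key.
    static String directUrl(String bucket, String region, String key)
            throws URISyntaxException {
        String host = bucket + ".s3." + region + ".amazonaws.com";
        return new URI("https", host, "/" + key, null).toASCIIString();
    }

    // True if any of the presign marker parameters appears in the query string.
    static boolean hasPresignParams(String url) {
        String query = URI.create(url).getRawQuery();
        if (query == null) return false;
        for (String pair : query.split("&")) {
            if (PRESIGN_PARAMS.contains(pair.split("=", 2)[0])) return true;
        }
        return false;
    }

    // True when the URL handed out matches what the policy requires.
    static boolean conforms(String method, boolean setting, String url) {
        return hasPresignParams(url) == mustPresign(method, setting);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample values, not taken from the PR.
        String direct = directUrl("example-bucket", "us-east-1", "job/build 1/a.txt");
        String signed = direct + "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
                + "&X-Amz-Credential=PLACEHOLDER&X-Amz-Signature=PLACEHOLDER";
        System.out.println(direct);
        System.out.println("GET, setting off, direct: " + conforms("GET", false, direct));
        System.out.println("GET, setting on, direct:  " + conforms("GET", true, direct));
        System.out.println("PUT, setting off, direct: " + conforms("PUT", false, direct));
        System.out.println("PUT, setting off, signed: " + conforms("PUT", false, signed));
    }
}
```

A check of this shape fits in a regression test: an unsigned upload URL fails `conforms` whatever the setting, which is the case the review raised about public write access.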

timbaev requested a review from jglick August 14, 2025 11:40

timbaev (Author) commented Sep 10, 2025

@jglick Hello 👋
Can you help with the review?

jglick requested a review from a team September 25, 2025 18:58

timbaev (Author) commented Oct 29, 2025

@jglick Hello 👋
Any chance this could get reviewed? We’ve been using the fork together with MinIO for a month now, and it’s been working without any issues.

jglick (Member) commented Nov 3, 2025

On my list but so far I have not found the time to review this (or indeed maintain this plugin much at all).

jglick mentioned this pull request Mar 10, 2026