forked from aws/aws-sdk-java
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCloudFrontCookieSigner.java
More file actions
405 lines (374 loc) · 21.3 KB
/
CloudFrontCookieSigner.java
File metadata and controls
405 lines (374 loc) · 21.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
/*
* Copyright 2013-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package com.amazonaws.services.cloudfront;
import static com.amazonaws.services.cloudfront.util.SignerUtils.buildCannedPolicy;
import static com.amazonaws.services.cloudfront.util.SignerUtils.buildCustomPolicy;
import static com.amazonaws.services.cloudfront.util.SignerUtils.generateResourcePath;
import static com.amazonaws.services.cloudfront.util.SignerUtils.loadPrivateKey;
import static com.amazonaws.services.cloudfront.util.SignerUtils.makeBytesUrlSafe;
import static com.amazonaws.services.cloudfront.util.SignerUtils.makeStringUrlSafe;
import static com.amazonaws.services.cloudfront.util.SignerUtils.signWithSha1RSA;
import static com.amazonaws.util.StringUtils.UTF8;
import static java.util.concurrent.TimeUnit.MILLISECONDS;
import java.io.File;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.cloudfront.util.SignerUtils;
import com.amazonaws.services.cloudfront.util.SignerUtils.Protocol;
import com.amazonaws.util.DateUtils;
// The source code originated from the .NET implementation at
// https://github.com/aws/aws-sdk-net/blob/master/sdk/src/Services/CloudFront/Custom/_bcl/AmazonCloudFrontCookieSigner.cs
/**
* Utility class for generating pre-signed Set-Cookie headers for serving private CloudFront content.
* <p>
* All dates must be in UTC. You can use {@link Calendar} to set the timezone
* before converting to a {@link Date} object, or use {@link DateUtils} to turn
* a UTC date String into a Date object.
* <p>
* <pre>
* Protocol protocol = Protocol.https;
* String distributionDomain = "d1b2c3a4g5h6.cloudfront.net";
* File privateKeyFile = new File("/path/to/cfcurlCloud/rsa-private-key.der");
* String resourcePath = "a/b/images.jpeg";
* String keyPairId = "APKAJCEOKRHC3XIVU5NA";
* Date activeFrom = DateUtils.parseISO8601Date("2012-11-14T22:20:00.000Z");
* Date expiresOn = DateUtils.parseISO8601Date("2011-11-14T22:20:00.000Z");
* String ipRange = "192.168.0.1/24";
*
* CookiesForCannedPolicy cookies = CloudFrontCookieSigner.getCookiesForCannedPolicy(
* protocol, distributionDomain, privateKeyFile, s3ObjectKey,
* keyPairId, expiresOn);
*
* HttpClient client = new DefaultHttpClient();
* HttpGet httpGet = new HttpGet(
* SignerUtils.generateResourcePath(protocol, distributionDomain,
* resourcePath));
*
* httpGet.addHeader("Cookie", cookies.getExpires().getKey() + "=" +
* cookies.getExpires().getValue());
* httpGet.addHeader("Cookie", cookies.getSignature().getKey() + "=" +
* cookies.getSignature().getValue());
* httpGet.addHeader("Cookie", cookies.getKeyPairId().getKey() + "=" +
* cookies.getKeyPairId().getValue());
*
* HttpResponse response = client.execute(httpGet);
*
* CookiesForCustomPolicy cookies2 = CloudFrontCookieSigner.getCookiesForCustomPolicy(
* protocol, distributionDomain, privateKeyFile, s3ObjectKey,
* keyPairId, expiresOn, activeFrom, ipRange);
* </pre>
*
* @see DateUtils
*/
public enum CloudFrontCookieSigner {
;
private static final String EXPIRES_KEY = "CloudFront-Expires";
private static final String SIGNATURE_KEY = "CloudFront-Signature";
private static final String POLICY_KEY = "CloudFront-Policy";
private static final String KEY_PAIR_ID_KEY = "CloudFront-Key-Pair-Id";
/**
* Returns signed cookies that grants universal access to private content until a given date.
*
* @param protocol The protocol used to access content using signed cookies.
* @param distributionDomain The domain name of the distribution.
* @param resourcePath The path for the resource.
* @param privateKeyFile The private key file in DER format
* @param keyPairId The key pair id corresponding to the private key file given.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @return The signed cookies.
*/
public static CookiesForCannedPolicy getCookiesForCannedPolicy(Protocol protocol,
String distributionDomain,
File privateKeyFile,
String resourcePath,
String keyPairId,
Date expiresOn) throws InvalidKeySpecException, IOException {
PrivateKey privateKey = loadPrivateKey(privateKeyFile);
return getCookiesForCannedPolicy(protocol, distributionDomain, privateKey, resourcePath, keyPairId, expiresOn);
}
/**
* Returns signed cookies that grants universal access to private content until a given date.
*
* @param protocol The protocol used to access content using signed cookies.
* @param distributionDomain The domain name of the distribution.
* @param resourcePath The path for the resource.
* @param privateKey The private key file. RSA private key (.der) are supported.
* @param keyPairId The key pair id corresponding to the private key file given.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @return The signed cookies.
*/
public static CookiesForCannedPolicy getCookiesForCannedPolicy(Protocol protocol,
String distributionDomain,
PrivateKey privateKey,
String resourcePath,
String keyPairId,
Date expiresOn) {
String url = generateResourcePath(protocol, distributionDomain, resourcePath);
return getCookiesForCannedPolicy(url, keyPairId, privateKey, expiresOn);
}
/**
* Generate signed cookies that allows access to a specific distribution and
* resource path by applying a access restrictions from a "canned" (simplified)
* policy document.
*
* @param resourceUrlOrPath The URL or path that uniquely identifies a resource within a
* distribution. For standard distributions the resource URL will
* be <tt>"http://" + distributionName + "/" + path</tt>
* (may also include URL parameters. For distributions with the
* HTTPS required protocol, the resource URL must start with
* <tt>"https://"</tt>. RTMP resources do not take the form of a
* URL, and instead the resource path is nothing but the stream's
* name.
* @param keyPairId Identifier of a public/private certificate keypair already configured in your Amazon Web Services account.
* @param privateKeyFile The RSA private key data that corresponding to the certificate keypair identified by keyPairId.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @return The signed cookies.
*/
public static CookiesForCannedPolicy getCookiesForCannedPolicy(String resourceUrlOrPath,
String keyPairId,
File privateKeyFile,
Date expiresOn) throws InvalidKeySpecException, IOException {
PrivateKey privateKey = loadPrivateKey(privateKeyFile);
{
return getCookiesForCannedPolicy(resourceUrlOrPath, keyPairId, privateKey, expiresOn);
}
}
/**
* Generate signed cookies that allows access to a specific distribution and
* resource path by applying a access restrictions from a "canned" (simplified)
* policy document.
*
* @param resourceUrlOrPath The URL or path that uniquely identifies a resource within a
* distribution. For standard distributions the resource URL will
* be <tt>"http://" + distributionName + "/" + path</tt>
* (may also include URL parameters. For distributions with the
* HTTPS required protocol, the resource URL must start with
* <tt>"https://"</tt>.
* @param keyPairId Identifier of a public/private certificate keypair already configured in your Amazon Web Services account.
* @param privateKey The RSA private key data that corresponding to the certificate keypair identified by keyPairId.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @return The signed cookies.
*/
public static CookiesForCannedPolicy getCookiesForCannedPolicy(String resourceUrlOrPath,
String keyPairId,
PrivateKey privateKey,
Date expiresOn) {
try {
final String cannedPolicy = buildCannedPolicy(resourceUrlOrPath, expiresOn);
byte[] signatureBytes = signWithSha1RSA(cannedPolicy.getBytes(UTF8), privateKey);
String urlSafeSignature = makeBytesUrlSafe(signatureBytes);
// Create the cookies
final CookiesForCannedPolicy cookies = new CookiesForCannedPolicy();
cookies.setExpires(String.valueOf(MILLISECONDS.toSeconds(expiresOn.getTime())));
cookies.setSignature(urlSafeSignature);
cookies.setKeyPairId(keyPairId);
return cookies;
} catch (InvalidKeyException e) {
throw new AmazonClientException("Couldn't sign canned policy cookie", e);
}
}
/**
* Returns signed cookies that provides tailored access to private content based on an access time window and an ip range.
*
* @param protocol The protocol used to access content using signed cookies.
* @param distributionDomain The domain name of the distribution.
* @param privateKeyFile Your private key file. RSA private key (.der) are supported.
* @param resourcePath The path for the resource.
* @param keyPairId The key pair id corresponding to the private key file given.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @param activeFrom The date from which content can be accessed using the generated cookies.
* @param ipRange The allowed IP address range of the client making the GET request, in CIDR form (e.g. 192.168.0.1/24).
* @return The signed cookies.
*/
public static CookiesForCustomPolicy getCookiesForCustomPolicy(Protocol protocol,
String distributionDomain,
File privateKeyFile,
String resourcePath,
String keyPairId,
Date expiresOn,
Date activeFrom,
String ipRange) throws InvalidKeySpecException, IOException {
PrivateKey privateKey = loadPrivateKey(privateKeyFile);
return getCookiesForCustomPolicy(protocol, distributionDomain, privateKey, resourcePath, keyPairId, expiresOn, activeFrom, ipRange);
}
/**
* Returns signed cookies that provides tailored access to private content based on an access time window and an ip range.
*
* @param protocol The protocol used to access content using signed cookies.
* @param distributionDomain The domain name of the distribution.
* @param privateKey Your private key file. RSA private key (.der) are supported.
* @param resourcePath The path for the resource.
* @param keyPairId The key pair id corresponding to the private key file given.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @param activeFrom The date from which content can be accessed using the generated cookies.
* @param ipRange The allowed IP address range of the client making the GET request, in CIDR form (e.g. 192.168.0.1/24).
* @return The signed cookies.
*/
public static CookiesForCustomPolicy getCookiesForCustomPolicy(Protocol protocol,
String distributionDomain,
PrivateKey privateKey,
String resourcePath,
String keyPairId,
Date expiresOn,
Date activeFrom,
String ipRange) {
final String url = generateResourcePath(protocol, distributionDomain, resourcePath);
return getCookiesForCustomPolicy(url, privateKey, keyPairId, expiresOn,
activeFrom, ipRange);
}
/**
* Returns signed cookies that provides tailored access to private content based on an access time window and an ip range.
*
* @param resourceUrlOrPath The URL or path for resource within a distribution.
* @param privateKey Your private key file. RSA private key (.der) are supported.
* @param keyPairId The key pair id corresponding to the private key file given.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @param activeFrom The date from which content can be accessed using the generated cookies.
* @param ipRange The allowed IP address range of the client making the GET request, in CIDR form (e.g. 192.168.0.1/24).
* @return The signed cookies.
*/
public static CookiesForCustomPolicy getCookiesForCustomPolicy(String resourceUrlOrPath,
PrivateKey privateKey,
String keyPairId,
Date expiresOn,
Date activeFrom,
String ipRange) {
try {
final String policy = buildCustomPolicy(resourceUrlOrPath, expiresOn, activeFrom, ipRange);
byte[] signatureBytes = signWithSha1RSA(policy.getBytes(UTF8), privateKey);
String urlSafePolicy = makeStringUrlSafe(policy);
String urlSafeSignature = makeBytesUrlSafe(signatureBytes);
// Create the cookies
final CookiesForCustomPolicy cookies = new CookiesForCustomPolicy();
cookies.setPolicy(urlSafePolicy);
cookies.setSignature(urlSafeSignature);
cookies.setKeyPairId(keyPairId);
return cookies;
} catch (InvalidKeyException e) {
throw new AmazonClientException("Couldn't sign custom policy cookie", e);
}
}
/**
* Returns signed cookies that provides tailored access to private content based on an access time window and an ip range.
*
* @param protocol The protocol used to access content using signed cookies.
* @param distributionDomain The domain name of the distribution.
* @param privateKey Your private key file. RSA private key (.der) are supported.
* @param resourcePath The path for the resource.
* @param keyPairId The key pair id corresponding to the private key file given.
* @param expiresOn The expiration date till which content can be accessed using the generated cookies.
* @param ipRange The allowed IP address range of the client making the GET request, in CIDR form (e.g. 192.168.0.1/24).
* @return The signed cookies.
*/
public static CookiesForCustomPolicy getCookiesForCustomPolicy(Protocol protocol,
String distributionDomain,
PrivateKey privateKey,
String resourcePath,
String keyPairId,
Date expiresOn,
String ipRange) {
return getCookiesForCustomPolicy(protocol, distributionDomain, privateKey, resourcePath, keyPairId,
expiresOn, null, ipRange);
}
/**
* Contains common cookies used by Amazon CloudFront.
*/
public static class SignedCookies {
/**
* The active CloudFront key pair Id for the key pair (Trusted Signer) that you are using to generate the signature.
* For more information, see <a href="http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html">
* Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers)</a>
* in the <i>Amazon CloudFront User Guide</i>.
*/
protected Map.Entry<String, String> keyPairId;
protected static class CookieKeyValuePair implements Map.Entry<String, String> {
private String key;
private String value;
public CookieKeyValuePair(String key, String value) {
this.key = key;
this.value = value;
}
@Override
public String getKey() {
return key;
}
@Override
public String getValue() {
return value;
}
@Override
public String setValue(String value) {
String originalValue = this.value;
this.value = value;
return originalValue;
}
}
/**
* The hashed and signed version of the policy.
*/
protected Map.Entry<String, String> signature;
public Map.Entry<String, String> getKeyPairId() {
return keyPairId;
}
public void setKeyPairId(String keyPairId) {
this.keyPairId = new CookieKeyValuePair(KEY_PAIR_ID_KEY, keyPairId);
}
public Map.Entry<String, String> getSignature() {
return signature;
}
public void setSignature(String signature) {
this.signature = new CookieKeyValuePair(SIGNATURE_KEY, signature);
}
}
/**
* Contains the cookies used to access restricted content from
* CloudFront using a canned policy
*/
public static class CookiesForCannedPolicy extends SignedCookies {
// Date and time in Unix time format (in seconds) and Coordinated Universal Time (UTC).
public Map.Entry<String, String> expires;
public Map.Entry<String, String> getExpires() {
return expires;
}
public void setExpires(String expires) {
this.expires = new CookieKeyValuePair(EXPIRES_KEY, expires);
}
}
/**
* Contains the cookies used to access restricted content from
* CloudFront using a custom policy.
*/
public static class CookiesForCustomPolicy extends SignedCookies {
// Base64 encoded version of the custom policy.
public Map.Entry<String, String> policy;
public Map.Entry<String, String> getPolicy() {
return policy;
}
public void setPolicy(String policy) {
this.policy = new CookieKeyValuePair(POLICY_KEY, policy);
}
}
}