Class: AWS::CF::Signer

Inherits:

Object

• Object
• AWS::CF::Signer

Defined in:

lib/cloudfront-signer.rb

Class Attribute Summary

• .default_expires ⇒ Object

  Public: Provides an accessor to the default_expires value.

• .key_pair_id ⇒ Object

  Public: Provides a configuration option to set the key_pair_id if it has not been inferred from the key_path.

• .key_path ⇒ Object

  Public: Provides an accessor to the key_path.

Class Method Summary

• .configure {|_self| ... } ⇒ Object

  Public: Provides a simple way to configure the signing class.

• .is_configured? ⇒ Boolean

  Public: Provides a configuration check method which tests to see that the key_path, key_pair_id and private key values have all been set.

• .key=(key) ⇒ Object

  Public: Provides a configuration option to set the key directly as a string e.g.

• .sign(subject, configuration_options = {}, policy_options = {}) ⇒ Object

  Public: Builds a signed url or stream resource name with optional configuration and policy options.

• .sign_path(subject, policy_options = {}) ⇒ Object

  Public: Sign a stream path part or filename (spaces are allowed in stream paths and so are not removed).

• .sign_path_safe(subject, policy_options = {}) ⇒ Object

  Public: Sign a stream path or filename and HTML encode the result.

• .sign_url(subject, policy_options = {}) ⇒ Object

  Public: Sign a url - encoding any spaces in the url before signing.

• .sign_url_safe(subject, policy_options = {}) ⇒ Object

  Public: Sign a url (as above) and HTML encode the result.

• .signed_params(subject, policy_options = {}) ⇒ Object

  Public: Sign a subject url or stream resource name with optional policy options.

Class Attribute Details

.default_expires ⇒ Object

Public: Provides an accessor to the default_expires value

Returns an Integer value indicating the current setting

# File 'lib/cloudfront-signer.rb', line 77

def default_expires
  @default_expires ||= 3600
end

.key_pair_id ⇒ Object

Public: Provides a configuration option to set the key_pair_id if it has not been inferred from the key_path

Examples

AWS::CF::Signer.configure do |config|
  config.key_pair_id = "XXYYZZ"
end

Returns a String value indicating the current setting

# File 'lib/cloudfront-signer.rb', line 24

def key_pair_id
  @key_pair_id
end

.key_path ⇒ Object

Public: Provides an accessor to the key_path

Returns a String value indicating the current setting

# File 'lib/cloudfront-signer.rb', line 60

def key_path
  @key_path
end

Class Method Details

.configure {|_self| ... } ⇒ Object

Public: Provides a simple way to configure the signing class.

Yields self.

Examples

AWS::CF::Signer.configure do |config|
  config.key_path = "/path/to/yourkeyfile.pem"
  config.key_pair_id  = "XXYYZZ"
  config.default_expires = 3600
end

Returns nothing.

Yields:

• (_self)

Yield Parameters:

• _self (AWS::CF::Signer) —

  the object that the method was called on

# File 'lib/cloudfront-signer.rb', line 104

def self.configure
  yield self if block_given?

  unless key_path || private_key
    fail ArgumentError,
         'You must supply the path to a PEM format RSA key pair.'
  end

  unless @key_pair_id
    @key_pair_id = extract_key_pair_id(key_path)
    fail ArgumentError,
         'The Cloudfront signing key id could not be inferred from ' \
         "#{key_path}. Please supply the key pair id as a " \
         'configuration argument.' unless @key_pair_id
  end
end

.is_configured? ⇒ Boolean

Public: Provides a configuration check method which tests to see that the key_path, key_pair_id and private key values have all been set.

Returns a Boolean value indicating that settings are present.

Returns:

• (Boolean)

# File 'lib/cloudfront-signer.rb', line 125

def self.is_configured?
  (key_pair_id.nil? || private_key.nil?) ? false : true
end

.key=(key) ⇒ Object

Public: Provides a configuration option to set the key directly as a string e.g. as an ENV var

Examples

AWS::CF::Signer.configure do |config|
  config.key = ENV.fetch('KEY')
end

Returns nothing.

# File 'lib/cloudfront-signer.rb', line 53

def key=(key)
  @key = OpenSSL::PKey::RSA.new(key)
end

.sign(subject, configuration_options = {}, policy_options = {}) ⇒ Object

Public: Builds a signed url or stream resource name with optional configuration and policy options

Returns a String

# File 'lib/cloudfront-signer.rb', line 166

def self.sign(subject, configuration_options = {}, policy_options = {})
  # If the url or stream path already has a query string parameter -
  # append to that.
  separator = subject =~ /\?/ ? '&' : '?'

  subject.gsub!(/\s/, '%20') if configuration_options[:remove_spaces]

  result = subject +
           separator +
           signed_params(subject, policy_options).collect do |key, value|
             "#{key}=#{value}"
           end.join('&')

  if configuration_options[:html_escape]
    return html_encode(result)
  else
    return result
  end
end

.sign_path(subject, policy_options = {}) ⇒ Object

Public: Sign a stream path part or filename (spaces are allowed in stream paths and so are not removed).

Returns a String

# File 'lib/cloudfront-signer.rb', line 149

def self.sign_path(subject, policy_options = {})
  sign subject, { remove_spaces: false }, policy_options
end

.sign_path_safe(subject, policy_options = {}) ⇒ Object

Public: Sign a stream path or filename and HTML encode the result.

Returns a String

# File 'lib/cloudfront-signer.rb', line 156

def self.sign_path_safe(subject, policy_options = {})
  sign subject,
       { remove_spaces: false, html_escape: true },
       policy_options
end

.sign_url(subject, policy_options = {}) ⇒ Object

Public: Sign a url - encoding any spaces in the url before signing. CloudFront stipulates that signed URLs must not contain spaces (as opposed to stream paths/filenames which CAN contain spaces).

Returns a String

# File 'lib/cloudfront-signer.rb', line 134

def self.sign_url(subject, policy_options = {})
  sign subject, { remove_spaces: true }, policy_options
end

.sign_url_safe(subject, policy_options = {}) ⇒ Object

Public: Sign a url (as above) and HTML encode the result.

Returns a String

# File 'lib/cloudfront-signer.rb', line 141

def self.sign_url_safe(subject, policy_options = {})
  sign subject, { remove_spaces: true, html_escape: true }, policy_options
end

.signed_params(subject, policy_options = {}) ⇒ Object

Public: Sign a subject url or stream resource name with optional policy options. It returns raw params to be used in urls or cookies

Returns a Hash

# File 'lib/cloudfront-signer.rb', line 190

def self.signed_params(subject, policy_options = {})
  result = {}

  if policy_options[:policy_file]
    policy = IO.read(policy_options[:policy_file])
    result['Policy'] = encode_policy(policy)
  else
    policy_options[:expires] = epoch_time(policy_options[:expires] ||
                                          Time.now + default_expires)

    if policy_options.keys.size <= 1
      # Canned Policy - shorter URL
      expires_at = policy_options[:expires]
      policy = %{{"Statement":[{"Resource":"#{subject}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires_at}}}}]}}
      result['Expires'] = expires_at
    else
      # Custom Policy
      resource = policy_options[:resource] || subject
      policy = generate_custom_policy(resource, policy_options)
      result['Policy'] = encode_policy(policy)
    end
  end

  result.merge 'Signature' => create_signature(policy),
               'Key-Pair-Id' => @key_pair_id
end